Update dependency chartkick to v3 [SECURITY]#16

Open

renovate[bot] wants to merge 1 commit intomasterfrom

renovate/rubygems-chartkick-vulnerability

Contributor

renovate bot commented Sep 25, 2022 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
chartkick (source)	`1.3.2` → `3.4.0`

GitHub Vulnerability Alerts

CVE-2019-12732

The Chartkick gem through 3.1.0 for Ruby allows XSS.

CVE-2019-18841

Affected versions of @polymer/polymer are vulnerable to prototype pollution. The package fails to prevent modification of object prototypes through chart options containing a payload such as {"__proto__": {"polluted": true}}. It is possible to achieve the same results if a chart loads data from a malicious server.

Recommendation

Upgrade to version 3.2.0 or later.

CVE-2020-16254

The Chartkick gem through 3.3.2 for Ruby allows Cascading Style Sheets (CSS) Injection (without attribute).

Release Notes

ankane/chartkick (chartkick)

`v3.4.0`

Fixed CSS injection with width and height options - more info

`v3.3.2`

Updated Chartkick.js to 3.2.1

`v3.3.1`

Updated Chart.js to 2.9.3
Fixed deprecation warnings in Ruby 2.7

`v3.3.0`

Updated Chartkick.js to 3.2.0
Rolled back Chart.js to 2.8.0 due to legend change

`v3.2.2`

Updated Chartkick.js to 3.1.3
Updated Chart.js to 2.9.1

`v3.2.1`

Updated Chartkick.js to 3.1.1

`v3.2.0`

Fixed XSS vulnerability - more info

`v3.1.0`

Updated Chartkick.js to 3.1.0
Updated Chart.js to 2.8.0

`v3.0.2`

Fixed error with nonce option with Secure Headers and Rails < 5.2
Updated Chartkick.js to 3.0.2
Updated Chart.js to 2.7.3

`v3.0.1`

Updated Chartkick.js to 3.0.1

`v3.0.0`

Updated Chartkick.js to 3.0.0
Added code option
Added support for nonce: true

Breaking changes

Removed support for Rails < 4.2
Removed chartkick.js from asset precompile (no longer needed)
Removed xtype option - numeric axes are automatically detected
Removed window.Chartkick = {...} way to set config - use Chartkick.configure instead
Removed support for the Google Charts jsapi loader - use loader.js instead

`v2.3.5`

Updated Chartkick.js to 2.3.6

`v2.3.4`

Updated Chartkick.js to 2.3.5
Updated Chart.js to 2.7.2

`v2.3.3`

Updated Chartkick.js to 2.3.4

`v2.3.2`

Updated Chartkick.js to 2.3.3

`v2.3.1`

Updated Chartkick.js to 2.3.1

`v2.3.0`

Fixed deep merge error for non-Rails apps
Updated Chartkick.js to 2.3.0

`v2.2.5`

Updated Chart.js to 2.7.1

`v2.2.4`

Added compatibility with Rails API
Updated Chartkick.js to 2.2.4

`v2.2.3`

Updated Chartkick.js to 2.2.3
Updated Chart.js to 2.5.0

`v2.2.2`

Updated Chartkick.js to 2.2.2

`v2.2.1`

Updated Chartkick.js to 2.2.1

`v2.2.0`

Updated Chartkick.js to 2.2.0
Improved JavaScript API
Added download option - Chart.js only
Added refresh option
Added donut option to pie chart

`v2.1.3`

Updated Chartkick.js to 2.1.2 - fixes missing zero values for Chart.js

`v2.1.2`

Added defer option
Added nonce option
Updated Chartkick.js to 2.1.1

`v2.1.1`

Use custom version of Chart.js to fix label overlap

`v2.1.0`

Added basic support for new Google Charts loader
Added configure function
Dropped jQuery and Zepto dependencies for AJAX
Updated Chart.js to 2.2.2

`v2.0.2`

Updated Chartkick.js to 2.0.1
Updated Chart.js to 2.2.1

`v2.0.1`

Small Chartkick.js fixes
Updated Chart.js to 2.2.0

`v2.0.0`

Chart.js is now the default adapter - yay open source!
Axis types are automatically detected - no need for discrete: true
Better date support
New JavaScript API

`v1.5.2`

Fixed Sprockets error

`v1.5.1`

Updated chartkick.js to latest version
Included Chart.bundle.js

`v1.5.0`

Added Chart.js adapter beta
Fixed line height on timeline charts

`v1.4.2`

Added width option
Added label option
Added support for stacked: false for area charts
Lazy load adapters
Better tooltip for dates for Google Charts
Fixed asset precompilation issue with Rails 5

`v1.4.1`

Fixed regression with min: nil

`v1.4.0`

Added scatter chart
Added axis titles

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          Update dependency chartkick to v3 [SECURITY]

d619c4f

renovate bot force-pushed the renovate/rubygems-chartkick-vulnerability branch from 4f325da to d619c4f Compare

March 16, 2023 17:52

Contributor Author

renovate bot commented Apr 3, 2023 •

edited

Loading

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock

Fetching source index from https://rubygems.org/
--- ERROR REPORT TEMPLATE -------------------------------------------------------
- What did you do?

  I ran the command `/opt/containerbase/tools/bundler/1.11.2/3.3.0/bin/bundler lock --update chartkick`

- What did you expect to happen?

  I expected Bundler to...

- What happened instead?

  Instead, what actually happened was...


Error details

    NoMethodError: undefined method `inflate' for module Gem
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/fetcher.rb:90:in `fetch_spec'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/remote_specification.rb:71:in `_remote_specification'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/remote_specification.rb:76:in `method_missing'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:160:in `block in __dependencies'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:157:in `each'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:157:in `__dependencies'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:112:in `activate_platform'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:275:in `block in search_for'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:275:in `each'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:275:in `search_for'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:332:in `block in verify_gemfile_dependencies_are_found!'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:330:in `each'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:330:in `verify_gemfile_dependencies_are_found!'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:199:in `start'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/resolver.rb:183:in `resolve'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/definition.rb:198:in `resolve'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/definition.rb:137:in `specs'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/definition.rb:126:in `resolve_remotely!'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/cli/lock.rb:27:in `run'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/cli.rb:412:in `lock'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/vendor/thor/lib/thor/command.rb:27:in `run'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/vendor/thor/lib/thor/invocation.rb:126:in `invoke_command'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/vendor/thor/lib/thor.rb:359:in `dispatch'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/vendor/thor/lib/thor/base.rb:440:in `start'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/cli.rb:10:in `start'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/exe/bundler:19:in `block in <top (required)>'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/lib/bundler/friendly_errors.rb:7:in `with_friendly_errors'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/gems/bundler-1.11.2/exe/bundler:17:in `<top (required)>'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/bin/bundler:25:in `load'
      /opt/containerbase/tools/bundler/1.11.2/3.3.0/bin/bundler:25:in `<main>'

Environment

    Bundler   1.11.2
    Rubygems  3.5.3
    Ruby      3.3.0p0 (2023-12-25 revision 5124f9ac7513eb590c37717337c430cb93caa151) [x86_64-linux]
    GEM_HOME  /tmp/renovate/cache/others/bundler
    GEM_PATH  :/opt/containerbase/tools/bundler/1.11.2/3.3.0
    Git       2.43.2

Bundler settings

    github.com
      Set via BUNDLE_GITHUB__COM: "**redacted**"
--- TEMPLATE END ----------------------------------------------------------------

Unfortunately, an unexpected error occurred, and Bundler cannot continue.

First, try this link to see if there are any existing issue reports for this error:
https://github.com/bundler/bundler/search?q=undefined+method+%60inflate%27+for+module+Gem&type=Issues

If there aren't any reports for this error yet, please create copy and paste the report template above into a new issue. Don't forget to anonymize any private data! The new issue form is located at:
https://github.com/bundler/bundler/issues/new

Contributor Author

renovate bot commented May 23, 2024 •

edited

Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock

Fetching source index from https://rubygems.org/
Retrying fetcher due to error (2/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (3/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Retrying fetcher due to error (4/4): Bundler::HTTPError Could not fetch specs from https://rubygems.org/
Could not fetch specs from https://rubygems.org/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet