🚨 [security] Update action_text-trix 2.1.17 → 2.1.18 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ action_text-trix (indirect, 2.1.17 → 2.1.18) · Repo · Changelog

Security Advisories 🚨

🚨 Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController)

Impact

The Trix editor, in versions prior to 2.1.18, is vulnerable to XSS when a crafted application/x-trix-document JSON payload is dropped into the editor in environments using the fallback Level0InputController (e.g., embedded WebViews lacking Input Events Level 2 support).

The StringPiece.fromJSON method trusted href attributes from the JSON payload without sanitization. An attacker could craft a draggable element containing a javascript: URI in the href attribute that, when dropped into a vulnerable editor, would bypass DOMPurify sanitization and inject executable JavaScript into the DOM.

Exploitation requires a specific environment (Level0InputController fallback) and social engineering (victim must drag and drop attacker-controlled content into the editor). Applications using server-side HTML sanitization (such as Rails' built-in sanitizer) are additionally protected, as the payload is neutralized on save.

Patches

Update Recommendation: Users should upgrade to Trix editor version 2.1.18 or later.

References

The XSS vulnerability was responsibly reported by Hackerone researcher newbiefromcoma.

Release Notes

2.1.18

Security

• Sanitize javascript: URI in JSON drag-drop deserialization by @flavorjones in #1293

Infrastructure/CI

• ci: harden GitHub Actions workflows by @flavorjones in #1284

Full Changelog: v2.1.17...v2.1.18

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

• v2.1.18
• Fix XSS via javascript: URI in JSON drag-drop deserialization (#1293)
• ci: harden GitHub Actions workflows (#1284)

↗️ bigdecimal (indirect, 4.0.1 → 4.1.0) · Repo · Changelog

Release Notes

4.1.0

What's Changed

• Remove ENABLE_NUMERIC_STRING flag by @tompng in #479
• Sample code without deprecated modules by @tompng in #480
• Improve performance of add/sub when exponent of two bigdecimals have huge difference by @tompng in #478
• Change frozen_string_literal from false to true by @tompng in #481
• NTT multiplication and Newton-Raphson division by @tompng in #407
• Implement BigMath::PI with Gauss-Legendre algorithm by @tompng in #434
• Improve taylor series calculation of exp and sin by bit burst algorithm by @tompng in #433
• Remove calculating log(10) in BigMath.log for large/small x by @tompng in #484
• Add missing call-seq by @tompng in #485
• Split internal extra calculation prec and BigDecimal.double_fig usage by @tompng in #486
• Add RBS signature and testing by @ksss in #488
• Add missing sig file by @ksss in #492
• Simplify butterfly operation of Number Theoretic Transform by @tompng in #496
• Assume always have uint64_t by @tompng in #497
• Use bit_length to calculate NTT bit size by @tompng in #498
• Update depend files, etc by @tompng in #499
• Fix erfc(x,prec) precision when x is huge by @tompng in #502
• Increase BigMath converge test precisions by @tompng in #503
• Fix error compiling with ruby.wasm by @tompng in #504
• Bump version to 4.1.0 by @tompng in #505

New Contributors

• @ksss made their first contribution in #488

Full Changelog: v4.0.1...v4.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 30 commits:

• Bump version to 4.1.0 (#505)
• Fix error compiling with ruby.wasm (#504)
• Increase BigMath converge test precisions (#503)
• Fix erfc(x,prec) precision when x is huge (#502)
• Update depend files, etc (#499)
• Use bit_length to calculate NTT bit size (#498)
• Remove DECDIG=uint16_t branch. BigDecimal already requires uint64_t from v3.1.0 (#497)
• Simplify butterfly operation of Number Theoretic Transform (#496)
• Merge pull request #494 from ruby/dependabot/github_actions/rubygems/release-gem-1.1.4
• Merge pull request #495 from ruby/dependabot/github_actions/step-security/harden-runner-2.16.0
• Bump step-security/harden-runner from 2.15.1 to 2.16.0
• Bump rubygems/release-gem from 1.1.2 to 1.1.4
• Merge pull request #493 from ruby/dependabot/github_actions/step-security/harden-runner-2.15.1
• Bump step-security/harden-runner from 2.14.1 to 2.15.1
• Add missing sig file (#492)
• Add RBS signature and testing (#488)
• Split internal extra calculation prec and BigDecimal.double_fig usage (#486)
• Add missing call-seq (#485)
• Remove calculating log(10) in BigMath.log for large/small x (#484)
• Improve taylor series calculation of exp and sin by bit burst algorithm (#433)
• Implement BigMath::PI with Gauss-Legendre algorithm (#434)
• NTT multiplication and Newton-Raphson division (#407)
• Merge pull request #483 from ruby/dependabot/github_actions/actions/checkout-6.0.2
• Merge pull request #482 from ruby/dependabot/github_actions/step-security/harden-runner-2.14.1
• Bump actions/checkout from 6.0.1 to 6.0.2
• Bump step-security/harden-runner from 2.14.0 to 2.14.1
• Change frozen_string_literal from false to true (#481)
• Improve performance of add/sub when exponent of two bigdecimals have huge difference (#478)
• Sample code without deprecated modules (#480)
• Remove ENABLE_NUMERIC_STRING flag (#479)

↗️ json (indirect, 2.19.2 → 2.19.3) · Repo · Changelog

Release Notes

2.19.3

• Fix handling of unescaped control characters preceeded by a backslash.

Full Changelog: v2.19.2...v2.19.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 2 commits:

• Release 2.19.3
• Fix handling of unescaped control characters preceeded by a backslash

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)