mirror of
https://github.com/coder/coder.git
synced 2026-06-02 20:48:20 +00:00
e96d033e89
Bumps [sanitize-html](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html) and [@types/sanitize-html](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/sanitize-html). These dependencies needed to be updated together.

Updates `sanitize-html` from 2.17.0 to 2.17.3

<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/apostrophecms/apostrophe/blob/main/packages/sanitize-html/CHANGELOG.md">sanitize-html's changelog</a>.</em></p>
<blockquote>
<h2>2.17.3 (2026-04-15)</h2>
<h3>Security</h3>
<ul>
<li>Fix vulnerability introduced in version 2.17.2 that allowed XSS attacks if the developer chose to permit <code>option</code> tags. There was no vulnerability when not explicitly allowing <code>option</code> tags.</li>
</ul>
<h2>2.17.2 (2026-03-19)</h2>
<h3>Changes</h3>
<ul>
<li>Upgrade <code>htmlparser2</code> from 8.x to 10.1.0. This improves security by correctly decoding zero-padded numeric character references (e.g., <code>&#0000001</code>) that previously bypassed <code>javascript:</code> URL detection. Also fixes double-encoding of entities inside raw text elements like <code>textarea</code> and <code>option</code>.</li>
</ul>
<h2>2.17.1 (2026-02-18)</h2>
<h3>Fixes</h3>
<ul>
<li>Fix unclosed tags (e.g., <code><hello</code>) returning empty string in <code>escape</code> and <code>recursiveEscape</code> modes. Fixes <a href="https://redirect.github.com/apostrophecms/sanitize-html/issues/706">#706</a>. Thanks to <a href="https://github.com/choi2601">Byeong Hyeon</a> for the fix.</li>
</ul>
</blockquote>
</details>

<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/apostrophecms/apostrophe/commit/96cf174486e1387948e189786c2d574cf7c3f3d0"><code>96cf174</code></a> For release only (<a href="https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html/issues/5381">#5381</a>)</li>
<li><a href="https://github.com/apostrophecms/apostrophe/commit/7ca2d16237c72718ef7e5c7ae0458e6027ac4f64"><code>7ca2d16</code></a> Merge commit from fork</li>
<li><a href="https://github.com/apostrophecms/apostrophe/commit/297a4227f30243c25c172ae69a9435884d496e73"><code>297a422</code></a> Bump dependencies (<a href="https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html/issues/5376">#5376</a>)</li>
<li><a href="https://github.com/apostrophecms/apostrophe/commit/7e607c9fe1605764144bdc9f529961d5738e7ea2"><code>7e607c9</code></a> Changelog reconciliation for release (<a href="https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html/issues/5359">#5359</a>)</li>
<li><a href="https://github.com/apostrophecms/apostrophe/commit/49d0bb775161ce5ccf572752979ff727a31e51a5"><code>49d0bb7</code></a> Port/sanitize html community contrib (<a href="https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html/issues/5337">#5337</a>)</li>
<li><a href="https://github.com/apostrophecms/apostrophe/commit/a9ca4ef04f77a8e73add90e96254f3358cf4cbaa"><code>a9ca4ef</code></a> For release only (<a href="https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html/issues/5328">#5328</a>)</li>
<li><a href="https://github.com/apostrophecms/apostrophe/commit/bbf3359314c1bff667f11716e3cb55d3d42f0150"><code>bbf3359</code></a> Port sanitize html standalone pr (<a href="https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html/issues/5323">#5323</a>)</li>
<li><a href="https://github.com/apostrophecms/apostrophe/commit/f5f266c2caff45df376aba68d06f4bb67cbde5d7"><code>f5f266c</code></a> Adds changeset (<a href="https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html/issues/5209">#5209</a>)</li>
<li><a href="https://github.com/apostrophecms/apostrophe/commit/c9aba85f33b958278fdb9ccff52ce79e299e3913"><code>c9aba85</code></a> PRO-8756: monorepo workflows (<a href="https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html/issues/5179">#5179</a>)</li>
<li><a href="https://github.com/apostrophecms/apostrophe/commit/107bcd2427a4e6e8e41e5a48847cdc8548fcb242"><code>107bcd2</code></a> Pro 8756 monorepo switch (<a href="https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html/issues/5177">#5177</a>)</li>
<li>See full diff in <a href="https://github.com/apostrophecms/apostrophe/commits/sanitize-html@2.17.3/packages/sanitize-html">compare view</a></li>
</ul>
</details>
<br />

Updates `@types/sanitize-html` from 2.16.0 to 2.16.1

<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/sanitize-html">compare view</a></li>
</ul>
</details>
<br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
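The 2.17.2 changelog entry above is about ordering: a URL-scheme filter that inspects the raw attribute value sees `&#0000106;` rather than the letter `j`, so it never matches `javascript:` even though the browser will decode the reference (leading zeros and all) before navigating. The defensive rule is to decode character references and apply the browser's own URL normalisation first, and only then compare the scheme against an allowlist. The block below is an added illustration of that check; it is not sanitize-html's or htmlparser2's code, the named-entity table is a deliberately small subset (a real implementation would use the full HTML5 table or the DOM), and the test vectors are constructed for this example.

```javascript
// Added example: decode-then-check URL scheme filtering (not sanitize-html code).
// Deliberately tiny subset of the HTML5 named character references; a real
// sanitizer must use the complete table (or let an HTML parser decode for it).
const NAMED_REFS = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
                     colon: ":", Tab: "\t", NewLine: "\n" };

// Decode numeric (decimal/hex, with or without leading zeros, with or without
// the trailing ';') and the named references above, the way a browser would.
function decodeCharRefs(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z][a-zA-Z0-9]*);?/g,
    (match, body) => {
      if (body[0] === "#") {
        const isHex = body[1] === "x" || body[1] === "X";
        // parseInt discards leading zeros, so "#0000106" and "#106" both give 106.
        const cp = parseInt(body.slice(isHex ? 2 : 1), isHex ? 16 : 10);
        // Null, out-of-range and surrogate code points become U+FFFD per the HTML spec.
        if (!Number.isFinite(cp) || cp === 0 || cp > 0x10ffff ||
            (cp >= 0xd800 && cp <= 0xdfff)) return "\uFFFD";
        return String.fromCodePoint(cp);
      }
      return Object.prototype.hasOwnProperty.call(NAMED_REFS, body)
        ? NAMED_REFS[body] : match;   // unknown names are left untouched
    });
}

// Mirror the WHATWG URL parser's pre-processing: strip leading/trailing C0
// controls and spaces, and remove tab/newline characters anywhere in the string.
function normalizeUrl(raw) {
  let u = decodeCharRefs(raw);
  u = u.replace(/[\t\n\r]/g, "");
  u = u.replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
  return u;
}

// Return the lower-cased scheme of an absolute URL, or null for relative URLs.
function urlScheme(url) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(url);
  return m ? m[1].toLowerCase() : null;
}

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Correct check: normalise first, then allowlist the scheme.
function isSafeUrl(raw) {
  const scheme = urlScheme(normalizeUrl(raw));
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// The flawed variant the changelog describes: same allowlist, but applied to
// the un-decoded attribute value, so an encoded first letter hides the scheme.
function naiveIsSafeUrl(raw) {
  const scheme = urlScheme(raw);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed vectors for a quick self-check when run directly.
const VECTORS = [
  "https://example.com/",                 // plain absolute URL: allowed
  "/relative/path",                       // relative URL: allowed
  "&#0000106;avascript:void(0)",          // zero-padded decimal reference
  "&#x6A;avascript:void(0)",              // hex reference
  "jav&Tab;ascript:void(0)",              // tab removed by URL pre-processing
];
if (typeof require !== "undefined" && require.main === module) {
  for (const v of VECTORS) {
    console.log(JSON.stringify(v), "naive:", naiveIsSafeUrl(v), "decoded:", isSafeUrl(v));
  }
}
module.exports = { decodeCharRefs, normalizeUrl, urlScheme, isSafeUrl, naiveIsSafeUrl };
```

Running the block prints the two verdicts side by side: the naive filter reports the encoded vectors as safe because it never sees a scheme, while the decode-then-check filter rejects all three. The same ordering applies to any allowlist-based attribute filter, which is why upgrading the underlying parser (as this bump does) changes the sanitizer's security behaviour even though the filter logic itself did not change.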