Commit e0401ce

build(deps): bump github.com/cyphar/filepath-securejoin from 0.4.0 to 0.4.1 (#46)
Bumps [github.com/cyphar/filepath-securejoin](https://github.com/cyphar/filepath-securejoin) from 0.4.0 to 0.4.1.

**Release notes**

*Sourced from [github.com/cyphar/filepath-securejoin's releases](https://github.com/cyphar/filepath-securejoin/releases).*

> ## v0.4.1
>
> This release fixes a regression introduced in one of the hardening features added to filepath-securejoin 0.4.0.
>
> - The restrictions added for `root` paths passed to `SecureJoin` in 0.4.0 was found to be too strict and caused some regressions when folks tried to update, so this restriction has been relaxed to only return an error if the path contains a `..` component. We still recommend users use `filepath.Clean` (and even `filepath.EvalSymlinks`) on the `root` path they are using, but at least you will no longer be punished for "trivial" unclean paths. ([#46](https://redirect.github.com/cyphar/filepath-securejoin/issues/46))
>
> Signed-off-by: Aleksa Sarai [email protected]

**Changelog**

*Sourced from [github.com/cyphar/filepath-securejoin's changelog](https://github.com/cyphar/filepath-securejoin/blob/main/CHANGELOG.md).*

> ## [0.4.1] - 2025-01-28
>
> ### Fixed
>
> - The restrictions added for `root` paths passed to `SecureJoin` in 0.4.0 was found to be too strict and caused some regressions when folks tried to update, so this restriction has been relaxed to only return an error if the path contains a `..` component. We still recommend users use `filepath.Clean` (and even `filepath.EvalSymlinks`) on the `root` path they are using, but at least you will no longer be punished for "trivial" unclean paths.

**Commits**

- [`7abd870`](https://github.com/cyphar/filepath-securejoin/commit/7abd870410ccf784788af4f55c6413c9ef47222d) VERSION: release v0.4.1
- [`509a359`](https://github.com/cyphar/filepath-securejoin/commit/509a359825574ec98dcc71d46a7da70f6c2c4592) merge [#47](https://redirect.github.com/cyphar/filepath-securejoin/issues/47) into cyphar/filepath-securejoin:main
- [`fbaef26`](https://github.com/cyphar/filepath-securejoin/commit/fbaef26914475e0fc00ffc264810f27843a0046e) join: loosen cleanliness requirements for SecureJoin root
- [`54460df`](https://github.com/cyphar/filepath-securejoin/commit/54460df8cb63e951ec6779792fc03917481e2587) merge [#45](https://redirect.github.com/cyphar/filepath-securejoin/issues/45) into cyphar/filepath-securejoin:main
- [`14e6cfe`](https://github.com/cyphar/filepath-securejoin/commit/14e6cfe11c46b0db91ecdc35df660ef789333ced) VERSION: back to development
- See full diff in [compare view](https://github.com/cyphar/filepath-securejoin/compare/v0.4.0...v0.4.1)

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github.com/cyphar/filepath-securejoin&package-manager=go_modules&previous-version=0.4.0&new-version=0.4.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself.
2 parents 4a92518 + a938b94 commit e0401ce

2 files changed

+3
-3
lines changed

go.mod

Lines changed: 1 addition & 1 deletion
@@ -3,7 +3,7 @@ module github.com/qubesome/cli
33
go 1.23.3
44

55
require (
6-
github.com/cyphar/filepath-securejoin v0.4.0
6+
github.com/cyphar/filepath-securejoin v0.4.1
77
github.com/go-git/go-git/v5 v5.13.2
88
github.com/google/uuid v1.6.0
99
github.com/stretchr/testify v1.10.0
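
Review bot: the `filepath-securejoin v0.4.1` line in the `require` block brings in a looser `root` check than v0.4.0, so any `SecureJoin` call site in this module should not count on the library to reject an unclean root. Per the release notes quoted in the commit message, 0.4.1 returns an error only when `root` contains a `..` component. Before merging, confirm that each caller passes a root that has already been through `filepath.Clean` (and `filepath.EvalSymlinks` where the root may itself be a symlink), as upstream recommends, and say so in the PR description since the commit message is entirely bot-generated.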

go.sum

Lines changed: 2 additions & 2 deletions
@@ -11,8 +11,8 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPd
1111
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
1212
github.com/cloudflare/circl v1.5.0 h1:hxIWksrX6XN5a1L2TI/h53AGPhNHoUBo+TD1ms9+pys=
1313
github.com/cloudflare/circl v1.5.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
14-
github.com/cyphar/filepath-securejoin v0.4.0 h1:PioTG9TBRSApBpYGnDU8HC+miIsX8vitBH9LGNNMoLQ=
15-
github.com/cyphar/filepath-securejoin v0.4.0/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
14+
github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
15+
github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
1616
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
1717
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
1818
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
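
Review bot: the two added `v0.4.1` lines are the only integrity pin for the new dependency code, and nothing in this commit records that they were checked independently of the bot that wrote them. The `/go.mod` hash is identical to the v0.4.0 one (`h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=`), which is consistent with a release that left the dependency's own go.mod untouched, while the module `h1:` hash changes as expected. Suggest regenerating these two lines locally with the default `GOSUMDB` and confirming they match, and building in CI with `-mod=readonly` so a go.sum mismatch fails the build.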
