
Update dependency select2 to v4 [SECURITY] - autoclosed #301

Closed
wants to merge 1 commit into from


renovate[bot]
Contributor

@renovate renovate bot commented Sep 25, 2022

Mend Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| select2 (source) | 3.5.1 -> 4.0.6 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2016-10744

In Select2 through 4.0.5, as used in Snipe-IT and other products, rich selectlists allow XSS. This affects use cases with Ajax remote data loading when HTML templates are used to display listbox data.


Release Notes

select2/select2

v4.0.6

Compare Source

New features/improvements
Bug fixes
  • Fix up arrow error when there are no options in dropdown (#​5127)
  • Add ; before beginning of factory wrapper (#​5089)
  • Fix IE11 issue with select losing focus after selecting an item (#​4860)
  • Clear tooltip from select2-selection__rendered when selection is cleared (#​4640, #​4746)
  • Fix keyboard not closing when closing dropdown on iOS 10 (#​4680)
  • User-defined types not normalized properly when passed in as data (#​4632)
  • Perform deep merge for Defaults.set() (#​4364)
  • Fix "the results could not be loaded" displaying during AJAX request (#​4356)
  • Cache objects in Utils.__cache instead of using $.data (#​4346, #​5486)
  • Removing the double event binding registration of selection:update (#​4306)
Accessibility
  • Improve .select2-hidden-accessible (#​4908)
  • Add role and aria-readonly attributes to single selection dropdown value (#​4881)
Translations
  • Add Turkmen translations (tk) (#​5125)
  • Fix error in French translations (#​5122)
  • Add Albanian translation (sq) (#​5199)
  • Add Georgian translation (ka) (#​5179)
  • Add Nepali translation (ne) (#​5295)
  • Add Bangla translation (bn) (#​5248)
  • Add removeAllItems translation for clear "x" title (#​5291)
  • Fix wording in Vietnamese translations (#​5387)
  • Fix error in Russian translation (#​5401)
Miscellaneous
  • Remove duplicate CSS selector in classic theme (#​5115)

v4.0.5

Compare Source

Bug fixes
  • Replace autocapitalize=off with autocapitalize=none (#​4994)
Translations
  • Vietnamese: remove an unnecessary quote mark (#​5059)
  • Czech: Add missing commas and periods (#​5052)
  • Spanish: Update the 'errorLoading' message (#​5032)
  • Fix typo in Romanian (#​5005)
  • Improve French translation (#​4988)
  • Add Pashto translation (ps) (#​4960)
  • Add translations for lower and upper Sorbian (dsb and hsb) (#​4949)
  • Updates to Slovak (#​4915)
  • Fixed Norwegian inputTooShort message (#​4817, 4896)
  • Add Afrikaans translation (af) (#​4850)
  • Add Bosnian translation (bs) (#​4504)

v4.0.4

Compare Source

New features / Improvements
Bug fixes
Documentation
Translations

v4.0.3

Compare Source

This is the third bugfix release of Select2 4.0.0. It builds upon the second bugfix release and fixes many common issues.

New features / Improvements
Bug fixes
Documentation
Translations

v4.0.2

Compare Source

This is the second bugfix release of Select2 4.0.0. It builds upon the first release candidate of Select2 4.0.2 with some minor improvements.

New features / Improvements
Bug fixes
Documentation
Translations

v4.0.1

Compare Source

New features / improvements
  • Trigger input event before change events (#​4649)
  • Feed back the keypress code that was responsible for the 'close' event (#​5513)
  • Only trigger selection:update once on DOM change events (#​5734)
Bug fixes
  • Prevent opening of disabled elements (#​5751)
Documentation
  • Fix "edit this page" links in docs (#​5689)
Miscellaneous

v4.0.0

Compare Source

This builds upon the second release candidate, so review all previous release notes before upgrading from previous versions of Select2.

Supported environments
  • jQuery 1.7.2+
  • Modern browsers (Chrome, Firefox, Safari)
  • Internet Explorer 8+
New features
Breaking changes
  • Select2 now uses the MIT license
  • The full build of Select2 no longer includes jQuery - You must include jQuery separately on your page.
  • Select2 will prevent the inner scrolling of modals (and other scrollable containers) when it is open to prevent the UI from breaking. Read more at the commit.
  • jQuery is no longer listed as a dependency in the bower.json/component.json files.
  • <select> has replaced <input type="hidden" /> for all options (including remote data)
  • The matcher has been revamped to include full context, a compatibility module (select2/compat/matcher) has been created
  • The display always reflects the order data is sent to the server
  • The click mask is no longer the default (again). You can get back the old functionality by wrapping your selectionAdapter with the ClickMask (select2/selection/clickMask) decorator.
  • Select2 no longer stops the propagation of events happening within the dropdown and selection. You can use the StopPropagation modules available in the full builds to prevent this. [select2/select2@8f8140e3b00c5d5bb232455137c4c633d7da4275]
  • The enter key no longer toggles the state of multiple select items in the results, but instead will only select them. Use CTRL + Space instead to toggle the state. [select2/select2@017c20109471fa5b835603faf5dc37f7c2c2ea45]
  • Warnings will now be triggered in the developer console if Select2 detects an unsupported configuration.
Options
  • The default value of the width option has been changed from style to resolve.
  • The copy value for the width option has been renamed to style.
Renamed
  • formatSelection -> templateSelection
  • formatResult -> templateResult
  • sortResults -> sorter
  • createSearchChoice -> createTag
  • selectOnBlur -> selectOnClose
  • ajax.jsonpCallback -> ajax.jsonp
  • ajax.results -> ajax.processResults
  • tags: [array,of,data] -> data: [array,of,data], tags: true
  • placeholderOption has been replaced by placeholder.id (placeholder -> placeholder.text)
Internationalization
  • formatNoMatches -> language.noMatches
  • formatSearching -> language.searching
  • formatInputTooShort -> language.inputTooShort
  • formatInputTooLong -> language.inputTooLong
  • formatAjaxError -> language.errorLoading
  • formatLoading -> language.loadingMore
  • formatSelectionTooBig -> language.maximumSelected
Deprecated/Removed
  • initSelection - This is no longer needed with <select> tags. Limited backwards compatibility in the full build.
  • id - Data objects should now always have id and text attributes that are strings, use $.map when migrating
  • query - Use a custom data adapter instead. Limited backwards compatibility in the full build.
  • ajax.params - All parameters passed to ajax will be passed to the AJAX data transport function
Methods
Renamed
  • .select2("val", [value]) -> .val([value])
  • .select2("enable", !disabled) -> .prop("disabled", disabled)
Removed
  • .select2("onSortStart") and .select2("onSortEnd") - A custom selection adapter should be created instead
  • .select2("data", data) - Create the <option> tags for the objects that you would like to set, and set the .val to select them
  • .select2("readonly") - There is no way to make a <select> element read-only, disable it instead
Events
New
  • select2:closing is triggered before the dropdown is closed
  • select2:select is triggered when an option is selected
Renamed
  • select2-close is now select2:close
  • select2-open is now select2:open
  • select2-opening is now select2:opening
  • select2-selecting is now select2:selecting
  • select2-removed is now select2:unselect
  • select2-removing is now select2:unselecting
Removed
  • select2-clearing has been removed in favor of select2:unselecting
  • select2-highlight
  • select2-loaded
  • select2-focus - Use the native focus event instead
  • select2-blur - Use the native blur event instead
  • All extra properties from the change event were removed
    • val can be retrieved with $element.val() instead
    • added can be retrieved by listening to select2:select
    • removed can be retrieved by listening to select2:unselect

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot changed the title from "Update dependency select2 to 4.0.6 [SECURITY]" to "Update dependency select2 to v4 [SECURITY]" Mar 22, 2023
@renovate renovate bot changed the title from "Update dependency select2 to v4 [SECURITY]" to "Update dependency select2 to v4 [SECURITY] - autoclosed" Jun 14, 2023
@renovate renovate bot closed this Jun 14, 2023
@renovate renovate bot deleted the renovate/npm-select2-vulnerability branch June 14, 2023 05:20
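
An added example, not code from Renovate or the Select2 project: a helper that rewrites a 3.x options object using the 4.0.0 renames quoted in the release notes above and lists what needs manual review, including Ajax configurations that render through template functions (the case CVE-2016-10744 describes). The name `migrateSelect2Options` and the shape of its return value are hypothetical.

```javascript
// Added example: hypothetical helper, not part of Select2 or Renovate.
// Rename tables are taken from the 4.0.0 release notes quoted in this PR.
const table = (obj) => new Map(Object.entries(obj));
const TOP = table({ formatSelection: 'templateSelection', formatResult: 'templateResult',
  sortResults: 'sorter', createSearchChoice: 'createTag', selectOnBlur: 'selectOnClose' });
const AJAX = table({ jsonpCallback: 'jsonp', results: 'processResults' });
const LANG = table({ formatNoMatches: 'noMatches', formatSearching: 'searching',
  formatInputTooShort: 'inputTooShort', formatInputTooLong: 'inputTooLong',
  formatAjaxError: 'errorLoading', formatLoading: 'loadingMore',
  formatSelectionTooBig: 'maximumSelected' });
const MANUAL = table({ initSelection: 'deprecated/removed in 4.0.0',
  id: 'data objects need string id and text', query: 'use a custom data adapter',
  placeholderOption: 'replaced by placeholder.id' });

function migrateSelect2Options(v3) {
  const options = {};
  const review = [];
  for (const [key, value] of Object.entries(v3)) {
    if (TOP.has(key)) {
      options[TOP.get(key)] = value;
    } else if (LANG.has(key)) {
      options.language = options.language || {};
      options.language[LANG.get(key)] = value;
    } else if (MANUAL.has(key)) {
      review.push(key + ': ' + MANUAL.get(key));
    } else if (key === 'tags' && Array.isArray(value)) {
      options.data = value;      // tags: [...] -> data: [...], tags: true
      options.tags = true;
    } else if (key === 'width' && value === 'copy') {
      options.width = 'style';   // the "copy" value was renamed to "style"
    } else if (key === 'ajax') {
      options.ajax = {};
      for (const [k, v] of Object.entries(value)) {
        if (k === 'params') review.push('ajax.params: removed, set parameters on ajax itself');
        else options.ajax[AJAX.get(k) || k] = v;
      }
    } else {
      options[key] = value;      // unchanged option, copied through
    }
  }
  // CVE-2016-10744 concerns Ajax remote data displayed through HTML templates,
  // so flag that combination for a manual escaping review.
  const renders = ['templateResult', 'templateSelection', 'escapeMarkup']
    .filter((name) => typeof options[name] === 'function');
  if (options.ajax && renders.length > 0) {
    review.push('ajax + ' + renders.join(', ') + ': check remote fields are escaped');
  }
  return { options, review };
}
```
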