
[Security] Bump vuetify from 2.6.8 to 2.6.10 in /webapp

Dependabot requested to merge dependabot-npm_and_yarn-webapp-vuetify-2.6.10 into master

Bumps vuetify from 2.6.8 to 2.6.10. This update includes a security fix.

Vulnerabilities fixed

Vuetify Cross-site Scripting vulnerability

The package vuetify from 2.0.0-beta.4 and before 2.6.10 is vulnerable to Cross-site Scripting (XSS) due to improper input sanitization in the 'eventName' function within the VCalendar component.

Patched versions: 2.6.10

Affected versions: >= 2.0.0-beta.4, < 2.6.10

Release notes

Sourced from vuetify's releases.

v2.6.10

🔧 Bug Fixes

  • VCalendar: prevent XSS from eventName function (ade1434), closes #15757
  • VDialog: don't try to focus tabindex="-1" or hidden inputs (89e3850), closes #15745
  • VMenu: disable activatorFixed when attach is enabled (#15709) (464529a), closes #14922
  • VTextField: only show clear icon on hover or when focused (7a51ad0)
  • VTextField: prevent tabbing to clear button (f8ee680), closes #11202
  • web-types: add support for VDataTable pattern slots (#15694) (ac45c98)

🔬 Code Refactoring

  • VSelect: render highlight with vnodes instead of innerHTML (4468e3c)

BREAKING CHANGES

  • VCalendar: eventName function can no longer render arbitrary HTML, convert to VNodes instead. eventSummary can no longer be used with v-html, replace with <component :is="{ render: eventSummary }" />

v2.6.9

🔧 Bug Fixes

  • VCalendar: add aria roles to monthly calendar (#14640) (2cd34b4), closes #14604
  • VCalendar: forward all bound events to internal elements (#15592) (299330c)
  • VCarousel: add keys to delimiter buttons (#15459) (8d3895b)
  • VPagination: ignore invalid length values (f3f8d15), closes #15499
  • VRadio: change icon color when disabled (0cc43e2)
  • VSwitch: only affect control opacity when disabled (1e0a4ad)

Commits

  • fdfb6fc chore(release): publish v2.6.10
  • cd193e4 fix(VSelectList): correct mask class
  • 89e3850 fix(VDialog): don't try to focus tabindex="-1" or hidden inputs
  • 4468e3c refactor(VSelect): render highlight with vnodes instead of innerHTML
  • ade1434 fix(VCalendar): prevent XSS from eventName function
  • 464529a fix(VMenu): disabled activatorFixed when attach is enabled (#15709)
  • 7a51ad0 fix(VTextField): only show clear icon on hover or when focused
  • f8ee680 fix(VTextField): prevent tabbing to clear button
  • 170c7d1 chore(release): publish v2.6.9
  • 2cd34b4 fix(VCalendar): add aria roles to monthly calendar (#14640)
  • Additional commits viewable in compare view


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
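
The VCalendar breaking change in the v2.6.10 release notes above, shown as an added example (not code from Vuetify or from this merge request): an `eventName`-style function that builds an HTML string next to one that returns vnodes with the event data as text children. `h`, `renderToString`, `elementTags`, both formatter functions and the sample event are hypothetical stand-ins so the block runs in plain Node without Vue.

```javascript
// Added illustration: h() and renderToString() are minimal stand-ins,
// not Vue's or Vuetify's real API. The event below is constructed sample data.
const h = (tag, children = []) => ({ tag, children: [].concat(children) });

const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// String children of a vnode are text nodes: a renderer emits them as text,
// never as markup, which is what escaping models here.
function renderToString(node) {
  if (typeof node === 'string') return escapeHtml(node);
  const inner = node.children.map(renderToString).join('');
  return `<${node.tag}>${inner}</${node.tag}>`;
}

// Old pattern: eventName builds an HTML string that is then rendered as HTML.
function eventNameHtml(event) {
  return `<strong>${event.name}</strong> ${event.time}`;
}

// Migrated pattern: eventName returns vnodes; event data only ever
// appears as text children.
function eventNameVNodes(event) {
  return h('span', [h('strong', event.name), ` ${event.time}`]);
}

// Constructed event whose name field carries markup (e.g. imported data).
const sampleEvent = { name: '<img src=x onerror=alert(1)>', time: '09:00' };

// Tag names an HTML parser would create elements for in the given markup.
function elementTags(html) {
  return [...html.matchAll(/<([a-z][a-z0-9]*)\b/gi)].map((m) => m[1].toLowerCase());
}

function demo() {
  const legacy = eventNameHtml(sampleEvent);
  const migrated = renderToString(eventNameVNodes(sampleEvent));
  return {
    legacy,
    migrated,
    legacyTags: elementTags(legacy),     // includes the injected element
    migratedTags: elementTags(migrated), // only the tags the code created
  };
}

console.log(demo());
```

When reviewing `/webapp` for this bump, any `eventName` function that concatenates event fields into markup, and any `v-html` bound to `eventSummary`, is the code that needs the migration described in the breaking-change note.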
