chore(deps): bump the composer group across 1 directory with 2 updates #165

New Issue

MrUnknownDE · 2026-04-05T19:51:18+02:00

MrUnknownDE commented

2026-04-05 19:51:18 +02:00

Originally created by @dependabot[bot] on 5/6/2025

Bumps the composer group with 1 update in the / directory: laravel/framework.

Updates laravel/framework from 11.31.0 to 11.44.1

Release notes

Sourced from laravel/framework's releases.

v11.44.1

[11.x] Add valid values to ensure method by @lancepioch in laravel/framework#54840

Fix attribute name used on Validator instance within certain rule classes by @crynobone in laravel/framework#54845

[11.x] Fix Application::interBasePath() fails to resolve application when project name is "vendor" by @crynobone in laravel/framework#54871

[11.x] Test improvements by @crynobone in laravel/framework#54879

v11.44.0

[11.x] Fix parsing PHP_CLI_SERVER_WORKERS as string instead of int by @crynobone in laravel/framework#54724

[11.x] Rename Redis parse connection for cluster test method to follow naming conventions by @jackbayliss in laravel/framework#54721

[11.x] Allow readAt method to use in database channel by @utsavsomaiya in laravel/framework#54729

[11.x] Fix: Custom Exceptions with Multiple Arguments does not properly rein… by @pandiselvamm in laravel/framework#54705

[11.x] Update ConcurrencyTest exception reference to use namespace by @jackbayliss in laravel/framework#54732

[11.x] Deprecate Factory::$modelNameResolver by @samlev in laravel/framework#54736

[11x.] Improved typehints for InteractsWithDatabase by @cosmastech in laravel/framework#54748

[11.x] Improved typehints for InteractsWithExceptionHandling && ExceptionHandlerFake by @cosmastech in laravel/framework#54747

v11.43.2

[11.x] Add missing test for implode() by @nuernbergerA in laravel/framework#54704

[11.x] Enhance eventStream to Support Custom Events and Start Messages by @devhammed in laravel/framework#54695

Revert "[11.x] Enhance eventStream to Support Custom Events and Start Messages" by @taylorotwell in laravel/framework#54714

[11.x] Replace MD5 with xxh128 in File::hasSameHash() by @vlakoff in laravel/framework#54690

[11.x] Add parameter typing for closure to addGlobalScope method by @jnoordsij in laravel/framework#54677

[11.x] assertOnlyJsonValidationErrors / assertOnlyInvalid by @gdebrauwer in laravel/framework#54678

[11.x] Allow for assertions against QueueFake::pushRaw() by @cosmastech in laravel/framework#54703

[11.x] Fix: Handles non nested explode of multiple Date and Numeric rules in ValidationRuleParser by @AlexandreMeledandri in laravel/framework#54718

v11.43.1

[11.x] Fix "Divide by Zero" regression bug introduced in #54650 by @crynobone in laravel/framework#54685

Revert "Fix Collection::implode with \Stringable objects" by @crynobone in laravel/framework#54691

v11.43.0

Remove Incorrect @mixin Annotation in BuildsQueries Trait by @daniel-de-wit in laravel/framework#54596

make withoutScopedBindings usable on RouteRegistrar by @ssninnni in laravel/framework#54592

[11.x] Update Broadcasting Install Command For Bun Version 1.1.39^ by @realpoke in laravel/framework#54605

[11.x] Add isTtySupported to Process facade by @Riley19280 in laravel/framework#54604

[11.x] fix: pagination generics by @calebdw in laravel/framework#54601

Convert closures to arrow functions in the Model class by @alikhosravidev in laravel/framework#54599

[11.x] Document hashedValue as non-nullable by @JurianArie in laravel/framework#54615

[11.x] Prohibited If Declined and Prohibited If Accepted validation rules by @osama-98 in laravel/framework#54608

[11.x] Fix param types for orWhereHasMorph method by @simonellensohn in laravel/framework#54659

[11.x] Add pascal alias for studly string helper by @da-mask in laravel/framework#54655

[11.x] make the Eloquent missing attribute handler more accurate by changing offsetExists by @koenvu in laravel/framework#54654

[11.x] use exec function if the symlink function is unavailable by @aisuvro in laravel/framework#54651

[11.x] use value helper for $perPage as used for $total by @rodrigopedra in laravel/framework#54650

[11.x] [cleanup] used illuminate str contains by @daison12006013 in laravel/framework#54647

[11.x] Allow can attribute on group by @utsavsomaiya in laravel/framework#54648

Test Improvements by @crynobone in laravel/framework#54645

Fixes Factory Using Wrong Model Name by @SameOldNick in laravel/framework#54644

[11.x] fix 'parsePipeString' in pipeline helper by @igzard in laravel/framework#54643

Update old() docblock by @AJenbo in laravel/framework#54641

... (truncated)

Commits

0883d41 Update version to v11.44.1
c666f89 [11.x] Test improvements (#54879)
1154a31 [11.x] Fix Application::interBasePath() fails to resolve application when p...
a8da712 Fix attribute name used on Validator instance within certain rule classes (...
fd9681f [11.x] Add valid values to ensure method (#54840)
9de7525 Update CHANGELOG
e9a33da Update version to v11.44.0
2c72603 exception handling typehints (#54747)
344c37f [11x.] Improved typehints for InteractsWithDatabase (#54748)
0054c26 [11.x] Deprecate Factory::$modelNameResolver (#54736)
Additional commits viewable in compare view

Updates league/commonmark from 2.6.1 to 2.7.0

Release notes

Sourced from league/commonmark's releases.

2.7.0

This is a security release to address a potential cross-site scripting (XSS) vulnerability when using the AttributesExtension with untrusted user input.

Added

Added attributes/allow config option to specify which attributes users are allowed to set on elements (default allows virtually all attributes)

Changed

The AttributesExtension blocks all attributes starting with on unless explicitly allowed via the attributes/allow config option

The allow_unsafe_links option is now respected by the AttributesExtension when users specify href and src attributes

2.6.2

Fixed

Fixed Attributes extension parsing regression (#1071)

Other Changes

fix incorrect interface in docs v2.6 by @CharrafiMed in thephpleague/commonmark#1063

docs/2.6/extensions/front-matter.md: add missing newline by @DanielEScherzer in thephpleague/commonmark#1069

New Contributors

@CharrafiMed made their first contribution in thephpleague/commonmark#1063

@DanielEScherzer made their first contribution in thephpleague/commonmark#1069

Full Changelog: https://github.com/thephpleague/commonmark/compare/2.6.1...2.6.2

Changelog

Sourced from league/commonmark's changelog.

[2.7.0]

This is a security release to address a potential cross-site scripting (XSS) vulnerability when using the AttributesExtension with untrusted user input.

Added

Added attributes/allow config option to specify which attributes users are allowed to set on elements (default allows virtually all attributes)

Changed

The AttributesExtension blocks all attributes starting with on unless explicitly allowed via the attributes/allow config option

The allow_unsafe_links option is now respected by the AttributesExtension when users specify href and src attributes

[2.6.2] - 2025-04-18

Fixed

Fixed Attributes extension parsing regression (#1071)

Commits

6fbb36d Prepare to release 2.7.0
f0d626c Merge commit from fork
4320725 Fix XSS in AttributesExtension
d4b08b8 Create 2.7 branch
5b794e1 Remove docs for 1.0 - 1.5
3db9d35 Merge branch '2.6'
06c3b0b Prepare to release 2.6.2
771974c Fix Attributes extension parsing regression (#1071)
e99ee2e Merge pull request #1069 from DanielEScherzer/patch-1
f356ca5 docs/2.6/extensions/front-matter.md: add missing newline
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

*Originally created by @dependabot[bot] on 5/6/2025* Bumps the composer group with 1 update in the / directory: [laravel/framework](https://github.com/laravel/framework). Updates `laravel/framework` from 11.31.0 to 11.44.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/laravel/framework/releases">laravel/framework's releases</a>.</em></p> <blockquote> <h2>v11.44.1</h2> <ul> <li>[11.x] Add valid values to ensure method by <a href="https://github.com/lancepioch"><code>@lancepioch</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54840">laravel/framework#54840</a></li> <li>Fix attribute name used on <code>Validator</code> instance within certain rule classes by <a href="https://github.com/crynobone"><code>@crynobone</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54845">laravel/framework#54845</a></li> <li>[11.x] Fix <code>Application::interBasePath()</code> fails to resolve application when project name is "vendor" by <a href="https://github.com/crynobone"><code>@crynobone</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54871">laravel/framework#54871</a></li> <li>[11.x] Test improvements by <a href="https://github.com/crynobone"><code>@crynobone</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54879">laravel/framework#54879</a></li> </ul> <h2>v11.44.0</h2> <ul> <li>[11.x] Fix parsing <code>PHP_CLI_SERVER_WORKERS</code> as <code>string</code> instead of <code>int</code> by <a href="https://github.com/crynobone"><code>@crynobone</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54724">laravel/framework#54724</a></li> <li>[11.x] Rename Redis parse connection for cluster test method to follow naming conventions by <a href="https://github.com/jackbayliss"><code>@jackbayliss</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54721">laravel/framework#54721</a></li> <li>[11.x] Allow <code>readAt</code> method to use in database channel by <a href="https://github.com/utsavsomaiya"><code>@utsavsomaiya</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54729">laravel/framework#54729</a></li> <li>[11.x] Fix: Custom Exceptions with Multiple Arguments does not properly rein… by <a href="https://github.com/pandiselvamm"><code>@pandiselvamm</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54705">laravel/framework#54705</a></li> <li>[11.x] Update ConcurrencyTest exception reference to use namespace by <a href="https://github.com/jackbayliss"><code>@jackbayliss</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54732">laravel/framework#54732</a></li> <li>[11.x] Deprecate <code>Factory::$modelNameResolver</code> by <a href="https://github.com/samlev"><code>@samlev</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54736">laravel/framework#54736</a></li> <li>[11x.] Improved typehints for <code>InteractsWithDatabase</code> by <a href="https://github.com/cosmastech"><code>@cosmastech</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54748">laravel/framework#54748</a></li> <li>[11.x] Improved typehints for <code>InteractsWithExceptionHandling</code> && <code>ExceptionHandlerFake</code> by <a href="https://github.com/cosmastech"><code>@cosmastech</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54747">laravel/framework#54747</a></li> </ul> <h2>v11.43.2</h2> <ul> <li>[11.x] Add missing test for <code>implode()</code> by <a href="https://github.com/nuernbergerA"><code>@nuernbergerA</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54704">laravel/framework#54704</a></li> <li>[11.x] Enhance eventStream to Support Custom Events and Start Messages by <a href="https://github.com/devhammed"><code>@devhammed</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54695">laravel/framework#54695</a></li> <li>Revert "[11.x] Enhance eventStream to Support Custom Events and Start Messages" by <a href="https://github.com/taylorotwell"><code>@taylorotwell</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54714">laravel/framework#54714</a></li> <li>[11.x] Replace MD5 with xxh128 in File::hasSameHash() by <a href="https://github.com/vlakoff"><code>@vlakoff</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54690">laravel/framework#54690</a></li> <li>[11.x] Add parameter typing for closure to addGlobalScope method by <a href="https://github.com/jnoordsij"><code>@jnoordsij</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54677">laravel/framework#54677</a></li> <li>[11.x] <code>assertOnlyJsonValidationErrors</code> / <code>assertOnlyInvalid</code> by <a href="https://github.com/gdebrauwer"><code>@gdebrauwer</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54678">laravel/framework#54678</a></li> <li>[11.x] Allow for assertions against <code>QueueFake::pushRaw()</code> by <a href="https://github.com/cosmastech"><code>@cosmastech</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54703">laravel/framework#54703</a></li> <li>[11.x] Fix: Handles non nested explode of multiple Date and Numeric rules in ValidationRuleParser by <a href="https://github.com/AlexandreMeledandri"><code>@AlexandreMeledandri</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54718">laravel/framework#54718</a></li> </ul> <h2>v11.43.1</h2> <ul> <li>[11.x] Fix "Divide by Zero" regression bug introduced in <a href="https://redirect.github.com/laravel/framework/issues/54650">#54650</a> by <a href="https://github.com/crynobone"><code>@crynobone</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54685">laravel/framework#54685</a></li> <li>Revert "Fix Collection::implode with \Stringable objects" by <a href="https://github.com/crynobone"><code>@crynobone</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54691">laravel/framework#54691</a></li> </ul> <h2>v11.43.0</h2> <ul> <li>Remove Incorrect <a href="https://github.com/mixin"><code>@mixin</code></a> Annotation in BuildsQueries Trait by <a href="https://github.com/daniel-de-wit"><code>@daniel-de-wit</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54596">laravel/framework#54596</a></li> <li>make withoutScopedBindings usable on RouteRegistrar by <a href="https://github.com/ssninnni"><code>@ssninnni</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54592">laravel/framework#54592</a></li> <li>[11.x] Update Broadcasting Install Command For Bun Version 1.1.39^ by <a href="https://github.com/realpoke"><code>@realpoke</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54605">laravel/framework#54605</a></li> <li>[11.x] Add isTtySupported to Process facade by <a href="https://github.com/Riley19280"><code>@Riley19280</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54604">laravel/framework#54604</a></li> <li>[11.x] fix: pagination generics by <a href="https://github.com/calebdw"><code>@calebdw</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54601">laravel/framework#54601</a></li> <li>Convert closures to arrow functions in the Model class by <a href="https://github.com/alikhosravidev"><code>@alikhosravidev</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54599">laravel/framework#54599</a></li> <li>[11.x] Document hashedValue as non-nullable by <a href="https://github.com/JurianArie"><code>@JurianArie</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54615">laravel/framework#54615</a></li> <li>[11.x] Prohibited If Declined and Prohibited If Accepted validation rules by <a href="https://github.com/osama-98"><code>@osama-98</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54608">laravel/framework#54608</a></li> <li>[11.x] Fix param types for <code>orWhereHasMorph</code> method by <a href="https://github.com/simonellensohn"><code>@simonellensohn</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54659">laravel/framework#54659</a></li> <li>[11.x] Add pascal alias for studly string helper by <a href="https://github.com/da-mask"><code>@da-mask</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54655">laravel/framework#54655</a></li> <li>[11.x] make the Eloquent missing attribute handler more accurate by changing offsetExists by <a href="https://github.com/koenvu"><code>@koenvu</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54654">laravel/framework#54654</a></li> <li>[11.x] use exec function if the symlink function is unavailable by <a href="https://github.com/aisuvro"><code>@aisuvro</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54651">laravel/framework#54651</a></li> <li>[11.x] use value helper for $perPage as used for $total by <a href="https://github.com/rodrigopedra"><code>@rodrigopedra</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54650">laravel/framework#54650</a></li> <li>[11.x] [cleanup] used illuminate str contains by <a href="https://github.com/daison12006013"><code>@daison12006013</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54647">laravel/framework#54647</a></li> <li>[11.x] Allow can attribute on group by <a href="https://github.com/utsavsomaiya"><code>@utsavsomaiya</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54648">laravel/framework#54648</a></li> <li>Test Improvements by <a href="https://github.com/crynobone"><code>@crynobone</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54645">laravel/framework#54645</a></li> <li>Fixes Factory Using Wrong Model Name by <a href="https://github.com/SameOldNick"><code>@SameOldNick</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54644">laravel/framework#54644</a></li> <li>[11.x] fix 'parsePipeString' in pipeline helper by <a href="https://github.com/igzard"><code>@igzard</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54643">laravel/framework#54643</a></li> <li>Update old() docblock by <a href="https://github.com/AJenbo"><code>@AJenbo</code></a> in <a href="https://redirect.github.com/laravel/framework/pull/54641">laravel/framework#54641</a></li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/laravel/framework/commit/0883d4175f4e2b5c299e7087ad3c74f2ce195c6d"><code>0883d41</code></a> Update version to v11.44.1</li> <li><a href="https://github.com/laravel/framework/commit/c666f89566d69c6b846d4f536cac38e05f7a2111"><code>c666f89</code></a> [11.x] Test improvements (<a href="https://redirect.github.com/laravel/framework/issues/54879">#54879</a>)</li> <li><a href="https://github.com/laravel/framework/commit/1154a3114d5c01b7014889ea46d9124b4f2dae6f"><code>1154a31</code></a> [11.x] Fix <code>Application::interBasePath()</code> fails to resolve application when p...</li> <li><a href="https://github.com/laravel/framework/commit/a8da712687ac2c69feb86966b7d98281a0a81698"><code>a8da712</code></a> Fix attribute name used on <code>Validator</code> instance within certain rule classes (...</li> <li><a href="https://github.com/laravel/framework/commit/fd9681ffbb5cdc50ea33566c37d8472d1d078bc7"><code>fd9681f</code></a> [11.x] Add valid values to ensure method (<a href="https://redirect.github.com/laravel/framework/issues/54840">#54840</a>)</li> <li><a href="https://github.com/laravel/framework/commit/9de752590837b8a056f9b18c493907f83c86ae9c"><code>9de7525</code></a> Update CHANGELOG</li> <li><a href="https://github.com/laravel/framework/commit/e9a33da34815ac1ed46c7e4c477a775f4592f0a7"><code>e9a33da</code></a> Update version to v11.44.0</li> <li><a href="https://github.com/laravel/framework/commit/2c72603358a00f3c819ee7cac7518ccecca87d13"><code>2c72603</code></a> exception handling typehints (<a href="https://redirect.github.com/laravel/framework/issues/54747">#54747</a>)</li> <li><a href="https://github.com/laravel/framework/commit/344c37f822a060249c33c86432f71e48d56e0c10"><code>344c37f</code></a> [11x.] Improved typehints for <code>InteractsWithDatabase</code> (<a href="https://redirect.github.com/laravel/framework/issues/54748">#54748</a>)</li> <li><a href="https://github.com/laravel/framework/commit/0054c26cdb2094bc38168c1a290bcd8d4696cafe"><code>0054c26</code></a> [11.x] Deprecate <code>Factory::$modelNameResolver</code> (<a href="https://redirect.github.com/laravel/framework/issues/54736">#54736</a>)</li> <li>Additional commits viewable in <a href="https://github.com/laravel/framework/compare/v11.31.0...v11.44.1">compare view</a></li> </ul> </details> <br /> Updates `league/commonmark` from 2.6.1 to 2.7.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/thephpleague/commonmark/releases">league/commonmark's releases</a>.</em></p> <blockquote> <h2>2.7.0</h2> <p>This is a <strong>security release</strong> to address <a href="https://github.com/thephpleague/commonmark/security/advisories/GHSA-3527-qv2q-pfvx">a potential cross-site scripting (XSS) vulnerability when using the <code>AttributesExtension</code> with untrusted user input</a>.</p> <h3>Added</h3> <ul> <li>Added <code>attributes/allow</code> config option to specify which attributes users are allowed to set on elements (default allows virtually all attributes)</li> </ul> <h3>Changed</h3> <ul> <li>The <code>AttributesExtension</code> blocks all attributes starting with <code>on</code> unless explicitly allowed via the <code>attributes/allow</code> config option</li> <li>The <code>allow_unsafe_links</code> option is now respected by the <code>AttributesExtension</code> when users specify <code>href</code> and <code>src</code> attributes</li> </ul> <h2>2.6.2</h2> <h2>Fixed</h2> <ul> <li>Fixed Attributes extension parsing regression (<a href="https://redirect.github.com/thephpleague/commonmark/issues/1071">#1071</a>)</li> </ul> <h2>Other Changes</h2> <ul> <li>fix incorrect interface in docs v2.6 by <a href="https://github.com/CharrafiMed"><code>@CharrafiMed</code></a> in <a href="https://redirect.github.com/thephpleague/commonmark/pull/1063">thephpleague/commonmark#1063</a></li> <li>docs/2.6/extensions/front-matter.md: add missing newline by <a href="https://github.com/DanielEScherzer"><code>@DanielEScherzer</code></a> in <a href="https://redirect.github.com/thephpleague/commonmark/pull/1069">thephpleague/commonmark#1069</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/CharrafiMed"><code>@CharrafiMed</code></a> made their first contribution in <a href="https://redirect.github.com/thephpleague/commonmark/pull/1063">thephpleague/commonmark#1063</a></li> <li><a href="https://github.com/DanielEScherzer"><code>@DanielEScherzer</code></a> made their first contribution in <a href="https://redirect.github.com/thephpleague/commonmark/pull/1069">thephpleague/commonmark#1069</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/thephpleague/commonmark/compare/2.6.1...2.6.2">https://github.com/thephpleague/commonmark/compare/2.6.1...2.6.2</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/thephpleague/commonmark/blob/2.7/CHANGELOG.md">league/commonmark's changelog</a>.</em></p> <blockquote> <h2>[2.7.0]</h2> <p>This is a <strong>security release</strong> to address a potential cross-site scripting (XSS) vulnerability when using the <code>AttributesExtension</code> with untrusted user input.</p> <h3>Added</h3> <ul> <li>Added <code>attributes/allow</code> config option to specify which attributes users are allowed to set on elements (default allows virtually all attributes)</li> </ul> <h3>Changed</h3> <ul> <li>The <code>AttributesExtension</code> blocks all attributes starting with <code>on</code> unless explicitly allowed via the <code>attributes/allow</code> config option</li> <li>The <code>allow_unsafe_links</code> option is now respected by the <code>AttributesExtension</code> when users specify <code>href</code> and <code>src</code> attributes</li> </ul> <h2>[2.6.2] - 2025-04-18</h2> <h3>Fixed</h3> <ul> <li>Fixed Attributes extension parsing regression (<a href="https://redirect.github.com/thephpleague/commonmark/issues/1071">#1071</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/thephpleague/commonmark/commit/6fbb36d44824ed4091adbcf4c7d4a3923cdb3405"><code>6fbb36d</code></a> Prepare to release 2.7.0</li> <li><a href="https://github.com/thephpleague/commonmark/commit/f0d626cf05ad3e99e6db26ebcb9091b6cd1cd89b"><code>f0d626c</code></a> Merge commit from fork</li> <li><a href="https://github.com/thephpleague/commonmark/commit/43207253ea5f14867c77c697cd3838c446cadcea"><code>4320725</code></a> Fix XSS in AttributesExtension</li> <li><a href="https://github.com/thephpleague/commonmark/commit/d4b08b81d23e1a30fa70edc0bff4f1c0595c0892"><code>d4b08b8</code></a> Create 2.7 branch</li> <li><a href="https://github.com/thephpleague/commonmark/commit/5b794e1654d86472445667e41cc16adc5646a790"><code>5b794e1</code></a> Remove docs for 1.0 - 1.5</li> <li><a href="https://github.com/thephpleague/commonmark/commit/3db9d35b600de147e4ca01298fe1666c9ccaf1d4"><code>3db9d35</code></a> Merge branch '2.6'</li> <li><a href="https://github.com/thephpleague/commonmark/commit/06c3b0bf2540338094575612f4a1778d0d2d5e94"><code>06c3b0b</code></a> Prepare to release 2.6.2</li> <li><a href="https://github.com/thephpleague/commonmark/commit/771974c975d465218dc62b6d90c91acb593e38e9"><code>771974c</code></a> Fix Attributes extension parsing regression (<a href="https://redirect.github.com/thephpleague/commonmark/issues/1071">#1071</a>)</li> <li><a href="https://github.com/thephpleague/commonmark/commit/e99ee2e1e0220612b9d836cd13bbf2990cbdf18f"><code>e99ee2e</code></a> Merge pull request <a href="https://redirect.github.com/thephpleague/commonmark/issues/1069">#1069</a> from DanielEScherzer/patch-1</li> <li><a href="https://github.com/thephpleague/commonmark/commit/f356ca567c46abfb76d1a6dbc940755212273147"><code>f356ca5</code></a> docs/2.6/extensions/front-matter.md: add missing newline</li> <li>Additional commits viewable in <a href="https://github.com/thephpleague/commonmark/compare/2.6.1...2.7.0">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/pyrohost/pyrodactyl/network/alerts). </details>

MrUnknownDE closed this issue

2026-04-05 19:51:18 +02:00

Sign in to join this conversation.

Branches Tags

main

redesign-amy

dependabot/composer/composer-a63f04cb24

transfer-queue

releases/v4.5.1

dependabot/npm_and_yarn/eslint-9.38.0

dependabot/npm_and_yarn/hcaptcha/react-hcaptcha-1.14.0

releases/v4.5.0

dependabot/npm_and_yarn/vitejs/plugin-react-swc-4.2.0

dependabot/npm_and_yarn/vite-7.1.12

dependabot/npm_and_yarn/browserslist-4.27.0

releases/v4.4.1

releases/v4.4.0

releases/v4.3.0

releases/v4.2.2

releases/v4.2.1

releases/v4.2.0

async-backups

releases/v4.1.0

releases/v4.0.0

multi-language

dependabot/npm_and_yarn/npm_and_yarn-34180670f1

subdomains

dev-old

dependabot/npm_and_yarn/eslint-plugin-prettier-5.5.4

elytra

startup-command

overhead-memory

amy/pyro-143-ui-redesign

naterfute/fix_unit_tests

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github/pyrodactyl#165