Skip to content
This repository has been archived by the owner on Mar 12, 2024. It is now read-only.

[Security] Bump video.js from 5.12.6 to 7.14.3 #152

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

dependabot-preview[bot]
Copy link

Bumps video.js from 5.12.6 to 7.14.3.

Release notes

Sourced from video.js's releases.

v7.14.3

7.14.3 (2021-07-26)

Bug Fixes

v7.14.2

7.14.2 (2021-07-19)

Bug Fixes

  • dom: in removeClass, check element for null in case of a disposed player (#6701) (2990cc7)

v7.14.1

7.14.1 (2021-07-14)

Bug Fixes

Chores

  • use setup-node cache and remove individual cache step (#7310) (fab6e87)

Documentation

  • react: Added a functional React component using React.useEffect (#7203) (2360236)

v7.14.0

7.14.0 (2021-06-30)

Features

v7.13.4

7.13.4 (2021-06-30)

Bug Fixes

... (truncated)

Changelog

Sourced from video.js's changelog.

7.14.3 (2021-07-26)

Bug Fixes

7.14.2 (2021-07-19)

Bug Fixes

  • dom: in removeClass, check element for null in case of a disposed player (#6701) (2990cc7)

7.14.1 (2021-07-14)

Bug Fixes

Chores

  • use setup-node cache and remove individual cache step (#7310) (fab6e87)

Documentation

  • react: Added a functional React component using React.useEffect (#7203) (2360236)

7.14.0 (2021-06-30)

Features

7.13.4 (2021-06-30)

Bug Fixes

  • lang: add some translations to es.json (#6822) (fbcfb7b)
  • throw error on muted resolution rejection during autoplay (#7293) (f9fb1d3)
  • event: event polyfill detection compatibility with react-native-web (#7286) (a221be1), closes #7259
  • lang: improve Hungarian translation (#7289) (0f70787)

Chores

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will not automatically merge this PR because it includes an out-of-range update to a production dependency.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview dependabot-preview bot added the dependencies Pull requests that update a dependency file label Jul 27, 2021
@dependabot-preview
Copy link
Author

We've just been alerted that this update fixes a security vulnerability:

Sourced from The GitHub Security Advisory Database.

Cross-site Scripting in video.js

This affects the package video.js before 7.14.3. The src attribute of track tag allows to bypass HTML escaping and execute arbitrary code.

Affected versions: ["< 7.14.3"]

@dependabot-preview dependabot-preview bot changed the title Bump video.js from 5.12.6 to 7.14.3 [Security] Bump video.js from 5.12.6 to 7.14.3 Aug 10, 2021
@dependabot-preview dependabot-preview bot added the security Pull requests that address a security vulnerability label Aug 10, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
dependencies Pull requests that update a dependency file security Pull requests that address a security vulnerability
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants