emma icon indicating copy to clipboard operation
emma copied to clipboard
verified publisher icon emmalanguage

Bump spray-json_2.11 from 1.3.3 to 1.3.5

Open dependabot[bot] opened this issue 5 years ago • 0 comments

Bumps spray-json_2.11 from 1.3.3 to 1.3.5.

Release notes

Sourced from spray-json_2.11's releases.

1.3.5

See the milestone for all changes.

Security fix for several Denial Of Service vulnerabilities:

  • CVE-2018-18853: Limit the number of characters for numbers in the parser (#278)
  • CVE-2018-18854: Use TreeMap instead of HashMap for JsObject to prevent collision attacks (#277)
  • CVE-2018-18855: Fix uncontrolled recursion in parser by limiting nesting depth (#286)

Thanks, Andriy Plokhotnyuk who brought the first two issues to our attention.

Migration Notes

For some fixes, we added new limits to the parser:

  • Maximum depth of nested JSON values, defaults to 1000
  • Maximum characters for number values, defaults to 100

We introduced a JsonParserSettings class which can be used to customize these limits. New overloads for JsonParser.apply and String.parseJson have been introduced to specify custom settings.

Also, field ordering changed when printing a JsValue. Use jsValue.sortedPrint if you want to be sure fields are always ordered the same.

v1.3.4

This release is cross released for Scala 2.10, 2.11, 2.12 and 2.13-M2.

It is mostly a small maintanance release in which some documentation was polished and for example the sortedPrint printer was added.

Specific source-compatibility breaking edge-case: While binary compatibility remains working in this release, there is one specific edge case which can happen and be not source-compatible when upgrading to this version. The method def pimpString was made not-implicit, and replaced by implicit def enrichString, so if you previously imported the implicit specifically by its name, i.e. rather than import spray.json._ you wrote import spray.json.pimpString code relying on this change would now break. Please change it to import _, which will bring in the required implicits.

For a complete list of closed issues please refer to the milestone.

Changelog

Sourced from spray-json_2.11's changelog.

Version 1.3.5 (2017-10-24)

Security fix for several Denial Of Service vulnerabilities:

  • CVE-2018-18853: Limit the number of characters for numbers in the parser (#278)
  • CVE-2018-18854: Use TreeMap instead of HashMap for JsObject to prevent collision attacks (#277)
  • CVE-2018-18855: Fix uncontrolled recursion in parser by limiting nesting depth (#286)

Thanks, Andriy Plokhotnyuk who brought the first two issues to our attention.

Migration Notes

For some fixes, we added new limits to the parser:

  • Maximum depth of nested JSON values, defaults to 1000
  • Maximum characters for number values, defaults to 100

We introduced a JsonParserSettings class which can be used to customize these limits. New overloads for JsonParser.apply and String.parseJson have been introduced to specify custom settings.

Version 1.3.4 (2017-10-24)

  • Replace ClassManifest by ClassTag
  • Deprecate Pimp* classes and replace by Rich*
Commits
  • bfaf245 Add 1.3.5 release notes
  • 62520d7 Add documentation for JsonParserSettings
  • 21a3468 Seal JsonParserSetting trait
  • 0821642 Bump version to 1.3.5
  • b2f485e Merge pull request #283 from jrudolph/limit-size-of-numbers
  • a8c45e7 CVE-2018-18853 Limit the number of characters for numbers in the parser, fixe...
  • d56d7f4 Merge pull request #284 from jrudolph/fix-uncontrolled-recursion
  • 659d7e3 Merge pull request #285 from spray/jrudolph-patch-1
  • c8e106f Merge pull request #280 from jrudolph/use-TreeMap-fixes-277
  • a558753 CVE-2018-18855 Fix uncontrolled recursion in the JsonParser by imposing a con...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

dependabot[bot] avatar Jan 26 '21 13:01 dependabot[bot]