leika
Contributor

@leika leika commented May 31, 2024

This PR was automatically created by Snyk using the credentials of a real user.


![snyk-top-banner](https://github.com/andygongea/OWASP-Benchmark/assets/818805/c518c423-16fe-447e-b67f-ad5a49b5d123)

Snyk has created this PR to upgrade swagger-ui from 5.11.0 to 5.17.7.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 30 versions ahead of your current version.

  • The recommended version was released 22 days ago.

Issues fixed by the recommended upgrade:

| Severity | Issue | Snyk ID | Score | Exploit Maturity |
|---|---|---|---|---|
| high | Uncontrolled resource consumption | SNYK-JS-BRACES-6838727 | 554 | Proof of Concept |
| high | Inefficient Regular Expression Complexity | SNYK-JS-MICROMATCH-6838728 | 554 | No Known Exploit |
| medium | Template Injection | SNYK-JS-DOMPURIFY-6474511 | 554 | Proof of Concept |
| medium | Missing Release of Resource after Effective Lifetime | SNYK-JS-INFLIGHT-6095116 | 554 | Proof of Concept |
| medium | Improper Input Validation | SNYK-JS-SWAGGERCLIENT-6836803 | 554 | No Known Exploit |
| low | Permissive Cross-domain Policy with Untrusted Domains | SNYK-JS-UNDICI-6252336 | 554 | No Known Exploit |
| low | Improper Access Control | SNYK-JS-UNDICI-6564963 | 554 | No Known Exploit |
| low | Improper Authorization | SNYK-JS-UNDICI-6564964 | 554 | No Known Exploit |
Release notes
Package name: swagger-ui
  • 5.17.7 - 2024-05-09

    5.17.7 (2024-05-09)

    Bug Fixes

    • components: render parameter extensions in the description column (#9883) (1367a8f)
    • json-schema-5: allow collapsing for primitive models (#9639) (450bb99), closes #9595
    • render null values included in enum (#9683) (0dd9afa)
  • 5.17.6 - 2024-05-07

    5.17.6 (2024-05-07)

    Bug Fixes

    • swagger-ui-react: display definition defined as YAML or JSON string (#9918) (6ae2c1f), closes #9915
    • system: allow wrapping components both from presets and plugins (#9919) (877470b), closes #7232
  • 5.17.5 - 2024-05-06

    5.17.5 (2024-05-06)

    Bug Fixes

    • config: perform configuration synchronously (5fa60ce)
    • try-it-out: fix parsing null values when building requests (#9914) (fc7410b)
  • 5.17.4 - 2024-05-06

    5.17.4 (2024-05-06)

    Bug Fixes

    • security: remove patch-package production dependency (#9909) (cb9a06f)
  • 5.17.3 - 2024-04-30

    5.17.3 (2024-04-30)

    Bug Fixes

    • distribute proper source maps in npm distribution packages (#9877) (8c90d5d), closes #9101
    • swagger-ui-react: call onComplete hook with system instance (#9895) (3f67b08), closes #9876
  • 5.17.2 - 2024-04-25

    5.17.2 (2024-04-25)

    Bug Fixes

    • config: remove system config source (#9875) (333e5e3), closes #5148
    • allow to create SwaggerUI instances without rendering to the DOM container by default
  • 5.17.1 - 2024-04-24

    5.17.1 (2024-04-24)

    Bug Fixes

    • json-schema-2020-12-samples: skip anyOf and oneOf while merging schemas (#9853) (f7373a0), closes #9198
    • utils: fix validation for required values without specified type (#9863) (6fccf9e), closes #8007
    • deps: eliminate runtime errors related to traverse library
    • upstream fixes in swagger-client (v3.27.1, v3.27.2)
  • 5.17.0 - 2024-04-22

    5.17.0 (2024-04-22)

    Features

    • config: expose config and make it overridable (#9862) (17d50a6)
    • swagger-ui-react: rewrite into SSR compatible function component (#9855) (351191b), closes #9243
  • 5.16.2 - 2024-04-19

    5.16.2 (2024-04-19)

    Bug Fixes

    • swagger-ui-react: avoid triggering implicit system rendering (#9847) (3a671c6), closes #9846
  • 5.16.1 - 2024-04-18

    5.16.1 (2024-04-18)

    Bug Fixes

  • 5.16.0 - 2024-04-18
  • 5.15.2 - 2024-04-15
  • 5.15.1 - 2024-04-11
  • 5.15.0 - 2024-04-10
  • 5.14.0 - 2024-04-08
  • 5.13.0 - 2024-03-29
  • 5.12.3 - 2024-03-27
  • 5.12.2 - 2024-03-26
  • 5.12.1 - 2024-03-26
  • 5.12.0 - 2024-03-13
  • 5.11.10 - 2024-03-06
  • 5.11.9 - 2024-03-04
  • 5.11.8 - 2024-02-23
  • 5.11.7 - 2024-02-16
  • 5.11.6 - 2024-02-15
  • 5.11.5 - 2024-02-15
  • 5.11.4 - 2024-02-14
  • 5.11.3 - 2024-02-07
  • 5.11.2 - 2024-01-29
  • 5.11.1 - 2024-01-26
  • 5.11.0 - 2024-01-08
from swagger-ui GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in npm:
swagger-ui

See this project in Snyk:
https://app.snyk.io/org/leika/project/cf7fd23c-9b5c-4f72-8aeb-086f9864e120?utm_source=github&utm_medium=referral&page=upgrade-pr
@leika
Contributor Author

leika commented Apr 28, 2025

/ask what's the purpose, beside the description. go deep and help me understand

Qodo Merge was enabled for this repository. To continue using it, please link your Git account with your Qodo account here.

Ask

what's the purpose, beside the description. go deep and help me understand

Answer:

The purpose of this PR is to upgrade the swagger-ui dependency from version 5.10.3 to 5.17.7. Based on the PR description, this upgrade is primarily security-focused:

  1. Security Vulnerability Fixes: The PR description mentions at least two high-severity vulnerabilities that are fixed in the newer version:

    • Uncontrolled resource consumption (SNYK-JS-BRACES-6838727) with a high severity score of 554
    • Inefficient Regular Expression Complexity (SNYK-JS-MICROMATCH-6838728)
  2. Significant Version Jump: The upgrade moves 30 versions ahead, suggesting this is a substantial update that likely includes many bug fixes, performance improvements, and new features beyond just the security fixes.

  3. Dependency Maintenance: Keeping dependencies updated is a software development best practice that:

    • Makes the codebase more secure
    • Reduces technical debt
    • Makes future upgrades easier (avoiding "dependency hell")
    • Ensures compatibility with other modern libraries
  4. Automated Security Process: This PR was automatically created by Snyk, a security platform that scans for vulnerabilities in dependencies and suggests upgrades. This indicates your project has an automated security monitoring system in place.

The swagger-ui package is used to generate interactive API documentation interfaces, so this upgrade ensures that the API documentation component of your application remains secure and up-to-date.

@leika
Contributor Author

leika commented Apr 28, 2025

/update_changelog

Changelog updates: 🔄

2025-04-28

Changed

  • Upgraded swagger-ui from 5.11.0 to 5.17.7 *
  • Fixed potential security vulnerabilities in dependencies

to commit the new content to the CHANGELOG.md file, please type:
'/update_changelog --pr_update_changelog.push_changelog_changes=true'

@leika
Contributor Author

leika commented Apr 28, 2025

/scan_repo_discussions

Scan repo discussions:
Number of merged PRs last year, 1, is less than the minimal number of PRs needed for the analysis, 50.
