@rails/ujs - npm Package Compare versions

Comparing version 6.0.0-beta3 to 6.0.0-rc1

CHANGELOG.md

@@ -0,9 +1,44 @@
+## Rails 6.0.0.rc1 (April 24, 2019) ##
+
+*   Fix partial caching skips same item issue
+
+    If we render cached collection partials with repeated items, those repeated items
+    will get skipped. For example, if you have 5 identical items in your collection, Rails
+    only renders the first one when `cached` is set to true. But it should render all
+    5 items instead.
+
+    Fixes #35114.
+
+    *Stan Lo*
+
+*   Only clear ActionView cache in development on file changes
+
+    To speed up development mode, view caches are only cleared when files in
+    the view paths have changed. Applications which have implemented custom
+    `ActionView::Resolver` subclasses may need to add their own cache clearing.
+
+    *John Hawthorn*
+
+*   Fix `ActionView::FixtureResolver` so that it handles template variants correctly.
+
+    *Edward Rudd*
+
+
 ## Rails 6.0.0.beta3 (March 11, 2019) ##
 
-*   No changes.
+*   Only accept formats from registered mime types
 
+    A lack of filtering on mime types could allow an attacker to read
+    arbitrary files on the target server or to perform a denial of service
+    attack.
 
+    Fixes CVE-2019-5418
+    Fixes CVE-2019-5419
+
+    *John Hawthorn*, *Eileen M. Uchitelle*, *Aaron Patterson*
+
+
 ## Rails 6.0.0.beta2 (February 25, 2019) ##
 
-*   ActionView::Template.finalize_compiled_template_methods is deprecated with
+*   `ActionView::Template.finalize_compiled_template_methods` is deprecated with
     no replacement.
@@ -13,3 +48,3 @@
 
-*   config.action_view.finalize_compiled_template_methods is deprecated with
+*   `config.action_view.finalize_compiled_template_methods` is deprecated with
     no replacement.
@@ -20,4 +55,5 @@
 *   Ensure unique DOM IDs for collection inputs with float values.
-    Fixes #34974
 
+    Fixes #34974.
+
     *Mark Edmondson*
@@ -24,0 +60,0 @@

lib/assets/compiled/rails-ujs.js

@@ -35,10 +35,15 @@ /*
     (function() {
-      var cspNonce;
+      var nonce;
 
-      cspNonce = Rails.cspNonce = function() {
-        var meta;
-        meta = document.querySelector('meta[name=csp-nonce]');
-        return meta && meta.content;
+      nonce = null;
+
+      Rails.loadCSPNonce = function() {
+        var ref;
+        return nonce = (ref = document.querySelector("meta[name=csp-nonce]")) != null ? ref.content : void 0;
       };
 
+      Rails.cspNonce = function() {
+        return nonce != null ? nonce : Rails.loadCSPNonce();
+      };
+
     }).call(this);
@@ -269,3 +274,3 @@ (function() {
             document.head.appendChild(script).parentNode.removeChild(script);
-          } else if (type.match(/\bxml\b/)) {
+          } else if (type.match(/\b(xml|html|svg)\b/)) {
             parser = new DOMParser();
@@ -659,5 +664,5 @@ type = type.replace(/;.+/, '');
     (function() {
-      var $, CSRFProtection, delegate, disableElement, enableElement, fire, formSubmitButtonClick, getData, handleConfirm, handleDisabledElement, handleMethod, handleRemote, preventInsignificantClick, refreshCSRFTokens;
+      var $, CSRFProtection, delegate, disableElement, enableElement, fire, formSubmitButtonClick, getData, handleConfirm, handleDisabledElement, handleMethod, handleRemote, loadCSPNonce, preventInsignificantClick, refreshCSRFTokens;
 
-      fire = Rails.fire, delegate = Rails.delegate, getData = Rails.getData, $ = Rails.$, refreshCSRFTokens = Rails.refreshCSRFTokens, CSRFProtection = Rails.CSRFProtection, enableElement = Rails.enableElement, disableElement = Rails.disableElement, handleDisabledElement = Rails.handleDisabledElement, handleConfirm = Rails.handleConfirm, preventInsignificantClick = Rails.preventInsignificantClick, handleRemote = Rails.handleRemote, formSubmitButtonClick = Rails.formSubmitButtonClick, handleMethod = Rails.handleMethod;
+      fire = Rails.fire, delegate = Rails.delegate, getData = Rails.getData, $ = Rails.$, refreshCSRFTokens = Rails.refreshCSRFTokens, CSRFProtection = Rails.CSRFProtection, loadCSPNonce = Rails.loadCSPNonce, enableElement = Rails.enableElement, disableElement = Rails.disableElement, handleDisabledElement = Rails.handleDisabledElement, handleConfirm = Rails.handleConfirm, preventInsignificantClick = Rails.preventInsignificantClick, handleRemote = Rails.handleRemote, formSubmitButtonClick = Rails.formSubmitButtonClick, handleMethod = Rails.handleMethod;
 
@@ -725,2 +730,3 @@ if ((typeof jQuery !== "undefined" && jQuery !== null) && (jQuery.ajax != null)) {
         document.addEventListener('DOMContentLoaded', refreshCSRFTokens);
+        document.addEventListener('DOMContentLoaded', loadCSPNonce);
         return window._rails_loaded = true;
@@ -727,0 +733,0 @@ };

package.json

 {
   "name": "@rails/ujs",
-  "version": "6.0.0-beta3",
+  "version": "6.0.0-rc1",
   "description": "Ruby on Rails unobtrusive scripting adapter",
@@ -5,0 +5,0 @@ "main": "lib/assets/compiled/rails-ujs.js",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

New author

Supply chain risk

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

37928

increased by4.21%

Lines of code

669

increased by0.6%

Number of lines in readme file

41

increased by5.13%

Number of medium supply chain risk alerts

0

decreased by-100%

No dependency changes