
Update dependency view_component to v3.9.0 [SECURITY] #1265

Merged

Conversation

renovate[bot]

@renovate renovate bot commented Jun 21, 2024

Mend Renovate

This PR contains the following updates:

| Package | Change |
|---|---|
| view_component (source, changelog) | 3.4.0 -> 3.9.0 |

GitHub Vulnerability Alerts

CVE-2024-21636

Impact

What kind of vulnerability is it? Who is impacted?

This is an XSS vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a #call method (i.e. instead of using a sidecar template) are affected. The return value of the #call method is not sanitized and can include user-defined content.

In addition, the return value of the #output_postamble method is not sanitized, which can also lead to XSS issues.

Patches

Has the problem been patched? What versions should users upgrade to?

Version 3.9.0 has been released and fully mitigates both the #call and the #output_postamble vulnerabilities.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Sanitize the return value of #call, e.g.:

```ruby
class MyComponent < ApplicationComponent
  # Escape the whole string returned by #call so that any markup contained
  # in user_input is rendered as text rather than interpreted by the browser.
  def call
    html_escape("<div>#{user_input}</div>")
  end
end
```
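The vulnerable #call and #output_postamble patterns the advisory describes, beside a hardened variant that escapes only the untrusted value so the component's own tags survive, as an added example that is not part of this PR or of the view_component gem. It assumes Rails is not loaded, so a plain Ruby class stands in for ApplicationComponent and ERB::Util.html_escape from the standard library replaces the Rails helper; the user input is constructed.

```ruby
require "erb"

# Stand-in for a ViewComponent subclass (assumption: Rails is not loaded, so
# ApplicationComponent and the Rails html_escape helper are replaced by a plain
# class and the equivalent ERB::Util.html_escape from the standard library).
class UnsafeComponent
  def initialize(user_input)
    @user_input = user_input
  end

  # Vulnerable pattern from the advisory: the raw return value of #call is
  # rendered as-is, so markup inside user_input reaches the page unescaped.
  def call
    "<div>#{@user_input}</div>"
  end

  # Same problem for #output_postamble: its return value was not sanitized either.
  def output_postamble
    "<span class=\"note\">#{@user_input}</span>"
  end
end

class SafeComponent < UnsafeComponent
  include ERB::Util

  # Hardened pattern: escape the untrusted value before interpolating it into
  # markup the component itself controls, so the only tags left are ours.
  def call
    "<div>#{html_escape(@user_input)}</div>"
  end

  def output_postamble
    "<span class=\"note\">#{html_escape(@user_input)}</span>"
  end
end

# Models a controller rendering the component directly: on affected versions the
# concatenated strings are written to the response body without further escaping.
def render_component(component)
  component.call + component.output_postamble
end

if __FILE__ == $0
  payload = "<script>x()</script>"  # constructed sample user input
  puts render_component(UnsafeComponent.new(payload))
  puts render_component(SafeComponent.new(payload))
end
```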

References

Are there any links users can visit to find out more?

https://github.com/ViewComponent/view_component/pull/1950

For more information

If you have any questions or comments about this advisory:

Open an issue in the github/view_component project.


Release Notes

viewcomponent/view_component (view_component)

v3.9.0


  • Don’t break rails stats if ViewComponent path is missing.

    Claudio Baccigalupo

  • Add deprecation warnings for EOL ruby and Rails versions and patches associated with them.

    Reegan Viljoen

  • Add support for Ruby 3.3.

    Reegan Viljoen

  • Allow translations to be inherited and overridden in subclasses.

    Elia Schito

  • Resolve console warnings when running test suite.

    Joel Hawksley

  • Fix spelling in a local variable.

    Olle Jonsson

  • Avoid duplicating rendered string when output_postamble is blank.

    Mitchell Henke

  • Ensure HTML output safety.

    Cameron Dutro

v3.8.0


  • Use correct value for the config.action_dispatch.show_exceptions config option for edge Rails.

    Cameron Dutro

  • Remove unsupported versions of Rails & Ruby from CI matrix.

    Reegan Viljoen

  • Raise error when uncountable slot names are used in renders_many

    Hugo Chantelauze
    Reegan Viljoen

  • Replace usage of String#ends_with? with String#end_with? to reduce the dependency on ActiveSupport core extensions.

    halo

  • Don't add ActionDispatch::Static middleware unless public_file_server.enabled.

    Daniel Gonzalez
    Reegan Viljoen

  • Resolve an issue where slots starting with call would cause a NameError

    Blake Williams

  • Add use_helper API.

    Reegan Viljoen

  • Fix bug where the Rails module wasn't being searched from the root namespace.

    Zenéixe

  • Fix bug where #with_request_url, set the incorrect request.fullpath.

    Nachiket Pusalkar

  • Allow setting method when using the with_request_url test helper.

    Andrew Duthie

v3.7.0


  • Support Rails 7.1 in CI.

    Reegan Viljoen
    Cameron Dutro

  • Document the capture compatibility patch on the Known issues page.

    Simon Fish

  • Add Simundia to list of companies using ViewComponent.

    Alexandre Ignjatovic

  • Reduce UnboundMethod objects by memoizing initialize_parameters.

    Rainer Borene

  • Improve docs about inline templates interpolation.

    Hans Lemuet

  • Update generators.md to clarify the way of changing config.view_component.view_component_path.

    Shozo Hatta

  • Attempt to fix Ferrum timeout errors by creating driver with unique name.

    Cameron Dutro

v3.6.0


  • Refer to helpers in NameError message in development and test environments.

    Simon Fish

  • Fix API documentation and revert unnecessary change in preview.rb.

    Richard Macklin

  • Initialize ViewComponent::Config with defaults before framework load.

    Simon Fish

  • Add 3.2 to the list of Ruby CI versions

    Igor Drozdov

  • Stop running PVC's docs:preview rake task in CI, as the old docsite has been removed.

    Cameron Dutro

  • Minor testing documentation improvement.

    Travis Gaff

  • Add SearchApi to users list.

    Sebastjan Prachovskij

  • Fix #with_request_url to ensure request.query_parameters is an instance of ActiveSupport::HashWithIndifferentAccess.

    milk1000cc

  • Add PeopleForce to list of companies using ViewComponent.

    Volodymyr Khandiuk

v3.5.0



This PR was generated by Mend Renovate.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jun 21, 2024
@renovate renovate bot force-pushed the renovate/rubygems-view_component-vulnerability branch 3 times, most recently from 378f34e to 6556a6a Compare June 27, 2024 11:11
@renovate renovate bot changed the title Update dependency view_component to v3.9.0 [SECURITY] Update dependency view_component to v3.9.0 [SECURITY] - autoclosed Jun 28, 2024
@renovate renovate bot closed this Jun 28, 2024
@renovate renovate bot deleted the renovate/rubygems-view_component-vulnerability branch June 28, 2024 06:41
@renovate renovate bot restored the renovate/rubygems-view_component-vulnerability branch June 28, 2024 12:59
@renovate renovate bot changed the title Update dependency view_component to v3.9.0 [SECURITY] - autoclosed Update dependency view_component to v3.9.0 [SECURITY] Jun 28, 2024
@renovate renovate bot reopened this Jun 28, 2024
@renovate renovate bot force-pushed the renovate/rubygems-view_component-vulnerability branch 10 times, most recently from 1c2a52a to 08a266a Compare July 4, 2024 14:19
@renovate renovate bot force-pushed the renovate/rubygems-view_component-vulnerability branch 6 times, most recently from a1cb901 to de64ad6 Compare July 25, 2024 09:33
@renovate renovate bot force-pushed the renovate/rubygems-view_component-vulnerability branch 3 times, most recently from 9f560ef to 4c2d3e1 Compare July 31, 2024 12:43
@renovate renovate bot force-pushed the renovate/rubygems-view_component-vulnerability branch from 4c2d3e1 to 4529ab9 Compare August 9, 2024 07:37
@renovate renovate bot force-pushed the renovate/rubygems-view_component-vulnerability branch from 4529ab9 to c6565f6 Compare August 9, 2024 07:39
@OlegPhenomenon OlegPhenomenon self-requested a review August 9, 2024 07:45
@OlegPhenomenon OlegPhenomenon merged commit 7512ea3 into master Aug 9, 2024
6 of 7 checks passed
@renovate renovate bot deleted the renovate/rubygems-view_component-vulnerability branch August 9, 2024 07:47