🚨 [security] Update chartkick: 3.0.2 → 3.4.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ chartkick (3.0.2 → 3.4.0) · Repo · Changelog

Security Advisories 🚨

🚨 CSS injection with width and height options

Chartkick is vulnerable to CSS injection
if user input is passed to the width or height option.

<%= line_chart data, width: params[:width], height: params[:height] %>

An attacker can set additional CSS properties, like:

<%= line_chart data, width: "100%; background-image: url('http://example.com/image.png')" %>

🚨 Prototype Pollution in Chartkick.js 3.1.x

A specially crafted response in data loaded via URL
can cause prototype pollution in JavaScript.

🚨 XSS Vulnerability in Chartkick Ruby Gem

Chartkick is vulnerable to a cross-site scripting (XSS) attack if
both the following conditions are met:

Condition 1:
It's used with ActiveSupport.escape_html_entities_in_json = false
(this is not the default for Rails)
OR used with a non-Rails framework like Sinatra.

Condition 2:
Untrusted data or options are passed to a chart.

<%= line_chart params[:data], min: params[:min] %>

Release Notes

3.4.0 (from changelog)

• Fixed CSS injection with width and height options - more info

3.3.2 (from changelog)

• Updated Chartkick.js to 3.2.1

3.3.1 (from changelog)

• Updated Chart.js to 2.9.3
• Fixed deprecating warnings in Ruby 2.7

3.3.0 (from changelog)

• Updated Chartkick.js to 3.2.0
• Rolled back Chart.js to 2.8.0 due to legend change

3.2.2 (from changelog)

• Updated Chartkick.js to 3.1.3
• Updated Chart.js to 2.9.1

3.2.1 (from changelog)

• Updated Chartkick.js to 3.1.1

3.2.0 (from changelog)

• Fixed XSS vulnerability - see #488

3.1.0 (from changelog)

• Updated Chartkick.js to 3.1.0
• Updated Chart.js to 2.8.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 70 commits:

• Version bump to 3.4.0 [skip ci]
• Fixed CSS injection with width and height options
• Version bump to 3.3.2 [skip ci]
• Updated Chartkick.js to 3.2.1
• Updated chartkick.js to fix error with GeoChart with latest Google Charts release
• Added dev instructions [skip ci]
• Added Travis CI
• Added todo [skip ci]
• Test escaping
• Test chart ids
• Added test for default options
• Test nonce
• Added tests for more options
• Added tests for more charts
• Updated readme [skip ci]
• Updated issue template [skip ci]
• Updated issue template [skip ci]
• Updated issue template [skip ci]
• Moved contributing info to templates [skip ci]
• Updated issue template [skip ci]
• Keep it concise [skip ci]
• Updated issue template [skip ci]
• Updated issue template [skip ci]
• Updated issue template [skip ci]
• Updated issue template [skip ci]
• Updated feature request template [skip ci]
• Updated issue config [skip ci]
• Updated issue config [skip ci]
• Test issue config [skip ci]
• Test issue templates (#539)
• Version bump to 3.3.1 [skip ci]
• Fixed deprecating warnings in Ruby 2.7
• Updated Chart.js to 2.9.3
• Added dates to changelog [skip ci]
• file -> byte [skip ci]
• Version bump to 3.3.0 [skip ci]
• Updated readme for Chartkick.js updates
• Updated Chartkick.js to 3.2.0
• Rolled back Chart.js to 2.8.0 due to legend change
• Updated docs [skip ci]
• Updated Chart.js to 2.9.2
• Version bump to 3.2.2 [skip ci]
• Updated Chartkick.js to 3.1.3
• Updated Chartkick.js to 3.1.2 and Chart.js to 2.9.1
• Version bump to 3.2.1 [skip ci]
• Updated Chartkick.js to 3.1.1
• Fixed missing bar chart labels with Chart.js 2.8.0 - closes #490
• Use require_relative in gemspec
• klass always trusted, but safer pattern
• Fixed XSS vulnerability
• Cleaner code [skip ci]
• Less is more
• No longer just master
• Version bump to 3.1.0
• Document xmin and xmax
• Added instructions for Rails 6
• Updated Chartkick.js to 3.1.0
• Better notes
• Better wording
• Updated Chart.js to 2.8.0
• Removed survey [skip ci]
• Added note in Contributing Guide about Chartkick.js [skip ci]
• Uncapitalize [skip ci]
• Consistent docs [skip ci]
• Update README.md (#470)
• Fix typo in README (#471)
• Updated copyright date [skip ci]
• Added survey [skip ci]
• Better test code
• Added tutorial [skip ci]

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #168.