chore(deps): Bump view_component from 4.5.0 to 4.12.0

[dependabot]

Bumps view_component from 4.5.0 to 4.12.0.

Release notes

Sourced from view_component's releases.

4.12.0

• Fix stale render context on reused component instances. A ViewComponent::Base instance memoized its controller, helpers, request, view context, lookup context, view flow, and requested format details on first render via ||=. Rendering the same instance a second time (intentionally or via aliasing) reused that stale context, which could leak data across requests, sessions, or users. #render_in now resets these ivars on every call so each render derives its context from the current view.

  Joel Hawksley

• Fix HTML-safety bypass in around_render. ViewComponent::Base#around_render could return HTML-unsafe strings that bypassed the escaping applied to normal #call return values, creating an XSS risk. The vulnerability was amplified in ViewComponent::Collection#render_in, which joined per-item results and unconditionally marked the output html_safe. HTML-unsafe strings returned from around_render are now escaped (with a warning) and Collection#render_in now uses safe_join so unsafe per-item output is escaped instead of laundered into a SafeBuffer. Joel Hawksley

4.11.0

• Update render_in signature to accept **_ for compatibility with Rails #50623.

  Joel Hawksley

• Fix translation scope resolution in nested lambda-backed slots. Relative t(".key") calls inside lambda-backed slots were resolving against an intermediate component's scope instead of the original partial's scope where the block was defined.

  Artin Boghosian

4.10.0

• Fix NameError: uninitialized constant ViewComponent::SystemTestControllerNefariousPathError when booting in the test environment with eager_load = true.

  Joel Hawksley

• Fix yielded content rendered at wrong location when using form helpers.

  Joel Hawksley, Markus

4.9.0

• Fix path traversal vulnerability in ViewComponentsSystemTestController where sibling directories sharing a string prefix with the allowed temp directory could bypass the path containment check. The start_with? check has been replaced with a separator-aware prefix check, and nefarious path errors now return a 404 instead of an unhandled exception.

  Joel Hawksley

• Fix preview route vulnerability where inherited methods on ViewComponent::Preview (such as render_with_template) could be invoked via the preview URL, allowing arbitrary internal Rails templates to be rendered with attacker-controlled locals and request parameters. render_args now raises AbstractController::ActionNotFound for any example not explicitly declared on the preview subclass.

  Joel Hawksley

• Add yard-lint to CI.

  Joel Hawksley

4.8.0

• Add compile.view_component ActiveSupport::Notifications event for eager compilation at boot time.

  Joel Hawksley, GitHub Copilot

4.7.0

• Fix stale content cache when slots are accessed before render_in.

  Jared Armstrong

• Add rubocop-view_component to resources.

... (truncated)

Changelog

Sourced from view_component's changelog.

4.12.0

• Fix stale render context on reused component instances. A ViewComponent::Base instance memoized its controller, helpers, request, view context, lookup context, view flow, and requested format details on first render via ||=. Rendering the same instance a second time (intentionally or via aliasing) reused that stale context, which could leak data across requests, sessions, or users. #render_in now resets these ivars on every call so each render derives its context from the current view.

  Joel Hawksley

• Fix HTML-safety bypass in around_render. ViewComponent::Base#around_render could return HTML-unsafe strings that bypassed the escaping applied to normal #call return values, creating an XSS risk. The vulnerability was amplified in ViewComponent::Collection#render_in, which joined per-item results and unconditionally marked the output html_safe. HTML-unsafe strings returned from around_render are now escaped (with a warning) and Collection#render_in now uses safe_join so unsafe per-item output is escaped instead of laundered into a SafeBuffer.

  Joel Hawksley

4.11.0

• Update render_in signature to accept **_ for compatibility with Rails #50623.

  Joel Hawksley

• Fix translation scope resolution in nested lambda-backed slots. Relative t(".key") calls inside lambda-backed slots were resolving against an intermediate component's scope instead of the original partial's scope where the block was defined.

  Artin Boghosian

4.10.0

• Fix NameError: uninitialized constant ViewComponent::SystemTestControllerNefariousPathError when booting in the test environment with eager_load = true.

  Joel Hawksley

• Fix yielded content rendered at wrong location when using form helpers.

  Joel Hawksley, Markus

4.9.0

• Fix path traversal vulnerability in ViewComponentsSystemTestController where sibling directories sharing a string prefix with the allowed temp directory could bypass the path containment check. The start_with? check has been replaced with a separator-aware prefix check, and nefarious path errors now return a 404 instead of an unhandled exception.

  Joel Hawksley

• Fix preview route vulnerability where inherited methods on ViewComponent::Preview (such as render_with_template) could be invoked via the preview URL, allowing arbitrary internal Rails templates to be rendered with attacker-controlled locals and request parameters. render_args now raises AbstractController::ActionNotFound for any example not explicitly declared on the preview subclass.

  Joel Hawksley

• Add yard-lint to CI.

  Joel Hawksley

4.8.0

• Add compile.view_component ActiveSupport::Notifications event for eager compilation at boot time.

  Joel Hawksley, GitHub Copilot

... (truncated)

Commits

• 4cbdbaa Merge pull request #2649 from ViewComponent/release-4-12-0
• a8888e1 Fix lint and bump allocation ranges
• 02d8896 lockfiles
• 50a2baf release 4.12.0
• 6796b2e Merge commit from fork
• 015f42c clean up changelog
• 5963e48 simplify
• 53106be update changelog
• 7b05073 fix Reused component instances retain stale render context
• 48e5fd2 fix for around_render safety gap
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)