Bump phoenix from 1.7.11 to 1.7.12
Bumps phoenix from 1.7.11 to 1.7.12.
Changelog
Sourced from phoenix's changelog.
1.7.12 (2024-04-11)
JavaScript Client Bug Fixes
- Fix all unjoined channels from being removed from the socket when channel leave is called on any single unjoined channel instance
Enhancements
- [phx.gen.auth] Add enhanced session fixation protection. For applications which previously used phx.gen.auth, the following line can be added to the renew_session function in the auth module:
defp renew_session(conn) do + delete_csrf_token() conn |> configure_session(renew: true) |> clear_session()
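Review bot: the `+ delete_csrf_token()` line belongs in the application's own generated auth module, so merging this version bump does not by itself add it to an app that ran phx.gen.auth before 1.7.12. Check that app's renew_session and add the call by hand ahead of `configure_session(renew: true)`. The snippet as quoted stops before the function's closing `end`, so copy only the added line rather than pasting the block over the existing function.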
Note: because the session id is in a http-only cookie by default, the only way to perform this attack prior to this change is if your application was already vulnerable to an XSS attack, which itself grants more escalated "privileges" than the CSRF fixation.
JavaScript Client Enhancements
- Only memorize longpoll fallback for browser session if WebSocket never had a successful connection
Commits
- bdc2d73 Release 1.7.12
- 72c388c Fix channel leave on unjoined channels. Closes #5779
- 28203dd Use clearer arg name
- cdc16ab replace deprecated live_flash for Phoenix.Flash.get in phx.gen.auth (#5773)
- 2c5da88 Fix phx.gen.socket moduledoc grammar and example path (#5769)
- 7aea049 Clarify Token secrecy in docs (#5768)
- 8f2770e Bump telemetry metrics to v1.0 (#5755)
- 1312123 Allow running phx.digest task multiple times (#5753)
- f17c2c1 Fix Phoenix.Controller.send_download/3 :encode option doc (#5754)
- b07c130 Mention it is ok to use code generators
- Additional commits viewable in compare view