Skip to content

Bump phoenix from 1.7.11 to 1.7.12

Dependabot Zahir's Email requested to merge dependabot-hex-phoenix-1.7.12 into master

Bumps phoenix from 1.7.11 to 1.7.12.

Changelog

Sourced from phoenix's changelog.

1.7.12 (2024-04-11)

JavaScript Client Bug Fixes

  • Fix all unjoined channels from being removed from the socket when channel leave is called on any single unjoined channel instance

Enhancements

  • [phx.gen.auth] Add enhanced session fixation protection. For applications whichs previously used phx.gen.auth, the following line can be added to the renew_session function in the auth module:

      defp renew_session(conn) do
+   delete_csrf_token()
conn
|> configure_session(renew: true)
|> clear_session()

    Note: because the session id is in a http-only cookie by default, the only way to perform this attack prior to this change is if your application was already vulnerable to an XSS attack, which itself grants more escalated "privileges” than the CSRF fixation.

JavaScript Client Enhancements

  • Only memorize longpoll fallback for browser session if WebSocket never had a successful connection
Commits
  • bdc2d73 Release 1.7.12
  • 72c388c Fix channel leave on unjoined channels. Closes #5779
  • 28203dd Use clearer arg name
  • cdc16ab replace deprecated live_flash for Phoenix.Flash.get in phx.gen.auth (#5773)
  • 2c5da88 Fix phx.gen.socket moduledoc grammar and example path (#5769)
  • 7aea049 Clarify Token secrecy in docs (#5768)
  • 8f2770e Bump telemetry metrics to v1.0 (#5755)
  • 1312123 Allow running phx.digest task multiple times (#5753)
  • f17c2c1 Fix Phoenix.Controller.send_download/3 :encode option doc (#5754)
  • b07c130 Mention it is ok to use code generators
  • Additional commits viewable in compare view

Merge request reports