DEV Community

Jonas Brømsø
Jonas Brømsø

Posted on

Release 0.19.0 of Spellcheck (GitHub) Action - a security release

Hot of the press release of 0.19.0 of Spellcheck GitHub Action.

This release was aimed at being a maintenance release, based on a PR from the tireless @dependabot, making sure the Docker base image is kept up to date. Another bot stole it's thunder with a PR bumping a core dependency to a newer version, which had some security vulnerabilities patched.

Release 0.19.0 is available on DockerHub and in the GitHub Marketplace.

All I have done for this release, apart from releasing it, was reviewing, building and testing - thanks to my tireless bot contributors: @dependabot and @snyk-bot

Change log

0.19.0, 2021-12-18, security release , update recommended

  • Requirement lxml updated from 4.6.3 to 4.6.5 via PR #71 from @snyk-bot. This addresses a security, cross-site scripting vulnerability (XSS) in the lxml library, see SNYK-PYTHON-LXML-2316995

From the release notes for lxml 4.6.5:

A vulnerability (GHSL-2021-1038) in the HTML cleaner allowed sneaking script content through SVG images.
A vulnerability (GHSL-2021-1037) in the HTML cleaner allowed sneaking script content through CSS imports and other crafted constructs.

  • Docker image updated to Python 3.10.1 slim via PR #70 from @dependabot

Top comments (0)