Bump view_component from 4.6.0 to 4.12.0 #44

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/bundler/view_component-4.11.0

Conversation

@dependabot dependabot Bot commented on behalf of github May 19, 2026

Contributor

Bumps view_component from 4.6.0 to 4.12.0.

Release notes

Sourced from view_component's releases.

4.12.0

  • Fix stale render context on reused component instances. A ViewComponent::Base instance memoized its controller, helpers, request, view context, lookup context, view flow, and requested format details on first render via ||=. Rendering the same instance a second time (intentionally or via aliasing) reused that stale context, which could leak data across requests, sessions, or users. #render_in now resets these ivars on every call so each render derives its context from the current view.

    Joel Hawksley

  • Fix HTML-safety bypass in around_render. ViewComponent::Base#around_render could return HTML-unsafe strings that bypassed the escaping applied to normal #call return values, creating an XSS risk. The vulnerability was amplified in ViewComponent::Collection#render_in, which joined per-item results and unconditionally marked the output html_safe. HTML-unsafe strings returned from around_render are now escaped (with a warning) and Collection#render_in now uses safe_join so unsafe per-item output is escaped instead of laundered into a SafeBuffer.

    Joel Hawksley

4.11.0

  • Update render_in signature to accept **_ for compatibility with Rails #50623.

    Joel Hawksley

  • Fix translation scope resolution in nested lambda-backed slots. Relative t(".key") calls inside lambda-backed slots were resolving against an intermediate component's scope instead of the original partial's scope where the block was defined.

    Artin Boghosian

4.10.0

  • Fix NameError: uninitialized constant ViewComponent::SystemTestControllerNefariousPathError when booting in the test environment with eager_load = true.

    Joel Hawksley

  • Fix yielded content rendered at wrong location when using form helpers.

    Joel Hawksley, Markus

4.9.0

  • Fix path traversal vulnerability in ViewComponentsSystemTestController where sibling directories sharing a string prefix with the allowed temp directory could bypass the path containment check. The start_with? check has been replaced with a separator-aware prefix check, and nefarious path errors now return a 404 instead of an unhandled exception.

    Joel Hawksley

  • Fix preview route vulnerability where inherited methods on ViewComponent::Preview (such as render_with_template) could be invoked via the preview URL, allowing arbitrary internal Rails templates to be rendered with attacker-controlled locals and request parameters. render_args now raises AbstractController::ActionNotFound for any example not explicitly declared on the preview subclass.

    Joel Hawksley

  • Add yard-lint to CI.

    Joel Hawksley

4.8.0

  • Add compile.view_component ActiveSupport::Notifications event for eager compilation at boot time.

    Joel Hawksley, GitHub Copilot

4.7.0

  • Fix stale content cache when slots are accessed before render_in.

    Jared Armstrong

  • Add rubocop-view_component to resources.

... (truncated)

Commits
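
The 4.9.0 path-containment fix described in the release notes above, as an added example that is not view_component's own code: the string-prefix check that could be bypassed by a sibling directory, beside a separator-aware check and a handler that answers 404 instead of raising. The directory name, the sample paths and the method names are constructed for illustration.

```ruby
# Added example, not view_component's code. ALLOWED_DIR and the paths below
# are constructed; the two checks follow the 4.9.0 release note.
ALLOWED_DIR = "/tmp/view_component_tests"

# Weak check from the note: a sibling directory that merely shares a string
# prefix with the allowed directory ("/tmp/view_component_tests_evil") passes.
def prefix_contained?(candidate, base = ALLOWED_DIR)
  File.expand_path(candidate).start_with?(base)
end

# Separator-aware check: the candidate must be the base directory itself or
# sit under "#{base}/". File.expand_path collapses "." and ".." segments
# first, so a traversal sequence inside the string cannot climb back out.
def separator_contained?(candidate, base = ALLOWED_DIR)
  base = File.expand_path(base)
  path = File.expand_path(candidate)
  path == base || path.start_with?(base + File::SEPARATOR)
end

# Handler shape from the note: a path outside the allowed directory yields a
# 404 response rather than an unhandled exception. Returns [status, body] so
# it can be exercised without a Rails controller (constructed helper).
def serve_template(candidate)
  return [404, "Not Found"] unless separator_contained?(candidate)

  [200, File.expand_path(candidate)]
end

if __FILE__ == $PROGRAM_NAME
  sibling = "/tmp/view_component_tests_evil/x.html.erb"
  puts "start_with? accepts sibling dir: #{prefix_contained?(sibling)}"
  puts "separator-aware accepts sibling dir: #{separator_contained?(sibling)}"
  puts "traversal: #{serve_template("/tmp/view_component_tests/../etc/passwd").inspect}"
end
```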

@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and ruby (Pull requests that update ruby code) May 19, 2026
@dependabot dependabot Bot changed the title from "Bump view_component from 4.6.0 to 4.11.0" to "Bump view_component from 4.6.0 to 4.12.0" Jun 10, 2026
Bumps [view_component](https://github.com/viewcomponent/view_component) from 4.6.0 to 4.12.0.
- [Release notes](https://github.com/viewcomponent/view_component/releases)
- [Changelog](https://github.com/ViewComponent/view_component/blob/main/docs/CHANGELOG.md)
- [Commits](ViewComponent/view_component@v4.6.0...v4.12.0)

---
updated-dependencies:
- dependency-name: view_component
  dependency-version: 4.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/bundler/view_component-4.11.0 branch from aee172f to 9207634 June 10, 2026 11:33
@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Contributor Author

Superseded by #46.

@dependabot dependabot Bot closed this Jun 15, 2026
@dependabot dependabot Bot deleted the dependabot/bundler/view_component-4.11.0 branch June 15, 2026 22:35