Fixed: Query Builder not allowing multiple rules
Fixed: Application dropdown displaying under navigation fade
Fixed: Form state not updating after trigger action is invoked
Fixed: Environment variable resolution since moving to Vite
Fixed: Left navigation does not update when route changes
Fixed: Marketplace shared inventory locations are not mutable for vendors
Fixed: DynamicField’s clearValueOnMatch is matched in update forms even if no field is changed, causing fields to clear
Fixed: OMS confirming returned items quantity field non-responsive
Fixed: Display $0.00 when amount is undefined
Fixed: Asset picker’s z-index value
Fixed: Empty values being submitted as translations
Address vulnerability with nanoid valueOf
The package nanoid before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows the last generated id to be reproduced.
Normally, this would not be necessary since it is used only by postcss. However, sanitize-html pulls in postcss during runtime to sanitize CSS user input.
Upgraded axios to 0.25.0 from 0.24.0 to include their upgrade of follow-redirects to 1.14.7.
The previous version of follow-redirects was vulnerable to Information Exposure by leaking the cookie header to a third party site in the process of fetching a remote URL with the cookie in the request body.
If the response contains a location header, it will follow the redirect to another URL of a potentially malicious actor, to which the cookie would be exposed.