build(deps): bump github.com/vapor/vapor from 4.102.1 to 4.106.3 #20

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/swift/github.com/vapor/vapor-4.106.3

Conversation


@dependabot dependabot bot commented on behalf of github Nov 11, 2024

Bumps github.com/vapor/vapor from 4.102.1 to 4.106.3.

Release notes

Sourced from github.com/vapor/vapor's releases.

4.106.3 - Adds JPEG XL (JXL) and AVIF HTTPMediaTypes

What's Changed

Adds JPEG XL (JXL) and AVIF HTTPMediaTypes by @vamsii777 in #3250

Add additional image types:

```swift
import Vapor

// Accept only known image media types on the upload route; anything else is
// rejected with 415 Unsupported Media Type before the body is processed.
app.post("upload") { req in
    guard [.jpeg, .png, .tiff, .webp, .jxl, .avif].contains(req.content.contentType) else {
        throw Abort(.unsupportedMediaType)
    }
    // ...
}
```

New Contributor

This patch was released by @0xTim

Full Changelog: vapor/vapor@4.106.2...4.106.3

4.106.1 - Omit ACAO header instead of empty value

What's Changed

Omit ACAO header instead of empty value by @grahamburgsma in #3243

For context, Vapor currently sends an empty Access-Control-Allow-Origin (ACAO) header when the origin does not match or is set to none.

We recently had a pentest done against our Vapor server and the tester reported the following regarding the empty ACAO header:

When the header is empty, browsers might reject the request without detailed error messages, making it harder for developers to debug or even realize there is a problem. This lack of transparency can lead to extended periods of vulnerability before the issue is discovered.

Looking at some other sources as well, an empty header doesn’t appear to be a valid value and so could result in unexpected behaviour.

https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#the_http_response_headers
https://fetch.spec.whatwg.org/#http-access-control-allow-origin

This patch was released by @0xTim

Full Changelog: vapor/vapor@4.106.0...4.106.1

4.105.2 - Raise error when the data expected an array but not parsed as array

What's Changed

Raise error when the data expected an array but not parsed as array by @sidepelican in #3222

URLEncodedFormDecoder fails silently without throwing an error when attempting to decode data in the following pattern: array[0]=0&array[1]=1&array[3]=3. Now it is decoded as an empty array. Typically, a decoder throws an error when data cannot be parsed as the expected structure, so I propose modifying the decoder to throw an error in this case as well.

... (truncated)

Commits
  • 9786a42 Adds JPEG XL (JXL) and AVIF HTTPMediaTypes (#3250)
  • fb1df82 fix HTTPMethod.RAW(value: String) string representation (#3249)
  • 4d3bc6c Omit ACAO header instead of empty value (#3243)
  • 02e8b30 Fix flaky test (#3246)
  • 1310c6f Test MUSL and iOS compilation (#3241)
  • 1466c50 Drop Support for Swift 5.8 (#3240)
  • a4d7d4d Raise error when the data expected an array but not parsed as array (#3222)
  • 083028c Throw an error if unkeyed container is at end (#3226)
  • 287d944 Add response order pipelining test (#3228)
  • 78b1b81 Bump peter-evans/create-pull-request from 6 to 7 in the dependencies group (#...
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
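The 4.106.1 note above says an empty Access-Control-Allow-Origin value is not valid and that the fix is to omit the header when the origin does not match. The block below is an added example, not Vapor's middleware or code from this PR: a minimal CORS header policy that omits ACAO for a non-matching origin, plus the check a pentester or a CI job would run against a raw response to flag an empty ACAO after the bump. The allow-list `ALLOWED_ORIGINS`, the helper names and the sample responses are all constructed for the example; no network is used.

```python
"""Added example (not Vapor's code): omit ACAO instead of sending it empty,
and audit a raw HTTP response for the empty-ACAO case.

  cors_headers()  - header policy: ACAO only for an allowed Origin, else omitted
  audit_acao()    - classifies the ACAO header of a raw HTTP/1.1 response
  render_response() / OLD_RESPONSE - constructed responses for the demo
"""
from typing import Optional

# Constructed allow-list for the example (assumption, not from the PR).
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers(origin: Optional[str], allowed=ALLOWED_ORIGINS,
                 allow_credentials: bool = True) -> dict:
    """Return the CORS headers to add to a response.

    An allowed Origin gets ACAO echoing that exact origin. A missing or
    non-matching Origin gets no ACAO header at all (the 4.106.1 behaviour):
    the browser fails the cross-origin check cleanly and the response never
    carries an invalid empty value. Vary: Origin is always set so a shared
    cache does not replay one origin's headers to another.
    """
    headers = {"Vary": "Origin"}
    if origin is not None and origin in allowed:
        headers["Access-Control-Allow-Origin"] = origin
        if allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def audit_acao(raw_response: str) -> str:
    """Classify the ACAO header of a raw HTTP/1.1 response text.

    "omitted"    - no ACAO header (expected for a non-allowed origin)
    "empty"      - ACAO present with an empty value (invalid per the Fetch spec)
    "wildcard"   - ACAO: *  (cannot be combined with credentials)
    "null"       - ACAO: null (matches sandboxed/opaque origins; avoid)
    "origin:<v>" - a concrete origin is allowed
    """
    head, _, _ = raw_response.partition("\r\n\r\n")
    value = None
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "access-control-allow-origin":
            value = val.strip()
            break
    if value is None:
        return "omitted"
    if value == "":
        return "empty"
    if value == "*":
        return "wildcard"
    if value.lower() == "null":
        return "null"
    return "origin:" + value


def render_response(headers: dict, body: str = "{}") -> str:
    """Serialize a constructed 200 response carrying the given headers."""
    lines = ["HTTP/1.1 200 OK", "Content-Type: application/json"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed reproduction of the pre-4.106.1 shape: ACAO present but empty.
OLD_RESPONSE = render_response({"Access-Control-Allow-Origin": "", "Vary": "Origin"})


if __name__ == "__main__":
    for origin in ["https://app.example.com", "https://evil.example", None]:
        print(f"Origin={origin!r:<28} -> {audit_acao(render_response(cors_headers(origin)))}")
    print("pre-4.106.1 style response    ->", audit_acao(OLD_RESPONSE))
```

To use `audit_acao` against a live server after upgrading, capture the response to a request with a deliberately non-matching `Origin` header (for example with `curl -i -H 'Origin: https://evil.example'`) and feed the raw text in; the result should be `omitted`, never `empty`.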
Bumps [github.com/vapor/vapor](https://github.com/vapor/vapor) from 4.102.1 to 4.106.3.
- [Release notes](https://github.com/vapor/vapor/releases)
- [Commits](vapor/vapor@4.102.1...4.106.3)

---
updated-dependencies:
- dependency-name: github.com/vapor/vapor
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Nov 11, 2024
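The 4.105.2 note describes a decoder that, given `array[0]=0&array[1]=1&array[3]=3`, silently produced an empty array instead of throwing. The block below is an added example, not Vapor's `URLEncodedFormDecoder`: a small Python decoder for bracket-indexed form arrays that shows both shapes, the strict one that raises on a non-contiguous index run (the 4.105.2 behaviour) and the lenient one that returns an empty list. Function and class names (`decode_indexed_array`, `DecodeError`) and the sample bodies are constructed for the example.

```python
"""Added example (not Vapor's decoder): decode name[0]=..&name[1]=.. arrays
from a URL-encoded body, strictly or leniently.

Strict mode raises DecodeError when the indices are not 0..n-1 (a gap such as
array[0], array[1], array[3]) or when an index repeats. Lenient mode returns
[] for the gap case, the pre-4.105.2 shape, which is why a handler that
validates "at least one item" or "only these ids" can be handed an empty
array without any error surfacing.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qsl

# name[index], where index is a non-negative integer.
INDEXED = re.compile(r"^(?P<name>[^\[\]]+)\[(?P<index>\d+)\]$")


class DecodeError(ValueError):
    """Raised when the body does not have the shape the caller expects."""


def decode_indexed_array(body: str, name: str, strict: bool = True) -> List[str]:
    """Return the values of name[0], name[1], ... in index order."""
    by_index: Dict[int, str] = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = INDEXED.match(key)
        if not m or m.group("name") != name:
            continue  # unrelated field, or not bracket-indexed
        idx = int(m.group("index"))
        if idx in by_index:
            raise DecodeError(f"duplicate index {name}[{idx}]")
        by_index[idx] = value
    if not by_index:
        return []  # field genuinely absent
    expected = list(range(len(by_index)))
    if sorted(by_index) != expected:
        if strict:
            missing = sorted(set(expected) - set(by_index))
            raise DecodeError(f"{name}: indices not contiguous, missing {missing}")
        # Lenient (pre-4.105.2 style): the data did not fit the expected
        # structure, so the decoder quietly yields an empty array.
        return []
    return [by_index[i] for i in expected]


def raises_decode_error(body: str, name: str) -> bool:
    """True if strict decoding of body rejects it (used by the demo and tests)."""
    try:
        decode_indexed_array(body, name, strict=True)
    except DecodeError:
        return True
    return False


if __name__ == "__main__":
    good = "array[0]=0&array[1]=1&array[2]=2"
    gapped = "array[0]=0&array[1]=1&array[3]=3"
    print("contiguous, strict :", decode_indexed_array(good, "array"))
    print("gapped, lenient    :", decode_indexed_array(gapped, "array", strict=False))
    print("gapped, strict     : rejected =", raises_decode_error(gapped, "array"))
```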