Hi, I use jQuery v3.5.1 (latest stable) with Visual Studion 2019. When I scan for security vulnerabilities with NuGetDefense I get the following report:

"CVE-2016-10707 : jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into an infinite recursion, exceeding the stack call limit."

This is a link to the full description: https://nvd.nist.gov/vuln/detail/CVE-2016-10707

I opened a ticket in jquery support, they answered me as follows:

"You should contact the creators of the scanner to report a bug. The CVE references a version that is not the one you are running. See #3133."

Please advise how to proceed to fix this issue.

Thanks in advance!

@digitalcoyote good to know. The use case is legit, and for V2 it made sense. As V3 can be used on the WSL too, it should ideally bundle the executables and not the module. I'll draft something 😉

A general remark on my end. It makes zero sense to use chocolatey to install a Powershell module (it might have been OK for V2, but not for V3). However, looking at what scoop does for V3, that would be perfect for chocolatey too. I'd love to take ownership of the package, or guide this direction as that fits best with the use-case of V3.

Changes

1. Allow use of v3 of oh-my-posh, by picking up new release tags format.
2. Change v2 reference to Set-Theme to v3's Set-PoshPrompt.

FYI @JanDeDobbeleer, in case you spot anything else in the chocolateyinstall.ps1 that may need changing. @digitalcoyote I imagine the oh-my-posh.nuspec could use changing, but might leave that with you.

Background

Seems like v3 was in a pre-release/beta state until recently, I'm a complete novice with chocolatey/powershell, but noticed that oh-my-posh has a new major version and was wondering why it wasn't getting picked up, looks to be that the version tags are prefixed with v now.

I was able to get the below terminal output, but couldn't figure out how to run chocolateyinstall.ps1 after it unpacked the nupkg, so couldn't test it beyond that. <details> <summary>My amateur attempt at running update.ps1</summary> <p>

❯ .\update.ps1
oh-my-posh - checking updates using au version 2020.11.21
Install-PackageProvider: C:\Users\adehad\Documents\GitHub\chocolatey-packages\oh-my-posh\update.ps1:15
Line |
  15 |    Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Forc …
     |    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Administrator rights are required to install packages in ''. Log
     | on to the computer with an account that has Administrator rights,
     | and then try again, or install in
     | 'C:\Users\adehad\AppData\Local\PackageManagement\ProviderAssemblies' by adding "-Scope CurrentUser" to your command. You can also try running the Windows PowerShell session with elevated rights (Run as Administrator).

Saved Module
Remove-Item: C:\Users\adehad\Documents\GitHub\chocolatey-packages\oh-my-posh\update.ps1:25
Line |
  25 |    Remove-Item -Path "./oh-my-posh/$version/Build" -Force -Recurse
     |    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot find path
     | 'C:\Users\adehad\Documents\GitHub\chocolatey-packages\oh-my-posh\oh-my-posh\3.106.4\Build' because it does not exist.

Remove-Item: C:\Users\adehad\Documents\GitHub\chocolatey-packages\oh-my-posh\update.ps1:26
Line |
  26 |    Remove-Item -Path "./oh-my-posh/$version/.vscode" -Force -Recurse
     |    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot find path
     | 'C:\Users\adehad\Documents\GitHub\chocolatey-packages\oh-my-posh\oh-my-posh\3.106.4\.vscode' because it does not exist.

Remove-Item: C:\Users\adehad\Documents\GitHub\chocolatey-packages\oh-my-posh\update.ps1:27
Line |
  27 |    Remove-Item -Path "./oh-my-posh/$version/TestsResults.xml" -Force
     |    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot find path
     | 'C:\Users\adehad\Documents\GitHub\chocolatey-packages\oh-my-posh\oh-my-posh\3.106.4\TestsResults.xml' because it does not exist.


URL check
nuspec version: 2.0.496
remote version: 3.106.4
New version is available
Automatic checksum skipped
Updating files
  $Latest data:
    NuspecVersion             (String)     2.0.496
    PackageName               (String)     oh-my-posh
    Version                   (String)     3.106.4
  oh-my-posh.nuspec
    setting id: oh-my-posh
    updating version: 2.0.496 -> 3.106.4
Attempting to build package from 'oh-my-posh.nuspec'.
Successfully created package 'C:\Users\adehad\Documents\GitHub\chocolatey-packages\oh-my-posh\oh-my-posh.3.106.4.nupkg'

Package updated

Path          : C:\Users\adehad\Documents\GitHub\chocolatey-packages\oh-my-posh
Name          : oh-my-posh
Updated       : True
Pushed        : False
RemoteVersion : 3.106.4
NuspecVersion : 2.0.496
Result        : {oh-my-posh - checking updates using au version 2020.11.21, , URL
                check, nuspec version: 2.0.496…}
Error         :                                                                                                          
NuspecPath    : C:\Users\adehad\Documents\GitHub\chocolatey-packages\oh-my-posh\oh-my-posh.nuspec                                                                                          NuspecXml     : #document
Ignored       : False                                                                                                    
IgnoreMessage :
StreamsPath   : C:\Users\adehad\Documents\GitHub\chocolatey-packages\oh-my-posh\oh-my-posh.json
Streams       :

</p> </details>

Will this be an extra source for finding vulnerabilities that automatically can be ran? It would be a welcome addition since we cannot really use the dotnet list command as is in a CI/CD scenario without adding string comparison scripts around it. :-)

Thank you for your support!

allow env-vars to be marked as secret. this leads to them not being replaced during export except if the corresponding checkmark is set ("export secrets") on sync, the variable names should be exported but no values, merging should ignore these "changes" similar for privatebin export

this adds secrets which are handled differently than normal environment variables and are not synced. base for oauth support

this adds secrets which are handled differently than normal environment variables and are not synced. base for oauth support

Request Collection context menu unreadable in light theme

@digitalcoyote I will have a look.

Could the auto bot be updated so that the latest package of n3dr will become available on chocolatey?

This was creating additional nesting on the readme that was confusing. It made methods appear as nested methods of siblings.

This was creating additional nesting on the readme that was confusing. It made methods appear as nested methods of siblings.