Skip to content

chore(deps): bump github.com/sparkle-project/sparkle from 2.7.1 to 2.7.3 #94

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
dependabot wants to merge 1 commit into from
Closed

chore(deps): bump github.com/sparkle-project/sparkle from 2.7.1 to 2.7.3 #94

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Sep 15, 2025

Bumps github.com/sparkle-project/sparkle from 2.7.1 to 2.7.3.

Release notes

Sourced from github.com/sparkle-project/sparkle's releases.

2.7.3 - Important security fixes for local exploits + crash fix

Changes for 2.7.3:

  • Double quote team identifiers in requirement strings to fix crash if Team ID starts with number (#2766) (Zorg)

This fixes a potential crash that may occur for specific Team IDs, introduced in 2.7.2 which includes security fixes.

A release for 2.8.0 betas (aimed at revamped Tahoe support) with this fix will also been published soon.

--

Changes for 2.7.2:

This release contains security fixes for local exploits reported/reviewed by @​Karmaz95 . More details can be found in this discussion.

For apps that install package updates, you may not be able to test Sparkle in a development environment easily where Sparkle's tools are often not specially signed. If this is the case, please try testing Sparkle either from a notarized version of your app, or from a version of your app that was installed by your package installer.

2.7.2 - Important security fixes for local exploits

Warning (EDIT): Don't use this build. Use 2.7.3 or later which includes a potential crash fix introduced here.

Changes:

  • Harden policy on what operations clients are allowed to take (#2763) (Zorg)

This release contains security fixes for local exploits reported/reviewed by @​Karmaz95 . More details can be found in this discussion.

For apps that install package updates, you may not be able to test Sparkle in a development environment easily where Sparkle's tools are often not specially signed. If this is the case, please try testing Sparkle either from a notarized version of your app, or from a version of your app that was installed by your package installer.

A release for 2.8.0 betas (aimed at revamped Tahoe support) with these fixes has also been published.

Commits
  • 06beff6 Update Package management files for version 2.7.3
  • 7b25899 Double quote team identifiers in designated requirement strings (#2766)
  • cad8f2f Update CHANGELOG for 2.7.3
  • 4f20e5d Update Package management files for version 2.7.2
  • 06c5445 Update CHANGELOG for 2.7.2
  • fc4f8cb Harden policy on what operations clients are allowed to take
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps): bump github.com/sparkle-project/sparkle from 2.7.1 to 2.7.3
e189d5f 
Bumps [github.com/sparkle-project/sparkle](https://github.com/sparkle-project/Sparkle) from 2.7.1 to 2.7.3.
- [Release notes](https://github.com/sparkle-project/Sparkle/releases)
- [Commits](sparkle-project/Sparkle@2.7.1...2.7.3)

---
updated-dependencies:
- dependency-name: github.com/sparkle-project/sparkle
  dependency-version: 2.7.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Author

dependabot bot commented on behalf of github Sep 15, 2025

Labels

The following labels could not be found: dependencies, swift. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot requested a review from K9i-0 as a code owner September 15, 2025 00:30
@github-actions
Copy link

github-actions bot commented Sep 15, 2025

❌ Version Update Required

This PR is merging to develop but the version in Info.plist has not been updated.

Current version: 0.7.15
PR version: 0.7.15

Please update the version number in Info.plist before this PR can be merged.

How to update:

  1. Edit Info.plist
  2. Update both CFBundleShortVersionString and CFBundleVersion values to the same version
  3. Commit and push the changes

Or use the update script:

./scripts/update-version.sh patch  # or minor/major

The version should follow semantic versioning (x.y.z format).

@dependabot @github
Copy link
Author

dependabot bot commented on behalf of github Sep 22, 2025

Superseded by #97.

@dependabot dependabot bot closed this Sep 22, 2025
@dependabot dependabot bot deleted the dependabot/swift/github.com/sparkle-project/sparkle-2.7.3 branch September 22, 2025 00:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@K9i-0 K9i-0 Awaiting requested review from K9i-0 K9i-0 is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant