chore(deps): bump yiisoft/yii from 1.1.14 to 1.1.29 in /test/acceptance/workspaces/composer-app

[dependabot]

Bumps yiisoft/yii from 1.1.14 to 1.1.29.

Release notes

Sourced from yiisoft/yii's releases.

Version 1.1.29

https://www.yiiframework.com/news/587/yii-1-1-29-is-released

Version 1.1.28

https://www.yiiframework.com/news/549/yii-1-1-28-is-released-and-security-support-extended

Version 1.1.27

https://www.yiiframework.com/news/510/yii-1-1-27-is-released

Version 1.1.26

https://www.yiiframework.com/news/495/yii-1-1-26-is-released

Version 1.1.25

https://www.yiiframework.com/news/419/yii-1-1-25-is-released

Version 1.1.24

https://www.yiiframework.com/news/369/yii-1-1-24-is-released-and-security-support-extended

Version 1.1.23

https://www.yiiframework.com/news/318/yii-1-1-23-is-released

Version 1.1.22

https://www.yiiframework.com/news/267/yii-1-1-22-is-released

Version 1.1.21

https://www.yiiframework.com/news/206/yii-1-1-21-is-released

Version 1.1.20

https://www.yiiframework.com/news/178/yii-1-1-20-is-released

Version 1.1.19

This release is a maintenance release of Yii 1.1.x which contains compatibility fixes for PHP 7.0 and 7.1.

See the complete release announcement for all details: http://www.yiiframework.com/news/137/yii-1-1-19-is-released/

Version 1.1.18

This release is a maintenance release of Yii 1.1.x which contains compatibility fixes for PHP 7.0 and 7.1.

See the complete release announcement for all details: http://www.yiiframework.com/news/133/yii-1-1-18-is-released/

Version 1.1.17

This is the last release of Yii 1.1.x containing Enhancements. Future releases will be bugfix only.

See the complete release announcement for all details: http://www.yiiframework.com/news/93/yii-1-1-17-is-released/

Version 1.1.16

... (truncated)

Changelog

Sourced from yiisoft/yii's changelog.

Version 1.1.29 November 14, 2023

• Bug #4516: PHP 8 compatibility: Allow union types and intersection types in action declarations (wtommyw)
• Bug #4523: Fixed translated in Greek class messages in framework requirements view, which they should not be translated (lourdas)
• Bug #4534: PHP 8.2 compatibility: Fix deprecated dynamic properties in gii/components/Pear/Text/Diff (mdeweerd, marcovtwout)
• Bug: CVE-2023-47130. Prevent RCE when deserializing untrusted user input (ma4ter222, marcovtwout)
• Enh #4529: Exceptions thrown while loading fixture file rows now contain more details (eduardor2k)
• Enh #4533: Various refactorings applied based on PHAN checks (marcovtwout)

Version 1.1.28 February 28, 2023

• Bug #4484: Set Last-Modified after sending cache control headers (jannis701, wtommyw)
• Bug #4491: Fixed limit and Offset not working correctly with MSSQL version 11 (2012) and newer (shnoulle, wtommyw)
• Bug #4497: PHP 8.1 compatibility: Fix unserialize null in CRedisCache (kenguest, wtommyw)
• Bug #4499: PHP 8.1 compatibility: Fix deprecation warning in COciSchema (marcovtwout)
• Bug #4500: PHP 8.1 compatibility: Fix deprecation warnings in CMysql classes (csears123)
• Bug #4507: PHP 8.1 compatibility: Fix deprecation warning in CWebUser (marcovtwout, wtommyw)
• Enh #4490: Added support for PostgreSQL 15 (sternix, marcovtwout)
• Enh #4503: Update tests and code for PHP 8.1 compatibility, stop suppressing deprecation warnings in tests (wtommyw)
• Enh #4505: Added support for PHP 8.2 (wtommyw)

Version 1.1.27 November 21, 2022

• Bug: PHP 8.1 compatibility: Fix CFileCache call of file_get_contents (Bregi)
• Bug: CVE-2022-41922. Prevent RCE when deserializing untrusted user input (fi3wey, marcovtwout)

Version 1.1.26 September 30, 2022

• Bug #4453: Alpine Linux compatibility: Avoid using GLOB_BRACE in CFileHelper::removeDirectory (ivany4)
• Enh #4386: Added support for PHP 8.1 (marcovtwout, JonathanArgentao, ivany4, csears123)
• Enh #4386: Updated HTMLPurifier to version 4.15.0 for PHP 8.1 support (https://github.com/ezyang/htmlpurifier/blob/v4.15.0/NEWS) (marcovtwout)
• Enh #4392: Added support for SSL to CRedisCache (andres101)

Version 1.1.25 December 13, 2021

• Bug #4226: Fix for Gii diff displaying "reset() expects parameter 1 to be array, integer given" (LeoZandvliet, marcovtwout)
• Bug #4369: PHP 8.0 compatibility: Fix warning "Only the first byte will be assigned to the string offset" when generating code with Gii (marcovtwout)
• Bug #4374: Fix for createUpdateCommand which did not accept just a table name when using MSSQL (c-schmitz)
• Bug #4380: Prevent fatal errors while validating CSRF token of malformed requests (rob006)
• Bug #4382: PHP 8.0 compatibility: Fix CFileLogRoute throwing TypeError when logfile cannot be opened (marcovtwout)

Version 1.1.24 June 7, 2021

• Bug #4339: "There is no active transaction" when transaction is autocommitted (twisted1919)

... (truncated)

Commits

• f89b76e Release version 1.1.29
• 37142be Merge pull request from GHSA-mw2w-2hj2-fg8q
• d687882 FIX: Check the proper value
• f687987 Merge branch 'advisory-fix-marcovtwout' of github.com:yiisoft/yii-ghsa-mw2w-2...
• a113037 Change is_string to is_scalar to accept more argument types even though strin...
• 22c4c2b Merge branch 'master' into advisory-fix-marcovtwout
• 6d8e867 Merge pull request #4537 from yiisoft/4533-phan-check-improvements
• 0361fac Merge pull request #4536 from yiisoft/4534-fix-pear-diff-php-deprecations
• 3719f5d Update CHANGELOG
• ac88032 Improve formatting
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Pages

Latest commit:	5e3f5ec
Status:	🚫  Build failed.

View logs

[secure-code-warrior-for-github]

Micro-Learning Topic: Cross-site request forgery (Detected by phrase)

Matched on "CSRF"

What is this? (2min video)

Session-related but not session-based, this attack is based on the ability of an attacker to force an action on a user’s browser (commonly in the form of a POST request) to perform an unauthorized action on behalf of the user. This can often occur without the user even noticing it… or only noticing when it is too late. The root cause is that browsers automatically send session cookies with all requests to a given domain, regardless of where the source of the request came from, and the application server cannot differentiate between a request that came from pages it served or a request that came from an unrelated page.

Try a challenge in Secure Code Warrior

Helpful references

• Securing Rails Applications - Cross-Site Request Forgery (CSRF) - A Rails Guide that describes common security problems in web applications and how to avoid them with Rails.
• Spring Security - Cross Site Request Forgery (CSRF) - A Spring Security article that describes Spring support for protecting against Cross Site Request Forgery attacks.
• csurf Node.js CSRF protection middleware - Documentation on CSRF protection provided by the csurf middleware for Express.
• XSRF/CSRF Prevention in ASP.NET MVC and Web Pages - A detailed Microsoft article on how to prevent cross-site request forgery in ASP.NET MVC and Web Pages.
• Django Documentation - Cross Site Request Forgery protection - Documentation on CSRF protection provided by the Django framework.
• OWASP Cross-Site Request Forgery Prevention Cheat Sheet - This cheatsheet is focused on providing clear, simple, actionable guidance for preventing cross-site request forgery flaws in your applications.
• Laravel Docs - CSRF Protection - Documentation on CSRF protection provided by the Laravel framework.
• OWASP Cross Site Request Forgery (CSRF) - OWASP community page with comprehensive information about cross-site request forgery, and links to various OWASP resources to help detect or prevent it.
• Preventing Cross-Site Request Forgery (CSRF) Attacks in ASP.NET MVC Application - A detailed Microsoft article on how to prevent cross-site request forgery in ASP.NET MVC.