Colin Snover | 8 Dec 20:40 2014

[SECURITY] New Dojo releases, all versions 1.4 through 1.10

Hi,

Several cross-site scripting vulnerabilities have been discovered and
fixed in dojox/av, dojox/embed, and dojox/form.

These vulnerabilities only impact users that publish the dojox package.
Users that publish only the dojo and dijit packages are unaffected and
do not need to take any action.

The following new releases contain fixes for the discovered vulnerabilities:

http://downloads.dojotoolkit.org/release-1.4.6/
http://downloads.dojotoolkit.org/release-1.5.5/
http://downloads.dojotoolkit.org/release-1.6.3/
http://downloads.dojotoolkit.org/release-1.7.8/
http://downloads.dojotoolkit.org/release-1.8.9/
http://downloads.dojotoolkit.org/release-1.9.6/
http://downloads.dojotoolkit.org/release-1.10.3/

We recommend you upgrade your Dojo packages. Alternatively, out of an
abundance of caution, you may delete the following files if you do not
use any of these components:

dojox/av/resources/audio.swf
dojox/av/resources/video.swf
dojox/form/uploader.swf
dojox/form/fileuploader.swf

Dojo 1.2 and 1.3 are also impacted, but are end-of-life versions of the
Toolkit and will not receive updates for this or any other issue. Users
(Continue reading)

Colin Snover | 8 Dec 06:35 2014

dojox repo freeze

Hi,

Until further notice (Monday), please don’t make any commits to the
dojox repository.

Thanks!

-- 
Colin Snover
http://zetafleet.com

--

-- 
dojo-contributors mailing list
Colin Snover | 4 Dec 16:56 2014

Dojo 2 core promoted to Dojo organization repository

Hi everyone,

I’m happy to announce that the Dojo 2 core repository previously at
csnover/core has been promoted to the main Dojo organization at
dojo/dojo2. Please let me know if you have any questions. As time
permits, I will be fixing things up to:

* Enable CI service
* Add automatic periodic builds for anyone that wants to be able to take
and use AMD or CJS modules directly from the repository without compiling
* Pull in the final set of contribution and code quality guidelines
* Introduce proposals in the issue tracker on GitHub to firm up the
goals and direction of the repository

If you would like to start hacking away at this code please just create
a brief ticket in the issue tracker that describes what you’re doing so
everyone is able to keep track.

The code from this repository is currently published to npm using the
dojo <at> beta tag and is in use by the Leadfoot and Dig Dug components of
Intern.

Best,

-- 
Colin Snover
http://zetafleet.com

--

-- 
dojo-contributors mailing list
(Continue reading)

Colin Snover | 4 Dec 16:46 2014

New weekly meeting time

Hi everyone,

(Apologies for not getting this announcement out in time for this week!)

I’ve received survey results on new preferred times for the weekly Dojo Meeting. Starting next week, the new meeting time moving forward will be Tuesdays at 9am PT (12pm ET, 5pm GMT).

For anyone that is not familiar, the Dojo Meeting is a weekly meeting where members of the Dojo Toolkit and some other related Dojo Foundation projects meet to discuss status updates, discuss plans for future releases, and address any outstanding issues in real-time on IRC at #dojo-meeting on irc.freenode.net. All interested parties are welcome to join to listen in, ask questions, and offer constructive suggestions.

I hope to see you there!

Best,
-- Colin Snover http://zetafleet.com
--

-- 
dojo-contributors mailing list
Bill Keese | 3 Dec 01:07 2014

signing DOH robot JAR

The DOH robot jar's certificate has expired, and the instructions at https://github.com/dojo/util/blob/master/doh/robot/README#L32 didn't work for me.

But I tried just following the much simpler procedure listed at http://www.jade-cheng.com/uh/ta/signed-applet-tutorial/#creating-self-signed-applets and (after preliminary testing) it seems to work fairly well, even with the latest version of java and the latest versions of FF, IE, and Chrome.   For FF and IE11, it only gives security prompts initially, not on every test.   For chrome, it gives the prompts occasionally (perhaps when robot is run after non-robot tests?).  Seems at least as good as before.

I'm far from an expert on signing applets, so if anyone has any insight, let me know.  I know that getting a real signature (from Verisign etc.) is better than self signing, and Christophe said he would try to get a real signature.   For the meantime, I may check this in.  One downside is that it says it expires "within 6 months", so the procedure needs to be repeated often.  Probably there's a flag to adjust that.

Bill
--

-- 
dojo-contributors mailing list
Jason Voccia | 1 Dec 20:26 2014
Picon

Dijit Intern-Conversion

I am new to contributing code to Dijit/Dojo, and found that DOHRobot was not working well in any configuration I could put together. 
It also looks like you all are moving to intern for testing from DOH.  

I wanted to get an automated test for #18262 before submitting so I took a first pass at converting the menu_mouse tests in Dijit to intern — here:
following the layout you all used for Dojo (folder called tests-intern off the root of the repo)

Are you open to these types of contributions?
Is there a place where you are collecting these types of changes?
And finally if the first two questions are affirmative — Could I get some feedback/help on getting these tests to passing at 100%/techniques to simplify the testing code/or what I am doing wrong :)?  

Thanks!
Jason
--

-- 
dojo-contributors mailing list
Dylan Schiemann | 18 Nov 06:07 2014

dgrid 0.4 and dstore 1.0 released

In case you missed our announcements on Monday, we've released dstore
1.0, the planned successor to dojo/store, as well as dgrid 0.4 (which
natively supports dstore, along with many other improvements). The
announcements, websites, and release notes for each are available at the
following URLs:

dstore:
* http://www.sitepen.com/blog/2014/11/17/introducing-dstore/
* http://dstorejs.io/
* https://github.com/SitePen/dstore/releases/tag/v1.0.0

dgrid:
* http://www.sitepen.com/blog/2014/11/17/dgrid-0-4-released/
* http://dgrid.io/
* https://github.com/SitePen/dgrid/releases/tag/v0.4.0

Regards,
-Dylan

-- 
Dylan Schiemann
SitePen, Inc.
Dojo workshops in the US, Canada, and Europe:
http://www.sitepen.com/workshops/
SitePen Insider: http://sitepen.com/insider/
http://www.sitepen.com/

--

-- 
dojo-contributors mailing list

Colin Snover | 7 Nov 20:06 2014

Dojo weekly meeting rescheduling

Hi,

As people maybe have noticed I am not able to make the Dojo meetings any
more at the Wednesday time. Would everyone be OK changing this meeting
to Tuesday at the same time? Is there another day/time that other people
would prefer more?

Let me know,

-- 
Colin Snover
http://zetafleet.com

--

-- 
dojo-contributors mailing list

Colin Snover | 20 Oct 00:18 2014

New Dojo releases: 1.10.2, 1.9.5, 1.8.8, 1.7.7

Hi,

New maintenance releases for the 1.10, 1.9, 1.8, and 1.7 branches are
now available from <http://downloads.dojotoolkit.org/>.

A full list of resolved issues for these releases can be found at
<https://bugs.dojotoolkit.org/query?status=closed&milestone=1.10.2&or&status=closed&milestone=1.9.5&or&status=closed&milestone=1.8.8&or&status=closed&milestone=1.7.7&col=id&col=summary&col=milestone&col=owner&col=type&col=priority&col=component&col=version&order=priority>.

Google CDN updates are pending.

Best,

-- 
Colin Snover
http://zetafleet.com

--

-- 
dojo-contributors mailing list

Colin Snover | 12 Sep 21:41 2014

Dojo releases: 1.10.1, 1.9.4, 1.8.7, 1.7.6

Hi,

I’m pleased to announce the immediate availability of Dojo maintenance
releases 1.10.1, 1.9.4, 1.8.7, and 1.7.6.

http://downloads.dojotoolkit.org/release-1.10.1/
http://downloads.dojotoolkit.org/release-1.9.4/
http://downloads.dojotoolkit.org/release-1.8.7/
http://downloads.dojotoolkit.org/release-1.7.6/

Have a nice weekend,

-- 
Colin Snover
http://zetafleet.com

--

-- 
dojo-contributors mailing list
Jared Jurkiewicz | 26 Aug 16:12 2014
Picon

require loader quesiton

Is dojo planning to support the improved requireJS API, such as the better error handling noted here:

http://requirejs.org/docs/api.html#errors

?

So you can have an error call back fired if the require fails?

Sincerely,
-- Jared Jurkiewicz
--

-- 
dojo-contributors mailing list

Gmane