Skip to content

chore(deps): update dependency coreruleset-v3 to v3.3.10 in config/_default/params.yaml#527

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/crs-v3-updates
Jul 5, 2026
Merged

chore(deps): update dependency coreruleset-v3 to v3.3.10 in config/_default/params.yaml#527
renovate[bot] merged 1 commit into
mainfrom
renovate/crs-v3-updates

Conversation

@renovate

@renovate renovate Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Update Change OpenSSF
coreruleset-v3 patch 3.3.93.3.10 OpenSSF Scorecard

Release Notes

coreruleset/coreruleset (coreruleset-v3)

v3.3.10

Compare Source

What's Changed

⚠️ Breaking Change
  • Requires libmodsecurity v3.0.16 or later when running on nginx/libmodsecurity v3. The XML attribute injection fix (ctl:ruleRemoveTargetByTag=...;XML://@​* in rule 901181) depends on owasp-modsecurity/ModSecurity#3589, which fixes the lexer's rejection of @ in ctl:ruleRemoveTarget* actions. On libmodsecurity v3 versions older than v3.0.16, this ctl action fails to parse, breaking config load.
  • Fully opting out of XML attribute inspection (tx.crs_xml_attr_inspect) requires ModSecurity v2 >= v2.9.14, once owasp-modsecurity/ModSecurity#3591 is fixed upstream. Until then, ctl:ruleRemoveTargetByTag cannot remove the XML://@​* target on ModSecurity v2, so rule 901181 cannot disable attribute inspection on that engine.
⭐ Important changes

Full Changelog: coreruleset/coreruleset@v3.3.9...v3.3.10


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added dependencies Pull requests that update a dependency file github-releases patch labels Jul 5, 2026
@renovate renovate Bot enabled auto-merge (squash) July 5, 2026 00:58
@renovate renovate Bot force-pushed the renovate/crs-v3-updates branch from 1331692 to 2830fc6 Compare July 5, 2026 04:51
@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying website with  Cloudflare Pages  Cloudflare Pages

Latest commit: 2830fc6
Status:⚡️  Build in progress...

View logs

@renovate renovate Bot merged commit 42d3ee5 into main Jul 5, 2026
1 of 2 checks passed
@renovate renovate Bot deleted the renovate/crs-v3-updates branch July 5, 2026 04:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github-releases patch

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants