Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump the bundler group across 1 directory with 5 updates #34

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Bump the bundler group across 1 directory with 5 updates #34

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 13, 2024

Bumps the bundler group with 4 updates in the / directory: activesupport, addressable, nokogiri and rack.

Updates activesupport from 5.2.4 to 5.2.8.1

Release notes

Sourced from activesupport's releases.

5.2.8.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Change ActiveRecord::Coders::YAMLColumn default to safe_load

    This adds two new configuration options The configuration options are as follows:

    • config.active_storage.use_yaml_unsafe_load

    When set to true, this configuration option tells Rails to use the old "unsafe" YAML loading strategy, maintaining the existing behavior but leaving the possible escalation vulnerability in place. Setting this option to true is not recommended, but can aid in upgrading.

    • config.active_record.yaml_column_permitted_classes

    The "safe YAML" loading method does not allow all classes to be deserialized by default. This option allows you to specify classes deemed "safe" in your application. For example, if your application uses Symbol and Time in serialized data, you can add Symbol and Time to the allowed list as follows:

    config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]

    [CVE-2022-32224]

Action View

  • No changes.

Action Pack

... (truncated)

Commits
  • 8030cff Preparing for 5.2.8.1 release
  • ec10235 updating version and changelog
  • 2652133 Preparing for 5.2.8 release
  • a1b8a9b Merge pull request #45027 from rails/fix-tag-helper-regression
  • 9f3761a Merge branch '5-2-sec' into 5-2-stable
  • b290430 Preparing for 5.2.7.1 release
  • 2d8cb45 Update changelogs for release
  • 1278c0f Fix and add protections for XSS in names.
  • de20f93 Merge pull request #38069 from y-yagi/make_load_interlock_aware_monitor_work_...
  • 459e7cf Preparing for 5.2.7 release
  • Additional commits viewable in compare view

Updates addressable from 2.7.0 to 2.8.6

Changelog

Sourced from addressable's changelog.

Addressable 2.8.6

  • Memoize regexps for common character classes (#524)

#524: sporkmonger/addressable#524

Addressable 2.8.5

  • Fix thread safety issue with encoding tables (#515)
  • Define URI::NONE as a module to avoid serialization issues (#509)
  • Fix YAML serialization (#508)

#508: sporkmonger/addressable#508 #509: sporkmonger/addressable#509 #515: sporkmonger/addressable#515

Addressable 2.8.4

  • Restore Addressable::IDNA.unicode_normalize_kc as a deprecated method (#504)

#504: sporkmonger/addressable#504

Addressable 2.8.3

  • Fix template expand level 2 hash support for non-string objects (#499, #498)

#499: sporkmonger/addressable#499 #498: sporkmonger/addressable#498

Addressable 2.8.2

  • Improve cache hits and JIT friendliness (#486)
  • Improve code style and test coverage (#482)
  • Ensure reset of deferred validation (#481)
  • Resolve normalization differences between IDNA::Native and IDNA::Pure (#408, #492)
  • Remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438) (accidentally reverted by #449 merge but added back in #492)

#492: sporkmonger/addressable#492

Addressable 2.8.1

  • refactor Addressable::URI.normalize_path to address linter offenses (#430)
  • update gemspec to reflect supported Ruby versions (#466, #464, #463)
  • compatibility w/ public_suffix 5.x (#466, #465, #460)
  • fixes "invalid byte sequence in UTF-8" exception when unencoding URLs containing non UTF-8 characters (#459)
  • Ractor compatibility (#449)
  • use the whole string instead of a single line for template match (#431)
  • force UTF-8 encoding only if needed (#341)

#449: sporkmonger/addressable#449 #460: sporkmonger/addressable#460 #463: sporkmonger/addressable#463 #464: sporkmonger/addressable#464 #465: sporkmonger/addressable#465 #466: sporkmonger/addressable#466

... (truncated)

Commits
  • 35a0f5c gemspec: more #freeze and rubygems_version bump (#526)
  • 63ab40e Update version, gemspec, and CHANGELOG for 2.8.6 (#525)
  • 20879a9 Memoize regexps for common character classes (#524)
  • 60feb48 Link directly to versioned changelog from gemspec (#522)
  • d3635cc Bump actions/checkout from 3 to 4 (#521)
  • 7cd185e Update version, gemspec, and CHANGELOG for 2.8.5 (#518)
  • a5a8514 Fix gemspec generation (#517)
  • e01456b Fix thread safety issue with encoding tables (#515)
  • cf2153e Allow ruby-head to fail (#516)
  • b56cef3 Define URI::NONE as a module to avoid serialization issues (#509)
  • Additional commits viewable in compare view

Updates nokogiri from 1.10.9 to 1.16.5

Release notes

Sourced from nokogiri's releases.

v1.16.5 / 2024-05-13

Security

Dependencies

sha256 checksums:

af0f44fa3e664dfb2aa10de8b551447d720c1e8d1f0aa3f35783dcc43e40a874  nokogiri-1.16.5-aarch64-linux.gem
23dc2357b26409a5c33b7e32a82902f0e9995305420f16d1a03ab3ea1a482fec  nokogiri-1.16.5-arm-linux.gem
950d037530edb49f75ad35de0b8038b970a7dda57e2b6326895b0e49fadf6214  nokogiri-1.16.5-arm64-darwin.gem
b7aefc94370c62476b8528e8d8abb6160203abd84a1f4eceda8f1aa8974d9989  nokogiri-1.16.5-java.gem
ec2167160df8fec3137bf95d574ed80ebc1d002bb3b281546b60b4aa9002466e  nokogiri-1.16.5-x64-mingw-ucrt.gem
6984200491fac69974005ecfa2de129d61843d345eafa5d6f58e8b908d1cf107  nokogiri-1.16.5-x64-mingw32.gem
abdc389ab1ec6604492da16bd9d06ad746fdb6bd6a1bd274c400d61ffcadb3c4  nokogiri-1.16.5-x86-linux.gem
63d24981345856f2baf7f4089870a62d3042fb8d3021b280fb04fc052532e3c4  nokogiri-1.16.5-x86-mingw32.gem
71b5f54e378c433d13df67c3b71acc4716129da62402d8181f310c4216a63279  nokogiri-1.16.5-x86_64-darwin.gem
0ca238da870066bed2f7837af6f35791bb9b76c4c5638999c46aac44818a6a97  nokogiri-1.16.5-x86_64-linux.gem
ec36162c68984fa0a90a5c4ae7ab7759460639e716cc1ce75f34c3cb54158ad2  nokogiri-1.16.5.gem

v1.16.4 / 2024-04-10

Dependencies

  • [CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

sha256 checksums:

bdb1dc4378ebcf3ade8f440c7df68f6d76946a1a96c4823a2b4c53c01a320cd5  nokogiri-1.16.4-aarch64-linux.gem
0c994b9996d5576eddcc3201a94ef2bff6fc3627c4ae4d2708b0ec9b9743ec6a  nokogiri-1.16.4-arm-linux.gem
8e86abb64c93c06d3c588042a0e757279e8f1dc88b5210a00be892a9a7a27196  nokogiri-1.16.4-arm64-darwin.gem
bf84fa28be4943692bd64772186e0832fb1061f80714ccb93e111e9d72b1cadc  nokogiri-1.16.4-java.gem
a46808467c1f63a2031e1ca0715cd5336bb4ec759e9c0e2f4c951c1cc30994ae  nokogiri-1.16.4-x64-mingw-ucrt.gem
4cdf64bc5e9443ec3e0b595347ecc8affe21968d9ae934c0825d26630ef96468  nokogiri-1.16.4-x64-mingw32.gem
d86d21bae47dd9f6f5223055e45d33fae08b0b89aad94cbc0ece4f4274fa7af5  nokogiri-1.16.4-x86-linux.gem
d488b872884844686780fda7cf5da44ee884d32faa713a55aeb4736d76718168  nokogiri-1.16.4-x86-mingw32.gem
a896e52a56951ffb0e6a9279afbf485d683e357a053d27f4cfcb2a73b0824628  nokogiri-1.16.4-x86_64-darwin.gem
92ff4f09910255fec84b3bc4c4b182e94cada3ed12b9f7a6ea058e0af186fb31  nokogiri-1.16.4-x86_64-linux.gem
</tr></table>

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.16.5

Security

Dependencies

v1.16.4 / 2024-04-10

Dependencies

  • [CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

v1.16.3 / 2024-03-15

Dependencies

Changed

  • [CRuby] XML::Reader sets the @encoding instance variable during reading if it is not passed into the initializer. Previously, it would remain nil. The behavior of Reader#encoding has not changed. This works around changes to how libxml2 reports the encoding used in v2.12.6.

v1.16.2 / 2024-02-04

Security

Dependencies

v1.16.1 / 2024-02-03

Dependencies

... (truncated)

Commits

Updates rack from 2.0.8 to 2.2.9

Release notes

Sourced from rack's releases.

v2.2.8.1

What's Changed

Full Changelog: rack/rack@v2.2.8...v2.2.8.1

v2.2.8

What's Changed

New Contributors

Full Changelog: rack/rack@v2.2.7...v2.2.8

v2.2.7

What's Changed

New Contributors

Full Changelog: rack/rack@v2.2.6.4...v2.2.7

v2.2.6.4

No release notes provided.

v2.1.4.4

What's Changed

Full Changelog: rack/rack@v2.1.4.3...v2.1.4.4

v2.0.9.4

What's Changed

Full Changelog: rack/rack@v2.0.9.3...v2.0.9.4

Changelog

Sourced from rack's changelog.

Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

Unreleased

SPEC Changes

  • rack.input is now optional. (#1997, [@​ioquatix])
  • Rack::Utils.escape_html is now delegated to CGI.escapeHTML. ' is escaped to [#39](https://github.com/rack/rack/issues/39); instead of #x27;. (decimal vs hexadecimal) (#2099, @​JunichiIto)

Changed

  • rack.input is now optional, and if missing, will raise an error. Use this to fail on multipart parsing a request without an input body. (#2018, [@​ioquatix])
  • Introduce module Rack::BadRequest which is included in multipart and query parser errors. (#2019, [@​ioquatix])
  • MIME type for JavaScript files (.js) changed from application/javascript to text/javascript (1bd0f15)
  • Add .mjs MIME type (#2057, [@​axilleas])
  • Update MIME types associated to .ttf, .woff, .woff2 and .otf extensions to use mondern font/* types. (#2065, [@​davidstosik])
  • set_cookie_header utility now supports the partitioned cookie attribute. This is required by Chrome in some embedded contexts. (#2131, [@​flavio-b])
  • Remove non-standard status codes 306, 509, & 510 and update descriptions for 413, 422, & 451. (#2137, [@​wtn])
  • Add fallback lookup and deprecation warning for obsolete status symbols. (#2137, [@​wtn])
  • In Rack::Files, ignore the Range header if served file is 0 bytes. (#2159, [@​zarqman])

[3.0.11] - 2024-05-10

  • Backport #2062 to 3-0-stable: Do not allow BodyProxy to respond to to_str, make to_ary call close . (#2062, @​jeremyevans)

[3.0.10] - 2024-03-21

  • Backport #2104 to 3-0-stable: Return empty when parsing a multi-part POST with only one end delimiter. (#2164, @​JoeDupuis)

[3.0.9.1] - 2024-02-21

Security

[3.0.9] - 2024-01-31

  • Fix incorrect content-length header that was emitted when Rack::Response#write was used in some situations. (#2150, @​mattbrictson)

[3.0.8] - 2023-06-14

... (truncated)

Commits

Updates tzinfo from 1.2.5 to 1.2.11

Release notes

Sourced from tzinfo's releases.

v1.2.11

  • Eliminate Object#untaint deprecation warnings on JRuby 9.4.0.0. #145.

TZInfo v1.2.11 on RubyGems.org

v1.2.10

  • Fixed a relative path traversal bug that could cause arbitrary files to be loaded with require when used with RubyDataSource. Please refer to GHSA-5cm2-9h8c-rvfx for details. CVE-2022-31163.
  • Ignore the SECURITY file from Arch Linux's tzdata package. #134.

TZInfo v1.2.10 on RubyGems.org

v1.2.9

  • Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

TZInfo v1.2.9 on RubyGems.org

v1.2.8

  • Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
  • Rubinius is no longer supported.

TZInfo v1.2.8 on RubyGems.org

v1.2.7

  • Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
  • Fixed warnings when running on Ruby 2.8. #112.

TZInfo v1.2.7 on RubyGems.org

v1.2.6

  • Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.
  • Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
  • Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.
  • Fixed warnings when running on Ruby 2.7. #106 and #111.

TZInfo v1.2.6 on RubyGems.org

Changelog

Sourced from tzinfo's changelog.

Version 1.2.11 - 28-Jan-2023

  • Eliminate Object#untaint deprecation warnings on JRuby 9.4.0.0. #145.

Version 1.2.10 - 19-Jul-2022

  • Fixed a relative path traversal bug that could cause arbitrary files to be loaded with require when used with RubyDataSource. Please refer to GHSA-5cm2-9h8c-rvfx for details. CVE-2022-31163.
  • Ignore the SECURITY file from Arch Linux's tzdata package. #134.

Version 1.2.9 - 16-Dec-2020

  • Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

Version 1.2.8 - 8-Nov-2020

  • Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
  • Rubinius is no longer supported.

Version 1.2.7 - 2-Apr-2020

  • Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
  • Fixed warnings when running on Ruby 2.8. #112.

Version 1.2.6 - 24-Dec-2019

  • Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.
  • Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
  • Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.
  • Fixed warnings when running on Ruby 2.7. #106 and #111.
Commits
  • 2dc46fd Preparing v1.2.11.
  • c854e6a Update copyright years.
  • 9c092f3 Eliminate Object#untaint deprecation warnings on JRuby 9.4.0.0.
  • 4e5f8b7 Add Ruby 3.1, 3.2 and JRuby 9.4.
  • 2f58c69 Update the dependency on actions/checkout.
  • e52c056 Revert "Workaround for 'Permission denied - NUL' errors with JRuby on Windows."
  • 0814dcd Fix the release date.
  • fd05e2a Preparing v1.2.10.
  • b98c32e Merge branch 'fix-directory-traversal-1.2' into 1.2
  • ac3ee68 Remove unnecessary escaping of + within regex character classes.
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the bundler group across 1 directory with 5 updates
93eaf36 
Bumps the bundler group with 4 updates in the / directory: [activesupport](https://github.com/rails/rails), [addressable](https://github.com/sporkmonger/addressable), [nokogiri](https://github.com/sparklemotion/nokogiri) and [rack](https://github.com/rack/rack).


Updates `activesupport` from 5.2.4 to 5.2.8.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v7.1.3.2/activesupport/CHANGELOG.md)
- [Commits](rails/rails@v5.2.4...v5.2.8.1)

Updates `addressable` from 2.7.0 to 2.8.6
- [Changelog](https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md)
- [Commits](sporkmonger/addressable@addressable-2.7.0...addressable-2.8.6)

Updates `nokogiri` from 1.10.9 to 1.16.5
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.10.9...v1.16.5)

Updates `rack` from 2.0.8 to 2.2.9
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@2.0.8...v2.2.9)

Updates `tzinfo` from 1.2.5 to 1.2.11
- [Release notes](https://github.com/tzinfo/tzinfo/releases)
- [Changelog](https://github.com/tzinfo/tzinfo/blob/master/CHANGES.md)
- [Commits](tzinfo/tzinfo@v1.2.5...v1.2.11)

---
updated-dependencies:
- dependency-name: activesupport
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: addressable
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: nokogiri
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rack
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: tzinfo
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code labels May 13, 2024
@dependabot dependabot bot mentioned this pull request May 13, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants