Bump the bundler group across 1 directory with 11 updates #48

dependabot · 2024-05-13T19:08:26Z

Bumps the bundler group with 1 update in the / directory: actionpack.

Updates actionpack from 6.0.2.2 to 7.1.3.2

Release notes

v7.1.3.2

Active Support

No changes.

Active Model

No changes.

Active Record

No changes.

Action View

No changes.

Action Pack

Fix raise_on_missing_translations not working correctly with the translate method in controllers after the patch for CVE-2024-26143.

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

... (truncated)

Changelog

Sourced from actionpack's changelog.

Rails 7.1.3.2 (February 21, 2024)

Fix raise_on_missing_translations not working correctly with the translate method in controllers after the patch for CVE-2024-26143.

Rails 7.1.3.1 (February 21, 2024)

Fix possible XSS vulnerability with the translate method in controllers

CVE-2024-26143

Fix ReDoS in Accept header parsing

CVE-2024-26142

Rails 7.1.3 (January 16, 2024)

Fix including Rails.application.routes.url_helpers directly in an ActiveSupport::Concern.

Jonathan Hefner

Fix system tests when using a Chrome binary that has been downloaded by Selenium.

Jonathan Hefner

Rails 7.1.2 (November 10, 2023)

Fix a race condition that could cause a Text file busy - chromedriver error with parallel system tests

Matt Brictson

Fix StrongParameters#extract_value to include blank values

Otherwise composite parameters may not be parsed correctly when one of the component is blank.

fatkodima, Yasha Krasnou, Matthias Eiglsperger

Add racc as a dependency since it will become a bundled gem in Ruby 3.4.0

Hartley McGuire

Support handling Enumerator for non-buffered responses.

Zachary Scott

... (truncated)

Commits

6f0d1ad Preparing for 7.1.3.2 release
c25f0fc Respect raise_on_missing_ in controller
d73ed95 Preparing for 7.1.3.1 release
43037d8 update changelog
5187a9e fix XSS vulnerability when using translation
b4d3bfb Fix ReDoS in accept header scanning
36c1591 Preparing for 7.1.3 release
a84622f Sync changelog
8a0767d Fix test setup to raise SyntaxError on Ruby 2.7
894f933 Merge pull request #50764 from eugeneius/syntax_error_proxy_nil_backtrace_loc...
Additional commits viewable in compare view

Updates actionview from 6.0.2.2 to 7.1.3.2

Release notes

Sourced from actionview's releases.

v7.1.3.2

Active Support

No changes.

Active Model

No changes.

Active Record

No changes.

Action View

No changes.

Action Pack

Fix raise_on_missing_translations not working correctly with the translate method in controllers after the patch for CVE-2024-26143.

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

... (truncated)

Changelog

Sourced from actionview's changelog.

Rails 7.1.3.2 (February 21, 2024)

No changes.

Rails 7.1.3.1 (February 21, 2024)

No changes.

Rails 7.1.3 (January 16, 2024)

Better handle SyntaxError in Action View.

Mario Caropreso

Fix word_wrap with empty string.

Jonathan Hefner

Rename ActionView::TestCase::Behavior::Content to ActionView::TestCase::Behavior::RenderedViewContent.

Make RenderedViewContent inherit from String. Make private API with :nodoc:.

Sean Doyle

Fix detection of required strict locals.

Further fix render @collection compatibility with strict locals

Jean Boussier

Rails 7.1.2 (November 10, 2023)

Fix the number_to_human_size view helper to correctly work with negative numbers.

Earlopain

Automatically discard the implicit locals injected by collection rendering for template that can't accept them

When rendering a collection, two implicit variables are injected, which breaks templates with strict locals.

Now they are only passed if the template will actually accept them.

Yasha Krasnou, Jean Boussier

Fix @rails/ujs calling start() an extra time when using bundlers

Hartley McGuire, Ryunosuke Sato

... (truncated)

Commits

6f0d1ad Preparing for 7.1.3.2 release
d73ed95 Preparing for 7.1.3.1 release
43037d8 update changelog
36c1591 Preparing for 7.1.3 release
a84622f Sync changelog
81c8023 Sync changelog
610c7b8 Merge pull request #50752 from seanpdoyle/issue-49818-changelog
2606c66 Use verb form of "fallback"
680b81c Autolink AV::Helpers::SanitizeHelper#sanitize [ci-skip]
1f25cd3 Clean up AV::Helpers::SanitizeHelper#sanitize doc [ci-skip]
Additional commits viewable in compare view

Updates activerecord from 6.0.2.2 to 7.1.3.2

Release notes

Sourced from activerecord's releases.

v7.1.3.2

Active Support

No changes.

Active Model

No changes.

Active Record

No changes.

Action View

No changes.

Action Pack

Fix raise_on_missing_translations not working correctly with the translate method in controllers after the patch for CVE-2024-26143.

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

... (truncated)

Changelog

Sourced from activerecord's changelog.

Rails 7.1.3.2 (February 21, 2024)

No changes.

Rails 7.1.3.1 (February 21, 2024)

No changes.

Rails 7.1.3 (January 16, 2024)

Fix Migrations with versions older than 7.1 validating options given to add_reference.

Hartley McGuire

Ensure reload sets correct owner for each association.

Dmytro Savochkin

Fix view runtime for controllers with async queries.

fatkodima

Fix load_async to work with query cache.

fatkodima

Fix polymorphic belongs_to to correctly use parent's query_constraints.

fatkodima

Fix Preloader to not generate a query for already loaded association with query_constraints.

fatkodima

Fix multi-database polymorphic preloading with equivalent table names.

When preloading polymorphic associations, if two models pointed to two tables with the same name but located in different databases, the preloader would only load one.

Ari Summer

Fix encrypted_attribute? to take into account context properties passed to encrypts.

Maxime Réty

Fix find_by to work correctly in presence of composite primary keys.

... (truncated)

Commits

6f0d1ad Preparing for 7.1.3.2 release
d73ed95 Preparing for 7.1.3.1 release
43037d8 update changelog
36c1591 Preparing for 7.1.3 release
a0eef52 Merge pull request #50767 from rporrasluc/fix-db-runtime-calculation
4b699da Merge pull request #50680 from skipkayhil/hm-fix-legacy-add-reference
9cf3c5b Fix CHANGELOG
21dff57 Add changelog entry for #46383
57a50f5 Merge pull request #46383 from dmytro-savochkin/fix-activerecord-reload-assoc...
81c8023 Sync changelog
Additional commits viewable in compare view

Updates activestorage from 6.0.2.2 to 7.1.3.2

Release notes

Sourced from activestorage's releases.

v7.1.3.2

Active Support

No changes.

Active Model

No changes.

Active Record

No changes.

Action View

No changes.

Action Pack

Fix raise_on_missing_translations not working correctly with the translate method in controllers after the patch for CVE-2024-26143.

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

... (truncated)

Changelog

Sourced from activestorage's changelog.

Rails 7.1.3.2 (February 21, 2024)

No changes.

Rails 7.1.3.1 (February 21, 2024)

No changes.

Rails 7.1.3 (January 16, 2024)

Fix N+1 query when fetching preview images for non-image assets.

Aaron Patterson & Justin Searls

Fix all Active Storage database related models to respect ActiveRecord::Base.table_name_prefix configuration.

Chedli Bourguiba

Fix ActiveStorage::Representations::ProxyController not returning the proper preview image variant for previewable files.

Chedli Bourguiba

Fix ActiveStorage::Representations::ProxyController to proxy untracked variants.

Chedli Bourguiba

Fix direct upload forms when submit button contains nested elements.

Marc Köhlbrugge

When using the preprocessed: true option, avoid enqueuing transform jobs for blobs that are not representable.

Chedli Bourguiba

Process preview image variant when calling ActiveStorage::Preview#processed. For example, attached_pdf.preview(:thumb).processed will now immediately generate the full-sized preview image and the :thumb variant of it. Previously, the :thumb variant would not be generated until a further call to e.g. processed.url.

Chedli Bourguiba and Jonathan Hefner

Prevent ActiveRecord::StrictLoadingViolationError when strict loading is enabled and the variant of an Active Storage preview has already been

... (truncated)

Commits

6f0d1ad Preparing for 7.1.3.2 release
d73ed95 Preparing for 7.1.3.1 release
43037d8 update changelog
36c1591 Preparing for 7.1.3 release
a84622f Sync changelog
d8a8dd9 Merge pull request #50758 from rails/fix-video-preview-nplus1
2606c66 Use verb form of "fallback"
a8b302c Split up code blocks for multi-file examples [ci-skip]
29cc708 Merge pull request #50167 from chaadow/fix_activestorage_table_prefix
09a9cb9 Merge pull request #50165 from jonathanhefner/follow-up-48290-selector
Additional commits viewable in compare view

Updates activesupport from 6.0.2.2 to 7.1.3.2

Release notes

Sourced from activesupport's releases.

v7.1.3.2

Active Support

No changes.

Active Model

No changes.

Active Record

No changes.

Action View

No changes.

Action Pack

Fix raise_on_missing_translations not working correctly with the translate method in controllers after the patch for CVE-2024-26143.

Active Job

No changes.

Action Mailer

No changes.

Action Cable

No changes.

... (truncated)

Changelog

Sourced from activesupport's changelog.

Rails 7.1.3.2 (February 21, 2024)

No changes.

Rails 7.1.3.1 (February 21, 2024)

No changes.

Rails 7.1.3 (January 16, 2024)

Handle nil backtrace_locations in ActiveSupport::SyntaxErrorProxy.

Eugene Kenny

Fix ActiveSupport::JSON.encode to prevent duplicate keys.

If the same key exist in both String and Symbol form it could lead to the same key being emitted twice.

Manish Sharma

Fix ActiveSupport::Cache::Store#read_multi when using a cache namespace and local cache strategy.

Mark Oleson

Fix Time.now/DateTime.now/Date.today to return results in a system timezone after #travel_to.

There is a bug in the current implementation of #travel_to: it remembers a timezone of its argument, and all stubbed methods start returning results in that remembered timezone. However, the expected behaviour is to return results in a system timezone.

Aleksei Chernenkov

Fix :unless_exist option for MemoryStore#write (et al) when using a cache namespace.

S. Brent Faulkner

Fix ActiveSupport::Deprecation to handle blaming generated code.

Jean Boussier, fatkodima

Rails 7.1.2 (November 10, 2023)

Fix :expires_in option for RedisCacheStore#write_multi.

... (truncated)

Commits

6f0d1ad Preparing for 7.1.3.2 release
c25f0fc Respect raise_on_missing_ in controller
d73ed95 Preparing for 7.1.3.1 release
43037d8 update changelog
36c1591 Preparing for 7.1.3 release
a84622f Sync changelog
894f933 Merge pull request #50764 from eugeneius/syntax_error_proxy_nil_backtrace_loc...
b02f6c9 Merge pull request #48957 from cmaruz/48326
81c8023 Sync changelog
3a85830 Merge pull request #50749 from Earlopain/changelog-typo
Additional commits viewable in compare view

Updates globalid from 0.4.2 to 1.2.1

Release notes

Sourced from globalid's releases.

1.2.0

What's Changed

Drop support to Rails < 6.1 and Ruby <2.7 by @rafaelfranca in rails/globalid#153

Don't show secrets for SignedGlobalID#inspect by @p8 in rails/globalid#160

Allow for composite identifiers delimited by / by @nvasilevski in rails/globalid#163

Add Eager Load Option by @rafacoello in rails/globalid#139

New Contributors

@rafaelfranca made their first contribution in rails/globalid#153

@p8 made their first contribution in rails/globalid#159

@nvasilevski made their first contribution in rails/globalid#162

@rafacoello made their first contribution in rails/globalid#139

Full Changelog: rails/globalid@v1.1.0...v1.2.0

1.1.0

What's Changed

URI::GID: Update #check_scheme, no need to call super by @alexcwatt in rails/globalid#146

JSON-encode GlobalIDs as strings by @georgeclaghorn in rails/globalid#149

Support pattern matching of GlobalID & GlobalID::URI by @ojab in rails/globalid#140

prevent double find by @ooooooo-q in rails/globalid#148

implement non signed global_id helper method on fixture set by @rainerborene in rails/globalid#144

New Contributors

@daemonsy made their first contribution in rails/globalid#142

@alexcwatt made their first contribution in rails/globalid#146

@liijunwei made their first contribution in rails/globalid#150

@ojab made their first contribution in rails/globalid#140

@ooooooo-q made their first contribution in rails/globalid#148

@rainerborene made their first contribution in rails/globalid#144

Full Changelog: rails/globalid@v1.0.1...v1.1.0

v1.0.1

Possible ReDoS based DoS vulnerability in GlobalID

There is a ReDoS based DoS vulnerability in the GlobalID gem. This vulnerability has been assigned the CVE identifier CVE-2023-22799.

Versions Affected: >= 0.2.1 Not affected: NOTAFFECTED Fixed Versions: 1.0.1

Impact

There is a possible DoS vulnerability in the model name parsing section of the GlobalID gem. Carefully crafted input can cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately.

... (truncated)

Commits

488ab6c Prepare for 1.2.1
0f585e9 Whitespaces
626a342 Merge pull request #168 from ghiculescu/handle-no-primary-key
759d1eb Don't break on models where primary_key is not defined
27dff72 Prepare for 1.2.0
4ec9833 Merge pull request #165 from rails/rm-json-serializer
d371dd1 Change verifier to conform Rails 7.1 API
b73e5f9 Remove deprecation when default cache format is used
5246758 Make sure legacy verifier behavior work with JSON serializer and symbol values
2fab171 Update the ruby extension to use Ruby LSP
Additional commits viewable in compare view

Updates loofah from 2.5.0 to 2.22.0

Release notes

Sourced from loofah's releases.

2.22.0 / 2023-11-13

Added

A :targetblank HTML scrubber which ensures all hyperlinks have target="_blank". #275 @stefannibrasil and @thdaraujo

A :noreferrer HTML scrubber which ensures all hyperlinks have rel=noreferrer, similar to the :nofollow and :noopener scrubbers. #277 @wynksaiddestroy

2.21.4 / 2023-10-10

Fixed

Loofah::HTML5::Scrub.scrub_css is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, .scrub_css no longer inserts whitespace between tokens that did not already have whitespace between them. [#273, fixes #271]

2.21.3 / 2023-05-15

Quash "instance variable not initialized" warning in Ruby < 3.0. [#268] (Thanks, @dharamgollapudi!)

2.21.2 / 2023-05-11

Dependencies

Update the dependency on Nokogiri to be >= 1.12.0. The dependency in 2.21.0 and 2.21.1 was left at >= 1.5.9 but versions before 1.12 would result in a NameError exception. [#266]

2.21.1 / 2023-05-10

Fixed

Don't define HTML5::Document and HTML5::DocumentFragment when Nokogiri is < 1.14. In 2.21.0 these classes were defined whenever Nokogiri::HTML5 was defined, but Nokogiri v1.12 and v1.13 do not support Loofah subclassing properly.

2.21.0 / 2023-05-10

HTML5 Support

Classes Loofah::HTML5::Document and Loofah::HTML5::DocumentFragment are introduced, along with helper methods:

Loofah.html5_document

Loofah.html5_fragment

Loofah.scrub_html5_document

Loofah.scrub_html5_fragment

These classes and methods use Nokogiri's HTML5 parser to ensure modern web standards are used.

⚠ HTML5 functionality is only available with Nokogiri v1.14.0 and higher.

... (truncated)

Changelog

Sourced from loofah's changelog.

2.22.0 / 2023-11-13

Added

A :targetblank HTML scrubber which ensures all hyperlinks have target="_blank". #275 @stefannibrasil and @thdaraujo

A :noreferrer HTML scrubber which ensures all hyperlinks have rel=noreferrer, similar to the :nofollow and :noopener scrubbers. #277 @wynksaiddestroy

2.21.4 / 2023-10-10

Fixed

Loofah::HTML5::Scrub.scrub_css is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, .scrub_css no longer inserts whitespace between tokens that did not already have whitespace between them. [#273, fixes #271]

2.21.3 / 2023-05-15

Fixed

Quash "instance variable not initialized" warning in Ruby < 3.0. [#268] (Thanks, @dharamgollapudi!)

2.21.2 / 2023-05-11

Dependencies

Update the dependency on Nokogiri to be >= 1.12.0. The dependency in 2.21.0 and 2.21.1 was left at >= 1.5.9 but versions before 1.12 would result in a NameError exception. [#266]

2.21.1 / 2023-05-10

Fixed

Don't define HTML5::Document and HTML5::DocumentFragment when Nokogiri is < 1.14. In 2.21.0 these classes were defined whenever Nokogiri::HTML5 was defined, but Nokogiri v1.12 and v1.13 do not support Loofah subclassing properly.

2.21.0 / 2023-05-10

HTML5 Support

Classes Loofah::HTML5::Document and Loofah::HTML5::DocumentFragment are introduced, along with helper methods:

Loofah.html5_document

Loofah.html5_fragment

Loofah.scrub_html5_document

Loofah.scrub_html5_fragment

These classes and methods use Nokogiri's HTML5 parser to ensure modern web standards are used.

⚠ HTML5 functionality is only available with Nokogiri v1.14.0 and higher.

... (truncated)

Commits

cb14ea7 version bump to v2.22.0
64e0a26 update CHANGELOG
c5cfb80 Merge pull request #277 from wynksaiddestroy/feature/noreferrer_scrubber
4ad2e13 Add noreferrer scrubber
5345bb7 Merge pull request #275 from hexdevs/add-target-blank-scrub
09e11ad feat: adds :targetblank scrubber
992b054 version bump to v2.21.4
5d9a22f Merge pull request #273 from flavorjones/flavorjones-css-whitespace-handling
876116e fix: scrub_css is more consistent with whitespace
edde5f2 Merge pull request #274 from flavorjones/flavorjones-bump-hoe-markdown
Additional commits viewable in compare view

Updates nokogiri from 1.10.9 to 1.16.5

Release notes

Sourced from nokogiri's releases.

v1.16.5 / 2024-05-13

Security

[CRuby] Vendored libxml2 is updated to address CVE-2024-34459. See GHSA-r95h-9x8f-r3f7 for more information.

Dependencies

[CRuby] Vendored libxml2 is updated to v2.12.7 from v2.12.6. (@flavorjones)

sha256 checksums:

af0f44fa3e664dfb2aa10de8b551447d720c1e8d1f0aa3f35783dcc43e40a874  nokogiri-1.16.5-aarch64-linux.gem
23dc2357b26409a5c33b7e32a82902f0e9995305420f16d1a03ab3ea1a482fec  nokogiri-1.16.5-arm-linux.gem
950d037530edb49f75ad35de0b8038b970a7dda57e2b6326895b0e49fadf6214  nokogiri-1.16.5-arm64-darwin.gem
b7aefc94370c62476b8528e8d8abb6160203abd84a1f4eceda8f1aa8974d9989  nokogiri-1.16.5-java.gem
ec2167160df8fec3137bf95d574ed80ebc1d002bb3b281546b60b4aa9002466e  nokogiri-1.16.5-x64-mingw-ucrt.gem
6984200491fac69974005ecfa2de129d61843d345eafa5d6f58e8b908d1cf107  nokogiri-1.16.5-x64-mingw32.gem
abdc389ab1ec6604492da16bd9d06ad746fdb6bd6a1bd274c400d61ffcadb3c4  nokogiri-1.16.5-x86-linux.gem
63d24981345856f2baf7f4089870a62d3042fb8d3021b280fb04fc052532e3c4  nokogiri-1.16.5-x86-mingw32.gem
71b5f54e378c433d13df67c3b71acc4716129da62402d8181f310c4216a63279  nokogiri-1.16.5-x86_64-darwin.gem
0ca238da870066bed2f7837af6f35791bb9b76c4c5638999c46aac44818a6a97  nokogiri-1.16.5-x86_64-linux.gem
ec36162c68984fa0a90a5c4ae7ab7759460639e716cc1ce75f34c3cb54158ad2  nokogiri-1.16.5.gem

v1.16.4 / 2024-04-10

Dependencies

[CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

sha256 checksums:

bdb1dc4378ebcf3ade8f440c7df68f6d76946a1a96c4823a2b4c53c01a320cd5  nokogiri-1.16.4-aarch64-linux.gem
0c994b9996d5576eddcc3201a94ef2bff6fc3627c4ae4d2708b0ec9b9743ec6a  nokogiri-1.16.4-arm-linux.gem
8e86abb64c93c06d3c588042a0e757279e8f1dc88b5210a00be892a9a7a27196  nokogiri-1.16.4-arm64-darwin.gem
bf84fa28be4943692bd64772186e0832fb1061f80714ccb93e111e9d72b1cadc  nokogiri-1.16.4-java.gem
a46808467c1f63a2031e1ca0715cd5336bb4ec759e9c0e2f4c951c1cc30994ae  nokogiri-1.16.4-x64-mingw-ucrt.gem
4cdf64bc5e9443ec3e0b595347ecc8affe21968d9ae934c0825d26630ef96468  nokogiri-1.16.4-x64-mingw32.gem
d86d21bae47dd9f6f5223055e45d33fae08b0b89aad94cbc0ece4f4274fa7af5  nokogiri-1.16.4-x86-linux.gem
d488b872884844686780fda7cf5da44ee884d32faa713a55aeb4736d76718168  nokogiri-1.16.4-x86-mingw32.gem
a896e52a56951ffb0e6a9279afbf485d683e357a053d27f4cfcb2a73b0824628  nokogiri-1.16.4-x86_64-darwin.gem
92ff4f09910255fec84b3bc4c4b182e94cada3ed12b9f7a6ea058e0af186fb31  nokogiri-1.16.4-x86_64-linux.gem
</tr></table>

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.16.5

Security

[CRuby] Vendored libxml2 is updated to address CVE-2024-34459. See GHSA-r95h-9x8f-r3f7 for more information.

Dependencies

[CRuby] Vendored libxml2 is updated to v2.12.7 from v2.12.6. (@flavorjones)

v1.16.4 / 2024-04-10

Dependencies

[CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

v1.16.3 / 2024-03-15

Dependencies

[CRuby] Vendored libxml2 is updated to v2.12.6 from v2.12.5. (@flavorjones)

Changed

[CRuby] XML::Reader sets the @encoding instance variable during reading if it is not passed into the initializer. Previously, it would remain nil. The behavior of Reader#encoding has not changed. This works around changes to how libxml2 reports the encoding used in v2.12.6.

v1.16.2 / 2024-02-04

Security

[CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See GHSA-xc9x-jj77-9p9j for more information.

Dependencies

[CRuby] Vendored libxml2 is updated to v2.12.5 from v2.12.4. (@flavorjones)

v1.16.1 / 2024-02-03

Dependencies

[CRuby] Vendored libxml2 is updated to v2.12.4 from v2.12.3. (@flavorjones)

... (truncated)

Commits

cd70bd3 version bump to v1.16.5
afc36de dep: update vendored libxml2 to v2.12.7 (#3191)
41b4f08 ci: add arm64-darwin coverage using macos-14
67b9e86 dep: update libxml2 to v2.12.7
17c0362 version bump to v1.16.4
1c329e9 dep: update to zlib 1.3.1 (v1.16.x) (#3175)
edeac07 dep: update to zlib 1.3.1
80fb608 version bump to v1.16.3
710bd96 dep: update libxml 2.12.6 (branch v1.16.x) (#3151)
461a96e fix: Reader#read sets @encoding if it is unset
Additional commits viewable in compare view

Updates rack from 2.2.2 to 3.0.11

Release notes

Sourced from rack's releases.

v3.0.9.1

What's Changed

Fixed ReDoS in Accept header parsing [CVE-2024-26146]

Fixed ReDoS in Content Type header parsing [CVE-2024-25126]

Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: rack/rack@v3.0.9...v3.0.9.1

v3.0.9

What's Changed

Fix content-length calcuation in Rack:Response#write #2150

Full Changelog: rack/rack@v3.0.8...v3.0.9

v3.0.8

What's Changed

Backport "Fix some unused variable verbose warnings" by @skipkayhil in rack/rack#2084

New Contributors

@skipkayhil made their first contribution in rack/rack#2084

Full Changelog: rack/rack@v3.0.7...v3.0.8

v3.0.7

What's Changed

Backport "Make query parameters without = have nil values". by @jeremyevans in rack/rack#2060

Full Changelog: rack/rack@v3.0.6.1...v3.0.7

v3.0.6.1

No release notes provided.

v3.0.4.1

Full Changelog: rack/rack@v3.0.4...v3.0.4.1

v3.0.4

Full Changelog: rack/rack@v3.0.3...v3.0.4

v3.0.3

What's Changed

Release v3.0.3 by @ioquatix in rack/rack#2000

Full Changelog: rack/rack@v3.0.2...v3.0.3

v3.0.2

Full Changelog: rack/rack@v3.0.1...v3.0.2

... (truncated)

Changelog

Sourced from rack's changelog.

[3.0.11] - 2024-05-10

Backport #2062 to 3-0-stable: Do not allow BodyProxy to respond to to_str, make to_ary call close . (#2062, @jeremyevans)

[3.0.10] - 2024-03-21

Backport #2104 to 3-0-stable: Return empty when parsing a multi-part POST with only one end delimiter. (#2164, @JoeDupuis)

[3.0.9.1] - 2024-02-21

Security

CVE-2024-26146 Fixed ReDoS in Accept header parsing

CVE-2024-25126 Fixed ReDoS in Content Type header parsing

CVE-2024-26141 Reject Range headers which are too large

[3.0.9] - 2024-01-31

Fix incorrect content-length header that was emitted when Rack::Response#write was used in some situations. (#2150, @mattbrictson)

[3.0.8] - 2023-06-14

Fix some unused variable verbose warnings. (#2084, [@jeremyevans], @skipkayhil)

[3.0.7] - 2023-03-16

Make query parameters without = have nil values. (#2059, [@jeremyevans])

[3.0.6.1] - 2023-03-13

Security

[CVE-2023-27539] Avoid ReDoS in header parsing

[3.0.6] - 2023-03-13

Add QueryParser#missing_value for handling missing values + tests. (#2052, [@ioquatix])

[3.0.5] - 2023-03-13

Split form/query parsing into two steps. (#2038, @matthewd)

[3.0.4.2] - 2023-03-02

Security

... (truncated)

Commits

See full diff in compare view

Updates rails-html-sanitizer from 1.3.0 to 1.6.0

Release notes

Sourced from rails-html-sanitizer's releases.

1.6.0 / 2023-05-26

Dependencies have been updated:

Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support

As a result, required Ruby version is now >= 2.7.0

Security updates will continue to be made on the 1.5.x release branch as long as Rails 6.1 (which supports Ruby 2.5) is still in security support.

Mike Dalessio

HTML5 standards-compliant sanitizers are now available on platforms supported by Nokogiri::HTML5. These are available as:

Rails::HTML5::FullSanitizer

Rails::HTML5::LinkSanitizer

Rails::HTML5::SafeListSanitizer

And a new "vendor" is provided at Rails::HTML5::Sanitizer that can be used in a future version of Rails.

Note that for symmetry Rails::HTML4::Sanitizer is also added, though its behavior is identical to the vendor class methods on Rails::HTML::Sanitizer.

Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back the HTML5 vendor if it's supported, else the legacy HTML4 vendor.

Mike Dalessio

Module namespaces have changed, but backwards compatibility is provided by aliases.

The library defines three additional modules:

Rails::HTML for general functionality (replacing Rails::Html)

Rails::HTML4 containing sanitizers that parse content as HTML4

Rails::HTML5 containing sanitizers that parse content as HTML5

The following aliases are maintained for backwards compatibility:

Rails::Html points to Rails::HTML

Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer

Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer

Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

Mike Dalessio

LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and FullSanitizer already ensured this encoding.

... (truncated)

Changelog

Sourced from rails-html-sanitizer's changelog.

1.6.0 / 2023-05-26

Dependencies have been updated:

Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support

As a result, required Ruby version is now >= 2.7.0

Security updates will continue to be made on the 1.5.x release branch as long as Rails 6.1 (which supports Ruby 2.5) is still in security support.

Mike Dalessio

HTML5 standards-compliant sanitizers are now available on platforms supported by Nokogiri::HTML5. These are available as:

Rails::HTML5::FullSanitizer

Rails::HTML5::LinkSanitizer

Rails::HTML5::SafeListSanitizer

And a new "vendor" is provided at Rails::HTML5::Sanitizer that can be used in a future version of Rails.

Note that for symmetry Rails::HTML4::Sanitizer is also added, though its behavior is identical to the vendor class methods on Rails::HTML::Sanitizer.

Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back the HTML5 vendor if it's supported, else the legacy HTML4 vendor.

Mike Dalessio

Module namespaces have changed, but backwards compatibility is provided by aliases.

The library defines three additional modules:

Rails::HTML for general functionality (replacing Rails::Html)

Rails::HTML4 containing sanitizers that parse content as HTML4

Rails::HTML5 containing sanitizers that parse content as HTML5

The following aliases are maintained for backwards compatibility:

Rails::Html points to Rails::HTML

Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer

Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer

Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

Mike Dalessio

LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and FullSanitizer already ensured this encoding.

... (truncated)

Commits

19fd6cd version bump to v1.6.0
a9b2f1e doc: update CHANGELOG and README with supported branch info
ca29c20 doc: update README moving verbose notes after usage
3b31be5 version bump to v1.6.0.rc2
b98af6c Merge pull request #167 from rails/flavorjones-best-supported-vendor-method
e953444 feat: introduce Rails::HTML::Sanitizer.best_supported_vendor
5419017 version bump to v1.6.0.rc1
669dcd0 doc: update CONTRIBUTING with release process
cd77210 Merge pull request #166 from rails/flavorjones-update-deps-for-html5-variation2
7cc07bb dep: update loofah and nokogiri to versions fully supporting HTML5
Additional commits viewable in compare view

Updates tzinfo from 1.2.7 to 2.0.6

Release notes

Sourced from tzinfo's releases.

v2.0.6

Eliminate Object#untaint deprecation warnings on JRuby 9.4.0.0. #145.

TZInfo v2.0.6 on RubyGems.org

v2.0.5

Changed DateTime results to always use the proleptic Gregorian calendar. This affects DateTime results prior to 1582-10-15 and any arithmetic performed on the results that would produce a secondary result prior to 1582-10-15.

Added support for eager loading all the time zone and country data by calling either TZInfo::DataSource#eager_load! or TZInfo.eager_load!. Compatible with Ruby On Rails' eager_load_namespaces. #129.

Ignore the SECURITY file from Arch Linux's tzdata package. #134.

TZInfo v2.0.5 on RubyGems.org

v2.0.4

Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

TZInfo v2.0.4 on RubyGems.org

v2.0.3

Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. #120.

Fixed TimeWithOffset#getlocal returning a TimeWithOffset with the timezone_offset still assigned when called with an offset argument on JRuby 9.3.

Rubinius is no longer supported.

TZInfo v2.0.3 on RubyGems.org

v2.0.2

Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.

Fixed warnings when running on Ruby 2.8. #113.

TZInfo v2.0.2 on RubyGems.org

v2.0.1

Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode. #100.

Fixed warnings when running on Ruby 2.7. #109.

Added a TZInfo::Timezone#=~ method that performs a regex match on the time zone identifier. #99.

Added a TZInfo::Country#=~ method that performs a regex match on the country code.

TZInfo v2.0.1 on RubyGems.org

v2.0.0

Added

to_local and period_for instance methods ha...
Description has been truncated

Bumps the bundler group with 1 update in the / directory: [actionpack](https://github.com/rails/rails). Updates `actionpack` from 6.0.2.2 to 7.1.3.2 - [Release notes](https://github.com/rails/rails/releases) - [Changelog](https://github.com/rails/rails/blob/v7.1.3.2/actionpack/CHANGELOG.md) - [Commits](rails/rails@v6.0.2.2...v7.1.3.2) Updates `actionview` from 6.0.2.2 to 7.1.3.2 - [Release notes](https://github.com/rails/rails/releases) - [Changelog](https://github.com/rails/rails/blob/v7.1.3.2/actionview/CHANGELOG.md) - [Commits](rails/rails@v6.0.2.2...v7.1.3.2) Updates `activerecord` from 6.0.2.2 to 7.1.3.2 - [Release notes](https://github.com/rails/rails/releases) - [Changelog](https://github.com/rails/rails/blob/v7.1.3.2/activerecord/CHANGELOG.md) - [Commits](rails/rails@v6.0.2.2...v7.1.3.2) Updates `activestorage` from 6.0.2.2 to 7.1.3.2 - [Release notes](https://github.com/rails/rails/releases) - [Changelog](https://github.com/rails/rails/blob/v7.1.3.2/activestorage/CHANGELOG.md) - [Commits](rails/rails@v6.0.2.2...v7.1.3.2) Updates `activesupport` from 6.0.2.2 to 7.1.3.2 - [Release notes](https://github.com/rails/rails/releases) - [Changelog](https://github.com/rails/rails/blob/v7.1.3.2/activesupport/CHANGELOG.md) - [Commits](rails/rails@v6.0.2.2...v7.1.3.2) Updates `globalid` from 0.4.2 to 1.2.1 - [Release notes](https://github.com/rails/globalid/releases) - [Commits](rails/globalid@v0.4.2...v1.2.1) Updates `loofah` from 2.5.0 to 2.22.0 - [Release notes](https://github.com/flavorjones/loofah/releases) - [Changelog](https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md) - [Commits](flavorjones/loofah@v2.5.0...v2.22.0) Updates `nokogiri` from 1.10.9 to 1.16.5 - [Release notes](https://github.com/sparklemotion/nokogiri/releases) - [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md) - [Commits](sparklemotion/nokogiri@v1.10.9...v1.16.5) Updates `rack` from 2.2.2 to 3.0.11 - [Release notes](https://github.com/rack/rack/releases) - [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md) - [Commits](https://github.com/rack/rack/commits) Updates `rails-html-sanitizer` from 1.3.0 to 1.6.0 - [Release notes](https://github.com/rails/rails-html-sanitizer/releases) - [Changelog](https://github.com/rails/rails-html-sanitizer/blob/main/CHANGELOG.md) - [Commits](rails/rails-html-sanitizer@v1.3.0...v1.6.0) Updates `tzinfo` from 1.2.7 to 2.0.6 - [Release notes](https://github.com/tzinfo/tzinfo/releases) - [Changelog](https://github.com/tzinfo/tzinfo/blob/master/CHANGES.md) - [Commits](tzinfo/tzinfo@v1.2.7...v2.0.6) --- updated-dependencies: - dependency-name: actionpack dependency-type: indirect dependency-group: bundler - dependency-name: actionview dependency-type: indirect dependency-group: bundler - dependency-name: activerecord dependency-type: indirect dependency-group: bundler - dependency-name: activestorage dependency-type: indirect dependency-group: bundler - dependency-name: activesupport dependency-type: indirect dependency-group: bundler - dependency-name: globalid dependency-type: indirect dependency-group: bundler - dependency-name: loofah dependency-type: indirect dependency-group: bundler - dependency-name: nokogiri dependency-type: indirect dependency-group: bundler - dependency-name: rack dependency-type: indirect dependency-group: bundler - dependency-name: rails-html-sanitizer dependency-type: indirect dependency-group: bundler - dependency-name: tzinfo dependency-type: indirect dependency-group: bundler ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies Pull requests that update a dependency file label May 13, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the bundler group across 1 directory with 11 updates #48

Bump the bundler group across 1 directory with 11 updates #48

dependabot bot commented on behalf of github May 13, 2024

Bump the bundler group across 1 directory with 11 updates #48

Are you sure you want to change the base?

Bump the bundler group across 1 directory with 11 updates #48

Conversation

dependabot bot commented on behalf of github May 13, 2024

v7.1.3.2

Active Support

Active Model

Active Record

Action View

Action Pack

Active Job

Action Mailer

Action Cable

Rails 7.1.3.2 (February 21, 2024)

Rails 7.1.3.1 (February 21, 2024)

Rails 7.1.3 (January 16, 2024)

Rails 7.1.2 (November 10, 2023)

v7.1.3.2

Active Support

Active Model

Active Record

Action View

Action Pack

Active Job

Action Mailer

Action Cable

Rails 7.1.3.2 (February 21, 2024)

Rails 7.1.3.1 (February 21, 2024)

Rails 7.1.3 (January 16, 2024)

Rails 7.1.2 (November 10, 2023)

v7.1.3.2

Active Support

Active Model

Active Record

Action View

Action Pack

Active Job

Action Mailer

Action Cable

Rails 7.1.3.2 (February 21, 2024)

Rails 7.1.3.1 (February 21, 2024)

Rails 7.1.3 (January 16, 2024)

v7.1.3.2

Active Support

Active Model

Active Record

Action View

Action Pack

Active Job

Action Mailer

Action Cable

Rails 7.1.3.2 (February 21, 2024)

Rails 7.1.3.1 (February 21, 2024)

Rails 7.1.3 (January 16, 2024)

v7.1.3.2

Active Support

Active Model

Active Record

Action View

Action Pack

Active Job

Action Mailer

Action Cable

Rails 7.1.3.2 (February 21, 2024)

Rails 7.1.3.1 (February 21, 2024)

Rails 7.1.3 (January 16, 2024)

Rails 7.1.2 (November 10, 2023)

1.2.0

What's Changed

New Contributors

1.1.0

What's Changed

New Contributors

v1.0.1

Possible ReDoS based DoS vulnerability in GlobalID

Impact

2.22.0 / 2023-11-13

Added

2.21.4 / 2023-10-10