[Security] Bump sinatra from 2.0.1 to 2.0.3

[dependabot-preview]

Bumps sinatra from 2.0.1 to 2.0.3. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

XSS via the 400 Bad Request page
Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.

Patched versions: >= 2.0.2
Unaffected versions: < 2.0.0

Changelog

Sourced from sinatra's changelog.

2.0.3 / 2018-06-09

• Fix the backports gem regression #1442 by Marc-André Lafortune

2.0.2 / 2018-06-05

• Escape invalid query parameters #1432 by Kunpei Sakai

  • The patch fixes CVE-2018-11627.

• Fix undefined method error for Sinatra::RequiredParams with hash key #1431 by Arpit Chauhan

• Add xml content-types to valid html_types for Rack::Protection #1413 by Reenan Arbitrario

• Encode route parameters using :default_encoding setting #1412 by Brian m. Carlson

• Fix unpredictable behaviour from Sinatra::ConfigFile #1244 by John Hope

• Add Sinatra::IndifferentHash#slice #1405 by Shota Iguchi

• Remove status code 205 from drop body response #1398 by Shota Iguchi

• Ignore empty captures from params #1390 by Shota Iguchi

• Improve development support and documentation and source code by Zp Yuan, Andreas Finger, Olle Jonsson, Shota Iguchi, Nikita Bulai and Joshua O'Brien

Commits

• 51f1761 2.0.3 release
• 17b4253 Merge pull request #1442 from sinatra/fix-1441
• dff6770 bump version to 2.0.3
• 7e0944a add v2.0.3 entry
• 6479338 Tweak require
• 25225ee Require only what's needed
• 4b77084 Use ActiveSupport's try as some versions of backports have wrong implementation
• b52e1bb Remove obsolete requires
• c8910e9 2.0.2 release
• 20eef6e Merge pull request #1437 from sinatra/update-changelog-for-v2.0.2
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use (this|these) label[s] will set the current labels as the default for future PRs for this repo and language
• @dependabot use (this|these) reviewer[s] will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use (this|these) assignee[s] will set the current assignees as the default for future PRs for this repo and language

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

[dependabot-preview]

We've just been alerted that this update fixes a security vulnerability:

Sourced from The Ruby Advisory Database.

XSS via the 400 Bad Request page
Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.

Patched versions: [">= 2.0.2"]
Unaffected versions: ["< 2.0.0.beta1", "2.0.0-alpha"]