artsy / watt

Watt is a shared js/css/img asset library for Artsy Rails apps.
https://github.com/artsy/watt
MIT License

[Security] Bump sprockets from 3.6.3 to 4.0.0 #302

Closed dependabot-preview[bot] closed 4 years ago

dependabot-preview[bot] commented 4 years ago

Bumps sprockets from 3.6.3 to 4.0.0. This update includes a security fix.

Vulnerabilities fixed

*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sprockets/CVE-2018-3760.yml).*

> **Path Traversal in Sprockets**
> Specially crafted requests can be used to access files that exist on
> the filesystem that are outside an application's root directory, when the
> Sprockets server is used in production.
>
> All users running an affected release should either upgrade or use one of the workarounds immediately.
>
> Workaround:
> In Rails applications, to work around this issue, set `config.assets.compile = false` and
> `config.public_file_server.enabled = true` in an initializer and precompile the assets.
>
> This workaround will not be possible in all hosting environments and upgrading is advised.
>
> Patched versions: >= 2.12.5, < 3.0.0; >= 3.7.2, < 4.0.0; >= 4.0.0.beta8
> Unaffected versions: none
Release notes

*Sourced from [sprockets's releases](https://github.com/rails/sprockets/releases).*

> ## v3.7.0
> - Deprecated interfaces now emit deprecation warnings [#345](https://github-redirect.dependabot.com/rails/sprockets/issues/345)
Changelog

*Sourced from [sprockets's changelog](https://github.com/rails/sprockets/blob/master/CHANGELOG.md).*

> ## 4.0.0
>
> - Fixes for Ruby 2.7 keyword arguments warnings [#625](https://github-redirect.dependabot.com/rails/sprockets/pull/625)
> - Manifest files are sorted alphabetically [#626](https://github-redirect.dependabot.com/rails/sprockets/pull/626)
>
> ## 4.0.0.beta10
>
> - Fix YACB (Yet Another Caching Bug) [Fix broken expansion of asset link paths](https://github-redirect.dependabot.com/rails/sprockets/pull/614)
>
> ## 4.0.0.beta9
>
> - Minimum Ruby version for Sprockets 4 is now 2.5+, which matches the minimum Ruby version of Rails [#604](https://github-redirect.dependabot.com/rails/sprockets/issues/604)
> - Fix threading bug introduced in Sprockets 4 [#603](https://github-redirect.dependabot.com/rails/sprockets/issues/603)
> - Warn when two potential manifest files exist. [#560](https://github-redirect.dependabot.com/rails/sprockets/issues/560)
>
> ## 4.0.0.beta8
>
> - Security release for [CVE-2018-3760](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3760)
>
> ## 4.0.0.beta7
>
> - Fix a year-long bug that caused `Sprockets::FileNotFound` errors when the asset was present [#547](https://github-redirect.dependabot.com/rails/sprockets/issues/547)
> - Raise an error when two assets such as foo.js and foo.js.erb would produce the same output artifact (foo.js) [#549] [#530](https://github-redirect.dependabot.com/rails/sprockets/issues/530)
> - Process `*.jst.eco.erb` files with ERBProcessor
>
> ## 4.0.0.beta6
>
> - Fix source map line offsets [#515](https://github-redirect.dependabot.com/rails/sprockets/issues/515)
> - Return a `400 Bad Request` when the path encoding is invalid. [#514](https://github-redirect.dependabot.com/rails/sprockets/issues/514)
>
> ## 4.0.0.beta5
>
> - Reduce string allocations
> - Source map metadata uses compressed form specified by the [source map v3 spec](https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k). [#402](https://github-redirect.dependabot.com/rails/sprockets/issues/402) **[BREAKING]**
> - Generate [index maps](https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k/edit#heading=h.535es3xeprgt) when decoding source maps isn't necessary. [#402](https://github-redirect.dependabot.com/rails/sprockets/issues/402)
> - Remove fingerprints from source map files. [#402](https://github-redirect.dependabot.com/rails/sprockets/issues/402)
>
> ## 4.0.0.beta4
>
> - Changing the version now busts the digest of all assets [#404](https://github-redirect.dependabot.com/rails/sprockets/issues/404)
> - Exporter interface added [#386](https://github-redirect.dependabot.com/rails/sprockets/issues/386)
> - Using ENV vars in templates will recompile templates when the env vars change. [#365](https://github-redirect.dependabot.com/rails/sprockets/issues/365)
> - Source maps for imported sass files with sassc is now fixed [#391](https://github-redirect.dependabot.com/rails/sprockets/issues/391)
> - Load paths now in error messages [#322](https://github-redirect.dependabot.com/rails/sprockets/issues/322)
> - Cache key added to babel processor [#387](https://github-redirect.dependabot.com/rails/sprockets/issues/387)
> - `Environment#find_asset!` can now be used to raise an exception when an asset could not be found [#379](https://github-redirect.dependabot.com/rails/sprockets/issues/379)
>
> ## 4.0.0.beta3
>
> - Source Map fixes [#255](https://github-redirect.dependabot.com/rails/sprockets/issues/255) [#367](https://github-redirect.dependabot.com/rails/sprockets/issues/367)
> ... (truncated)
Commits

- [`08fef08`](https://github.com/rails/sprockets/commit/08fef08562c7a6a13a7c521938e83409a33e2b77) v4.0.0
- [`0ef4c97`](https://github.com/rails/sprockets/commit/0ef4c972e55d9e9721436939242af4d60d4ebc57) Merge pull request [#631](https://github-redirect.dependabot.com/rails/sprockets/issues/631) from rails/schneems/changelog
- [`540b0d2`](https://github.com/rails/sprockets/commit/540b0d247f3efea9eb95d57a8501cfb96538a008) [ci skip] check changelog entry
- [`02d4c0a`](https://github.com/rails/sprockets/commit/02d4c0a9a5dac5a69094b19d0ca08cbaa42b0e1a) Merge pull request [#628](https://github-redirect.dependabot.com/rails/sprockets/issues/628) from ahorek/optimize_source_maps
- [`4caa653`](https://github.com/rails/sprockets/commit/4caa65349c360866ba7d869252394f69a5f6a769) optimize source maps
- [`365036d`](https://github.com/rails/sprockets/commit/365036d12cc35e5c7b0f1c740b4f268c434ee7e0) Merge pull request [#627](https://github-redirect.dependabot.com/rails/sprockets/issues/627) from ahorek/kwargs
- [`6e6d6a7`](https://github.com/rails/sprockets/commit/6e6d6a70848cf006fabf48088cb4140c6d1858e7) kwargs
- [`d9e7037`](https://github.com/rails/sprockets/commit/d9e7037b75e8bf881ffc40a0209b6b7529462ff4) Merge pull request [#625](https://github-redirect.dependabot.com/rails/sprockets/issues/625) from amatsuda/kwargs
- [`cbf3b82`](https://github.com/rails/sprockets/commit/cbf3b82694f7f51cabd81a509809ddfecca860b0) Merge pull request [#626](https://github-redirect.dependabot.com/rails/sprockets/issues/626) from amatsuda/sort_manifest_entries
- [`b416821`](https://github.com/rails/sprockets/commit/b4168217a4f81e6470afe427bf355061fb37a473) Sort manifest entries alphabetically before choosing one
- Additional commits viewable in [compare view](https://github.com/rails/sprockets/compare/v3.6.3...v4.0.0)



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
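As an added check that is not part of this PR or of the sprockets project: a small Ruby script that applies the advisory's patched-version ranges (quoted above) to the `sprockets` entry of a `Gemfile.lock`, run here against a constructed lockfile fragment matching the pre-bump 3.6.3 state. It deliberately compares a prerelease such as `4.0.0.beta7` by its release number against `< 4.0.0`, because per the changelog only `4.0.0.beta8` and later carry the fix.

```ruby
# Patched ranges copied from the advisory, in RubyGems requirement syntax.
PATCHED_RANGES = [
  ">= 2.12.5, < 3.0.0",
  ">= 3.7.2, < 4.0.0",
  ">= 4.0.0.beta8",
].freeze

# True when `version_string` falls inside one of the patched ranges.
# Caveat: RubyGems orders 4.0.0.beta7 below 4.0.0, so a naive "< 4.0.0" check
# would mark that beta as fixed by the 3.x range. Prereleases are compared by
# their release number against upper bounds, so only ">= 4.0.0.beta8" vouches
# for 4.0.0 betas (beta8 is the security release per the changelog).
def sprockets_patched?(version_string)
  v = Gem::Version.new(version_string)
  PATCHED_RANGES.any? do |range|
    range.split(",").map(&:strip).all? do |constraint|
      op, bound = constraint.split(" ", 2)
      b = Gem::Version.new(bound)
      subject = (op == "<" && v.prerelease?) ? v.release : v
      case op
      when ">=" then subject >= b
      when "<"  then subject < b
      else raise ArgumentError, "unsupported operator #{op}"
      end
    end
  end
end

# Locked sprockets version from Gemfile.lock text. Gem entries sit at
# four-space indent; dependency lines (six spaces) are skipped.
def locked_sprockets_version(lockfile_text)
  m = lockfile_text.match(/^ {4}sprockets \(([^)]+)\)/)
  m && m[1]
end

# :vulnerable, :patched or :not_found for a Gemfile.lock's contents.
def sprockets_status(lockfile_text)
  v = locked_sprockets_version(lockfile_text)
  return :not_found unless v
  sprockets_patched?(v) ? :patched : :vulnerable
end

# Constructed lockfile fragment mirroring this PR's pre-bump state.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      sprockets (3.6.3)
        concurrent-ruby (~> 1.0)
LOCK
puts "sprockets #{locked_sprockets_version(SAMPLE_LOCK)}: #{sprockets_status(SAMPLE_LOCK)}"
```

Feed it a real `Gemfile.lock` via `File.read` to check an app before and after merging a bump like this one.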
artsy-peril[bot] commented 4 years ago
Warnings
:warning: It looks like code was changed without adding anything to the Changelog.
You can add #trivial in the PR body to skip the check.

Generated by :no_entry_sign: dangerJS against a305c7cf22f047f6bc5b65eb553269da3f64bb85

dependabot-preview[bot] commented 4 years ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.