artsy / watt

Watt is a shared js/css/img asset library for Artsy Rails apps.
https://github.com/artsy/watt
MIT License
0 stars 1 forks source link

[Security] Bump ffi from 1.9.14 to 1.11.2 #309

Closed dependabot-preview[bot] closed 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps ffi from 1.9.14 to 1.11.2. This update includes a security fix.

Vulnerabilities fixed *Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/ffi/CVE-2018-1000201.yml).* > **ruby-ffi DDL loading issue on Windows OS** > ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be > hijacked on Windows OS, when a Symbol is used as DLL name instead of a String > This vulnerability appears to have been fixed in v1.9.24 and later. > > Patched versions: >= 1.9.24 > Unaffected versions: none
Changelog *Sourced from [ffi's changelog](https://github.com/ffi/ffi/blob/master/CHANGELOG.md).* > 1.11.2 / 2019-11-11 > ------------------- > > Added: > * Add DragonFlyBSD as a platform. [#724](https://github-redirect.dependabot.com/ffi/ffi/issues/724) > > Changed: > * Sort all types.conf files, so that files and changes are easier to compare. > * Regenerated type conf for freebsd12 and x86_64-linux targets. [#722](https://github-redirect.dependabot.com/ffi/ffi/issues/722) > * Remove MACOSX_DEPLOYMENT_TARGET that was targeting very old version 10.4. [#647](https://github-redirect.dependabot.com/ffi/ffi/issues/647) > * Fix library name mangling for non glibc Linux/UNIX. [#727](https://github-redirect.dependabot.com/ffi/ffi/issues/727) > * Fix compiler warnings raised by ruby-2.7 > * Update libffi to latest master. > > > 1.11.1 / 2019-05-20 > ------------------- > > Changed: > * Raise required ruby version to >=2.0. [#699](https://github-redirect.dependabot.com/ffi/ffi/issues/699), [#700](https://github-redirect.dependabot.com/ffi/ffi/issues/700) > * Fix a possible linker error on ruby < 2.3 on Linux. > > > 1.11.0 / 2019-05-17 > ------------------- > This version was yanked on 2019-05-20 to fix an install issue on ruby-1.9.3. [#700](https://github-redirect.dependabot.com/ffi/ffi/issues/700) > > Added: > * Add ability to disable or force use of system libffi. [#669](https://github-redirect.dependabot.com/ffi/ffi/issues/669) > Use like `gem inst ffi -- --enable-system-libffi` . > * Add ability to call FFI callbacks from outside of FFI call frame. [#584](https://github-redirect.dependabot.com/ffi/ffi/issues/584) > * Add proper documentation to FFI::Generator and ::Task > * Add gemspec metadata. [#696](https://github-redirect.dependabot.com/ffi/ffi/issues/696), [#698](https://github-redirect.dependabot.com/ffi/ffi/issues/698) > > Changed: > * Fix stdcall on Win32. [#649](https://github-redirect.dependabot.com/ffi/ffi/issues/649), [#669](https://github-redirect.dependabot.com/ffi/ffi/issues/669) > * Fix load paths for FFI::Generator::Task > * Fix FFI::Pointer#read_string(0) to return a binary String. [#692](https://github-redirect.dependabot.com/ffi/ffi/issues/692) > * Fix benchmark suite so that it runs on ruby-2.x > * Move FFI::Platform::CPU from C to Ruby. [#663](https://github-redirect.dependabot.com/ffi/ffi/issues/663) > * Move FFI::StructByReference to Ruby. [#681](https://github-redirect.dependabot.com/ffi/ffi/issues/681) > * Move FFI::DataConverter to Ruby ([#661](https://github-redirect.dependabot.com/ffi/ffi/issues/661)) > * Various cleanups and improvements of specs and benchmarks > > Removed: > * Remove ruby-1.8 and 1.9 compatibility code. [#683](https://github-redirect.dependabot.com/ffi/ffi/issues/683) > * Remove unused spec files. [#684](https://github-redirect.dependabot.com/ffi/ffi/issues/684) > > > 1.10.0 / 2019-01-06 > ... (truncated)
Commits - [`a0386c8`](https://github.com/ffi/ffi/commit/a0386c8e334697cbccbc8db74c2587934e341900) Update CHANGELOG [ci skip] - [`4c8051e`](https://github.com/ffi/ffi/commit/4c8051ecc963caadb8864a5ddf8d3fba76db3949) Update libffi to latest master - [`8121e6f`](https://github.com/ffi/ffi/commit/8121e6fd84e90782534e6f7fc7ce7b80258126bd) Update CHANGELOG for 1.11.2 - [`1b64c01`](https://github.com/ffi/ffi/commit/1b64c011496172e22daf29ed88f570faa29a6ceb) Bump VERSION to 1.11.2 - [`d18826d`](https://github.com/ffi/ffi/commit/d18826d2501368ffcf13dc7d8b2956bcf95cdf51) Merge pull request [#722](https://github-redirect.dependabot.com/ffi/ffi/issues/722) from adam12/regenerate-freebsd12-types - [`7f909c2`](https://github.com/ffi/ffi/commit/7f909c2245a4406c3f39d81b856c1d4bfdd4f365) Fix library name mangling for non glibc Linux/UNIX - [`f841beb`](https://github.com/ffi/ffi/commit/f841beb43577fb58e39eef29c98f92fb3ea9a500) Merge pull request [#724](https://github-redirect.dependabot.com/ffi/ffi/issues/724) from ahorek/dragonfly - [`e58135b`](https://github.com/ffi/ffi/commit/e58135b01a09e47fd7f9f8e28f811e4e99d31e27) add types - [`2dcc07d`](https://github.com/ffi/ffi/commit/2dcc07d122a897bcfaaef23964ab9ed20dfa8756) identify dragonflybsd as a platform - [`a6d6242`](https://github.com/ffi/ffi/commit/a6d624262cf409b86c250d00bc64bba9cc0cb2f0) Regenerated type conf for freebsd12 target - Additional commits viewable in [compare view](https://github.com/ffi/ffi/compare/1.9.14...1.11.2)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)
oxaudo commented 5 years ago

Just merging this one. Seems very inconsequential.