🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889.
Impact
Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
Users can avoid calling the block_format helper or upgrade to Ruby 3.2
There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.
Impact
For applications using HTTP Token authentication via authenticate_or_request_with_http_token or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Releases
The fixed releases are available at the normal locations.
There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.
Impact
Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Releases
The fixed releases are available at the normal locations.
There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888.
Impact
Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
Users can avoid calling plain_text_for_blockquote_node or upgrade to Ruby 3.2
worked for most objects, they did not for classes and modules that were also
namespaces (i.e., those defined by a file and matching subdirectories). In
such cases, their child constants could not be autoloaded.
This limitation has been removed.
TracePoint is no longer used.
Requires Ruby 3.2 or later.
Gems that work with previous versions of Zeitwerk also work with this one. If
they support Ruby versions older than 3.2 they can specify a relaxed version
constraint for Zeitwerk like "~> 2.6", for example.
In client projects, Bundler takes the Ruby requirement into account when
resolving dependencies, so Gemfile.lock will get one compatible with the
Ruby version being used.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ rails (7.1.4 → 7.1.4.1) · Repo
Commits
See the full diff on Github. The new version differs by 11 commits:
Preparing for 7.1.4.1 releaseUpdate CHANGELOGsAvoid backtracking in ActionMailer block_formatAvoid backtracing in plain_text_for_blockquote_nodeAvoid backtracking in filtered_query_stringAvoid backtracking in Token#raw_paramsRemove required Ruby version from releaserMerge pull request #53053 from gabriel-amaral/gabriel-amaral/fix-devcontainer-image-buildMerge pull request #52962 from rails/rm-releserAddress `Rails::Command::HelpIntegrationTest` failure against ruby 3.4.0devSkip importmap-rails 2.0.2 which won't work for Ruby version '<= 3.0'↗️ actioncable (indirect, 7.1.4 → 7.1.4.1) · Repo · Changelog
Release Notes
7.1.4.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 11 commits:
Preparing for 7.1.4.1 releaseUpdate CHANGELOGsAvoid backtracking in ActionMailer block_formatAvoid backtracing in plain_text_for_blockquote_nodeAvoid backtracking in filtered_query_stringAvoid backtracking in Token#raw_paramsRemove required Ruby version from releaserMerge pull request #53053 from gabriel-amaral/gabriel-amaral/fix-devcontainer-image-buildMerge pull request #52962 from rails/rm-releserAddress `Rails::Command::HelpIntegrationTest` failure against ruby 3.4.0devSkip importmap-rails 2.0.2 which won't work for Ruby version '<= 3.0'↗️ actionmailbox (indirect, 7.1.4 → 7.1.4.1) · Repo · Changelog
↗️ actionmailer (indirect, 7.1.4 → 7.1.4.1) · Repo · Changelog
Security Advisories 🚨
🚨 Possible ReDoS vulnerability in block_format in Action Mailer
Release Notes
7.1.4.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 11 commits:
Preparing for 7.1.4.1 releaseUpdate CHANGELOGsAvoid backtracking in ActionMailer block_formatAvoid backtracing in plain_text_for_blockquote_nodeAvoid backtracking in filtered_query_stringAvoid backtracking in Token#raw_paramsRemove required Ruby version from releaserMerge pull request #53053 from gabriel-amaral/gabriel-amaral/fix-devcontainer-image-buildMerge pull request #52962 from rails/rm-releserAddress `Rails::Command::HelpIntegrationTest` failure against ruby 3.4.0devSkip importmap-rails 2.0.2 which won't work for Ruby version '<= 3.0'↗️ actionpack (indirect, 7.1.4 → 7.1.4.1) · Repo · Changelog
Security Advisories 🚨
🚨 Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
🚨 Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
Release Notes
7.1.4.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 11 commits:
Preparing for 7.1.4.1 releaseUpdate CHANGELOGsAvoid backtracking in ActionMailer block_formatAvoid backtracing in plain_text_for_blockquote_nodeAvoid backtracking in filtered_query_stringAvoid backtracking in Token#raw_paramsRemove required Ruby version from releaserMerge pull request #53053 from gabriel-amaral/gabriel-amaral/fix-devcontainer-image-buildMerge pull request #52962 from rails/rm-releserAddress `Rails::Command::HelpIntegrationTest` failure against ruby 3.4.0devSkip importmap-rails 2.0.2 which won't work for Ruby version '<= 3.0'↗️ actiontext (indirect, 7.1.4 → 7.1.4.1) · Repo · Changelog
Security Advisories 🚨
🚨 Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text
Release Notes
7.1.4.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 11 commits:
Preparing for 7.1.4.1 releaseUpdate CHANGELOGsAvoid backtracking in ActionMailer block_formatAvoid backtracing in plain_text_for_blockquote_nodeAvoid backtracking in filtered_query_stringAvoid backtracking in Token#raw_paramsRemove required Ruby version from releaserMerge pull request #53053 from gabriel-amaral/gabriel-amaral/fix-devcontainer-image-buildMerge pull request #52962 from rails/rm-releserAddress `Rails::Command::HelpIntegrationTest` failure against ruby 3.4.0devSkip importmap-rails 2.0.2 which won't work for Ruby version '<= 3.0'↗️ actionview (indirect, 7.1.4 → 7.1.4.1) · Repo · Changelog
Release Notes
7.1.4.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 11 commits:
Preparing for 7.1.4.1 releaseUpdate CHANGELOGsAvoid backtracking in ActionMailer block_formatAvoid backtracing in plain_text_for_blockquote_nodeAvoid backtracking in filtered_query_stringAvoid backtracking in Token#raw_paramsRemove required Ruby version from releaserMerge pull request #53053 from gabriel-amaral/gabriel-amaral/fix-devcontainer-image-buildMerge pull request #52962 from rails/rm-releserAddress `Rails::Command::HelpIntegrationTest` failure against ruby 3.4.0devSkip importmap-rails 2.0.2 which won't work for Ruby version '<= 3.0'↗️ activejob (indirect, 7.1.4 → 7.1.4.1) · Repo · Changelog
Release Notes
7.1.4.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 11 commits:
Preparing for 7.1.4.1 releaseUpdate CHANGELOGsAvoid backtracking in ActionMailer block_formatAvoid backtracing in plain_text_for_blockquote_nodeAvoid backtracking in filtered_query_stringAvoid backtracking in Token#raw_paramsRemove required Ruby version from releaserMerge pull request #53053 from gabriel-amaral/gabriel-amaral/fix-devcontainer-image-buildMerge pull request #52962 from rails/rm-releserAddress `Rails::Command::HelpIntegrationTest` failure against ruby 3.4.0devSkip importmap-rails 2.0.2 which won't work for Ruby version '<= 3.0'↗️ activemodel (indirect, 7.1.4 → 7.1.4.1) · Repo · Changelog
Release Notes
7.1.4.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 11 commits:
Preparing for 7.1.4.1 releaseUpdate CHANGELOGsAvoid backtracking in ActionMailer block_formatAvoid backtracing in plain_text_for_blockquote_nodeAvoid backtracking in filtered_query_stringAvoid backtracking in Token#raw_paramsRemove required Ruby version from releaserMerge pull request #53053 from gabriel-amaral/gabriel-amaral/fix-devcontainer-image-buildMerge pull request #52962 from rails/rm-releserAddress `Rails::Command::HelpIntegrationTest` failure against ruby 3.4.0devSkip importmap-rails 2.0.2 which won't work for Ruby version '<= 3.0'↗️ activerecord (indirect, 7.1.4 → 7.1.4.1) · Repo · Changelog
Release Notes
7.1.4.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 11 commits:
Preparing for 7.1.4.1 releaseUpdate CHANGELOGsAvoid backtracking in ActionMailer block_formatAvoid backtracing in plain_text_for_blockquote_nodeAvoid backtracking in filtered_query_stringAvoid backtracking in Token#raw_paramsRemove required Ruby version from releaserMerge pull request #53053 from gabriel-amaral/gabriel-amaral/fix-devcontainer-image-buildMerge pull request #52962 from rails/rm-releserAddress `Rails::Command::HelpIntegrationTest` failure against ruby 3.4.0devSkip importmap-rails 2.0.2 which won't work for Ruby version '<= 3.0'↗️ activestorage (indirect, 7.1.4 → 7.1.4.1) · Repo · Changelog
Release Notes
7.1.4.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 11 commits:
Preparing for 7.1.4.1 releaseUpdate CHANGELOGsAvoid backtracking in ActionMailer block_formatAvoid backtracing in plain_text_for_blockquote_nodeAvoid backtracking in filtered_query_stringAvoid backtracking in Token#raw_paramsRemove required Ruby version from releaserMerge pull request #53053 from gabriel-amaral/gabriel-amaral/fix-devcontainer-image-buildMerge pull request #52962 from rails/rm-releserAddress `Rails::Command::HelpIntegrationTest` failure against ruby 3.4.0devSkip importmap-rails 2.0.2 which won't work for Ruby version '<= 3.0'↗️ activesupport (indirect, 7.1.4 → 7.1.4.1) · Repo · Changelog
Release Notes
7.1.4.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 11 commits:
Preparing for 7.1.4.1 releaseUpdate CHANGELOGsAvoid backtracking in ActionMailer block_formatAvoid backtracing in plain_text_for_blockquote_nodeAvoid backtracking in filtered_query_stringAvoid backtracking in Token#raw_paramsRemove required Ruby version from releaserMerge pull request #53053 from gabriel-amaral/gabriel-amaral/fix-devcontainer-image-buildMerge pull request #52962 from rails/rm-releserAddress `Rails::Command::HelpIntegrationTest` failure against ruby 3.4.0devSkip importmap-rails 2.0.2 which won't work for Ruby version '<= 3.0'↗️ irb (indirect, 1.14.0 → 1.14.1) · Repo
Release Notes
1.14.1
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 19 commits:
Bump version to v1.14.1 (#1009)Use proper locale in history encoding test (#1008)Fix debug command in nomultiline mode (#1006)Use InstructionSequence#script_lines to get method source (#1005)Remove KEYWORD_ALIASES which handled special alias name of irb_break irb_catch and irb_next command (#1004)Specify commit hash of yamatanooroti (#1000)Fix easter_egg run without RDoc, fix input-method test run without RDoc (#998)Skip show_doc tests if RDoc is not availableSurpressing 'unknown command: “Switch to inspect mode.”' message (#995)Make colorize test pass with NO_COLOR env set (#994)Colorize command input (#983)Move parse_command method to Context (#993)Fix kill pager pid throwing Errno::ESRCH when pager process already terminated (#989)Improve easter_egg logo resolution (#987)Update COMPARED_WITH_PRY.md (#984)Remove Ruby version checks (#985)Clear ENV["XDG_CONFIG_HOME"] to avoid loading user-defined irbrc in TestIRB::ConfigValidationTest (#982)Group class methods under `class << self` (#981)Update commands list in the readme↗️ net-imap (indirect, 0.4.16 → 0.4.17) · Repo
Release Notes
0.4.17
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 21 commits:
🔀 Merge pull request #341 from ruby/backport/0.4/340/fix-gh-workflow-push_gem⬆️ Upgrade step-security/harden-runner (v2.8.1 to v2.10.1)✅ Fix GH action for rubygems Trusted Publishing🔖 Bump version to 0.4.17🔀 Merge pull request #339 from ruby/backport/0.4/334/responses-return-frozen_dup🔧 Set responses_without_block to frozen_dup in 0.6✨ Responses with no args can return frozen dup hash✨ Responses with type can return frozen dup array🔊 Update #responses deprecation message✅ Split up IMAP#responses test by arguments🚚 Move IMAP#responses tests to their own file📚 Improve rdoc for IMAP#responses📚 Improve Config rdoc🔀 Merge pull request #338 from ruby/backport/0.4/331/nicer-seqset-frozen-error🥅 Improve SequenceSet frozen errors🔀 Backport #317 and #330 into v0.4-stable✨ Add #extract_responses method✅ Add wait_for_response_count test helper✅ Add FakeServer#unsolicited (for testing)✅ Add a Mutex to FakeServer (for tests only)🐛 Fix SequenceSet[input] for a SequenceSet input↗️ rack (indirect, 2.2.9 → 2.2.10) · Repo · Changelog
Release Notes
2.2.10 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 2 commits:
Bump patch version.[2.2-stable] Fix compatibility issues with Ruby 3.4.0dev (#2248)↗️ railties (indirect, 7.1.4 → 7.1.4.1) · Repo · Changelog
Release Notes
7.1.4.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 11 commits:
Preparing for 7.1.4.1 releaseUpdate CHANGELOGsAvoid backtracking in ActionMailer block_formatAvoid backtracing in plain_text_for_blockquote_nodeAvoid backtracking in filtered_query_stringAvoid backtracking in Token#raw_paramsRemove required Ruby version from releaserMerge pull request #53053 from gabriel-amaral/gabriel-amaral/fix-devcontainer-image-buildMerge pull request #52962 from rails/rm-releserAddress `Rails::Command::HelpIntegrationTest` failure against ruby 3.4.0devSkip importmap-rails 2.0.2 which won't work for Ruby version '<= 3.0'↗️ zeitwerk (indirect, 2.6.18 → 2.7.0) · Repo · Changelog
Release Notes
2.7.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 15 commits:
Ready for 2.7.0Adds a note about backwards compatibility to the CHANGELOGRewordingRemove TracePoint Ruby compatibility testUpdate CHANGELOGFix method signature annotationPrefer Dir.each_child over Dir.childrenRemove polyfill for UnboundMethod#bind_callRemove polyfill for Module#autoload?Remove polyfill for Symbol#nameReplace TracePoint with const_added for explicit namespacesMove core extensions to a new core_ext folderAdd missing @raise annotationRevises month capitalization in CHANGELOG.mdRevises quotesDepfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands