csvalpha / sofia

S.O.F.I.A. - Streepsysteem der C.S.V. Alpha
https://streep.csvalpha.nl
MIT License

chore(deps): update dependency sidekiq to '~> 7.1.0' [security] #888

Open renovate[bot] opened 1 year ago

renovate[bot] commented 1 year ago

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| sidekiq (source, changelog) | `'~> 7.0.6'` -> `'~> 7.1.0'` | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2023-26141

Versions of the package sidekiq before 7.1.3 and 6.5.10 are vulnerable to Denial of Service (DoS) due to insufficient checks in the dashboard-charts.js file. An attacker can exploit this vulnerability by manipulating the localStorage value which will cause excessive polling requests.


Release Notes

sidekiq/sidekiq (sidekiq)

### [`v7.1.3`](https://togithub.com/sidekiq/sidekiq/blob/HEAD/Changes.md#713)

[Compare Source](https://togithub.com/sidekiq/sidekiq/compare/v7.1.2...v7.1.3)

- Add `sidekiq_options retry_for: 48.hours` to allow time-based retry windows [[#6029](https://togithub.com/sidekiq/sidekiq/issues/6029)]
- Support sidekiq_retry_in and sidekiq_retries_exhausted_block in ActiveJobs ([#5994](https://togithub.com/sidekiq/sidekiq/issues/5994))
- Lowercase all Rack headers for Rack 3.0 [[#5951](https://togithub.com/sidekiq/sidekiq/issues/5951)]
- Validate Sidekiq::Web page refresh delay to avoid potential DoS, CVE-2023-26141, thanks for reporting Keegan!

### [`v7.1.2`](https://togithub.com/sidekiq/sidekiq/blob/HEAD/Changes.md#712)

[Compare Source](https://togithub.com/sidekiq/sidekiq/compare/v7.1.1...v7.1.2)

- Mark Web UI assets as private so CDNs won't cache them [[#5936](https://togithub.com/sidekiq/sidekiq/issues/5936)]
- Fix stackoverflow when using Oj and the JSON log formatter [[#5920](https://togithub.com/sidekiq/sidekiq/issues/5920)]
- Remove spurious `enqueued_at` from scheduled ActiveJobs [[#5937](https://togithub.com/sidekiq/sidekiq/issues/5937)]

### [`v7.1.1`](https://togithub.com/sidekiq/sidekiq/blob/HEAD/Changes.md#711)

[Compare Source](https://togithub.com/sidekiq/sidekiq/compare/v7.1.0...v7.1.1)

- Support multiple CurrentAttributes [[#5904](https://togithub.com/sidekiq/sidekiq/issues/5904)]
- Speed up latency fetch with large queues on Redis <7 [[#5910](https://togithub.com/sidekiq/sidekiq/issues/5910)]
- Allow a larger default client pool [[#5886](https://togithub.com/sidekiq/sidekiq/issues/5886)]
- Ensure Sidekiq.options[:environment] == RAILS_ENV [[#5932](https://togithub.com/sidekiq/sidekiq/issues/5932)]

### [`v7.1.0`](https://togithub.com/sidekiq/sidekiq/blob/HEAD/Changes.md#710)

[Compare Source](https://togithub.com/sidekiq/sidekiq/compare/v7.0.9...v7.1.0)

- Improve display of ActiveJob arguments in Web UI [[#5825](https://togithub.com/sidekiq/sidekiq/issues/5825), cover]
- Update `push_bulk` to push `batch_size` jobs at a time and allow laziness [[#5827](https://togithub.com/sidekiq/sidekiq/issues/5827), fatkodima]. This allows Sidekiq::Client to push unlimited jobs as long as it has enough memory for the batch_size.
- Update `perform_bulk` to use `push_bulk` internally.
- Change return value of `push_bulk` to map 1-to-1 with arguments. If you call `push_bulk(args: [[1], [2], [3]])`, you will now always get an array of 3 values as the result: `["jid1", nil, "jid3"]` where nil means that particular job did not push successfully (possibly due to middleware stopping it). Previously nil values were removed so it was impossible to tell which jobs pushed successfully and which did not.
- Migrate away from all deprecated Redis commands [[#5788](https://togithub.com/sidekiq/sidekiq/issues/5788)]. Sidekiq will now print a warning if you use one of those deprecated commands.
- Prefix all Sidekiq thread names [[#5872](https://togithub.com/sidekiq/sidekiq/issues/5872)]

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Amsterdam, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate.
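The CVE-2023-26141 entry above describes a dashboard poll interval read from localStorage without sufficient checks, and the 7.1.3 changelog lists validating that refresh delay as the fix. The JavaScript below is an added example, not Sidekiq's own code and not part of this PR: it shows one way a browser dashboard can validate such a stored value before scheduling polling. The storage key name, the bounds and the function names are assumptions chosen for illustration.

```javascript
// Added example, not Sidekiq's code: bound an untrusted refresh delay that a
// dashboard page reads from localStorage before using it to schedule polling.
// Key name, bounds and function names are assumptions for illustration.

const DEFAULT_DELAY_MS = 5000;  // fallback when the stored value is missing or malformed
const MIN_DELAY_MS = 2000;      // floor: the page never polls faster than this
const MAX_DELAY_MS = 60000;     // ceiling: keeps the dashboard reasonably fresh

// Convert an untrusted stored value into a safe polling delay in milliseconds.
// Only plain decimal digit strings (or integer numbers) are accepted; anything
// else (null, "", "abc", "-5", "1e3", "0x10") falls back to the default, and an
// accepted value is clamped into [MIN_DELAY_MS, MAX_DELAY_MS].
function safeRefreshDelay(raw) {
  if (typeof raw !== "string" && typeof raw !== "number") return DEFAULT_DELAY_MS;
  const s = String(raw).trim();
  if (!/^\d+$/.test(s)) return DEFAULT_DELAY_MS;
  const n = Number(s);
  if (!Number.isFinite(n)) return DEFAULT_DELAY_MS;  // guards absurdly long digit strings
  return Math.min(MAX_DELAY_MS, Math.max(MIN_DELAY_MS, n));
}

// Read the delay from a storage-like object (window.localStorage in a browser,
// a plain object in tests) and schedule `poll` through a timer function, so the
// scheduling decision is testable without a DOM. Returns the delay actually used.
function scheduleDashboardPoll(storage, key, poll, setTimer = setTimeout) {
  const delay = safeRefreshDelay(storage[key]);
  setTimer(poll, delay);
  return delay;
}

// Constructed values a tampered localStorage entry might hold, mapped to the
// delay the dashboard would actually use for each.
function demo() {
  const tampered = { ok: "10000", tooFast: "1", negative: "-5", junk: "abc", huge: "999999999" };
  const out = {};
  for (const [name, value] of Object.entries(tampered)) out[name] = safeRefreshDelay(value);
  return out;  // { ok: 10000, tooFast: 2000, negative: 5000, junk: 5000, huge: 60000 }
}
```

The same floor should exist on the server side as well, since a client that has been tampered with can ignore any browser-side check; rate limiting the polled endpoint is the complementary defence.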