ctti-clinicaltrials / aact

Improving Public Access to Aggregate Content of ClinicalTrials.gov
http://aact.ctti-clinicaltrials.org
MIT License

Bump the bundler at /. security update group with 5 updates #1101

Closed dependabot[bot] closed 8 months ago

dependabot[bot] commented 8 months ago

Bumps the bundler at /. security update group with 5 updates:

Package From To
rails 6.0.0 7.1.1
activesupport 6.0.0 7.1.1
actionpack 6.0.0 7.1.1
loofah 2.19.1 2.21.4
rails-html-sanitizer 1.4.4 1.6.0

Updates rails from 6.0.0 to 7.1.1

Release notes

Sourced from rails's releases.

7.1.1

Active Support

  • Add support for keyword arguments when delegating calls to custom loggers from ActiveSupport::BroadcastLogger.

    Jenny Shen

  • NumberHelper: handle objects responding to to_d.

    fatkodima

  • Fix RedisCacheStore to properly set the TTL when incrementing or decrementing.

    This bug was only impacting Redis server older than 7.0.

    Thomas Countz

  • Fix MemoryStore to prevent race conditions when incrementing or decrementing.

    Pierre Jambet

Active Model

  • No changes.

Active Record

  • Fix auto populating IDENTITY columns for PostgreSQL.

    fatkodima

  • Fix "ArgumentError: wrong number of arguments (given 3, expected 2)" when down migrating rename_table in older migrations.

    fatkodima

  • Do not require the Action Text, Active Storage and Action Mailbox tables to be present when running tests on CI.

    Rafael Mendonça França

Action View

... (truncated)

Commits
  • 2393805 Preparing for 7.1.1 release
  • b280d7f Sync CHANGELOG
  • 314220e Merge pull request #49525 from abhaynikam/fix-app-generated-dockerfile-to-use...
  • 1f1710d Merge pull request #49589 from fatkodima/fix-flaky-fixtures-test
  • 4921df0 Merge pull request #49565 from hachi8833/add_missing_doc_43487
  • 57d626e Merge pull request #49562 from akhilgkrishnan/update-postgres-naming-to-postg...
  • 63f204d Merge pull request #49553 from tricknotes/update-rails-ujs-build
  • 8a6118a Use released version of Sdoc
  • 3199a45 Merge pull request #49581 from hachi8833/update_doc_npm
  • a5534b9 Merge pull request #49515 from dustinbrownman/main
  • Additional commits viewable in compare view


Updates activesupport from 6.0.0 to 7.1.1

Changelog

Sourced from activesupport's changelog.

Rails 7.1.1 (October 11, 2023)

  • Add support for keyword arguments when delegating calls to custom loggers from ActiveSupport::BroadcastLogger.

    Edouard Chin

  • NumberHelper: handle objects responding to to_d.

    fatkodima

  • Fix RedisCacheStore to properly set the TTL when incrementing or decrementing.

    This bug was only impacting Redis server older than 7.0.

    Thomas Countz

  • Fix MemoryStore to prevent race conditions when incrementing or decrementing.

    Pierre Jambet

Rails 7.1.0 (October 05, 2023)

  • No changes.

Rails 7.1.0.rc2 (October 01, 2023)

  • Fix AS::MessagePack with ENV["RAILS_MAX_THREADS"].

    Jonathan Hefner

Rails 7.1.0.rc1 (September 27, 2023)

  • Add a new public API for broadcasting logs

    This feature existed for a while but was until now a private API. Broadcasting logs allows sending log messages to different sinks (STDOUT, a file, ...) and is used by default in the development environment to write logs both to STDOUT and to the "development.log" file.

    Basic usage:

    stdout_logger = Logger.new(STDOUT)
    file_logger = Logger.new("development.log")
    broadcast = ActiveSupport::BroadcastLogger.new(stdout_logger, file_logger)

    broadcast.info("Hello!") # The "Hello!" message is written on STDOUT and in the log file.

... (truncated)

Commits
  • 2393805 Preparing for 7.1.1 release
  • b280d7f Sync CHANGELOG
  • 773e4a6 Merge pull request #49518 from Edouard-chin/ec-logger-doc
  • e2ded10 Merge pull request #49571 from jenshenny/kwargs-broadcast-logger
  • dfebc16 Merge pull request #49576 from fatkodima/fix-number-helper-to_d
  • c3117b5 Merge pull request #49554 from Thomascountz/fix-redis-lt7-ttl-not-set-on-firs...
  • 52c4aef Merge pull request #49542 from pjambet/pj/fix-memory-store-race-condition
  • f705603 Autolink references for AS::Notifications::Instrumenter [ci-skip]
  • 5fd7fc4 Capitalize framework names [ci-skip]
  • 7d49a43 Ensure on_rotation appears in RDoc [ci-skip]
  • Additional commits viewable in compare view


Updates actionpack from 6.0.0 to 7.1.1

Changelog

Sourced from actionpack's changelog.

Rails 7.1.1 (October 11, 2023)

  • No changes.

Rails 7.1.0 (October 05, 2023)

  • No changes.

Rails 7.1.0.rc2 (October 01, 2023)

  • No changes.

Rails 7.1.0.rc1 (September 27, 2023)

  • Add support for #deep_merge and #deep_merge! to ActionController::Parameters.

    Sean Doyle

Rails 7.1.0.beta1 (September 13, 2023)

  • AbstractController::Translation.raise_on_missing_translations removed

    This was a private API, and has been removed in favour of a more broadly applicable config.i18n.raise_on_missing_translations. See the upgrading guide for more information.

    Alex Ghiculescu

  • Add ActionController::Parameters#extract_value method to allow extracting serialized values from params

    params = ActionController::Parameters.new(id: "1_123", tags: "ruby,rails")
    params.extract_value(:id) # => ["1", "123"]
    params.extract_value(:tags, delimiter: ",") # => ["ruby", "rails"]

    Nikita Vasilevsky

  • Parse JSON response.parsed_body with ActiveSupport::HashWithIndifferentAccess

    Integrate with Minitest's new assert_pattern by parsing the JSON contents of response.parsed_body with ActiveSupport::HashWithIndifferentAccess, so that it's pattern-matching compatible.

    Sean Doyle

... (truncated)

Commits
  • 2393805 Preparing for 7.1.1 release
  • 5abcfd4 Merge pull request #49538 from akhilgkrishnan/capitalize-framework-names
  • dec60e5 Fix config name in changelog related to #49517
  • 4be0e37 Merge pull request #49517 from benstein/patch-1
  • d39db5d Preparing for 7.1.0 release
  • 60393bb Merge pull request #49493 from skipkayhil/hm-no-backticks
  • 311f639 Merge pull request #49487 from yawboakye/clarify-login-procedure-expectation
  • 7edbcce Merge pull request #49456 from seanpdoyle/strong-parameters-deep-merge-rdoc
  • 8340f8f Preparing for 7.1.0.rc2 release
  • fe87369 Merge pull request #49374 from yykamei/add_doc_for_protect_from_forgery
  • Additional commits viewable in compare view


Updates loofah from 2.19.1 to 2.21.4

Release notes

Sourced from loofah's releases.

2.21.4 / 2023-10-10

Fixed

  • Loofah::HTML5::Scrub.scrub_css is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, .scrub_css no longer inserts whitespace between tokens that did not already have whitespace between them. [#273, fixes #271]

2.21.3 / 2023-05-15

2.21.2 / 2023-05-11

Dependencies

  • Update the dependency on Nokogiri to be >= 1.12.0. The dependency in 2.21.0 and 2.21.1 was left at >= 1.5.9 but versions before 1.12 would result in a NameError exception. [#266]

2.21.1 / 2023-05-10

Fixed

  • Don't define HTML5::Document and HTML5::DocumentFragment when Nokogiri is < 1.14. In 2.21.0 these classes were defined whenever Nokogiri::HTML5 was defined, but Nokogiri v1.12 and v1.13 do not support Loofah subclassing properly.

2.21.0 / 2023-05-10

HTML5 Support

Classes Loofah::HTML5::Document and Loofah::HTML5::DocumentFragment are introduced, along with helper methods:

  • Loofah.html5_document
  • Loofah.html5_fragment
  • Loofah.scrub_html5_document
  • Loofah.scrub_html5_fragment

These classes and methods use Nokogiri's HTML5 parser to ensure modern web standards are used.

⚠ HTML5 functionality is only available with Nokogiri v1.14.0 and higher.

⚠ HTML5 functionality is not available for JRuby. Please see this upstream Nokogiri issue if you're interested in helping implement and support HTML5 support.

Loofah::HTML4 module and namespace

Loofah::HTML has been renamed to Loofah::HTML4, and Loofah::HTML is aliased to preserve backwards-compatibility. Nokogiri::HTML and Nokogiri::HTML4 parse methods still use libxml2's (or NekoHTML's) HTML4 parser.

Take special note that if you rely on the class name of an object in your code, objects will now report a class of Loofah::HTML4::Foo where they previously reported Loofah::HTML::Foo. Instead of relying on the string returned by Object#class, prefer Class#=== or Object#is_a? or Object#instance_of?.

... (truncated)

Changelog

Sourced from loofah's changelog.

2.21.4 / 2023-10-10

Fixed

  • Loofah::HTML5::Scrub.scrub_css is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, .scrub_css no longer inserts whitespace between tokens that did not already have whitespace between them. [#273, fixes #271]

2.21.3 / 2023-05-15

Fixed

2.21.2 / 2023-05-11

Dependencies

  • Update the dependency on Nokogiri to be >= 1.12.0. The dependency in 2.21.0 and 2.21.1 was left at >= 1.5.9 but versions before 1.12 would result in a NameError exception. [#266]

2.21.1 / 2023-05-10

Fixed

  • Don't define HTML5::Document and HTML5::DocumentFragment when Nokogiri is < 1.14. In 2.21.0 these classes were defined whenever Nokogiri::HTML5 was defined, but Nokogiri v1.12 and v1.13 do not support Loofah subclassing properly.

2.21.0 / 2023-05-10

HTML5 Support

Classes Loofah::HTML5::Document and Loofah::HTML5::DocumentFragment are introduced, along with helper methods:

  • Loofah.html5_document
  • Loofah.html5_fragment
  • Loofah.scrub_html5_document
  • Loofah.scrub_html5_fragment

These classes and methods use Nokogiri's HTML5 parser to ensure modern web standards are used.

⚠ HTML5 functionality is only available with Nokogiri v1.14.0 and higher.

⚠ HTML5 functionality is not available for JRuby. Please see this upstream Nokogiri issue if you're interested in helping implement and support HTML5 support.

Loofah::HTML4 module and namespace

Loofah::HTML has been renamed to Loofah::HTML4, and Loofah::HTML is aliased to preserve backwards-compatibility. Nokogiri::HTML and Nokogiri::HTML4 parse methods still use libxml2's (or NekoHTML's) HTML4 parser.

... (truncated)

Commits
  • 992b054 version bump to v2.21.4
  • 5d9a22f Merge pull request #273 from flavorjones/flavorjones-css-whitespace-handling
  • 876116e fix: scrub_css is more consistent with whitespace
  • edde5f2 Merge pull request #274 from flavorjones/flavorjones-bump-hoe-markdown
  • fe6238a ci: run github action weekly
  • dfff00d dep: bump hoe-markdown for ruby 3.3 ci
  • e34118a version bump to v2.21.3
  • 5c4a567 Merge pull request #268 from dharamgollapudi/patch-1
  • 0189e43 fix: quash uninitialized instance variable warning
  • 712067b version bump to v2.21.2
  • Additional commits viewable in compare view


Updates rails-html-sanitizer from 1.4.4 to 1.6.0

Release notes

Sourced from rails-html-sanitizer's releases.

1.6.0 / 2023-05-26

  • Dependencies have been updated:

    • Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support
    • As a result, required Ruby version is now >= 2.7.0

    Security updates will continue to be made on the 1.5.x release branch as long as Rails 6.1 (which supports Ruby 2.5) is still in security support.

    Mike Dalessio

  • HTML5 standards-compliant sanitizers are now available on platforms supported by Nokogiri::HTML5. These are available as:

    • Rails::HTML5::FullSanitizer
    • Rails::HTML5::LinkSanitizer
    • Rails::HTML5::SafeListSanitizer

    And a new "vendor" is provided at Rails::HTML5::Sanitizer that can be used in a future version of Rails.

    Note that for symmetry Rails::HTML4::Sanitizer is also added, though its behavior is identical to the vendor class methods on Rails::HTML::Sanitizer.

    Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back the HTML5 vendor if it's supported, else the legacy HTML4 vendor.

    Mike Dalessio

  • Module namespaces have changed, but backwards compatibility is provided by aliases.

    The library defines three additional modules:

    • Rails::HTML for general functionality (replacing Rails::Html)
    • Rails::HTML4 containing sanitizers that parse content as HTML4
    • Rails::HTML5 containing sanitizers that parse content as HTML5

    The following aliases are maintained for backwards compatibility:

    • Rails::Html points to Rails::HTML
    • Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer
    • Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer
    • Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

    Mike Dalessio

  • LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and FullSanitizer already ensured this encoding.

... (truncated)

Commits
  • 19fd6cd version bump to v1.6.0
  • a9b2f1e doc: update CHANGELOG and README with supported branch info
  • ca29c20 doc: update README moving verbose notes after usage
  • 3b31be5 version bump to v1.6.0.rc2
  • b98af6c Merge pull request #167 from rails/flavorjones-best-supported-vendor-method
  • e953444 feat: introduce Rails::HTML::Sanitizer.best_supported_vendor
  • 5419017 version bump to v1.6.0.rc1
  • 669dcd0 doc: update CONTRIBUTING with release process
  • cd77210 Merge pull request #166 from rails/flavorjones-update-deps-for-html5-variation2
  • 7cc07bb dep: update loofah and nokogiri to versions fully supporting HTML5
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/ctti-clinicaltrials/aact/network/alerts).
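As an added example (not code from this PR or from the aact project), a small Ruby check a practitioner can run after merging a security bump like this one: it parses the `specs:` blocks of a Gemfile.lock and reports any of the five gems in the table above that did not resolve to at least the PR's target version, comparing with the stdlib Gem::Version. The lockfile text is constructed for the example and the gem names and versions are taken from the PR table.

```ruby
# Added example (not from this PR or the aact project): verify a Gemfile.lock
# resolved to at least the target versions in the PR's "To" column.
REQUIRED_VERSIONS = {
  "rails"                => "7.1.1",
  "activesupport"        => "7.1.1",
  "actionpack"           => "7.1.1",
  "loofah"               => "2.21.4",
  "rails-html-sanitizer" => "1.6.0",
}.freeze

# Parse every `specs:` block of a Gemfile.lock into { gem name => version }.
# Only lines indented exactly four spaces carry a resolved version; deeper
# lines are dependency constraints, and a blank line ends the block.
def parse_lockfile_specs(lockfile_text)
  specs = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false if line.strip.empty?
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Gems that are absent or still below the required version. Gem::Version
# (stdlib) orders "7.1.10" above "7.1.9" and "1.6.0.rc2" below "1.6.0".
def outdated_gems(specs, required = REQUIRED_VERSIONS)
  required.each_with_object({}) do |(name, min), out|
    current = specs[name]
    if current.nil? || Gem::Version.new(current) < Gem::Version.new(min)
      out[name] = { current: current, required: min }
    end
  end
end

# Constructed sample lockfile: four gems are patched, rails-html-sanitizer is not.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.1.1)
        activesupport (= 7.1.1)
      activesupport (7.1.1)
      loofah (2.21.4)
      rails (7.1.1)
        actionpack (= 7.1.1)
      rails-html-sanitizer (1.4.4)
        loofah (~> 2.19, >= 2.19.1)

  PLATFORMS
    ruby
LOCK

p outdated_gems(parse_lockfile_specs(SAMPLE_LOCK)) # prints the gems still below target
```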
dependabot[bot] commented 8 months ago

OK, I won't notify you again about this release, but will get in touch when a new version is available.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.