🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.
There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed
an untrusted user to run any pending migrations on a Rails app running in
production.
This vulnerability has been assigned the CVE identifier CVE-2020-8185.
Versions Affected: 6.0.0 < rails < 6.0.3.2
Not affected: Applications with config.action_dispatch.show_exceptions = false (this is not a default setting in production)
Fixed Versions: rails >= 6.0.3.2
Impact
Using this issue, an attacker would be able to execute any migrations that
are pending for a Rails app running in production mode. It is important to
note that an attacker is limited to running migrations the application
developer has already defined in their application and ones that have not
already ran.
Workarounds
Until such time as the patch can be applied, application developers should
disable the ActionDispatch middleware in their production environment via
a line such as this one in their config/environment/production.rb:
In some cases user supplied information can be inadvertently leaked from
Strong Parameters. Specifically the return value of each, or each_value,
or each_pair will return the underlying "untrusted" hash of data that was
read from the parameters. Applications that use this return value may be
inadvertently use untrusted user input.
Impacted code will look something like this:
def update
# Attacker has included the parameter: `{ is_admin: true }`
User.update(clean_up_params)
end
def clean_up_params
params.each { |k, v| SomeModel.check(v) if k == :name }
end
Note the mistaken use of each in the clean_up_params method in the above
example.
Workarounds
Do not use the return values of each, each_value, or each_pair in your
application.
In some cases user supplied information can be inadvertently leaked from
Strong Parameters. Specifically the return value of each, or each_value,
or each_pair will return the underlying "untrusted" hash of data that was
read from the parameters. Applications that use this return value may be
inadvertently use untrusted user input.
Impacted code will look something like this:
def update
# Attacker has included the parameter: `{ is_admin: true }`
User.update(clean_up_params)
end
def clean_up_params
params.each { |k, v| SomeModel.check(v) if k == :name }
end
Note the mistaken use of each in the clean_up_params method in the above
example.
Workarounds
Do not use the return values of each, each_value, or each_pair in your
application.
It is possible to possible to, given a global CSRF token such as the one
present in the authenticity_token meta tag, forge a per-form CSRF token for
any action for that session.
Versions Affected: rails < 5.2.5, rails < 6.0.4
Not affected: Applications without existing HTML injection vulnerabilities.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1
Impact
Given the ability to extract the global CSRF token, an attacker would be able to
construct a per-form CSRF token for that session.
Workarounds
This is a low-severity security issue. As such, no workaround is necessarily
until such time as the application can be upgraded.
It is possible to possible to, given a global CSRF token such as the one
present in the authenticity_token meta tag, forge a per-form CSRF token for
any action for that session.
Versions Affected: rails < 5.2.5, rails < 6.0.4
Not affected: Applications without existing HTML injection vulnerabilities.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1
Impact
Given the ability to extract the global CSRF token, an attacker would be able to
construct a per-form CSRF token for that session.
Workarounds
This is a low-severity security issue. As such, no workaround is necessarily
until such time as the application can be upgraded.
In the scenario where an attacker might be able to control the href attribute of an anchor tag or
the action attribute of a form tag that will trigger a POST action, the attacker can set the
href or action to a cross-origin URL, and the CSRF token will be sent.
Workarounds
To work around this problem, change code that allows users to control the href attribute of an anchor
tag or the action attribute of a form tag to filter the user parameters.
For example, code like this:
link_to params
to code like this:
link_to filtered_params
def filtered_params
# Filter just the parameters that you trust
end
In the scenario where an attacker might be able to control the href attribute of an anchor tag or
the action attribute of a form tag that will trigger a POST action, the attacker can set the
href or action to a cross-origin URL, and the CSRF token will be sent.
Workarounds
To work around this problem, change code that allows users to control the href attribute of an anchor
tag or the action attribute of a form tag to filter the user parameters.
For example, code like this:
link_to params
to code like this:
link_to filtered_params
def filtered_params
# Filter just the parameters that you trust
end
There is a possible XSS vulnerability in ActionView's JavaScript literal
escape helpers. Views that use the j or escape_javascript methods
may be susceptible to XSS attacks.
Versions Affected: All.
Not affected: None.
Fixed Versions: 6.0.2.2, 5.2.4.2
Impact
There is a possible XSS vulnerability in the j and escape_javascript
methods in ActionView. These methods are used for escaping JavaScript string
literals. Impacted code will look something like this:
<script>let a =`<%= j unknown_input %>`</script>
or
<script>let a =`<%= escape_javascript unknown_input %>`</script>
Releases
The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations.
Workarounds
For those that can't upgrade, the following monkey patch may be used:
ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
{
"`" => "\\`",
"$" => "\\$"
}
)
moduleActionView::Helpers::JavaScriptHelperalias:old_ej:escape_javascriptalias:old_j:jdefescape_javascript(javascript)
javascript = javascript.to_s
if javascript.empty?
result =""else
result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
end
javascript.html_safe? ? result.html_safe : result
endalias:j:escape_javascriptend
There is a possible file content disclosure vulnerability in Action View. This
vulnerability has been assigned the CVE identifier CVE-2019-5418.
Versions Affected: All.
Not affected: None.
Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1
Impact
There is a possible file content disclosure vulnerability in Action View.
Specially crafted accept headers in combination with calls to render file:
can cause arbitrary files on the target server to be rendered, disclosing the
file contents.
The impact is limited to calls to render which render file contents without
a specified accept format. Impacted code in a controller looks something like
this:
class UserController < ApplicationController
def index
render file: "#{Rails.root}/some/file"
end
end
Rendering templates as opposed to files is not impacted by this vulnerability.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
Releases
The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are
available at the normal locations.
Workarounds
This vulnerability can be mitigated by specifying a format for file rendering,
like this:
class UserController < ApplicationController
def index
render file: "#{Rails.root}/some/file", formats: [:html]
end
end
In summary, impacted calls to render look like this:
render file: "#{Rails.root}/some/file"
The vulnerability can be mitigated by changing to this:
There is a potential denial of service vulnerability in actionview.
This vulnerability has been assigned the CVE identifier CVE-2019-5419.
Impact
Specially crafted accept headers can cause the Action View template location
code to consume 100% CPU, causing the server unable to process requests. This
impacts all Rails applications that render views.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
Workarounds
This vulnerability can be mitigated by wrapping render calls with respond_to blocks. For example, the following example is vulnerable:
class UserController < ApplicationController
def index
render "index"
end
end
But the following code is not vulnerable:
class UserController < ApplicationController
def index
respond_to |format|
format.html { render "index" }
end
end
end
Implicit rendering is impacted, so this code is vulnerable:
class UserController < ApplicationController
def index
end
end
But can be changed this this:
class UserController < ApplicationController
def index
respond_to |format|
format.html { render "index" }
end
end
end
Alternatively to specifying the format, the following monkey patch can be
applied in an initializer:
$ cat config/initializers/formats_filter.rb
# frozen_string_literal: true
ActionDispatch::Request.prepend(Module.new do
def formats
super().select do |format|
format.symbol || format.ref == "*/*"
end
end
end)
There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a
direct file upload to be modified by an end user.
Versions Affected: rails < 5.2.4.2, rails < 6.0.3.1
Not affected: Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1
Impact
Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a
new signature from the server. This could be used to bypass controls in place on the server to limit upload size.
Workarounds
This is a low-severity security issue. As such, no workaround is necessarily
until such time as the application can be upgraded.
There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a
direct file upload to be modified by an end user.
Versions Affected: rails < 5.2.4.2, rails < 6.0.3.1
Not affected: Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1
Impact
Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a
new signature from the server. This could be used to bypass controls in place on the server to limit upload size.
Workarounds
This is a low-severity security issue. As such, no workaround is necessarily
until such time as the application can be upgraded.
There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the raw: true parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:
data = cache.fetch("demo", raw: true) { untrusted_string }
Versions Affected: rails < 5.2.5, rails < 6.0.4
Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the raw option when storing untrusted user input.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1
Impact
Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.
In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling Rails.cache.fetch they are using consistent values of the raw parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.
Workarounds
It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
the raw argument should be double-checked to ensure that they conform to the expected format.
There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the raw: true parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:
data = cache.fetch("demo", raw: true) { untrusted_string }
Versions Affected: rails < 5.2.5, rails < 6.0.4
Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the raw option when storing untrusted user input.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1
Impact
Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.
In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling Rails.cache.fetch they are using consistent values of the raw parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.
Workarounds
It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
the raw argument should be double-checked to ensure that they conform to the expected format.
It is possible to forge a secure or host-only cookie prefix in Rack using
an arbitrary cookie write by using URL encoding (percent-encoding) on the
name of the cookie. This could result in an application that is dependent on
this prefix to determine if a cookie is safe to process being manipulated
into processing an insecure or cross-origin request.
This vulnerability has been assigned the CVE identifier CVE-2020-8184.
Versions Affected: rack < 2.2.3, rack < 2.1.4
Not affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process
Fixed Versions: rack >= 2.2.3, rack >= 2.1.4
Impact
An attacker may be able to trick a vulnerable application into processing an
insecure (non-SSL) or cross-origin request if they can gain the ability to write
arbitrary cookies that are sent to the application.
Workarounds
If your application is impacted but you cannot upgrade to the released versions or apply
the provided patch, this issue can be temporarily addressed by adding the following workaround:
module Rack
module Utils
module_function def parse_cookies_header(header)
return {} unless header
header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
next if cookie.empty?
key, value = cookie.split('=', 2)
cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
end
end
end
end
There is a possible a possible remote code executing exploit in Rails when in
development mode. This vulnerability has been assigned the CVE identifier
CVE-2019-5420.
With some knowledge of a target application it is possible for an attacker to
guess the automatically generated development mode secret token. This secret
token can be used in combination with other Rails internals to escalate to a
remote code execution exploit.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
Releases
The 6.0.0.beta3 and 5.2.2.1 releases are available at the normal locations.
Workarounds
This issue can be mitigated by specifying a secret key in development mode.
In "config/environments/development.rb" add this:
The ReDoS flaw allows an attacker to exhaust the server's capacity to process
incoming requests by sending a WebSocket handshake request containing a header
of the following form:
That is, a header containing an unclosed string parameter value whose content is
a repeating two-byte sequence of a backslash and some other character. The
parser takes exponential time to reject this header as invalid, and this will
block the processing of any other work on the same thread. Thus if you are
running a single-threaded server, such a request can render your service
completely unavailable.
Workarounds
There are no known work-arounds other than disabling any public-facing WebSocket functionality you are operating.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
depfu[bot]
commented
4 years ago
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ rails (5.2.4.2 → 6.0.3.2) · Repo
Release Notes
6.0.3
6.0.2.1
6.0.2
6.0.1
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
✳️ sass-rails (5.0.6 → 5.1.0) · Repo
Release Notes
5.0.7
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
✳️ web-console (3.7.0 → 4.0.3) · Repo · Changelog
Release Notes
4.0.3
4.0.2
4.0.1 (from changelog)
4.0.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ actioncable (indirect, 5.2.4.2 → 6.0.3.2) · Repo · Changelog
Release Notes
6.0.3.2 (from changelog)
6.0.3.1 (from changelog)
6.0.3 (from changelog)
6.0.2.1 (from changelog)
6.0.2 (from changelog)
6.0.1 (from changelog)
6.0.0 (from changelog)
5.2.4.3 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ actionmailer (indirect, 5.2.4.2 → 6.0.3.2) · Repo · Changelog
Release Notes
6.0.3.2 (from changelog)
6.0.3.1 (from changelog)
6.0.3 (from changelog)
6.0.2.1 (from changelog)
6.0.2 (from changelog)
6.0.1 (from changelog)
6.0.0 (from changelog)
5.2.4.3 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ actionpack (indirect, 5.2.4.2 → 6.0.3.2) · Repo · Changelog
Security Advisories 🚨
🚨 Untrusted users able to run pending migrations in production
🚨 Possible Strong Parameters Bypass in ActionPack
🚨 Possible Strong Parameters Bypass in ActionPack
🚨 Ability to forge per-form CSRF tokens given a global CSRF token
🚨 Ability to forge per-form CSRF tokens given a global CSRF token
Release Notes
6.0.3.2 (from changelog)
6.0.3.1 (from changelog)
6.0.3 (from changelog)
6.0.2.1 (from changelog)
6.0.2 (from changelog)
6.0.1 (from changelog)
6.0.0 (from changelog)
5.2.4.3 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ actionview (indirect, 5.2.4.2 → 6.0.3.2) · Repo · Changelog
Security Advisories 🚨
🚨 CSRF Vulnerability in rails-ujs
🚨 CSRF Vulnerability in rails-ujs
🚨 Possible XSS vulnerability in ActionView
🚨 File Content Disclosure in Action View
🚨 Denial of Service Vulnerability in Action View
Release Notes
6.0.3.2 (from changelog)
6.0.3.1 (from changelog)
6.0.3 (from changelog)
6.0.2.1 (from changelog)
6.0.2 (from changelog)
6.0.1 (from changelog)
6.0.0 (from changelog)
5.2.4.3 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activejob (indirect, 5.2.4.2 → 6.0.3.2) · Repo · Changelog
Release Notes
6.0.3.2 (from changelog)
6.0.3.1 (from changelog)
6.0.3 (from changelog)
6.0.2.1 (from changelog)
6.0.2 (from changelog)
6.0.1 (from changelog)
6.0.0 (from changelog)
5.2.4.3 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activemodel (indirect, 5.2.4.2 → 6.0.3.2) · Repo · Changelog
Release Notes
6.0.3.2 (from changelog)
6.0.3.1 (from changelog)
6.0.3 (from changelog)
6.0.2.1 (from changelog)
6.0.2 (from changelog)
6.0.1 (from changelog)
6.0.0 (from changelog)
5.2.4.3 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activerecord (indirect, 5.2.4.2 → 6.0.3.2) · Repo · Changelog
Release Notes
6.0.3.2 (from changelog)
6.0.3.1 (from changelog)
6.0.3 (from changelog)
6.0.2.1 (from changelog)
6.0.2 (from changelog)
6.0.1 (from changelog)
6.0.0 (from changelog)
5.2.4.3 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activestorage (indirect, 5.2.4.2 → 6.0.3.2) · Repo · Changelog
Security Advisories 🚨
🚨 Circumvention of file size limits in ActiveStorage
🚨 Circumvention of file size limits in ActiveStorage
Release Notes
6.0.3.2 (from changelog)
6.0.3.1 (from changelog)
6.0.3 (from changelog)
6.0.2.1 (from changelog)
6.0.2 (from changelog)
6.0.1 (from changelog)
6.0.0 (from changelog)
5.2.4.3 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ activesupport (indirect, 5.2.4.2 → 6.0.3.2) · Repo · Changelog
Security Advisories 🚨
🚨 Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
🚨 Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Release Notes
6.0.3.2 (from changelog)
6.0.3.1 (from changelog)
6.0.3 (from changelog)
6.0.2.1 (from changelog)
6.0.2 (from changelog)
6.0.1 (from changelog)
6.0.0 (from changelog)
5.2.4.3 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ bindex (indirect, 0.5.0 → 0.8.1) · Repo
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ ffi (indirect, 1.11.1 → 1.13.1) · Repo · Changelog
Release Notes
1.13.1 (from changelog)
1.13.0 (from changelog)
1.12.2 (from changelog)
1.12.1 (from changelog)
1.12.0 (from changelog)
1.11.3 (from changelog)
1.11.2 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ i18n (indirect, 1.8.2 → 1.8.3) · Repo · Changelog
Release Notes
1.8.3
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ loofah (indirect, 2.4.0 → 2.6.0) · Repo · Changelog
Release Notes
2.6.0 (from changelog)
2.5.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ mimemagic (indirect, 0.3.4 → 0.3.5) · Repo · Changelog
Release Notes
0.3.5 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ minitest (indirect, 5.14.0 → 5.14.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ rack (indirect, 2.2.2 → 2.2.3) · Repo · Changelog
Security Advisories 🚨
🚨 Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ railties (indirect, 5.2.4.2 → 6.0.3.2) · Repo · Changelog
Security Advisories 🚨
🚨 Possible Remote Code Execution Exploit in Rails Development Mode
Release Notes
6.0.3.2 (from changelog)
6.0.3.1 (from changelog)
6.0.3 (from changelog)
6.0.2.1 (from changelog)
6.0.2 (from changelog)
6.0.1 (from changelog)
6.0.0 (from changelog)
5.2.4.3 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ rb-fsevent (indirect, 0.10.3 → 0.10.4) · Repo
Release Notes
0.10.4
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ rb-inotify (indirect, 0.10.0 → 0.10.1) · Repo
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ sass (indirect, 3.5.1 → 3.7.4) · Repo
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ tilt (indirect, 2.0.8 → 2.0.10) · Repo · Changelog
Release Notes
2.0.10 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ tzinfo (indirect, 1.2.6 → 1.2.7) · Repo · Changelog
Release Notes
1.2.7
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ websocket-driver (indirect, 0.7.1 → 0.7.2) · Repo · Changelog
Release Notes
0.7.2 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ websocket-extensions (indirect, 0.1.4 → 0.1.5) · Repo · Changelog
Security Advisories 🚨
🚨 Regular Expression Denial of Service in websocket-extensions (RubyGem)
Release Notes
0.1.5 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
🆕 actionmailbox (added, 6.0.3.2)
🆕 actiontext (added, 6.0.3.2)
🆕 zeitwerk (added, 2.3.0)
🗑️ arel (removed)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands