🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Sidekiq Pro users will now see a Pause button next to each queue in
the Web UI, allowing them to pause queues manually [#4374, shayonj]
Fix Sidekiq::Workers API unintentional change in 6.0.2 [#4387]
6.0.3 (from changelog)
Fix Sidekiq::Client.push_bulk API which was erroneously putting
invalid at values in the job payloads [#4321]
6.0.2 (from changelog)
Fix Sidekiq Enterprise's rolling restart functionality, broken by refactoring in 6.0.0. [#4334]
More internal refactoring and performance tuning [fatkodima]
6.0.1 (from changelog)
Performance tuning, Sidekiq should be 10-15% faster now [#4303, 4299,
4269, fatkodima]
Dark Mode support in Web UI (further design polish welcome!) [#4227, mperham,
fatkodima, silent-e]
Job-specific log levels, allowing you to turn on debugging for
problematic workers. [fatkodima, #4287]
MyWorker.set(log_level::debug).perform_async(...)
Ad-hoc job tags. You can tag your jobs with, e.g, subdomain, tenant, country,
locale, application, version, user/client, "alpha/beta/pro/ent", types of jobs,
teams/people responsible for jobs, additional metadata, etc.
Tags are shown on different pages with job listings. Sidekiq Pro users
can filter based on them [fatkodima, #4280]
classMyWorkerincludeSidekiq::Worker
sidekiq_options tags: ['bank-ops', 'alpha']
...
end
Fetch scheduled jobs in batches before pushing into specific queues.
This will decrease enqueueing time of scheduled jobs by a third. [fatkodima, #4273]
ScheduledSet with 10,000 jobs
Before: 56.6 seconds
After: 39.2 seconds
Compress error backtraces before pushing into Redis, if you are
storing error backtraces, this will halve the size of your RetrySet
in Redis [fatkodima, #4272]
RetrySet with 100,000 jobs
Before: 261 MB
After: 129 MB
Support display of ActiveJob 6.0 payloads in the Web UI [#4263]
Add SortedSet#scan for pattern based scanning. For large sets this API will be MUCH faster
than standard iteration using each. [fatkodima, #4262]
Sidekiq::DeadSet.new.scan("UnreliableApi") do |job|
job.retry
end
Dramatically speed up SortedSet#find_job(jid) by using Redis's ZSCAN
support, approx 10x faster. [fatkodima, #4259]
Easier way to test enqueuing specific ActionMailer and ActiveRecord delayed jobs. Instead of manually
parsing embedded class, you can now test by fetching jobs for specific classes. [fatkodima, #4292]
It is possible to forge a secure or host-only cookie prefix in Rack using
an arbitrary cookie write by using URL encoding (percent-encoding) on the
name of the cookie. This could result in an application that is dependent on
this prefix to determine if a cookie is safe to process being manipulated
into processing an insecure or cross-origin request.
This vulnerability has been assigned the CVE identifier CVE-2020-8184.
Versions Affected: rack < 2.2.3, rack < 2.1.4
Not affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process
Fixed Versions: rack >= 2.2.3, rack >= 2.1.4
Impact
An attacker may be able to trick a vulnerable application into processing an
insecure (non-SSL) or cross-origin request if they can gain the ability to write
arbitrary cookies that are sent to the application.
Workarounds
If your application is impacted but you cannot upgrade to the released versions or apply
the provided patch, this issue can be temporarily addressed by adding the following workaround:
module Rack
module Utils
module_function def parse_cookies_header(header)
return {} unless header
header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
next if cookie.empty?
key, value = cookie.split('=', 2)
cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
end
end
end
end
Fix exists? returning an actual boolean when called with multiple keys. See #918.
Setting Redis.exists_returns_integer = false disables warning message about new behaviour. See #920.
4.2.0 (from changelog)
Convert commands to accept keyword arguments rather than option hashes. This both help catching typos, and reduce needless allocations.
Deprecate the synchrony driver. It will be removed in 5.0 and hopefully maintained as a separate gem. See #915.
Make Redis#exists variadic, will return an Integer if called with multiple keys.
Add Redis#exists? to get a Boolean if any of the keys exists.
Redis#exists when called with a single key will warn that future versions will return an Integer.
Set Redis.exists_returns_integer = true to opt-in to the new behavior.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ sidekiq (6.0.0 → 6.1.1) · Repo · Changelog
Release Notes
6.1.1 (from changelog)
6.1.0 (from changelog)
6.0.7 (from changelog)
6.0.6 (from changelog)
6.0.5 (from changelog)
6.0.4 (from changelog)
6.0.3 (from changelog)
6.0.2 (from changelog)
6.0.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ connection_pool (indirect, 2.2.2 → 2.2.3) · Repo · Changelog
Release Notes
2.2.3 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 30 commits:
Rejigger to remove errors.rb
Integrate standard gem, code formatting fixes, no functional changes
Move wrapper into separate file
Rejigger exceptions, fixes #130
CI: Use openjdk11
CI: refer to JRuby using rvm alias
CI: Run latest JRuby release
README: Use API Redis.new in example
Removed explicitly declaration of thread library.
Add ruby 2.7 to CI
CI: Use 2.6, 2.5, 2.4, jruby-9.2.8.0
CI: Use latest patch versions of Rubies
CI: Drop unused sudo: false directive
mperham/connection_pool#113 expose pool from Wrapper (#114)
bump jruby
Interrupt timing is implementation-specific (#112)
fix jruby
doc failure
changes, cleanup
merge
freshen up ruby matrix
remove old jruby hacks, cleanup code
Remove monotonic clock hacks
Remove wrapper for monotonic time (#109)
Don't let threads die from exceptions in tests
Stricter casting of connection pool size
Ensure size is integer
polish
add stats to README
bump
↗️ rack (indirect, 2.2.2 → 2.2.3) · Repo · Changelog
Security Advisories 🚨
🚨 Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Commits
See the full diff on Github. The new version differs by 2 commits:
bump version
When parsing cookies, only decode the values
↗️ redis (indirect, 4.1.2 → 4.2.1) · Repo · Changelog
Release Notes
4.2.1 (from changelog)
4.2.0 (from changelog)
4.1.4 (from changelog)
4.1.3 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
🗑️ rack-protection (removed)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase
.All Depfu comment commands