🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Current Omniauth security policy maintains v2.0 and v2.1 channels for security releases, and security patches should not be typically expected for the v1.9 channel.
#538: Dropped testing for JRuby 9.0, though not support - @michaelherold.
Fixed
#516: Fixed NoMethodError raised when including Hashie::Extensions::Mash::SymbolizeKeys and Hashie::Extensions::SymbolizeKeys in mashes/hashes with non string or symbol keys - @carolineartz.
There is a possible denial of service vulnerability in the multipart parsing
component of Rack. This vulnerability has been assigned the CVE identifier
CVE-2022-30122.
Carefully crafted multipart POST requests can cause Rack's multipart parser to
take much longer than expected, leading to a possible denial of service
vulnerability.
Impacted code will use Rack's multipart parser to parse multipart posts. This
includes directly using the multipart parser like this:
params = Rack::Multipart.parse_multipart(env)
But it also includes reading POST data from a Rack request object like this:
p request.POST # read POST data
p request.params # reads both query params and POST data
All users running an affected release should either upgrade or use one of the
workarounds immediately.
There is a possible shell escape sequence injection vulnerability in the Lint
and CommonLogger components of Rack. This vulnerability has been assigned the
CVE identifier CVE-2022-30123.
Versions Affected: All.
Not affected: None
Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1
Impact
Carefully crafted requests can cause shell escape sequences to be written to
the terminal via Rack's Lint middleware and CommonLogger middleware. These
escape sequences can be leveraged to possibly execute commands in the victim's
terminal.
Impacted applications will have either of these middleware installed, and
vulnerable apps may have something like this:
use Rack::Lint
Or
use Rack::CommonLogger
All users running an affected release should either upgrade or use one of the
workarounds immediately.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗️ omniauth (indirect, 1.9.1 → 1.9.2) · Repo
Security Advisories 🚨
🚨 OmniAuth's `lib/omniauth/failure_endpoint.rb` does not escape `message_key` value
Release Notes
1.9.2
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 1 commit:
Do not use postentially harmful error message in redirect
↗️ hashie (indirect, 4.1.0 → 5.0.0) · Repo · Changelog
Release Notes
5.0.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 61 commits:
Preparing for release, 5.0.0.
Merge pull request #555 from dblock/ruby-3.0
Test with Ruby 3.0.
Merge pull request #554 from dblock/michaelherold-dash-nil-keys
Merge branch 'dash-nil-keys' of https://github.com/michaelherold/hashie into michaelherold-dash-nil-keys
Merge pull request #545 from jackjennings/master
Use ruby/setup-ruby and reset fetch depth.
Fix: lock elasticsearch version in integration specs.
Merge pull request #547 from danwa5/issue-546-trash-properties
Add #except under Ruby 3
Fix CHANGELOG formatting
Merge pull request #543 from hashie/create-github-action
Track Omniauth official releases
Add integration tests to CI harness
Lint the CI configuration and update badge
Remove mention and configuration of CodeClimate
Fixed issue where a source hash key can be used in translating multiple properties
Remove travis.yml
Create initial action
Merge pull request #541 from amatsuda/uninclude_pretty_inspect
Hashie::Mash already includes Hashie::Extensions::PrettyInspect via Hashie::Hash
Merge pull request #537 from michaelherold/dash-consistency
Merge pull request #539 from anakinj/run-27-ci-only-once
Merge pull request #538 from michaelherold/drop-testing-for-old-rubies
Drop testing for unsupported Rubies
Drop jruby-9.0.5.0 from build matrix
Run 2.7 tests once
Fix inconsistencies with Dash defaults
Merge pull request #536 from michaelherold/export-normal-hash-from-indifferent
Allow exporting a normal, not-indifferent Hash
Ensure all properties are set on exported Dash
Expose `IndifferentAccess` conversion internally
Fix an imprecise spec for `Dash#replace`
Merge pull request #534 from voke/patch-1
Fix typo in README for PredefinedValues
Merge pull request #533 from gnomex/fix-json-specs-error
require json at spec_helper to fix #532
Add hash slice using IndifferentAccess.
Merge pull request #530 from caalberts/dash-allowed-values
Add Hashie::Extensions::Dash::AllowList
Merge pull request #527 from dblock/copyright-2020
Updated Copyright to (c) 2009-2020 Intridea, Inc., and Contributors.
Merge pull request #525 from yogeshjain999/indifferent-convert-change
Small amendments for Hash#merge with IndifferentAccess
Merge pull request #524 from aried3r/patch-2
Set fast_finish: true
Run danger, integration with Ruby 2.7
Rest with TruffleRuby, allow failure
Try testing JRuby 9.0 on xenial
Add changelog entry
Test with JRuby 9.2
Test with Ruby 2.7
Merge pull request #523 from dblock/danger-toc
Added TOC and upgraded danger-changelog to verify the keep-a-changelog formatted CHANGELOG.
Hashie mascot (#522)
Changes to `Mash` initialization key string conversion. (#521)
Elasticsearch integration spec fix (#520)
Merge pull request #517 from aried3r/patch-1
Correct link to PR in CHANGELOG.md
Remove text I missed during release
Preparing for next development iteration, 4.1.1.
↗️ rack (indirect, 2.2.3 → 2.2.4) · Repo · Changelog
Security Advisories 🚨
🚨 Denial of Service Vulnerability in Rack Multipart Parsing
🚨 Possible shell escape sequence injection vulnerability in Rack
Commits
See the full diff on Github. The new version differs by 18 commits:
fixup changelog
bump version
Better handling of case-insensitive headers for `Rack::Etag` middleware. (#1919)
Add 'custom exception on params too deep error' change to CHANGELOG. (#1914)
Expect additional optional version segment in version test. (#1913)
Merge branch '2-2-sec' into 2-2-stable
update changelog
bump version
Escape untrusted text when logging
Restrict broken mime parsing
Ensure Rack::QueryParser::ParamsTooDeepError is inherited from RangeError. (#1864)
Add Ruby 2.3 compatibility for tests, add Ruby 2.3 to CI. (#1863)
Merge pull request #1839 from RubyElders/2-2-stable-ci
Replace CircleCI with GitHub Actions.
Newer rubies spec compatibility.
Merge pull request #1838 from RubyElders/custom-range-exception-2-2
Use custom exception on params too deep error.
Don't ary.inspect in the lint assertions (backport) (#1765)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase
.All Depfu comment commands