⚠️ [fixing yanked version] 🚨 [security] [Gmright/Milestones/Gmright-market/Commerce/Net_holder/Blue-sky] Update octokit: 4.17.0 → 4.25.1 (minor)

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

⚠️ You are using a yanked version of octokit ⚠️

We're getting an error that the version of octokit you're currently using is no longer installable, it most likely has been yanked. That means your deployment, CI build and local development setup are broken until you update octokit to a different version.

We recommend to merge this update as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ octokit (indirect, 4.17.0 → 4.25.1) · Repo · Changelog

Security Advisories 🚨

🚨 Octokit gem published with world-writable files

Impact

Versions 4.23.0
and 4.24.0 of the octokit gem
were published containing world-writeable files.

Specifically, the gem was packed
with files having their permissions set to -rw-rw-rw- (i.e. 0666) instead of rw-r--r--
(i.e. 0644). This means everyone who is not the owner (Group and Public) with access
to the instance where this release had been installed could modify the world-writable
files from this gem.

Malicious code already present and running on your machine,
separate from this package, could modify the gem’s files and change its behavior
during runtime.

Patches

octokit 4.25.0

Workarounds

Users can use the previous version of the gem v4.22.0.
Alternatively, users can modify the file permissions manually until they are able
to upgrade to the latest version.

Release Notes

4.25.1

Stop configuring Faraday's retry middleware twice (@Edouard-chin)

Fix various Ruby warnings (e.g. missing parentheses) (@coryf)

4.25.0

✅ NOTE: This remediates A security advisory was published on versions 4.23.0 and 4.24.0 of this gem. You can read more about this in the published security advisory. ✅

DX Improvements

Rubocop improvements by @timrogers in #1441

Require multi-factor authentication to push new releases to RubyGems by @timrogers in #1443

CI Improvements

Updates all build scripts to be more durable and adds details on how to run a manual file integrity check by @nickfloyd in #1446

Housekeeping

Drop support for Ruby 1.9.2 in Octokit::Client::Contents#create_contents by @timrogers in #1442

Full Changelog: v4.24.0...v4.25.0

4.24.0

Known issues

Note: This release fixes the issue around autoloading modules causing some modules to not load before use #1428

Code improvements

#1354, #1426 Enabling Ruby's immutable ("frozen") string literals i.e. --enable-frozen-string-literal via @timrogers and @olleolleolle

CI Improvements

Adds Code QL analysis to octokit.rb via @nickfloyd

Bug fixes

#1428 Fixes module loading issue with autoloading (this reverts #1351 ) - more information here via @collinsauve. @waiting-for-dev, @etiennebarrie, @timrogers, and @nickfloyd

Full Changelog: v4.23.0...v4.24.0

4.23.0

Code improvements

#1382 Correctly raise Octokit::TooManyRequests when hitting secondary rate limit via @jasonopslevel

#1411 Adds support for Faraday v2 usage via @skryukov

CI Improvements

#1395 Adds Ruby 3.1 to CI via @petergoldstein

Performance improvements

#1351 Make clients autoload via @gmcgibbon

Bug fixes

#1297 Escape label names with URL characters via @Fryguy

#1375 Escape ref in archive_link via @max611

#1117 & #1419 Ensures that any nil parameters being passed in will initialize with Octokit's defaults instead of nil via @akerl, @nickfloyd

#1321 & #1415 Fixed total_count calculation when paginating results for check runs and check suites via @a2ikm, @matiasalbarello

#1121 Fixes service status methods via @vierarb

Documentation

#1414 replace git.io link in source docs via @wonda-tea-coffee

#1412 Document how and when the SDK raises exceptions via @timrogers

#1356 Fixes grammar and style via @nikoandpiko

Full Changelog: v4.22.0...v4.23.0

4.22.0

Deprecation Fix

#1359 Fix Faraday deprecation warning @ybiquitous

Code Improvements

#1336 Update regex for create ref @thepwagner

#1350 Support pagination in compare api @mrpinsky

CI and dependency updates

#1353 Add Ruby 3.0 support for CI builds @olleolleolle

#1387 Update pry-byebug requirement @ashishkeshan

Documentation

#1376 Update example README code with token filtering @bencolon

#1381 Update organization migration documentation links @rzhade3

4.21.0

API Support

#1319 Add delete workflow run support @szemek

#1322 Add match refs support @AHaymond

#1329 Add rename branch support @gmcgibbon

#1332 Add billing actions support @M-Yamashita01

Error handling

#1324 Handle path diff too large errors @yykamei

Code clean up

#1326 Remove graduated preview headers @ivailop

Documentation

#1314 Update authentication usage @curquiza

#1317 Fix logo link @gjtorikian

#1318 Fix GitHub typo @bl-ue

4.20.0

API Support

#1304 Added the ability to delete a deployment @jer-k

#1308 Add repo vulnerability alerts related functionality for repositories @calvinhughes

Bug fixes

#1309 Paginate outside_collaborators calls @sds

#1316 Uses of FaradayMiddleware#on_complete should not be private @tarebyte

Code improvements

#1131 Add CommitIsNotPartOfPullRequest error @wata727

#1303 Remove integrations preview header @MichaelViveros

#1307 Raise Octokit::InstallationSuspended when another error is received @yykamei

Documentation

#1302 Add documentation on how to specify the ref option for RubyDoc @aomathwift

#1311 Fix Code of Conduct link in Table of Contents @eduardoj

4.19.0

Code Improvements

#1223 Ensure a boolean is returned for application_authenticated @zakallen

#1255 Update api paths in the organization api to take ids @hmharvey

#1260 Fix last_response behavior after failures @JackTLi

#1253 Ensure adapters set SSL options properly @tjwallace

#1270 Add context around rate limit errors @jatindhankhar

API Support

#1252 Introduces support for the ActionWorkflow and ActionWorkflowRun APIs @petar-lazarov

#1236 Support for ActionsSecrets API @jylitalo

#1266 Support for get the authenticated app @kitop

#1281 Support for create a workflow dispatch event @igfoo

#1286 Support installation suspended failures @stmllr

#1288 Support for user migration endpoints @stmllr

Documentation

#1248 Fix documentation link for update a repository @spier

#1269 Update some documentation param names @tarebyte

#1276 Remove dangling phrase in CONTRIBUTING.md @igfoo

#1278 Link related doc in CONTRIBUTING.md @igfoo

#1279 Fix script typo in README.md @igfoo

#1291 Fix typo in authorizations comments @ohbarye

CI and dependency updates

#1206 Increased CI coverage @MSP-Greg

#1243 Add Ruby 2.7 CI support @ybiquitous

#1244 Removed coveralls dependency @hmharvey

#1263 Remove duplicated CI coverage @hmharvey

#1264 Keep running CI on PRs @hmharvey

4.18.0

Documentation

#1200 Fix an API link in the Search client @NickLaMuro

Preview Header Support

#1183 Enable issue events API to return project events @gammons

#1203 Update deprecated application API to new preview @oreoshake

Bug Fixes

#1201 Fix random test failures @MSP-Greg

#1218 Fix incorrect URLs for the Authorizations client @tarebyte

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ addressable (indirect, 2.7.0 → 2.8.0) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service in Addressable templates

Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption,
leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input,
but nonetheless, no previous security advisory for Addressable has cautioned against doing this.
Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.

Release Notes

2.8.0 (from changelog)

fixes ReDoS vulnerability in Addressable::Template#match

no longer replaces + with spaces in queries for non-http(s) schemes

fixed encoding ipv6 literals

the :compacted flag for normalized_query now dedupes parameters

fix broken escape_component alias

dropping support for Ruby 2.0 and 2.1

adding Ruby 3.0 compatibility for development tasks

drop support for rack-mount and remove Addressable::Template#generate

performance improvements

switch CI/CD to GitHub Actions

Does any of this look wrong? Please let us know.

↗️ faraday (indirect, 1.0.0 → 2.3.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sawyer (indirect, 0.8.2 → 0.9.2) · Repo

Release Notes

0.9.1

What's Changed

Specify correct minimal Faraday version by @skryukov in #73

New Contributors

@skryukov made their first contribution in #73

Full Changelog: v0.9.0...v0.9.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

🆕 faraday-net_http (added, 2.0.3)

🆕 ruby2_keywords (added, 0.0.5)

🗑️ multipart-post (removed)

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@depfu rebase
Rebases against your default branch and redoes this update

@depfu recreate
Recreates this PR, overwriting any edits that you've made to it

@depfu merge
Merges this PR once your tests are passing and conflicts are resolved

@depfu close
Closes this PR and deletes the branch

@depfu reopen
Restores the branch and reopens this PR (if it's closed)

@depfu pause
Ignores all future updates for this dependency and closes this PR

@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR

@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

gmright2 / DEFOLD_Gmright_INLINE