gmright2 / DEFOLD_Gmright_INLINE

MIT License

🚨 [security] [Gmright/Milestones/Gmright-market/Commerce/Net_holder/Blue-sky] Update github-pages: 204 → 208 (major) #82

Open depfu[bot] opened 4 years ago

depfu[bot] commented 4 years ago

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ github-pages (204 → 208) · Repo

Release Notes

208

#716 - Train of updates containing:

#711 - Update rouge to 💎 v3.23.0
#707 - Update jekyll-redirect-from to 💎 v0.16.0
#710 - Update Jekyll-feed to 💎 v0.15.0
#712 - Update jekyll-remote-theme to 💎 v0.4.2
#713 - Update Jekyll-mentions to 💎 v1.6.0
#714 - Update jekyll-theme-hacker to 💎 v0.1.2
#715 - Update jemoji to 💎 v0.12.0

207

Bump jekyll to v3.9.0, kramdown to v2.3.0 (#704)
Also, update CI to use Ruby 2.5 and greater.

206

Bump rouge to v3.19.0 #690

205

  • Bump jekyll to v3.8.7 #689
    • Upgrade Ruby to 2.5.8
    • Upgrade rubocop-github to 0.16.0
    • Stop testing on Ruby 2.3 and 2.4

Does any of this look wrong? Please let us know.

Sorry, we couldn't find anything useful about this release.

↗️ activesupport (indirect, 5.2.4.1 → 6.0.3.3) · Repo · Changelog

Security Advisories 🚨

🚨 Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the raw: true parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:

data = cache.fetch("demo", raw: true) { untrusted_string }

Versions Affected: rails < 5.2.5, rails < 6.0.4
Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the raw option when storing untrusted user input.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.

In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling Rails.cache.fetch they are using consistent values of the raw parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.

Workarounds

It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend double-checking that all user-provided strings cached using
the raw argument conform to the expected format.

Release Notes

6.0.3.3 (from changelog)

  • No changes.

6.0.3.2 (from changelog)

  • No changes.

6.0.3.1 (from changelog)

  • [CVE-2020-8165] Deprecate Marshal.load on raw cache read in RedisCacheStore

  • [CVE-2020-8165] Avoid Marshal.load on raw cache value in MemCacheStore

6.0.3 (from changelog)

  • Array#to_sentence no longer returns a frozen string.

    Before:

    ['one', 'two'].to_sentence.frozen?
    # => true

    After:

    ['one', 'two'].to_sentence.frozen?
    # => false

    Nicolas Dular

  • Update ActiveSupport::Messages::Metadata#fresh? to work for cookies with expiry set when ActiveSupport.parse_json_times = true.

    Christian Gregg

6.0.2.1 (from changelog)

  • No changes.

6.0.2 (from changelog)

  • Eager load translations during initialization.

    Diego Plentz

  • Use per-thread CPU time clock on ActiveSupport::Notifications.

    George Claghorn

6.0.1 (from changelog)

  • ActiveSupport::SafeBuffer supports Enumerator methods.

    Shugo Maeda

  • The Redis cache store fails gracefully when the server returns a "max number of clients reached" error.

    Brandon Medenwald

  • Fixed that mutating a value returned by a memory cache store would unexpectedly change the cached value.

    Jonathan Hyman

  • The default inflectors in zeitwerk mode support overrides:

    # config/initializers/zeitwerk.rb
    Rails.autoloaders.each do |autoloader|
      autoloader.inflector.inflect(
        "html_parser" => "HTMLParser",
        "ssl_error"   => "SSLError"
      )
    end

    That way, you can tweak how individual basenames are inflected without touching Active Support inflection rules, which are global. These inflectors fallback to String#camelize, so existing inflection rules are still taken into account for non-overridden basenames.

    Please, check the autoloading guide for zeitwerk mode if you prefer not to depend on String#camelize at all.

    Xavier Noria

  • Improve Range#===, Range#include?, and Range#cover? to work with beginless (startless) and endless range targets.

    Allen Hsu, Andrew Hodgkinson

  • Don't use Process#clock_gettime(CLOCK_PROCESS_CPUTIME_ID) on Solaris

    Iain Beeston

6.0.0 (from changelog)

  • Let require_dependency in zeitwerk mode look the autoload paths up for better backwards compatibility.

    Xavier Noria

  • Let require_dependency in zeitwerk mode support arguments that respond to to_path for better backwards compatibility.

    Xavier Noria

  • Make ActiveSupport::Logger Fiber-safe. Fixes #36752.

    Use Fiber.current.__id__ in ActiveSupport::Logger#local_level= in order to make log level local to Ruby Fibers in addition to Threads.

    Example:

    logger = ActiveSupport::Logger.new(STDOUT)
    logger.level = 1
    p "Main is debug? #{logger.debug?}"

    Fiber.new {
      logger.local_level = 0
      p "Thread is debug? #{logger.debug?}"
    }.resume

    p "Main is debug? #{logger.debug?}"

    Before:

    Main is debug? false
    Thread is debug? true
    Main is debug? true

    After:

    Main is debug? false
    Thread is debug? true
    Main is debug? false

    Alexander Varnin

  • Do not delegate missing marshal_dump and _dump methods via the delegate_missing_to extension. This avoids unintentionally adding instance variables when calling Marshal.dump(object), should the delegation target of object be a method which would otherwise add them. Fixes #36522.

    Aaron Lipman

5.2.4.4 (from changelog)

  • No changes.

5.2.4.3 (from changelog)

  • [CVE-2020-8165] Deprecate Marshal.load on raw cache read in RedisCacheStore

  • [CVE-2020-8165] Avoid Marshal.load on raw cache value in MemCacheStore

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.1.6 → 1.1.7) · Repo · Changelog

Release Notes

1.1.7 (from changelog)

concurrent-ruby:

  • (#879) Consider falsy value on Concurrent::Map#compute_if_absent for fast non-blocking path
  • (#876) Reset Async queue on forking, makes Async fork-safe
  • (#856) Avoid running problematic code in RubyThreadLocalVar on MRI that occasionally results in segfault
  • (#853) Introduce ThreadPoolExecutor without a Queue

↗️ dnsruby (indirect, 1.61.3 → 1.61.4) · Repo

↗️ em-websocket (indirect, 0.5.1 → 0.5.2) · Repo · Changelog

↗️ faraday (indirect, 1.0.0 → 1.0.1) · Repo · Changelog

Release Notes

1.0.1

Fixes:

  • Use Net::HTTP#start(&block) to ensure closed TCP connections (#1117)
  • Fully qualify constants to be checked (#1122)
  • Allows parse method to be private/protected in response middleware (#1123)
  • Encode Spaces in Query Strings as '%20' Instead of '+' (#1125)
  • Limits rack to v2.0.x (#1127)
  • Adapter Registry reads also use mutex (#1136)

Documentation:

  • Retry middleware documentation fix (#1109)
  • Docs(retry): precise usage of retry-after (#1111)
  • README: Link the logo to the website (#1112)
  • Website: add search bar (#1116)
  • Fix request/response mix-up in docs text (#1132)

↗️ ffi (indirect, 1.12.2 → 1.13.1) · Repo · Changelog

Release Notes

1.13.1 (from changelog)

Changed:

  • Revert use of ucrtbase.dll as default C library on Windows-MINGW. ucrtbase.dll is still used on MSWIN target. #790
  • Test for ffi_prep_closure_loc() to make sure we can use this function. This fixes incorrect use of system libffi on MacOS Mojave (10.14). #787
  • Update types.conf on x86_64-dragonflybsd

1.13.0 (from changelog)

Added:

  • Add TruffleRuby support. Almost all specs are running on TruffleRuby and succeed. #768
  • Add ruby source files to the java gem. This allows to ship the Ruby library code per platform java gem and add it as a default gem to JRuby. #763
  • Add FFI::Platform::LONG_DOUBLE_SIZE
  • Add bounds checks for writing to an inline char[] . #756
  • Add long double as callback return value. #771
  • Update type definitions and add types from stdint.h and stddef.h on i386-windows, x86_64-windows, x86_64-darwin, x86_64-linux, arm-linux, powerpc-linux. #749
  • Add new type definitions for powerpc-openbsd and sparcv9-openbsd. #775, #778

Changed:

  • Raise required ruby version to >= 2.3.
  • Lots of cleanups and improvements in library, specs and benchmarks.
  • Fix a lot of compiler warnings at the C-extension
  • Fix several install issues on MacOS:
    • Look for libffi in SDK paths, since recent versions of macOS removed it from /usr/include . #757
    • Fix error ld: library not found for -lgcc_s.10.4
    • Don't build for i386 architecture as it is deprecated
  • Several fixes for MSVC build on Windows. #779
  • Use ucrtbase.dll as default C library on Windows instead of old msvcrt.dll. #779
  • Update builtin libffi to fix a Powerpc issue with parameters of type long
  • Allow unmodified sourcing of (the ruby code of) this gem in JRuby and TruffleRuby as a default gem. #747
  • Improve check to detect if a module has a #find_type method suitable for FFI. This fixes compatibility with stdlib mkmf . #776

Removed:

  • Reject callback with :string return type at definition, because it didn't work so far and is not safe to use. #751, #782

↗️ html-pipeline (indirect, 2.12.3 → 2.14.0) · Repo · Changelog

Release Notes

2.14.0

  • Make Rinku configurable: #335

↗️ jekyll (indirect, 3.8.5 → 3.9.0) · Repo · Changelog

Release Notes

3.9.0

Minor Enhancements

  • Allow use of kramdown v2 (#8322)
  • Add default language for kramdown syntax highlighting (#8325)

3.8.7

Fixes

  • Prevent console warnings with Ruby 2.7 (#7948)

3.8.6

Bug Fixes

  • Update log output for an invalid theme directory (#7734)
  • Memoize SiteDrop#documents to reduce allocations (#7722)
  • Excerpt handling of custom and intermediate tags (#7467)
  • Escape valid special chars in a site's path name (#7573)
  • Revert memoizing Site#docs_to_write and refactor #documents (#7689)
  • Fix broken include_relative usage in excerpt (#7690)
  • Install platform-specific gems as required (3c06609)

Security Fixes

  • Theme gems: ensure directories aren't symlinks (#7424)

↗️ jekyll-feed (indirect, 0.13.0 → 0.15.0) · Repo · Changelog

Release Notes

0.15.0

Minor Enhancements

  • Add support for drafts (#316)

0.14.0

Minor Enhancements

  • add support for categories (#153) (#233)
  • add support for tags (#264)
  • Make posts limit configurable (#314)
  • XML escape the title field of feed_meta (#306)

Bug Fixes

  • Fix feed link when post title contains HTML (#305)

Development Fixes

  • Use Dir to list source files (#309)
  • Require Ruby >=2.4.0 (#307)

↗️ jekyll-mentions (indirect, 1.5.1 → 1.6.0) · Repo · Changelog

Release Notes

1.6.0

Minor Enhancements

  • Allow configuring base URL in page front matter (#72)
  • Incorporate document data only if it has override (#73)

Development Fixes

  • ci: test against Jekyll 4.0
  • style: target Ruby 2.4
  • ignore vendor/bundle

Bug Fixes

  • Support handling body tag across multiple lines (#70)

↗️ jekyll-redirect-from (indirect, 0.15.0 → 0.16.0) · Repo · Changelog

Release Notes

0.16.0

Minor Enhancements

  • Allows generation of redirects.json to be disabled (#207)
  • Allow redirects from and for subclasses of page and document (#204)

Bug Fixes

  • Use Hash#key? instead of Hash#keys.any? (#201)

Development Fixes

  • Target Ruby 2.4
  • Stop testing with backwards-compatible site config (#211)

Documentation

  • Simplifies YAML for redirect_to (#185)

↗️ jekyll-remote-theme (indirect, 0.4.1 → 0.4.2) · Repo

Release Notes

0.4.2

Jekyll 4.0 support (#61)

↗️ jekyll-theme-hacker (indirect, 0.1.1 → 0.1.2) · Repo

Release Notes

0.1.2

  • Allow Jekyll v4
  • Return to home on click page title #47
  • Show full header h1 for smaller displays #49

↗️ jemoji (indirect, 0.11.1 → 0.12.0) · Repo · Changelog

Release Notes

0.12.0

Minor Enhancements

  • perf: don't load Gemoji into memory immediately (#106)

Development Fixes

  • deps: Ruby > 2.4 (EOL)
  • ci: test with Ruby 2.7

↗️ kramdown (indirect, 1.17.0 → 2.3.0) · Repo · Changelog

Security Advisories 🚨

🚨 Unintended read access in kramdown gem

The kramdown gem before 2.3.0 for Ruby processes the template option inside
Kramdown documents by default, which allows unintended read access (such as
template="/etc/passwd") or unintended embedded Ruby code execution (such as a
string that begins with template="string://<%= `). NOTE: kramdown is used in
Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

↗️ minitest (indirect, 5.14.0 → 5.14.2) · Repo · Changelog

Release Notes

5.14.2 (from changelog)

  • 1 bug fix:

    • Bumped ruby version to include 3.0 (trunk).

↗️ nokogiri (indirect, 1.10.9 → 1.10.10) · Repo · Changelog

Release Notes

1.10.10

1.10.10 / 2020-07-06

Features

  • [MRI] Cross-built Windows gems now support Ruby 2.7 [#2029]. Note that prior to this release, the v1.11.x prereleases provided this support.

↗️ octokit (indirect, 4.17.0 → 4.18.0) · Repo

Release Notes

4.18.0

Documentation

Preview Header Support

Bug Fixes

↗️ rb-fsevent (indirect, 0.10.3 → 0.10.4) · Repo

Release Notes

0.10.4

  • Remove bundler development dependency #85

↗️ rouge (indirect, 3.13.0 → 3.23.0) · Repo · Changelog

Release Notes

3.23.0

This release has two new lexers: one for PostScript and one for systemd unit files. There's also fixes for the Kotlin, Ruby and Rust lexers. Thanks to all the contributors who help make Rouge better. Don't forget to wear a mask!

3.22.0

This is a small release with just one update: a major rewrite of the PHP lexer. Hopefully the improved level of detail makes your PHP code look prettier but do report any issues you find with it!

3.21.0

This release has three new lexers, one for BrightScript, one for Janet and one for SSH Config. There's also fixes for the Batchfile, C++, Jinja, Perl, PowerShell, Rego, Sass, SCSS and Twig lexers. Happy highlighting!

3.20.0

We've got some new lexers again! This release includes lexers for Augeas, BibTeX, HLSL, LiveScript, Velocity and Zig. On top of that, we have fixes for the C++, Diff, Haskell, HTML, JavaScript, JSX, OpenType Feature File, PowerShell, TSX and TypeScript lexers.

I'd like to especially call out @lkinasiewicz for the LiveScript lexer. This was originally submitted back in 2017 and it's great to have it finally part of Rouge! The backlog of outstanding PRs is still too long but we are slowly making progress. As I like to say: forward, not backward; upward, not forward; and always twirling, twirling, twirling towards freedom!

3.19.0

No new lexers this release but we do have fixes for the JavaScript, Kotlin, Python, SPARQL and Turtle lexers. In addition, there have been some under the hood improvements to how keywords are generated for certain languages.

Stay safe everyone!

3.18.0

This release includes new lexers for Cypher, Datastudio, GHC Cmm, ISBL, Rego, Solidity and YANG. It also incorporates fixes for the C++, CMake, Console, F#, JSON, JSONDOC, Kotlin, Markdown, Pascal, PHP, Python, Racket, Ruby, Terraform, TypeScript and Vue lexers. Which seems like quite a lot. Enjoy!

3.17.0

This release includes the ECL lexer as a new lexer. It also incorporates fixes for the CoffeeScript, Markdown, NASM, Ruby, Scala and Varnish lexers. Enjoy your syntax highlighting! 🎉

3.16.0

This release includes one new lexer: the Varnish lexer! We also have fixes for the D, Java, Lua, NASM, Objective-C, PowerShell, Rust, Shell, TOML and TypeScript lexers.

Thank you to all the contributors who've helped make Rouge better!

3.15.0

This release includes three new lexers: FreeFEM, GHC and Objective-C++. Thanks to contributions from the community, we also have fixes for the Console, Jinja, LLVM, Python, Rust and Swift lexers. Finally, you should now be able to pass 'false' as an option after a fix to how CGI-style options are parsed.

Happy new year to everyone! We look forward to another year of Rouge 😃

3.14.0

This release includes fixes for the JSONDOC, Liquid, Magik and TOML lexers as well as the addition of the NES Assembly and Slice lexers.

If all goes according to plan, this will be the last release for 2019. Thanks to all the contributors who improved Rouge—this library wouldn't be what it is without you. See you all again in the new year!

↗️ ruby-enum (indirect, 0.7.2 → 0.8.0) · Repo · Changelog

Release Notes

0.8.0 (from changelog)

  • #22: Added Ruby::Enum#each_key and Ruby::Enum#each_value - @dblock.
  • #22: Dropped support for Ruby 2.2 - @dblock.
  • #22: Upgraded RuboCop to 0.80.1 - @dblock.

↗️ rubyzip (indirect, 2.2.0 → 2.3.0) · Repo · Changelog

Release Notes

2.3.0

  • Fix frozen string literal error #431
  • Set OutputStream.write_buffer's buffer to binmode #439
  • Upgrade rubocop and fix various linting complaints #437 #440

Tooling:

  • Add a bin/console script for development #420
  • Update rake requirement (development dependency only) to fix a security alert.

↗️ typhoeus (indirect, 1.3.1 → 1.4.0) · Repo · Changelog

Release Notes

1.4.0 (from changelog)

Full Changelog

1 feature

  • Faraday adapter exceptions namespace compatibility with Faraday v1 (@iMacTia in #616)

3 Others

↗️ tzinfo (indirect, 1.2.6 → 1.2.7) · Repo · Changelog

Release Notes

1.2.7

  • Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
  • Fixed warnings when running on Ruby 2.8. #112.

TZInfo v1.2.7 on RubyGems.org

🆕 kramdown-parser-gfm (added, 1.1.0)

🆕 rexml (added, 3.2.4)

🆕 simpleidn (added, 0.1.1)

🆕 unf (added, 0.1.4)

🆕 unf_ext (added, 0.0.7.7)

🆕 zeitwerk (added, 2.4.0)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

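
A lockfile check for the two advisories quoted in the PR above, as an added example that is not part of the original pull request or of Depfu's tooling: it parses a Gemfile.lock and flags activesupport and kramdown pins below the fixed versions the advisories state. The lockfile text is constructed from the before/after versions in the PR, and `VULNERABLE`, `locked_versions` and `audit_lockfile` are hypothetical names.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement

# Vulnerable ranges derived from the fixed versions quoted in the PR above.
# Assumption: the 6.0.3.1 fix covers the 6.0.x line, 5.2.4.3 everything older.
VULNERABLE = {
  "activesupport" => {
    advisory: "CVE-2020-8165 (raw cache unmarshalling)",
    ranges: [["< 5.2.4.3"], [">= 6.0.0.a", "< 6.0.3.1"]]
  },
  "kramdown" => {
    advisory: "kramdown template option (fixed in 2.3.0)",
    ranges: [["< 2.3.0"]]
  }
}.freeze

# Constructed lockfile excerpt using the "before" versions listed in the PR.
BEFORE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (5.2.4.1)
        concurrent-ruby (~> 1.0, >= 1.0.2)
      kramdown (1.17.0)

  PLATFORMS
    ruby
LOCK

# Same excerpt with the "after" versions this PR would pin.
AFTER_LOCK = BEFORE_LOCK.sub("(5.2.4.1)", "(6.0.3.3)").sub("(1.17.0)", "(2.3.0)")

# Returns { gem name => pinned version } from the "specs:" sections.
# Resolved gems sit at 4 spaces of indent; their dependency constraints
# sit at 6 spaces and are skipped.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
    elsif line =~ /\A\S/ || line.strip.empty?
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      # Drop a platform suffix such as "-x86_64-linux" before comparing.
      versions[m[1]] = m[2].split("-", 2).first
    end
  end
  versions
end

# Returns one finding per gem whose pinned version falls in a vulnerable range.
def audit_lockfile(lockfile_text)
  locked = locked_versions(lockfile_text)
  VULNERABLE.flat_map do |name, adv|
    next [] unless locked.key?(name)
    version = Gem::Version.new(locked[name])
    hit = adv[:ranges].any? { |r| Gem::Requirement.new(*r).satisfied_by?(version) }
    hit ? [{ gem: name, version: locked[name], advisory: adv[:advisory] }] : []
  end
end

if __FILE__ == $PROGRAM_NAME
  { "before" => BEFORE_LOCK, "after" => AFTER_LOCK }.each do |label, text|
    findings = audit_lockfile(text)
    puts "#{label}: #{findings.empty? ? 'no known-vulnerable pins' : findings.inspect}"
  end
end
```

A clean result only covers the two advisories encoded in `VULNERABLE`; the advisory's note about using consistent `raw` values when reading and writing the cache still has to be checked in application code.
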
commit-lint[bot] commented 4 years ago

Contributors

@depfu[bot]

Commit-Lint commands
You can trigger Commit-Lint actions by commenting on this PR:

  • `@Commit-Lint merge patch` will merge dependabot PR on "patch" versions (X.X.Y - Y change)
  • `@Commit-Lint merge minor` will merge dependabot PR on "minor" versions (X.Y.Y - Y change)
  • `@Commit-Lint merge major` will merge dependabot PR on "major" versions (Y.Y.Y - Y change)
  • `@Commit-Lint merge disable` will deactivate merge dependabot PR
  • `@Commit-Lint review` will approve dependabot PR
  • `@Commit-Lint stop review` will stop approve dependabot PR