🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
3.0.0
See #476 for more details and to discuss this release.
Breaking Changes
Ruby >= 3.0 and Rails >= 6.1 are now required. Lock dotenv to ~> 2.0 if you are using an outdated Ruby or Rails version. #466, #471
\n is no longer expanded into a newline in quoted strings. Use multi-line strings with real line breaks, or set DOTENV_LINEBREAK_MODE=legacy to preserve the old behavior. @nitsujri - #423
Fixed precedence when using Dotenv::Rails.overload. So now .env.development.local will overwrite .env.local, which will overwrite .env.development, which will overwrite .env. @eriklovmo - #460
The instrumentation event dotenv.load has been renamed to load.dotenv to properly make use of namespaces in ActiveSupport::Notifications. #472
Other improvements
All changes to ENV will be logged in Rails apps. #473
Fixed an issue where rake loaded development files (.env*development) for test-related tasks. #470
Add -i/--ignore option to dotenv CLI to optionally ignore missing files. @stevenharman - #463
The dotenv-rails gem is now superfluous. It's not technically deprecated yet and will continue to work, but the dotenv gem does the same thing. #468
Dotenv::Railtie has been deprecated. Use Dotenv::Rails. #468
Dotenv.overload has been replaced with overwrite. overload will still work and is not technically deprecated, but documentation refers to Dotenv.overwrite now. #469
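Two of the notes above change observable behaviour: the file precedence for Dotenv::Rails.overload, and the end of \n expansion inside double-quoted values unless DOTENV_LINEBREAK_MODE=legacy is set. The following is an added example, not dotenv's own code, that makes both rules concrete with a minimal .env parser and a loader that merges files in that order. The fixture files are constructed here, the function names are this example's, dotenv_files generalizes the documented development order to any environment name, and the parser covers only common syntax and does not reproduce every rule of the real gem (for instance how the test environment is handled).

```ruby
require "tmpdir"

# Parse one .env file into a Hash. Handles KEY=value, "export KEY=value",
# comments, single and double quotes. With linebreak_mode :default a literal
# backslash-n inside double quotes stays as two characters (dotenv 3
# behaviour); with :legacy it becomes a real newline (dotenv 2 behaviour).
def parse_dotenv(text, linebreak_mode: :default)
  text.each_line.each_with_object({}) do |line, env|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    line = line.delete_prefix("export ")
    key, value = line.split("=", 2)
    next if key.nil? || value.nil?
    key = key.strip
    value = value.strip
    if value.size >= 2 && value.start_with?('"') && value.end_with?('"')
      value = value[1..-2]
      value = value.gsub('\n', "\n") if linebreak_mode == :legacy
    elsif value.size >= 2 && value.start_with?("'") && value.end_with?("'")
      value = value[1..-2]
    else
      value = value.sub(/\s+#.*\z/, "")   # trailing comment on unquoted value
    end
    env[key] = value
  end
end

# Files from lowest to highest precedence, mirroring the order in the notes
# for Dotenv::Rails.overload (RAILS_ENV=development): later files win.
# Assumption of this example: the same shape holds for any environment name.
def dotenv_files(env_name)
  [".env", ".env.#{env_name}", ".env.local", ".env.#{env_name}.local"]
end

# Load the files present in `dir` in precedence order and return the merged
# Hash. Nothing here touches the real ENV.
def load_dotenv_dir(dir, env_name, linebreak_mode: :default)
  dotenv_files(env_name).each_with_object({}) do |name, merged|
    path = File.join(dir, name)
    next unless File.file?(path)
    merged.merge!(parse_dotenv(File.read(path), linebreak_mode: linebreak_mode))
  end
end

# Constructed fixture (not from the page): four files that all set DB_HOST,
# plus one double-quoted value containing a literal backslash-n.
def demo_precedence
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, ".env"), "DB_HOST=localhost\nMESSAGE=\"line1\\nline2\"\n")
    File.write(File.join(dir, ".env.development"), "DB_HOST=dev.internal\n")
    File.write(File.join(dir, ".env.local"), "DB_HOST=laptop\n")
    File.write(File.join(dir, ".env.development.local"), "DB_HOST=laptop-dev\n")
    {
      default: load_dotenv_dir(dir, "development"),
      legacy: load_dotenv_dir(dir, "development", linebreak_mode: :legacy)
    }
  end
end
```

Running demo_precedence shows DB_HOST resolving to the .env.development.local value, and MESSAGE keeping its two-character \n in default mode while becoming a real line break in legacy mode, which is exactly the difference an application will see after upgrading.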
5.22.2 (from changelog)
Third time’s a charm? Remember: ‘ensure’ is almost always the wrong way to go (for results… it’s great for cleaning up).
5.22.1 (from changelog)
1 bug fix:
Don’t exit non-zero if no tests ran and no filter (aka, the test file is empty). (I’m starting to think the exit 1 thing for @tenderlove was a mistake…)
5.22.0 (from changelog)
1 minor enhancement:
Added “did you mean” output if your --name filter matches nothing. (tenderlove)
2 bug fixes:
Big cleanup of test filtering. Much prettier / more functional.
Fix situation where Assertion#location can’t find the location. (pftg)
There is a possible denial of service vulnerability in the header parsing routines in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26146.
Versions Affected: All.
Not affected: None
Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1
Impact
Carefully crafted headers can cause header parsing in Rack to take longer than expected, resulting in a possible denial of service issue. Accept and Forwarded headers are impacted.
Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected.
Releases
The fixed releases are available at the normal locations.
There is a possible DoS vulnerability relating to the Range request header in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.
Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue.
Vulnerable applications will use the Rack::File middleware or the Rack::Utils.byte_ranges methods (this includes Rails applications).
Releases
The fixed releases are available at the normal locations.
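The Range advisory above is about amplification: a multipart byte-range reply built from overlapping or repeated sub-ranges can be far larger than the resource itself. The fix commit in this update is titled "Return an empty array when ranges are too large". The following is an added example, not Rack's code, of a Range parser that follows Rack's return-value convention (nil for no usable header, an empty array for unsatisfiable, otherwise the ranges) and applies that guard. MAX_RANGES, the function names and the status mapping are assumptions of this example.

```ruby
# Added example (not Rack's code): a bounded Range-header parser in the
# spirit of Rack::Utils.byte_ranges.
#
# Return values follow the Rack convention a file server relies on:
#   nil            -> no usable Range header; serve the whole resource (200)
#   []             -> unsatisfiable or abusive; answer 416
#   [r0..r1, ...]  -> satisfiable byte ranges (206)

MAX_RANGES = 16   # assumption of this example: cap on sub-ranges per request

def byte_ranges(header, size)
  return nil unless header.is_a?(String) && header.start_with?("bytes=")
  specs = header.delete_prefix("bytes=").split(",", MAX_RANGES + 1)
  return nil if specs.empty?
  return [] if specs.size > MAX_RANGES          # too many sub-ranges
  ranges = []
  specs.each do |spec|
    m = /\A(\d*)-(\d*)\z/.match(spec.strip)     # anchored, no backtracking risk
    return nil unless m                           # malformed: ignore the header
    first, last = m[1], m[2]
    if first.empty?
      return nil if last.empty?                   # "bytes=-" is malformed
      suffix = last.to_i
      next if suffix.zero?                        # "bytes=-0" selects nothing
      r0 = [size - suffix, 0].max
      r1 = size - 1
    else
      r0 = first.to_i
      r1 = last.empty? ? size - 1 : [last.to_i, size - 1].min
    end
    ranges << (r0..r1) if r0 <= r1 && r0 < size  # drop unsatisfiable parts
  end
  # Overlapping or repeated ranges let a multipart reply exceed the resource
  # itself (the DoS in the advisory); treat that as unsatisfiable.
  return [] if ranges.size > 1 && ranges.sum(&:size) > size
  ranges
end

# Map the parser result to the status a file server would send.
def range_status(header, size)
  ranges = byte_ranges(header, size)
  return 200 if ranges.nil?
  ranges.empty? ? 416 : 206
end
```

The key line is the sum check: a single header like bytes=0-,0-,0- asks for three full copies of the file, so the total requested length exceeds the size and the request gets a 416 instead of a response three times larger than the resource.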
There is a possible denial of service vulnerability in the content type parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2024-25126.
Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability.
Impacted code will use Rack’s media type parser to parse content type headers. This code will look like below:
request.media_type
## OR
request.media_type_params
## OR
Rack::MediaType.type(content_type)
Some frameworks (including Rails) call this code internally, so upgrading is recommended!
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The fixed releases are available at the normal locations.
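The header-parsing advisory (Accept and Forwarded, CVE-2024-26146) and the Content-Type advisory (CVE-2024-25126) share one root cause: a backtracking regex applied to attacker-controlled header text, which is why the fix commits read "Fixing ReDoS in header parsing" and "Avoid 2nd degree polynomial regexp in MediaType". The following is an added example, not Rack's code, serving both advisories: the same header families parsed with String#split so the cost stays linear in header length, a constructed pathological input to check that claim, and a Regexp.timeout budget as defense in depth on Ruby 3.2 and newer. The function names, the crafted input shape and the one-second budget are assumptions of this example.

```ruby
# Added example (not Rack's code): linear-time parsers for the header
# families named in the Rack advisories, built on String#split so cost grows
# linearly with header length no matter how the separators are arranged.

# Strip one layer of double quotes from a parameter value.
def unquote(value)
  v = value.to_s.strip
  v.size >= 2 && v.start_with?('"') && v.end_with?('"') ? v[1..-2] : v
end

# Turn ["k=v", " k2=v2"] into a Hash; parameter names are case-insensitive.
def parse_params(pairs)
  pairs.each_with_object({}) do |pair, params|
    key, value = pair.split("=", 2)
    key = key.to_s.strip.downcase
    params[key] = unquote(value) unless key.empty?
  end
end

# Content-Type / media type: "type/subtype; charset=utf-8" -> [type, params].
def parse_media_type(header)
  return [nil, {}] if header.nil?
  type, *raw_params = header.split(";")
  type = type.to_s.strip.downcase
  return [nil, {}] if type.empty? || !type.include?("/")
  [type, parse_params(raw_params)]
end

# Accept: "text/html, application/json;q=0.9" -> [[type, q], ...], best first.
def accept_values(header)
  return [] if header.nil?
  entries = header.split(",").filter_map do |entry|
    type, params = parse_media_type(entry)
    next unless type
    [type, params.fetch("q", "1").to_f.clamp(0.0, 1.0)]
  end
  entries.sort_by.with_index { |(_, q), i| [-q, i] }   # stable by position
end

# Forwarded (RFC 7239): "for=a;proto=https, for=b" -> [{...}, {...}].
def forwarded_values(header)
  return [] if header.nil?
  header.split(",").map { |element| parse_params(element.split(";")) }
end

# Constructed pathological input (not from the advisories): a long run of
# separators with nothing between them, the shape that makes a regex with
# nested optional whitespace groups re-scan the header quadratically.
def crafted_header(n)
  "text/html" + (" ;" * n) + "q"
end

# True when both parsers finish inside the time budget (seconds).
def parses_within?(header, budget = 1.0)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  parse_media_type(header)
  accept_values(header)
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0 < budget
end

# Defense in depth on Ruby >= 3.2: a global backtracking budget so any regex
# still in the app raises Regexp::TimeoutError instead of pinning a worker.
# Returns false on older Rubies where the setting does not exist.
def install_regexp_budget!(seconds = 1.0)
  return false unless Regexp.respond_to?(:timeout=)
  Regexp.timeout = seconds if Regexp.timeout.nil?
  true
end
```

The timing helper is the practical check: feed crafted_header with a few hundred thousand separators to both the split-based parser and, if you want a comparison, to whatever regex your own middleware uses. The Regexp.timeout budget does not fix a quadratic pattern, it only bounds the damage, which is the mitigation the first advisory refers to when it says Ruby 3.2 applications are unaffected.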
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
What changed?
✳️ dotenv-rails (2.8.1 → 3.1.0) · Repo · Changelog
Release Notes
3.1.0
3.0.3
3.0.2
3.0.1
3.0.0
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ bigdecimal (indirect, 3.1.5 → 3.1.6) · Repo · Changelog
Release Notes
3.1.6
Commits
See the full diff on Github. The new version differs by 14 commits:
Bump up version to 3.1.6
Merge pull request #284 from ruby/drop-2-5-related-code
Merge pull request #282 from oleksii-leonov/patch-1
Refine test code related unsupported Ruby version
Add LICENSE file to gem files
Merge pull request #283 from ruby/fix-test-bundled-gems-3-4
Don't use : for Windows platforms
BigDecimal.allocate is obsoleted too
BigDecimal() is obsoleted today. We shouldn't test it
We need to care assert_no_memory_leak too
Simplified LOAD_PATH delegation for assert_in_out_err
Support ruby/bigdecimal repository cases
Added current directory to LOAD_PATH of assert_in_out_err for test-bundled-gems at ruby/ruby
Correctly computing loop iterations in `BigDecimal#sqrt` (#280)
↗️ dotenv (indirect, 2.8.1 → 3.1.0) · Repo · Changelog
Release Notes
3.1.0
3.0.3
3.0.2
3.0.1
3.0.0
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ io-console (indirect, 0.7.1 → 0.7.2) · Repo
Release Notes
0.7.2
Commits
See the full diff on Github. The new version differs by 20 commits:
Bump up version to 0.7.2
Re-omit this kwarg check failing in CI
Cursor operations depend only on raw and syswrite
Improve stty console logic
Only warn about stty when VERBOSE
Use stty on MacOS arm64
Raise ENOTTY when not a tty
Expand strict keywords to other forms of raw
Set console to nil if stdin/out are not tty
Strict keywords on console#raw
Move IO.console def to common code
Only warn when using Linux arch is untested
`IO_CONSOLE_VERSION` is no longer a macro
Define IO::ConsoleMode::VERSION from console.c
Provide a 'Changelog' link on rubygems.org/gems/io-console
Bump actions/upload-artifact from 3 to 4
bump up to 0.7.2.dev.1
[DOC] Add missing documents
Add RDoc coverage task
Extract CSI sequence
↗️ irb (indirect, 1.11.1 → 1.11.2) · Repo
Release Notes
1.11.2
Commits
See the full diff on Github. The new version differs by 26 commits:
Bump version to v1.11.2 (#865)
Polish tracer integration and tests (#864)
Fix usage of tracer gem and add tests (#857)
Bump actions/checkout from 3 to 4
Remove unused variable
Consume the warning for non-existent history path
Require pathname (#860)
Add a warning for when the history path doesn't exist (#852)
Add rubocop with a few basic styling rules (#849)
Reset history counter even when @loaded_history_lines is not defined (#853)
Skip re-setup when creating a child session (#850)
Omit 2 encoding error related tests for TruffleRuby (#854)
Fix undef and alias indent (#838)
Try to use irb instead of rubygems for completion test
Reword history file documentation and fix typo (#842)
diabled ==> disabled
Synatx ==> Syntax
assigment ==> assignment
yamatanarroroti ==> yamatanooroti
reseting ==> resetting
configuation ==> configuration
recever ==> receiver
inifinity ==> infinity
overrided ==> overridden
Forward-port ruby-core changes (#841)
Fix documentation typo, `niL` -> `nil`
↗️ minitest (indirect, 5.21.2 → 5.22.2) · Repo · Changelog
Release Notes
5.22.2 (from changelog)
5.22.1 (from changelog)
5.22.0 (from changelog)
Commits
See the full diff on Github. The new version differs by 8 commits:
prepped for release
- Third time's a charm? Remember: 'ensure' is almost always the wrong way to go.
prepped for release
- Don't exit non-zero if no tests ran and no filter (aka, the test file is empty).
prepped for release
+ Added "did you mean" output if your --name filter matches nothing. (tenderlove)
- Big cleanup of test filtering. Much prettier / more functional.
- Fix situation where Assertion#location can't find the location. (pftg)
↗️ rack (indirect, 2.2.8 → 2.2.8.1) · Repo · Changelog
Security Advisories 🚨
🚨 Possible Denial of Service Vulnerability in Rack Header Parsing
🚨 Possible DoS Vulnerability with Range Header in Rack
🚨 Denial of Service Vulnerability in Rack Content-Type Parsing
Release Notes
2.2.8.1
Commits
See the full diff on Github. The new version differs by 4 commits:
bump version
Avoid 2nd degree polynomial regexp in MediaType
Return an empty array when ranges are too large
Fixing ReDoS in header parsing
↗️ reline (indirect, 0.4.2 → 0.4.3) · Repo
Release Notes
0.4.3
Commits
See the full diff on Github. The new version differs by 5 commits:
Bump version to v0.4.3 (#642)
Use gray and white as the default dialog theme (#637)
Do not include a backtick in error messages and backtraces (#640)
C for vi mode (#472)
Add metadata for rubygems.org (#638)
↗️ thor (indirect, 1.3.0 → 1.3.1) · Repo · Changelog
Release Notes
1.3.1
Commits
See the full diff on Github. The new version differs by 21 commits:
Prepare for 1.3.1
Merge pull request #876 from andrewn617/improve-boolean-parse-documentation
Fix test on Ruby head
Merge pull request #873 from viktorianer/fix-uncomment-lines-space-which-existed-before-the-comment-hash
Merge pull request #872 from ancao90/fix-documentation
Improve the code documentation with indentation (#863)
Merge pull request #871 from m-nakamura145/update-checkout-action
Merge pull request #869 from amatsuda/bundler_24_warnings
Update .github/workflows/tests.yml
Merge pull request #867 from p8/refactor/remove-string-encode-conditional
Merge pull request #866 from m-nakamura145/update-ci-matrix
Merge pull request #865 from takmar/fix-typo
Document the '--skip-' option for boolean options.
Fix uncomment_lines method to preserve indentation correctly
fix documentation of action `copy_file`
Bump actions/checkout
Avoid loading bundler 2.4.22 that vendorizes thor 1.3.0
Fix typo
Remove String#encode conditional required by Ruby < 2.6
Add Ruby 3.3 to CI matrix
Simply dump strings to escape
↗️ zeitwerk (indirect, 2.6.12 → 2.6.13) · Repo · Changelog
Release Notes
2.6.13 (from changelog)
Commits
See the full diff on Github. The new version differs by 13 commits:
Ready for 2.6.13
Document null inflector and case-insensitive file systems
Add test coverage for symlinks and for_gem
Merge pull request #286 from m-nakamura145/update-actions-checkout
Bump actions/checkout
Revise the conceptual translation of for_gem
Delete comment in Kernel#require decoration
Merge pull request #279 from stevenharman/typo_and_doc_tweeks
Fix small typo & clarify some grammar in the docs
Merge pull request #278 from m-nakamura145/update-ci-matrix
Add Ruby 3.3 to CI matrix
Revise docs re the null inflector and Rails
Provide a null inflector