nodunayo / speakerline

Showcasing speakers' proposals and timelines in an effort to demystify the CFP process and help new speakers get started.
http://speakerline.io
MIT License

🚨 [security] Update rspec-rails 6.1.1 → 6.1.2 (patch) #556

Closed depfu[bot] closed 4 months ago

depfu[bot] commented 6 months ago

👉 This PR is queued up to get rebased by Depfu


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rspec-rails (6.1.1 → 6.1.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ bigdecimal (indirect, 3.1.5 → 3.1.7) · Repo · Changelog

Release Notes

3.1.7

What's Changed

  • Use macos-arm-oss and latest versions for test and benchmark CI by @hsbt in #285
  • Support Ruby 3.4's new error message format by @mame in #286
  • Rename rake spec with rake test in documentation by @rhannequin in #287

New Contributors

Full Changelog: v3.1.6...v3.1.7

3.1.6

What's Changed

  • Correctly computing loop iterations in BigDecimal#sqrt by @z2-2z in #280
  • Workaround for test-bundled-gems at ruby/ruby repo by @hsbt in #283
  • Add LICENSE file to gem files by @oleksii-leonov in #282
  • Refine test code related unsupported Ruby version by @hsbt in #284

New Contributors

Full Changelog: v3.1.5...v3.1.6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ diff-lcs (indirect, 1.5.0 → 1.5.1) · Repo · Changelog

Release Notes

1.5.1 (from changelog)

  • Peter Goldstein updated CI configuration to add Ruby 3.1 and Masato Nakamura added Ruby 3.2 and 3.3. #82, #89

  • Updated the CI configuration, resolving #82 to add Ruby 3.1. Masato

  • Switched to standard ruby formatting.

  • Justin Steele converted the licence file to Markdown. #84

  • Updated the gem SPDX identifier for GPL 2.0 or later, resolving #86 by Vit Ondruch.

  • Resolve a potential security issue with ldiff in its use of IO.read instead of File.read. #91

  • Added MFA authentication requirement for release to RubyGems. #90

  • Added dependabot management for actions and gems. #90

  • Updated CodeQL configuration. #90


↗️ drb (indirect, 2.2.0 → 2.2.1) · Repo

Release Notes

2.2.1

What's Changed

  • Use a single quote instead of a backtick as an open quote by @mame in #25
  • Drop dependency on ruby2_keywords by @Earlopain in #27
  • Fix warnings during test runs by @Earlopain in #26

New Contributors

Full Changelog: v2.2.0...v2.2.1


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 1.14.1 → 1.14.4) · Repo · Changelog

Release Notes

1.14.4

What's Changed

Note: the racc dependency will be coming back in Version 2.

  • undo strict racc dependency on this branch by @radar in #687

Full Changelog: v1.14.3...v1.14.4

1.14.3

What's Changed

  • Pass options along to exists? super calls by @radar in #671
  • Improve TOKENIZER by 23% by @kbrock in #668
  • Regex part deux - INTERPOLATION_SYNTAX by @kbrock in #669
  • Raise when translated entry contains interpolations for reserved keywords and no substitutions provided by @fatkodima in #678
  • Implement Fallbacks#inspect and Fallbacks#empty? by @fatkodima in #683

Upkeep

New Contributors

Full Changelog: v1.14.1...v1.14.3


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ io-console (indirect, 0.7.1 → 0.7.2) · Repo

Release Notes

0.7.2

What's Changed

New Contributors

Full Changelog: v0.7.1...v0.7.2


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ irb (indirect, 1.11.1 → 1.12.0) · Repo

Release Notes

1.12.0

Highlights

  • The help command now displays a help message directly, instead of opening a ri console.
  • You can now get detailed usage information for specific commands by using help <cmd>. Commands that currently support detailed help messages include:
    • show_source
    • show_doc
    • edit
    • ls
    • We welcome contributions to expand this list!
  • The show_source command can now display methods defined during the IRB session.
  • In irb:rdbg sessions, simply hitting <enter> will now repeat the last command, mirroring the behavior in rdbg sessions.
  • IRB now supports loading .irbrc from multiple locations. This means that for most users, ~/.irbrc will also be loaded when a project/.irbrc is defined.

What's Changed

✨ Enhancements

  • Introduce exit! command by @ignacio-chiazzo in #851
  • Powerup show_source by enabling RubyVM.keep_script_lines by @tompng in #862
  • Repurpose the help command to display the help message by @st0012 in #872
  • Support repeating debugger input by passing empty input to it by @st0012 in #856
  • Revamp help command by @st0012 in #877
  • Add help messages to show_source and show_doc commands by @st0012 in #887
  • Restructure workspace management by @st0012 in #888
  • Allow loading multiple irb files by @hahmed in #859

🐛 Bug Fixes

  • Fix SourceFinder's constant evaluation issue by @st0012 in #869
  • Improve constant lookup in SourceFinder by @tompng in #871
  • Fix irb:rdbg for ruby head by @st0012 in #876

🛠 Other Changes

  • Polish the exit! command and its tests by @st0012 in #867
  • Fix exit! command warning and method behavior by @tompng in #868
  • Refactor eval_path and SourceFinder::Source by @st0012 in #870
  • Update error message assertions for Ruby 3.4 by @st0012 in #874
  • Standardize command related names by @st0012 in #873
  • Load RubyGems explicitly for tests of test/irb by @hsbt in #879
  • Invalid encoding symbols now raise SyntaxError in 3.4 by @nobu in #880
  • Remove IRB::NotImplementedError by @tompng in #878
  • Unroll extension method generation by @st0012 in #882
  • Turn on frozen literal in files by @st0012 in #881
  • Remove remaining frozen_string_literal: false in lib/ by @tompng in #883
  • Remove workaround for empty lines in dynamic_prompt by @tompng in #884
  • Remove useless loaded file check by @tompng in #885
  • Refactor IRB::Context#prompting by @st0012 in #889
  • Escape closing square brackets in regexp by @peterzhu2118 in #892
  • Prevent irb_history's creation during HistoryTest by @st0012 in #893
  • Clear temporary directories by @nobu in #894
  • Bump version to v1.12.0 by @st0012 in #895

New Contributors

Full Changelog: v1.11.2...v1.12.0

1.11.2

What's Changed

🐛 Bug Fixes

🛠 Other Changes

New Contributors

Full Changelog: v1.11.1...v1.11.2


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.21.2 → 5.22.3) · Repo · Changelog

Release Notes

5.22.2 (from changelog)

  • 1 bug fix:

    • Third time’s a charm? Remember: ‘ensure’ is almost always the wrong way to go (for results… it’s great for cleaning up).

5.22.1 (from changelog)

  • 1 bug fix:

    • Don’t exit non-zero if no tests ran and no filter (aka, the test file is empty). (I’m starting to think the exit 1 thing for @tenderlove was a mistake…)

5.22.0 (from changelog)

  • 1 minor enhancement:

    • Added “did you mean” output if your --name filter matches nothing. (tenderlove)

  • 2 bug fixes:

    • Big cleanup of test filtering. Much prettier / more functional.

    • Fix situation where Assertion#location can’t find the location. (pftg)


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.16.2 → 1.16.3) · Repo · Changelog

Release Notes

1.16.3

v1.16.3 / 2024-03-15

Dependencies

Changed

  • [CRuby] XML::Reader sets the @encoding instance variable during reading if it is not passed into the initializer. Previously, it would remain nil. The behavior of Reader#encoding has not changed. This works around changes to how libxml2 reports the encoding used in v2.12.6.

sha256 checksums:

3d806263a0548e5163ff256655d78a87998fa83a5ae256b83c14a1a97731e824  nokogiri-1.16.3-aarch64-linux.gem
cfb923c02bde065005e2521f0a6883c63cf305cb899a9dd4c74897731bb2af1d  nokogiri-1.16.3-arm-linux.gem
5d3268558c002fa493e33076798cfda1df8effbd5363060dc41595cfebb1cf90  nokogiri-1.16.3-arm64-darwin.gem
6bf0918233959c7d5e703061ada0f436544612397475a866aa314071f02bfabb  nokogiri-1.16.3-java.gem
656f163dd287671c3a28157a2e853ee1a36afeb3f4185a78af863f3980efc58d  nokogiri-1.16.3-x64-mingw-ucrt.gem
7330f65cf2f8fa442327112b6515b4988f396d23010d33571714fd2ac0648fb9  nokogiri-1.16.3-x64-mingw32.gem
08d8a369940fa2309379cd8af1e7b3cc702b0115d3ddd197cfa7b33daedfd541  nokogiri-1.16.3-x86-linux.gem
cd26e99fa6388cd73c8892bb99ac98af162fe83c8f71c6473dfeba7aac76bcb9  nokogiri-1.16.3-x86-mingw32.gem
bc22786f4db4c32a5587e3b77a106408148d3bb1602dd0b52c0f5c968c42d17d  nokogiri-1.16.3-x86_64-darwin.gem
47a3330e41b49a100225b6fab490b2dc43410931e01e791886e0c2998412e8cb  nokogiri-1.16.3-x86_64-linux.gem
498aa253ccd5b89a0fa5c4c82b346d22176fc865f4a12ef8da642064d1d3e248  nokogiri-1.16.3.gem


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rack (indirect, 2.2.8 → 2.2.8.1) · Repo · Changelog

Security Advisories 🚨

🚨 Possible Denial of Service Vulnerability in Rack Header Parsing

There is a possible denial of service vulnerability in the header parsing
routines in Rack. This vulnerability has been assigned the CVE identifier
CVE-2024-26146.

Versions Affected: All. Not affected: None. Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1

Impact

Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept and
Forwarded headers are impacted.

Ruby 3.2 has mitigations for this problem, so Rack applications using
Ruby 3.2 or newer are unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

🚨 Possible DoS Vulnerability with Range Header in Rack

There is a possible DoS vulnerability relating to the Range request header in
Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.

Versions Affected: >= 1.3.0. Not affected: < 1.3.0. Fixed Versions: 3.0.9.1, 2.2.8.1

Impact

Carefully crafted Range headers can cause a server to respond with an
unexpectedly large response. Responding with such large responses could lead
to a denial of service issue.

Vulnerable applications will use the Rack::File middleware or the
Rack::Utils.byte_ranges methods (this includes Rails applications).

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

🚨 Denial of Service Vulnerability in Rack Content-Type Parsing

There is a possible denial of service vulnerability in the content type
parsing component of Rack. This vulnerability has been assigned the CVE
identifier CVE-2024-25126.

Versions Affected: >= 0.4. Not affected: < 0.4. Fixed Versions: 3.0.9.1, 2.2.8.1

Impact

Carefully crafted content type headers can cause Rack’s media type parser to
take much longer than expected, leading to a possible denial of service
vulnerability.

Impacted code will use Rack’s media type parser to parse content type headers.
This code will look like below:

request.media_type

## OR
request.media_type_params

## OR
Rack::MediaType.type(content_type)

Some frameworks (including Rails) call this code internally, so upgrading is
recommended!

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Release Notes

2.2.8.1

What's Changed

  • Fixed ReDoS in Accept header parsing [CVE-2024-26146]
  • Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
  • Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: v2.2.8...v2.2.8.1


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ reline (indirect, 0.4.2 → 0.4.3) · Repo

Release Notes

0.4.3

What's Changed

✨ Enhancements

🛠 Other Changes

  • Add metadata for rubygems.org by @m-nakamura145 in #638
  • [Feature #16495] Do not include a backtick in error messages and backtraces by @hsbt in #640
  • Bump version to v0.4.3 by @st0012 in #642

New Contributors

Full Changelog: v0.4.2...v0.4.3


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rspec-core (indirect, 3.12.2 → 3.13.0) · Repo · Changelog

Release Notes

3.13.0 (from changelog)

Full Changelog

Enhancements:

  • Support the --backtrace flag when using the JSON formatter. (Matt Larraz, #2980)
  • Ignore commented out lines in CLI config files (e.g. .rspec). (Junichi Ito, #2984)
  • Add pending_failure_output config option to allow skipping backtraces or muting pending specs output. (Phil Pirozhkov, #2957)
  • Process --dry-run before configuration flags that read files so that introspecting it returns the correct value. (Xenor Chang, #3008)
  • Allow specifying custom ordering strategies via --order. (Jon Rowe, #3025)
  • Use the improved syntax_suggest output for SyntaxError when available. (Richard Schneeman, #3015, #3026)
  • Add config option (RSpec::Core::Configuration#full_cause_backtrace) to print the entire backtrace of an exception cause. (David Taylor, #3046)

3.12.3 (from changelog)

Full Changelog

Bug fixes:

  • Use __send__ in output wrapper to avoid issues with IO objects that implement send like Socket. (Richard Platel, #3045)


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rspec-expectations (indirect, 3.12.3 → 3.13.0) · Repo · Changelog

Release Notes

3.13.0 (from changelog)

Full Changelog

Enhancements:

  • Update eq and eql matchers to better highlight difference in string encoding. (Alan Foster, #1425)

3.12.4 (from changelog)

Full Changelog

Bug Fixes:

  • Fix the diff for redefined actual and reassigned @actual in compound expectations failure messages. (Phil Pirozhkov, #1440)


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rspec-mocks (indirect, 3.12.6 → 3.13.0) · Repo · Changelog

Release Notes

3.13.0 (from changelog)

Full Changelog

Enhancements:

  • Add an array_excluding matcher for arguments. (Zane Wolfgang Pickett, #1528)

3.12.7 (from changelog)

Full Changelog

Bug Fixes:

  • Reduce allocations from "any_instance" style mocks. (Carlos Palhares, #1479)


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rspec-support (indirect, 3.12.1 → 3.13.1) · Repo · Changelog

Release Notes

3.13.1 (from changelog)

Full Changelog

Bug Fixes:

  • Exclude ruby internal require warnings from RSpec::Support::CallerFilter#first_non_rspec_line. (Jon Rowe, #593)

3.13.0 (from changelog)

Full Changelog

Enhancements:

  • Add RubyFeatures#supports_syntax_suggest?. (Jon Rowe, #571)

3.12.2 (from changelog)

Full Changelog

Bug Fixes:

  • Properly surface errors from in_sub_process. (Jon Rowe, #575)
  • Add magic comment for freezing string literals. (Josh Nichols, #586)
  • Allow string keys for keyword arguments during verification of method signatures (but only on Ruby 3+). (@malcolmohare, #591)


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ thor (indirect, 1.3.0 → 1.3.1) · Repo · Changelog

Release Notes

1.3.1

What's Changed

New Contributors

Full Changelog: v1.3.0...v1.3.1


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ zeitwerk (indirect, 2.6.12 → 2.6.13) · Repo · Changelog

Release Notes

2.6.13 (from changelog)

  • There is a new experimental null inflector that simply returns its input unchanged:

    loader.inflector = Zeitwerk::NullInflector.new

    Projects using this inflector are expected to define their constants in files and directories with names exactly matching them:

    User.rb       -> User
    HTMLParser.rb -> HTMLParser
    Admin/Role.rb -> Admin::Role
    

    Please see its documentation for further details.

  • Documentation improvements.


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🗑️ ruby2_keywords (removed)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
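The three Rack advisories quoted in this PR (CVE-2024-26146, CVE-2024-26141, CVE-2024-25126) each give an affected-version predicate and a list of fixed releases, and the only remediation offered is to upgrade. The script below is an added example, not Depfu's, Rack's or the speakerline project's code: it reads the "specs:" block of a Gemfile.lock, finds the resolved rack version, and reports which of the three advisories still apply to it, treating a version as patched only if it is at or above the fixed release on its own major.minor line (or above the newest fixed line altogether). The advisory data is copied from the text above; the Gemfile.lock content is constructed for the example and is not this repository's lockfile.

```ruby
# Added example: check a Gemfile.lock against the three Rack advisories
# quoted in this PR. Not Depfu's, Rack's or speakerline's own code.
require "rubygems"

# Advisory data as quoted in the PR. :affected is the predicate the advisory
# gives for vulnerable versions; :fixed lists the patched releases.
RACK_ADVISORIES = [
  { cve: "CVE-2024-26146", title: "ReDoS in Accept/Forwarded header parsing",
    affected: ->(_v) { true },                               # "Versions Affected: All."
    fixed: %w[2.0.9.4 2.1.4.4 2.2.8.1 3.0.9.1] },
  { cve: "CVE-2024-26141", title: "Oversized responses from crafted Range headers",
    affected: ->(v) { v >= Gem::Version.new("1.3.0") },     # ">= 1.3.0"
    fixed: %w[2.2.8.1 3.0.9.1] },
  { cve: "CVE-2024-25126", title: "ReDoS in Content-Type header parsing",
    affected: ->(v) { v >= Gem::Version.new("0.4") },       # ">= 0.4"
    fixed: %w[2.2.8.1 3.0.9.1] },
].freeze

# Constructed Gemfile.lock excerpt (not the real speakerline lockfile).
# Resolved gems sit at four spaces of indentation; their dependency
# constraints sit deeper and must not be mistaken for resolved versions.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.16.2-x86_64-linux)
        racc (~> 1.4)
      rack (2.2.8)
      rack-test (2.1.0)
        rack (>= 1.3)
      rspec-rails (6.1.1)
        actionpack (>= 6.1)
        rspec-core (~> 3.12)
LOCK

# Map gem name -> Gem::Version for every resolved gem in the lockfile.
# Only the leading numeric version is taken, so platform suffixes such as
# "-x86_64-linux" are dropped and prerelease tags like ".rc1" are kept.
def locked_versions(lockfile_text)
  lockfile_text.each_line.with_object({}) do |line, versions|
    next unless line =~ /\A {4}(\S+) \(([0-9][0-9A-Za-z.]*)/
    versions[$1] = Gem::Version.new($2)
  end
end

# A version is patched when it is >= the fixed release on its own
# major.minor line. A version on a line with no fixed release (e.g. a
# minor that predates or postdates all fixed lines) counts as patched only
# if it is above the newest fixed release, which is the conservative reading.
def patched?(version, fixed)
  fixed_versions = fixed.map { |f| Gem::Version.new(f) }
  same_line = fixed_versions.select { |f| f.segments[0, 2] == version.segments[0, 2] }
  return version >= same_line.min unless same_line.empty?

  version >= fixed_versions.max
end

# Return one human-readable finding per advisory that still applies to the
# locked rack version; an empty array means nothing to do (or no rack at all).
def rack_findings(lockfile_text)
  version = locked_versions(lockfile_text)["rack"]
  return [] unless version

  RACK_ADVISORIES
    .select { |a| a[:affected].call(version) && !patched?(version, a[:fixed]) }
    .map { |a| "#{a[:cve]}: #{a[:title]} (rack #{version}, fixed in #{a[:fixed].join(', ')})" }
end

if __FILE__ == $PROGRAM_NAME
  findings = rack_findings(SAMPLE_LOCKFILE)
  puts(findings.empty? ? "rack: no open advisories from this set" : findings)
end
```

For anything beyond these three advisories, run bundler-audit (`bundle audit`) against the lockfile instead; it checks every gem against the ruby-advisory-db rather than a hand-copied list. Note that the rack entry in the constructed lockfile is 2.2.8, the exact version this PR moves off, so the script reports all three CVEs until the line reads rack (2.2.8.1).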