search

reedhhw / github-slideshow

A robot powered training repository :robot:
https://lab.github.com/githubtraining/introduction-to-github
MIT License
2 stars 0 forks source link

🚨 [security] Update octokit: 4.18.0 → 4.25.1 (minor) #1457

Closed depfu[bot] closed 6 months ago

depfu[bot] commented 2 years ago

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ octokit (indirect, 4.18.0 → 4.25.1) · Repo · Changelog

Security Advisories 🚨

🚨 Octokit gem published with world-writable files

Impact

Versions 4.23.0
and 4.24.0 of the octokit gem
were published containing world-writeable files.

Specifically, the gem was packed
with files having their permissions set to -rw-rw-rw- (i.e. 0666) instead of rw-r--r--
(i.e. 0644). This means everyone who is not the owner (Group and Public) with access
to the instance where this release had been installed could modify the world-writable
files from this gem.

Malicious code already present and running on your machine,
separate from this package, could modify the gem’s files and change its behavior
during runtime.

Patches

Workarounds

Users can use the previous version of the gem v4.22.0.
Alternatively, users can modify the file permissions manually until they are able
to upgrade to the latest version.

Release Notes

4.25.1

  • Stop configuring Faraday's retry middleware twice (@Edouard-chin)
  • Fix various Ruby warnings (e.g. missing parentheses) (@coryf)

4.25.0

NOTE: This remediates A security advisory was published on versions 4.23.0 and 4.24.0 of this gem. You can read more about this in the published security advisory.

DX Improvements

CI Improvements

Updates all build scripts to be more durable and adds details on how to run a manual file integrity check by @nickfloyd in #1446

Housekeeping

  • Drop support for Ruby 1.9.2 in Octokit::Client::Contents#create_contents by @timrogers in #1442

Full Changelog: v4.24.0...v4.25.0

4.24.0

Known issues

Note: This release fixes the issue around autoloading modules causing some modules to not load before use #1428

Code improvements

CI Improvements

  • Adds Code QL analysis to octokit.rb via @nickfloyd

Bug fixes

Full Changelog: v4.23.0...v4.24.0

4.23.0

Code improvements

CI Improvements

Performance improvements

Bug fixes

Documentation

Full Changelog: v4.22.0...v4.23.0

4.22.0

Deprecation Fix

Code Improvements

CI and dependency updates

Documentation

4.21.0

API Support

Error handling

Code clean up

Documentation

4.20.0

API Support

Bug fixes

  • #1309 Paginate outside_collaborators calls @sds
  • #1316 Uses of FaradayMiddleware#on_complete should not be private @tarebyte

Code improvements

Documentation

4.19.0

Code Improvements

API Support

Documentation

CI and dependency updates

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ addressable (indirect, 2.7.0 → 2.8.0) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service in Addressable templates

Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption,
leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input,
but nonetheless, no previous security advisory for Addressable has cautioned against doing this.
Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.

Release Notes

2.8.0 (from changelog)

  • fixes ReDoS vulnerability in Addressable::Template#match
  • no longer replaces + with spaces in queries for non-http(s) schemes
  • fixed encoding ipv6 literals
  • the :compacted flag for normalized_query now dedupes parameters
  • fix broken escape_component alias
  • dropping support for Ruby 2.0 and 2.1
  • adding Ruby 3.0 compatibility for development tasks
  • drop support for rack-mount and remove Addressable::Template#generate
  • performance improvements
  • switch CI/CD to GitHub Actions

Does any of this look wrong? Please let us know.

↗️ faraday (indirect, 1.0.1 → 2.3.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sawyer (indirect, 0.8.2 → 0.9.2) · Repo

Release Notes

0.9.1

What's Changed

  • Specify correct minimal Faraday version by @skryukov in #73

New Contributors

Full Changelog: v0.9.0...v0.9.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

🆕 faraday-net_http (added, 2.0.3)

🆕 ruby2_keywords (added, 0.0.5)

🗑️ multipart-post (removed)

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
changelogg[bot] commented 2 years ago

Hey! Changelogs info seems to be missing or might be in incorrect format. Please use the below template in PR description to ensure Changelogg can detect your changes:

    - (tag) changelog_text
or
```
- tag: changelog_text
```
**OR**
You can add tag in PR header or while doing a commit too
```    
(tag) PR header
```
or
```
tag: PR header
```
Valid tags: **added** / **feat**, **changed**, **deprecated**, **fixed** / **fix**, **removed**, **security**, **build**, **ci**, **chore**, **docs**, **perf**, **refactor**, **revert**, **style**, **test**
Thanks!
For more info, check out [changelogg docs](https://docs.changelogg.io/)
performance-testing-bot[bot] commented 2 years ago

Unable to locate .performanceTestingBot config file

pull-request-quantifier-deprecated[bot] commented 2 years ago

This PR has 20 quantified lines of changes. In general, a change size of upto 200 lines is ideal for the best PR experience!

Quantification details

``` Label : Extra Small Size : +11 -9 Percentile : 8% Total files changed: 1 Change summary by file extension: .lock : +11 -9 ``` > Change counts above are quantified counts, based on the [PullRequestQuantifier customizations](https://github.com/microsoft/PullRequestQuantifier/blob/main/docs/prquantifier-yaml.md).

Why proper sizing of changes matters

Optimal pull request sizes drive a better predictable PR flow as they strike a balance between between PR complexity and PR review overhead. PRs within the optimal size (typical small, or medium sized PRs) mean: - Fast and predictable releases to production: - Optimal size changes are more likely to be reviewed faster with fewer iterations. - Similarity in low PR complexity drives similar review times. - Review quality is likely higher as complexity is lower: - Bugs are more likely to be detected. - Code inconsistencies are more likely to be detetcted. - Knowledge sharing is improved within the participants: - Small portions can be assimilated better. - Better engineering practices are exercised: - Solving big problems by dividing them in well contained, smaller problems. - Exercising separation of concerns within the code changes. #### What can I do to optimize my changes - Use the PullRequestQuantifier to quantify your PR accurately - Create a context profile for your repo using the [context generator](https://github.com/microsoft/PullRequestQuantifier/releases) - Exclude files that are not necessary to be reviewed or do not increase the review complexity. Example: Autogenerated code, docs, project IDE setting files, binaries, etc. Check out the `Excluded` section from your `prquantifier.yaml` context profile. - Understand your typical change complexity, drive towards the desired complexity by adjusting the label mapping in your `prquantifier.yaml` context profile. - Only use the labels that matter to you, [see context specification](./docs/prquantifier-yaml.md) to customize your `prquantifier.yaml` context profile. - Change your engineering behaviors - For PRs that fall outside of the desired spectrum, review the details and check if: - Your PR could be split in smaller, self-contained PRs instead - Your PR only solves one particular issue. (For example, don't refactor and code new features in the same PR). #### How to interpret the change counts in git diff output - One line was added: `+1 -0` - One line was deleted: `+0 -1` - One line was modified: `+1 -1` (git diff doesn't know about modified, it will interpret that line like one addition plus one deletion) - Change percentiles: Change characteristics (addition, deletion, modification) of this PR in relation to all other PRs within the repository.

Was this comment helpful? :thumbsup:  :ok_hand:  :thumbsdown: (Email) Customize PullRequestQuantifier for this repository.

secure-code-warrior-for-github[bot] commented 2 years ago

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Denial of Service (DoS) attacks caused by Regular Expression which causes the system to hang or cause them to work very slowly when attacker sends a well-crafted input(exponentially related to input size).Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in direct impact on availability.

Try this challenge in Secure Code Warrior

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try this challenge in Secure Code Warrior

404 - Not Found | OWASP Foundation
404 - Not Found on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
squash-labs[bot] commented 2 years ago

Manage this branch in Squash

Test this branch here: https://depfuupdateoctokit-4251-0eff3.squash.io
vizipi[bot] commented 2 years ago

Pull request analysis by VIZIPI

Below you will find who is the most qualified team member to review your code. This analysis includes his/her work on the code included in this Pull request, in addition to their experience in code affected by these changes ( partly found within the list of potential missing files below )   Feedback always welcome

Reviewers with knowledge related to these changes

Match % Person Commit Count Common Files
100.00 % reedhhw 2 1

Potential missing files from this Pull request

No commonly committed files found with a 40% threashold

Committed file ranks

  • 99.13%[Gemfile.lock]
    • depfu[bot] commented 6 months ago

    Closing because this update has already been applied