reedhhw / github-slideshow

A robot powered training repository :robot:
https://lab.github.com/githubtraining/introduction-to-github
MIT License

🚨 [security] Update github-pages: 207 → 227 (major) #1458

Closed depfu[bot] closed 6 months ago

depfu[bot] commented 2 years ago

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ github-pages (207 → 227) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Sorry, we couldn't find anything useful about this release.

↗️ activesupport (indirect, 6.0.3.2 → 6.0.5.1) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ addressable (indirect, 2.7.0 → 2.8.0) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service in Addressable templates

More info than we can show here.
Release Notes

2.8.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

↗️ commonmarker (indirect, 0.17.13 → 0.23.5) · Repo · Changelog

Security Advisories 🚨

🚨 Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption

More info than we can show here.
Release Notes

0.22.0

More info than we can show here.

0.21.0

More info than we can show here.

0.19.0

More info than we can show here.

0.18.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.1.7 → 1.1.10) · Repo · Changelog

Release Notes

1.1.10

More info than we can show here.

1.1.9 (from changelog)

More info than we can show here.

1.1.8 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ dnsruby (indirect, 1.61.4 → 1.61.9) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ em-websocket (indirect, 0.5.1 → 0.5.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ethon (indirect, 0.12.0 → 0.15.0) · Repo · Changelog

Release Notes

0.15.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ execjs (indirect, 2.7.0 → 2.8.1) · Repo

Release Notes

2.8.1

More info than we can show here.

2.8.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ faraday (indirect, 1.0.1 → 2.3.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ffi (indirect, 1.13.1 → 1.15.5) · Repo · Changelog

Release Notes

1.15.5 (from changelog)

More info than we can show here.

1.15.4 (from changelog)

More info than we can show here.

1.15.3 (from changelog)

More info than we can show here.

1.15.2 (from changelog)

More info than we can show here.

1.15.1 (from changelog)

More info than we can show here.

1.15.0 (from changelog)

More info than we can show here.

1.14.2 (from changelog)

More info than we can show here.

1.14.1 (from changelog)

More info than we can show here.

1.14.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ github-pages-health-check (indirect, 1.16.1 → 1.17.9) · Repo

Release Notes

1.17.9

More info than we can show here.

1.17.8

More info than we can show here.

1.17.6

More info than we can show here.

1.17.2

More info than we can show here.

1.17.1

More info than we can show here.

1.17.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ html-pipeline (indirect, 2.14.0 → 2.14.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ http_parser.rb (indirect, 0.6.0 → 0.8.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll (indirect, 3.9.0 → 3.9.2) · Repo · Changelog

Release Notes

3.9.2

More info than we can show here.

3.9.1

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-commonmark (indirect, 1.3.1 → 1.4.0) · Repo · Changelog

Release Notes

1.4.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-commonmark-ghpages (indirect, 0.1.6 → 0.2.0) · Repo

Release Notes

0.2.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-feed (indirect, 0.13.0 → 0.15.1) · Repo · Changelog

Release Notes

0.15.1

More info than we can show here.

0.15.0

More info than we can show here.

0.14.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-mentions (indirect, 1.5.1 → 1.6.0) · Repo · Changelog

Release Notes

1.6.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-redirect-from (indirect, 0.15.0 → 0.16.0) · Repo · Changelog

Release Notes

0.16.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-remote-theme (indirect, 0.4.1 → 0.4.3) · Repo

Release Notes

0.4.3

More info than we can show here.

0.4.2

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-seo-tag (indirect, 2.6.1 → 2.8.0) · Repo · Changelog

Release Notes

2.8.0

More info than we can show here.

2.7.1

More info than we can show here.

2.7.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-theme-architect (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-theme-cayman (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-theme-dinky (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-theme-hacker (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

More info than we can show here.

0.1.2

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-theme-leap-day (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-theme-merlot (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-theme-midnight (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-theme-minimal (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-theme-modernist (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-theme-primer (indirect, 0.5.4 → 0.6.0) · Repo

Release Notes

0.6.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-theme-slate (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-theme-tactile (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-theme-time-machine (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jemoji (indirect, 0.11.1 → 0.12.0) · Repo · Changelog

Release Notes

0.12.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ kramdown (indirect, 2.3.0 → 2.3.2) · Repo · Changelog

Security Advisories 🚨

🚨 Remote code execution in Kramdown

More info than we can show here.

↗️ listen (indirect, 3.2.1 → 3.7.1) · Repo · Changelog

Release Notes

3.7.1

More info than we can show here.

3.7.0

More info than we can show here.

3.6.0

More info than we can show here.

3.5.1

More info than we can show here.

3.4.0

More info than we can show here.

3.3.4

More info than we can show here.

3.3.3

More info than we can show here.

3.3.2

More info than we can show here.

3.3.1

More info than we can show here.

3.3.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.4.0 → 2.8.0) · Repo · Changelog

Release Notes

2.8.0

More info than we can show here.

2.7.1

More info than we can show here.

2.7.0

More info than we can show here.

2.6.1

More info than we can show here.

2.6.0

More info than we can show here.

2.5.3

More info than we can show here.

2.5.2

More info than we can show here.

2.5.1

More info than we can show here.

2.5.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.14.2 → 5.16.2) · Repo · Changelog

Release Notes

5.16.2 (from changelog)

More info than we can show here.

5.16.1 (from changelog)

More info than we can show here.

5.16.0 (from changelog)

More info than we can show here.

5.15.0 (from changelog)

More info than we can show here.

5.14.4 (from changelog)

More info than we can show here.

5.14.3 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.10.10 → 1.13.7) · Repo · Changelog

Security Advisories 🚨

🚨 Improper Handling of Unexpected Data Type in Nokogiri

More info than we can show here.

🚨 Integer Overflow or Wraparound in libxml2 affects Nokogiri

More info than we can show here.

🚨 Denial of Service (DoS) in Nokogiri on JRuby

More info than we can show here.

🚨 Inefficient Regular Expression Complexity in Nokogiri

More info than we can show here.

🚨 Out-of-bounds Write in zlib affects Nokogiri

More info than we can show here.

🚨 XML Injection in Xerces Java affects Nokogiri

More info than we can show here.

🚨 Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)

More info than we can show here.

🚨 Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby

More info than we can show here.

🚨 Update packaged dependency libxml2 from 2.9.10 to 2.9.12

More info than we can show here.

🚨 Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability

More info than we can show here.
Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ octokit (indirect, 4.18.0 → 4.25.1) · Repo · Changelog

Security Advisories 🚨

🚨 Octokit gem published with world-writable files

More info than we can show here.
Release Notes

4.25.1

More info than we can show here.

4.25.0

More info than we can show here.

4.24.0

More info than we can show here.

4.23.0

More info than we can show here.

4.22.0

More info than we can show here.

4.21.0

More info than we can show here.

4.20.0

More info than we can show here.

4.19.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ public_suffix (indirect, 3.1.1 → 4.0.7) · Repo · Changelog

Release Notes

4.0.7 (from changelog)

More info than we can show here.

4.0.6 (from changelog)

More info than we can show here.

4.0.5 (from changelog)

More info than we can show here.

4.0.4 (from changelog)

More info than we can show here.

4.0.3 (from changelog)

More info than we can show here.

4.0.2 (from changelog)

More info than we can show here.

4.0.1 (from changelog)

More info than we can show here.

4.0.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rb-fsevent (indirect, 0.10.4 → 0.11.1) · Repo

Release Notes

0.11.1

More info than we can show here.

0.11.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rexml (indirect, 3.2.4 → 3.2.5) · Repo · Changelog

Security Advisories 🚨

🚨 XML round-trip vulnerability in REXML

More info than we can show here.
Release Notes

3.2.5 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rouge (indirect, 3.19.0 → 3.26.0) · Repo · Changelog

Release Notes

3.26.0

More info than we can show here.

3.25.0

More info than we can show here.

3.24.0

More info than we can show here.

3.23.0

More info than we can show here.

3.22.0

More info than we can show here.

3.21.0

More info than we can show here.

3.20.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rubyzip (indirect, 2.3.0 → 2.3.2) · Repo · Changelog

Release Notes

2.3.2 (from changelog)

More info than we can show here.

2.3.1

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sawyer (indirect, 0.8.2 → 0.9.2) · Repo

Release Notes

0.9.1

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ simpleidn (indirect, 0.1.1 → 0.2.1) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tzinfo (indirect, 1.2.7 → 1.2.9) · Repo · Changelog

Release Notes

1.2.9

More info than we can show here.

1.2.8

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ unf_ext (indirect, 0.0.7.7 → 0.0.8.2) · Repo · Changelog

Release Notes

0.0.8.2 (from changelog)

More info than we can show here.

0.0.8.1 (from changelog)

More info than we can show here.

0.0.8 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ unicode-display_width (indirect, 1.7.0 → 1.8.0) · Repo · Changelog

Release Notes

1.8.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ zeitwerk (indirect, 2.4.0 → 2.6.0) · Repo · Changelog

Release Notes

2.6.0 (from changelog)

More info than we can show here.

2.5.4 (from changelog)

More info than we can show here.

2.5.3 (from changelog)

More info than we can show here.

2.5.1 (from changelog)

More info than we can show here.

2.5.0 (from changelog)

More info than we can show here.

2.4.2 (from changelog)

More info than we can show here.

2.4.1 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 faraday-net_http (added, 2.0.3)

🆕 jekyll-include-cache (added, 0.2.1)

🆕 racc (added, 1.6.0)

🆕 ruby2_keywords (added, 0.0.5)

🗑️ multipart-post (removed)

🗑️ ruby-enum (removed)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@depfu rebase: Rebases against your default branch and redoes this update
@depfu recreate: Recreates this PR, overwriting any edits that you've made to it
@depfu merge: Merges this PR once your tests are passing and conflicts are resolved
@depfu close: Closes this PR and deletes the branch
@depfu reopen: Restores the branch and reopens this PR (if it's closed)
@depfu pause: Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

changelogg[bot] commented 2 years ago

Hey! Changelog info seems to be missing or might be in an incorrect format. Please use the template below in the PR description to ensure Changelogg can detect your changes:

```
- (tag) changelog_text
```
or
```
- tag: changelog_text
```
**OR**
You can add a tag in the PR header or in a commit message too:
```
(tag) PR header
```
or
```
tag: PR header
```
Valid tags: **added** / **feat**, **changed**, **deprecated**, **fixed** / **fix**, **removed**, **security**, **build**, **ci**, **chore**, **docs**, **perf**, **refactor**, **revert**, **style**, **test**
Thanks!
For more info, check out [changelogg docs](https://docs.changelogg.io/)

performance-testing-bot[bot] commented 2 years ago

Unable to locate .performanceTestingBot config file

secure-code-warrior-for-github[bot] commented 2 years ago

Micro-Learning Topic: External entity injection (Detected by phrase)

Matched on "XXE"

What is this? (2min video)

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Try this challenge in Secure Code Warrior

Micro-Learning Topic: XML injection (Detected by phrase)

Matched on "XML Injection"

What is this? (2min video)

XML injection is a vulnerability affecting the handling of XML documents used by an application. If an application uses unsafe inputs as part of an XML document, it may result in corrupted XML that changes the behaviour of application components that use the modified document. Where XML documents are accepted by an application, it may allow information disclosure, denial of service or unauthorised file access if certain XML processing is permitted.

Try this challenge in Secure Code Warrior

Micro-Learning Topic: Integer overflow (Detected by phrase)

Matched on "Integer overflow"

What is this? (2min video)

Integer overflow occurs when the result of an arithmetic operation is greater than the maximum value the integer data type can store. For example, if an integer data type allows integers up to two bytes or 16 bits in length (or an unsigned number up to decimal 65,535), and two integers whose sum exceeds 65,535 are added together, the result will be an integer overflow.

Try this challenge in Secure Code Warrior

Micro-Learning Topic: Regular expression denial of service (Detected by phrase)

Matched on "Regular Expression Denial of Service"

What is this? (2min video)

Regular expression denial of service is a Denial of Service (DoS) attack caused by a regular expression that makes the system hang or work very slowly when an attacker sends well-crafted input (processing time grows exponentially with input size). Denial of service attacks significantly degrade the service quality experienced by legitimate users. These attacks introduce large response delays, excessive losses, and service interruptions, resulting in a direct impact on availability.

Try this challenge in Secure Code Warrior

Micro-Learning Topic: Denial of service (Detected by phrase)

Matched on "Denial of Service"

The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed for. There are many ways to make a service unavailable for legitimate users, by manipulating network packets or by exploiting programming, logical, or resource-handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service

Try this challenge in Secure Code Warrior

squash-labs[bot] commented 2 years ago

Manage this branch in Squash

Test this branch here: https://depfuupdategithub-pages-227-afcgg.squash.io

vizipi[bot] commented 2 years ago

Pull request analysis by VIZIPI

Below you will find who is the most qualified team member to review your code. This analysis includes his/her work on the code included in this Pull request, in addition to their experience in code affected by these changes (partly found within the list of potential missing files below). Feedback always welcome.

No other active qualified developers found to review these specific changes. You might consider involving more team members with these code segments.


Potential missing files from this Pull request

No commonly committed files found with a 40% threshold


Committed file ranks

  • 99.13% [Gemfile.lock]

guardrails[bot] commented 2 years ago

:warning: We detected 1 security issue in this pull request:

Vulnerable Libraries (1)

Severity | Details
----- | --------
High | [rouge@3.26.0](https://github.com/reedhhw/github-slideshow/blob/18870f6b52b98a7e078c68d08b3c6ac03dd76f7b/Gemfile.lock#L78) - **no patch available**

More info on how to fix Vulnerable Libraries in [General](https://docs.guardrails.io/docs/en/vulnerabilities/general/using_vulnerable_libraries.html?utm_source=ghpr#).

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

secure-code-warrior-for-github[bot] commented 2 years ago

Micro-Learning Topic: Vulnerable library (Detected by phrase)

Matched on "Vulnerable Libraries"

What is this? (2min video)

Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.

Try this challenge in Secure Code Warrior
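An added example, not code from depfu, guardrails or this repository: a small Ruby check that parses a Gemfile.lock and flags gems still below the versions this PR moves them to, plus the rouge@3.26.0 finding guardrails reported as having no patch. It assumes the PR's target version is the first patched release for each advisory listed above; the lockfile excerpt is constructed from the pre-update versions on this page.

```ruby
require "rubygems" # Gem::Version; loaded by default in plain Ruby, required here for clarity

# Minimum versions for the gems with security advisories in this PR.
# Assumption: the version this PR updates to is the first patched release.
MIN_SAFE = {
  "addressable"  => "2.8.0",  # regular expression denial of service in templates
  "commonmarker" => "0.23.5", # integer overflow in cmark-gfm table parsing
  "kramdown"     => "2.3.2",  # remote code execution
  "nokogiri"     => "1.13.7", # XXE and bundled libxml2/zlib issues
  "octokit"      => "4.25.1", # gem published with world-writable files
  "rexml"        => "3.2.5",  # XML round-trip vulnerability
}.freeze

# Gems reported vulnerable with no patched release available at the time
# (guardrails flagged rouge@3.26.0 in this PR): flag at or below this version.
NO_PATCH = { "rouge" => "3.26.0" }.freeze

# Parse the `specs:` block of a Gemfile.lock into { name => version }.
# Resolved gems are indented four spaces ("    name (version)"); their
# dependency lines are indented six spaces and are skipped.
def parse_lockfile(text)
  gems = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    # A line at column zero (e.g. "PLATFORMS") ends the specs block.
    in_specs = false if in_specs && line !~ /\A\s/
    next unless in_specs
    if (m = line.match(/\A {4}([^\s(]+) \(([^)]+)\)\s*\z/))
      # Drop a platform suffix such as "1.13.7-x86_64-linux"; Gem::Version
      # would otherwise treat it as a prerelease and rank it below 1.13.7.
      gems[m[1]] = m[2].split("-").first
    end
  end
  gems
end

# Compare resolved versions against the tables above; returns sorted findings.
def audit(gems)
  findings = []
  gems.each do |name, ver|
    v = Gem::Version.new(ver)
    if MIN_SAFE.key?(name) && v < Gem::Version.new(MIN_SAFE[name])
      findings << "#{name} #{ver} < #{MIN_SAFE[name]} (update required)"
    end
    if NO_PATCH.key?(name) && v <= Gem::Version.new(NO_PATCH[name])
      findings << "#{name} #{ver}: reported vulnerable, no patch available"
    end
  end
  findings.sort
end

# Constructed lockfile excerpt using the pre-update versions from this PR.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.7.0)
        public_suffix (>= 2.0.2, < 4.0)
      kramdown (2.3.0)
        rexml
      nokogiri (1.10.10)
        mini_portile2 (~> 2.4.0)
      rouge (3.26.0)

  PLATFORMS
    ruby
LOCK

puts audit(parse_lockfile(SAMPLE_LOCK)) if __FILE__ == $PROGRAM_NAME
```

Run it against a real Gemfile.lock with `audit(parse_lockfile(File.read("Gemfile.lock")))`; an empty result means every gem in the tables is at or above its minimum.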

depfu[bot] commented 6 months ago

Closing because this update has already been applied