Changelog
*Sourced from [rack's changelog](https://github.com/rack/rack/blob/master/CHANGELOG.md).*
> ## [1.6.12] - 2019-12-08
>
> - [[CVE-2019-16782](https://nvd.nist.gov/vuln/detail/CVE-2019-16782)] Prevent timing attacks targeted at session ID lookup. ([@tenderlove](https://github.com/tenderlove), [@rafaelfranca](https://github.com/rafaelfranca))
>
> ## [2.0.7] - 2019-04-02
>
> ### Fixed
>
> - Remove calls to `#eof?` on Rack input in `Multipart::Parser`, as this breaks the specification. ([@matthewd](https://github.com/matthewd))
> - Preserve forwarded IP addresses for trusted proxy chains. ([@SamSaffron](https://github.com/SamSaffron))
>
> ## [2.0.6] - 2018-11-05
>
> ### Fixed
>
> - [[CVE-2018-16470](https://nvd.nist.gov/vuln/detail/CVE-2018-16470)] Reduce buffer size of `Multipart::Parser` to avoid pathological parsing. ([@tenderlove](https://github.com/tenderlove))
> - Fix a call to a non-existing method `#accepts_html` in the `ShowExceptions` middleware. ([@tomelm](https://github.com/tomelm))
> - [[CVE-2018-16471](https://nvd.nist.gov/vuln/detail/CVE-2018-16471)] Whitelist HTTP and HTTPS schemes in `Request#scheme` to prevent a possible XSS attack. ([@PatrickTulskie](https://github.com/PatrickTulskie))
>
> ## [2.0.5] - 2018-04-23
>
> ### Fixed
>
> - Record errors originating from invalid UTF8 in `MethodOverride` middleware instead of breaking. ([@mclark](https://github.com/mclark))
>
> ## [2.0.4] - 2018-01-31
>
> ### Changed
>
> - Ensure the `Lock` middleware passes the original `env` object. ([@lugray](https://github.com/lugray))
> - Improve performance of `Multipart::Parser` when uploading large files. ([@tompng](https://github.com/tompng))
> - Increase buffer size in `Multipart::Parser` for better performance. ([@jkowens](https://github.com/jkowens))
> - Reduce memory usage of `Multipart::Parser` when uploading large files. ([@tompng](https://github.com/tompng))
> - Replace ConcurrentRuby dependency with native `Queue`. ([@devmchakan](https://github.com/devmchakan))
>
> ### Fixed
>
> - Require the correct digest algorithm in the `ETag` middleware. ([@matthewd](https://github.com/matthewd))
>
> ### Documentation
>
> - Update homepage links to use SSL. ([@hugoabonizio](https://github.com/hugoabonizio))
>
> ## [2.0.3] - 2017-05-15
>
> ### Changed
>
> - Ensure `env` values are ASCII 8-bit encoded. ([@eileencodes](https://github.com/eileencodes))
>
> ### Fixed
> ... (truncated)
Commits
- [`de902e4`](https://github.com/rack/rack/commit/de902e48d1c971fe145002039121afb69e10af5a) Merge branch '1-6-sec' into 1-6-stable
- [`b7d6546`](https://github.com/rack/rack/commit/b7d6546e2e21a620559b498707f65f5206f662e2) Bump version
- [`d3e2f88`](https://github.com/rack/rack/commit/d3e2f88c17dad2c7997e453d7ef518dd6e751ac8) making diff smaller
- [`99a8a87`](https://github.com/rack/rack/commit/99a8a8776513839b5da4af393b67afe95a9412d8) fix memcache tests on 1.6
- [`f2cb48e`](https://github.com/rack/rack/commit/f2cb48e50e507e638973f331d4a62099fae567ec) fix tests on 1.6
- [`7ff635c`](https://github.com/rack/rack/commit/7ff635c51d29f3e19377855f6010574fb2e8e593) Introduce a new base class to avoid breaking when upgrading
- [`3232f93`](https://github.com/rack/rack/commit/3232f9370d099e784a16c01d32e8a2da4a953f18) Add a version prefix to the private id to make easier to migrate old values
- [`15da2e5`](https://github.com/rack/rack/commit/15da2e5d95228d0b3fcdb38b2a562efc333402f0) Fallback to the public id when reading the session in the pool adapter
- [`1a532d1`](https://github.com/rack/rack/commit/1a532d13eee9d5546349b5253a204187773de151) Also drop the session with the public id when destroying sessions
- [`9fe40c6`](https://github.com/rack/rack/commit/9fe40c68b514e0f4a947577e4b903a9ae477365e) Fallback to the legacy id when the new id is not found
- Additional commits viewable in [compare view](https://github.com/rack/rack/compare/1.5.2...1.6.12)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/relrod/rublets/network/alerts).
Bumps rack from 1.5.2 to 1.6.12.
Changelog
*Sourced from [rack's changelog](https://github.com/rack/rack/blob/master/CHANGELOG.md).* > ## [1.6.12] - 2019-12-08 > > - [[CVE-2019-16782](https://nvd.nist.gov/vuln/detail/CVE-2019-16782)] Prevent timing attacks targeted at session ID lookup. ([@tenderlove](https://github.com/tenderlove), [@rafaelfranca](https://github.com/rafaelfranca)) > > ## [2.0.7] - 2019-04-02 > > ### Fixed > > - Remove calls to `#eof?` on Rack input in `Multipart::Parser`, as this breaks the specification. ([@matthewd](https://github.com/matthewd)) > - Preserve forwarded IP addresses for trusted proxy chains. ([@SamSaffron](https://github.com/SamSaffron)) > > ## [2.0.6] - 2018-11-05 > > ### Fixed > > - [[CVE-2018-16470](https://nvd.nist.gov/vuln/detail/CVE-2018-16470)] Reduce buffer size of `Multipart::Parser` to avoid pathological parsing. ([@tenderlove](https://github.com/tenderlove)) > - Fix a call to a non-existing method `#accepts_html` in the `ShowExceptions` middleware. ([@tomelm](https://github.com/tomelm)) > - [[CVE-2018-16471](https://nvd.nist.gov/vuln/detail/CVE-2018-16471)] Whitelist HTTP and HTTPS schemes in `Request#scheme` to prevent a possible XSS attack. ([@PatrickTulskie](https://github.com/PatrickTulskie)) > > ## [2.0.5] - 2018-04-23 > > ### Fixed > > - Record errors originating from invalid UTF8 in `MethodOverride` middleware instead of breaking. ([@mclark](https://github.com/mclark)) > > ## [2.0.4] - 2018-01-31 > > ### Changed > > - Ensure the `Lock` middleware passes the original `env` object. ([@lugray](https://github.com/lugray)) > - Improve performance of `Multipart::Parser` when uploading large files. ([@tompng](https://github.com/tompng)) > - Increase buffer size in `Multipart::Parser` for better performance. ([@jkowens](https://github.com/jkowens)) > - Reduce memory usage of `Multipart::Parser` when uploading large files. ([@tompng](https://github.com/tompng)) > - Replace ConcurrentRuby dependency with native `Queue`. ([@devmchakan](https://github.com/devmchakan)) > > ### Fixed > > - Require the correct digest algorithm in the `ETag` middleware. ([@matthewd](https://github.com/matthewd)) > > ### Documentation > > - Update homepage links to use SSL. ([@hugoabonizio](https://github.com/hugoabonizio)) > > ## [2.0.3] - 2017-05-15 > > ### Changed > > - Ensure `env` values are ASCII 8-bit encoded. ([@eileencodes](https://github.com/eileencodes)) > > ### Fixed > ... (truncated)Commits
- [`de902e4`](https://github.com/rack/rack/commit/de902e48d1c971fe145002039121afb69e10af5a) Merge branch '1-6-sec' into 1-6-stable - [`b7d6546`](https://github.com/rack/rack/commit/b7d6546e2e21a620559b498707f65f5206f662e2) Bump version - [`d3e2f88`](https://github.com/rack/rack/commit/d3e2f88c17dad2c7997e453d7ef518dd6e751ac8) making diff smaller - [`99a8a87`](https://github.com/rack/rack/commit/99a8a8776513839b5da4af393b67afe95a9412d8) fix memcache tests on 1.6 - [`f2cb48e`](https://github.com/rack/rack/commit/f2cb48e50e507e638973f331d4a62099fae567ec) fix tests on 1.6 - [`7ff635c`](https://github.com/rack/rack/commit/7ff635c51d29f3e19377855f6010574fb2e8e593) Introduce a new base class to avoid breaking when upgrading - [`3232f93`](https://github.com/rack/rack/commit/3232f9370d099e784a16c01d32e8a2da4a953f18) Add a version prefix to the private id to make easier to migrate old values - [`15da2e5`](https://github.com/rack/rack/commit/15da2e5d95228d0b3fcdb38b2a562efc333402f0) Fallback to the public id when reading the session in the pool adapter - [`1a532d1`](https://github.com/rack/rack/commit/1a532d13eee9d5546349b5253a204187773de151) Also drop the session with the public id when destroying sessions - [`9fe40c6`](https://github.com/rack/rack/commit/9fe40c68b514e0f4a947577e4b903a9ae477365e) Fallback to the legacy id when the new id is not found - Additional commits viewable in [compare view](https://github.com/rack/rack/compare/1.5.2...1.6.12)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/relrod/rublets/network/alerts).