🚨 [security] Update commonmarker: 0.17.13 → 0.23.4 (major)

[depfu[bot]]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ commonmarker (indirect, 0.17.13 → 0.23.4) · Repo

Security Advisories 🚨

🚨 Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption

Impact

CommonMarker uses cmark-gfm for rendering Github Flavored Markdown.
An integer overflow in cmark-gfm's table row parsing
may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16_MAX
columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution.

If affected versions of CommonMarker are used for rendering remote user controlled markdown, this
vulnerability may lead to Remote Code Execution (RCE).

Patches

This vulnerability has been patched in the following CommonMarker release:

• v0.23.4

Workarounds

The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling any use of the
table extension will prevent this vulnerability from being triggered.

Release Notes

0.22.0

• Drop ruby-enum (#140)

0.21.0

• Add support for tasklist_item_checked=: #116

0.19.0

• Support tasklists: #94
• Indicate the context of a parse/render option error: #97

0.18.0

• Default to being safe: #81

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ github-pages (223 → 225) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ activesupport (indirect, 6.0.4.4 → 6.0.4.6) · Repo · Changelog

Release Notes

6.0.4.6 (from changelog)

• Fix Reloader method signature to work with the new Executor signature

6.0.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

• Preparing for 6.0.4.6 release
• Prepare release
• Fix reloader to work with new Executor signature
• Preparing for 6.0.4.5 release
• Preparing for release
• ActionDispatch::Executor don't fully trust `body#close`

↗️ dnsruby (indirect, 1.61.7 → 1.61.9) · Repo

Commits

See the full diff on Github. The new version differs by 14 commits:

• Merge branch 'master' of github.com:alexdalitz/dnsruby into master
• Update release notes and version for 1.61.9 release
• Merge pull request #181 from casperisfine/drop-ftp-dep
• Remove dependency on net-ftp
• Up version to 1.61.8 ready for release
• SimpleCov.start not working in ruby 3.1
• Add Ruby 3.1 to git workflow tests
• code format
• Remove ruby-head from Github tests for now
• update minitest and rake
• Merge branch 'master' of github.com:alexdalitz/dnsruby into master
• dnssec=true in demo/digdlv.rb
• Merge pull request #178 from casperisfine/ruby-3.1-compat
• Fix compatibility with Ruby 3.1

↗️ faraday (indirect, 1.8.0 → 1.10.0) · Repo · Changelog

Release Notes

1.10.0

What's Changed

• Add JSON middleware by @iMacTia in #1400

Full Changelog: v1.9.3...v1.10.0

1.9.3

What's Changed

• Re-add support for Ruby 2.4+ by @iMacTia in #1371

Full Changelog: v1.9.2...v1.9.3

1.9.2

What's Changed

• Add alias with legacy name to gemified middleware by @iMacTia in #1372

Full Changelog: v1.9.1...v1.9.2

1.9.1

What's Changed

• Update adapter dependencies in Gemspec by @iMacTia in #1370

Full Changelog: v1.9.0...v1.9.1

1.9.0

What's Changed

• Use external multipart and retry middleware by @iMacTia in #1367

Full Changelog: v1.8.0...v1.9.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 14 commits:

• Version bump to 1.10.0
• Add JSON middleware (#1400)
• Version bump to 1.9.3
• Re-add support for Ruby 2.4+ (#1371)
• Version bump to 1.9.2
• Add alias with legacy name to gemified middleware (#1372)
• Version bump to 1.9.1
• Update adapter dependencies in Gemspec (#1370)
• Update CI branches
• Update CI with correct ruby versions
• Require Ruby 2.6+
• Use external multipart and retry middleware
• Version bump to 1.8.1
• Remove version lock from `faraday-net_http`

↗️ ffi (indirect, 1.15.4 → 1.15.5) · Repo · Changelog

Release Notes

1.15.5 (from changelog)

Fixed:

• Fix long double argument or return values on 32bit i686. #849
• FFI::ConstGenerator: avoid usage of the same binary file simultaneously. #929

Added:

• Add Windows fat binary gem for Ruby-3.1

Removed:

• Remove Windows fat binary gem for Ruby < 2.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

• Add ffi-1.15.5 to CHANGELOG
• Bump VERSION to 1.15.5
• Merge pull request #929 from maierru/fix/shared_tmp_inside_docker
• prevent usage same binary file simultaneously
• Add support for x64-mingw-ucrt aka RubyInstaller-3.1.0-x64 and parallel build
• Merge pull request #919 from xtkoba/issue849
• Keep `LONGDOUBLE_ADJ >= sizeof(long double)`

↗️ jekyll-commonmark (indirect, 1.3.1 → 1.4.0) · Repo · Changelog

Release Notes

1.4.0

Minor Enhancements

• Require at least commonmarker-0.22 (#44)
• Highlight fenced code-block contents with Rouge (#29)

Bug Fixes

• Refactor away extra abstractions (#53)

Development Fixes

• DRY begin-rescue-end block with a private helper (#28)
• Fix failing CI builds (#33)
• Remove gemspec dependency on Jekyll (#34)
• Test rendering with invalid configuration (#27)
• Refactor to improve readability (#37)
• Set up Continuous Integration via GH Actions (#46)
• Clean up gemspec (#47)
• Add workflow to release gem via GH Actions (#54)

Documentation

• Update README to link to commonmarker (#38)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 42 commits:

• Release :gem: v1.4.0
• Update history to reflect merge of #54 [ci skip]
• Add workflow to release gem via GH Actions (#54)
• Update history to reflect merge of #53 [ci skip]
• Refactor away extra abstractions (#53)
• Update history to reflect merge of #47 [ci skip]
• Clean up gemspec (#47)
• Test gem build and gem install via GH Actions CI
• Fix interpolation in workflow `job.name`
• `matrix.include` should be `array` not `object`
• Update history to reflect merge of #46 [ci skip]
• Set up Continuous Integration via GH Actions (#46)
• Update history to reflect merge of #44 [ci skip]
• Merge pull request #44 from jekyll/support-cm-022
• Bump required minimum Ruby version to Ruby 2.6
• Require at least commonmarker-0.22
• chore(ci): test against latest versions
• Update history to reflect merge of #38 [ci skip]
• Update README to link to commonmarker (#38)
• Update history to reflect merge of #37 [ci skip]
• Refactor to improve readability (#37)
• Update history to reflect merge of #27 [ci skip]
• Test rendering with invalid configuration (#27)
• Merge pull request #35 from torrocus/master
• feat: Remove Ruby 2.3 from AppVeyor configuration (end support for Ruby 2.3 EOL)
• docs: Remove gemnasium badge (no longer available)
• chore(ci): test Ruby 2.7
• feat: end support for Ruby 2.3 EOL
• chore(ci): test current stable versions
• chore: test latest rubocop
• chore: ignore vendor/bundle
• chore(dev): simplify require for version
• Update history to reflect merge of #34 [ci skip]
• Merge pull request #34 from ashmaroli/remove-jekyll-dependency
• Update jekyll-commonmark.gemspec
• Remove gemspec dependency on Jekyll
• Update history to reflect merge of #33 [ci skip]
• Fix failing CI builds (#33)
• Update history to reflect merge of #28 [ci skip]
• DRY begin-rescue-end block with a private helper (#28)
• Update history to reflect merge of #29 [ci skip]
• Highlight fenced code-block contents with Rouge (#29)

↗️ jekyll-commonmark-ghpages (indirect, 0.1.6 → 0.2.0) · Repo

Commits

See the full diff on Github. The new version differs by 12 commits:

• Merge pull request #21 from github/bump-commonmarker
• Also bump jekyll-commonmark
• Remove old CI
• Drop 2.5 and update rubygems
• Update actions
• Remove Ruby 2.5
• Add file
• More tweaks
• Install bundler in the ci
• Install dependencies
• Add draft ci
• Bump commonmarker to the latest

↗️ jekyll-seo-tag (indirect, 2.7.1 → 2.8.0) · Repo · Changelog

Release Notes

2.8.0

Minor Enhancements

• Allow to set type for author (#427)
• Allow setting author.url (#453)
• Implement Facebook domain verification (#455)
• Add og:image:alt and twitter:image:alt (#438)
• Sort JSON-LD data by key (#458)

Bug Fixes

• Set the default og:type to 'website' (#391)
• Template: Remove double new line (#454)

Development Fixes

• Fix typo in source code comment (#449)
• Set up Continuous Integration via GH Actions (#450)
• Bump RuboCop to v1.18.x (#452)
• Add workflow to release gem via GH Actions

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 27 commits:

• Release :gem: v2.8.0
• Update history to reflect merge of #458 [ci skip]
• Sort JSON-LD data by key (#458)
• Add workflow to release gem via GH Actions
• Reduce verbosity of workflow job names
• Update history to reflect merge of #454 [ci skip]
• Template: Remove double new line (#454)
• Update history to reflect merge of #438 [ci skip]
• Add `og:image:alt` and `twitter:image:alt` (#438)
• Update history to reflect merge of #455 [ci skip]
• Implement Facebook domain verification (#455)
• Update history to reflect merge of #391 [ci skip]
• Set the default og:type to 'website' (#391)
• Update history to reflect merge of #453 [ci skip]
• Allow setting `author.url` (#453)
• Profile using an intermediate shell script
• Profile with multiple Jekyll versions
• Update history to reflect merge of #452 [ci skip]
• Bump RuboCop to v1.18.x (#452)
• Update third-party repo profile workflow config
• Update history to reflect merge of #450 [ci skip]
• Set up Continuous Integration via GH Actions (#450)
• Update history to reflect merge of #449 [ci skip]
• docs: fix typo (#449)
• Update history to reflect merge of #427 [ci skip]
• Allow to set type for author (#427)
• Remove redundant escapes inside regexp literal

↗️ listen (indirect, 3.7.0 → 3.7.1) · Repo · Changelog

Release Notes

3.7.1

• Issue #548: fix error when renaming folder (#552) @ColinDKelley
• issue #550: fix README to document start rather than unpause (#551) @ColinDKelley
• Issue #543: Ignore emacs backup/swap files by default. (#546) @zw963

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

• release v3.7.1
• issue #548: remove superstitious ||= {} since that is implied in the @tree hash
• issue #548: use empty_dirname? method
• issue #548: remove _auto_hash in favor of a reset_tree method
• issue #548: dir_entries now skips non-dir entries entirely
• issue #548: refactor to add () around include? args
• issue #550: fix README to document start rather than unpause
• Refactor to use \A \z instead of ^ $ in ignore regexp pattern.
• Ignore emacs backup/swap files by default.

↗️ nokogiri (indirect, 1.13.2 → 1.13.3) · Repo · Changelog

Release Notes

1.13.3

1.13.3 / 2022-02-21

Fixed

• [CRuby] Revert a HTML4 parser bug in libxml 2.9.13 (introduced in Nokogiri v1.13.2). The bug causes libxml2's HTML4 parser to fail to recover when encountering a bare < character in some contexts. This version of Nokogiri restores the earlier behavior, which is to recover from the parse error and treat the < as normal character data (which will be serialized as < in a text node). The bug (and the fix) is only relevant when the RECOVER parse option is set, as it is by default. [#2461]

---

SHA256 checksums:

025a4e333f6f903072a919f5f75b03a8f70e4969dab4280375b73f9d8ff8d2c0  nokogiri-1.13.3-aarch64-linux.gem
b9cb59c6a6da8cf4dbee5dbb569c7cc95a6741392e69053544e0f40b15ab9ad5  nokogiri-1.13.3-arm64-darwin.gem
e55d18cee64c19d51d35ad80634e465dbcdd46ac4233cb42c1e410307244ebae  nokogiri-1.13.3-java.gem
53e2d68116cd00a873406b8bdb90c78a6f10e00df7ddf917a639ac137719b67b  nokogiri-1.13.3-x64-mingw-ucrt.gem
b5f39ebb662a1be7d1c61f8f0a2a683f1bb11690a6f00a99a1aa23a071f80145  nokogiri-1.13.3-x64-mingw32.gem
7c0de5863aace4bbbc73c4766cf084d1f0b7a495591e46d1666200cede404432  nokogiri-1.13.3-x86-linux.gem
675cc3e7d7cca0d6790047a062cd3aa3eab59e3cb9b19374c34f98bade588c66  nokogiri-1.13.3-x86-mingw32.gem
f445596a5a76941a9d1980747535ab50d3399d1b46c32989bc26b7dd988ee498  nokogiri-1.13.3-x86_64-darwin.gem
3f6340661c2a283b337d227ea224f859623775b2f5c09a6bf197b786563958df  nokogiri-1.13.3-x86_64-linux.gem
bf1b1bceff910abb0b7ad825535951101a0361b859c2ad1be155c010081ecbdc  nokogiri-1.13.3.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 2 commits:

• version bump to v1.13.3
• fix: revert libxml2 regression with HTML4 recovery

↗️ octokit (indirect, 4.21.0 → 4.22.0) · Repo · Changelog

Release Notes

4.22.0

Deprecation Fix

• #1359 Fix Faraday deprecation warning @ybiquitous

Code Improvements

• #1336 Update regex for create ref @thepwagner
• #1350 Support pagination in compare api @mrpinsky

CI and dependency updates

• #1353 Add Ruby 3.0 support for CI builds @olleolleolle
• #1387 Update pry-byebug requirement @ashishkeshan

Documentation

• #1376 Update example README code with token filtering @bencolon
• #1381 Update organization migration documentation links @rzhade3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 32 commits:

• Release 4.22.0
• Update to 4.22
• Merge pull request #1376 from bencolon/readme_logger_update
• Merge branch '4-stable' into readme_logger_update
• Merge pull request #1381 from rzhade3/rzhade3/update-migration-docs
• Merge branch '4-stable' into rzhade3/update-migration-docs
• Merge pull request #1359 from ybiquitous/issue-1357
• Merge branch '4-stable' into issue-1357
• Merge pull request #1387 from ashishkeshan/fix-ruby-head-CI-suite
• don't require pry-byebug on ruby -V >= 3.2
• Update broken migration documentation links
• Improve debugging logger example code in README
• Add workaround into `FollowRedirects` middleware
• Replace `:token_auth` with `:authorization, 'token'`
• Call `dup` before using `@middleware`
• Change `MIDDLEWARE` to `MIDDLEWARE.dup`
• Replace `#set_authorization_header` with `#request`
• Merge branch '4-stable' into issue-1357
• Merge pull request #1353 from olleolleolle/patch-1
• Fix deprecation warning since Faraday 1.7.1
• CI: Add 3.0 to matrix
• Merge pull request #1350 from mrpinsky/mrpinsky/paginated-compare
• Support pagination in `compare`
• Merge pull request #1341 from octokit/revert-1338-4-stable
• Revert "Update README to remove Octokit client instance creation with username and password."
• Merge pull request #1338 from RaminMammadzada/4-stable
• Merge branch '4-stable' into 4-stable
• Update README.md
• Update README to remove unnecessary brackets from command.
• Merge pull request #1336 from thepwagner/create-spec-match-input-start
• Update README to change Octokit client instance creation.
• create_ref: match start of input

↗️ rb-fsevent (indirect, 0.11.0 → 0.11.1) · Repo

Release Notes

0.11.1

• rescue Errno::EBADF when closing pipe #92

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

• Release version 0.11.1
• Merge pull request #92 from estraph/raph/rescue-errbadf-on-close
• rescue Errno::EBADF when closing pipe

↗️ zeitwerk (indirect, 2.5.2 → 2.5.4) · Repo · Changelog

Release Notes

2.5.4 (from changelog)

• If a file did not define the expected constant, there was a reload, and there were on_unload callbacks, Zeitwerk still tried to access the constant during reload, which raised. This has been corrected.

2.5.3 (from changelog)

• The change introduced in 2.5.2 implied a performance regression that was particularly dramatic in Ruby 3.1. We'll address #198 in a different way.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

• Version 2.5.4
• Be resilient to Zeitwerk::NameError in on_unload callbacks
• Fix typo in README
• Merge pull request #203 from Shopify/update-kernel-require-comment
• Update the Kernel#require comment about prepend
• Update documentation of the Kernel#require wrapper
• Update documentation of the Kernel#require wrapper
• Version 2.5.3
• Revert "Store directories in $LOADED_FEATURES"

🆕 faraday-multipart (added, 1.0.3)

🆕 faraday-retry (added, 1.0.3)

🗑️ ruby-enum (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu[bot]]

Closing because this update has already been applied