🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible.
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
CommonMarker uses cmark-gfm for rendering GitHub Flavored Markdown.
An integer overflow in cmark-gfm's table row parsing may lead to heap memory corruption when parsing tables whose marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution. If affected versions of CommonMarker are used for rendering remote, user-controlled markdown, this vulnerability may lead to Remote Code Execution (RCE).
Patches
This vulnerability has been patched in the following CommonMarker release:
v0.23.4
Workarounds
The vulnerability exists in the table markdown extension of cmark-gfm. Disabling any use of the table extension will prevent this vulnerability from being triggered.
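The advisory names the trigger (a table marker row declaring more than UINT16_MAX columns) and one workaround (not enabling the table extension). The following is an added example written for this page, not code from the advisory, from cmark-gfm or from the commonmarker gem: a pure-Ruby pre-check that counts the columns a GFM delimiter ("marker") row declares and refuses input above UINT16_MAX, next to the workaround of dropping `:table` from the extension list. It assumes the CommonMarker 0.x API `CommonMarker.render_html(text, options, extensions)`; the helper names and the sample inputs are constructed for the example. Note that in this PR commonmarker is an indirect dependency (pulled in through jekyll-commonmark and jekyll-commonmark-ghpages, which are bumped alongside it), so after merging it is worth confirming that the lockfile really resolves commonmarker to 0.23.4 or later.

```ruby
# Added example for this page; not code from the advisory, cmark-gfm or the
# commonmarker gem. Helper names below are made up for the example.
begin
  require 'commonmarker' # assumed: CommonMarker 0.x API (CommonMarker.render_html)
rescue LoadError
  # The pre-checks stay usable even where the gem is not installed.
end

UINT16_MAX = 0xFFFF

# One cell of a GFM delimiter row: optional alignment colons around one or more dashes.
DELIM_CELL = /\A\s*:?-+:?\s*\z/

# Number of columns a table delimiter row declares, or nil when the line is not
# a delimiter row (no dashes, or a cell that is not dashes/colons). This
# over-approximates: a bare "---" counts as a one-column row, which is harmless
# for a threshold of UINT16_MAX.
def delimiter_row_columns(line)
  s = line.strip
  return nil unless s.include?('-')
  inner = s.sub(/\A\|/, '').sub(/\|\z/, '')
  cells = inner.split('|', -1)
  return nil if cells.empty? || cells.any? { |c| c !~ DELIM_CELL }
  cells.size
end

# Widest delimiter row in the document (0 when there are no tables).
def max_table_columns(markdown)
  markdown.each_line.map { |l| delimiter_row_columns(l) }.compact.max || 0
end

# True when some marker row declares more than UINT16_MAX columns, the
# condition the advisory gives for the overflow in affected cmark-gfm.
def oversized_table?(markdown)
  max_table_columns(markdown) > UINT16_MAX
end

# Advisory workaround: render without the table extension.
def without_table_extension(extensions)
  extensions.reject { |e| e == :table }
end

# Render untrusted markdown: reject oversized marker rows up front and, unless
# the caller opts in, drop :table from the extension list before rendering.
def render_untrusted(markdown, extensions: %i[table strikethrough autolink tagfilter], allow_tables: false)
  raise ArgumentError, "table marker row exceeds #{UINT16_MAX} columns" if oversized_table?(markdown)
  raise 'commonmarker gem not loaded' unless defined?(CommonMarker)
  exts = allow_tables ? extensions : without_table_extension(extensions)
  CommonMarker.render_html(markdown, :DEFAULT, exts)
end

# Constructed sample inputs (not taken from the page): a two-column table and a
# marker row declaring UINT16_MAX + 1 columns.
BENIGN_TABLE = "| a | b |\n| --- | --- |\n| 1 | 2 |\n"
OVERSIZED_TABLE = "| h |\n|#{'---|' * (UINT16_MAX + 1)}\n"

if __FILE__ == $PROGRAM_NAME
  puts "benign table declares #{max_table_columns(BENIGN_TABLE)} columns"
  puts "oversized marker row rejected? #{oversized_table?(OVERSIZED_TABLE)}"
end
```

The pre-check is a belt-and-braces measure for the window before the upgrade lands; the real fix is the patched commonmarker release, and rendering untrusted markdown with `:table` disabled removes the affected code path entirely.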
[CRuby] Revert an HTML4 parser bug in libxml 2.9.13 (introduced in Nokogiri v1.13.2). The bug causes libxml2's HTML4 parser to fail to recover when encountering a bare `<` character in some contexts. This version of Nokogiri restores the earlier behavior, which is to recover from the parse error and treat the `<` as normal character data (which will be serialized as `&lt;` in a text node). The bug (and the fix) is only relevant when the RECOVER parse option is set, as it is by default. [#2461]
If a file did not define the expected constant, there was a reload, and there were on_unload callbacks, Zeitwerk still tried to access the constant during reload, which raised. This has been corrected.
2.5.3 (from changelog)
The change introduced in 2.5.2 implied a performance regression that was particularly dramatic in Ruby 3.1. We'll address #198 in a different way.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
What changed?
✳️ github-pages (223 → 225) · Repo
Release Notes
225
224
Sorry, we couldn't find anything useful about this release.
↗️ activesupport (indirect, 6.0.4.4 → 6.0.4.6) · Repo · Changelog
Release Notes
6.0.4.6 (from changelog)
6.0.4.5 (from changelog)
Commits
See the full diff on Github. The new version differs by 6 commits:
Preparing for 6.0.4.6 release
Prepare release
Fix reloader to work with new Executor signature
Preparing for 6.0.4.5 release
Preparing for release
ActionDispatch::Executor don't fully trust `body#close`
↗️ commonmarker (indirect, 0.17.13 → 0.23.4) · Repo
Security Advisories 🚨
🚨 Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption
Release Notes
0.22.0
0.21.0
0.19.0
0.18.0
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ dnsruby (indirect, 1.61.7 → 1.61.9) · Repo
Commits
See the full diff on Github. The new version differs by 14 commits:
Merge branch 'master' of github.com:alexdalitz/dnsruby into master
Update release notes and version for 1.61.9 release
Merge pull request #181 from casperisfine/drop-ftp-dep
Remove dependency on net-ftp
Up version to 1.61.8 ready for release
SimpleCov.start not working in ruby 3.1
Add Ruby 3.1 to git workflow tests
code format
Remove ruby-head from Github tests for now
update minitest and rake
Merge branch 'master' of github.com:alexdalitz/dnsruby into master
dnssec=true in demo/digdlv.rb
Merge pull request #178 from casperisfine/ruby-3.1-compat
Fix compatibility with Ruby 3.1
↗️ faraday (indirect, 1.8.0 → 1.10.0) · Repo · Changelog
Release Notes
1.10.0
1.9.3
1.9.2
1.9.1
1.9.0
Commits
See the full diff on Github. The new version differs by 14 commits:
Version bump to 1.10.0
Add JSON middleware (#1400)
Version bump to 1.9.3
Re-add support for Ruby 2.4+ (#1371)
Version bump to 1.9.2
Add alias with legacy name to gemified middleware (#1372)
Version bump to 1.9.1
Update adapter dependencies in Gemspec (#1370)
Update CI branches
Update CI with correct ruby versions
Require Ruby 2.6+
Use external multipart and retry middleware
Version bump to 1.8.1
Remove version lock from `faraday-net_http`
↗️ ffi (indirect, 1.15.4 → 1.15.5) · Repo · Changelog
Release Notes
1.15.5 (from changelog)
Commits
See the full diff on Github. The new version differs by 7 commits:
Add ffi-1.15.5 to CHANGELOG
Bump VERSION to 1.15.5
Merge pull request #929 from maierru/fix/shared_tmp_inside_docker
prevent usage same binary file simultaneously
Add support for x64-mingw-ucrt aka RubyInstaller-3.1.0-x64 and parallel build
Merge pull request #919 from xtkoba/issue849
Keep `LONGDOUBLE_ADJ >= sizeof(long double)`
↗️ jekyll-commonmark (indirect, 1.3.1 → 1.4.0) · Repo · Changelog
Release Notes
1.4.0
Commits
See the full diff on Github. The new version differs by 42 commits:
Release :gem: v1.4.0
Update history to reflect merge of #54 [ci skip]
Add workflow to release gem via GH Actions (#54)
Update history to reflect merge of #53 [ci skip]
Refactor away extra abstractions (#53)
Update history to reflect merge of #47 [ci skip]
Clean up gemspec (#47)
Test gem build and gem install via GH Actions CI
Fix interpolation in workflow `job.name`
`matrix.include` should be `array` not `object`
Update history to reflect merge of #46 [ci skip]
Set up Continuous Integration via GH Actions (#46)
Update history to reflect merge of #44 [ci skip]
Merge pull request #44 from jekyll/support-cm-022
Bump required minimum Ruby version to Ruby 2.6
Require at least commonmarker-0.22
chore(ci): test against latest versions
Update history to reflect merge of #38 [ci skip]
Update README to link to commonmarker (#38)
Update history to reflect merge of #37 [ci skip]
Refactor to improve readability (#37)
Update history to reflect merge of #27 [ci skip]
Test rendering with invalid configuration (#27)
Merge pull request #35 from torrocus/master
feat: Remove Ruby 2.3 from AppVeyor configuration (end support for Ruby 2.3 EOL)
docs: Remove gemnasium badge (no longer available)
chore(ci): test Ruby 2.7
feat: end support for Ruby 2.3 EOL
chore(ci): test current stable versions
chore: test latest rubocop
chore: ignore vendor/bundle
chore(dev): simplify require for version
Update history to reflect merge of #34 [ci skip]
Merge pull request #34 from ashmaroli/remove-jekyll-dependency
Update jekyll-commonmark.gemspec
Remove gemspec dependency on Jekyll
Update history to reflect merge of #33 [ci skip]
Fix failing CI builds (#33)
Update history to reflect merge of #28 [ci skip]
DRY begin-rescue-end block with a private helper (#28)
Update history to reflect merge of #29 [ci skip]
Highlight fenced code-block contents with Rouge (#29)
↗️ jekyll-commonmark-ghpages (indirect, 0.1.6 → 0.2.0) · Repo
Release Notes
0.2.0
Commits
See the full diff on Github. The new version differs by 12 commits:
Merge pull request #21 from github/bump-commonmarker
Also bump jekyll-commonmark
Remove old CI
Drop 2.5 and update rubygems
Update actions
Remove Ruby 2.5
Add file
More tweaks
Install bundler in the ci
Install dependencies
Add draft ci
Bump commonmarker to the latest
↗️ jekyll-seo-tag (indirect, 2.7.1 → 2.8.0) · Repo · Changelog
Release Notes
2.8.0
Commits
See the full diff on Github. The new version differs by 27 commits:
Release :gem: v2.8.0
Update history to reflect merge of #458 [ci skip]
Sort JSON-LD data by key (#458)
Add workflow to release gem via GH Actions
Reduce verbosity of workflow job names
Update history to reflect merge of #454 [ci skip]
Template: Remove double new line (#454)
Update history to reflect merge of #438 [ci skip]
Add `og:image:alt` and `twitter:image:alt` (#438)
Update history to reflect merge of #455 [ci skip]
Implement Facebook domain verification (#455)
Update history to reflect merge of #391 [ci skip]
Set the default og:type to 'website' (#391)
Update history to reflect merge of #453 [ci skip]
Allow setting `author.url` (#453)
Profile using an intermediate shell script
Profile with multiple Jekyll versions
Update history to reflect merge of #452 [ci skip]
Bump RuboCop to v1.18.x (#452)
Update third-party repo profile workflow config
Update history to reflect merge of #450 [ci skip]
Set up Continuous Integration via GH Actions (#450)
Update history to reflect merge of #449 [ci skip]
docs: fix typo (#449)
Update history to reflect merge of #427 [ci skip]
Allow to set type for author (#427)
Remove redundant escapes inside regexp literal
↗️ listen (indirect, 3.7.0 → 3.7.1) · Repo · Changelog
Release Notes
3.7.1
Commits
See the full diff on Github. The new version differs by 9 commits:
release v3.7.1
issue #548: remove superstitious ||= {} since that is implied in the @tree hash
issue #548: use empty_dirname? method
issue #548: remove _auto_hash in favor of a reset_tree method
issue #548: dir_entries now skips non-dir entries entirely
issue #548: refactor to add () around include? args
issue #550: fix README to document start rather than unpause
Refactor to use \A \z instead of ^ $ in ignore regexp pattern.
Ignore emacs backup/swap files by default.
↗️ nokogiri (indirect, 1.13.2 → 1.13.3) · Repo · Changelog
Release Notes
1.13.3
Commits
See the full diff on Github. The new version differs by 2 commits:
version bump to v1.13.3
fix: revert libxml2 regression with HTML4 recovery
↗️ octokit (indirect, 4.21.0 → 4.22.0) · Repo · Changelog
Release Notes
4.22.0
Commits
See the full diff on Github. The new version differs by 32 commits:
Release 4.22.0
Update to 4.22
Merge pull request #1376 from bencolon/readme_logger_update
Merge branch '4-stable' into readme_logger_update
Merge pull request #1381 from rzhade3/rzhade3/update-migration-docs
Merge branch '4-stable' into rzhade3/update-migration-docs
Merge pull request #1359 from ybiquitous/issue-1357
Merge branch '4-stable' into issue-1357
Merge pull request #1387 from ashishkeshan/fix-ruby-head-CI-suite
don't require pry-byebug on ruby -V >= 3.2
Update broken migration documentation links
Improve debugging logger example code in README
Add workaround into `FollowRedirects` middleware
Replace `:token_auth` with `:authorization, 'token'`
Call `dup` before using `@middleware`
Change `MIDDLEWARE` to `MIDDLEWARE.dup`
Replace `#set_authorization_header` with `#request`
Merge branch '4-stable' into issue-1357
Merge pull request #1353 from olleolleolle/patch-1
Fix deprecation warning since Faraday 1.7.1
CI: Add 3.0 to matrix
Merge pull request #1350 from mrpinsky/mrpinsky/paginated-compare
Support pagination in `compare`
Merge pull request #1341 from octokit/revert-1338-4-stable
Revert "Update README to remove Octokit client instance creation with username and password."
Merge pull request #1338 from RaminMammadzada/4-stable
Merge branch '4-stable' into 4-stable
Update README.md
Update README to remove unnecessary brackets from command.
Merge pull request #1336 from thepwagner/create-spec-match-input-start
Update README to change Octokit client instance creation.
create_ref: match start of input
↗️ rb-fsevent (indirect, 0.11.0 → 0.11.1) · Repo
Release Notes
0.11.1
Commits
See the full diff on Github. The new version differs by 3 commits:
Release version 0.11.1
Merge pull request #92 from estraph/raph/rescue-errbadf-on-close
rescue Errno::EBADF when closing pipe
↗️ zeitwerk (indirect, 2.5.2 → 2.5.4) · Repo · Changelog
Release Notes
2.5.4 (from changelog)
2.5.3 (from changelog)
Commits
See the full diff on Github. The new version differs by 9 commits:
Version 2.5.4
Be resilient to Zeitwerk::NameError in on_unload callbacks
Fix typo in README
Merge pull request #203 from Shopify/update-kernel-require-comment
Update the Kernel#require comment about prepend
Update documentation of the Kernel#require wrapper
Update documentation of the Kernel#require wrapper
Version 2.5.3
Revert "Store directories in $LOADED_FEATURES"
🆕 faraday-multipart (added, 1.0.3)
🆕 faraday-retry (added, 1.0.3)
🗑️ ruby-enum (removed)