🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Versions 4.23.0
and 4.24.0 of the octokit gem
were published containing world-writeable files.
Specifically, the gem was packed
with files having their permissions set to -rw-rw-rw- (i.e. 0666) instead of rw-r--r--
(i.e. 0644). This means everyone who is not the owner (Group and Public) with access
to the instance where this release had been installed could modify the world-writable
files from this gem.
Malicious code already present and running on your machine,
separate from this package, could modify the gem’s files and change its behavior
during runtime.
Users can use the previous version of the gem v4.22.0.
Alternatively, users can modify the file permissions manually until they are able
to upgrade to the latest version.
✅ NOTE: This remediates A security advisory was published on versions 4.23.0 and 4.24.0 of this gem. You can read more about this in the published security advisory. ✅
The next major release is here, and it comes almost 2 years after the release of v1.0!
This release changes the way you use Faraday and embraces a new paradigm of Faraday as an ecosystem, rather than a library.
What does that mean? It means that Faraday is less of a bundled tool and more of a framework for the community to build on top of.
As a result, all adapters and some middleware have moved out and are now shipped as standalone gems 🙌!
But this doesn't mean that upgrading from Faraday 1.x to Faraday 2.0 should be hard, in fact we've listed everything you need to do in the UPGRADING.md doc.
Moreover, we've setup a new awesome-faraday repository that will showcase a curated list of adapters and middleware 😎.
This release was the result of the efforts of the core team and all the contributors, new and old, that have helped achieve this milestone 👏.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗️ octokit (indirect, 4.22.0 → 4.25.1) · Repo · Changelog
Security Advisories 🚨
🚨 Octokit gem published with world-writable files
Release Notes
4.25.1
4.25.0
4.24.0
4.23.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ faraday (indirect, 1.10.0 → 2.3.0) · Repo · Changelog
Release Notes
2.3.0
2.2.0
2.1.0
2.0.1
2.0.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ faraday-net_http (indirect, 1.0.1 → 2.0.3) · Repo · Changelog
Release Notes
2.0.3
2.0.2
2.0.1
2.0.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 18 commits:
Version bump to 2.0.3Add `Errno::EALREADY` to list of Net::HTTP exceptionsFix incorrect customization block in READMEVersion bump to 2.0.2Anchor Encoding references to avoid faraday-encoding conflicts (#18)Add Ruby 3.1 to CI (#15)Version bump to 2.0.1Make faraday a development dependency again.Bump Faraday and gem version to 2.0.Move documentation from Faraday website to READMEVersion bump to 2.0.0.alpha-2Honor Content-Type charset (#13)fix: gemspec metadata for changelog notesrefactor: CI: Inline scripts, cache gemschore: Move development deps to GemfileVersion bump to 2.0.0.alpha-1Update gem to be compatible with Faraday 2.0 (#9)Improve CI and test against Ruby 3 (#3)↗️ sawyer (indirect, 0.8.2 → 0.9.2) · Repo
Release Notes
0.9.1
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 8 commits:
Release 0.9.2Version bump to 0.9.2Add `dig` and `fetch` to `Sawyer::Resource` (#74)Version bump to 0.9.1Specify correct minimal Faraday version (#73)Version bump to 0.9.0Enhance Faraday Support (#72)Allow closing underlying connection. (#67)🗑️ faraday-em_http (removed)
🗑️ faraday-em_synchrony (removed)
🗑️ faraday-excon (removed)
🗑️ faraday-httpclient (removed)
🗑️ faraday-multipart (removed)
🗑️ faraday-net_http_persistent (removed)
🗑️ faraday-patron (removed)
🗑️ faraday-rack (removed)
🗑️ faraday-retry (removed)
🗑️ multipart-post (removed)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands