ryanfb / cts-cite-driver

Driver JavaScript app for CTS/CITE integration
http://ryanfb.github.com/cts-cite-driver/

🚨 [security] Update redcarpet: 3.1.2 → 3.4.0 (minor) #8

Closed depfu[bot] closed 5 years ago

depfu[bot] commented 6 years ago
⚠️ No CI detected ⚠️

You don't seem to have any Continuous Integration service set up!

Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.

This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:

* Our friends at [Travis-CI](https://travis-ci.com) provide excellent service.
* [Circle CI](https://circleci.com) are good, too, and have a free plan that will cover basic needs.
* If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github.
* If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don't want it to run on every branch, you can whitelist branches starting with `depfu/`.

It might be necessary to deactivate and reactivate your project once in Depfu for the CI service to be properly detected.




🚨 Your version of redcarpet has known security vulnerabilities 🚨

Advisory: OSVDB-120415
Disclosed: April 07, 2015
URL: http://danlec.com/blog/bug-in-sundown-and-redcarpet

redcarpet Gem for Ruby markdown.c parse_inline() Function XSS

redcarpet Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack. This flaw exists because the parse_inline() function in markdown.c does not validate input before returning it to users. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.


🚨 We recommend merging and deploying this update as soon as possible! 🚨


We've updated a dependency and here is what you need to know:

| gem name | version specification | old version | new version |
|---|---|---|---|
| redcarpet | indirect dependency | 3.1.2 | 3.4.0 |

To resolve a dependency conflict, the update changed a few other dependencies as well:

| action | gem name | old version | new version |
|---|---|---|---|
| added | addressable | | 2.5.2 |
| added | commonmarker | | 0.17.7.1 |
| added | concurrent-ruby | | 1.0.5 |
| added | ethon | | 0.11.0 |
| added | faraday | | 0.13.1 |
| added | forwardable-extended | | 2.6.0 |
| added | github-pages-health-check | | 1.3.5 |
| added | jekyll-avatar | | 0.5.0 |
| added | jekyll-commonmark | | 1.1.0 |
| added | jekyll-commonmark-ghpages | | 0.1.3 |
| added | jekyll-default-layout | | 0.1.4 |
| added | jekyll-feed | | 0.9.2 |
| added | jekyll-github-metadata | | 2.9.3 |
| added | jekyll-optional-front-matter | | 0.3.0 |
| added | jekyll-readme-index | | 0.2.0 |
| added | jekyll-relative-links | | 0.5.2 |
| added | jekyll-remote-theme | | 0.2.3 |
| added | jekyll-seo-tag | | 2.3.0 |
| added | jekyll-swiss | | 0.4.0 |
| added | jekyll-theme-architect | | 0.1.0 |
| added | jekyll-theme-cayman | | 0.1.0 |
| added | jekyll-theme-dinky | | 0.1.0 |
| added | jekyll-theme-hacker | | 0.1.0 |
| added | jekyll-theme-leap-day | | 0.1.0 |
| added | jekyll-theme-merlot | | 0.1.0 |
| added | jekyll-theme-midnight | | 0.1.0 |
| added | jekyll-theme-minimal | | 0.1.0 |
| added | jekyll-theme-modernist | | 0.1.0 |
| added | jekyll-theme-primer | | 0.5.2 |
| added | jekyll-theme-slate | | 0.1.0 |
| added | jekyll-theme-tactile | | 0.1.0 |
| added | jekyll-theme-time-machine | | 0.1.0 |
| added | jekyll-titles-from-headings | | 0.5.0 |
| added | minima | | 2.1.1 |
| added | multipart-post | | 2.0.0 |
| added | net-dns | | 0.8.0 |
| added | octokit | | 4.7.0 |
| added | pathutil | | 0.16.1 |
| added | public_suffix | | 2.0.5 |
| added | rouge | | 2.2.1 |
| added | ruby-enum | | 0.7.1 |
| added | rubyzip | | 1.2.1 |
| added | sass-listen | | 4.0.0 |
| added | sawyer | | 0.8.1 |
| added | terminal-table | | 1.8.0 |
| added | typhoeus | | 0.8.0 |
| added | unicode-display_width | | 1.3.0 |
| removed | RedCloth | 4.2.9 | |
| removed | blankslate | 2.1.2.4 | |
| removed | celluloid | 0.16.0 | |
| removed | classifier-reborn | 2.0.1 | |
| removed | fast-stemmer | 1.0.2 | |
| removed | hitimes | 1.2.2 | |
| removed | json | 1.8.1 | |
| removed | maruku | 0.7.0 | |
| removed | parslet | 1.5.0 | |
| removed | posix-spawn | 0.3.9 | |
| removed | pygments.rb | 0.6.0 | |
| removed | rdiscount | 2.1.7 | |
| removed | timers | 4.0.1 | |
| removed | toml | 0.1.2 | |
| removed | yajl-ruby | 1.1.0 | |
| updated | activesupport | 4.1.6 | 4.2.9 |
| updated | coffee-script | 2.3.0 | 2.4.1 |
| updated | coffee-script-source | 1.8.0 | 1.11.1 |
| updated | colorator | 0.1 | 1.1.0 |
| updated | execjs | 2.2.2 | 2.7.0 |
| updated | ffi | 1.9.6 | 1.9.18 |
| updated | gemoji | 2.1.0 | 3.0.0 |
| updated | github-pages | 28 | 172 |
| updated | html-pipeline | 1.9.0 | 2.7.1 |
| updated | i18n | 0.6.11 | 0.9.1 |
| updated | jekyll | 2.4.0 | 3.6.2 |
| updated | jekyll-coffeescript | 1.0.0 | 1.0.2 |
| updated | jekyll-gist | 1.1.0 | 1.4.1 |
| updated | jekyll-mentions | 0.1.3 | 1.2.0 |
| updated | jekyll-redirect-from | 0.6.2 | 0.12.1 |
| updated | jekyll-sass-converter | 1.2.0 | 1.5.0 |
| updated | jekyll-sitemap | 0.6.0 | 1.1.1 |
| updated | jekyll-watch | 1.1.1 | 1.5.1 |
| updated | jemoji | 0.3.0 | 0.8.1 |
| updated | kramdown | 1.3.1 | 1.14.0 |
| updated | liquid | 2.6.1 | 4.0.0 |
| updated | listen | 2.7.11 | 3.0.6 |
| updated | mercenary | 0.3.4 | 0.3.6 |
| updated | minitest | 5.4.2 | 5.10.3 |
| updated | rb-fsevent | 0.9.4 | 0.10.2 |
| updated | rb-inotify | 0.9.5 | 0.9.10 |
| updated | sass | 3.4.6 | 3.5.3 |
| updated | thread_safe | 0.3.4 | 0.3.6 |
| updated | tzinfo | 1.2.2 | 1.2.4 |

You should probably take a good look at the info here and the test results before merging this pull request, of course.

What changed?

↗️ redcarpet (indirect, 3.1.2 → 3.4.0) · Repo · Changelog

Release Notes

From the Github release:

Redcarpet v3.4.0

This new release ships with a bunch of bug fixes especially regarding anchor generation.

Improvements to anchor generation

The anchor generation now relies on a djb2 hashing algorithm whenever the generated anchor is empty because it consists only of non-alphanumeric chars. This is specifically interesting for CJK contents, as Redcarpet used to generate empty anchors when dealing with titles in these locales.

Special thanks to Alexey Kopytko and namusyaka for their work on that!

Also, the HTML-escaped entities are now removed from anchors generated with the HTML render, in order to be consistent with the HTML_TOC render and because that is what is expected.

Other improvements

  • Table headers don't require a minimum of three dashes anymore; a single one can be used for each row.
  • The Markdown and rendering options are now exposed through a Hash inside the @options instance variable inside your custom render objects.

Bug fixes

  • Multiple single quote pairs are parsed correctly with SmartyPants.
  • Remove periods at the end of URLs when autolinking to make sure
    that links at the end of a sentence get properly generated.
  • Avoid escaping ampersands in href links.

Check out the CHANGELOG for further information and changes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activesupport (indirect, 4.1.6 → 4.2.9) · Repo · Changelog

↗️ coffee-script (indirect, 2.3.0 → 2.4.1) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ coffee-script-source (indirect, 1.8.0 → 1.11.1)

Sorry, we couldn't find anything useful about this release.

↗️ colorator (indirect, 0.1 → 1.1.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 30 commits:

↗️ execjs (indirect, 2.2.2 → 2.7.0) · Repo

Release Notes

From the Github release:

  • Add direct V8 support (via d3)
  • Allow for runtime specific option flags
  • Add MiniRacer runtime support

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ffi (indirect, 1.9.6 → 1.9.18) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ gemoji (indirect, 2.1.0 → 3.0.0) · Repo

Release Notes

From the Github release:

  • Allow specifying image size with gemoji extract <path> --size=64

Commits

See the full diff on Github. The new version differs by 65 commits:

✳️ github-pages (28 → 172) · Repo

Release Notes

From the Github release:

Include jekyll-commonmark-ghpages in the gem bundle and configure it when used, per GitHub.com's own CommonMarker use. See #500.

↗️ html-pipeline (indirect, 1.9.0 → 2.7.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 0.6.11 → 0.9.1) · Repo · Changelog

Release Notes

From the Github release:

  • Reverted Hash#slice behaviour introduced with #250 - See #390.
  • Fixed a regression caused by #387, where translations may have returned a not-helpful error message - See #389

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll (indirect, 2.4.0 → 3.6.2) · Repo · Changelog

Release Notes

From the Github release:

Development Fixes

  • Update Rubocop to 0.51.0 (#6444)
  • Add test for layout as string (#6445)

Bug Fixes

  • Problematic UTF+bom files (#6322)
  • Always treat data.layout as a string (#6442)

Commits

See the full diff on Github. The new version differs by 7 commits:

↗️ jekyll-coffeescript (indirect, 1.0.0 → 1.0.2) · Repo · Changelog

Release Notes

From the Github release:

  • Lock coffee-script-source (#16)
  • Load converter only when used. (#11)
  • Test against Jekyll 2 & Jekyll 3 (#13)

Commits

See the full diff on Github. The new version differs by 40 commits:

↗️ jekyll-gist (indirect, 1.1.0 → 1.4.1) · Repo · Changelog

Release Notes

From the Github release:

  • Don't ask .empty? until it's a String. (#38)
  • rename Liquid 4 has_key? to key? to add compatibility for liquid 4 (#41)
  • Test against Ruby 2.1 to 2.4 (#45)

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-mentions (indirect, 0.1.3 → 1.2.0) · Repo · Changelog

Release Notes

From the Github release:

Development Fixes

  • Inherit Jekyll's rubocop config for consistency (#38)

Minor Enhancements

  • Add support for building the base URL from ENV on Enterprise (#40)

Commits

See the full diff on Github. The new version differs by 64 commits:

↗️ jekyll-redirect-from (indirect, 0.6.2 → 0.12.1) · Repo · Changelog

Release Notes

From the Github release:

Development Fixes

  • Stop testing Ruby 1.9 (#133)

Minor Enhancements

  • Use send to monkey patch to support Ruby < 2.2.0 (#136)
  • set page.output to empty string instead of nil (#137)

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-sass-converter (indirect, 1.2.0 → 1.5.0) · Repo · Changelog

Release Notes

From the Github release:

  • Allow load_paths in safe mode with sanitization (#50)
  • SCSS converter: expand @config["source"] to be "safer". (#55)
  • Match Ruby versions with jekyll/jekyll (#46)
  • Don't test Jekyll 2.5 against Ruby 2.3. (#52)

Commits

See the full diff on Github. The new version differs by 73 commits:

↗️ jekyll-sitemap (indirect, 0.6.0 → 1.1.1) · Repo · Changelog

Release Notes

From the Github release:

  • Cut a new version to alleviate sha256 checksum issue on RubyGems.org (#165)

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-watch (indirect, 1.1.1 → 1.5.1) · Repo · Changelog

Release Notes

From the Github release:

  • Remove version lock for listen dependency #50
  • Inherit Jekyll's Rubocop configuration #51
  • Drop support for Jekyll 2.x and Ruby 2.0 #55
  • Output file path to terminal #57

Commits

See the full diff on Github. The new version differs by 71 commits:

↗️ jemoji (indirect, 0.3.0 → 0.8.1) · Repo · Changelog

Release Notes

From the Github release:

  • Remove align attribute for HTML5 compatibility (#58)
  • Require activesupport >= 4.2.9 (#62)
  • Bump Ruby versions for Travis (#66)

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ kramdown (indirect, 1.3.1 → 1.14.0) · Repo · Changelog

↗️ liquid (indirect, 2.6.1 → 4.0.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ listen (indirect, 2.7.11 → 3.0.6) · Repo · Changelog

Release Notes

From the Github release:

Bugfixes

  • #364 - fix broken dependency (rb-inotify gem version 0.9.6 was removed from RubyGems) - thanks, @benja83!

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mercenary (indirect, 0.3.4 → 0.3.6) · Repo · Changelog

Release Notes

From the Github release:

Bug Fixes

  • Presenter: Options should include those from parent command (#42)

Commits

See the full diff on Github. The new version differs by 20 commits:

↗️ minitest (indirect, 5.4.2 → 5.10.3) · Repo · Changelog

↗️ rb-fsevent (indirect, 0.9.4 → 0.10.2) · Repo

Release Notes

From the Github release:

While procs are flexible about arity, lambdas and converted methods are not. Thus passing in two parameters broke any such callbacks. The only change in this release is that callback block arity is checked before passing in any values.

Commits

See the full diff on Github. The new version differs by 46 commits:

↗️ rb-inotify (indirect, 0.9.5 → 0.9.10) · Repo

Commits

See the full diff on Github. The new version differs by 47 commits:

↗️ sass (indirect, 3.4.6 → 3.5.3) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ thread_safe (indirect, 0.3.4 → 0.3.6) · Repo

Commits

See the full diff on Github. The new version differs by 41 commits:

↗️ tzinfo (indirect, 1.2.2 → 1.2.4) · Repo · Changelog

Release Notes

From the Github release:

  • Ignore the leapseconds file that is included in zoneinfo directories installed with version 2017c and later of the Time Zone Database.

TZInfo v1.2.4 on RubyGems.org

Commits

See the full diff on Github. The new version differs by 37 commits:


Depfu will automatically keep this PR conflict-free, as long as you don't add any commits yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

ryanfb commented 6 years ago

@depfu rebase

depfu[bot] commented 5 years ago

Closing because this library is no longer part of your dependencies