🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.
ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.
Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The fixed releases are available at the normal locations.
Workarounds
To work around this issue, you can set your umask to be more restrictive like this:
$ umask0077
Release Notes
7.0.7.1 (from changelog)
Use a temporary file for storing unencrypted files while editing
[CVE-2023-38037]
7.0.7 (from changelog)
Fix Cache::NullStore with local caching for repeated reads.
fatkodima
Fix to_s with no arguments not respecting custom :default formats
Hartley McGuire
Fix ActiveSupport::Inflector.humanize(nil) raising NoMethodError: undefined method `end_with?' for nil:NilClass.
James Robinson
Fix Enumerable#sum for Enumerator#lazy.
fatkodima, Matthew Draper, Jonathan Hefner
Improve error message when EventedFileUpdateChecker is used without a
compatible version of the Listen gem
Hartley McGuire
7.0.6 (from changelog)
Fix EncryptedConfiguration returning incorrect values for some Hash
methods
Hartley McGuire
Fix arguments being destructed Enumerable#many? with block.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗️ activesupport (indirect, 7.0.4.3 → 7.0.7.2) · Repo · Changelog
Security Advisories 🚨
🚨 Possible File Disclosure of Locally Encrypted Files
Release Notes
7.0.7.1 (from changelog)
7.0.7 (from changelog)
7.0.6 (from changelog)
7.0.5.1 (from changelog)
7.0.5 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 34 commits:
Preparing for 7.0.7.2 release
Bumping version
Preparing for 7.0.7.1 release
updating version / changelog
Use a temporary file for storing unencrypted files while editing
Preparing for 7.0.7 release
Sync CHANGELOG with the changes in the repository
Fix to_s not using :default format with no args
Fix `Cache::NullStore` with local caching for repeated reads
Merge pull request #48800 from robinjam/fix-humanize-nil
Fix `Enumerable#sum` for `Enumerator#lazy`
Add lower bound to Listen gem requirement
Improve error message for missing listen gem
Merge pull request #48693 from zzak/bigdecimal-to_s
Warm-up to avoid autoloads interfering with class serial
Preparing for 7.0.6 release
Update CHANGELOG
Merge branch '7-0-sec' into 7-0-stable
Preparing for 7.0.5.1 release
Fix EncryptedConfiguration not behaving like Hash
Merge pull request #46187 from Shopify/memcached-namespace-encoding-keys
Merge pull request #47774 from zzak/fix-race-condition-in-evented-file-update-checker
Merge pull request #47748 from Shopify/fix-race-condition-in-evented-file-update-checker
Merge pull request #45061 from matthewd/assert-on-main-thread
Merge pull request #48412 from andrewn617/fix_defect_in_enumerable_many
Merge pull request #48348 from fatkodima/fix-humanize-id-suffix
Merge pull request #48329 from zzak/unlink-rails-lib-readme
Merge pull request #48321 from moofkit/fix-sentinels-config-with-strings-arguments
Merge pull request #48251 from skipkayhil/hm-rm-explicit-alias-doc
Merge pull request #48063 from miharekar/fix-nested-in-order-of
Preparing for 7.0.5 release
Sync CHANGELOG
Merge pull request #47805 from fatkodima/fix-in_order_of-duplicates
Merge branch '7-0-4-sec' into 7-0-stable
↗️ i18n (indirect, 1.12.0 → 1.14.1) · Repo · Changelog
Release Notes
1.14.1
1.14.0
1.13.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 51 commits:
Bump to 1.14.1
Merge pull request #666 from amatsuda/checkout_v3
Fix build warnings in the CI by using actions/checkout@v3
Merge pull request #665 from amatsuda/ci_ruby32
CI against Ruby 3.2
Merge pull request #659 from mark-a/mark-a-fallback-doc
Merge pull request #662 from amatsuda/default_empty_array
Merge pull request #663 from amatsuda/fix_rails_edge_ci
Merge pull request #664 from amatsuda/skip_jruby_rails52
Skip CIing on jruby against Rails 5.2
Read AS MemoryStore value via public API
Simplify the "Translation missing" message when default is an empty Array
Bump version to 1.14.0
Merge pull request #656 from tubaxenor/fix-locale-with-separator
Revert normalized_keys before #651
Merge remote-tracking branch 'upstream/prep-1-1-4' into fix-locale-with-separator
Correct translation missing assertions
Revert "make sure I18n.fallbacks updates itself"
Correct translation missing checks
Add documentation hint for fallback values
Fix I18n.t when locale contains separator
Merge pull request #653 from yheuhtozr/patch-1
Merge pull request #654 from Nerian/add-options-to-missing-trabslation-message
Merge pull request #655 from ccutrer/lazy-loadable-duplicate-available-locales
Bump to 1.13.0
fix LazyLoadable#available_locales duplicating locales
When there is a translation missing error, show all the potential keys that would have matched the missing one.
make sure I18n.fallbacks updates itself
Merge pull request #649 from fatkodima/fix-interpolate-same-object
Return same string object when no interpolations were made
Merge pull request #651 from fatkodima/optimizations
Merge pull request #650 from fatkodima/stub_const
Optimize `I18n.t`
Properly stub constants
Merge pull request #637 from movermeyer/movermeyer/nested_pluralization_with_base_backend
Merge pull request #647 from misdoro/exists_scope
Merge pull request #634 from movermeyer/movermeyer/explicit_0_1_and_lateral_inheritance
Allow passing scope argument to exists?
Merge pull request #644 from mensfeld/master
Merge pull request #1 from mensfeld/patch-1
Update simple.rb
Create funding.yml
Merge pull request #640 from movermeyer/movermeyer/date_meridian_indicators
Merge pull request #642 from nickcampbell18/patch-1
Fix load_path example in README.md
Merge pull request #627 from lucapericlp/master
Add support for meridian indicators on `Date` objects
Revert #503 changes for Backend::Base
Merge pull request #636 from movermeyer/movermeyer/pluralization_and_symbol_resolution
Fix symbol resolving with pluralization
Get closer to full CLDR pluralization support
↗️ minitest (indirect, 5.18.0 → 5.19.0) · Repo · Changelog
Release Notes
5.19.0 (from changelog)
5.18.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 12 commits:
prepped for release
+ Add metadata lazy accessor to Runnable / Result. (matteeyah)
- Minitest::TestTask enthusiastically added itself to default. (ParadoxV5)
+ Only load minitest/unit (aka ancient MiniTest compatibility layer) if ENV["MT_COMPAT"]
Replace 'MiniTest' with 'Minitest' in example code. (sambostock)
prepped for release
Removed 2.6 from CI.
- Avoid extra string allocations when filtering tests. (tenderlove)
- Only mention deprecated ENV['N'] if it is an integer string.
- Push up test_order to Minitest::Runnable to fix minitest/hell. (koic)
Use minitest organization in links (hsbt)
updated dates / versions in rails faq
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase
.All Depfu comment commands