sadovnik / reader

A simple feed reader app https://reader-app.herokuapp.com

🚨 [security] Update annotate: 2.7.4 → 3.2.0 (major) #315

Open depfu[bot] opened 2 years ago

depfu[bot] commented 2 years ago

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ annotate (2.7.4 → 3.2.0) · Repo · Changelog

Release Notes

3.2.0

What's Changed

  • Fix undefined method error when spatial column does not have srid (#920) @oieioi
  • Fix: use klass.table_name instead of guessing from associated models (#847) @ocarta-l
  • Bump nokogiri from 1.11.2 to 1.11.7 in /spec/integration/rails_6.0.2.1 (#886) @dependabot
  • Bump puma from 4.3.7 to 5.3.2 in /spec/integration/rails_5.2.4.1 (#887) @dependabot
  • get_loaded_model_by_path is supposed to be nil-safe (#883) @sato11
  • Fix CI builds and update dependencies (#884) @ctran
  • Fix ci: conflicts with removed gems (#865) @ocarta-l
  • Allow get_loaded_model to succeed when $LOAD_PATH contains non-string values (#848) @Hamms
  • Bump rack from 2.1.2 to 2.2.3 in /spec/integration/rails_5.2.4.1 (#820) @dependabot
  • Bump rack from 2.1.2 to 2.2.3 in /spec/integration/rails_6.0.2.1 (#819) @dependabot
  • Bump websocket-extensions from 0.1.4 to 0.1.5 in /spec/integration/rails_6.0.2.1 (#813) @dependabot
  • Bump websocket-extensions from 0.1.4 to 0.1.5 in /spec/integration/rails_5.2.4.1 (#812) @dependabot
  • Bump puma from 4.3.3 to 4.3.5 in /spec/integration/rails_5.2.4.1 (#809) @dependabot
  • Bump puma from 4.3.3 to 4.3.5 in /spec/integration/rails_6.0.2.1 (#808) @dependabot
  • Use ruby/setup-ruby since actions/ruby is deprecated (#855) @ctran
  • Fix typo invlaid -> invalid (#835) @olleolleolle
  • Enable bundler caching for travis (#853) @Taher-Ghaleb
  • Automate release notes with release-drafter.yml (#846) @ctran
  • Fix: RuntimeError: Don't know how to build task 'db:migrate' (#844) @onk
  • Only return valid models from get_loaded_model_by_path (#801) @macobo
  • load :set_annotation_options before running :annotate_routes (#803) @javawizard
  • Add annotation hooks for db-specific migration tasks (#686) @paul-mannino
  • ActiveAdmin: Allow for both singular and plural model names (#776) @vfonic
  • Adding option to skip loading models from subdirectories (#767) @ethanbresler
  • gemspec: Add metadata URIs (#798) @olleolleolle
  • Move some code to AnnotateModels::FilePatterns (#794) @nard-tech
  • Fix typos (#795) @henrik
  • Add methods to AnnotateRoutes::HeaderGenerator and refactor methods (#792) @nard-tech
  • Fix output for multiline column comments (#779) @tmr08c
  • Reactors AnnotateModels.get_schema_info (#791) @tmr08c
  • Refactor AnnotateRoutes by adding AnnotateRoutes::HeaderGenerator (#790) @nard-tech
  • Fix "undefined method `<'" error message (#774) @erikkessler1
  • Turn on integration tests in CI (#788) @drwl
  • Add integration test for rails g annotate:install (#783) @drwl
  • Some project clean up (#786) @drwl

What's Changed

  • Factory Girl -> Factory Bot by @henrik in #759
  • Refactor test cases of AnnotateRoutes - completed version by @nard-tech in #760
  • Bump nokogiri from 1.10.7 to 1.10.8 in /spec/integration/rails_6.0.2.1 by @dependabot in #765
  • Bump nokogiri from 1.10.7 to 1.10.8 in /spec/integration/rails_5.2.4.1 by @dependabot in #766
  • Bump puma from 3.12.2 to 4.3.3 in /spec/integration/rails_5.2.4.1 by @dependabot in #769
  • Bump puma from 4.3.1 to 4.3.3 in /spec/integration/rails_6.0.2.1 by @dependabot in #771
  • [Revert #677] Fix column default annotations by @drwl in #768
  • Bump project required ruby version to >= 2.4 by @drwl in #772
  • Refactor by adding AnnotateRoutes::Helpers by @nard-tech in #770
  • Make travis.yml valid and to unblock gem releases by @drwl in #782
  • Some project clean up by @drwl in #786
  • Add integration test for rails g annotate:install by @drwl in #783
  • Turn on integration tests in CI by @drwl in #788
  • Fix "undefined method `<'" error message by @erikkessler1 in #774
  • Refactor AnnotateRoutes by adding AnnotateRoutes::HeaderGenerator by @nard-tech in #790
  • Reactors AnnotateModels.get_schema_info by @tmr08c in #791
  • Fix output for multiline column comments by @tmr08c in #779
  • Add methods to AnnotateRoutes::HeaderGenerator and refactor methods by @nard-tech in #792
  • Fix typos by @henrik in #795
  • Move some code to AnnotateModels::FilePatterns by @nard-tech in #794
  • gemspec: Add metadata URIs by @olleolleolle in #798
  • Adding option to skip loading models from subdirectories by @ethanbresler in #767
  • ActiveAdmin: Allow for both singular and plural model names by @vfonic in #776
  • Add annotation hooks for db-specific migration tasks by @paul-mannino in #686
  • load :set_annotation_options before running :annotate_routes by @javawizard in #803
  • Only return valid models from get_loaded_model_by_path by @macobo in #801
  • Fix: RuntimeError: Don't know how to build task 'db:migrate' by @onk in #844
  • Automate release notes with release-drafter.yml by @ctran in #846
  • Enable bundler caching for travis by @Taher-Ghaleb in #853
  • Fix typo invlaid -> invalid by @olleolleolle in #835
  • Use ruby/setup-ruby since actions/ruby is deprecated by @ctran in #855
  • Bump puma from 4.3.3 to 4.3.5 in /spec/integration/rails_6.0.2.1 by @dependabot in #808
  • Bump puma from 4.3.3 to 4.3.5 in /spec/integration/rails_5.2.4.1 by @dependabot in #809
  • Bump websocket-extensions from 0.1.4 to 0.1.5 in /spec/integration/rails_5.2.4.1 by @dependabot in #812
  • Bump websocket-extensions from 0.1.4 to 0.1.5 in /spec/integration/rails_6.0.2.1 by @dependabot in #813
  • Bump rack from 2.1.2 to 2.2.3 in /spec/integration/rails_6.0.2.1 by @dependabot in #819
  • Bump rack from 2.1.2 to 2.2.3 in /spec/integration/rails_5.2.4.1 by @dependabot in #820
  • Allow get_loaded_model to succeed when $LOAD_PATH contains non-string values by @Hamms in #848
  • Fix ci: conflicts with removed gems by @ocarta-l in #865
  • Fix CI builds and update dependencies by @ctran in #884
  • get_loaded_model_by_path is supposed to be nil-safe by @sato11 in #883
  • Bump puma from 4.3.7 to 5.3.2 in /spec/integration/rails_5.2.4.1 by @dependabot in #887
  • Bump nokogiri from 1.11.2 to 1.11.7 in /spec/integration/rails_6.0.2.1 by @dependabot in #886
  • Fix: use klass.table_name instead of guessing from associated models by @ocarta-l in #847
  • Fix undefined method error when spatial column does not have srid by @oieioi in #920
  • Loosen activerecord restriction to work with rails 7 by @dabit in #912
  • Bump puma from 5.3.2 to 5.6.1 in /spec/integration/rails_5.2.4.1 by @dependabot in #925
  • Bump addressable from 2.7.0 to 2.8.0 in /spec/integration/rails_6.0.2.1 by @dependabot in #889

New Contributors

Full Changelog: v3.1.0...v3.2.0

2.7.5 (from changelog)

See github.com/ctran/annotate_models/releases/tag/v2.7.5

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.1.5 → 1.1.9) · Repo · Changelog

Release Notes

1.1.9 (from changelog)

concurrent-ruby:

  • (#866) Child promise state not set to :pending immediately after #execute when parent has completed
  • (#905, #872) Fix RubyNonConcurrentPriorityQueue#delete method
  • (2df0337d) Make sure locks are not shared on shared when objects are dup/cloned
  • (#900, #906, #796, #847, #911) Fix Concurrent::Set thread-safety issues on CRuby
  • (#907) Add new ConcurrentMap backend for TruffleRuby

1.1.8 (from changelog)

  • (#885) Fix race condition in TVar for stale reads
  • (#884) RubyThreadLocalVar: Do not iterate over hash which might conflict with new pair addition

1.1.7 (from changelog)

concurrent-ruby:

  • (#879) Consider falsy value on Concurrent::Map#compute_if_absent for fast non-blocking path
  • (#876) Reset Async queue on forking, makes Async fork-safe
  • (#856) Avoid running problematic code in RubyThreadLocalVar on MRI that occasionally results in segfault
  • (#853) Introduce ThreadPoolExecutor without a Queue

1.1.6 (from changelog)

concurrent-ruby:

  • (#841) Concurrent.disable_at_exit_handlers! is no longer needed and was deprecated.
  • (#841) AbstractExecutorService#auto_terminate= was deprecated and has no effect. Set :auto_terminate option instead when executor is initialized.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 1.6.0 → 1.9.1) · Repo · Changelog

Release Notes

1.9.1

What's Changed

Full Changelog: v1.9.0...v1.9.1

1.9.0

Minor version bump: The number of changes in this release are more than I would feel comfortable including in a point release. Therefore, I have bumped the minor version number here. -- @radar

What's Changed

New Contributors

Full Changelog: v1.8.11...v1.9.0

1.8.11

What's Changed

New Contributors

Full Changelog: v1.8.10...v1.8.11

1.8.10

  • Fix string locale will trigger on_fallback hook - #562

1.8.9

  • Rely on Ruby 3's native Hash#except method -- #557

This release also contains several build related updates -- rather than listing them out here, you can see the compare view between 1.8.8 and 1.8.9.

1.8.8

  • Fixed threadsafety issues in Simple backend: #554
  • Re-attempt to fix threadsafety of fallbacks: #548

  • Use OpenSSL::Digest instead of usual Digest libraries: #549
  • Goodbye, post-install message #552
  • Use Rails' main branch, instead of master #553

1.8.7

  • Fixed a regression with fallback logic: see issues #547, #546 and #542.

1.8.6

  • Fallbacks are now stored in Thread.current for multi-threading compatibility: #542
  • no-op arguments are no longer allowed for I18n.t calls -- fixes an incompatibility with Ruby 3.0: #545

This gem's GitHub workflow files have been updated to ensure compatibility between new Rails versions (6.1) and the new Ruby release (3.0). See the "Actions" tab on GitHub for the full range of supported Rails and Ruby versions.

1.8.4

  • Fixed issue where fallbacks were not working when I18n.fallbacks was an array - #534
  • Fixed conditional around deprecating constant of INTERPOLATION_PATTERN - #531

1.8.3

Compare view: v1.8.2...v1.8.3

Features / Improvements

  • Memory and speed improvements - #527+ #528
  • Add option to disable fallbacks for I18n.exists? check - #482
  • Add an on_fallback hook to allow users to be notified when a fallback happens - #520

Bug Fixes

  • Fix an issue with deep_merge and chain fallback backends - #499 & #509
  • Fix an issue with Rails ordinal number proc and keyword splatting - #521
  • Pass options as keyword arguments to translation procs - #529
  • Fix pluralize on unknown locale with attributes - #519

1.8.2

  • Restoration of #499 via #509 - deep_merge! & deep_merge methods appear again in the Hash refinement.
  • An issue was introduced in v1.7.0 where some translations were returned as hashes, see #510. This was fixed in 1b5e345, and is available in this release.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.11.3 → 5.15.0) · Repo · Changelog

Release Notes

5.15.0 (from changelog)

  • 1 major enhancement:

    • assert_throws returns the value returned, if any. (volmer)

  • 3 minor enhancements:

    • Added -S <CODES> option to skip reporting of certain types of output

    • Enable Ruby deprecation warnings by default. (casperisfine)

    • Use Etc.nprocessors by default in order to maximize cpu usage. (tonytonyjan)

  • 6 bug fixes:

    • Close then unlink tempfiles on Windows. (nobu)

    • Fixed #skip_until for windows paths. (MSP-Greg)

    • Fixed a bunch of tests for jruby and windows. (MSP-Greg)

    • Fixed marshalling of specs if they error. (tenderlove, jeremyevans, et al)

    • Updated deprecation message for block expectations. (blowmage)

    • Use Kernel.warn directly in expectations in case CUT defines their own warn. (firien)

5.14.4 (from changelog)

  • 1 bug fix:

    • Fixed deprecation warning using stub with methods using keyword arguments. (Nakilon)

5.14.3 (from changelog)

  • 1 bug fix:

    • Bumped require_ruby_version to < 4 (trunk = 3.1).

5.14.2 (from changelog)

  • 1 bug fix:

    • Bumped ruby version to include 3.0 (trunk).

5.14.0 (from changelog)

  • 2 minor enhancements:

    • Block-assertions (eg assert_output) now error if raised inside the block. (casperisfine)

    • Changed assert_raises to only catch Assertion since that covers Skip and friends.

  • 3 bug fixes:

    • Added example for value wrapper with block to Expectations module. (stomar)

    • Fixed use of must/wont_be_within_delta on Expectation instance. (stomar)

    • Renamed UnexpectedError#exception to #error to avoid problems with reraising. (casperisfine)

5.13.0 (from changelog)

  • 9 minor enhancements:

    • Added Minitest::Guard#osx?

    • Added examples to documentation for assert_raises. (lxxxvi)

    • Added expectations #path_must_exist and #path_wont_exist. Not thrilled with the names.

    • Added fail_after(year, month, day, msg) to allow time-bombing after a deadline.

    • Added skip_until(year, month, day, msg) to allow deferring until a deadline.

    • Deprecated Minitest::Guard#maglev?

    • Deprecated Minitest::Guard#rubinius?

    • Finally added assert_path_exists and refute_path_exists. (deivid-rodriguez)

    • Refactored and pulled Assertions#things_to_diff out of #diff. (BurdetteLamar)

  • 3 bug fixes:

    • Fix autorun bug that affects fork exit status in tests. (dylanahsmith/jhawthorn)

    • Improved documentation for _/value/expect, especially for blocks. (svoop)

    • Support new Proc#to_s format. (ko1)

5.12.2 (from changelog)

  • 1 bug fix:

    • After chatting w/ @y-yagi and others, decided to lower support to include ruby 2.2.

5.12.1 (from changelog)

  • 1 minor enhancement:

    • Added documentation for Reporter classes. (sshaw)

  • 3 bug fixes:

    • Avoid using 'match?' to support older ruby versions. (y-yagi)

    • Fixed broken link to reference on goodness-of-fit testing. (havenwood)

    • Update requirements in readme and Rakefile/hoe spec.

5.12.0 (from changelog)

  • 8 minor enhancements:

    • Added a descriptive error if assert_output or assert_raises called without a block. (okuramasafumi)

    • Changed mu_pp_for_diff to make having both n and \n easier to debug.

    • Deprecated $N for specifying number of parallel test runners. Use MT_CPU.

    • Deprecated use of global expectations. To be removed from MT6.

    • Extended Assertions#mu_pp to encoding validity output for strings to improve diffs.

    • Extended Assertions#mu_pp to output encoding and validity if invalid to improve diffs.

    • Extended Assertions#mu_pp_for_diff to make escaped newlines more obvious in diffs.

    • Fail gracefully when expectation used outside of `it`.

  • 3 bug fixes:

    • Check `option` klass before match. Fixes 2.6 warning. (y-yagi)

    • Fixed Assertions#diff from recalculating if set to nil

    • Fixed spec section of readme to not use deprecated global expectations. (CheezItMan)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rake (indirect, 12.3.2 → 13.0.6) · Repo · Changelog

Security Advisories 🚨

🚨 OS Command Injection in Rake

There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character |.
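The advisory above comes down to one Ruby footgun: Kernel#open treats a leading "|" in its string argument as "spawn this command and hand me its pipe", so any code path that passes an untrusted filename to Kernel#open is a command-injection sink. File.open has no such special case, which is why the 12.3.3 changelog entry below reads "Use File.open explicitly." The following added example (not code from this PR, from Rake or from the reader app) shows the defensive pattern: a small helper that reads a file by name using File.open and, for clarity of intent, also rejects pipe-prefixed names up front. The helper names are assumptions chosen for this illustration.

```ruby
# Added example, not part of the depfu PR, Rake or the reader app.
# Demonstrates the mitigation for the Rake::FileList advisory: never let an
# untrusted filename reach Kernel#open; use File.open, which does not
# interpret a leading "|" as a command to spawn.

require "tempfile"

# Hypothetical helper: true when the name would be treated as a command by
# Kernel#open (leading "|", ignoring leading whitespace).
def pipe_prefixed?(name)
  name.to_s.lstrip.start_with?("|")
end

# Hypothetical helper: reads a file whose name may come from an untrusted
# source (glob results, user input, manifest entries). File.open is used so
# that "|" carries no special meaning; the explicit check makes the refusal
# visible in logs instead of surfacing as a confusing ENOENT.
def safe_read(name)
  raise ArgumentError, "refusing pipe-prefixed filename: #{name.inspect}" if pipe_prefixed?(name)
  File.open(name, "r", &:read)
end

# Shows that File.open treats "|echo hi" as an ordinary (missing) file name
# and raises a filesystem error rather than spawning a process.
def file_open_behaviour(name)
  File.open(name, "r", &:read)
  :opened
rescue SystemCallError
  :no_such_file
end

# Happy path on a constructed temporary file, proving safe_read still reads
# legitimate files.
def demo_safe_read
  Tempfile.create("reader-demo") do |f|
    f.write("hello")
    f.flush
    safe_read(f.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts demo_safe_read
  puts file_open_behaviour("|echo hi")
  begin
    safe_read("|echo hi")
  rescue ArgumentError => e
    puts e.message
  end
end
```

The check in `pipe_prefixed?` is belt-and-braces: with File.open alone the pipe name is already harmless, but rejecting it explicitly documents the threat in the code and gives operators a distinct error to alert on if such names start appearing in input.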

Release Notes

13.0.6 (from changelog)

  • Additional fix for #389 Pull request #390 by hsbt

13.0.5 (from changelog)

  • Fixed the regression of #388 Pull request #389 by hsbt

13.0.4 (from changelog)

  • Fix rake test loader swallowing useful error information. Pull request #367 by deivid-rodriguez

  • Add -C/--directory option the same as GNU make. Pull request #376 by nobu

13.0.3 (from changelog)

  • Fix breaking change of execution order on TestTask. Pull request #368 by ysakasin

13.0.1 (from changelog)

Bug fixes

  • Fixed bug: Reenabled task raises previous exception on second invocation Pull Request #271 by thorsteneckel

  • Fix an incorrectly resolved arg pattern Pull Request #327 by mjbellantoni

13.0.0 (from changelog)

Enhancements

  • Follows recent changes on keyword arguments in ruby 2.7. Pull Request #326 by nobu

  • Make `PackageTask` be able to omit parent directory while packing files Pull Request #310 by tonytonyjan

  • Add order only dependency Pull Request #269 by take-cheeze

Compatibility changes

  • Drop old ruby versions(< 2.2)

12.3.3 (from changelog)

Bug fixes

  • Use the application's name in error message if a task is not found. Pull Request #303 by tmatilai

Enhancements:

  • Use File.open explicitly.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tzinfo (indirect, 1.2.5 → 1.2.9) · Repo · Changelog

Release Notes

1.2.9

  • Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

TZInfo v1.2.9 on RubyGems.org

1.2.8

  • Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used to calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
  • Rubinius is no longer supported.

TZInfo v1.2.8 on RubyGems.org

1.2.7

  • Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
  • Fixed warnings when running on Ruby 2.8. #112.

TZInfo v1.2.7 on RubyGems.org

1.2.6

  • Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.
  • Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
  • Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.
  • Fixed warnings when running on Ruby 2.7. #106 and #111.

TZInfo v1.2.6 on RubyGems.org

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)