🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Fix autosave associations with validations added on :base of the associated objects.
fatkodima
Fix result with anonymous PostgreSQL columns of different type from json.
Oleksandr Avoiants
Preserve timestamp when setting an ActiveSupport::TimeWithZone value to timestamptz attribute.
fatkodima
Fix where on association with has_one/has_many polymorphic relations.
Before:
Treasure.where(price_estimates: PriceEstimate.all)#=> SELECT (...) WHERE "treasures"."id" IN (SELECT "price_estimates"."estimate_of_id" FROM "price_estimates")
Later:
Treasure.where(price_estimates: PriceEstimate.all)#=> SELECT (...) WHERE "treasures"."id" IN (SELECT "price_estimates"."estimate_of_id" FROM "price_estimates" WHERE "price_estimates"."estimate_of_type" = 'Treasure')
Lázaro Nixon
Fix decrementing counter caches on optimistically locked record deletion
fatkodima
Ensure binary-destined values have binary encoding during type cast.
Matthew Draper
Preserve existing column default functions when altering table in SQLite.
fatkodima
Remove table alias added when using where.missing or where.associated.
fatkodima
Fix Enumerable#in_order_of to only flatten first level to preserve nesting.
The redirect_to method in Rails allows provided values to contain characters
which are not legal in an HTTP header value. This results in the potential for
downstream services which enforce RFC compliance on HTTP response headers to
remove the assigned Location header. This vulnerability has been assigned the
CVE identifier CVE-2023-28362.
Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4
Impact
This introduces the potential for a Cross-site-scripting (XSS) payload to be
delivered on the now static redirection page. Note that this both requires
user interaction and for a Rails app to be configured to allow redirects to
external hosts (defaults to false in Rails >= 7.0.x).
Releases
The FIXED releases are available at the normal locations.
Workarounds
Avoid providing user supplied URLs with arbitrary schemes to the redirect_to
method.
Release Notes
7.0.6 (from changelog)
No changes.
7.0.5.1 (from changelog)
Raise an exception if illegal characters are provide to redirect_to
[CVE-2023-28362]
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ railties (7.0.5 → 7.0.6) · Repo · Changelog
Release Notes
7.0.6 (from changelog)
7.0.5.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 15 commits:
Preparing for 7.0.6 releaseUpdate CHANGELOGMerge branch '7-0-sec' into 7-0-stablePreparing for 7.0.5.1 releaseFix EncryptedConfiguration not behaving like HashMerge pull request #46187 from Shopify/memcached-namespace-encoding-keysMerge pull request #47774 from zzak/fix-race-condition-in-evented-file-update-checkerMerge pull request #47748 from Shopify/fix-race-condition-in-evented-file-update-checkerMerge pull request #45061 from matthewd/assert-on-main-threadMerge pull request #48412 from andrewn617/fix_defect_in_enumerable_manyMerge pull request #48348 from fatkodima/fix-humanize-id-suffixMerge pull request #48329 from zzak/unlink-rails-lib-readmeMerge pull request #48321 from moofkit/fix-sentinels-config-with-strings-argumentsMerge pull request #48251 from skipkayhil/hm-rm-explicit-alias-docMerge pull request #48063 from miharekar/fix-nested-in-order-of✳️ activemodel (7.0.5 → 7.0.6) · Repo · Changelog
Release Notes
7.0.6 (from changelog)
7.0.5.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 15 commits:
Preparing for 7.0.6 releaseUpdate CHANGELOGMerge branch '7-0-sec' into 7-0-stablePreparing for 7.0.5.1 releaseFix EncryptedConfiguration not behaving like HashMerge pull request #46187 from Shopify/memcached-namespace-encoding-keysMerge pull request #47774 from zzak/fix-race-condition-in-evented-file-update-checkerMerge pull request #47748 from Shopify/fix-race-condition-in-evented-file-update-checkerMerge pull request #45061 from matthewd/assert-on-main-threadMerge pull request #48412 from andrewn617/fix_defect_in_enumerable_manyMerge pull request #48348 from fatkodima/fix-humanize-id-suffixMerge pull request #48329 from zzak/unlink-rails-lib-readmeMerge pull request #48321 from moofkit/fix-sentinels-config-with-strings-argumentsMerge pull request #48251 from skipkayhil/hm-rm-explicit-alias-docMerge pull request #48063 from miharekar/fix-nested-in-order-of✳️ activerecord (7.0.5 → 7.0.6) · Repo · Changelog
Release Notes
7.0.6 (from changelog)
7.0.5.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 15 commits:
Preparing for 7.0.6 releaseUpdate CHANGELOGMerge branch '7-0-sec' into 7-0-stablePreparing for 7.0.5.1 releaseFix EncryptedConfiguration not behaving like HashMerge pull request #46187 from Shopify/memcached-namespace-encoding-keysMerge pull request #47774 from zzak/fix-race-condition-in-evented-file-update-checkerMerge pull request #47748 from Shopify/fix-race-condition-in-evented-file-update-checkerMerge pull request #45061 from matthewd/assert-on-main-threadMerge pull request #48412 from andrewn617/fix_defect_in_enumerable_manyMerge pull request #48348 from fatkodima/fix-humanize-id-suffixMerge pull request #48329 from zzak/unlink-rails-lib-readmeMerge pull request #48321 from moofkit/fix-sentinels-config-with-strings-argumentsMerge pull request #48251 from skipkayhil/hm-rm-explicit-alias-docMerge pull request #48063 from miharekar/fix-nested-in-order-of✳️ activesupport (7.0.5 → 7.0.6) · Repo · Changelog
Release Notes
7.0.6 (from changelog)
7.0.5.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 15 commits:
Preparing for 7.0.6 releaseUpdate CHANGELOGMerge branch '7-0-sec' into 7-0-stablePreparing for 7.0.5.1 releaseFix EncryptedConfiguration not behaving like HashMerge pull request #46187 from Shopify/memcached-namespace-encoding-keysMerge pull request #47774 from zzak/fix-race-condition-in-evented-file-update-checkerMerge pull request #47748 from Shopify/fix-race-condition-in-evented-file-update-checkerMerge pull request #45061 from matthewd/assert-on-main-threadMerge pull request #48412 from andrewn617/fix_defect_in_enumerable_manyMerge pull request #48348 from fatkodima/fix-humanize-id-suffixMerge pull request #48329 from zzak/unlink-rails-lib-readmeMerge pull request #48321 from moofkit/fix-sentinels-config-with-strings-argumentsMerge pull request #48251 from skipkayhil/hm-rm-explicit-alias-docMerge pull request #48063 from miharekar/fix-nested-in-order-of↗️ actionpack (indirect, 7.0.5 → 7.0.6) · Repo · Changelog
Security Advisories 🚨
🚨 Possible XSS via User Supplied Values to redirect_to
Release Notes
7.0.6 (from changelog)
7.0.5.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 15 commits:
Preparing for 7.0.6 releaseUpdate CHANGELOGMerge branch '7-0-sec' into 7-0-stablePreparing for 7.0.5.1 releaseFix EncryptedConfiguration not behaving like HashMerge pull request #46187 from Shopify/memcached-namespace-encoding-keysMerge pull request #47774 from zzak/fix-race-condition-in-evented-file-update-checkerMerge pull request #47748 from Shopify/fix-race-condition-in-evented-file-update-checkerMerge pull request #45061 from matthewd/assert-on-main-threadMerge pull request #48412 from andrewn617/fix_defect_in_enumerable_manyMerge pull request #48348 from fatkodima/fix-humanize-id-suffixMerge pull request #48329 from zzak/unlink-rails-lib-readmeMerge pull request #48321 from moofkit/fix-sentinels-config-with-strings-argumentsMerge pull request #48251 from skipkayhil/hm-rm-explicit-alias-docMerge pull request #48063 from miharekar/fix-nested-in-order-of↗️ actionview (indirect, 7.0.5 → 7.0.6) · Repo · Changelog
Release Notes
7.0.6 (from changelog)
7.0.5.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 15 commits:
Preparing for 7.0.6 releaseUpdate CHANGELOGMerge branch '7-0-sec' into 7-0-stablePreparing for 7.0.5.1 releaseFix EncryptedConfiguration not behaving like HashMerge pull request #46187 from Shopify/memcached-namespace-encoding-keysMerge pull request #47774 from zzak/fix-race-condition-in-evented-file-update-checkerMerge pull request #47748 from Shopify/fix-race-condition-in-evented-file-update-checkerMerge pull request #45061 from matthewd/assert-on-main-threadMerge pull request #48412 from andrewn617/fix_defect_in_enumerable_manyMerge pull request #48348 from fatkodima/fix-humanize-id-suffixMerge pull request #48329 from zzak/unlink-rails-lib-readmeMerge pull request #48321 from moofkit/fix-sentinels-config-with-strings-argumentsMerge pull request #48251 from skipkayhil/hm-rm-explicit-alias-docMerge pull request #48063 from miharekar/fix-nested-in-order-of↗️ i18n (indirect, 1.14.0 → 1.14.1) · Repo · Changelog
Release Notes
1.14.1
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 12 commits:
Bump to 1.14.1Merge pull request #666 from amatsuda/checkout_v3Fix build warnings in the CI by using actions/checkout@v3Merge pull request #665 from amatsuda/ci_ruby32CI against Ruby 3.2Merge pull request #659 from mark-a/mark-a-fallback-docMerge pull request #662 from amatsuda/default_empty_arrayMerge pull request #663 from amatsuda/fix_rails_edge_ciMerge pull request #664 from amatsuda/skip_jruby_rails52Skip CIing on jruby against Rails 5.2Read AS MemoryStore value via public APISimplify the "Translation missing" message when default is an empty Array↗️ minitest (indirect, 5.18.0 → 5.18.1) · Repo · Changelog
Release Notes
5.18.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 7 commits:
prepped for releaseRemoved 2.6 from CI.- Avoid extra string allocations when filtering tests. (tenderlove)- Only mention deprecated ENV['N'] if it is an integer string.- Push up test_order to Minitest::Runnable to fix minitest/hell. (koic)Use minitest organization in links (hsbt)updated dates / versions in rails faq↗️ racc (indirect, 1.6.2 → 1.7.1) · Repo · Changelog
Release Notes
1.7.1
1.7.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 46 commits:
Bump up v1.7.1Bump up source/target versions for Java extensionMerge pull request #221 from nobu/embedded-pathMerge pull request #223 from nobu/gem-versionFix place to specify rake-compiler versionExpand embedded paths so that the guards can find itAssert no warning from embedded parser-text.rbAssert no warning from parser-text.rbracc/parser-text.rb depends on RakefileMerge pull request #220 from ruby/use-test-unit-ruby-coresync_tool is no longer neededUse released version of test-unit-ruby-coreDon't need Bundler on GemfileBump up source/target JVM versionsBump up v1.7.0Merge pull request #218 from nobu/embed-infoEmbed racc/info.rb tooMerge pull request #213 from jeremyevans/errorsymbolvalueMerge pull request #217 from hkdnet/sample-testUse the current racc for testAdd tests for sample dir and tweak samplesMerge pull request #216 from nobu/trailing-spaces[DOC] Strip trailing spacesMerge pull request #215 from nobu/newline-at-eofAdd a newline at EOF [ci skip]Merge pull request #214 from ruby/flavorjones-20230408-exclude-jruby-head-on-macExclude jruby-head on macOSUpdate test libraries from https://github.com/ruby/ruby/commit/b4e438d8aabaf4bba2b27f374c787543fae07c58Remove ErrorSymbolValue referenceMerge pull request #211 from ruby/improve-actionsExclude jruby, truffleruby and truffleruby-head with macOSExclude JRuby from WindowsTry with macOS and WindowsUse ruby/actions/.github/workflows/ruby_versions.yml@masterUse appropriate name for build jobMerge pull request #209 from petergoldstein/feature/adds_ruby_3_2_to_ciAdds Ruby 3.2 to the CI matrix.Merge pull request #208 from casperisfine/fix-anonymous-evalGet rid of anonymous eval callsMerge pull request #167 from pocke/Make_racc_Ractor_compatibleRemoved unused configurationMerge pull request #207 from ruby/gh-201encodingRemoved old VCS headerRemoved obsoleted CVS sectiontypo fix↗️ rails-dom-testing (indirect, 2.0.3 → 2.1.1) · Repo
Release Notes
2.1.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 56 commits:
Prepare for 2.1.1 releaseMake sure we setup active support before trying to require parts of itMake sure minitest is required before using itPrepare for 2.1.0Add devcontainer configurationMerge pull request #105 from flavorjones/flavorjones-ci-add-3.2-coverageUpdate Gemfile.lockci: add Ruby 3.2 coverageci: cancel in progress and allow workflow dispatchMerge pull request #106 from flavorjones/flavorjones-better-failure-diffUse Minitest::Assertion#diff for content failure messagesMerge pull request #103 from flavorjones/flavorjones-migrate_ci_to_github_actionsdelete .travis.ymlMigrate CI to GitHub ActionsMerge pull request #102 from issyl0/fix-double-period-on-assert_selectselector_assertions/html_selector: No trailing `.` on `content_mismatch`Merge pull request #97 from ghiculescu/blank-bodyBetter error message if response.body is blank or not parseable by NokogiriMerge pull request #76 from speckins/issue-75-multiple-substitution-fixMerge pull request #95 from jbampton/fix-grammarMerge pull request #96 from ghiculescu/wrong-message-argRaise an error if the last arg is the wrong formatFix replacement for multiple substitutionsdocs: fix grammar in the README [ci skip]Merge pull request #92 from seanpdoyle/rename-assert-select-to-assert-domRemove deprecation, document aliasMerge pull request #93 from seanpdoyle/alias-assert-dom-methodsAlias assert_select methods to assert_dom versionsMerge pull request #91 from seanpdoyle/deprecate-assert-selectDeprecate assert_select* in preparation for renameMerge pull request #90 from seanpdoyle/substitution-typesExpand Substitution Matching Types supportMerge pull request #89 from amatsuda/manualoadSimply require rather than autoload + immediately loadMerge pull request #88 from amatsuda/rm_as_concernThese modules uses no AS::Concern featureMerge pull request #85 from rails/dependabot/bundler/activesupport-6.0.3.1Merge pull request #87 from jduff/bump_min_activesupportMerge pull request #84 from jduff/ignore_whitespace_2Bump min version of activesupport requiredHandle differences in interior whitespacemake assert_dom_equal ignore insignificant whitespaceMerge pull request #86 from jduff/update_test_matrixUpdate test matrix to current supported ruby/rails versionsBump activesupport from 6.0.0 to 6.0.3.1Avoid bundling minitest that requires ruby ~> 2.2 for testing rails 4.2.xMerge pull request #82 from rails/dependabot/bundler/nokogiri-1.10.9Bump nokogiri from 1.10.4 to 1.10.9Merge pull request #81 from rails/dependabot/bundler/rake-13.0.1Bump rake from 12.0.0 to 13.0.1Merge pull request #79 from rails/dependabot/bundler/nokogiri-1.10.4Bump nokogiri from 1.7.0 to 1.10.4Merge pull request #74 from yahonda/suppress_ruby260_warningsAddress `warning: mismatched indentations at 'when' with 'case'`Merge pull request #73 from nicolasleger/patch-1[CI] Test agains Ruby 2.5Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands