[Security] Bump ffi from 1.9.8 to 1.13.0

[dependabot-preview[bot]]

Bumps ffi from 1.9.8 to 1.13.0. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

ruby-ffi DDL loading issue on Windows OS ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS, when a Symbol is used as DLL name instead of a String This vulnerability appears to have been fixed in v1.9.24 and later.

Patched versions: >= 1.9.24 Unaffected versions: none

Changelog

Sourced from ffi's changelog.

1.13.0 / 2020-06-01

Added:

• Add TruffleRuby support. Almost all specs are running on TruffleRuby and succeed. #768
• Add ruby source files to the java gem. This allows to ship the Ruby library code per platform java gem and add it as a default gem to JRuby. #763
• Add FFI::Platform::LONG_DOUBLE_SIZE
• Add bounds checks for writing to an inline char[] . #756
• Add long double as callback return value. #771
• Update type definitions and add types from stdint.h and stddef.h on i386-windows, x86_64-windows, x86_64-darwin, x86_64-linux, arm-linux, powerpc-linux. #749
• Add new type definitions for powerpc-openbsd and sparcv9-openbsd. #775, #778

Changed:

• Raise required ruby version to >= 2.3.
• Lots of cleanups and improvements in library, specs and benchmarks.
• Fix a lot of compiler warnings at the C-extension
• Fix several install issues on MacOS:
  • Look for libffi in SDK paths, since recent versions of macOS removed it from /usr/include . #757
  • Fix error ld: library not found for -lgcc_s.10.4
  • Don't built for i386 architecture as it is deprecated
• Several fixes for MSVC build on Windows. #779
• Use ucrtbase.dll as default C library on Windows instead of old msvcrt.dll. #779
• Update builtin libffi to fix a Powerpc issue with parameters of type long
• Allow unmodified sourcing of (the ruby code of) this gem in JRuby and TruffleRuby as a default gem. #747
• Improve check to detect if a module has a #find_type method suitable for FFI. This fixes compatibility with stdlib mkmf . #776

Removed:

• Reject callback with :string return type at definition, because it didn't work so far and is not save to use. #751, #782

1.12.2 / 2020-02-01

• Fix possible segfault at FFI::Struct#[] and []= after GC.compact . #742

1.12.1 / 2020-01-14

Added:

• Add binary gem support for ruby-2.7 on Windows

1.12.0 / 2020-01-14

Added:

• FFI::VERSION is defined as part of require 'ffi' now. It is no longer necessary to require 'ffi/version' .

... (truncated)

Commits

• 426be5e Don't cross build extension for ruby-2.2 per "rake gem:windows"
• c17db09 Update release date in CHANGELOG
• abecee3 Remove code required for ruby prior 2.3
• 6624359 Raise minimum ruby version to 2.3
• 7ef4f5a Bump VERSION to 1.13.0
• a8fd5b3 Add 1.13.0 to CHANGELOG
• ce9de53 Use shorter const names like in other files
• d510675 Merge pull request #782 from larskanis/reject_string_callback
• e2b1c7e Reject callback with :string return type
• 6a14427 Merge branch 'master' of https://github.com/ffi/ffi
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)

[dependabot-preview[bot]]

Superseded by #36.