
[Security] Bump redcarpet from 3.2.2 to 3.4.0 #6

Closed dependabot-preview[bot] closed 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps redcarpet from 3.2.2 to 3.4.0. This update includes security fixes.

Vulnerabilities fixed

*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/redcarpet/OSVDB-120415.yml).*

> **redcarpet Gem for Ruby markdown.c parse_inline() Function XSS**
> redcarpet Gem for Ruby contains a flaw that allows a cross-site scripting
> (XSS) attack. This flaw exists because the parse_inline() function in
> markdown.c does not validate input before returning it to users. This may
> allow a remote attacker to create a specially crafted request that would
> execute arbitrary script code in a user's browser session within the trust
> relationship between their browser and the server.
>
> Patched versions: >= 3.2.3
> Unaffected versions: none
Release notes

*Sourced from [redcarpet's releases](https://github.com/vmg/redcarpet/releases).*

> ## v3.4.0
> ## Redcarpet v3.4.0
>
> This new release ships with a bunch of bug fixes especially regarding anchor generation.
>
> ### Improvements to anchor generation
>
> The anchor generation now relies on a djb2 hashing algorithm whenever the generated anchor is empty as non-alphanumeric chars. This is specifically interesting for CJK contents as Redcarpet used to generate empty anchors dealing with titles in these locales.
>
> Special thanks to Alexey Kopytko and namusyaka for their work on that!
>
> Also now, the html-escaped entities are removed from anchors generated with the `HTML` render in order to be consistent with the `HTML_TOC` render and as it is more expected.
>
> ### Other improvements
> - Table headers don't require a minimum of three dashes anymore; a single one can be used for each row.
> - The Markdown and rendering options are now exposed through a `Hash` inside the `@options` instance variable inside your custom render objects.
>
> ### Bug fixes
> - Multiple single quote pairs are parsed correctly with SmartyPants.
> - Remove periods at the end of URLs when autolinking to make sure that links at the end of a sentence get properly generated.
> - Avoid escaping ampersands in href links.
>
> Check out the [CHANGELOG](https://github.com/vmg/redcarpet/tree/v3.4.0/CHANGELOG.md) for further information and changes.
>
> ## Redcarpet 3.3.4
> This release simply fixes the `bufprintf` function to correctly work on Windows MinGW-w64 so strings are properly written to the buffer and also skips non-ASCII chars during anchor generation to avoid generating invalid UTF-8 byte sequences.
>
> ## Redcarpet 3.3.1
> As of version 3.3.0, the provided `redcarpet` executable no longer worked since it relies on a new `Redcarpet::CLI` class that wasn't available because its file wasn't included in the gemspec. This version fixes this.
>
> ## Redcarpet 3.3.0
> ## Redcarpet v3.3.0
>
> This new release ships with a bunch of bug fixes and improvements especially regarding anchor generation.
>
> ### Improvements to anchors
>
> The anchor generation algorithm has been improved. It now correctly strips out non-alphanumeric chars from the generated string; it tries as much as possible to match the behavior of Active Support's `#parameterize` method.
>
> Moreover, Redcarpet used to HTML-escape anchors rendered through the `HTML_TOC` render. This is no longer the case but if you want this behavior back for any reason, you can now pass the `:escape_html` option when instantiating the object.
>
> ### Redcarpet's command line interface
>
> The plain old Ruby file that was provided as a bin script now relies on a brand new API that you can use and that uses Ruby's OptionParser.
>
> This allows you to create custom scripts for your needs. You can handle the provided files as you want and add new options or fall-backs (e.g. an option to use Pygments). Read the documentation of the [`Redcarpet::CLI`](https://github.com/vmg/redcarpet/tree/v3.3.0/lib/redcarpet/cli.rb) class for further information.
>
> ### Undeprecate the RedCloth API compatibility layer
>
> ... (truncated)
Changelog

*Sourced from [redcarpet's changelog](https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md).*

> ## Version 3.4.0
>
> * Rely on djb2 hashing generating anchors with non-ASCII chars.
>
>   Fix issue [#538](https://github-redirect.dependabot.com/vmg/redcarpet/issues/538).
>
>   *Alexey Kopytko*, *namusyaka*
>
> * Added support for HTML 5 `details` and `summary` tags.
>
>   Fix issue [#578](https://github-redirect.dependabot.com/vmg/redcarpet/issues/578).
>
>   *James Edwards-Jones*
>
> * Multiple single quote pairs are parsed correctly with SmartyPants.
>
>   Fix issue [#549](https://github-redirect.dependabot.com/vmg/redcarpet/issues/549).
>
>   *Jan Jędrychowski*
>
> * Table headers don't require a minimum of three dashes anymore; a
>   single one can be used for each row.
>
> * Remove escaped entities from `HTML` render table of contents'
>   ids to be consistent with the `HTML_TOC` render.
>
>   Fix issue [#529](https://github-redirect.dependabot.com/vmg/redcarpet/issues/529).
>
> * Remove periods at the end of URLs when autolinking to make sure
>   that links at the end of a sentence get properly generated.
>
>   Fix issue [#465](https://github-redirect.dependabot.com/vmg/redcarpet/issues/465).
>
> * Expose the Markdown and rendering options through a `Hash` inside
>   the `@options` instance variable for custom render objects.
>
> * Avoid escaping ampersands in href links.
>
>   *Nolan Evans*
>
> ## Version 3.3.4
>
> * Fix `bufprintf` to correctly work on Windows MinGW-w64 so strings
>   are properly written to the buffer.
>
>   *Kenichi Saita*
>
> * Fix the header anchor normalization by skipping non-ASCII chars
>   and not calling tolower because this leads to invalid UTF-8 byte
>   sequences in the HTML output. (tolower is not locale-aware)
>
> ... (truncated)
Commits

- [`ef93be6`](https://github.com/vmg/redcarpet/commit/ef93be6e09e6dba1bdd5594f14387da4ffb7a15e) Redcarpet v3.4.0
- [`fdec6be`](https://github.com/vmg/redcarpet/commit/fdec6be667c82838d165638f0feef91a1e68d177) Reference the original issue for future reference
- [`a666af3`](https://github.com/vmg/redcarpet/commit/a666af35d4cde2653703577c4ed8ec777fba1fa4) Follow up to [#591](https://github-redirect.dependabot.com/vmg/redcarpet/issues/591)
- [`cf2da0b`](https://github.com/vmg/redcarpet/commit/cf2da0b0bb40831f55cddac3ac96f05cfb7b8db8) Merge pull request [#591](https://github-redirect.dependabot.com/vmg/redcarpet/issues/591) from sanmai/rndr_header_anchor
- [`f2d0ad9`](https://github.com/vmg/redcarpet/commit/f2d0ad999e547a478c23dc38a8f6f484541cdbd9) rndr_header_anchor: use djb2 hash for non-ascii text
- [`8d8e1ec`](https://github.com/vmg/redcarpet/commit/8d8e1eca1e6fcce2b4cf22c7f06cbc1facb834c4) rndr_header_anchor: do not remove character if nothing was added
- [`820dadb`](https://github.com/vmg/redcarpet/commit/820dadb98b3720811cc20c5570a5d43c796c85fc) Merge pull request [#583](https://github-redirect.dependabot.com/vmg/redcarpet/issues/583) from arbox/fb_correct_version_output
- [`4c4c9f2`](https://github.com/vmg/redcarpet/commit/4c4c9f2325f68902d8c745352106fc918286b05f) Corrected the line ending for the version output.
- [`8f811de`](https://github.com/vmg/redcarpet/commit/8f811de3a6234e49c1a6f4dd60b4389705794cfc) Improve the custom render example [ci skip]
- [`0993c2c`](https://github.com/vmg/redcarpet/commit/0993c2ccaaf06f47eabcdf086b6ca70b12d529dd) Add Rubinius under the allowed failures section
- Additional commits viewable in [compare view](https://github.com/vmg/redcarpet/compare/v3.2.2...v3.4.0)



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Note: This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking Bump now in your Dependabot dashboard.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
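The advisory quoted in this PR gives the fix as a version range (patched `>= 3.2.3`, no unaffected range), and the PR's only real claim is that moving the lockfile from 3.2.2 to 3.4.0 lands inside that range. The script below is an added example, not part of the Dependabot comment or of the redcarpet project: it reads the `redcarpet` entry out of a `Gemfile.lock` and evaluates it against the advisory's ranges with RubyGems' own `Gem::Version` and `Gem::Requirement`, which is the same comparison tools such as `bundler-audit` perform. The two lockfile excerpts are constructed to mirror the before and after state of this bump; the `ADVISORY` hash transcribes the ranges quoted above, and the `locked_version`, `affected?` and `audit` helpers are names chosen here.

```ruby
# Added example (not from the Dependabot PR or the redcarpet project):
# check a Gemfile.lock entry against an advisory's patched-version ranges
# using only the RubyGems classes bundled with Ruby.
require "rubygems"

# Constructed Gemfile.lock excerpt mirroring the state before this PR.
# Gemfile.lock indents top-level specs by four spaces and their own
# dependencies by six; <<~ strips the heredoc's leading two spaces.
BEFORE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rake (10.4.2)
      redcarpet (3.2.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake
    redcarpet
LOCK

# Constructed excerpt after the bump this PR performs.
AFTER_LOCK = BEFORE_LOCK.sub("redcarpet (3.2.2)", "redcarpet (3.4.0)")

# Ranges transcribed from the advisory quoted in the PR (OSVDB-120415).
ADVISORY = {
  gem: "redcarpet",
  patched_versions: [">= 3.2.3"],
  unaffected_versions: []
}.freeze

# Return the Gem::Version locked for +gem_name+, or nil when it is absent.
# Only four-space-indented lines are top-level specs; deeper lines are the
# dependency constraints of other gems and must not be matched.
def locked_version(lock_text, gem_name)
  lock_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# A version is affected unless it satisfies at least one patched or
# unaffected requirement; Gem::Requirement understands "~>", ">=", etc.
def affected?(version, advisory)
  safe = advisory[:patched_versions] + advisory[:unaffected_versions]
  safe.none? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
end

# Audit one lockfile and return a Hash so callers can act on the result.
def audit(lock_text, advisory)
  version = locked_version(lock_text, advisory[:gem])
  if version.nil?
    return { gem: advisory[:gem], version: nil, affected: false, reason: "not in lockfile" }
  end
  { gem: advisory[:gem], version: version.to_s, affected: affected?(version, advisory) }
end

if $PROGRAM_NAME == __FILE__
  [BEFORE_LOCK, AFTER_LOCK].each { |lock| p audit(lock, ADVISORY) }
end
```

Run stand-alone it reports the 3.2.2 lockfile as affected and the 3.4.0 one as clear. Because the check is driven by the advisory's own ranges rather than a hard-coded "is it 3.4.0", it also accepts any later patched release and rejects a lockfile that is only re-pinned to 3.2.2 on a different platform line.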
dependabot-preview[bot] commented 5 years ago

Superseded by #27.