seq-code / registry

https://seqco.de
MIT License
2 stars 0 forks source link

Bump sqlite3 from 1.5.0 to 1.5.1 #68

Closed dependabot[bot] closed 2 years ago

dependabot[bot] commented 2 years ago

Bumps sqlite3 from 1.5.0 to 1.5.1.

Release notes

Sourced from sqlite3's releases.

1.5.1 / 2022-09-29

Dependencies

  • Vendored sqlite is updated to v3.39.4.

Security

The vendored version of sqlite, v3.39.4, should be considered to be a security release. From the release notes:

Version 3.39.4 is a minimal patch against the prior release that addresses issues found since the prior release. In particular, a potential vulnerability in the FTS3 extension has been fixed, so this should be considered a security update.

In order to exploit the vulnerability, an attacker must have full SQL access and must be able to construct a corrupt database with over 2GB of FTS3 content. The problem arises from a 32-bit signed integer overflow.

For more information please see GHSA-mgvv-5mxp-xq67.


sha256:

f9094440f8e561c5d37cf66a13c807f60ce5013d0a40ee5ee5942906b9cc77c4  sqlite3-1.5.1-aarch64-linux.gem
8ef2be3d373b4e4c4c3f7622b63403d1f7109fa5b9d922203ce29671f19d6b32  sqlite3-1.5.1-arm-linux.gem
aa38f01893530612dd1cb3083dc34fe3a22a7cb00393f9bdaa67c4498b228e06  sqlite3-1.5.1-arm64-darwin.gem
7940ee9080313fa44c9b33cd7c24c069f40f208b970234867239ef6b6d24db31  sqlite3-1.5.1-x64-mingw-ucrt.gem
1ee072798f8e10df1f34a8ee884eaad82a2d40b0cbbe5ebca2bcf937a9ca954c  sqlite3-1.5.1-x64-mingw32.gem
0e3807ad01aa6c77896d68658706b950328dd991e1dc8e9c56cafa69d64b4282  sqlite3-1.5.1-x86-linux.gem
319b1227e4983549f35997518dfa48df89239055e2460ec13277d84b2f3b200f  sqlite3-1.5.1-x86_64-darwin.gem
d983ba51eff37c3679963949f4132b32f528d0a0bc3df09150c8e1a0a88e0444  sqlite3-1.5.1-x86_64-linux.gem
9148b84e4810284fe18573fce214060011d3f7af3a46a3ebd65b066da8242fbc  sqlite3-1.5.1.gem
Changelog

Sourced from sqlite3's changelog.

v1.5.0 and v1.5.1 mistakenly packaged the tarball for sqlite v3.38.5 in the vanilla "ruby" platform gem, resulting in downloading the intended tarball over the network at installation time (or, if the network was not available, failure to install). Note that the precompiled native gems were not affected by this issue. #352

1.5.1 / 2022-09-29

Dependencies

  • Vendored sqlite is updated to v3.39.4.

Security

The vendored version of sqlite, v3.39.4, should be considered to be a security release. From the release notes:

Version 3.39.4 is a minimal patch against the prior release that addresses issues found since the prior release. In particular, a potential vulnerability in the FTS3 extension has been fixed, so this should be considered a security update.

In order to exploit the vulnerability, an attacker must have full SQL access and must be able to construct a corrupt database with over 2GB of FTS3 content. The problem arises from a 32-bit signed integer overflow.

For more information please see GHSA-mgvv-5mxp-xq67.

1.5.0 / 2022-09-08

Packaging

Faster, more reliable installation

Native (precompiled) gems are available for Ruby 2.6, 2.7, 3.0, and 3.1 on all these platforms:

  • aarch64-linux
  • arm-linux
  • arm64-darwin
  • x64-mingw32 and x64-mingw-ucrt
  • x86-linux
  • x86_64-darwin
  • x86_64-linux

If you are using one of these Ruby versions on one of these platforms, the native gem is the recommended way to install sqlite3-ruby.

See the README for more information.

More consistent developer experience

Both the native (precompiled) gems and the vanilla "ruby platform" (source) gem include sqlite v3.39.3 by default.

Defaulting to a consistent version of sqlite across all systems means that your development environment behaves exactly like your production environment, and you have access to the latest and greatest features of sqlite.

... (truncated)

Commits
  • 8ab3ecc version bump to 1.5.1
  • b026da1 Merge pull request #349 from sparklemotion/flavorjones-update-sqlite-3.39.4
  • 8ebb39d dep: update packaged sqlite3 to v3.39.4
  • 4bf6f66 doc: clarify how to avoid installing a native gem
  • See full diff in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/seq-code/registry/network/alerts).