Bumps rack-cors from 1.0.2 to 1.0.5. This update includes a security fix.
Vulnerabilities fixed
*Sourced from The GitHub Security Advisory Database.*
> **High severity vulnerability that affects rack-cors**
> An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
>
> Affected versions: < 1.0.4
Changelog
*Sourced from [rack-cors's changelog](https://github.com/cyu/rack-cors/blob/master/CHANGELOG.md).*
> ## 1.0.5 - 2019-11-14
> ### Changed
> - Update Gem spec to require rack >= 1.6.0
>
> ## 1.0.4 - 2019-11-13
> ### Security
> - Escape and resolve path before evaluating resource rules (thanks to Colby Morgan)
>
> ## 1.0.3 - 2019-03-24
> ### Changed
> - Don't send 'Content-Type' header with pre-flight requests
> - Allow ruby array for vary header config
Commits
- [`b704fda`](https://github.com/cyu/rack-cors/commit/b704fda88298b311218b20452c7004506e800a29) Up rack requirement
- [`baa02d2`](https://github.com/cyu/rack-cors/commit/baa02d22c2d69808fe56e249faa6455a04f01193) Updating Gems to hopefully get rid of alerts in GH
- [`a5e8546`](https://github.com/cyu/rack-cors/commit/a5e854611254efd214f063895384f73aefc06f46) Reduce default max_age to a more sensible value
- [`e4d4fc3`](https://github.com/cyu/rack-cors/commit/e4d4fc362a4315808927011cbe5afcfe5486f17d) Unescape and resolve paths before resource checks
- [`145a5df`](https://github.com/cyu/rack-cors/commit/145a5df2f1a02bcddfaaf7cf61690e330a1d2a84) [CI] Test against Ruby 2.6
- [`f77f89f`](https://github.com/cyu/rack-cors/commit/f77f89f560e948c5e556bc26b254028b5be45562) Version 1.0.3
- [`ddcf819`](https://github.com/cyu/rack-cors/commit/ddcf81970afbf6cedea74d6362cc509d8c102eaf) Clean up gemspec
- [`5fed623`](https://github.com/cyu/rack-cors/commit/5fed623f0c1d2f8c61c8c3804c13adc599c57aac) Update rack gem
- [`1137201`](https://github.com/cyu/rack-cors/commit/1137201a2f2721b82ed1c40aa9ecc5fc74dbc9bd) Update Rails4 example
- [`c62c484`](https://github.com/cyu/rack-cors/commit/c62c484b3d7c9ec9df4fea20438b14d657e45cc4) Remove unnecessary :require option from Gemfile example
- Additional commits viewable in [compare view](https://github.com/cyu/rack-cors/compare/v1.0.2...v1.0.5)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Bumps rack-cors from 1.0.2 to 1.0.5. This update includes a security fix.
Vulnerabilities fixed
*Sourced from The GitHub Security Advisory Database.* > **High severity vulnerability that affects rack-cors** > An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format. > > Affected versions: < 1.0.4Changelog
*Sourced from [rack-cors's changelog](https://github.com/cyu/rack-cors/blob/master/CHANGELOG.md).* > ## 1.0.5 - 2019-11-14 > ### Changed > - Update Gem spec to require rack >= 1.6.0 > > ## 1.0.4 - 2019-11-13 > ### Security > - Escape and resolve path before evaluating resource rules (thanks to Colby Morgan) > > ## 1.0.3 - 2019-03-24 > ### Changed > - Don't send 'Content-Type' header with pre-flight requests > - Allow ruby array for vary header configCommits
- [`b704fda`](https://github.com/cyu/rack-cors/commit/b704fda88298b311218b20452c7004506e800a29) Up rack requirement - [`baa02d2`](https://github.com/cyu/rack-cors/commit/baa02d22c2d69808fe56e249faa6455a04f01193) Updating Gems to hopefully get rid of alerts in GH - [`a5e8546`](https://github.com/cyu/rack-cors/commit/a5e854611254efd214f063895384f73aefc06f46) Reduce default max_age to a more sensible value - [`e4d4fc3`](https://github.com/cyu/rack-cors/commit/e4d4fc362a4315808927011cbe5afcfe5486f17d) Unescape and resolve paths before resource checks - [`145a5df`](https://github.com/cyu/rack-cors/commit/145a5df2f1a02bcddfaaf7cf61690e330a1d2a84) [CI] Test against Ruby 2.6 - [`f77f89f`](https://github.com/cyu/rack-cors/commit/f77f89f560e948c5e556bc26b254028b5be45562) Version 1.0.3 - [`ddcf819`](https://github.com/cyu/rack-cors/commit/ddcf81970afbf6cedea74d6362cc509d8c102eaf) Clean up gemspec - [`5fed623`](https://github.com/cyu/rack-cors/commit/5fed623f0c1d2f8c61c8c3804c13adc599c57aac) Update rack gem - [`1137201`](https://github.com/cyu/rack-cors/commit/1137201a2f2721b82ed1c40aa9ecc5fc74dbc9bd) Update Rails4 example - [`c62c484`](https://github.com/cyu/rack-cors/commit/c62c484b3d7c9ec9df4fea20438b14d657e45cc4) Remove unnecessary :require option from Gemfile example - Additional commits viewable in [compare view](https://github.com/cyu/rack-cors/compare/v1.0.2...v1.0.5)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)