🚨 [security] Update cocoapods-downloader: 1.5.1 → 1.6.0 (minor)

[depfu[bot]]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ cocoapods-downloader (indirect, 1.5.1 → 1.6.0) · Repo · Changelog

Security Advisories 🚨

🚨 Command injection in cocoapods-downloader

The package cocoapods-downloader before 1.6.0, from 1.6.2 and before
1.6.3 are vulnerable to Command Injection via git argument injection. When calling
the Pod::Downloader.preprocess_options function and using git, both the git and
branch parameters are passed to the git ls-remote subcommand in a way that additional
flags can be set. The additional flags can be used to perform a command injection.

Release Notes

1.6.0

Enhancements

• None.

Bug Fixes

• Adds a check for command injections in the input for hg and git.
  orta
  #124

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

• Release 1.6.0
• Add CHANGELOG entry for #124
• Use Ruby 3.0.0 in CI
• Merge pull request #123 from sethfri/ignore-idea
• Merge pull request #124 from CocoaPods/raise_on_cmd_inj
• Adds a check for command injections in the input for hg and git
• Add .idea to .gitignore to ignore JetBrains IDE files
• Merge branch '1-5-stable'
• [CHANGELOG] Add empty Master section

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[codecov-commenter]

Codecov Report

Merging #676 (ea069df) into main (6b7707c) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #676   +/-   ##
=======================================
  Coverage   84.75%   84.75%           
=======================================
  Files         157      157           
  Lines        8987     8987           
=======================================
  Hits         7617     7617           
  Misses       1370     1370           

---

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update 6b7707c...ea069df. Read the comment docs.

[depfu[bot]]

Closing because this update has already been applied