yegor256 / 0pdd

Puzzle Driven Development (PDD) Chatbot Assistant for Your GitHub Repositories
https://www.0pdd.com
MIT License
129 stars 32 forks

Update dependency sinatra to v4.1.0 [SECURITY] #708

Open renovate[bot] opened 5 days ago

renovate[bot] commented 5 days ago

This PR contains the following updates:

| Package | Change |
|---|---|
| sinatra (source, changelog) | '4.0.0' -> '4.1.0' |

GitHub Vulnerability Alerts

CVE-2024-21510

Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.


Release Notes

sinatra/sinatra (sinatra)

### [`v4.1.0`](https://redirect.github.com/sinatra/sinatra/blob/HEAD/CHANGELOG.md#410--2024-11-18)

[Compare Source](https://redirect.github.com/sinatra/sinatra/compare/v4.0.0...v4.1.0)

- New: Add `host_authorization` setting ([#2053](https://redirect.github.com/sinatra/sinatra/pull/2053))
  - Defaults to `.localhost`, `.test` and any IP address in development mode.
  - Security: addresses [CVE-2024-21510](https://redirect.github.com/advisories/GHSA-hxx2-7vcw-mqr3).
- Fix: Return an instance of `Sinatra::IndifferentHash` when calling `#except` ([#2044](https://redirect.github.com/sinatra/sinatra/pull/2044))
- Fix: Address warning from `URI` for Ruby 3.4 ([#2060](https://redirect.github.com/sinatra/sinatra/pull/2060))
- Fix: `rackup` no longer depends on WEBrick, recommend Puma instead ([`4a558503`](https://redirect.github.com/sinatra/sinatra/commit/4a558503a0ee41f26d4ebc07b478340e8a8a5ed6))
- Fix: Zeitwerk 2.7.0+ compatibility ([#2050](https://redirect.github.com/sinatra/sinatra/pull/2050))
- Fix: Address warning about Hash construction for Ruby 3.4 ([#2028](https://redirect.github.com/sinatra/sinatra/pull/2028))
- Fix: Declare missing dependencies for Ruby 3.5 ([#2032](https://redirect.github.com/sinatra/sinatra/pull/2032))
- Fix: Compatibility with `--enable-frozen-string-literal` ([#2033](https://redirect.github.com/sinatra/sinatra/pull/2033))
- Fix: Rack 3.1 compatibility ([#2035](https://redirect.github.com/sinatra/sinatra/pull/2035))
  - Don't depend on `Rack::Logger`
  - Don't delete `content-length` header when `Rack::Files` is used

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
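
The following is an added example, not part of the bot's comment and not Sinatra's or 0pdd's code. It is a simplified plain-Ruby model of the trust decision described in the CVE-2024-21510 advisory above: a redirect target built from `X-Forwarded-Host`, with and without a host allow-list check. The host names, the helper names, the status bodies and the leading-dot matching rule are assumptions made for illustration.

```ruby
# Added illustration: constructed names and requests, not Sinatra's or 0pdd's code.
PERMITTED_HOSTS = ['app.example.test', '.internal.example.test'].freeze

# Normalise a host value: trim, lowercase, drop a trailing :port.
def strip_port(host)
  host.strip.downcase.sub(/:\d+\z/, '')
end

# Exact match, or for entries with a leading dot the bare domain and any
# subdomain (assumed semantics, modelled on the ".localhost" default).
def permitted?(host, allowed = PERMITTED_HOSTS)
  allowed.any? do |entry|
    if entry.start_with?('.')
      host == entry[1..] || host.end_with?(entry)
    else
      host == entry
    end
  end
end

# Build a redirect the way a framework that trusts X-Forwarded-Host would.
# With enforce: true every Host / X-Forwarded-Host value must be permitted
# before the Location header is built. Returns [status, body_or_location].
def redirect_response(env, path, enforce:)
  hosts = [env['HTTP_HOST'], *env['HTTP_X_FORWARDED_HOST'].to_s.split(',')]
          .compact.map { |h| strip_port(h) }.reject(&:empty?)
  return [400, 'Missing Host'] if hosts.empty?
  return [403, 'Host not permitted'] if enforce && !hosts.all? { |h| permitted?(h) }

  [302, "https://#{hosts.last}#{path}"]
end

# Constructed Rack-style environments.
NORMAL = { 'HTTP_HOST' => 'app.example.test' }.freeze
FORGED = { 'HTTP_HOST' => 'app.example.test',
           'HTTP_X_FORWARDED_HOST' => 'attacker.example' }.freeze

if __FILE__ == $PROGRAM_NAME
  p redirect_response(FORGED, '/login', enforce: false)
  p redirect_response(FORGED, '/login', enforce: true)
  p redirect_response(NORMAL, '/login', enforce: true)
end
```

In an application on Sinatra 4.1.0, this is the role of the new `host_authorization` setting listed in the release notes; a reverse proxy in front of the app should also overwrite or strip `X-Forwarded-Host` rather than pass the client's value through.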

renovate[bot] commented 5 days ago

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

The artifact failure details are included below:

File name: Gemfile.lock
Fetching gem metadata from https://rubygems.org/..........
Resolving dependencies...

Could not find compatible versions

Because sinatra-contrib >= 4.0.0, < 4.1.0 depends on sinatra = 4.0.0
  and Gemfile depends on sinatra = 4.1.0,
  sinatra-contrib >= 4.0.0, < 4.1.0 cannot be used.
So, because Gemfile depends on sinatra-contrib = 4.0.0,
  version solving has failed.