renovate[bot]
commented
1 year ago ⚠ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
- any of the package files in this branch needs updating, or
- the branch becomes conflicted, or
- you click the rebase/retry checkbox if found above, or
- you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: Gemfile.lock
Installing v1 tool bundler v1.17.2
Successfully installed bundler-1.17.2
1 gem installed
Bundler version 1.17.2
Installed v1 bundler in 2 seconds
skip cleanup, not a docker build: 1563ca543ad3
ruby 2.6.0p0 (2018-12-25 revision 66547) [x86_64-linux]
Fetching gem metadata from https://rubygems.org/..........
Fetching gem metadata from https://rubygems.org/.
Resolving dependencies........
Bundler could not find compatible versions for gem "rack":
In Gemfile:
rack (= 2.1.4)
sinatra (= 2.2.3) was resolved to 2.2.3, which depends on
rack (~> 2.2)
0crat
yegor256
rultor
This PR contains the following updates:
'2.0.4'->'2.2.3'GitHub Vulnerability Alerts
CVE-2022-29970
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
CVE-2022-45442
Description
An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input.
References
Release Notes
sinatra/sinatra
### [`v2.2.3`](https://togithub.com/sinatra/sinatra/blob/HEAD/CHANGELOG.md#223--2022-11-25) [Compare Source](https://togithub.com/sinatra/sinatra/compare/v2.2.2...v2.2.3) - Fix: Escape filename in the Content-Disposition header. [#1841](https://togithub.com/sinatra/sinatra/pull/1841) by Kunpei Sakai - Fix: fixed ReDoS for Rack::Protection::IPSpoofing. [#1823](https://togithub.com/sinatra/sinatra/pull/1823) by [@ooooooo-q](https://togithub.com/ooooooo-q) ### [`v2.2.2`](https://togithub.com/sinatra/sinatra/blob/HEAD/CHANGELOG.md#222--2022-07-23) [Compare Source](https://togithub.com/sinatra/sinatra/compare/v2.2.1...v2.2.2) - Update mustermann dependency to version 2. ### [`v2.2.1`](https://togithub.com/sinatra/sinatra/blob/HEAD/CHANGELOG.md#221--2022-07-15) [Compare Source](https://togithub.com/sinatra/sinatra/compare/v2.2.0...v2.2.1) - Fix JRuby regression by using ruby2\_keywords for delegation. [#1750](https://togithub.com/sinatra/sinatra/issues/1750) by Patrik Ragnarsson - Add JRuby to CI. [#1755](https://togithub.com/sinatra/sinatra/issues/1755) by Karol Bucek ### [`v2.2.0`](https://togithub.com/sinatra/sinatra/blob/HEAD/CHANGELOG.md#220--2022-02-15) [Compare Source](https://togithub.com/sinatra/sinatra/compare/v2.1.0...v2.2.0) - Breaking change: Add `#select`, `#reject` and `#compact` methods to `Sinatra::IndifferentHash`. If hash keys need to be converted to symbols, call `#to_h` to get a `Hash` instance first. [#1711](https://togithub.com/sinatra/sinatra/pull/1711) by Olivier Bellone - Handle EOFError raised by Rack and return Bad Request 400 status. [#1743](https://togithub.com/sinatra/sinatra/pull/1743) by tamazon - Minor refactors in `base.rb`. [#1640](https://togithub.com/sinatra/sinatra/pull/1640) by ceclinux - Add escaping to the static 404 page. [#1645](https://togithub.com/sinatra/sinatra/pull/1645) by Chris Gavin - Remove `detect_rack_handler` method. [#1652](https://togithub.com/sinatra/sinatra/pull/1652) by ceclinux - Respect content type set in superclass before filter. Fixes [#1647](https://togithub.com/sinatra/sinatra/issues/1647) [#1649](https://togithub.com/sinatra/sinatra/pull/1649) by Jordan Owens - *Revert "Use prepend instead of include for helpers.* [#1662](https://togithub.com/sinatra/sinatra/pull/1662) by namusyaka - Fix usage of inherited `Sinatra::Base` classes keyword arguments. Fixes [#1669](https://togithub.com/sinatra/sinatra/issues/1669) [#1670](https://togithub.com/sinatra/sinatra/pull/1670) by Cadu Ribeiro - Reduce RDoc generation time by not including every README. Fixes [#1578](https://togithub.com/sinatra/sinatra/issues/1578) [#1671](https://togithub.com/sinatra/sinatra/pull/1671) by Eloy Pérez - Add support for per form csrf tokens. Fixes [#1616](https://togithub.com/sinatra/sinatra/issues/1616) [#1653](https://togithub.com/sinatra/sinatra/pull/1653) by Jordan Owens - Update MAINTENANCE.md with the `stable` branch status. [#1681](https://togithub.com/sinatra/sinatra/pull/1681) by Fredrik Rubensson - Validate expanded path matches `public_dir` when serving static files. [#1683](https://togithub.com/sinatra/sinatra/pull/1683) by cji-stripe - Fix Delegator to pass keyword arguments for Ruby 3.0. [#1684](https://togithub.com/sinatra/sinatra/pull/1684) by andrewtblake - Fix use with keyword arguments for Ruby 3.0. [#1701](https://togithub.com/sinatra/sinatra/pull/1701) by Robin Wallin - Fix memory leaks for proc template. Fixes [#1704](https://togithub.com/sinatra/sinatra/issues/1714) [#1719](https://togithub.com/sinatra/sinatra/pull/1719) by Slevin - Remove unnecessary `test_files` from the gemspec. [#1712](https://togithub.com/sinatra/sinatra/pull/1712) by Masataka Pocke Kuwabara - Docs: Spanish documentation: Update README.es.md with removal of Thin. [#1630](https://togithub.com/sinatra/sinatra/pull/1630) by Espartaco Palma - Docs: German documentation: Fixed typos in German README.md. [#1648](https://togithub.com/sinatra/sinatra/pull/1648) by Juri - Docs: Japanese documentation: Update README.ja.md with removal of Thin. [#1629](https://togithub.com/sinatra/sinatra/pull/1629) by Ryuichi KAWAMATA - Docs: English documentation: Various minor fixes to README.md. [#1663](https://togithub.com/sinatra/sinatra/pull/1663) by Yanis Zafirópulos - Docs: English documentation: Document when `dump_errors` is enabled. Fixes [#1664](https://togithub.com/sinatra/sinatra/issues/1664) [#1665](https://togithub.com/sinatra/sinatra/pull/1665) by Patrik Ragnarsson - Docs: Brazilian Portuguese documentation: Update README.pt-br.md with translation fixes. [#1668](https://togithub.com/sinatra/sinatra/pull/1668) by Vitor Oliveira ##### CI - Use latest JRuby 9.2.16.0 on CI. [#1682](https://togithub.com/sinatra/sinatra/pull/1682) by Olle Jonsson - Switch CI from travis to GitHub Actions. [#1691](https://togithub.com/sinatra/sinatra/pull/1691) by namusyaka - Skip the Slack action if `secrets.SLACK_WEBHOOK` is not set. [#1705](https://togithub.com/sinatra/sinatra/pull/1705) by Robin Wallin - Small CI improvements. [#1703](https://togithub.com/sinatra/sinatra/pull/1703) by Robin Wallin - Drop auto-generated boilerplate comments from CI configuration file. [#1728](https://togithub.com/sinatra/sinatra/pull/1728) by Olle Jonsson ##### sinatra-contrib - Do not raise when key is an enumerable. [#1619](https://togithub.com/sinatra/sinatra/pull/1619) by Ulysse Buonomo ##### Rack protection - Fix broken `origin_whitelist` option. Fixes [#1641](https://togithub.com/sinatra/sinatra/issues/1641) [#1642](https://togithub.com/sinatra/sinatra/pull/1642) by Takeshi YASHIRO ### [`v2.1.0`](https://togithub.com/sinatra/sinatra/blob/HEAD/CHANGELOG.md#210--2020-09-05) [Compare Source](https://togithub.com/sinatra/sinatra/compare/v2.0.8.1...v2.1.0) - Fix additional Ruby 2.7 keyword warnings [#1586](https://togithub.com/sinatra/sinatra/pull/1586) by Stefan Sundin - Drop Ruby 2.2 support [#1455](https://togithub.com/sinatra/sinatra/pull/1455) by Eloy Pérez - Add Rack::Protection::ReferrerPolicy [#1291](https://togithub.com/sinatra/sinatra/pull/1291) by Stefan Sundin - Add `default_content_type` setting. Fixes [#1238](https://togithub.com/sinatra/sinatra/pull/1238) [#1239](https://togithub.com/sinatra/sinatra/pull/1239) by Mike Pastore - Allow `set :Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.