🚨 [security] [ruby] Update kramdown: 1.17.0 → 2.3.0 (major)

---

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

---

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ kramdown (indirect, 1.17.0 → 2.3.0) · Repo · Changelog

Security Advisories 🚨

🚨 Unintended read access in kramdown gem

The kramdown gem before 2.3.0 for Ruby processes the template option inside
Kramdown documents by default, which allows unintended read access (such as
template="/etc/passwd") or unintended embedded Ruby code execution (such as a
string that begins with template="string://<%= `). NOTE: kramdown is used in
Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

✳️ middleman (4.3.7 → 4.3.11) · Repo · Changelog

↗️ activesupport (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Release Notes

5.2.4.4 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 1 commit:

• v5.2.4.4

↗️ backports (indirect, 3.18.1 → 3.20.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 27 commits:

• v3.20.1
• Add `Ractor#[]` and `#[]=`
• Fix `Ractor.current` from threads
• v3.20.0
• Move test first, looks like a thread remains hung from time to time
• Backport `Ractor`
• Add custom FilteredQueue
• v3.19.0
• Add `Symbol#name`
• Add Hash#transform_keys{!} (with hash argument) (Ruby 3.0)
• Add {Hash|ENV}#except (3.0)
• Update spec
• Run RuboCop once only
• Freeze RuboCop
• Backport `Queue#close` and `closed?` (2.3.0)
• Tweak RuboCop rules
• Tweak requires; add 3.0
• Cleanup
• Update specs / mspec
• Add Bignum#dup (2.4.0)
• Switch to github actions
• Satisfy `Style/DocumentDynamicEvalDefinition`
• Run CI on 2.7
• Update RuboCop
• Update rubocop
• v3.18.2
• fix: add missing 2.3.0/string.rb

↗️ concurrent-ruby (indirect, 1.1.6 → 1.1.7) · Repo · Changelog

Release Notes

1.1.7 (from changelog)

concurrent-ruby:

• (#879) Consider falsy value on Concurrent::Map#compute_if_absent for fast non-blocking path
• (#876) Reset Async queue on forking, makes Async fork-safe
• (#856) Avoid running problematic code in RubyThreadLocalVar on MRI that occasionally results in segfault
• (#853) Introduce ThreadPoolExecutor without a Queue

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 42 commits:

• Update rake-compiler-dock to add 2.7 build
• Add 1.1.7 documentation
• Bump version, update doc
• Merge pull request #879 from mtsmfm/consider-falsy-in-compute-if-absent
• Consider falsy value on `Concurrent::Map#compute_if_absent` fast non-blocking path
• Merge pull request #878 from markiz/ma/issue-863
• Merge pull request #877 from mikrobi/patch-1
• Remove outdated documentation about constructor redefinition when including Concurrent::Async
• Update future.md
• Update doc
• Merge pull request #869 from baweaver/baweaver/cleanup/remove-ruby-2-2-references
• Merge pull request #876 from wjordan/fork_async
• Merge pull request #856 from ruby-concurrency/segfault
• Change license file to txt
• Remove ``` from LICENSE.md
• Reset Async queue on fork
• Removes references to static Ruby versions in docs
• Merge pull request #861 from olleolleolle/patch-2
• CI: Use jruby-9.2.11.1
• Merge pull request #859 from olleolleolle/rubinius-ci-config
• CI: Rubinius as rbx-3.107
• Merge pull request #853 from fzakaria/faridzakaria/bounded_queue
• Merge pull request #858 from shanecav84/patch-1
• Merge pull request #857 from olleolleolle/patch-2
• Typo
• Typo
• CI: add jruby-9.2.11.0
• Added changelog description
• make if condition more ruby-idiomatic
• remove 'concurrent/mvar'
• RubyThreadLocalVar: rely on GIL on MRI to avoid problems with thread/mutex/queue in finalizers
• Fix documentation
• remove whitespace
• Simply make queue always false when @synchronous
• Introduce ThreadPoolExecutor without a Queue
• Merge pull request #855 from olleolleolle/patch-2
• Do not allow failures on JRuby 9.2.10.0 Latest on Java 11
• CI: Use JRuby 9.2.10.0
• Merge pull request #854 from bjfish/fix-argument-prefix-warnings
• Fix argument prefix warning
• Merge pull request #852 from fzakaria/remove-unused-line
• Remove unused line

↗️ fastimage (indirect, 2.1.7 → 2.2.1) · Repo

Commits

See the full diff on Github. The new version differs by 23 commits:

• bump version
• Merge pull request #120 from ky1vstar/master
• Update README.textile
• Merge pull request #119 from nbianca/master
• Use frames count instead of delay to check animated GIFs
• Bump version
• Merge pull request #117 from PikachuEXE/replace-deprecated-method-usage
• * Test with 2.7 too
• * Replace URI.escape with ::URI::DEFAULT_PARSER.escape
• Merge pull request #116 from PikachuEXE/fix-incorrect-redirect-response-handling
• Fix handling of redirect response without Location header
• Update url for large image to https
• Fix returning nil if image type not gif for animated
• Merge pull request #114 from nbianca/master
• Add check for animated GIFs
• Revert rake requirement since we still support ruby 1.9.2
• Merge pull request #115 from gschlager/master
• Update rake
• Avoid detecting arbitrary XML as SVG
• Merge pull request #111 from aried3r/ar/travis_update
• Update Ruby 1.9-2.6
• Merge pull request #110 from aried3r/patch-2
• Use SVG Travis CI badge

↗️ ffi (indirect, 1.13.1 → 1.14.2) · Repo · Changelog

Release Notes

1.14.2 (from changelog)

Fixed:

• Fix builtin libffi on newer Ubuntu caused by an outdated Makefile.in . #863

1.14.1 (from changelog)

Changed:

• Revert changes to FFI::Pointer#write_string made in ffi-1.14.0. It breaks compatibilty in a way that can cause hard to find errors. #857

1.14.0 (from changelog)

Added:

• Add types.conf for x86_64-msys, x86_64-haiku, aarch64-openbsd and aarch64-darwin (alias arm64-darwin)
• Add method AbstractMemory#size_limit? . #829
• Add new extconf option --enable-libffi-alloc which is enabled per default on Apple M1 (arm64-darwin).

Changed:

• Do NULL pointer check only when array length > 0 . #305
• Raise an error on an unknown order argument. #830
• Change FFI::Pointer#write_string to terminate with a NUL byte like other string methods. #805
• Update bundled libffi to latest master.

Removed:

• Remove win32/stdint.h and stdbool.h because of copyright issue. #693

Fixed:

• Fix possible UTF-8 load error in loader script interpretation. #792
• Fix segfault on non-array argument to #write_array_of_*
• Fix memory leak in MethodHandle . #815
• Fix possible segfault in combination with fiddle or other libffi using gems . #835
• Fix possibility to use ffi ruby gem with JRuby-9.3 . #763

Does any of this look wrong? Please let us know.

↗️ haml (indirect, 5.1.2 → 5.2.1) · Repo · Changelog

Release Notes

5.2.1

It's time to face the facts that the last release was a LIE. I said we weren't going to release another version of Haml 5.x... and yet, here we are again.

"What's this all about?!?!", you must be screaming at your computer.

Well, our wonderful @k0kubun has given all of us a wonderful present– which is proper multiline-attributes support for Haml. No longer are we forced to either have super long lines or have kinda wonky spacing on our attributes.

How it started:

  .messages-overflow-container{"data-simplebar": true}
    .messages{data: {controller: "chat-messages"}}
  .like-notification{data: {controller: "reaction-notification"}}
  - unless video.finished?
    .message-write{data: { "controller": "chat", "show-when-logged-in": true }}
      .chat-controls
        .write-area{placeholder: 'Send a message', contenteditable: true, role: "textbox", data: {action: "keydown->chat#chatBoxKeyDown", target: "chat.messageInput"}}
        = render "shared/reaction_button"
    .message-login-prompt{data: { "show-when-logged-out": true }}
      %button{data: {action: "authentication#showModal"}} Login To Chat

How it's going:

  .messages-overflow-container{"data-simplebar": true}
    .messages{
      data: { controller: "chat-messages" }
   }
  .like-notification{
    data: { controller: "reaction-notification" } }
  - unless video.finished?
    .message-write{
      data: { 
        "controller": "chat", 
        "show-when-logged-in": true 
      }
    }
      .chat-controls
        .write-area{
          placeholder: 'Send a message', 
          contenteditable: true, 
          role: "textbox", 
          data: {
            action: "keydown->chat#chatBoxKeyDown", 
            target: "chat.messageInput"
          }
        }
        = render "shared/reaction_button"
    .message-login-prompt{data: { "show-when-logged-out": true }}
      %button{
        data: {
          action: "authentication#showModal"
        }
      } Login To Chat

How about THAT! I don't know about you, but this is going to improve my markup by a huge margin. I am super thrilled to get this into our code at @veuelive!

5.2.0

This release is meant to be the final release that's got all the bells and whistles of Haml from the last 10 years. Going forward, new releases will be in the 6.x.x series and will NOT be backwards compatible for many features.

We may do a release of 5.2.1+ if we have security issues come up.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 45 commits:

• Preparing for 5.2.1 Release
• Implement multiline attributes
• fix broken link
• updating version number
• Changing tests to get around a JRuby issue
• Suppress ruby warning when testing output
• Exclude `enable-frozen-string-literal` cases for older rails versions
• Run tests with frozen strings ruby opt
• Avoid unexpected mutation of strings
• Revert an accidental change to fix CI
• Fix small typo.
• remove unused badge
• Couple small renames for “main” branch moveover
• Remove Testing for EOL Ruby Versions
• Breaking Up the Monolitic Engine Tests
• Use The Automatic Template Test Runner
• Move tested contents to files
• Escape attributes regardless of whether it's SafeBuffer or not
• downgrade simplecov version
• add in simplecov and use rails 6 non-rc
• Run the code climate coverate reporter
• Run Coverage for Every Test
• Add changelog for class ordering
• Reorder Class Names
• Update haml-spec
• add changelog entry for #1014
• Do not run escape_html on text/plain files
• Preserve order of class names in Haml tags
• One-line bundler setup
• Update .gitignore
• This will allow you to run the "rake" command by itself, as mentioned in the README, without requiring you to prefix with bundle exec
• Add a changelog entry
• Support Ruby 2.0.0 again
• Fix typo
• This is how refinements works
• Guard against #inspect monkey patches of true/false
• Revert "Update haml-spec"
• Update haml-spec
• Merge pull request #1022 from mehagar/anchor
• Get inserting ruby anchor working
• Install older versions of rubygems and bundler only on Ruby < 2.7
• Fix deprecation warning on #rubinius?
• Ruby 2.2 on Rails 5.2 doesn't seem to work
• Test Ruby 2.7.0 on Travis
• Upgrade teeny versions running on Travis

↗️ middleman-cli (indirect, 4.3.7 → 4.3.11)

Sorry, we couldn't find anything useful about this release.

↗️ middleman-core (indirect, 4.3.7 → 4.3.11)

Sorry, we couldn't find anything useful about this release.

↗️ minitest (indirect, 5.14.1 → 5.14.2) · Repo · Changelog

Release Notes

5.14.2 (from changelog)

• 1 bug fix:

  • Bumped ruby version to include 3.0 (trunk).

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• prepped for release
• - Bumped ruby version to include 3.0 (trunk).
• whitespace
• I am an idiot... fixed a last-day-of-month testing bug. I don't think I've done that in 15+ years. :P

↗️ parallel (indirect, 1.19.2 → 1.20.1) · Repo

Commits

See the full diff on Github. The new version differs by 16 commits:

• v1.20.1
• Merge pull request #287 from grosser/grosser/eol
• bring back ruby 2.4 since that broke rubocop builds because of some dependency foobar
• Merge pull request #288 from grosser/grosser/ga
• use GA
• v1.20.0
• Merge pull request #285 from grosser/grosser/break
• allow breaking with value
• Merge pull request #278 from grosser/grosser/ci
• remove cert
• fix errors
• bump rake to fix warnings
• bump rails
• bump ruby requirements
• bump AR
• fix ci

↗️ public_suffix (indirect, 4.0.5 → 4.0.6) · Repo · Changelog

Release Notes

4.0.6 (from changelog)

Changed

• Updated definitions.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

• Release 4.0.6
• Last release with 2.3
• Ignore rubocop cop
• Update rubocop
• Updated definitions
• Fix key duplication in codecov.yml (#175)

↗️ tzinfo (indirect, 1.2.7 → 1.2.9) · Repo · Changelog

Release Notes

1.2.9

• Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

TZInfo v1.2.9 on RubyGems.org

1.2.8

• Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
• Rubinius is no longer supported.

TZInfo v1.2.8 on RubyGems.org

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 18 commits:

• Preparing v1.2.9.
• Remove JRuby 9.0.5.0.
• Download GlobalSign Root CA - R3 for use with older Ruby versions.
• Add 1.8.7-head, 1.9.2-p330, jruby-9.0.5.0 and ree to allow failures.
• Update to JRuby 9.2.14.0.
• Ignore generated transations that do not change the offset.
• [ci skip] Add issue number reference.
• Preparing v1.2.8.
• Update time zone test fixtures based on tzdata 2020d.
• Support "slim" zoneinfo files produced by default by zic >= 2020b.
• Use up to date Linux distros to test (where possible).
• Remove the deprecated sudo option.
• Switch to travis-ci.com.
• Update to Ruby 2.7.2 and JRuby 9.2.13.0.
• Revert "Add Ruby 2.7 on AppVeyor."
• Add Ruby 2.7 on AppVeyor.
• Stop supporting Rubinius.
• Update to Ruby 2.4.10.

🆕 rexml (added, 3.2.4)

---

👉 No CI detected

You don't seem to have any Continuous Integration service set up!

Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.

This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:

• Circle CI, Semaphore and Travis-CI are all excellent options.
• If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github.
• If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with depfu/.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)