🚨 [security] [ruby] Update kramdown: 1.17.0 → 2.3.0 (major)
Welcome to Depfu
This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.
After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.
Let us know if you have any questions. Thanks so much for giving Depfu a try!
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗️ kramdown (indirect, 1.17.0 → 2.3.0) · Repo · Changelog
Security Advisories 🚨
🚨 Unintended read access in kramdown gem
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
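The advisory above turns on kramdown honouring the `template` option when it is set from inside the document itself. As an added example (not code from this Depfu PR, from kramdown, or from the repository being updated), the Ruby below scans untrusted Markdown for kramdown's documented inline options block, `{::options key="value" /}`, wherever it sets `template`, so an ingestion pipeline can flag or strip such input before rendering. It assumes only that syntax; it is defence in depth for content pipelines and a detection aid, and does not replace the upgrade to 2.3.0 that this PR applies.

```ruby
# Added example, not part of this Depfu PR or of the kramdown gem itself.
# kramdown lets a document set parser options inline with the block
# {::options key="value" /}. Before 2.3.0 that included `template`, so a
# document could read files (template="/etc/passwd") or embed ERB
# (template="string://<%= ...") as the advisory describes. These helpers
# detect and strip such blocks from untrusted input before it reaches the
# renderer; they complement, not replace, the upgrade to 2.3.0.

# An inline options block: everything between "{::options" and "/}".
OPTIONS_BLOCK = /\{::options\s+([^}]*?)\s*\/\}/

# A template=... key/value pair inside such a block, single or double quoted.
TEMPLATE_KV = /\btemplate\s*=\s*(["'])(.*?)\1/

# Return every template value a document tries to set via an inline options block.
def template_options(markdown)
  markdown.scan(OPTIONS_BLOCK).flat_map do |(body)|
    body.scan(TEMPLATE_KV).map(&:last)
  end
end

# True when the document tries to set `template` inline.
def unsafe_template?(markdown)
  !template_options(markdown).empty?
end

# Remove only the inline options blocks that set `template`; other inline
# options (for example auto_ids) are left untouched.
def strip_template_options(markdown)
  markdown.gsub(OPTIONS_BLOCK) do |block|
    block.match?(TEMPLATE_KV) ? "" : block
  end
end

# Constructed sample mirroring the advisory's two payload shapes.
SAMPLE = <<~MD
  # Untrusted page
  {::options auto_ids="false" /}
  {::options template="/etc/passwd" /}
  Some text.
  {::options template='string://<%= 1 + 1 %>' /}
MD

if __FILE__ == $PROGRAM_NAME
  puts "template values found: #{template_options(SAMPLE).inspect}"
  puts strip_template_options(SAMPLE)
end
```

Run it on a file of inbound Markdown to get the list of `template` values it would have set; a non-empty list is the signal to reject the document (or log it) rather than render it, and `strip_template_options` is the fallback where rejection is not an option.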
✳️ middleman (4.3.7 → 4.3.11) · Repo · Changelog
↗️ activesupport (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog
↗️ backports (indirect, 3.18.1 → 3.20.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 27 commits:
v3.20.1
Add `Ractor#[]` and `#[]=`
Fix `Ractor.current` from threads
v3.20.0
Move test first, looks like a thread remains hung from time to time
Backport `Ractor`
Add custom FilteredQueue
v3.19.0
Add `Symbol#name`
Add Hash#transform_keys{!} (with hash argument) (Ruby 3.0)
Add {Hash|ENV}#except (3.0)
Update spec
Run RuboCop once only
Freeze RuboCop
Backport `Queue#close` and `closed?` (2.3.0)
Tweak RuboCop rules
Tweak requires; add 3.0
Cleanup
Update specs / mspec
Add Bignum#dup (2.4.0)
Switch to github actions
Satisfy `Style/DocumentDynamicEvalDefinition`
Run CI on 2.7
Update RuboCop
Update rubocop
v3.18.2
fix: add missing 2.3.0/string.rb
↗️ concurrent-ruby (indirect, 1.1.6 → 1.1.7) · Repo · Changelog
Release Notes
1.1.7 (from changelog)
concurrent-ruby:
- (#879) Consider falsy value on Concurrent::Map#compute_if_absent for fast non-blocking path
- (#876) Reset Async queue on forking, makes Async fork-safe
- (#856) Avoid running problematic code in RubyThreadLocalVar on MRI that occasionally results in segfault
- (#853) Introduce ThreadPoolExecutor without a Queue
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 42 commits:
Update rake-compiler-dock to add 2.7 build
Add 1.1.7 documentation
Bump version, update doc
Merge pull request #879 from mtsmfm/consider-falsy-in-compute-if-absent
Consider falsy value on `Concurrent::Map#compute_if_absent` fast non-blocking path
Merge pull request #878 from markiz/ma/issue-863
Merge pull request #877 from mikrobi/patch-1
Remove outdated documentation about constructor redefinition when including Concurrent::Async
Update future.md
Update doc
Merge pull request #869 from baweaver/baweaver/cleanup/remove-ruby-2-2-references
Merge pull request #876 from wjordan/fork_async
Merge pull request #856 from ruby-concurrency/segfault
Change license file to txt
Remove ``` from LICENSE.md
Reset Async queue on fork
Removes references to static Ruby versions in docs
Merge pull request #861 from olleolleolle/patch-2
CI: Use jruby-9.2.11.1
Merge pull request #859 from olleolleolle/rubinius-ci-config
CI: Rubinius as rbx-3.107
Merge pull request #853 from fzakaria/faridzakaria/bounded_queue
Merge pull request #858 from shanecav84/patch-1
Merge pull request #857 from olleolleolle/patch-2
Typo
Typo
CI: add jruby-9.2.11.0
Added changelog description
make if condition more ruby-idiomatic
remove 'concurrent/mvar'
RubyThreadLocalVar: rely on GIL on MRI to avoid problems with thread/mutex/queue in finalizers
Fix documentation
remove whitespace
Simply make queue always false when @synchronous
Introduce ThreadPoolExecutor without a Queue
Merge pull request #855 from olleolleolle/patch-2
Do not allow failures on JRuby 9.2.10.0 Latest on Java 11
CI: Use JRuby 9.2.10.0
Merge pull request #854 from bjfish/fix-argument-prefix-warnings
Fix argument prefix warning
Merge pull request #852 from fzakaria/remove-unused-line
Remove unused line
↗️ fastimage (indirect, 2.1.7 → 2.2.1) · Repo
Commits
See the full diff on Github. The new version differs by 23 commits:
bump version
Merge pull request #120 from ky1vstar/master
Update README.textile
Merge pull request #119 from nbianca/master
Use frames count instead of delay to check animated GIFs
Bump version
Merge pull request #117 from PikachuEXE/replace-deprecated-method-usage
* Test with 2.7 too
* Replace URI.escape with ::URI::DEFAULT_PARSER.escape
Merge pull request #116 from PikachuEXE/fix-incorrect-redirect-response-handling
Fix handling of redirect response without Location header
Update url for large image to https
Fix returning nil if image type not gif for animated
Merge pull request #114 from nbianca/master
Add check for animated GIFs
Revert rake requirement since we still support ruby 1.9.2
Merge pull request #115 from gschlager/master
Update rake
Avoid detecting arbitrary XML as SVG
Merge pull request #111 from aried3r/ar/travis_update
Update Ruby 1.9-2.6
Merge pull request #110 from aried3r/patch-2
Use SVG Travis CI badge
↗️ ffi (indirect, 1.13.1 → 1.14.2) · Repo · Changelog
Release Notes
1.14.2 (from changelog)
Fixed:
- Fix builtin libffi on newer Ubuntu caused by an outdated Makefile.in . #863
1.14.1 (from changelog)
Changed:
- Revert changes to FFI::Pointer#write_string made in ffi-1.14.0. It breaks compatibility in a way that can cause hard to find errors. #857
1.14.0 (from changelog)
Added:
- Add types.conf for x86_64-msys, x86_64-haiku, aarch64-openbsd and aarch64-darwin (alias arm64-darwin)
- Add method AbstractMemory#size_limit? . #829
- Add new extconf option --enable-libffi-alloc which is enabled per default on Apple M1 (arm64-darwin).
Changed:
- Do NULL pointer check only when array length > 0 . #305
- Raise an error on an unknown order argument. #830
- Change FFI::Pointer#write_string to terminate with a NUL byte like other string methods. #805
- Update bundled libffi to latest master.
Removed:
- Remove win32/stdint.h and stdbool.h because of copyright issue. #693
Fixed:
- Fix possible UTF-8 load error in loader script interpretation. #792
- Fix segfault on non-array argument to #write_array_of_*
- Fix memory leak in MethodHandle . #815
- Fix possible segfault in combination with fiddle or other libffi using gems . #835
- Fix possibility to use ffi ruby gem with JRuby-9.3 . #763
Does any of this look wrong? Please let us know.
↗️ haml (indirect, 5.1.2 → 5.2.1) · Repo · Changelog
Release Notes
5.2.1
It's time to face the facts that the last release was a LIE. I said we weren't going to release another version of Haml 5.x... and yet, here we are again.
"What's this all about?!?!", you must be screaming at your computer.
Well, our wonderful @k0kubun has given all of us a wonderful present– which is proper multiline-attributes support for Haml. No longer are we forced to either have super long lines or have kinda wonky spacing on our attributes.
How it started:
.messages-overflow-container{"data-simplebar": true}
  .messages{data: {controller: "chat-messages"}}
    .like-notification{data: {controller: "reaction-notification"}}
    - unless video.finished?
      .message-write{data: { "controller": "chat", "show-when-logged-in": true }}
        .chat-controls
          .write-area{placeholder: 'Send a message', contenteditable: true, role: "textbox", data: {action: "keydown->chat#chatBoxKeyDown", target: "chat.messageInput"}}
          = render "shared/reaction_button"
      .message-login-prompt{data: { "show-when-logged-out": true }}
        %button{data: {action: "authentication#showModal"}} Login To Chat
How it's going:
.messages-overflow-container{"data-simplebar": true}
  .messages{
    data: {
      controller: "chat-messages"
    }
  }
    .like-notification{
      data: {
        controller: "reaction-notification"
      }
    }
    - unless video.finished?
      .message-write{
        data: {
          "controller": "chat",
          "show-when-logged-in": true
        }
      }
        .chat-controls
          .write-area{
            placeholder: 'Send a message',
            contenteditable: true,
            role: "textbox",
            data: {
              action: "keydown->chat#chatBoxKeyDown",
              target: "chat.messageInput"
            }
          }
          = render "shared/reaction_button"
      .message-login-prompt{data: { "show-when-logged-out": true }}
        %button{
          data: {
            action: "authentication#showModal"
          }
        } Login To Chat
How about THAT! I don't know about you, but this is going to improve my markup by a huge margin. I am super thrilled to get this into our code at @veuelive!
5.2.0
This release is meant to be the final release that's got all the bells and whistles of Haml from the last 10 years. Going forward, new releases will be in the 6.x.x series and will NOT be backwards compatible for many features.
We may do a release of 5.2.1+ if we have security issues come up.
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 45 commits:
Preparing for 5.2.1 Release
Implement multiline attributes
fix broken link
updating version number
Changing tests to get around a JRuby issue
Suppress ruby warning when testing output
Exclude `enable-frozen-string-literal` cases for older rails versions
Run tests with frozen strings ruby opt
Avoid unexpected mutation of strings
Revert an accidental change to fix CI
Fix small typo.
remove unused badge
Couple small renames for “main” branch moveover
Remove Testing for EOL Ruby Versions
Breaking Up the Monolithic Engine Tests
Use The Automatic Template Test Runner
Move tested contents to files
Escape attributes regardless of whether it's SafeBuffer or not
downgrade simplecov version
add in simplecov and use rails 6 non-rc
Run the code climate coverage reporter
Run Coverage for Every Test
Add changelog for class ordering
Reorder Class Names
Update haml-spec
add changelog entry for #1014
Do not run escape_html on text/plain files
Preserve order of class names in Haml tags
One-line bundler setup
Update .gitignore
This will allow you to run the "rake" command by itself, as mentioned in the README, without requiring you to prefix with bundle exec
Add a changelog entry
Support Ruby 2.0.0 again
Fix typo
This is how refinements works
Guard against #inspect monkey patches of true/false
Revert "Update haml-spec"
Update haml-spec
Merge pull request #1022 from mehagar/anchor
Get inserting ruby anchor working
Install older versions of rubygems and bundler only on Ruby < 2.7
Fix deprecation warning on #rubinius?
Ruby 2.2 on Rails 5.2 doesn't seem to work
Test Ruby 2.7.0 on Travis
Upgrade teeny versions running on Travis
↗️ middleman-cli (indirect, 4.3.7 → 4.3.11)
Sorry, we couldn't find anything useful about this release.
↗️ middleman-core (indirect, 4.3.7 → 4.3.11)
Sorry, we couldn't find anything useful about this release.
↗️ minitest (indirect, 5.14.1 → 5.14.2) · Repo · Changelog
Release Notes
5.14.2 (from changelog)
1 bug fix:
Bumped ruby version to include 3.0 (trunk).
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 4 commits:
↗️ parallel (indirect, 1.19.2 → 1.20.1) · Repo
Commits
See the full diff on Github. The new version differs by 16 commits:
v1.20.1
Merge pull request #287 from grosser/grosser/eol
bring back ruby 2.4 since that broke rubocop builds because of some dependency foobar
Merge pull request #288 from grosser/grosser/ga
use GA
v1.20.0
Merge pull request #285 from grosser/grosser/break
allow breaking with value
Merge pull request #278 from grosser/grosser/ci
remove cert
fix errors
bump rake to fix warnings
bump rails
bump ruby requirements
bump AR
fix ci
↗️ public_suffix (indirect, 4.0.5 → 4.0.6) · Repo · Changelog
Release Notes
4.0.6 (from changelog)
Changed
- Updated definitions.
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 6 commits:
↗️ tzinfo (indirect, 1.2.7 → 1.2.9) · Repo · Changelog
Release Notes
1.2.9
- Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.
1.2.8
- Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used to calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
- Rubinius is no longer supported.
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 18 commits:
Preparing v1.2.9.
Remove JRuby 9.0.5.0.
Download GlobalSign Root CA - R3 for use with older Ruby versions.
Add 1.8.7-head, 1.9.2-p330, jruby-9.0.5.0 and ree to allow failures.
Update to JRuby 9.2.14.0.
Ignore generated transitions that do not change the offset.
[ci skip] Add issue number reference.
Preparing v1.2.8.
Update time zone test fixtures based on tzdata 2020d.
Support "slim" zoneinfo files produced by default by zic >= 2020b.
Use up to date Linux distros to test (where possible).
Remove the deprecated sudo option.
Switch to travis-ci.com.
Update to Ruby 2.7.2 and JRuby 9.2.13.0.
Revert "Add Ruby 2.7 on AppVeyor."
Add Ruby 2.7 on AppVeyor.
Stop supporting Rubinius.
Update to Ruby 2.4.10.
🆕 rexml (added, 3.2.4)
👉 No CI detected
You don't seem to have any Continuous Integration service set up!
Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.
This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:
- Circle CI, Semaphore and Travis-CI are all excellent options.
- If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github.
- If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don't want it to run on every branch, you can whitelist branches starting with depfu/.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
- @depfu rebase
- Rebases against your default branch and redoes this update
- @depfu recreate
- Recreates this PR, overwriting any edits that you've made to it
- @depfu merge
- Merges this PR once your tests are passing and conflicts are resolved
- @depfu close
- Closes this PR and deletes the branch
- @depfu reopen
- Restores the branch and reopens this PR (if it's closed)
- @depfu pause
- Ignores all future updates for this dependency and closes this PR
- @depfu pause [minor|major]
- Ignores all future minor/major updates for this dependency and closes this PR
- @depfu resume
- Future versions of this dependency will create PRs again (leaves this PR as is)