
🚨 [security] Update graphiql-rails 1.9.0 → 1.10.1 (minor) #381

Open · wants to merge 1 commit into main

Conversation

depfu[bot] (Contributor) commented Aug 16, 2024


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ graphiql-rails (1.9.0 → 1.10.1) · Repo · Changelog

Release Notes

1.10.1 (from changelog)

  • Update routes.rb for Rails 8 compatibility #119

1.10.0 (from changelog)

  • Update to React 18.2.0
  • Update to GraphiQL 3.1.1
  • Use .min versions of JS dependencies
  • Add support for Propshaft
  • Remove fetch polyfill
  • Don't set headers whose procs evaluate to nil
  • Add input_value_deprecation flag to introspect deprecated arguments

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ builder (indirect, 3.2.4 → 3.3.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.3.1 → 1.3.4) · Repo · Changelog

Release Notes

1.3.4

What's Changed

  • Update comment for JRuby variant of processor_count to reality by @meineerde in #1054
  • Add Concurrent.cpu_requests that is cgroups aware. by @heka1024 in #1058
  • Fix the doc of Concurrent.available_processor_count by @y-yagi in #1059
  • Fix the return value of Concurrent.available_processor_count when cpu.cfs_quota_us is -1 by @y-yagi in #1060

New Contributors

Full Changelog: v1.3.3...v1.3.4

1.3.3

What's Changed

Full Changelog: v1.3.2...v1.3.3

1.3.2

What's Changed

New Contributors

Full Changelog: v1.3.1...v1.3.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ erubi (indirect, 1.12.0 → 1.13.0) · Repo · Changelog

Release Notes

1.13.0 (from changelog)

  • Define Erubi.h as a module function (jeremyevans)
  • Add erubi/capture_block, supporting capturing block output via standard <%= and <%== tags (jeremyevans)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ irb (indirect, 1.13.1 → 1.14.0) · Repo

Release Notes

1.14.0

What's Changed

✨ Enhancements

  • Stop echoing or storing command calls' nil return value by @st0012 in #972
  • Introduce cd command by @st0012 in #971
  • Return only commands when completing help command's argument by @st0012 in #973

🐛 Bug Fixes

  • Allow assigning and using local variable name conflicting with command by @tompng in #961

🛠 Other Changes

Full Changelog: v1.13.2...v1.14.0

1.13.2

What's Changed

🐛 Bug Fixes

  • Add a new initialization step to validate IRB.conf's values by @st0012 in #953
  • Reorder ruby lex clauses for unrecoverable first by @kddnewton in #956
  • Remove useless Reline::Key.new and update wrong comment for alt+d by @tompng in #963
  • Add accidentally dropped disable_irb command back by @st0012 in #964

📚 Documentation

  • Help users choose between helper methods and commands in the extension document by @st0012 in #965

🛠 Other Changes

  • Enhance regexp to account for prism error messages by @kddnewton in #954
  • Clean up tmpdir by @nobu in #955
  • Suppress Ruby warnings in certain backtrace filtering tests by @st0012 in #966
  • fix typos in the Index of Command-Line Options by @Suban05 in #967
  • Cleanup irbrc generator cache always at teardown by @tompng in #968
  • Invalid encoding symbol now raises SyntaxError also in 3.3 by @tompng in #969
  • Bump version to v1.13.2 by @st0012 in #970

New Contributors

Full Changelog: v1.13.1...v1.13.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.23.1 → 5.25.1) · Repo · Changelog

Release Notes

5.25.0 (from changelog)

  • 2 minor enhancements:

    • Fixed some inefficiencies filtering and matching (mostly backtraces).

    • Refactored siginfo handler to reduce runtime costs. Saved ~30%!

  • 5 bug fixes:

    • Added missing rdoc to get back to 100% coverage.

    • Cleaning up ancient code checking for defined?(Encoding) and the like.

    • Disambiguated some shadowed variables in minitest/compress.

    • Fixed an ironic bug if using string-literals AND Werror.

    • Improve description of test:slow task. (stomar)

5.24.1 (from changelog)

  • 1 bug fix:

    • Fix the error message when an extension is invalid value. (y-yagi)

5.24.0 (from changelog)

  • 2 minor enhancements:

    • Added Minitest.register_plugin.

    • Extended plugin system to work with modules/classes for opt-out plugins.

  • 1 bug fix:

    • Removed anachronism, but allow load_plugins to exit gracefully if --disable=gems.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.16.5 → 1.16.7) · Repo · Changelog

Release Notes

1.16.7

v1.16.7 / 2024-07-27

Dependencies

  • [CRuby] Vendored libxml2 is updated to v2.12.9, which the upstream release notes state is a security release to address CVE-2024-40896. Nokogiri's maintainers believe this vulnerability does not affect users of Nokogiri, but we advise upgrading at your earliest convenience anyway.

sha256 checksums:


1.16.6

v1.16.6 / 2024-06-13

Dependencies

  • [CRuby] Vendored libxml2 is updated to v2.12.8, which the release notes state is a bugfix release.

sha256 checksums:


Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ racc (indirect, 1.8.0 → 1.8.1) · Repo · Changelog

Release Notes

1.8.1

What's Changed

New Contributors

Full Changelog: v1.8.0...v1.8.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rack (indirect, 3.0.11 → 3.1.7) · Repo · Changelog

Security Advisories 🚨

🚨 Rack ReDoS Vulnerability in HTTP Accept Headers Parsing

Summary

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Rack::Request::Helpers module when parsing HTTP Accept headers. This vulnerability can be exploited by an attacker sending specially crafted Accept-Encoding or Accept-Language headers, causing the server to spend excessive time processing the request and leading to a Denial of Service (DoS).

Details

The fix for GHSA-54rr-7fvw-6x8f was not applied to the main branch and thus while the issue was fixed for the Rack v3.0 release series, it was not fixed in the v3.1 release series until v3.1.5.

Release Notes

3.1.7 (from changelog)

Fixed

  • Do not remove escaped opening/closing quotes for content-disposition filenames. (#2229, @jeremyevans)
  • Fix encoding setting for non-binary IO-like objects in MockRequest#env_for. (#2227, @jeremyevans)
  • Rack::Response should not generate invalid content-length header. (#2219, @ioquatix)
  • Allow empty PATH_INFO. (#2214, @ioquatix)

3.1.6 (from changelog)

  • Fix several edge cases in Rack::Request#parse_http_accept_header's implementation. (#2226, @ioquatix)

3.1.5 (from changelog)

Security

3.1.4 (from changelog)

Fixed

  • Fix Rack::Lint matching some paths incorrectly as authority form. (#2220, @ioquatix)

3.1.2 (from changelog)

  • Rack::Response will take into consideration chunked encoding responses (#2204, @tenderlove)

3.1.1 (from changelog)

  • Oops! I shouldn't have shipped that

3.1.0 (from changelog)

Rack v3.1 is primarily a maintenance release that removes features deprecated in Rack v3.0. Alongside these removals, there are several improvements to the Rack SPEC, mainly focused on enhancing input and output handling. These changes aim to make Rack more efficient and align better with the requirements of server implementations and relevant HTTP specifications.

SPEC Changes

Added

  • Introduce Rack::Multipart::MissingInputError for improved handling of missing input in #parse_multipart. (#2018, @ioquatix)
  • Introduce module Rack::BadRequest which is included in multipart and query parser errors. (#2019, @ioquatix)
  • Add .mjs MIME type (#2057, @axilleas)
  • set_cookie_header utility now supports the partitioned cookie attribute. This is required by Chrome in some embedded contexts. (#2131, @flavio-b)
  • Introduce rack.early_hints for sending 103 Early Hints informational responses. (#1831, @casperisfine, @jeremyevans)

Changed

  • MIME type for JavaScript files (.js) changed from application/javascript to text/javascript (1bd0f15, @ioquatix)
  • Update MIME types associated to .ttf, .woff, .woff2 and .otf extensions to use modern font/* types. (#2065, @davidstosik)
  • Rack::Utils.escape_html is now delegated to CGI.escapeHTML. ' is escaped to &#39; instead of &#x27;. (decimal vs hexadecimal) (#2099, @JunichiIto)
  • Clarify use of @buffered and only update content-length when Rack::Response#finish is invoked. (#2149, @ioquatix)

Deprecated

  • Deprecate automatic cache invalidation in Request#{GET,POST} (#2073, @jeremyevans)
  • Only cookie keys that are not valid according to the HTTP specifications are escaped. We are planning to deprecate this behaviour, so now a deprecation message will be emitted in this case. In the future, invalid cookie keys may not be accepted. (#2191, @ioquatix)
  • Rack::Logger is deprecated. (#2197, @ioquatix)
  • Add fallback lookup and deprecation warning for obsolete status symbols. (#2137, @wtn)

Removed

  • Remove deprecated Rack::Auth::Digest with no replacement. (#1966, @ioquatix)
  • Remove deprecated Rack::Cascade::NotFound with no replacement. (#1966, @ioquatix)
  • Remove deprecated Rack::Chunked with no replacement. (#1966, @ioquatix)
  • Remove deprecated Rack::File, use Rack::Files instead. (#1966, @ioquatix)
  • Remove deprecated Rack::QueryParser key_space_limit parameter with no replacement. (#1966, @ioquatix)
  • Remove deprecated Rack::Response#header, use Rack::Response#headers instead. (#1966, @ioquatix)
  • Remove deprecated cookie methods from Rack::Utils: add_cookie_to_header, make_delete_cookie_header, add_remove_cookie_to_header. (#1966, @ioquatix)
  • Remove deprecated Rack::Utils::HeaderHash. (#1966, @ioquatix)
  • Remove deprecated Rack::VERSION, Rack::VERSION_STRING, Rack.version, use Rack.release instead. (#1966, @ioquatix)
  • Remove non-standard status codes 306, 509, & 510 and update descriptions for 413, 422, & 451. (#2137, @wtn)
  • Remove any dependency on transfer-encoding: chunked. (#2195, @ioquatix)

Fixed

  • In Rack::Files, ignore the Range header if served file is 0 bytes. (#2159, @zarqman)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ reline (indirect, 0.5.8 → 0.5.9) · Repo

Release Notes

0.5.9

What's Changed

🐛 Bug Fixes

  • In ed_search_[prev|next]_history, make the cursor come to the end of the line when there is no search substr by @QWYNG in #714
  • Change Reline::ANSI to a general io by @tompng in #659

🛠 Other Changes

  • Overhaul io gate structure by @st0012 in #666
  • Improve key binding match/matching check by @tompng in #709
  • Ensure no escape sequence before printing prompt by @tompng in #716
  • Refactor input key reading by @tompng in #712
  • Remove instance variable @first_char by @tompng in #717
  • Suppress warning (Ruby 3.4) requiring fiddle from terminfo.rb by @tompng in #721
  • Add more fallbacks when terminfo or fiddle is not available by @tompng in #722
  • Bump version to 0.5.9 by @ima1zumi in #724

New Contributors

Full Changelog: v0.5.8...v0.5.9

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ stringio (indirect, 3.1.0 → 3.1.1) · Repo · Changelog

Release Notes

3.1.1

Improvements

Fixes

Thanks

  • Tiago Cardoso

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ zeitwerk (indirect, 2.6.15 → 2.6.17) · Repo · Changelog

Release Notes

2.6.17 (from changelog)

  • Fix log message when eager loading a directory ends.

2.6.16 (from changelog)

  • Logging prints a message when a directory that was not ignored is skipped anyway because it contains no Ruby files.

  • Internal refactors.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🗑️ sprockets (removed)

🗑️ sprockets-rails (removed)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu cancel merge: Cancels automatic merging of this PR
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)
