Bump the bundler group group with 8 updates

[dependabot]

Bumps the bundler group group with 8 updates:

Package	From	To
puma	6.3.0	6.4.2
rails	7.0.5	7.0.8.1
yard	0.9.34	0.9.36
actionpack	7.0.5	7.0.8.1
activesupport	7.0.5	7.0.8.1
nokogiri	1.15.2	1.16.2
rack	2.2.7	2.2.8.1
uri	0.12.1	0.13.0

Updates puma from 6.3.0 to 6.4.2

Release notes

Sourced from puma's releases.

6.4.1

• Bugfixes

  • DSL#warn_if_in_single_mode - fixup when workers set via CLI (#3256)
  • Fix idle-timeout not working in cluster mode (#3235, #3228, #3282, #3283)
  • Fix worker 0 timing out during phased restart (#3225, #2786)
  • context_builder.rb - require openssl if verify_mode != 'none' (#3179)
  • Make puma cluster process suitable as PID 1 (#3255)
  • Improve Puma::NullIO consistency with real IO (#3276)
  • extconf.rb - fixup to detect openssl info in Ruby build (#3271, #3266)
  • MiniSSL.java - set serialVersionUID, fix RaiseException deprecation (#3270)
  • dsl.rb - fix warn_if_in_single_mode when WEB_CONCURRENCY is set (#3265, #3264)

• Maintenance

  • LOTS of test refactoring to make tests more stable and easier to write - thanks to @​MSP-Greg!
  • Fix bug in tests re: TestPuma::HOST4 (#3254)
  • Dockerfile for minimal repros: use Ruby 3.2, expect bundler installed (#3245)
  • fix define_method calls, use Symbol parameter instead of String (#3293)

• Docs

  • README.md - add the puma-acme plugin (#3301)
  • Remove --keep-file-descriptors flag from systemd docs (#3248)
  • Note symlink mechanism in restart documentation for hot restart (#3298)

6.4.0 - The Eagle of Durango

America is #1 in professional cycling, baby!

• Features

  • on_thread_exit hook (#2920)
  • on_thread_start_hook (#3195)
  • Shutdown on idle (#3209, #2580)
  • New error message when control server port taken (#3204)

• Refactor

  • Remove Forwardable dependency (#3191, #3190)
  • Update URLMap Regexp usage for Ruby v3.3 (#3165)

• Bugfixes

  • Bring the cert_pem: parameter into parity with the cert: parameter to ssl_bind. (#3174)
  • Fix using control server with IPv6 host (#3181)
  • control_cli.rb - add require_relative 'log_writer' (#3187)
  • Fix cases where fallback Rack response wasn't sent to the client (#3094)

6.3.1

• Security
  • Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields (GHSA-68xg-gqqm-vgj8)

Changelog

Sourced from puma's changelog.

6.4.2 / 2024-01-08

• Security
  • Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. (GHSA-c2f4-cvqm-65w2)

6.4.1 / 2024-01-03

• Bugfixes

  • DSL#warn_if_in_single_mode - fixup when workers set via CLI (#3256)
  • Fix idle-timeout not working in cluster mode (#3235, #3228, #3282, #3283)
  • Fix worker 0 timing out during phased restart (#3225, #2786)
  • context_builder.rb - require openssl if verify_mode != 'none' (#3179)
  • Make puma cluster process suitable as PID 1 (#3255)
  • Improve Puma::NullIO consistency with real IO (#3276)
  • extconf.rb - fixup to detect openssl info in Ruby build (#3271, #3266)
  • MiniSSL.java - set serialVersionUID, fix RaiseException deprecation (#3270)
  • dsl.rb - fix warn_if_in_single_mode when WEB_CONCURRENCY is set (#3265, #3264)

• Maintenance

  • LOTS of test refactoring to make tests more stable and easier to write - thanks to @​MSP-Greg!
  • Fix bug in tests re: TestPuma::HOST4 (#3254)
  • Dockerfile for minimal repros: use Ruby 3.2, expect bundler installed (#3245)
  • fix define_method calls, use Symbol parameter instead of String (#3293)

• Docs

  • README.md - add the puma-acme plugin (#3301)
  • Remove --keep-file-descriptors flag from systemd docs (#3248)
  • Note symlink mechanism in restart documentation for hot restart (#3298)

6.4.0 / 2023-09-21

• Features

  • on_thread_exit hook (#2920)
  • on_thread_start_hook (#3195)
  • Shutdown on idle (#3209, #2580)
  • New error message when control server port taken (#3204)

• Refactor

  • Remove Forwardable dependency (#3191, #3190)
  • Update URLMap Regexp usage for Ruby v3.3 (#3165)

• Bugfixes

  • Bring the cert_pem: parameter into parity with the cert: parameter to ssl_bind. (#3174)
  • Fix using control server with IPv6 host (#3181)
  • control_cli.rb - add require_relative 'log_writer' (#3187)
  • Fix cases where fallback Rack response wasn't sent to the client (#3094)

6.3.1 / 2023-08-18

• Security

... (truncated)

Commits

• 5fc43d7 5.6.8 and 6.4.2
• dfbba22 6.4.2
• 60d5ee3 Merge pull request from GHSA-c2f4-cvqm-65w2
• a287025 6.4.1 version tick!
• 32a629d 6.4.1
• 7e17826 [Fix #3282] idle-timeout not waiting on all workers in cluster mode (#3283)
• 437142e README.md - add the puma-acme plugin (#3301)
• e9125fa [CI] Change all workflow file extensions to '.yml' (#3300)
• d49dec9 [CI] Add Ruby 3.3, use 'rubygems: latest' in tests.yaml MRI (#3299)
• 2d27225 Note symlink mechanism in restart documentation for hot restart (#3298)
• Additional commits viewable in compare view

Updates rails from 7.0.5 to 7.0.8.1

Release notes

Sourced from rails's releases.

7.0.8.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix possible XSS vulnerability with the translate method in controllers

  CVE-2024-26143

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• 506462a Preparing for 7.0.8.1 release
• 030cd01 update changelog
• 4c83b33 fix XSS vulnerability when using translation
• 723f545 Merge pull request #48869 from brunoprietog/disable-session-active-storage-pr...
• fc734f2 Preparing for 7.0.8 release
• af486be Merge pull request #44370 from mohits/patch-1
• 72bad1a Upgrade stringio to 3.0.8 to make sure guides CI pass
• d230670 Force upgrade bundler to invalidate Bundler cache on CI
• d84000d Require job used in this test file
• 3c17dab We expect queue adapters to be objects, no classes
• Additional commits viewable in compare view

Updates yard from 0.9.34 to 0.9.36

Release notes

Sourced from yard's releases.

Release v0.9.36

• Further XSS fixes for generated frameset pages (#1538)
• Improve tests for Ruby 3.3 compatibility (#1519, #1531)
• Documentation improvements (#1524)

Release v0.9.35

• Fix possible XSS on generated YARD frameset pages (thanks to @​RedYetiDev for finding and patching) (2069e2b).
• Fix errors when using @option on non-method objects (#1508)
• Support Ruby 3.3 changes in Ripper parser (#1510)

Changelog

Sourced from yard's changelog.

0.9.36 - February 29th, 2024

• Further XSS fixes for generated frameset pages (#1538)
• Improve tests for Ruby 3.3 compatibility (#1519, #1531)
• Documentation improvements (#1524)

0.9.35 - February 28th, 2024

• Fix possible XSS on generated YARD frameset pages (thanks to @​RedYetiDev for finding and patching) (2069e2b).
• Fix errors when using @option on non-method objects (#1508)
• Support Ruby 3.3 changes in Ripper parser (#1510)

Commits

• e833aac Tag release v0.9.36
• 1fcb2d8 Merge pull request #1538 from RedYetiDev/patch-2
• a831a59 Fix semicolon
• 2a0b999 assign url_for_main to a variable
• 3059017 Merge pull request #1519 from mtasaka/ruby33_test_fix
• c88406e Update frames.erb
• 7cb3fc5 Merge pull request #1524 from frsantos/fix_tuple_docs
• 04e4c9a Merge pull request #1531 from rafaelfranca/rm-ruby-3.3
• ebf5005 Tag release v0.9.35
• 62e18b4 Prepare changelog
• Additional commits viewable in compare view

Updates actionpack from 7.0.5 to 7.0.8.1

Release notes

Sourced from actionpack's releases.

7.0.8.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix possible XSS vulnerability with the translate method in controllers

  CVE-2024-26143

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• 506462a Preparing for 7.0.8.1 release
• 030cd01 update changelog
• 4c83b33 fix XSS vulnerability when using translation
• fc734f2 Preparing for 7.0.8 release
• f9175db Fix webdrivers on 7-0-stable branch for issue #48973. (#48977)
• ed9f292 Merge tag 'v7.0.7.2' into 7-0-stable
• 3668b4b Preparing for 7.0.7.2 release
• 2294b8b Bumping version
• 2766c93 Merge branch '7-0-sec' into 7-0-stable
• c92caef Preparing for 7.0.7.1 release
• Additional commits viewable in compare view

Updates activesupport from 7.0.5 to 7.0.8.1

Release notes

Sourced from activesupport's releases.

7.0.8.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix possible XSS vulnerability with the translate method in controllers

  CVE-2024-26143

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• 506462a Preparing for 7.0.8.1 release
• 030cd01 update changelog
• fc734f2 Preparing for 7.0.8 release
• 7bf0e43 Fix TimeWithZone#to_s being overriden with ENV set
• f5fd433 Document how to remove to_s deprecation warnings when defaul format is changed
• ed9f292 Merge tag 'v7.0.7.2' into 7-0-stable
• 3668b4b Preparing for 7.0.7.2 release
• 2294b8b Bumping version
• 2766c93 Merge branch '7-0-sec' into 7-0-stable
• c92caef Preparing for 7.0.7.1 release
• Additional commits viewable in compare view

Updates nokogiri from 1.15.2 to 1.16.2

Release notes

Sourced from nokogiri's releases.

v1.16.2 / 2024-02-04

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See GHSA-xc9x-jj77-9p9j for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.5 from v2.12.4. (@​flavorjones)

---

sha256 checksums:

69ba15d2a2498324489ed63850997f0b8f684260114ea81116d3082f16551d2d  nokogiri-1.16.2-aarch64-linux.gem
6a05ce42e3587a40cf8936ece0beaa5d32922254215d2e8cf9ad40588bb42e57  nokogiri-1.16.2-arm-linux.gem
c957226c8e36b31be6a3afb8602e2128282bf8b40ea51016c4cd21aa2608d3f8  nokogiri-1.16.2-arm64-darwin.gem
122652bfc338cd8a54a692ac035e245e41fd3b8283299202ca26e7a7d50db310  nokogiri-1.16.2-java.gem
7344b5072ca69fc5bedb61cb01a3b765b93a27aae5a2a845c2ba7200e4345074  nokogiri-1.16.2-x64-mingw-ucrt.gem
a2a5e184a424111a0d5b77947986484920ad708009c667f061e8d02035c562dd  nokogiri-1.16.2-x64-mingw32.gem
833efddeb51a6c2c9f6356295623c2b2e0d50050d468695c59bd929162953323  nokogiri-1.16.2-x86-linux.gem
e67fc0418dffaff9dc8b1dc65f0605282c3fee9488832d0223b620b4319e0b53  nokogiri-1.16.2-x86-mingw32.gem
5def799e5f139f21a79d7cf71172313a7b6fb0e4b2a31ab9bd5d4ad305994539  nokogiri-1.16.2-x86_64-darwin.gem
5b146240ac6ec6c40fd4367623e74442bca45a542bd3282b1d4d18b07b8e5dfe  nokogiri-1.16.2-x86_64-linux.gem
68922ee5cde27497d995c46f2821957bae961947644eed2822d173daf7567f9c  nokogiri-1.16.2.gem

v1.16.1 / 2024-02-03

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.4 from v2.12.3. (@​flavorjones)

Fixed

• [CRuby] XML::Reader defaults the encoding to UTF-8 if it's not specified in either the document or as a method parameter. Previously non-ASCII characters were serialized as NCRs in this case. #2891 (@​flavorjones)
• [CRuby] Restored support for compilation by GCC versions earlier than 4.6, which was broken in v1.15.0 (540e9aee). #3090 (@​adfoster-r7)
• [CRuby] Patched upstream libxml2 to allow parsing HTML5 in the context of a namespaced node (e.g., foreign content like MathML). [#3112, #3116] (@​flavorjones)
• [CRuby] Fixed a small memory leak in libgumbo (HTML5 parser) when the maximum tree depth limit is hit. [#3098, #3100] (@​stevecheckoway)

---

sha256 checksums:

a541f35e5b9798a0c97300f9ee18f4217da2a2945a6d5499e4123b9018f9cafc  nokogiri-1.16.1-aarch64-linux.gem
6b82affd195000ab2f9c36cc08744ec2d2fcf6d8da88d59a2db67e83211f7c69  nokogiri-1.16.1-arm-linux.gem
</tr></table> 

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.16.2 / 2024-02-04

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See GHSA-xc9x-jj77-9p9j for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.5 from v2.12.4. (@​flavorjones)

v1.16.1 / 2024-02-03

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.4 from v2.12.3. (@​flavorjones)

Fixed

• [CRuby] XML::Reader defaults the encoding to UTF-8 if it's not specified in either the document or as a method parameter. Previously non-ASCII characters were serialized as NCRs in this case. #2891 (@​flavorjones)
• [CRuby] Restored support for compilation by GCC versions earlier than 4.6, which was broken in v1.15.0 (540e9aee). #3090 (@​adfoster-r7)
• [CRuby] Patched upstream libxml2 to allow parsing HTML5 in the context of a namespaced node (e.g., foreign content like MathML). [#3112, #3116] (@​flavorjones)
• [CRuby] Fixed a small memory leak in libgumbo (HTML5 parser) when the maximum tree depth limit is hit. [#3098, #3100] (@​stevecheckoway)

v1.16.0 / 2023-12-27

Notable Changes

Ruby

This release introduces native gem support for Ruby 3.3.

This release ends support for Ruby 2.7, for which upstream support ended 2023-03-31.

Pattern matching

This version marks official support for the pattern matching API in XML::Attr, XML::Document, XML::DocumentFragment, XML::Namespace, XML::Node, and XML::NodeSet (and their subclasses), originally introduced as an experimental feature in v1.14.0. (@​flavorjones)

Documentation on what can be matched:

• XML::Attr#deconstruct_keys
• XML::Document#deconstruct_keys
• XML::Namespace#deconstruct_keys
• XML::Node#deconstruct_keys
• XML::DocumentFragment#deconstruct
• XML::NodeSet#deconstruct

... (truncated)

Commits

• 673756f version bump to v1.16.2
• 74ffd67 dep: update libxml to 2.12.5 (branch v1.16.x) (#3122)
• 0d4018d dep: update libxml2 to v2.12.5
• f33a25f dep: remove patch from #3112 which has been released upstream
• e994168 version bump to v1.16.1
• 77ea2f2 dev: add files to manifest ignore list
• 756f27c build(deps): bump actions/{download,upload}-artifact from 3 to 4
• 464f8d4 .gitignore: clangd-related files
• 2beeb96 doc: update CHANGELOG
• a26536d fix: apply upstream patch for in-context parsing (#3116)
• Additional commits viewable in compare view

Updates rack from 2.2.7 to 2.2.8.1

Release notes

Sourced from rack's releases.

v2.2.8.1

What's Changed

• Fixed ReDoS in Accept header parsing [CVE-2024-26146]
• Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
• Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: rack/rack@v2.2.8...v2.2.8.1

v2.2.8

What's Changed

• Limit file extension length of multipart tempfiles (2.2 backport) by @​dentarg in rack/rack#2075
• CHANGELOG: Add missing 2.2.7 by @​tisba in rack/rack#2081
• Update cookie.rb by @​dchandekstark in rack/rack#2092
• Prefer ubuntu-latest for testing. by @​ioquatix in rack/rack#2095
• Fix inefficient assert pattern in Rack::Lint [2-2-stable] by @​skipkayhil in rack/rack#2101
• Regenerate SPEC [2-2-stable] by @​skipkayhil in rack/rack#2102

New Contributors

• @​tisba made their first contribution in rack/rack#2081
• @​dchandekstark made their first contribution in rack/rack#2092

Full Changelog: rack/rack@v2.2.7...v2.2.8

Commits

• e830011 bump version
• d9c163a Avoid 2nd degree polynomial regexp in MediaType
• 6245768 Return an empty array when ranges are too large
• e4c1177 Fixing ReDoS in header parsing
• f169ff7 Bump patch version.
• 0a46487 Regenerate SPEC (#2102)
• cee73b3 Fix inefficient assert pattern in Rack::Lint (#2101)
• 1fdcf1f Prefer ubuntu-latest for testing. (#2095)
• 287fe43 Update cookie.rb (#2092)
• e7f4869 adds missing 2.2.7 to CHANGELOG.md (#2081)
• Additional commits viewable in compare view

Updates uri from 0.12.1 to 0.13.0

Release notes

Sourced from uri's releases.

v0.13.0

What's Changed

• [DOC] Enhanced RDoc for common methods by @​BurdetteLamar in ruby/uri#48
• [DOC] Common methods rdoc by @​BurdetteLamar in ruby/uri#49
• [DOC] Enhanced RDoc for common methods by @​BurdetteLamar in ruby/uri#50
• Add Ruby 3.2 to CI matrix by @​tricknotes in ruby/uri#51
• [DOC] Common rdoc by @​BurdetteLamar in ruby/uri#52
• [DOC] Enhanced RDoc for URI.decode_www_form by @​BurdetteLamar in ruby/uri#53
• [DOC] Enhanced RDoc for URI by @​BurdetteLamar in ruby/uri#55
• Generate rdoc document by GitHub Pages Action by @​hsbt in ruby/uri#59
• Add documentation links by @​AlexWayfer in ruby/uri#58
• Update test libraries from ruby/ruby 2023-03-24 by @​hsbt in ruby/uri#65
• Switch to use callable workflow for Actions by @​hsbt in ruby/uri#67
• Refine tests by @​nobu in ruby/uri#71
• Drop support for 2.4 by @​nobu in ruby/uri#77
• Update test libraries from ruby/ruby 2023-06-02 by @​nobu in ruby/uri#78
• Use released version of test-unit-ruby-core by @​hsbt in ruby/uri#79
• Refactor RFC3986 regexps to make more readable by @​nobu in ruby/uri#46
• Fix RFC3986 regexps by @​nobu in ruby/uri#81
• Fix host part in relative referece by @​nobu in ruby/uri#84
• String literals are frozen now by @​nobu in ruby/uri#85

New Contributors

• @​BurdetteLamar made their first contribution in ruby/uri#48
• @​AlexWayfer made their first contribution in ruby/uri#58

Full Changelog: ruby/uri@v0.12.0...v0.13.0

Commits

• b50d37f Bump up 0.13.0
• 5c17cd2 add #to_str to URI::Generic
• f4999b6 Merge pull request #88 from ruby/dependabot/github_actions/actions/checkout-4
• b0b029c Bump actions/checkout from 3 to 4
• bec5ef9 Merge pull request #86 from ruby/dependabot/github_actions/actions/upload-pag...
• 5a626d6 Bump actions/upload-pages-artifact from 1 to 2
• e18e657 Bump up v0.12.2
• 9d7bcef Fix quadratic backtracking on invalid port number
• 9010ee2 Fix quadratic backtracking on invalid relative URI
• fd21465 Merge pull request #85 from nobu/frozen-literals
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #24.