Bump the bundler group across 1 directory with 15 updates

[dependabot]

Bumps the bundler group with 7 updates in the / directory:

Package	From	To
rails	7.0.2.4	7.0.8.7
puma	6.4.2	6.4.3
dotenv-rails	3.1.2	3.1.7
sidekiq	6.5.5	7.3.7
rubocop-govuk	5.0.2	5.0.7
rexml	3.3.3	3.3.9
fugit	1.11.0	1.11.1

Updates rails from 7.0.2.4 to 7.0.8.7

Release notes

Sourced from rails's releases.

7.0.8.7

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Add validation to content security policies to disallow spaces and semicolons. Developers should use multiple arguments, and different directive methods instead.

  [CVE-2024-54133]

  Gannon McGibbon

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

... (truncated)

Commits

• 778eab8 Preparing for 7.0.8.7 release
• 15c6f15 Update vendored trix version to 1.3.4
• cb16a3b Add CSP directive validation
• bc979c5 Preparing for 7.0.8.6 release
• 4a78225 Fix relesaser Gemfile to include blade and sprockets-export
• 9951c3f Improvements to releaser
• 07f5c9b Fix NoMethodError in ActionMailer block_format
• f61f4ef Preparing for 7.0.8.5 release
• d666c96 Update CHANGELOGs
• 35bf08d Merge pull request #16 from rails/7-0-sec-relase
• Additional commits viewable in compare view

Updates puma from 6.4.2 to 6.4.3

Release notes

Sourced from puma's releases.

6.4.3

• Security
  • Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). (CVE-2024-45614/GHSA-9hf4-67fc-4vf4)

Changelog

Sourced from puma's changelog.

6.4.3 / 2024-09-19

• Security
  • Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). (CVE-2024-45614/GHSA-9hf4-67fc-4vf4)

Commits

• e867e53 6.4.3
• 63a27b5 5.6.9 release note [ci skip]
• cac3fd1 Merge commit from fork
• See full diff in compare view

Updates dotenv-rails from 3.1.2 to 3.1.7

Release notes

Sourced from dotenv-rails's releases.

v3.1.7

What's Changed

• Fix issue with repeated linebreaks when normalizing line endings by @​bkeepers in bkeepers/dotenv#523
• Generate build matrix from endoflife.date by @​bkeepers in bkeepers/dotenv#521

Full Changelog: bkeepers/dotenv@v3.1.6...v3.1.7

3.1.6

What's Changed

• Fix: Restore previous parser behavior of returning existing variables by @​bkeepers in bkeepers/dotenv#519

Full Changelog: bkeepers/dotenv@v3.1.5...v3.1.6

v3.1.5

What's Changed

• Optimize parser by removing repeated hash merges by @​andrewts129 in bkeepers/dotenv#515
• Refactor parser to avoid duplicate scan/gsub by @​bkeepers in bkeepers/dotenv#517
• Fix typo in README by @​JohnYangSam in bkeepers/dotenv#516

New Contributors

• @​JohnYangSam made their first contribution in bkeepers/dotenv#516
• @​andrewts129 made their first contribution in bkeepers/dotenv#515

Full Changelog: bkeepers/dotenv@v3.1.4...v3.1.5

3.1.4

What's Changed

• Fix an error when only the Spring::Client is loaded by @​alpaca-tc in bkeepers/dotenv#512

New Contributors

• @​alpaca-tc made their first contribution in bkeepers/dotenv#512

Full Changelog: bkeepers/dotenv@v3.1.3...v3.1.4

3.1.3

What's Changed

• Only use Spring if already loaded by @​runephilosof-abtion in bkeepers/dotenv#511
• Doc Updates:
  • Spell out 'FILENAME' in readme by @​mikegee in bkeepers/dotenv#505
  • Provide a 'Changelog' link on rubygems.org/gems/dotenv by @​mark-young-atg in bkeepers/dotenv#506
  • README.md: typo "exiting" by @​olleolleolle in bkeepers/dotenv#508
• cleanup: Run standard:fix by @​olleolleolle in bkeepers/dotenv#509

New Contributors

• @​mikegee made their first contribution in bkeepers/dotenv#505
• @​mark-young-atg made their first contribution in bkeepers/dotenv#506
• @​olleolleolle made their first contribution in bkeepers/dotenv#508
• @​runephilosof-abtion made their first contribution in bkeepers/dotenv#511

... (truncated)

Changelog

Sourced from dotenv-rails's changelog.

3.1.7

• Fix issue with repeated linebreaks when normalizing line endings by @​bkeepers in bkeepers/dotenv#523

Full Changelog: bkeepers/dotenv@v3.1.6...v3.1.7

3.1.6

• Fix: Restore previous parser behavior of returning existing variables by @​bkeepers in bkeepers/dotenv#519

Full Changelog: bkeepers/dotenv@v3.1.5...v3.1.6

3.1.5

• Optimize parser by removing repeated hash merges by @​andrewts129 in bkeepers/dotenv#515
• Refactor parser to avoid duplicate scan/gsub by @​bkeepers in bkeepers/dotenv#517
• Fix typo in README by @​JohnYangSam in bkeepers/dotenv#516

New Contributors

• @​JohnYangSam made their first contribution in bkeepers/dotenv#516
• @​andrewts129 made their first contribution in bkeepers/dotenv#515

Full Changelog: bkeepers/dotenv@v3.1.4...v3.1.5

3.1.4

• Fix an error when only the Spring::Client is loaded by @​alpaca-tc in bkeepers/dotenv#512

New Contributors

• @​alpaca-tc made their first contribution in bkeepers/dotenv#512

Full Changelog: bkeepers/dotenv@v3.1.3...v3.1.4

3.1.3

• Only use Spring if already loaded by @​runephilosof-abtion in bkeepers/dotenv#511
• Doc Updates:
  • Spell out 'FILENAME' in readme by @​mikegee in bkeepers/dotenv#505
  • Provide a 'Changelog' link on rubygems.org/gems/dotenv by @​mark-young-atg in bkeepers/dotenv#506
  • README.md: typo "exiting" by @​olleolleolle in bkeepers/dotenv#508
• cleanup: Run standard:fix by @​olleolleolle in bkeepers/dotenv#509

New Contributors

• @​mikegee made their first contribution in bkeepers/dotenv#505
• @​mark-young-atg made their first contribution in bkeepers/dotenv#506
• @​olleolleolle made their first contribution in bkeepers/dotenv#508
• @​runephilosof-abtion made their first contribution in bkeepers/dotenv#511

Full Changelog: bkeepers/dotenv@v3.1.2...v3.1.3

Commits

• 5bbef66 Merge pull request #523 from bkeepers/preserve-linebreaks
• 19a7675 Prepare for 3.1.7 release
• bf87415 Preserve repeated linebreaks when normalizing line endings
• 79c0f1c Merge pull request #521 from bkeepers/endoflife-matrix
• fdd83ed Run tests once/day to test against latest versions
• 882de31 Try continuing when bundle install fails
• eb14723 Getting Ruby and Rails versions from endoflife.date
• ade0fb3 Prepare for v3.1.6 release
• 4c264c2 Merge pull request #519 from bkeepers/fix-518
• d5872c8 Restore previous parser behavior of returning existing variables
• Additional commits viewable in compare view

Updates sidekiq from 6.5.5 to 7.3.7

Changelog

Sourced from sidekiq's changelog.

7.3.7

• Backport Sidekiq::Web.configure for compatibility with 8.0 #6532
• Backport url_params(key) and route_params(key) for compatibility with 8.0 #6532
• Various fixes for UI filtering #6508
• Tune inspect for internal S::Components to keep size managable #6553

7.3.6

• Forward compatibility fixes for Ruby 3.4
• Filtering in the Web UI now works via GET so you can bookmark a filtered view. #6497

7.3.5

• Reimplement retry_all and kill_all API methods to use ZPOPMIN, approximately 30-60% faster. #6481
• Add preload testing binary at examples/testing/sidekiq_boot to verify your Rails app boots correctly with Sidekiq Enterprise's app preloading.
• Fix circular require with ActiveJob adapter #6477
• Fix potential race condition leading to incorrect serialized values for CurrentAttributes #6475
• Restore missing elapsed time when default job logging is disabled

7.3.4

• Fix FrozenError when starting Sidekiq #6470

7.3.3

• Freeze global configuration once boot is complete, to avoid configuration race conditions [#6466, #6465]
• Sidekiq now warns if a job iteration takes longer than the -t timeout setting (defaults to 25 seconds)
• Iteration callbacks now have easy access to job arguments via the arguments method:

def on_stop
  p arguments # => `[123, "string", {"key" => "value"}]`
  id, str, hash = arguments
end

• Iterable jobs can be cancelled via Sidekiq::Client#cancel!:

c = Sidekiq::Client.new
jid = c.push("class" => SomeJob, "args" => [123])
c.cancel!(jid) # => true

• Take over support for ActiveJob's :sidekiq adapter [#6430, fatkodima]
• Ensure CurrentAttributes are in scope when creating batch callbacks #6455
• Add Sidekiq.gem_version API.

... (truncated)

Commits

• 591adc6 changes
• 414180e Tune #inspect output for Sidekiq::Component and Sidekiq::Config to keep size ...
• 4f9a260 changes
• 71ca97f more filtering fixes
• 8831875 Add {url,route}_params accessors for 8.x source compat
• cf7a879 Backport S::Web.configure
• 490eebe 7.x changes
• cf773fb Dead filtering, fixes #6508
• db4dc17 bump
• 3c61a21 bump, prepare for release
• Additional commits viewable in compare view

Updates rubocop-govuk from 5.0.2 to 5.0.7

Changelog

Sourced from rubocop-govuk's changelog.

5.0.7

• Update dependencies

5.0.6

• Update dependencies

5.0.5

• Update dependencies

5.0.4

• Update dependencies

5.0.3

• Update dependencies: rubocop from 1.64.1 to 1.68.0, rubocop-ast from 1.31.3 to 1.26.1, rubocop-rails from 2.25.1 to 2.27.0, rubocop-rspec from 3.0.1 to 3.2.0

Commits

• abb020a Merge pull request #444 from alphagov/release-5.0.7
• 5502476 Release v5.0.7
• 6a96e29 Merge pull request #443 from alphagov/dependabot/bundler/rubocop-rails-eq-2.28.0
• 4d29d89 Update rubocop-rails requirement from = 2.27.0 to = 2.28.0
• 3f12c4a Merge pull request #441 from alphagov/release-5.0.6
• b5ef08c Merge pull request #442 from alphagov/dependabot/bundler/rubocop-ast-eq-1.37.0
• 4cfcaa4 Update rubocop-ast requirement from = 1.36.2 to = 1.37.0
• 4e76685 Release v5.0.6
• ba2711f Merge pull request #440 from alphagov/dependabot/bundler/rubocop-rspec-eq-3.3.0
• 156519c Merge pull request #439 from alphagov/dependabot/bundler/rubocop-eq-1.69.2
• Additional commits viewable in compare view

Updates rexml from 3.3.3 to 3.3.9

Release notes

Sourced from rexml's releases.

REXML 3.3.9 - 2024-10-24

Improvements

• Improved performance.
  • GH-210
  • Patch by NAITOH Jun.

Fixes

• Fixed a parse bug for text only invalid XML.

  • GH-215
  • Patch by NAITOH Jun.

• Fixed a parse bug that &#0x...; is accepted as a character reference.

Thanks

• NAITOH Jun

REXML 3.3.8 - 2024-09-29

Improvements

• SAX2: Improve parse performance.
  • GH-207
  • Patch by NAITOH Jun.

Fixes

• Fixed a bug that unexpected attribute namespace conflict error for the predefined "xml" namespace is reported.
  • GH-208
  • Patch by KITAITI Makoto

Thanks

• NAITOH Jun

• KITAITI Makoto

REXML 3.3.7 - 2024-09-04

Improvements

• Added local entity expansion limit methods
  • GH-192
  • GH-202
  • Reported by takuya kodama.

... (truncated)

Changelog

Sourced from rexml's changelog.

3.3.9 - 2024-10-24 {#version-3-3-9}

Improvements

• Improved performance.
  • GH-210
  • Patch by NAITOH Jun.

Fixes

• Fixed a parse bug for text only invalid XML.

  • GH-215
  • Patch by NAITOH Jun.

• Fixed a parse bug that &#0x...; is accepted as a character reference.

Thanks

• NAITOH Jun

3.3.8 - 2024-09-29 {#version-3-3-8}

Improvements

• SAX2: Improve parse performance.
  • GH-207
  • Patch by NAITOH Jun.

Fixes

• Fixed a bug that unexpected attribute namespace conflict error for the predefined "xml" namespace is reported.
  • GH-208
  • Patch by KITAITI Makoto

Thanks

• NAITOH Jun

• KITAITI Makoto

3.3.7 - 2024-09-04 {#version-3-3-7}

Improvements

• Added local entity expansion limit methods
  • GH-192
  • GH-202
  • Reported by takuya kodama.

... (truncated)

Commits

• 38eaa86 Add 3.3.9 entry
• ce59f2e parser: fix a bug that &#0x...; is accepted as a character reference
• a09646d test: fix indent
• cf0fb9c Fix IOSource#readline for @pending_buffer (#215)
• 1d0c362 Optimize IOSource#read_until method (#210)
• 622011f Bump version
• 036d508 test: avoid using needless non ASCII characters
• 4197054 Add 3.3.8 entry
• 78f8712 Fix handling with "xml:" prefixed namespace (#208)
• 2e1cd64 Optimize SAX2Parser#get_namespace (#207)
• Additional commits viewable in compare view

Updates rubocop-govuk from 5.0.2 to 5.0.7

Changelog

Sourced from rubocop-govuk's changelog.

5.0.7

• Update dependencies

5.0.6

• Update dependencies

5.0.5

• Update dependencies

5.0.4

• Update dependencies

5.0.3

• Update dependencies: rubocop from 1.64.1 to 1.68.0, rubocop-ast from 1.31.3 to 1.26.1, rubocop-rails from 2.25.1 to 2.27.0, rubocop-rspec from 3.0.1 to 3.2.0

Commits

• abb020a Merge pull request #444 from alphagov/release-5.0.7
• 5502476 Release v5.0.7
• 6a96e29 Merge pull request #443 from alphagov/dependabot/bundler/rubocop-rails-eq-2.28.0
• 4d29d89 Update rubocop-rails requirement from = 2.27.0 to = 2.28.0
• 3f12c4a Merge pull request #441 from alphagov/release-5.0.6
• b5ef08c Merge pull request #442 from alphagov/dependabot/bundler/rubocop-ast-eq-1.37.0
• 4cfcaa4 Update rubocop-ast requirement from = 1.36.2 to = 1.37.0
• 4e76685 Release v5.0.6
• ba2711f Merge pull request #440 from alphagov/dependabot/bundler/rubocop-rspec-eq-3.3.0
• 156519c Merge pull request #439 from alphagov/dependabot/bundler/rubocop-eq-1.69.2
• Additional commits viewable in compare view

Updates actionmailer from 7.0.2.4 to 7.0.8.7

Release notes

Sourced from actionmailer's releases.

7.0.8.7

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Add validation to content security policies to disallow spaces and semicolons. Developers should use multiple arguments, and different directive methods instead.

  [CVE-2024-54133]

  Gannon McGibbon

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

... (truncated)

Commits

• 778eab8 Preparing for 7.0.8.7 release
• bc979c5 Preparing for 7.0.8.6 release
• 07f5c9b Fix NoMethodError in ActionMailer block_format
• f61f4ef Preparing for 7.0.8.5 release
• d666c96 Update CHANGELOGs
• 30abd6b Merge pull request #52962 from rails/rm-releser
• 0e5694f Avoid backtracking in ActionMailer block_format
• 40d8b92 Merge pull request #51510 from fatkodima/remove-ostruct
• ec7f253 Preparing for 7.0.8.4 release
• f12d5ae update changelog
• Additional commits viewable in compare view

Updates actionpack from 7.0.2.4 to 7.0.8.7

Release notes

Sourced from actionpack's releases.

7.0.8.7

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Add validation to content security policies to disallow spaces and semicolons. Developers should use multiple arguments, and different directive methods instead.

  [CVE-2024-54133]

  Gannon McGibbon

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

... (truncated)

Commits

• 778eab8 Preparing for 7.0.8.7 release
• cb16a3b Add CSP directive validation
• bc979c5 Preparing for 7.0.8.6 release
• f61f4ef Preparing for 7.0.8.5 release
• d666c96 Update CHANGELOGs
• 30abd6b Merge pull request #52962 from rails/rm-releser
• b1241f4 Avoid backtracking in filtered_query_string
• 56b2fc3 Avoid backtracking in Token#raw_params
• 40d8b92 Merge pull request #51510 from fatkodima/remove-ostruct
• 6da6af8 Merge pull request #52176 from zzak/7-0-selenium-webdriver
• Additional commits viewable in compare view

Updates actiontext from 7.0.2.4 to 7.0.8.7

Release notes

Sourced from actiontext's releases.

7.0.8.7

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Add validation to content security policies to disallow spaces and semicolons. Developers should use multiple arguments, and different directive methods instead.

  [CVE-2024-54133]

  Gannon McGibbon

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

... (truncated)

Commits

• 778eab8 Preparing for 7.0.8.7 release
• 15c6f15 Update vendored trix version to 1.3.4
• bc979c5 Preparing for 7.0.8.6 release
• f61f4ef Preparing for 7.0.8.5 release
• d666c96 Update CHANGELOGs
• 30abd6b Merge pull request #52962 from rails/rm-releser
• 727b094 ActionText: Avoid backtracing in plain_text_for_blockquote_node
• ec7f253 Preparing for 7.0.8.4 release
• f12d5ae update changelog
• 08bc3ce Preparing for 7.0.8.3 release
• Additional commits viewable in compare view

Updates actionview from 7.0.2.4 to 7.0.8.7

Release notes

Sourced from actionview's releases.

7.0.8.7

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Add validation to content security policies to disallow spaces and semicolons. Developers should use multiple arguments, and different directive methods instead.

  [CVE-2024-54133]

  Gannon McGibbon

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

... (truncated)

Commits

• 778eab8 Preparing for 7.0.8.7 release
• bc979c5 Preparing for 7.0.8.6 release
• f61f4ef Preparing for 7.0.8.5 release
• 40d8b92 Merge pull request #51510 from fatkodima/remove-ostruct
• 8559039 Merge pull request #49416 from Shopify/fix-render-call-extractor-on-ruby-3.3
• ec7f253 Preparing for 7.0.8.4 release
• f12d5ae update changelog
• 08bc3ce Preparing for 7.0.8.3 release
• 7c8d2a1 Preparing for 7.0.8.2 release
• 506462a Preparing for 7.0.8.1 release
• Additional commits viewable in compare view

Updates activerecord from 7.0.2.4 to 7.0.8.7

Release notes

Sourced from activerecord's releases.

7.0.8.7

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Add validation to content security policies to disallow spaces and semicolons. Developers should use multiple arguments, and different directive methods instead.

  [CVE-2024-54133]

  Gannon McGibbon

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

... (truncated)

Commits

• 778eab8 Preparing for 7.0.8.7 release
• bc979c5 Preparing for 7.0.8.6 release
• f61f4ef Preparing for 7.0.8.5 release
• 30abd6b Merge pull request #52962 from rails/rm-releser
• 40d8b92 Merge pull request #51510 from fatkodima/remove-ostruct
• 67c2813 Merge pull request #52143 from skipkayhil/hm-fix-7-0-stable-ci
• ec7f253 Preparing for 7.0.8.4 release
• f12d5ae update changelog
• 08bc3ce Preparing for 7.0.8.3 release
• 7c8d2a1 Preparing for 7.0.8.2 release
• Additional commits viewable in compare view

Updates activestorage from 7.0.2.4 to 7.0.8.7

Release notes

Sourced from activestorage's releases.

7.0.8.7

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Add validation to content security policies to disallow spaces and semicolons. Developers should use multiple arguments, and different directive methods instead.

  [CVE-2024-54133]

  Gannon McGibbon

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

... (truncated)

Commits

• 778eab8 Preparing for 7.0.8.7 release
• bc979c5 Preparing for 7.0.8.6 release
• f61f4ef Preparing for 7.0.8.5 release
• 30abd6b Merge pull request #52962 from rails/rm-releser
• 67c2813 Merge pull request #52143 from skipkayhil/hm-fix-7-0-stable-ci
• ec7f253 Preparing for 7.0.8.4 release
• f12d5ae update changelog
• 08bc3ce Preparing for 7.0.8.3 release
• 7c8d2a1 Preparing for 7.0.8.2 release
• 506462a Preparing for 7.0.8.1 release
• Additional commits viewable in compare view

Updates activesupport from 7.0.2.4 to 7.0.8.7

Release notes

Sourced from activesupport's releases.

7.0.8.7

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Add validation to content security policies to disallow spaces and semicolons. Developers should use multiple arguments, and different directive methods instead.

  [CVE-2024-54133]

  Gannon McGibbon

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

... (truncated)

Commits

• 778eab8 Preparing for 7.0.8.7 release
• bc979c5 Preparing for 7.0.8.6 release
• f61f4ef Preparing for 7.0.8.5 release
• 30abd6b Merge pull request #52962 from rails/rm-releser
• fb16c1f Add missing require
• d738eec Merge pull request #51984 from zzak/7-1-51075
• ec7f253 Preparing for 7.0.8.4 release
• f12d5ae update changelog
• 08bc3ce Preparing for 7.0.8.3 release
• 7c8d2a1 Preparing for 7.0.8.2 release
• Additional commits viewable in compare view

Updates fugit from 1.11.0 to 1.11.1

Changelog

Sourced from fugit's changelog.

fugit 1.11.1 released 2024-08-15

• Prevent nat parsing chocking on long input (> 256 chars), gh-104

Commits

• 228b53d Release 1.11.1
• 2a0ec27 Upgrade Ruby test matrix versions
• ad2c1c9 Lower time expectations for labby rubies, gh-104
• 767ef55 Add spec for Fugit.parse() and .do_parse, gh-104
• 025ad7b Bring in spec helpers from raabro
• a9a2628 Add Fugit::Nat.parse() spec input len > 256 gh-104
• 2a11805 Add note about nat 256 char limit, gh-104
• 6a75274 Peg Fugit::Nat.parse(s) at 256 chars, gh-104
• d2f6cf3 Prepare 1.11.1
• See full diff in compare view

Updates rails-html-sanitizer from 1.6.0 to 1.6.2

Release notes

Sourced from rails-html-sanitizer's releases.

v1.6.2 / 2024-12-12

• PermitScrubber fully supports frozen "allowed tags".

  v1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which introduced a regression for applications passing a frozen array of allowed tags. Tags and attributes are now properly copied when they are passed to the scrubber.

  Fixes #195.

  Mike Dalessio

1.6.1 / 2024-12-02

This is a performance and security release which addresses several possible XSS vulnerabilities.

• The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.

  This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).

  Mike Dalessio

• Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content), regardless of the prune: option value. Previously, disallowed tags were "stripped" unless the gem was configured with the prune: true option.

  The CVEs addressed by this change are:

  • CVE-2024-53986 (GHSA-638j-pmjw-jq48)
  • CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)

  Mike Dalessio

• The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags are removed from the allow-list.

  The CVEs addressed by this change are:

  • CVE-2024-53988 (GHSA-cfjx-w229-hgx5)
  • CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)

  Please note that we may restore support for allowing "noscript" in a future release. We do not expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal for these tags.

  Mike Dalessio

... (truncated)

Changelog

Sourced from rails-html-sanitizer's changelog.

v1.6.2 / 2024-12-12

• PermitScrubber fully supports frozen "allowed tags".

  v1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which introduced a regression for applications passing a frozen array of allowed tags. Tags and attributes are now properly copied when they are passed to the scrubber.

  Fixes #195.

  Mike Dalessio

1.6.1 / 2024-12-02

This is a performance and security release which addresses several possible XSS vulnerabilities.

• The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.

  This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).

  Mike Dalessio

• Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content), regardless of the prune: option value. Previously, disallowed tags were "stripped" unless the gem was configured with the prune: true option.

  The CVEs addressed by this change are:

  • CVE-2024-53986 (GHSA-638j-pmjw-jq48)
  • CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)

  Mike Dalessio

• The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags are removed from the allow-list.

  The CVEs addressed by this change are:

  • CVE-2024-53988 (GHSA-cfjx-w229-hgx5)
  • CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)

  Please note that we may restore support for allowing "noscript" in a future release. We do not expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal for these tags.

  Mike Dalessio

• Improve performance by eliminating needless operations on attributes that are being removed. #188

... (truncated)

Commits

• 9160d49 version bump to v1.6.2
• 5843d4d fix: PermitScrubber accepts frozen tags
• 5e96b19 version bump to v1.6.1
• 383cc7c doc: update CHANGELOG with assigned CVEs
• a7b0cfe Combine the noscript/mglyph prevention blocks
• 5658335 Merge branch 'h1-2509647-noscript' into flavorjones-2024-security-fixes
• 65fb72f Merge branch 'h1-2519936-mglyph-foster-parenting' into flavorjones-2024-secur...
• 3fe22a8 Merge branch 'h1-2519936-foreign-ns-confusion' into flavorjones-2024-security...
• d7a94c1 Merge branch 'h1-2503220-nokogiri-serialization' into flavorjones-2024-securi...
• 3fd...

  Description has been truncated

[github-actions]

Review app deployed to https://get-into-teaching-app-review-4471.test.teacherservices.cloud

[sarahcrack]

Closing this PR as we cannot bump sidekiq at this time.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml