🚨 [security] Update activesupport 6.1.4.4 → 6.1.7.7 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ activesupport (6.1.4.4 → 6.1.7.7) · Repo · Changelog

Security Advisories 🚨

🚨 Possible File Disclosure of Locally Encrypted Files

There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5

Impact

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

To work around this issue, you can set your umask to be more restrictive like this:

$ umask 0077

🚨 Possible XSS Security Vulnerability in SafeBuffer#bytesplice

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
This vulnerability has been assigned the CVE identifier CVE-2023-28120.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3

Impact

ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized.
When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe.

Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation.
Users on older versions of Ruby are likely unaffected.

All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.

Workarounds

Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.

🚨 ReDoS based DoS vulnerability in Active Support’s underscore

There is a possible regular expression based DoS vulnerability in Active
Support. This vulnerability has been assigned the CVE identifier
CVE-2023-22796.

Versions Affected: All
Not affected: None
Fixed Versions: 6.1.7.1, 7.0.4.1

Impact

A specially crafted string passed to the underscore method can cause the
regular expression engine to enter a state of catastrophic backtracking.
This can cause the process to use large amounts of CPU and memory, leading
to a possible DoS vulnerability.

This affects String#underscore, ActiveSupport::Inflector.underscore,
String#titleize, and any other methods using these.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Workarounds

There are no feasible workarounds for this issue.

Users on Ruby 3.2.0 or greater may be able to reduce the impact by
configuring Regexp.timeout.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 57 commits:

• Preparing for 6.1.7.7 release
• update changelog
• Preparing for 6.1.7.6 release
• Bumping version for new release
• Preparing for 6.1.7.5 release
• bumping version / changelog
• Preparing for 6.1.7.4 release
• Preparing for 6.1.7.3 release
• Prepare version 6.1.7.3
• Version 6.1.7.2
• Version 6.1.7.1
• Make sanitize_as_sql_comment more strict
• Added integer width check to PostgreSQL::Quoting
• Version 6.1.7
• Merge pull request #45872 from the-spectator/correct_hwia_encoding
• Fix tests after cherry-pick of #45773
• Don't handle this change for legacy_connection_handling
• Merge pull request #45773 from eileencodes/only-setup-shared-pools-if-we-have-a-connection
• Merge pull request #45593 from skipkayhil/fix-6-1-compat
• Remove active_record.yaml initializers
• Fix compatability with ruby 2.5
• Allow Symbol by default in YAML columns
• Merge pull request #45591 from Shopify/ar-store-hash-type
• Merge pull request #45578 from natematykiewicz/yaml_safe_load_performance
• Merge branch '6-1-sec' into 6-1-stable
• Preparing for 6.1.6.1 release
• updating version and changelog
• Change ActiveRecord::Coders::YAMLColumn default to safe_load
• Merge pull request #44128 from zzak/issue/44107
• Only test `taint` methods on 2.6 and below
• Fix did you mean tests for ruby-trunk (3.2)
• Fix postgresql reconnection_error test expects wrong exception
• Fix: PG.connect keyword arguments deprecation warning on ruby 2.7
• Preparing for 6.1.6 release
• Preparing for 6.1.6 release
• Merge branch '6-1-sec' into 6-1-stable
• Preparing for 6.1.5.1 release
• updating changelog for release
• Fix migrations compatibility for polymorphic references default index name
• Fix typos [ci skip]
• Preparing for 6.1.5 release
• Update CHANGELOG [ci skip]
• Merge branch '6-1-sec' into 6-1-stable
• Preparing for 6.1.4.7 release
• bumping version
• Require shellwords where it is used
• Deal with Ruby 2.5 as well in this implementation
• Merge branch '6-1-sec' into 6-1-stable
• Preparing for 6.1.4.6 release
• Preparing release
• Merge branch '6-1-sec' into 6-1-stable
• Preparing for 6.1.4.5 release
• Preparing for release
• Fixes ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate for Ruby 2.6
• Merge pull request #44039 from kamipo/bump-year-to-2022
• Merge PR #43295
• Merge branch '6-1-sec' into 6-1-stable

✳️ minitest (5.15.0 → 5.22.2) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.1.9 → 1.2.3) · Repo · Changelog

Release Notes

1.2.3

What's Changed

• Fix TimerTask :execution_interval docs by @freemanoid in #994
• Fix TimerTask docs to not refer to #execute as "blocking" by @bensheldon in #996
• Fix TimerTask example output by @bensheldon in #1003
• Fix broken CI due to rake-compiler error on Ruby < 2.6 by @mattbrictson in #1007
• Fix doc typo: yeild → yield by @mattbrictson in #1006
• Fix DaemonThreadFactory - reuse single Java thread factory by @obulkin in #1009
• Fix sporadic failures testing with JRuby by @headius in #1012
• Allow TimerSet to safely handle an executor raising RejectedExecutionError by @bensheldon in #999
• Use executor from arg in then_on/rescue_on/chain_on for Promises by @tgwizard in #1005
• Allow TimerTask to be initialized with a specified Executor by @bensheldon in #1000
• Create method ThreadPoolExecutor#active_count to expose the number of threads that are actively executing tasks by @bensheldon in #1002
• Drop dependency on mutex_m by @casperisfine in #1013
• Fix compile error on FreeBSD 14 by @janbiedermann in #1014
• Fix spurious return in Promises#wait_until_resolved by @eregon in #1016
• Remove AtomicReferenceMapBackend and CheapLockable by @eregon in #1018
• Add Ruby 3.3 in CI by @eregon in #1021
• docs: fix typo in throttle docs by @G-Rath in #1024
• docs: update promises grammar by @G-Rath in #1026
• Add TimerTask#interval_type option to configure interval calculation by @bensheldon in #997

New Contributors

• @freemanoid made their first contribution in #994
• @bensheldon made their first contribution in #996
• @mattbrictson made their first contribution in #1007
• @obulkin made their first contribution in #1009
• @headius made their first contribution in #1012
• @tgwizard made their first contribution in #1005
• @janbiedermann made their first contribution in #1014
• @G-Rath made their first contribution in #1024

Full Changelog: v1.2.2...v1.2.3

1.2.2

concurrent-ruby 1.2.2:

• (#993) Fix arguments passed to Concurrent::Map's default_proc.

1.2.1

concurrent-ruby 1.2.1:

• (#990) Add missing require 'fiber' for FiberLocalVar.
• (#989) Optimize Concurrent::Map#[] on CRuby by letting the backing Hash handle the default_proc.

1.2.0

concurrent-ruby 1.2.0:

• (#975) Set the Ruby compatibility version at 2.3
• (#962) Fix ReentrantReadWriteLock to use the same granularity for locals as for Mutex it uses.
• (#983) Add FiberLocalVar
• (#934) concurrent-ruby now supports requiring individual classes (public classes listed in the docs), e.g., require 'concurrent/map'
• (#976) Let Promises.any_fulfilled_future take an Event
• Improve documentation of various classes
• (#972) Remove Rubinius-related code

concurrent-ruby-edge 0.7.0:

• (#975) Set the Ruby compatibility version at 2.3
• (#934) concurrent-ruby now supports requiring individual classes (public classes listed in the docs), e.g., require 'concurrent/map'
• (#972) Remove Rubinius-related code

1.1.10

concurrent-ruby:

• (#951) Set the Ruby compatibility version at 2.2
• (#939, #933) The caller_runs fallback policy no longer blocks reads from the job queue by worker threads
• (#938, #761, #652) You can now explicitly prune_pool a thread pool (Sylvain Joyeux)
• (#937, #757, #670) We switched the Yahoo stock API for demos to Alpha Vantage (Gustavo Caso)
• (#932, #931) We changed how SafeTaskExecutor handles local jump errors (Aaron Jensen)
• (#927) You can use keyword arguments in your initialize when using Async (Matt Larraz)
• (#926, #639) We removed timeout from TimerTask because it wasn't sound, and now it's a no-op with a warning (Jacob Atzen)
• (#919) If you double-lock a re-entrant read-write lock, we promote to locked for writing (zp yuan)
• (#915) monotonic_time now accepts an optional unit parameter, as Ruby's clock_gettime (Jean Boussier)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 1.8.11 → 1.14.1) · Repo · Changelog

Release Notes

1.14.1

Included in this release

• Simplify the "Translation missing" message when default is an empty Array by @amatsuda in #662

Maintenance stuff

• Skip CIing on jruby against Rails 5.2 by @amatsuda in #664
• A fix for failing CI against edge Rails by @amatsuda in #663
• Add documentation hint for fallback values by @mark-a in #659
• CI against Ruby 3.2 by @amatsuda in #665
• Fix build warnings in the CI by using actions/checkout@v3 by @amatsuda in #666

Thanks to @amatsuda for these PRs!

New Contributors

• @mark-a made their first contribution in #659

Full Changelog: v1.14.0...v1.14.1

1.14.0

What's Changed

• fix LazyLoadable#available_locales duplicating locales by @ccutrer in #655
• Add more helpful translation error when :default option is provided. by @Nerian in #654
• Fix I18n::Locale::Fallbacks not initializing itself on Ruby 3 by @yheuhtozr in #653
• Fix I18n.t when locale contains separator by @tubaxenor in #656
  • This reverts a change from #651, that was released in v1.13.0

New Contributors

• @ccutrer made their first contribution in #655
• @Nerian made their first contribution in #654
• @yheuhtozr made their first contribution in #653
• @tubaxenor made their first contribution in #656

Full Changelog: v1.13.0...v1.14.0

1.13.0

What's Changed

• Fix symbol resolving with pluralization by @movermeyer in #636
• Updating DEFAULT_APPROXIMATIONS with capitalised German Eszett character for consistency by @lucapericlp in #627
• Fix load_path example in README.md by @nickcampbell18 in #642
• Add support for meridian indicators on Date objects by @movermeyer in #640
• Make translations loading thread-safe by @mensfeld in #644
• Get closer to full CLDR pluralization support by @movermeyer in #634
• Allow passing scope argument to exists? by @misdoro in #647
• Revert #503 changes for Backend::Base by @movermeyer in #637
• Properly stub constants by @fatkodima in #650
• Optimize I18n.t by @fatkodima in #651
• Return same string object when no interpolations were made by @fatkodima in #649

New Contributors

• @lucapericlp made their first contribution in #627
• @nickcampbell18 made their first contribution in #642
• @mensfeld made their first contribution in #644
• @misdoro made their first contribution in #647

Full Changelog: v1.12.0...v1.13.0

1.12.0

What's Changed

• Revert "Add support for CLDR data in I18n::Backend::Pluralization" by @radar in #633 -- this was causing breaking changes unintentionally.

Full Changelog: v1.11.0...v1.12.0

1.11.0

What's Changed

• Consistently return array from bulk lookup, even if translation(s) missing by @sambostock in #628
• Fix typos by @movermeyer in #631
• Add support for CLDR data in I18n::Backend::Pluralization by @movermeyer in #630

New Contributors

• @sambostock made their first contribution in #628

Full Changelog: v1.10.0...v1.11.0

1.10.0

What's Changed

New Features

• LazyLoadable Backend by @paarthmadan in #612
• Add a version badge to README by @mishina2228 in #621

Bug fixes

• Remove warning: assigned but unused variable by @mishina2228 in #611
• Minor I18n.normalize_keys improvement by @codealchemy in #616
• Allow overriding of entry resolving entry resolving separate from defaults by @movermeyer in #622

Other changes

• Remove pry from Gemfile as it is not used by @dvzrv in #608

New Contributors

• @dvzrv made their first contribution in #608
• @mishina2228 made their first contribution in #611

Full Changelog: v1.9.1...v1.10.0

1.9.1

What's Changed

• Revert "Fix missing requires of i18n/core_ext/hash" by @radar in #602
• CI: Lint the GitHub Actions YAML by @olleolleolle in #604

Full Changelog: v1.9.0...v1.9.1

1.9.0

Minor version bump: The number of changes in this release are more than I would feel comfortable including in a point release. Therefore, I have bumped the minor version number here. -- @radar

What's Changed

• No longer rely on refinements for Hash utility methods. by @casperisfine in #573
• Fix typo: function is missing closing parenthesis by @patrickgramatowski in #585
• CI: ruby/setup-ruby with cache by @olleolleolle in #582
• Test on Ruby 3.1 & Rails 7.0x by @radar in #597
• Fix lookups of 0 keys by @movermeyer in #594
• Only deep_symbolize_keys when needed by @paarthmadan in #588
• Symbolize names and freeze values when loading from JSON by @paarthmadan in #587
• Clean up unneeded test aliases by @paarthmadan in #589
• Resolve Symbols using the original fallback locale by @movermeyer in #591
• Conditionally assert load_json returns symbolized data by @paarthmadan in #601
• Symbolize keys and freeze values when loading from YAML by @paarthmadan in #583
• fix ReDoS by @ooooooo-q in #600
• Exclude MissingTranslation options that are not used by the instance by @sundling in #581
• Remove references to default_locale in fallbacks comment by @movermeyer in #576
• API for marking a key as reserved by @ghiculescu in #579
• Fix missing requires of i18n/core_ext/hash by @razum2um in #574
• Fix ArgumentError when Fallbacks#map used as in Hash by @bagilevi in #570

New Contributors

• @patrickgramatowski made their first contribution in #585
• @olleolleolle made their first contribution in #582
• @movermeyer made their first contribution in #594
• @paarthmadan made their first contribution in #588
• @ooooooo-q made their first contribution in #600
• @sundling made their first contribution in #581
• @razum2um made their first contribution in #574
• @bagilevi made their first contribution in #570

Full Changelog: v1.8.11...v1.9.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tzinfo (indirect, 2.0.4 → 2.0.6) · Repo · Changelog

Release Notes

2.0.6

• Eliminate Object#untaint deprecation warnings on JRuby 9.4.0.0. #145.

TZInfo v2.0.6 on RubyGems.org

2.0.5

• Changed DateTime results to always use the proleptic Gregorian calendar. This affects DateTime results prior to 1582-10-15 and any arithmetic performed on the results that would produce a secondary result prior to 1582-10-15.
• Added support for eager loading all the time zone and country data by calling either TZInfo::DataSource#eager_load! or TZInfo.eager_load!. Compatible with Ruby On Rails' eager_load_namespaces. #129.
• Ignore the SECURITY file from Arch Linux's tzdata package. #134.

TZInfo v2.0.5 on RubyGems.org

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 39 commits:

• Fix formatting.
• Preparing v2.0.6.
• Add v1.2.11 from the 1.2 branch.
• Update copyright years.
• Eliminate Object#untaint deprecation warnings on JRuby 9.4.0.0.
• Add Ruby 3.2 and JRuby 9.4.
• Update the dependency on actions/checkout.
• Fix include issues with tests on Ruby 3.2.
• Revert "Workaround for 'Permission denied - NUL' errors with JRuby on Windows."
• Preparing v2.0.5.
• Add v0.3.61 and v1.2.10 from the 0.3 and 1.2 branches.
• Fix relative path loading tests.
• Add a top level eager_load! method for Rails compatibility.
• Support preloading all data from a DataSource.
• Clarify that both files and directories are excluded.
• Tidy up of security file ignoring.
• Merge pull request #133.
• Workaround for 'Permission denied - NUL' errors with JRuby on Windows.
• ignore SECURITY file for Arch tzdata package
• Add Ruby 3.1.
• Update copyright years.
• Update copyright years.
• Fix documentation.
• Fix a typo.
• Continue to use philr/setup-ruby@legacy for Ruby 2.0.0 x86 on Windows.
• Add JRuby 9.3 and update to TruffleRuby 21.
• Switch to ruby/setup-ruby for 1.9.3 (non-Windows) and 2.0.0.
• Always return DateTime results using the proleptic Gregorian calendar.
• Tidy up syntax.
• Fix a grammatical error.
• Add version 0.3.60 from the 0.3 branch.
• Remove an unnecessary or.
• Add RubyGems logo.
• Ignore more warnings from sub-processes.
• Mark truffleruby as experimental.
• Limit json to < 2.5.0 on Windows Ruby 2.0.
• Switch to GitHub Actions for CI.
• [ci skip] Add version 0.3.59 from the 0.3 branch.
• [ci skip] Improve formatting.

↗️ zeitwerk (indirect, 2.5.1 → 2.6.13) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #93.