🚨 [security] Update jquery-rails: 4.3.3 → 4.3.5 (patch)

[depfu]

---

🚨 Your version of jquery-rails has known security vulnerabilities 🚨

Advisory: CVE-2019-11358
Disclosed: April 19, 2019
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

Prototype pollution attack through jQuery $.extend

jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of
bject.prototype pollution. If an unsanitized source object contained an
enumerable proto property, it could extend the native Object.prototype.

🚨 We recommend to merge and deploy this update as soon as possible! 🚨

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ jquery-rails (4.3.3 → 4.3.5) · Repo · Changelog

Release Notes

4.3.5 (from changelog)

• update jquery to 3.4.1

4.3.4 (from changelog)

• update jquery to 3.4.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

• Prepare to 4.3.5
• Upgrade jQuery to 3.4.1
• Prepare to 4.3.4
• Upgrade jQuery to 3.4.0
• Merge pull request #264 from ScottGrimmett/patch-1
• Update README.md
• Merge pull request #259 from nisusam/fix_invalid_link
• Fix invalid link for `Rails Core Team`
• Merge pull request #255 from lanzhiheng/bugfix/we-can-not-input-jquery-code-without-semicolon
• Fix we can not input jquery code without semicolon.

✳️ nokogiri (1.10.2 → 1.10.3) · Repo · Changelog

Release Notes

1.10.3

1.10.3 / 2019-04-22

Security Notes

[MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 5 commits:

• version bump to v1.10.3
• Merge pull request #1898 from sparklemotion/1892-libxslt-patch-for-usn-3947
• Backport libxslt patch for CVE-2019-11068
• Merge branch 'concourse-icons'
• ci: add icons to concourse resources

↗️ rack (indirect, 2.0.6 → 2.0.7) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

• Bumping to 2.0.7 for release
• Merge pull request #1343 from larsxschneider/ls/forward-fix
• Preserve forwarded IP address for trusted proxy chains
• Merge pull request #1201 from janko-m/make-multipart-parsing-work-for-chunked-requests

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #242.