🚨 [security] Update rake: 12.3.2 → 13.0.1 (major) #234
Open
depfu[bot] wants to merge 1 commit into master from
Conversation
🚨 Your version of rake has known security vulnerabilities 🚨
Advisory: CVE-2020-8130
Disclosed: August 29, 2019
URL: https://github.com/advisories/GHSA-jppv-gw3r-w3q8
OS Command Injection in Rake
🚨 We recommend merging and deploying this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and at the test results before merging this pull request.
What changed?
Release Notes
13.0.1 (from changelog)
13.0.0 (from changelog)
12.3.3 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 75 commits:
Bump version to 13.0.1
Fixed build failure of the latest GitHub Actions
Merge pull request #271 from thorsteneckel/bugfix-reenable_invocation_exception
Merge pull request #327 from mjbellantoni/mjb-order-only-arg-fix
Merge pull request #329 from jeremyevans/skip-taint-test-on-2.7
Skip a taint test on Ruby 2.7
Merge pull request #328 from orien/gem-metadata
Add project metadata to the gemspec
Update comments to reflect the current state
Fix an incorrectly resolved arg pattern
Prepare to release rake 13
Use RUBY insted of BUNDLE_RUBY for test-bundled-gems of ruby/ruby.
bump version to 13.0.0.pre.1
Merge pull request #325 from nobu/update-required_ruby_version
Merge pull request #326 from nobu/update-keyword-args
Update keyword arguments merger
Reduce repeated code
Removed stale skips
Drop old ruby versions which are no longer tested
Merge pull request #324 from ruby/use-setup-ruby-on-macos
Try to use setup-ruby on macos
Removed truffleruby temporary.
2.1 is not provided by binary installation
2.3 is provided by GitHub Actions, We need to switch 2.1.
Added truffleruby
There is no binaries of 2.0 and 2.1 on RVM
Set the explicitly versions.
Added the old versions
Use the latest version of JRuby
Merge pull request #269 from take-cheeze/order_only
Merge pull request #310 from tonytonyjan/without_parent_dir
Removed status badge of Travis.
Merge pull request #321 from ruby/cleanup-gemspec
Removed rdoc.
Use Gemfile instead of Gem::Specification#add_development_dependency.
Merge pull request #322 from ruby/actions-2
Good bye Travis. Thanks for your contribution.
Enabled coveralls service on macOS env.
Try to use rvm on GitHub Actions
Removed the badge of appveyor.
Merge pull request #320 from ruby/actions
Removed duplicated tasks with GitHub Actions.
Split install and test tasks.
setup-ruby is not support macOS env.
Windows env only provide Ruby 2.4+
Fixed build names.
Added Windows and macOS.
Enabled build matrix.
Update ruby.yml
Bump version to 12.3.3.
Use File.open explicitly.
Merge pull request #317 from ruby/ignore-gitignore
Removed gitignore from gemspec files.
feat: add `without_parent_dir` to `PackageTask`
Merge pull request #309 from RDIL/patch-1
Remove deprecated travis ci option
Merge pull request #307 from ruby/azure-pipelines
Only enabled macOS environment
use realpath
Do not specify ruby version of macOS
Ignore matrix build for macOS
Rename
Removed non supported versions.
Extracted ruby versions for matrix
Added missing vmImage
Applied matrix build for the multiple platforms.
Set up CI with Azure Pipelines
Merge pull request #305 from aycabta/use-2.6.1
Use Ruby 2.6.1
Merge pull request #303 from tmatilai/app-name-in-error
Use the application's name in error message if a task is not found
Merge pull request #301 from ruby/colby/update-rubocop
fix outstanding rubocop warnings
Merge pull request #300 from ruby/colby/add-ruby-2.6
Add ruby 2.6.0 to .travis.yml
✳️ annotate (2.7.4 → 3.1.0) · Repo · Changelog
Release Notes
2.7.5 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
✳️ nokogiri (1.10.2 → 1.10.9) · Repo · Changelog
Release Notes
1.10.9
1.10.8
1.10.7
1.10.6
1.10.5
1.10.4
1.10.3
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 40 commits:
version bump to v1.10.9
update CHANGELOG
Change return type to RubyArray
update CHANGELOG for #1985
Work around a bug in libxml2
version bump to v1.10.8
update CHANGELOG for v1.10.8
remove patches from the hoe Manifest
update to use rake-compiler ~1.1.0
backport libxml2 patch for CVE-2020-7595
version bump to v1.10.7
update CHANGELOG
Fix the patch from #1953 to work with both `git` and `patch`
Fix typo in generated metadata
add gem metadata
version bump to v1.10.6
update CHANGELOG
Add a patch to fix libxml2.la's path
add security note to CHANGELOG
version bump to v1.10.5
update CHANGELOG
dependency: update libxslt to 1.1.34 final
dependency: update libxml to 2.9.10 final
add suppressions for ruby 2.7
update CHANGELOG with correct release date for v1.10.4
update rake-compiler commands to install bundler
version bump to v1.10.4
Merge branch '1915-css-tokenizer-load-file-vulnerability_v1.10.x' into v1.10.x
update CHANGELOG
regenerate lexical scanner using rexical 1.0.7
eliminate `eval` from Builder#initialize
rufo formatting
rubocop security scan is run as part of the `test` rake target
add rubocop as a dev dependency
adding a temporary pipeline for v1.10.x
version bump to v1.10.3
Merge pull request #1898 from sparklemotion/1892-libxslt-patch-for-usn-3947
Backport libxslt patch for CVE-2019-11068
Merge branch 'concourse-icons'
ci: add icons to concourse resources
Release Notes
1.1.6 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
1.0.6
1.0.5
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 8 commits:
Release 1.0.6
Limit number values to a sensible range
Update history
Add project metadata to the gemspec
Release 1.0.5
Remove test files and omit them
Remove 1.9.3 from the test matrix
Update Travis test matrix
Release Notes
1.9.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 7 commits:
Bump version to 1.9.0
Change default :bufvar from 'String.new' to '::String.new' to work with BasicObject
Try to get Travis passing
Use minitest-global_expecations in tests to avoid deprecation issues with minitest 5.12
Test JRuby 9.2 on Travis
Test on TruffleRuby on Travis
CI: Add Ruby 2.6 to the matrix
Release Notes
1.8.2
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 65 commits:
Bump to 1.8.2
Fix regression introduced by b7f69f78
Add pry to Gemfile
Expand post-install message to clarify for new apps
Bump to 1.8.1
Merge pull request #508 from ruby-i18n/revert-499-chain-fallback-backends
Revert "Chain fallback backends"
Bump to 1.8.0
Merge pull request #499 from vipera/chain-fallback-backends
Bump to 1.7.1
Merge pull request #503 from CrAsH1101/preserve-count-option
Add test for preserving count option
Merge pull request #505 from peterberkenbosch/update-readme-with-gh-workflow-badge
Replace TravisCI badge with GH Actions badge
Merge pull request #504 from ruby-i18n/bump-ruby-rails
:wave: Travis CI :cry:
Ignore Ruby 2.3.8 + Rails 6.0.x
Correct Rails version number
Correct more ruby versions
Use actions/checkout@v2
Ignore Rails 6.0.0 + Ruby 2.4
Specify exact versions for eregon/use-ruby-action
Use eregon/use-ruby-action for Ruby 2.7, 2.3 + JRuby support
Undo required_ruby_version bump
Add missing Gemfile
Fail slowly
Bump Ruby + Rails versions
Merge pull request #501 from alchimere/add-user-friendly-comment-on-translate-kwargs
Add comment on kwargs to avoid new people open issues like #500
Preserve count option
I18n::Backend::Chain#translations fallback merge
Use activesupport implementation of Hash#deep_merge!
Merge pull request #495 from ghiculescu/pluralization_fallback_test
Add tests for existing behavior
Merge pull request #480 from Tietew/exclude-count-on-retrieve-link
Add JRuby to build pipeline
Add Ruby 2.3 to Ruby pipeline
One i in gemfile
Exclude Ruby 2.4.x + Rails master Gemfile build
Update ruby.yml
Update ruby.yml
Exclude :count option on retrieve link
Bump to 1.7.0
Merge pull request #491 from ruby-i18n/pipe-interpolation
Allow pipes in interpolations
Merge pull request #486 from amatsuda/kwargs_2.7
Merge pull request #487 from amatsuda/https
Keyword arguments have to be explicitly double-splatted in Ruby 2.7+
GitHub is https by default
Merge pull request #488 from amatsuda/reduce_allocations
Merge pull request #489 from lbraun/fix-typos
Fix typos
No need to dup before creating another Hash instance via Hash#reject
Merge pull request #483 from hsbt/remove-rubyforge
Removed rubyforge_project from gemspec. Because rubyforge was EOL.
Merge pull request #481 from ahorek/public
#include is public since ruby 2.1
Merge pull request #476 from TaigaMikami/master
Fix typo :)
Merge pull request #475 from KaanOzkan/raise-disabled
Raise disabled during boot inside fallback
Merge pull request #470 from gburgett/patch-1
Merge branch 'master' into patch-1
Use each_with_object and more descriptive names
Update spec for new behavior of chain backend
Release Notes
2.4.0
2.3.1
2.3.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Commits
See the full diff on Github. The new version differs by 13 commits:
Changelog and prepare for release
FEATURE: update for latest parity with mime types data
Remove unsupported rubies from travis test matrix
relax bundler version
Update benchmark in readme
Add gems to Gemfile for bench script
Allow custom db paths
Update benchmark
Test on Ruby 2.5 and Ruby 2.6
Merge pull request #16 from Aqualon/readme_improvements
Fix some typos/whitespace
Fix link to bench.rb
bump cache on travis
Release Notes
5.14.0 (from changelog)
5.13.0 (from changelog)
5.12.2 (from changelog)
5.12.1 (from changelog)
5.12.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 54 commits:
prepped for release
Closed temporary IOs when exiting capture_subprocess_io. (doudou)
- Added example for value wrapper with block to Expectations module. (stomar)
Added minitest_log to known modules (BurdetteLamar)
+ Block-assertions (eg assert_output) now error if raised inside the block. (casperisfine)
- Fixed use of must/wont_be_within_delta on Expectation instance. (stomar)
+ Changed assert_raises to only catch Assertion since that covers Skip and friends.
- Renamed UnexpectedError#exception to #error to avoid problems with reraising. (casperisfine)
prepped for release
+ Deprecated Minitest::Guard#maglev?
+ Added skip_until(year, month, day, msg) to allow deferring until a deadline.
Reworked some of metametameta to be more flexible.
+ Added expectations #path_must_exist and #path_wont_exist. Not thrilled with the names.
re-sorted assertions after path additions
+ Finally added assert_path_exists and refute_path_exists. (deivid-rodriguez)
+ Refactored and pulled Assertions#things_to_diff out of #diff. (BurdetteLamar)
- Fix autorun bug that affects fork exit status in tests. (dylanahsmith/jhawthorn)
+ Added examples to documentation for assert_raises. (lxxxvi)
- Support new Proc#to_s format. (ko1)
- Improved documentation for _/value/expect, especially for blocks. (svoop)
prepped for release
- After chatting w/ @y-yagi and others, decided to lower support to include ruby 2.2.
prepped for release
- Fixed broken link to reference on goodness-of-fit testing. (havenwood)
Added mini-apivore to readme.
- Update requirements in readme and Rakefile/hoe spec.
+ Added documentation for Reporter classes. (sshaw)
Added minitest-global_expectations to readme. (jeremyevans)
- Avoid using 'match?' to support older ruby versions. (y-yagi)
Tweaked multithreading section of README. (iHiD)
prepped for release
Reworked the \n vs \\n mu_pp_for_diff situation.
Extended assert_mu_pp and assert_mu_pp_for_diff to auto-quote strings to make tests more grokkable.
minor editing to comment
Turn off parallelism on stub and spec meta tests because they hit class methods (globals)
Added mutant-minitest to readme. (mjb)
+ Add a descriptive error if assert_output or assert_raises called without a block. (okuramasafumi)
- Check `option[:filter]` klass before match. Fixes 2.6 warning. (y-yagi)
Fixed 2.6 warning in test_refute_match_matcher_object by adding explicit =~ method. (y-yagi)
Added doco for using Rake::TestTask. (schneems)
Added minitest-mock_expectations to readme. (bogdanvlviv)
- Fixed spec section of readme to not use deprecated global expectations. (CheezItMan)
minor rearrangement of requires
Added tests for message and using message/lambad w/ assertions.
+ Changed mu_pp_for_diff to make having both \n and \\n easier to debug.
Overhauled and sorted test_minitest_assertions.rb in prep for new mu_pp_for_diff changes.
Split tests out into test_minitest_assertions.rb
- Fixed Assertions#diff from recalculating if set to nil
+ Deprecated $N for specifying number of parallel test runners. Use MT_CPU.
+ Extended Assertions#mu_pp to encoding validity output for strings to improve diffs.
+ Deprecated use of global expectations. To be removed from MT6.
+ Fail gracefully when expectation used outside of `it`.
Converted all minitest/spec tests over to use _ to avoid deprecation warnings.
Avoid teardown assertion check if test is skipped
Release Notes
2.5.2 (from changelog)
2.4.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 67 commits:
Fix error: use of undeclared identifier 'EV_USE_LINUXAIO'.
RuboCop...........
Bump version.
Replace usage of `long` with `size_t` in memory allocation functions.
Fix `ev_backend_poll` so that it doesn't generate warnings.
Detect aio_abi.h and define EV_USE_LINUXAIO if present.
Add project metadata to the gemspec
Update README.md
Bump version.
Add missing closing ')' on assert call in ev_port.c
Add notes about release process.
Update license details.
Report supported backends and current backend.
Bump version.
Test empty selector timeout.
Update to libev-4.27.
Merge pull request #219 from Jesus/master
Adds Puma to the list of projects using nio4r
Allow calling `deregister` on closed IO objects (#217)
Travis -add testing on OpenSSL 1.0.1 (trusty) & 1.1.1 (bionic & osx) [skip appveyor]
Update `CHANGES.md` and `README.md`.
Enable KQUEUE on macOS 10.14+.
Don't freeze strings in file with `frozen_string_literal`.
Bump minimum supported Ruby to 2.3.
Update travis config.
Set TRUFFLERUBY_RECOMPILE_OPENSSL to workaround OpenSSL issues
monitor.rb :nodoc => :nodoc: [skip ci]
Skip IO.try_convert in ruby code for SSL Sockets
Split some OpenSSL specs into TLSv1.2 and TLSv1.3
.gitignore - add .rspec_status [skip ci]
appveyor.yml - update with Ruby x64 - 2.5, 2.6, & head/trunk
Bump version.
Restore piratey patches.
Use `struct ev_loop` in `selector.c`.
Use `struct ev_loop`.
Update libev to v4.25.
Doesn't seem like gem/bundler update is required.
Run truffleruby with NIO4R_PURE.
Skip SSL spec on JRuby because the socket isn't readable for some reason.
Fix rubocop.
Don't invoke `monitor.close` after related IO has already been closed.
Prefer generic latest stable jruby in travis config.
Java Extension: use at least Java 1.8, avoid warnings
Travis: update to jruby-9.2.5.0 (#197)
Don't allow 2.6 to fail.
Fix trailing whitespace.
Increase and embed select precision on a per-test basis.
Simplify rubocop usage.
Remove Ruby 2.2 since it's no longer supported by bundler.
Try reverting select timeout.
Try to detect unwritable OpenSSL socket.
Fix rubocop.
Remove pending check since it appears to be unnecessary.
Merge pull request #200 from boutil/patch-1
Fix travis os: name.
Simplify travis build matrix.
Rework port allocation and selector timeouts. Fixes #184.
allow failures for Ruby 2.6 for now
Merge pull request #199 from boutil/master
Increase size of RSA keys to 2048 bits
Update travis config, add support for truffleruby.
Merge pull request #192 from junaruga/feature/doc-ruby-2.5
Merge pull request #191 from junaruga/feature/travis-update
Add Ruby 2.5 to supported platforms.
Update Rubies to the latest version on Travis CI.
Merge pull request #190 from olleolleolle/patch-4
Travis: jruby-9.2.0.0
Release Notes
2.2.2 (from changelog)
2.2.1 (from changelog)
2.2.0 (from changelog)
2.1.2 (from changelog)
2.1.1 (from changelog)
2.1.0 (from changelog)
2.0.8 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
1.3.0
1.2.0
1.1.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 30 commits:
v1.3.0
Merge pull request #102 from orien/gem-metadata
Add project metadata to the gemspec
Match Loofah's API changes.
Prepare 1.2.0
Remove needless white list sanitizer deprecations
Merge pull request #96 from olleolleolle/patch-1
CI: Drop unused sudo: false Travis directive
Merge pull request #95 from rwojnarowski/patch-1
Deprecated warning text, missing space
Prepare version 1.1.0
Merge pull request #91 from JuanitoFatas/doc/scrubbers
Merge pull request #92 from JuanitoFatas/link-sanitizer
Improve LinkSanitizer's documentation
href is not a HTML element
Improve Scrubber documentations
Merge pull request #87 from JuanitoFatas/migrate-to-safelist
Migrate to SafeListSanitizer
Merge pull request #90 from JuanitoFatas/jf.fix-tests
Update test behavior for Nokogiri > 1.9.1.
Merge pull request #89 from JuanitoFatas/rubies
Merge pull request #88 from JuanitoFatas/jf.relax-bundler-dependency
Update Ruby version matrix on CI
Use a inclusive Bundler version
Merge pull request #86 from tebs/fix-documentation-link
Fix Nokogiri link in documentation
[ci skip] Please don't send more PRs trying to bump Loofah.
Merge pull request #71 from nicolasleger/patch-1
[CI] Allow failure with ruby head
[CI] Test against Ruby 2.5
Release Notes
1.2.6
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 27 commits:
Update copyright years.
Preparing v1.2.6.
Replace expired gem signing certificate.
Fix a comment.
Ruby Enterprise Edition requires older versions of RubyGems and Bundler.
Fix block not being called by RubyCoreSupport.open_file on JRuby 9.2.
Revert "Try and fix an incorrect rake version being picked with JRuby 1.7."
Try and fix an incorrect rake version being picked with JRuby 1.7.
Convert to UNIX line endings.
Simplify minitest version constraint.
Update to Ruby v2.7.0-rc2.
Run CI tests on Windows with AppVeyor.
Enable verbose test output.
Update Travis CI Ruby versions.
Prevent bundler from attempting to use version minitest v5.12.0.
Allow newer versions of Rake that fix warnings with Ruby 2.7.
Eliminate a warning when calling File.open with keyword arguments.
Suppress deprecation warnings due to Object#untaint on Ruby 2.7.
Fix test failures on Ruby 1.8.7 caused by DateTime issues.
Remove the unused REQUIRE_PATH constant from RubyDataSource.
Fix SecurityErrors when loading data in safe mode.
Test that RUBY_ENGINE is defined.
Skip tests that fail due to Ruby bug 14060 on Ruby 2.4.4.
Update to the latest Ruby, JRuby and Rubinius releases.
Fix a documentation typo.
Return the correct seconds since the epoch value for strftime with %s.
Restrictions on timezones only apply to older (pre-1.9) Ruby releases.
Release Notes
0.1.4 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 7 commits:
Bump version to 0.1.4
Change markdown formatting of docs.
Fix deprecation warning about =~ being called on TrueClass.
Fix RSpec warnings about raise_error with no arguments.
Update Travis target versions.
Switch license to Apache 2.0.
Test on Ruby 2.5.0.

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands