Bump the bundler group with 10 updates

[dependabot]

Bumps the bundler group with 10 updates:

Package	From	To
actionmailer	7.1.3.4	7.1.4.1
actionpack	7.1.3.4	7.1.4.1
actiontext	7.1.3.4	7.1.4.1
net-imap	0.4.10	0.5.9
nokogiri	1.16.7	1.18.8
rack	2.2.9	2.2.17
rails-html-sanitizer	1.6.0	1.6.2
rexml	3.3.6	3.3.9
uri	0.13.0	0.13.2
webrick	1.8.1	1.8.2

Updates actionmailer from 7.1.3.4 to 7.1.4.1

Release notes

Sourced from actionmailer's releases.

7.1.4.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Avoid regex backtracking in HTTP Token authentication

  [CVE-2024-47887]

• Avoid regex backtracking in query parameter filtering

  [CVE-2024-41128]

Active Job

• No changes.

Action Mailer

• Avoid regex backtracking in block_format helper

  [CVE-2024-47889]

Action Cable

• No changes.

Active Storage

• No changes.

... (truncated)

Commits

• 5b5f0da Preparing for 7.1.4.1 release
• 76ae935 Update CHANGELOGs
• 3612e3e Avoid backtracking in ActionMailer block_format
• 1f56fd6 Merge pull request #52962 from rails/rm-releser
• 6f57590 Preparing for 7.1.4 release
• eedbe69 Merge branch '7-1-sec' into 7-1-stable
• 0dc6be2 Merge branch 'rm-trix-7-1' into 7-1-stable
• bb28ca8 Merge pull request #51510 from fatkodima/remove-ostruct
• ed84c0d Merge branch '7-1-sec' into 7-1-stable
• 8e2101f Merge branch '7-1-sec' into 7-1-stable
• Additional commits viewable in compare view

Updates actionpack from 7.1.3.4 to 7.1.4.1

Release notes

Sourced from actionpack's releases.

7.1.4.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Avoid regex backtracking in HTTP Token authentication

  [CVE-2024-47887]

• Avoid regex backtracking in query parameter filtering

  [CVE-2024-41128]

Active Job

• No changes.

Action Mailer

• Avoid regex backtracking in block_format helper

  [CVE-2024-47889]

Action Cable

• No changes.

Active Storage

• No changes.

... (truncated)

Commits

• 5b5f0da Preparing for 7.1.4.1 release
• 76ae935 Update CHANGELOGs
• b0fe99f Avoid backtracking in filtered_query_string
• 7c13988 Avoid backtracking in Token#raw_params
• 1f56fd6 Merge pull request #52962 from rails/rm-releser
• 6f57590 Preparing for 7.1.4 release
• 63fe89d Sync changelog
• 6036b65 Merge pull request #52138 from skipkayhil/hm-rack-input-is-optional
• 578eb9a Move the rewind code closer to the reason why we need to rewind
• 213538e Consider selenium-webdriver version for Ruby 2.7
• Additional commits viewable in compare view

Updates actiontext from 7.1.3.4 to 7.1.4.1

Release notes

Sourced from actiontext's releases.

7.1.4.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Avoid regex backtracking in HTTP Token authentication

  [CVE-2024-47887]

• Avoid regex backtracking in query parameter filtering

  [CVE-2024-41128]

Active Job

• No changes.

Action Mailer

• Avoid regex backtracking in block_format helper

  [CVE-2024-47889]

Action Cable

• No changes.

Active Storage

• No changes.

... (truncated)

Commits

• 5b5f0da Preparing for 7.1.4.1 release
• 76ae935 Update CHANGELOGs
• de0df7c Avoid backtracing in plain_text_for_blockquote_node
• 1f56fd6 Merge pull request #52962 from rails/rm-releser
• 6f57590 Preparing for 7.1.4 release
• fef23ff Merge pull request #52281 from jagthedrummer/jeremy/action-text-content-trix-fix
• 2b05f76 Merge pull request #52093 from p8/actiontext/fix-remote-image-preview
• 1a5896f Fix action-text-attachment HTML escaping regression test
• 01f27a6 Add missing authors in CHANGELOG
• eedbe69 Merge branch '7-1-sec' into 7-1-stable
• Additional commits viewable in compare view

Updates net-imap from 0.4.10 to 0.5.9

Release notes

Sourced from net-imap's releases.

v0.5.9

What's Changed

Added

• ✨ Add Net::IMAP::SequenceSet() coercion method by @​nevans in ruby/net-imap#490

Fixed

• 🐛 Fix SequenceSet#include? handling of invalid inputs by @​nevans in ruby/net-imap#479

Documentation

• 📚🐛 Fix SequenceSet documentation errors by @​nevans in ruby/net-imap#480
• 📚🐛 Fix doc & error msg for SequenceSet coersion by @​nevans in ruby/net-imap#483
• 📚 RDoc updates for SequenceSet by @​nevans in ruby/net-imap#489

Other Changes

• ♻️ Short-circuit frozen SequenceSet modifications by @​nevans in ruby/net-imap#473
• 🐛 Always remove idle response handler after done by @​nevans in ruby/net-imap#481
• ♻️ Move SequenceSet autoload by @​nevans in ruby/net-imap#491
• ♻️ Avoid unnecessary allocation in SequenceSet[] by @​nevans in ruby/net-imap#492
• 🧵 Close socket in #disconnect before waiting for lock & thread join by @​nevans in ruby/net-imap#493
• 🧵 Improve synchronization of connection_state transitions by @​nevans in ruby/net-imap#494

Miscellaneous

• ♻️ Generate same stringprep tables with ruby 3.4 by @​nevans in ruby/net-imap#469
• ✅ CI: Mark ruby head on windows as "experimental" by @​nevans in ruby/net-imap#472
• ✅ Update Regexp.linear_time? tests for non-CRuby by @​nevans in ruby/net-imap#477
• ✅ Add timeouts to CI workflow by @​nevans in ruby/net-imap#478
• ✅ Update ResponseReader, UIDFetchData, DeprecatedClientOptions tests by @​nevans in ruby/net-imap#476
• ⏪ Revert #472 (✅ CI: Mark ruby head on windows as "experimental") by @​nevans in ruby/net-imap#482
• ➕ Add benchmark to Gemfile to silence warnings by @​nevans in ruby/net-imap#486
• ⬆️ Bump step-security/harden-runner from 2.12.0 to 2.12.1 by @​dependabot in ruby/net-imap#488

Full Changelog: ruby/net-imap@v0.5.8...v0.5.9

v0.5.8

What's Changed

Added

• ✨ Add SequenceSet#min(count) and #max(count) by @​nevans in ruby/net-imap#460
• ✨ Add SequenceSet#above and SequenceSet#below by @​nevans in ruby/net-imap#462

Fixed

• 🐛 Check for Ractor (for JRuby, TruffleRuby) by @​nevans in ruby/net-imap#453, reported by @​rammpeter in ruby/net-imap#452
• 🐛 Fix SequenceSet#slice with range (start...0) by @​nevans in ruby/net-imap#456
• 🐛 Fix inconsistently frozen SequenceSet#[] result by @​nevans in ruby/net-imap#458
• 🐛 Fix SequenceSet#xor crash when set is frozen by @​nevans in ruby/net-imap#457
• 🐛 Fix SequenceSet#slice when length > result size by @​nevans in ruby/net-imap#459

Documentation

• 📚 Various SequenceSet rdoc improvements by @​nevans in ruby/net-imap#465

Miscellaneous

• ⬆️ Bump step-security/harden-runner from 2.11.1 to 2.12.0 by @​dependabot in ruby/net-imap#455

... (truncated)

Commits

• 0f8c37a 🔖 Bump version to 0.5.9
• 0c89bb1 🔀 Merge pull request #494 from ruby/synchronize-state-transitions
• b6e8e5a 🔀 Merge pull request #493 from ruby/synchronize-disconnect-logout
• 0d7810e 🧵 Synchronize state_authenticated!
• 0c919fb ♻️ Simplify shutdown of socket in #disconnect
• ff6dd40 🧵 Set logout state earlier (in reciever thread)
• 9becbf1 🧵 Don't lock around socket close in #disconnect
• e4a8c0e 🧵 Short-circuit logout state transition
• 5bddf68 📖 Document that #disconnect joins receiver thread
• 17b6463 🧵 Join the receiver after closing the socket
• Additional commits viewable in compare view

Updates nokogiri from 1.16.7 to 1.18.8

Release notes

Sourced from nokogiri's releases.

v1.18.8 / 2025-04-21

Security

• [CRuby] Vendored libxml2 is updated to v2.13.8 to address CVE-2025-32414 and CVE-2025-32415. See GHSA-5w6v-399v-w3cc for more information.

36badd2eb281fca6214a5188e24a34399b15d89730639a068d12931e2adc210e  nokogiri-1.18.8-aarch64-linux-gnu.gem
664e0f9a77a7122a66d6c03abba7641ca610769a4728db55ee1706a0838b78a2  nokogiri-1.18.8-aarch64-linux-musl.gem
483b5b9fb33653f6f05cbe00d09ea315f268f0e707cfc809aa39b62993008212  nokogiri-1.18.8-arm64-darwin.gem
17de01ca3adf9f8e187883ed73c672344d3dbb3c260f88ffa1008e8dc255a28e  nokogiri-1.18.8-arm-linux-gnu.gem
6e6d7e71fc39572bd613a82d528cf54392c3de1ba5ce974f05c832b8187a040b  nokogiri-1.18.8-arm-linux-musl.gem
8c7464875d9ca7f71080c24c0db7bcaa3940e8be3c6fc4bcebccf8b9a0016365  nokogiri-1.18.8.gem
41002596960ff854198a20aaeb34cff0d445406d5ad85ba7ca9c3fd0c8f03de0  nokogiri-1.18.8-java.gem
11ab0f76772c5f2d718fb253fca5b74c6ef7628b72bbf8deba6ab1ffc93344cf  nokogiri-1.18.8-x64-mingw-ucrt.gem
024cdfe7d9ae3466bba6c06f348fb2a8395d9426b66a3c82f1961b907945cc0c  nokogiri-1.18.8-x86_64-darwin.gem
4a747875db873d18a2985ee2c320a6070c4a414ad629da625fbc58d1a20e5ecc  nokogiri-1.18.8-x86_64-linux-gnu.gem
ddd735fba49475a395b9ea793bb6474e3a3125b89960339604d08a5397de1165  nokogiri-1.18.8-x86_64-linux-musl.gem

v1.18.7 / 2025-03-31

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.13.7, which is a bugfix release.

57a064ab5440814a69a0e040817bd8154adea68a30d2ff2b3aa515a6a06dbb5f  nokogiri-1.18.7-aarch64-linux-gnu.gem
3e442dc5b69376e84288295fe37cbb890a21ad816a7e571e5e9967b3c1e30cd3  nokogiri-1.18.7-aarch64-linux-musl.gem
083abb2e9ed2646860f6b481a981485a658c6064caafaa81bf1cda1bada2e9d5  nokogiri-1.18.7-arm64-darwin.gem
337d9149deb5ae01022dff7c90f97bed81715fd586aacab0c5809ef933994c5e  nokogiri-1.18.7-arm-linux-gnu.gem
97a26edcc975f780a0822aaf7f7d7427c561067c1c9ee56bd3542960f0c28a6e  nokogiri-1.18.7-arm-linux-musl.gem
6b63ff5defe48f30d1d3b3122f65255ca91df2caf5378c6e0482ce73ff46fb31  nokogiri-1.18.7.gem
2cb83666f35619ec59d24d831bf492e49cfe27b112c222330ee929737f42f2eb  nokogiri-1.18.7-java.gem
681148fbc918aa5d54933d8b48aeb9462ab708d23409797ed750af961107f72b  nokogiri-1.18.7-x64-mingw-ucrt.gem
081d1aa517454ba3415304e2ea51fe411d6a3a809490d0c4aa42799cada417b7  nokogiri-1.18.7-x86_64-darwin.gem
3a0bf946eb2defde13d760f869b61bc8b0c18875afdd3cffa96543cfa3a18005  nokogiri-1.18.7-x86_64-linux-gnu.gem
9d83f8ec1fc37a305fa835d7ee61a4f37899e6ccc6dcb05be6645fa9797605af  nokogiri-1.18.7-x86_64-linux-musl.gem

v1.18.6 / 2025-03-24

Fixed

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.18.8 / 2025-04-21

Security

• [CRuby] Vendored libxml2 is updated to v2.13.8 to address CVE-2025-32414 and CVE-2025-32415. See GHSA-5w6v-399v-w3cc for more information.

v1.18.7 / 2025-03-31

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.13.7, which is a bugfix release.

v1.18.6 / 2025-03-24

Fixed

• [JRuby] In HTML documents, Node#attribute now returns the correct attribute. This has been broken, and returning nil, since v1.17.0. (#3487) @​flavorjones

v1.18.5 / 2025-03-19

Fixed

• [JRuby] Update JRuby's XML serialization so it outputs namespaces exactly like CRuby. (#3455, #3456) @​johnnyshields

v1.18.4 / 2025-03-14

Security

• [CRuby] Vendored libxslt is updated to v1.1.43 to address CVE-2025-24855 and CVE-2024-55549. See GHSA-mrxw-mxhj-p664 for more information.

v1.18.3 / 2025-02-18

Security

• [CRuby] Vendored libxml2 is updated v2.13.6 to address CVE-2025-24928 and CVE-2024-56171. See GHSA-vvfq-8hwr-qm4m for more information.

v1.18.2 / 2024-01-19

Fixed

• When performing a CSS selector query, an XML document's root namespace declarations should not be applied to wildcard selectors ("*"). Fixes a bug introduced in v1.17.0. (#3411) @​flavorjones

v1.18.1 / 2024-12-29

... (truncated)

Commits

• 9187f4a version bump to v1.18.8
• 1deea04 dep: libxml2 to v2.13.8 (branch v1.18.x) (#3509)
• 6457fe6 dep: libxml2 to v2.13.8
• 13e8aa4 version bump to v1.18.7
• 605699d dep: bump libxml2 to 2.13.7 (v1.18.x backport) (#3495)
• 804e590 dep: bump libxml2 to 2.13.7
• 52bf15b dep(dev): drop Rubocop from JRuby deps
• 189769d version bump to v1.18.6
• de4982f fix(jruby): Node#attribute in HTML documents (v1.18.x) (#3492)
• 7d95b0f fix(jruby): Node#attribute in HTML documents
• Additional commits viewable in compare view

Updates rack from 2.2.9 to 2.2.17

Changelog

Sourced from rack's changelog.

Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

Unreleased

SPEC Changes

• Request environment keys must now be strings. #2310, [@​jeremyevans])
• Add nil as a valid return from a Response body.to_path (#2318, [@​MSP-Greg])

Added

• Introduce Rack::VERSION constant. (#2199, [@​ioquatix])
• ISO-2022-JP encoded parts within MIME Multipart sections of an HTTP request body will now be converted to UTF-8. (#2245, @​nappa)

Changed

• Invalid cookie keys will now raise an error. (#2193, [@​ioquatix])
• Rack::MediaType#params now handles empty strings. (#2229, [@​jeremyevans])
• Avoid unnecessary calls to the ip_filter lambda to evaluate Request#ip (#2287, [@​willbryant])
• Only calculate Request#ip once per request (#2292, [@​willbryant])

Deprecated

• Rack::Auth::AbstractRequest#request is deprecated without replacement. (#2229, [@​jeremyevans])
• Rack::Request#parse_multipart (private method designed to be overridden in subclasses) is deprecated without replacement. (#2229, [@​jeremyevans])

Removed

• Rack::Request#values_at is removed. (#2200, [@​ioquatix])
• Rack::Logger is removed with no replacement. (#2196, [@​ioquatix])
• Automatic cache invalidation in Rack::Request#{GET,POST} has been removed. (#2230, [@​jeremyevans])
• Support for CGI::Cookie has been removed. (#2332, [@​ioquatix])

Fixed

• Rack::RewindableInput::Middleware no longer wraps a nil input. (#2259, @​tt)
• Fix NoMethodError in Rack::Request#wrap_ipv6 when x-forwarded-host is empty. (#2270, @​oieioi)
• Fix the specification for SERVER_PORT which was incorrectly documented as required to be an Integer if present - it must be a String containing digits only. (#2296, [@​ioquatix])
• SERVER_NAME and HTTP_HOST are now more strictly validated according to the relevant specifications. (#2298, [@​ioquatix])

[3.1.16] - 2025-06-04

Security

• CVE-2025-49007 Fix ReDoS in multipart request.

[3.1.15] - 2025-05-18

... (truncated)

Commits

• 9163ac3 Bump patch version.
• 8e52d2a Backport #2263 to v2.2, fix: malformed charset param (#2338)
• 2a32eca Bump patch version.
• 034a13c Change CGI::Cookie.new to Cookie.new (#2335)
• d2b6af2 Bump patch version.
• f34f2eb Feature detect CGI::Cookie. (#2333)
• 2f928b9 Replace usage of CGI::Cookie (#2329)
• 543d935 [2.2] Update test suite for Ruby 3.5
• d0dcf75 Bump patch version.
• fd44bd7 Remove 2nd argument to unescape.
• Additional commits viewable in compare view

Updates rails-html-sanitizer from 1.6.0 to 1.6.2

Release notes

Sourced from rails-html-sanitizer's releases.

v1.6.2 / 2024-12-12

• PermitScrubber fully supports frozen "allowed tags".

  v1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which introduced a regression for applications passing a frozen array of allowed tags. Tags and attributes are now properly copied when they are passed to the scrubber.

  Fixes #195.

  Mike Dalessio

1.6.1 / 2024-12-02

This is a performance and security release which addresses several possible XSS vulnerabilities.

• The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.

  This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).

  Mike Dalessio

• Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content), regardless of the prune: option value. Previously, disallowed tags were "stripped" unless the gem was configured with the prune: true option.

  The CVEs addressed by this change are:

  • CVE-2024-53986 (GHSA-638j-pmjw-jq48)
  • CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)

  Mike Dalessio

• The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags are removed from the allow-list.

  The CVEs addressed by this change are:

  • CVE-2024-53988 (GHSA-cfjx-w229-hgx5)
  • CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)

  Please note that we may restore support for allowing "noscript" in a future release. We do not expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal for these tags.

  Mike Dalessio

... (truncated)

Changelog

Sourced from rails-html-sanitizer's changelog.

v1.6.2 / 2024-12-12

• PermitScrubber fully supports frozen "allowed tags".

  v1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which introduced a regression for applications passing a frozen array of allowed tags. Tags and attributes are now properly copied when they are passed to the scrubber.

  Fixes #195.

  Mike Dalessio

1.6.1 / 2024-12-02

This is a performance and security release which addresses several possible XSS vulnerabilities.

• The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.

  This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).

  Mike Dalessio

• Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content), regardless of the prune: option value. Previously, disallowed tags were "stripped" unless the gem was configured with the prune: true option.

  The CVEs addressed by this change are:

  • CVE-2024-53986 (GHSA-638j-pmjw-jq48)
  • CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)

  Mike Dalessio

• The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags are removed from the allow-list.

  The CVEs addressed by this change are:

  • CVE-2024-53988 (GHSA-cfjx-w229-hgx5)
  • CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)

  Please note that we may restore support for allowing "noscript" in a future release. We do not expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal for these tags.

  Mike Dalessio

• Improve performance by eliminating needless operations on attributes that are being removed. #188

... (truncated)

Commits

• 9160d49 version bump to v1.6.2
• 5843d4d fix: PermitScrubber accepts frozen tags
• 5e96b19 version bump to v1.6.1
• 383cc7c doc: update CHANGELOG with assigned CVEs
• a7b0cfe Combine the noscript/mglyph prevention blocks
• 5658335 Merge branch 'h1-2509647-noscript' into flavorjones-2024-security-fixes
• 65fb72f Merge branch 'h1-2519936-mglyph-foster-parenting' into flavorjones-2024-secur...
• 3fe22a8 Merge branch 'h1-2519936-foreign-ns-confusion' into flavorjones-2024-security...
• d7a94c1 Merge branch 'h1-2503220-nokogiri-serialization' into flavorjones-2024-securi...
• 3fd6e65 doc: update CHANGELOG
• Additional commits viewable in compare view

Updates rexml from 3.3.6 to 3.3.9

Release notes

Sourced from rexml's releases.

REXML 3.3.9 - 2024-10-24

Improvements

• Improved performance.
  • GH-210
  • Patch by NAITOH Jun.

Fixes

• Fixed a parse bug for text only invalid XML.

  • GH-215
  • Patch by NAITOH Jun.

• Fixed a parse bug that &#0x...; is accepted as a character reference.

Thanks

• NAITOH Jun

REXML 3.3.8 - 2024-09-29

Improvements

• SAX2: Improve parse performance.
  • GH-207
  • Patch by NAITOH Jun.

Fixes

• Fixed a bug that unexpected attribute namespace conflict error for the predefined "xml" namespace is reported.
  • GH-208
  • Patch by KITAITI Makoto

Thanks

• NAITOH Jun

• KITAITI Makoto

REXML 3.3.7 - 2024-09-04

Improvements

• Added local entity expansion limit methods
  • GH-192
  • GH-202
  • Reported by takuya kodama.

... (truncated)

Changelog

Sourced from rexml's changelog.

3.3.9 - 2024-10-24 {#version-3-3-9}

Improvements

• Improved performance.
  • GH-210
  • Patch by NAITOH Jun.

Fixes

• Fixed a parse bug for text only invalid XML.

  • GH-215
  • Patch by NAITOH Jun.

• Fixed a parse bug that &#0x...; is accepted as a character reference.

Thanks

• NAITOH Jun

3.3.8 - 2024-09-29 {#version-3-3-8}

Improvements

• SAX2: Improve parse performance.
  • GH-207
  • Patch by NAITOH Jun.

Fixes

• Fixed a bug that unexpected attribute namespace conflict error for the predefined "xml" namespace is reported.
  • GH-208
  • Patch by KITAITI Makoto

Thanks

• NAITOH Jun

• KITAITI Makoto

3.3.7 - 2024-09-04 {#version-3-3-7}

Improvements

• Added local entity expansion limit methods
  • GH-192
  • GH-202
  • Reported by takuya kodama.

... (truncated)

Commits

• 38eaa86 Add 3.3.9 entry
• ce59f2e parser: fix a bug that &#0x...; is accepted as a character reference
• a09646d test: fix indent
• cf0fb9c Fix IOSource#readline for @pending_buffer (#215)
• 1d0c362 Optimize IOSource#read_until method (#210)
• 622011f Bump version
• 036d508 test: avoid using needless non ASCII characters
• 4197054 Add 3.3.8 entry
• 78f8712 Fix handling with "xml:" prefixed namespace (#208)
• 2e1cd64 Optimize SAX2Parser#get_namespace (#207)
• Additional commits viewable in compare view

Updates uri from 0.13.0 to 0.13.2

Release notes

Sourced from uri's releases.

v0.13.2

What's Changed

• Remove userinfo for v0.13.x by @​hsbt in ruby/uri#155

Full Changelog: ruby/uri@v0.13.1...v0.13.2

v0.13.1

What's Changed

• Define RFC2396_PARSER for Ruby 3.3 by @​hsbt in ruby/uri#119

Full Changelog: ruby/uri@v0.13.0...v0.13.1

Commits

• cef02d6 Bump up v0.13.2
• 07fe169 Merge pull request #155 from ruby/remove-userinfo-v0-13
• 75aeb4a Fix merger of URI with authority component
• cc7d2c7 Truncate userinfo with URI#join, URI#merge and URI#+
• 56490e4 Bump up 0.13.1
• 108c95c Merge pull request #119 from ruby/define-rfc2396-parser
• 133e151 Exclude Ruby 2.5 from macos-latest that is macos-14
• 09a5a9e Define RFC2396_PARSER for migrating with the development version
• See full diff in compare view

Updates webrick from 1.8.1 to 1.8.2

Release notes

Sourced from webrick's releases.

v1.8.2

What's Changed

• Drop commented-out line by @​olleolleolle in ruby/webrick#108
• Add Ruby 3.1 & 3.2 to CI matrix by @​tricknotes in ruby/webrick#109
• Fix/redos by @​ooooooo-q in ruby/webrick#114
• Raise HTTPStatus::BadRequest for requests with invalid/duplicate content-length headers by @​jeremyevans in ruby/webrick#120
• Bump actions/checkout from 3 to 4 by @​dependabot in ruby/webrick#121
• Improve CI by @​hsbt in ruby/webrick#123
• Fix WEBrick::TestFileHandler#test_short_filename test not working on mswin by @​KJTsanaktsidis in ruby/webrick#128
• Fix bug chunk extension detection by @​jeremyevans in ruby/webrick#125
• Fix CI. by @​ioquatix in ruby/webrick#131
• Merge multiple cookie headers, preserving semantic correctness. by @​ioquatix in ruby/webrick#130
• Test on macos-latest by @​byroot in ruby/webrick#132
• Require CRLF line endings in request line and headers by @​jeremyevans in ruby/webrick#138
• Prefer squigly heredocs. by @​ioquatix in ruby/webrick#143
• Only strip space and horizontal tab in headers by @​jeremyevans in ruby/webrick#141
• Treat missing CRLF separator after headers as an EOFError by @​jeremyevans in ruby/webrick#142
• Return 400 response for chunked requests with unexpected data after chunk by @​jeremyevans in ruby/webrick#136
• Fix reference to URI::REGEXP::PATTERN::HOST by @​casperisfine in ruby/webrick#144
• Prevent request smuggling by @​jeremyevans in ruby/webrick#146

New Contributors

• @​tricknotes made their first contribution in ruby/webrick#109
• @​ooooooo-q made their first contribution in ruby/webrick#114
• @​KJTsanaktsidis made their first contribution in ruby/webrick#128
• @​byroot made their first contribution in ruby/webrick#132
• @​casperisfine made their first contribution in ruby/webrick#144

Full Changelog: ruby/webrick@v1.8.1...v1.8.2

Commits

• 0fb9de6 Bump up v1.8.2
• b9a4c81 Removed trailing spaces
• f5faca9 Prevent request smuggling
• 0c600e1 Fix reference to URI::REGEXP::PATTERN::HOST
• 15a9391 Return 400 response for chunked requests with unexpected data after chunk
• 2b38d56 Treat missing CRLF separator after headers as an EOFError
• e4efb4a Remove unnecessary gsub calls in test_httprequest.rb
• 426e214 Only strip space and horizontal tab in headers
• e72cb69 Prefer squigly heredocs. (#143)
• ee60354 Require CRLF line endings in request line and headers
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[Lockyy]

@dependabot rebase

[Lockyy]

@dependabot recreate

[github-actions]

AKS review app deployed to https://find-a-lost-trn-review-pr-1187.test.teacherservices.cloud

[github-actions]

Review app for PR 1187 was deleted