Bump the bundler group across 1 directory with 11 updates

[dependabot]

Updates the requirements on dalli, activerecord, actionpack, actionview, activesupport, globalid, loofah, nokogiri, rack, rails-html-sanitizer and rexml to permit the latest version.
Updates dalli from 2.7.11 to 3.2.3

Changelog

Sourced from dalli's changelog.

3.2.3

• Sanitize CAS inputs to ensure additional commands are not passed to memcached (xhzeem / petergoldstein)
• Sanitize input to flush command to ensure additional commands are not passed to memcached (xhzeem / petergoldstein)
• Namespaces passed as procs are now evaluated every time, as opposed to just on initialization (nrw505)
• Fix missing require of uri in ServerConfigParser (adam12)
• Fix link to the CHANGELOG.md file in README.md (rud)

3.2.2

• Ensure apps are resilient against old session ids (kbrock)

3.2.1

• Fix null replacement bug on some SASL-authenticated services (veritas1)

3.2.0

• BREAKING CHANGE: Remove protocol_implementation client option (petergoldstein)
• Add protocol option with meta implementation (petergoldstein)

3.1.6

• Fix bug with cas/cas! with "Not found" value (petergoldstein)
• Add Ruby 3.1 to CI (petergoldstein)
• Replace reject(&:nil?) with compact (petergoldstein)

3.1.5

• Fix bug with get_cas key with "Not found" value (petergoldstein)
• Replace should return nil, not raise error, on miss (petergoldstein)

3.1.4

• Improve response parsing performance (byroot)
• Reorganize binary protocol parsing a bit (petergoldstein)
• Fix handling of non-ASCII keys in get_multi (petergoldstein)

3.1.3

• Restore falsey behavior on delete/delete_cas for nonexistent key (petergoldstein)

... (truncated)

Commits

• 23b2465 Prepare for version 3.2.3
• 72c4171 Fix Rubocop test lints - 2022-10 (#934)
• 48d594d Fixes #932 (#933)
• a8611e2 README: fix link to CHANGELOG.md (#929)
• 4f6ffac Rename History.md to CHANGELOG.md
• 7177ad8 Add changelog entries.
• 2143122 Require "uri" from stdlib (#925)
• b4b2574 Add changelog entry for namespace as proc fix
• f5ec74c Evaluate Proc namespaces every time (not just at initialization) (#923)
• 903295c Fix new Rubocop issues (#924)
• Additional commits viewable in compare view

Updates activerecord from 6.1.3.2 to 6.1.7.1

Release notes

Sourced from activerecord's releases.

v6.1.7.1

Active Support

• Avoid regex backtracking in Inflector.underscore

  [CVE-2023-22796]

Active Model

• No changes.

Active Record

• Make sanitize_as_sql_comment more strict

  Though this method was likely never meant to take user input, it was attempting sanitization. That sanitization could be bypassed with carefully crafted input.

  This commit makes the sanitization more robust by replacing any occurrances of "/" or "/" with "/ " or " /". It also performs a first pass to remove one surrounding comment to avoid compatibility issues for users relying on the existing removal.

  This also clarifies in the documentation of annotate that it should not be provided user input.

  [CVE-2023-22794]

• Added integer width check to PostgreSQL::Quoting

  Given a value outside the range for a 64bit signed integer type PostgreSQL will treat the column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan.

  This behavior is configurable via ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.

  [CVE-2022-44566]

Action View

• No changes.

... (truncated)

Commits

• c443466 Version 6.1.7.1
• 3db858c Make sanitize_as_sql_comment more strict
• 4f44aa9 Added integer width check to PostgreSQL::Quoting
• 9ab3375 Version 6.1.7
• e74d6ee Merge pull request #45872 from the-spectator/correct_hwia_encoding
• 3da5f09 Fix tests after cherry-pick of #45773
• aab3695 Don't handle this change for legacy_connection_handling
• b2e8fb8 Merge pull request #45773 from eileencodes/only-setup-shared-pools-if-we-have...
• 571b4d5 Merge pull request #45593 from skipkayhil/fix-6-1-compat
• efc58ab Remove active_record.yaml initializers
• Additional commits viewable in compare view

Updates actionpack from 6.1.3.2 to 6.1.7.1

Release notes

Sourced from actionpack's releases.

v6.1.7.1

Active Support

• Avoid regex backtracking in Inflector.underscore

  [CVE-2023-22796]

Active Model

• No changes.

Active Record

• Make sanitize_as_sql_comment more strict

  Though this method was likely never meant to take user input, it was attempting sanitization. That sanitization could be bypassed with carefully crafted input.

  This commit makes the sanitization more robust by replacing any occurrances of "/" or "/" with "/ " or " /". It also performs a first pass to remove one surrounding comment to avoid compatibility issues for users relying on the existing removal.

  This also clarifies in the documentation of annotate that it should not be provided user input.

  [CVE-2023-22794]

• Added integer width check to PostgreSQL::Quoting

  Given a value outside the range for a 64bit signed integer type PostgreSQL will treat the column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan.

  This behavior is configurable via ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.

  [CVE-2022-44566]

Action View

• No changes.

... (truncated)

Commits

• c443466 Version 6.1.7.1
• 8dc4595 Avoid regex backtracking on If-None-Match header
• 90e8a90 Use string#split instead of regex for domain parts
• 9ab3375 Version 6.1.7
• f05ac78 Merge branch '6-1-sec' into 6-1-stable
• dc1242f Preparing for 6.1.6.1 release
• 0bce40f updating version and changelog
• 41b0776 Fix did you mean tests for ruby-trunk (3.2)
• 47ff0bd Merge pull request #45141 from eugeneius/dont_call_headers
• d42b549 Preparing for 6.1.6 release
• Additional commits viewable in compare view

Updates actionview from 6.1.3.2 to 6.1.7.1

Release notes

Sourced from actionview's releases.

v6.1.7.1

Active Support

• Avoid regex backtracking in Inflector.underscore

  [CVE-2023-22796]

Active Model

• No changes.

Active Record

• Make sanitize_as_sql_comment more strict

  Though this method was likely never meant to take user input, it was attempting sanitization. That sanitization could be bypassed with carefully crafted input.

  This commit makes the sanitization more robust by replacing any occurrances of "/" or "/" with "/ " or " /". It also performs a first pass to remove one surrounding comment to avoid compatibility issues for users relying on the existing removal.

  This also clarifies in the documentation of annotate that it should not be provided user input.

  [CVE-2023-22794]

• Added integer width check to PostgreSQL::Quoting

  Given a value outside the range for a 64bit signed integer type PostgreSQL will treat the column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan.

  This behavior is configurable via ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.

  [CVE-2022-44566]

Action View

• No changes.

... (truncated)

Commits

• c443466 Version 6.1.7.1
• 9ab3375 Version 6.1.7
• f05ac78 Merge branch '6-1-sec' into 6-1-stable
• dc1242f Preparing for 6.1.6.1 release
• 0bce40f updating version and changelog
• 507b5aa Fix failing test on 6-1-stable for Ruby 2.5 and 2.6
• d42b549 Preparing for 6.1.6 release
• 147557d Preparing for 6.1.6 release
• 7c2da9e Merge pull request #45027 from rails/fix-tag-helper-regression
• e2efc66 Preparing for 6.1.5.1 release
• Additional commits viewable in compare view

Updates activesupport from 6.1.3.2 to 6.1.7.1

Release notes

Sourced from activesupport's releases.

v6.1.7.1

Active Support

• Avoid regex backtracking in Inflector.underscore

  [CVE-2023-22796]

Active Model

• No changes.

Active Record

• Make sanitize_as_sql_comment more strict

  Though this method was likely never meant to take user input, it was attempting sanitization. That sanitization could be bypassed with carefully crafted input.

  This commit makes the sanitization more robust by replacing any occurrances of "/" or "/" with "/ " or " /". It also performs a first pass to remove one surrounding comment to avoid compatibility issues for users relying on the existing removal.

  This also clarifies in the documentation of annotate that it should not be provided user input.

  [CVE-2023-22794]

• Added integer width check to PostgreSQL::Quoting

  Given a value outside the range for a 64bit signed integer type PostgreSQL will treat the column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan.

  This behavior is configurable via ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.

  [CVE-2022-44566]

Action View

• No changes.

... (truncated)

Commits

• c443466 Version 6.1.7.1
• a7cda7e Avoid regex backtracking in Inflector.underscore
• 9ab3375 Version 6.1.7
• ad24aa5 add test for keyword arguments in ActiveSupport::CurrentAttributes.method_mis...
• 11e0b89 fix ActiveSupport::CurrentAttributes.method_missing for Ruby 3
• f05ac78 Merge branch '6-1-sec' into 6-1-stable
• dc1242f Preparing for 6.1.6.1 release
• 0bce40f updating version and changelog
• d42b549 Preparing for 6.1.6 release
• 147557d Preparing for 6.1.6 release
• Additional commits viewable in compare view

Updates globalid from 0.4.2 to 1.0.1

Release notes

Sourced from globalid's releases.

v1.0.1

Possible ReDoS based DoS vulnerability in GlobalID

There is a ReDoS based DoS vulnerability in the GlobalID gem. This vulnerability has been assigned the CVE identifier CVE-2023-22799.

Versions Affected: >= 0.2.1 Not affected: NOTAFFECTED Fixed Versions: 1.0.1

Impact

There is a possible DoS vulnerability in the model name parsing section of the GlobalID gem. Carefully crafted input can cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Credits

Thank you ooooooo_k for reporting this!

1.0.0

Stable API release.

The code is the same as the 0.6.0 release.

0.6.0

• Add ActiveRecord::FixtureSet.signed_global_id helper to generate signed ids inside fixtures.

v0.5.2

• Add back Ruby 2.5 support so gem install rails works out of the box, thereby satisfying Rails' Ruby version requirement. See rails/rails#42931

v0.5.1

• New: Allow expiration to be turned off globally rails/globalid#128
• Fixed: Support for ruby-head rails/globalid#132
• Maintainance: Drop support for EOL'ed Rubies (< 2.6.0) and Rails 4.2

Commits

• 574b99f Bump version for release
• 4a75ecb Fix ReDoS vulnerability in name parsing
• 42f5ea6 Prepare for 1.0.0
• beab3e4 Prepare to 0.6.0
• 29e12cb Upgrade all development gems
• c894a43 Add devcontainer to allow contributors to have a working environment
• b3ec8b9 Move ActiveRecord::FixtureSet.signed_global_id to this gem
• e9d6ed9 Merge pull request #137 from rails/dependabot/bundler/nokogiri-1.12.5
• a565d31 Bump nokogiri from 1.11.7 to 1.12.5
• 9b1a4d2 Why u no love me?
• Additional commits viewable in compare view

Updates loofah from 2.9.1 to 2.19.1

Release notes

Sourced from loofah's releases.

2.19.1 / 2022-12-13

Security

• Address CVE-2022-23514, inefficient regular expression complexity. See GHSA-486f-hjj9-9vhh for more information.
• Address CVE-2022-23515, improper neutralization of data URIs. See GHSA-228g-948r-83gx for more information.
• Address CVE-2022-23516, uncontrolled recursion. See GHSA-3x8r-x6xp-q4vm for more information.

2.19.0 / 2022-09-14

Features

• Allow SVG 1.0 color keyword names in CSS attributes. These colors are part of the CSS Color Module Level 3 recommendation released 2022-01-18. [#243]

2.18.0 / 2022-05-11

Features

• Allow CSS property aspect-ratio. [#236] (Thanks, @​louim!)

2.17.0 / 2022-04-28

Features

• Allow ARIA attributes. [#232, #233] (Thanks, @​nick-desteffen!)

2.16.0 / 2022-04-01

Features

• Allow MathML elements menclose and ms, and MathML attributes dir, href, lquote, mathsize, notation, and rquote. [#231] (Thanks, @​nick-desteffen!)

2.15.0 / 2022-03-14

Features

• Expand set of allowed protocols to include sms:. [#228] (Thanks, @​brendon!)

2.14.0 / 2022-02-11

Features

• The #to_text method on Loofah::HTML::{Document,DocumentFragment} replaces <br> line break elements with a newline. [#225]

... (truncated)

Changelog

Sourced from loofah's changelog.

2.19.1 / 2022-12-13

Security

• Address CVE-2022-23514, inefficient regular expression complexity. See GHSA-486f-hjj9-9vhh for more information.
• Address CVE-2022-23515, improper neutralization of data URIs. See GHSA-228g-948r-83gx for more information.
• Address CVE-2022-23516, uncontrolled recursion. See GHSA-3x8r-x6xp-q4vm for more information.

2.19.0 / 2022-09-14

Features

• Allow SVG 1.0 color keyword names in CSS attributes. These colors are part of the CSS Color Module Level 3 recommendation released 2022-01-18. [#243]

2.18.0 / 2022-05-11

Features

• Allow CSS property aspect-ratio. [#236] (Thanks, @​louim!)

2.17.0 / 2022-04-28

Features

• Allow ARIA attributes. [#232, #233] (Thanks, @​nick-desteffen!)

2.16.0 / 2022-04-01

Features

• Allow MathML elements menclose and ms, and MathML attributes dir, href, lquote, mathsize, notation, and rquote. [#231] (Thanks, @​nick-desteffen!)

2.15.0 / 2022-03-14

Features

• Expand set of allowed protocols to include sms:. [#228] (Thanks, @​brendon!)

2.14.0 / 2022-02-11

Features

• The #to_text method on Loofah::HTML::{Document,DocumentFragment} replaces <br> line break elements with a newline. [#225]

... (truncated)

Commits

• 3f88063 version bump to v2.19.1
• 9a8dadb docs: preserve the context and decision record
• 86f7f63 fix: replace recursive approach to cdata with escaping solution
• 415677f fix: do not allow "image/svg+xml" in data URIs
• 84ca20c refactor: extract scrub_uri_attribute for downstream use
• 47a835a ci: pin psych to v4 until v5 builds properly on CI
• a6e0a1a fix: replace slow regex attribute check with crass parser
• ea853aa Merge pull request #247 from flavorjones/flavorjones-downstream-test-rhs
• e1f2a4b ci: test downstream rails-html-sanitizer
• 79d65a0 Merge pull request #245 from flavorjones/flavorjones-fix-ruby-2.5-ci
• Additional commits viewable in compare view

Updates nokogiri from 1.11.6 to 1.16.7

Release notes

Sourced from nokogiri's releases.

v1.16.7 / 2024-07-27

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.9, which the upstream release notes state is a security release to address CVE-2024-40896. Nokogiri's maintainers believe this vulnerability does not affect users of Nokogiri, but we advise upgrading at your earliest convenience anyway.

---

sha256 checksums:

78778d35f165b59513be31c0fe232c63a82cf97626ffba695b5f822e5da1d74b  nokogiri-1.16.7-aarch64-linux.gem
c84cdb9e3aa44c35bbb981b20175838c4b2066c26c5cb118f31f177168a42fc3  nokogiri-1.16.7-arm-linux.gem
276dcea1b988a5b22b5acc1ba901d24b8e908c40b71dccd5d54a2ae279480dad  nokogiri-1.16.7-arm64-darwin.gem
044c45ca46abc2b6135a85ab39a546ff2f0434d43142bc59b83e5b1068876a42  nokogiri-1.16.7-java.gem
01ed785392f9cbdfd45e0e5ef6ad6d2c80a6128672589448f18952168bd68e56  nokogiri-1.16.7-x64-mingw-ucrt.gem
d8fd5c675743b85354c9098117bfa9e703c7cacab8c33e5190104ea8218ad1ec  nokogiri-1.16.7-x64-mingw32.gem
dddbf1c1ef99ce9fab98302b14f8bacb703e6f16e89b99f05ecee8a1fca23664  nokogiri-1.16.7-x86-linux.gem
b6517d995b024739cbb81251a26866d40e1ccb151936b5bb0977e7487f4e617c  nokogiri-1.16.7-x86-mingw32.gem
630732b80fc572690eab50c73a1f18988f3ac401ed0b67ca9956ba2b1e2c3faa  nokogiri-1.16.7-x86_64-darwin.gem
9e1e428641d5942af877c60b418c71163560e9feb4a5c4015f3230a8b86a40f6  nokogiri-1.16.7-x86_64-linux.gem
f819cbfdfb0a7b19c9c52c6f2ca63df0e58a6125f4f139707b586b9511d7fe95  nokogiri-1.16.7.gem

v1.16.6 / 2024-06-13

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.8, which the release notes state is a bugfix release.

---

sha256 checksums:

7f4c37ee2dd9c97fdfb6278cf3d9dd2078651f241eed320e26902135dbf78183  nokogiri-1.16.6-aarch64-linux.gem
73d7a7ca569308f181a234269e6607c9acb26ecc93ccbb05998d24a9546c0a94  nokogiri-1.16.6-arm-linux.gem
43e8a783697c65413408a4923b5c2ed6bea6632cfdab4da220446b601733fa4b  nokogiri-1.16.6-arm64-darwin.gem
993ec13a1f0fb2261913e62e1f7a662c77108b1a59c903033eac432f74437275  nokogiri-1.16.6-java.gem
285687f16c330a9b61793d9d45913becf7a9aa82b0ce15c48fc1e0d6c6c9972f  nokogiri-1.16.6-x64-mingw-ucrt.gem
dbbefbfabe363daaa90e7c0b15854769e17ee5b8ae243014e0e55c01047eb5cd  nokogiri-1.16.6-x64-mingw32.gem
dedac3ee38b4deed1141747f04dd5ac512ef9165259cec66ec934edaa8a2a848  nokogiri-1.16.6-x86-linux.gem
5080e9512e3ba320aef074c16a23aef737301ac0e3b7a173a299dcaaa40b6a20  nokogiri-1.16.6-x86-mingw32.gem
92fa413d866baf9b609f17558ecfbcf950d5373213babcf4ce11d7eaed4b21cf  nokogiri-1.16.6-x86_64-darwin.gem
769bd2c14ad76dd5a7e14c867741cf2e3b8c25626a34f40aee7b0b998b8de820  nokogiri-1.16.6-x86_64-linux.gem
935fe4dd67d4377f4a05002acb1ffbadbcae265ea8e7869fc40e3a8121f3e1ef  nokogiri-1.16.6.gem

v1.16.5 / 2024-05-13

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.16.7 / 2024-07-27

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.9, which the upstream release notes state is a security release to address CVE-2024-40896. Nokogiri's maintainers believe this vulnerability does not affect users of Nokogiri, but we advise upgrading at your earliest convenience anyway.

v1.16.6 / 2024-06-13

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.8, which the release notes state is a bugfix release.

v1.16.5

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-34459. See GHSA-r95h-9x8f-r3f7 for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.7 from v2.12.6. (@​flavorjones)

v1.16.4 / 2024-04-10

Dependencies

• [CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

v1.16.3 / 2024-03-15

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.6 from v2.12.5. (@​flavorjones)

Changed

• [CRuby] XML::Reader sets the @encoding instance variable during reading if it is not passed into the initializer. Previously, it would remain nil. The behavior of Reader#encoding has not changed. This works around changes to how libxml2 reports the encoding used in v2.12.6.

v1.16.2 / 2024-02-04

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See GHSA-xc9x-jj77-9p9j for more information.

... (truncated)

Commits

• d8d6ba3 version bump to v1.16.7
• 76199bb dep: update libxml2 to v2.12.9 (branch v1.16.x) (#3297)
• ca92e48 dep: update packaged libxml2 to v2.12.9
• fb833ea version bump to v1.16.6
• bacc8dc dep: update libxml2 to 2.12.8 (backport to v1.16.x) (#3229)
• cf0579f doc: update CHANGELOG
• 447fd12 dep: update libxml2 to 2.12.8
• cd70bd3 version bump to v1.16.5
• afc36de dep: update vendored libxml2 to v2.12.7 (#3191)
• 41b4f08 ci: add arm64-darwin coverage using macos-14
• Additional commits viewable in compare view

Updates rack from 2.2.3 to 2.2.8.1

Release notes

Sourced from rack's releases.

v2.2.8.1

What's Changed

• Fixed ReDoS in Accept header parsing [CVE-2024-26146]
• Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
• Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: rack/rack@v2.2.8...v2.2.8.1

v2.2.8

What's Changed

• Limit file extension length of multipart tempfiles (2.2 backport) by @​dentarg in rack/rack#2075
• CHANGELOG: Add missing 2.2.7 by @​tisba in rack/rack#2081
• Update cookie.rb by @​dchandekstark in rack/rack#2092
• Prefer ubuntu-latest for testing. by @​ioquatix in rack/rack#2095
• Fix inefficient assert pattern in Rack::Lint [2-2-stable] by @​skipkayhil in rack/rack#2101
• Regenerate SPEC [2-2-stable] by @​skipkayhil in rack/rack#2102

New Contributors

• @​tisba made their first contribution in rack/rack#2081
• @​dchandekstark made their first contribution in rack/rack#2092

Full Changelog: rack/rack@v2.2.7...v2.2.8

v2.2.7

What's Changed

• Correct the year number in the changelog by @​kimulab in rack/rack#2015
• Support underscore in host names for Rack 2.2 (Fixes #2070) by @​jeremyevans in rack/rack#2071

New Contributors

• @​kimulab made their first contribution in rack/rack#2015

Full Changelog: rack/rack@v2.2.6.4...v2.2.7

v2.2.6.4

No release notes provided.

Changelog

Sourced from rack's changelog.

Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

Unreleased

Added

• Introduce Rack::VERSION constant. (#2199, [@​ioquatix])

Changed

• Invalid cookie keys will now raise an error. (#2193, [@​ioquatix])
• Rack::MediaType#params now handles empty strings. (#2229, [@​jeremyevans])

Deprecated

• Rack::Auth::AbstractRequest#request is deprecated without replacement. (#2229, [@​jeremyevans])
• Rack::Request#parse_multipart (private method designed to be overridden in subclasses) is deprecated without replacement. (#2229, [@​jeremyevans])

Removed

• Rack::Request#values_at is removed. (#2200, [@​ioquatix])
• Rack::Logger is removed with no replacement. (#2196, [@​ioquatix])
• Automatic cache invalidation in Rack::Request#{GET,POST} has been removed. (#2230, [@​jeremyevans])

[3.1.7] - 2024-07-11

Fixed

• Do not remove escaped opening/closing quotes for content-disposition filenames. (#2229, [@​jeremyevans])
• Fix encoding setting for non-binary IO-like objects in MockRequest#env_for. (#2227, [@​jeremyevans])
• Rack::Response should not generate invalid content-length header. (#2219, [@​ioquatix])
• Allow empty PATH_INFO. (#2214, [@​ioquatix])

[3.1.6] - 2024-07-03

Fixed

• Fix several edge cases in Rack::Request#parse_http_accept_header's implementation. (#2226, [@​ioquatix])

[3.1.5] - 2024-07-02

Security

• Fix potential ReDoS attack in Rack::Request#parse_http_accept_header. (GHSA-cj83-2ww7-mvq7, @​dwisiswant0)

[3.1.4] - 2024-06-22

Fixed

... (truncated)

Commits

• e830011 bump version
• d9c163a Avoid 2nd degree polynomial regexp in MediaType
• 6245768 Return an empty array when ranges are too large
• e4c1177 Fixing ReDoS in header parsing
• f169ff7 Bump patch version.
• 0a46487 Regenerate SPEC (#2102)
• cee73b3 Fix inefficient assert pattern in Rack::Lint (#2101)
• 1fdcf1f Prefer ubuntu-latest for testing. (#2095)
• 287fe43 Update cookie.rb (#2092)
• e7f4869 adds missing 2.2.7 to CHANGELOG.md (#2081)
• Additional commits viewable in compare view

Updates rails-html-sanitizer from 1.3.0 to 1.4.4

Release notes

Sourced from rails-html-sanitizer's releases.

1.4.4 / 2022-12-13

• Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer.

  Fixes CVE-2022-23517. See GHSA-5x79-w82f-gw8w for more information.

  Mike Dalessio

• Address improper sanitization of data URIs.

  Fixes CVE-2022-23518 and #135. See GHSA-mcvf-2q2m-x72m for more information.

  Mike Dalessio

• Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

  Fixes CVE-2022-23520. See GHSA-rrfc-7g8p-99q8 for more information.

  Mike Dalessio

• Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

  Fixes CVE-2022-23519. See GHSA-9h9g-93gc-623h for more information.

  Mike Dalessio

1.4.3 / 2022-06-09

• Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

  Prevent the combination of select and style as allowed tags in SafeListSanitizer.

  Fixes CVE-2022-32209

  Mike Dalessio

1.4.2 / 2021-08-23

• Slightly improve performance.

  Assuming elements are more common than comments, make one less method call per node.

1.4.1 / 2021-08-18

• Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.

  Some scrubbers will want to override the default behavior and allow comments, but v1.4.0 only passed through elements to the scrubber's keep_node? method.

... (truncated)

Changelog

Sourced from rails-html-sanitizer's changelog.

1.4.4 / 2022-12-13

• Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer.

  Fixes CVE-2022-23517. See GHSA-5x79-w82f-gw8w for more information.

  Mike Dalessio

• Address improper sanitization of data URIs.

  Fixes CVE-2022-23518 and #135. See GHSA-mcvf-2q2m-x72m for more information.

  Mike Dalessio

• Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

  Fixes CVE-2022-23520. See GHSA-rrfc-7g8p-99q8 for more information.

  Mike Dalessio

• Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

  Fixes CVE-2022-23519. See GHSA-9h9g-93gc-623h for more information.

  Mike Dalessio

1.4.3 / 2022-06-09

• Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

  Prevent the combination of select and style as allowed tags in SafeListSanitizer.

  Fixes CVE-2022-32209

  Mike Dalessio

1.4.2 / 2021-08-23

• Slightly improve performance.

... (truncated)

Commits

• fd63dea version bump to v1.4.4
• 48ae90a dep: bump dependency on loofah
• 0713caf fix: escape CDATA nodes using Loofah's escaping methods
• e6d52d3 revert 45a5c10
• d1223a2 fix: use Loofah's scrub_uri_attribute method
• f0e3347 fix: replace slow regex attribute check with Loofah method
• df03f2f ci: pin system lib test to 20.04
• 3e2a0f3 Merge pull request #145 from rails/flavorjones-get-14x-green
• 11752a6 tests: handle libxml 2.10.0 incorrectly-opened comment parsing
• f83f08c version bump to v1.4.3
• Additional commits viewable in compare view

Updates rexml from 3.2.5 to 3.3.6

Release notes

Sourced from rexml's releases.

REXML 3.3.6 - 2024-08-22

Improvements

• Removed duplicated entity expansions for performance.

  • GH-194
  • Patch by Viktor Ivarsson.

• Improved namespace conflicted attribute check performance. It was too slow for deep elements.

  • Reported by l33thaxor.

Fixes

• Fixed a bug that default entity expansions are counted for security check. Default entity expansions should not be counted because they don't have a security risk.

  • GH-198
  • GH-199
  • Patch Viktor Ivarsson

• Fixed a parser bug that parameter entity references in internal subsets are expanded. It's not allowed in the XML specification.

  • GH-191
  • Patch by NAITOH Jun.

• Fixed a stream parser bug that user-defined entity references in text aren't expanded.

  • GH-200
  • Patch by NAITOH Jun.

Thanks

• Viktor Ivarsson

• NAITOH Jun

• l33thaxor

REXML 3.3.5 - 2024-08-12

Fixes

• Fixed a bug that REXML::Security.entity_expansion_text_limit check has wrong text size calculation in SAX and pull parsers.
  • GH-193
  • GH-195
  • Reported by Viktor Ivarsson.
  • Patch by NAITOH Jun.

... (truncated)

Changelog

Sourced from rexml's changelog.

3.3.6 - 2024-08-22 {#version-3-3-6}

Improvements

• Removed duplicated entity expansions for performance.

  • GH-194
  • Patch by Viktor Ivarsson.

• Improved namespace conflicted attribute check performance. It was too slow for deep elements.

  • Reported by l33thaxor.

Fixes

• Fixed a bug that default entity expansions are counted for security check. Default entity expansions should not be counted because they don't have a security risk.

  • GH-198
  • GH-199
  • Patch Viktor Ivarsson

• Fixed a parser bug that parameter entity references in internal subsets are expanded. It's not allowed in the XML specification.

  • GH-191
  • Patch by NAITOH Jun.

• Fixed a stream parser bug that user-defined entity references in text aren't expanded.

  • GH-200
  • Patch by NAITOH Jun.

Thanks

• Viktor Ivarsson

• NAITOH Jun

• l33thaxor

3.3.5 - 2024-08-12 {#version-3-3-5}

Fixes

• Fixed a bug that REXML::Security.entity_expansion_text_limit check has wrong text size calculation in SAX and pull parsers.
  • GH-193
  • GH-195
  • Reported by Viktor Ivarsson.
  • Patch by NAITOH Jun.

... (truncated)

Commits

• 95871f3 Add 3.3.6 entry
• 7cb5eae parser tree: improve namespace conflicted attribute check performance
• 6109e01 Fix a bug that Stream parser doesn't expand the user-defined entity reference...
• cb15858 parser: keep the current namespaces instead of stack of Set
• 2b47b16 parser: move duplicated end tag check to BaseParser
• 35e1681 test tree-parser: move common method to base class
• 6e00a14 test: fix indent
• df3a0cc test: fix indent
• fdbffe7 Use loop instead of recursive call for Element#namespace
• 6422fa3 Use loop instead of recursive call for Element#root
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.