🚨 [security] Update all of rails: 5.2.4.4 → 5.2.6 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (5.2.4.4 → 5.2.6) · Repo

Release Notes

5.2.6

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Accept base64_urlsafe CSRF tokens to make forward compatible.

  Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
  them difficult to deal with. For example, the common practice of sending
  the CSRF token to a browser in a client-readable cookie does not work properly
  out of the box: the value has to be url-encoded and decoded to survive transport.

  In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently
  safe to transport. Validation accepts both urlsafe tokens, and strict-encoded
  tokens for backwards compatibility.

  How the tokes are encoded is controllr by the action_controller.urlsafe_csrf_tokens
  config.

  In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.

  Atention: If you already upgraded your application to 5.2.5, set the config
  urlsafe_csrf_tokens to true, otherwise your form submission will start to fail
  during the deploy of this new version.

  Rails.application.config.action_controller.urlsafe_csrf_tokens = true

  If you are upgrading from 5.2.4.x, you don't need to change this configuration.

  Scott Blum, Étienne Barrié

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Railties

• No changes.

5.2.5

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed mime types data.

  George Claghorn

Railties

• No changes.

5.2.4.6

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Prevent regex DoS in HTTP token authentication
  CVE-2021-22904

• Prevent string polymorphic route arguments.

  url_for supports building polymorphic URLs via an array
  of arguments (usually symbols and records). If a developer passes a
  user input array, strings can result in unwanted route helper calls.

  CVE-2021-22885

  Gannon McGibbon

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Railties

• No changes.

5.2.4.5

Active Support

• No changes.

Active Model

• No changes.

Active Record

• Fix possible DoS vector in PostgreSQL money type

  Carefully crafted input can cause a DoS via the regular expressions used
  for validating the money format in the PostgreSQL adapter. This patch
  fixes the regexp.

  Thanks to @dee-see from Hackerone for this patch!

  [CVE-2021-22880]

  Aaron Patterson

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Railties

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actioncable (indirect, 5.2.4.4 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionmailer (indirect, 5.2.4.4 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionpack (indirect, 5.2.4.4 → 5.2.6) · Repo · Changelog

Security Advisories 🚨

🚨 Possible Information Disclosure / Unintended Method Execution in Action Pack

There is a possible information disclosure / unintended method execution
vulnerability in Action Pack which has been assigned the CVE identifier
CVE-2021-22885.

Versions Affected: >= 2.0.0.
Not affected: < 2.0.0.
Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

There is a possible information disclosure / unintended method execution
vulnerability in Action Pack when using the redirect_to or polymorphic_url
helper with untrusted user input.

Vulnerable code will look like this:

redirect_to(params[:some_param])

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Workarounds

To work around this problem, it is recommended to use an allow list for valid
parameters passed from the user. For example:

private def check(param)
  case param
  when "valid"
    param
  else
    "/"
  end
end
def index

redirect_to(check(params[:some_param]))

end

Or force the user input to be cast to a string like this:

def index
  redirect_to(params[:some_param].to_s)
end

🚨 Possible DoS Vulnerability in Action Controller Token Authentication

There is a possible DoS vulnerability in the Token Authentication logic in
Action Controller. This vulnerability has been assigned the CVE identifier
CVE-2021-22904.

Versions Affected: >= 4.0.0
Not affected: < 4.0.0
Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

Impacted code uses authenticate_or_request_with_http_token or
authenticate_with_http_token for request authentication. Impacted code will
look something like this:

class PostsController < ApplicationController
  before_action :authenticate
private
def authenticate

authenticate_or_request_with_http_token do |token, options|

# ...

end

end

end

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

The following monkey patch placed in an initializer can be used to work around
the issue:

module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end

🚨 Possible Information Disclosure / Unintended Method Execution in Action Pack

There is a possible information disclosure / unintended method execution
vulnerability in Action Pack which has been assigned the CVE identifier
CVE-2021-22885.

Versions Affected: >= 2.0.0.
Not affected: < 2.0.0.
Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

There is a possible information disclosure / unintended method execution
vulnerability in Action Pack when using the redirect_to or polymorphic_url
helper with untrusted user input.

Vulnerable code will look like this:

redirect_to(params[:some_param])

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Workarounds

To work around this problem, it is recommended to use an allow list for valid
parameters passed from the user. For example:

private def check(param)
  case param
  when "valid"
    param
  else
    "/"
  end
end
def index

redirect_to(check(params[:some_param]))

end

Or force the user input to be cast to a string like this:

def index
  redirect_to(params[:some_param].to_s)
end

🚨 Possible DoS Vulnerability in Action Controller Token Authentication

There is a possible DoS vulnerability in the Token Authentication logic in
Action Controller. This vulnerability has been assigned the CVE identifier
CVE-2021-22904.

Versions Affected: >= 4.0.0
Not affected: < 4.0.0
Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

Impacted code uses authenticate_or_request_with_http_token or
authenticate_with_http_token for request authentication. Impacted code will
look something like this:

class PostsController < ApplicationController
  before_action :authenticate
private
def authenticate

authenticate_or_request_with_http_token do |token, options|

# ...

end

end

end

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

The following monkey patch placed in an initializer can be used to work around
the issue:

module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end

Release Notes

5.2.6 (from changelog)

• Accept base64_urlsafe CSRF tokens to make forward compatible.

  Base64 strict-encoded CSRF tokens are not inherently websafe, which makes them difficult to deal with. For example, the common practice of sending the CSRF token to a browser in a client-readable cookie does not work properly out of the box: the value has to be url-encoded and decoded to survive transport.

  In this version, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens for backwards compatibility.

  How the tokes are encoded is controllr by the action_controller.urlsafe_csrf_tokens config.

  In Rails 5.2.5, the CSRF token format was accidentally changed to urlsafe-encoded.

  Atention: If you already upgraded your application to 5.2.5, set the config urlsafe_csrf_tokens to true, otherwise your form submission will start to fail during the deploy of this new version.

  Rails.application.config.action_controller.urlsafe_csrf_tokens = true

  If you are upgrading from 5.2.4.x, you don't need to change this configuration.

  Scott Blum, Étienne Barrié

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• Prevent regex DoS in HTTP token authentication CVE-2021-22904

• Prevent string polymorphic route arguments.

  url_for supports building polymorphic URLs via an array of arguments (usually symbols and records). If a developer passes a user input array, strings can result in unwanted route helper calls.

  CVE-2021-22885

  Gannon McGibbon

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionview (indirect, 5.2.4.4 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activejob (indirect, 5.2.4.4 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activemodel (indirect, 5.2.4.4 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activerecord (indirect, 5.2.4.4 → 5.2.6) · Repo · Changelog

Security Advisories 🚨

🚨 Possible DoS Vulnerability in Active Record PostgreSQL adapter

There is a possible DoS vulnerability in the PostgreSQL adapter in Active
Record. This vulnerability has been assigned the CVE identifier CVE-2021-22880.

Versions Affected: >= 4.2.0
Not affected: < 4.2.0
Fixed Versions: 6.1.2.1, 6.0.3.5, 5.2.4.5

Impact

Carefully crafted input can cause the input validation in the "money" type of
the PostgreSQL adapter in Active Record to spend too much time in a regular
expression, resulting in the potential for a DoS attack.

This only impacts Rails applications that are using PostgreSQL along with
money type columns that take user input.

Workarounds

In the case a patch can't be applied, the following monkey patch can be used
in an initializer:

module ActiveRecord
  module ConnectionAdapters
    module PostgreSQL
      module OID # :nodoc:
        class Money < Type::Decimal # :nodoc:
          def cast_value(value)
            return value unless ::String === value
        value = value.sub(/^\((.+)\)$/, '-\1') # (4)
        case value
        when /^-?\D*+[\d,]+\.\d{2}$/  # (1)
          value.gsub!(/[^-\d.]/, "")
        when /^-?\D*+[\d.]+,\d{2}$/  # (2)
          value.gsub!(/[^-\d,]/, "").sub!(/,/, ".")
        end

        super(value)
      end
    end
  end
end

end

end

Release Notes

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• Fix possible DoS vector in PostgreSQL money type

  Carefully crafted input can cause a DoS via the regular expressions used for validating the money format in the PostgreSQL adapter. This patch fixes the regexp.

  Thanks to @dee-see from Hackerone for this patch!

  [CVE-2021-22880]

  Aaron Patterson

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activestorage (indirect, 5.2.4.4 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed mime types data.

  George Claghorn

• The Poppler PDF previewer renders a preview image using the original document's crop box rather than its media box, hiding print margins. This matches the behavior of the MuPDF previewer.

  Vincent Robert

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activesupport (indirect, 5.2.4.4 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.1.7 → 1.1.8) · Repo · Changelog

Release Notes

1.1.8 (from changelog)

• (#885) Fix race condition in TVar for stale reads
• (#884) RubyThreadLocalVar: Do not iterate over hash which might conflict with new pair addition

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ erubi (indirect, 1.9.0 → 1.10.0) · Repo · Changelog

Release Notes

1.10.0 (from changelog)

* Improve template parsing, mostly by reducing allocations (jeremyevans)


Do not ship tests in the gem, reducing gem size about 20% (jeremyevans)


Support :literal_prefix and :literal_postfix options for how to output literal tags (e.g. <%% code %>) (jaredcwhite) (#26, #27)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 1.8.5 → 1.8.10) · Repo · Changelog

Release Notes

1.8.10

• Fix string locale will trigger on_fallback hook - #562

1.8.9

• Rely on Ruby 3's native Hash#except method -- #557

This release also contains several build related updates -- rather than listing them out here, you can see the compare view between 1.8.8 and 1.8.9.

1.8.8

• Fixed threadsafety issues in Simple backend: #554
• Re-attempt to fix threadsafety of fallbacks: #548

---

• Use OpenSSL::Digest instead of usual Digest libraries: #549
• Goodbye, post-install message #552
• Use Rails' main branch, instead of master #553

1.8.7

• Fixed a regression with fallback logic: see issues #547, #546 and #542.

1.8.6

• Fallbacks are now stored in Thread.current for multi-threading compatibility: #542
• no-op arguments are no longer allowed for I18n.t calls -- fixes an incompatibility with Ruby 3.0: #545

This gem's GitHub workflow files have been updated to ensure compatibility between new Rails versions (6.1) and the new Ruby release (3.0). See the "Actions" tab on GitHub for the full range of supported Rails and Ruby versions.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ loofah (indirect, 2.7.0 → 2.9.1) · Repo · Changelog

Release Notes

2.9.1

2.9.1 / 2021-04-07

Bug fixes

• Fix a regression in v2.9.0 which inappropriately removed CSS properties with quoted string values. [#202]

2.9.0

2.9.0 / 2021-01-14

• Handle CSS functions in a CSS shorthand property (like background). [#199, #200]

2.8.0

2.8.0 / 2020-11-25

• Allow CSS properties order, flex-direction, flex-grow, flex-wrap, flex-shrink, flex-flow, flex-basis, flex, justify-content, align-self, align-items, and align-content. [#197] (Thanks, @miguelperez!)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ marcel (indirect, 0.3.3 → 1.0.1) · Repo

Release Notes

1.0.1

• Fixes identifying OpenDocument files by magic. 1.0.0 imprecisely identified them as application/zip. (🚨 [security] Update loofah: 2.1.1 → 2.2.1 (minor) #38)
• Fixes identifying .docx, .pptx, and .xlsx files exported from Google Sheets by magic. (Update selenium-webdriver: 3.6.0 → 3.11.0 (minor) #36)
• Identifies vCard files as text/vcard rather than text/x-vcard. (27fac74bd69663495410339bfd40ea8581ba669b)
• Identifies .otf, .woff, and .woff2 files aș font/otf, font/woff, and font/woff2, respectively. (Update uglifier: 3.2.0 → 4.1.8 (major) #37)

1.0.0

The mimemagic dependency—which relies on GPL-licensed mime type data from freedesktop.org’s shared-mime-info project—is removed. Marcel now directly uses mime type data adapted from the Apache Tika project, distributed under the Apache License.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_mime (indirect, 1.0.2 → 1.1.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.5.0 → 2.5.1) · Repo · Changelog

Release Notes

2.5.1

2.5.1 / 2021-04-28

Dependencies

This release ends support for ruby < 2.3.0. If you're on 2.2.x or earlier, we strongly suggest that you find the time to upgrade, because official support for Ruby 2.2 ended on 2018-03-31.

Enhancements

• MiniPortile.execute now takes an optional :env hash, which is merged into the environment variables for the subprocess. Likely this is only useful for specialized use cases. [#99]
• Experimental support for cmake-based projects extended to Windows. (Thanks, @larskanis!)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.14.2 → 5.14.4) · Repo · Changelog

Release Notes

5.14.4 (from changelog)

• 1 bug fix:

  • Fixed deprecation warning using stub with methods using keyword arguments. (Nakilon)

5.14.3 (from changelog)

• 1 bug fix:

  • Bumped require_ruby_version to < 4 (trunk = 3.1).

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nio4r (indirect, 2.5.3 → 2.5.7) · Repo · Changelog

Release Notes

2.5.4 (from changelog)

• #251 Intermittent SEGV during GC. (@boazsegev)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.11.0 → 1.11.3) · Repo · Changelog

Release Notes

1.11.3

1.11.3 / 2021-04-07

Fixed

• [CRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this likely segfaulted. [#1900]
• [JRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this raised a TypeError exception.
• [CRuby] arm64/aarch64 systems (like Apple's M1) can now compile libxml2 and libxslt from source (though we continue to strongly advise users to install the native gems for the best possible experience)

1.11.2

1.11.2 / 2021-03-11

Fixed

• [CRuby] NodeSet may now safely contain Node objects from multiple documents. Previously the GC lifecycle of the parent Document objects could lead to nodes being GCed while still in scope. [#1952]
• [CRuby] Patch libxml2 to avoid "huge input lookup" errors on large CDATA elements. (See upstream GNOME/libxml2#200 and GNOME/libxml2!100.) [#2132].
• [CRuby+Windows] Enable Nokogumbo (and other downstream gems) to compile and link against nokogiri.so by including LDFLAGS in Nokogiri::VERSION_INFO. [#2167]
• [CRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was invoked twice on each object.
• [JRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was not called, which was a problem for subclassing such as done by Loofah.

Improved

• Reduce the number of object allocations needed when parsing an HTML::DocumentFragment. [#2087] (Thanks, @ashmaroli!)
• [JRuby] Update the algorithm used to calculate Node#line to be wrong less-often. The underlying parser, Xerces, does not track line numbers, and so we've always used a hacky solution for this method. [#1223, #2177]
• Introduce --enable-system-libraries and --disable-system-libraries flags to extconf.rb. These flags provide the same functionality as --use-system-libraries and the NOKOGIRI_USE_SYSTEM_LIBRARIES environment variable, but are more idiomatic. [#2193] (Thanks, @eregon!)
• [TruffleRuby] --disable-static is now the default on TruffleRuby when the packaged libraries are used. This is more flexible and compiles faster. (Note, though, that the default on TR is still to use system libraries.) [#2191, #2193] (Thanks, @eregon!)

Changed

• Nokogiri::XML::Path is now a Module (previously it has been a Class). It has been acting solely as a Module since v1.0.0. See 8461c74.

1.11.1

v1.11.1 / 2021-01-06

Fixed

• [CRuby] If libxml-ruby is loaded before nokogiri, the SAX and Push parsers no longer call libxml-ruby's handlers. Instead, they defensively override the libxml2 global handler before parsing. [#2168]

SHA-256 Checksums of published gems

a41091292992cb99be1b53927e1de4abe5912742ded956b0ba3383ce4f29711c  nokogiri-1.11.1-arm64-darwin.gem
d44fccb8475394eb71f29dfa7bb3ac32ee50795972c4557ffe54122ce486479d  nokogiri-1.11.1-java.gem
f760285e3db732ee0d6e06370f89407f656d5181a55329271760e82658b4c3fc  nokogiri-1.11.1-x64-mingw32.gem
dd48343bc4628936d371ba7256c4f74513b6fa642e553ad7401ce0d9b8d26e1f  nokogiri-1.11.1-x86-linux.gem
7f49138821d714fe2c5d040dda4af24199ae207960bf6aad4a61483f896bb046  nokogiri-1.11.1-x86-mingw32.gem
5c26111f7f26831508cc5234e273afd93f43fbbfd0dcae5394490038b88d28e7  nokogiri-1.11.1-x86_64-darwin.gem
c3617c0680af1dd9fda5c0fd7d72a0da68b422c0c0b4cebcd7c45ff5082ea6d2  nokogiri-1.11.1-x86_64-linux.gem
42c2a54dd3ef03ef2543177bee3b5308313214e99f0d1aa85f984324329e5caa  nokogiri-1.11.1.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ railties (indirect, 5.2.4.4 → 5.2.6) · Repo · Changelog

Release Notes

5.2.6 (from changelog)

• No changes.

5.2.5 (from changelog)

• No changes.

5.2.4.6 (from changelog)

• No changes.

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rake (indirect, 13.0.1 → 13.0.3) · Repo · Changelog

Release Notes

13.0.3 (from changelog)

• Fix breaking change of execution order on TestTask. Pull request #368 by ysakasin

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sprockets-rails (indirect, 3.2.1 → 3.2.2) · Repo · Changelog

Release Notes

3.2.2

• Fix extending ActionView::Base instances with Sprockets::Rails::Helper on Rails 6.1
• Fix deprecation warning on Ruby 2.7 [#454]
• action_view/base is no longer required when rake tasks are loaded [#455]
• Asset not precompiled error exception renamed to AssetNotPrecompiledError [#414]

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ thor (indirect, 1.0.1 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

• Don't use ANSI colors when terminal is dumb.
• Ensure default option/argument is not erroneously aliased.
• Fixes a bug in the calculation of the print_wrapped method.
• Obey :mute and options[:quiet] in Shell#say.
• Support Ruby 3.0.
• Add force option to the gsub_file action.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tzinfo (indirect, 1.2.7 → 1.2.9) · Repo · Changelog

Release Notes

1.2.9

• Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

TZInfo v1.2.9 on RubyGems.org

1.2.8

• Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
• Rubinius is no longer supported.

TZInfo v1.2.8 on RubyGems.org

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🗑️ mimemagic (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #205.