Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency rails to v6.1.7.8 - autoclosed #108

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 27, 2023

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
rails (source, changelog) 6.1.4.1 -> 6.1.7.8 age adoption passing confidence

Release Notes

rails/rails (rails)

v6.1.7.8

Compare Source

v6.1.7.7: 6.1.7.7

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • Disables the session in ActiveStorage::Blobs::ProxyController
    and ActiveStorage::Representations::ProxyController
    in order to allow caching by default in some CDNs as CloudFlare

    Fixes #​44136

    Bruno Prieto

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.7.6

Compare Source

No changes between this and 6.1.7.5. This release was just to fix file permissions in the previous release.

v6.1.7.5: 6.1.7.5 Release

Compare Source

Active Support

  • Use a temporary file for storing unencrypted files while editing

    [CVE-2023-38037]

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.7.4

Compare Source

Active Support
  • No changes.
Active Model
  • No changes.
Active Record
  • No changes.
Action View
  • No changes.
Action Pack
  • Raise an exception if illegal characters are provide to redirect_to
    [CVE-2023-28362]

    Zack Deveau

Active Job
  • No changes.
Action Mailer
  • No changes.
Action Cable
  • No changes.
Active Storage
  • No changes.
Action Mailbox
  • No changes.
Action Text
  • No changes.
Railties
  • No changes.

v6.1.7.3

Compare Source

Active Support

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • Ignore certain data-* attributes in rails-ujs when element is contenteditable

    [CVE-2023-23913]

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.7.2

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Fix domain: :all for two letter TLD

    This fixes a compatibility issue introduced in our previous security
    release when using domain: :all with a two letter but single level top
    level domain domain (like .ca, rather than .co.uk).

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.7.1

Compare Source

Active Support
Active Model
  • No changes.
Active Record
  • Make sanitize_as_sql_comment more strict

    Though this method was likely never meant to take user input, it was
    attempting sanitization. That sanitization could be bypassed with
    carefully crafted input.

    This commit makes the sanitization more robust by replacing any
    occurrances of "/" or "/" with "/ " or " /". It also performs a
    first pass to remove one surrounding comment to avoid compatibility
    issues for users relying on the existing removal.

    This also clarifies in the documentation of annotate that it should not
    be provided user input.

    [CVE-2023-22794]

  • Added integer width check to PostgreSQL::Quoting

    Given a value outside the range for a 64bit signed integer type
    PostgreSQL will treat the column type as numeric. Comparing
    integer values against numeric values can result in a slow
    sequential scan.

    This behavior is configurable via
    ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.

    [CVE-2022-44566]

Action View
  • No changes.
Action Pack
Active Job
  • No changes.
Action Mailer
  • No changes.
Action Cable
  • No changes.
Active Storage
  • No changes.
Action Mailbox
  • No changes.
Action Text
  • No changes.
Railties
  • No changes.

v6.1.7

Compare Source

Active Support
  • No changes.
Active Model
  • No changes.
Active Record
  • Symbol is allowed by default for YAML columns

    Étienne Barrié

  • Fix ActiveRecord::Store to serialize as a regular Hash

    Previously it would serialize as an ActiveSupport::HashWithIndifferentAccess
    which is wasteful and cause problem with YAML safe_load.

    Jean Boussier

  • Fix PG.connect keyword arguments deprecation warning on ruby 2.7

    Fixes #​44307.

    Nikita Vasilevsky

Action View
  • No changes.
Action Pack
  • No changes.
Active Job
  • No changes.
Action Mailer
  • No changes.
Action Cable
  • No changes.
Active Storage
  • Respect Active Record's primary_key_type in Active Storage migrations. Backported from 7.0.

    fatkodima

Action Mailbox
  • No changes.
Action Text
  • No changes.
Railties
  • No changes.

v6.1.6.1: 6.1.6.1

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Change ActiveRecord::Coders::YAMLColumn default to safe_load

    This adds two new configuration options The configuration options are as
    follows:

    • config.active_storage.use_yaml_unsafe_load

    When set to true, this configuration option tells Rails to use the old
    "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
    the possible escalation vulnerability in place. Setting this option to true
    is not recommended, but can aid in upgrading.

    • config.active_record.yaml_column_permitted_classes

    The "safe YAML" loading method does not allow all classes to be deserialized
    by default. This option allows you to specify classes deemed "safe" in your
    application. For example, if your application uses Symbol and Time in
    serialized data, you can add Symbol and Time to the allowed list as follows:

    config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
    

    [CVE-2022-32224]

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.6: 6.1.6

Compare Source

Active Support
  • Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

    Add the method ERB::Util.xml_name_escape to escape dangerous characters
    in names of tags and names of attributes, following the specification of XML.

    Álvaro Martín Fraguas

Active Model
  • No changes.
Active Record
  • No changes.
Action View
  • Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

    Escape dangerous characters in names of tags and names of attributes in the
    tag helpers, following the XML specification. Rename the option
    :escape_attributes to :escape, to simplify by applying the option to the
    whole tag.

    Álvaro Martín Fraguas

Action Pack
  • Allow Content Security Policy DSL to generate for API responses.

    Tim Wade

Active Job
  • No changes.
Action Mailer
  • No changes.
Action Cable
  • No changes.
Active Storage
  • No changes.
Action Mailbox
  • No changes.
Action Text
  • No changes.
Railties
  • No changes.

v6.1.5.1: 6.1.5.1

Compare Source

Active Support

  • Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

    Add the method ERB::Util.xml_name_escape to escape dangerous characters
    in names of tags and names of attributes, following the specification of XML.

    Álvaro Martín Fraguas

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

    Escape dangerous characters in names of tags and names of attributes in the
    tag helpers, following the XML specification. Rename the option
    :escape_attributes to :escape, to simplify by applying the option to the
    whole tag.

    Álvaro Martín Fraguas

Action Pack

  • Allow Content Security Policy DSL to generate for API responses.

    Tim Wade

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Railties

  • No changes.

v6.1.5: 6.1.5

Compare Source

Active Support
  • Fix ActiveSupport::Duration.build to support negative values.

    The algorithm to collect the parts of the ActiveSupport::Duration
    ignored the sign of the value and accumulated incorrect part values. This
    impacted ActiveSupport::Duration#sum (which is dependent on parts) but
    not ActiveSupport::Duration#eql? (which is dependent on value).

    Caleb Buxton, Braden Staudacher

  • Time#change and methods that call it (eg. Time#advance) will now
    return a Time with the timezone argument provided, if the caller was
    initialized with a timezone argument.

    Fixes #​42467.

    Alex Ghiculescu

  • Clone to keep extended Logger methods for tagged logger.

    Orhan Toy

  • assert_changes works on including ActiveSupport::Assertions module.

    Pedro Medeiros

Active Model
  • Clear secure password cache if password is set to nil

    Before:

    user.password = 'something'
    user.password = nil

    user.password # => 'something'

    Now:

    user.password = 'something'
    user.password = nil

    user.password # => nil

    Markus Doits

  • Fix delegation in ActiveModel::Type::Registry#lookup and ActiveModel::Type.lookup

    Passing a last positional argument {} would be incorrectly considered as keyword argument.

    Benoit Daloze

  • Fix to_json after changes_applied for ActiveModel::Dirty object.

    Ryuta Kamizono

Active Record
  • Fix ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate for Ruby 2.6.

    Ruby 2.6 and 2.7 have slightly different implementations of the String#@​- method.
    In Ruby 2.6, the receiver of the String#@​- method is modified under certain circumstances.
    This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only
    fixed in Ruby 2.7.

    Before the changes in this commit, the
    ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate method, which internally
    calls the String#@​- method, could also modify an input string argument in Ruby 2.6 --
    changing a tainted, unfrozen string into a tainted, frozen string.

    Fixes #​43056

    Eric O'Hanlon

  • Fix migration compatibility to create SQLite references/belongs_to column as integer when
    migration version is 6.0.

    reference/belongs_to in migrations with version 6.0 were creating columns as
    bigint instead of integer for the SQLite Adapter.

    Marcelo Lauxen

  • Fix dbconsole for 3-tier config.

    Eileen M. Uchitelle

  • Better handle SQL queries with invalid encoding.

    Post.create(name: "broken \xC8 UTF-8")

    Would cause all adapters to fail in a non controlled way in the code
    responsible to detect write queries.

    The query is now properly passed to the database connection, which might or might
    not be able to handle it, but will either succeed or failed in a more correct way.

    Jean Boussier

  • Ignore persisted in-memory records when merging target lists.

    Kevin Sjöberg

  • Fix regression bug that caused ignoring additional conditions for preloading
    has_many through relations.

    Fixes #​43132

    Alexander Pauly

  • Fix ActiveRecord::InternalMetadata to not be broken by
    config.active_record.record_timestamps = false

    Since the model always create the timestamp columns, it has to set them, otherwise it breaks
    various DB management tasks.

    Fixes #​42983

    Jean Boussier

  • Fix duplicate active record objects on inverse_of.

    Justin Carvalho

  • Fix duplicate objects stored in has many association after save.

    Fixes #​42549.

    Alex Ghiculescu

  • Fix performance regression in CollectionAssocation#build.

    Alex Ghiculescu

  • Fix retrieving default value for text column for MariaDB.

    fatkodima

Action View
  • preload_link_tag properly inserts as attributes for files with image MIME
    types, such as JPG or SVG.

    Nate Berkopec

  • Add autocomplete="off" to all generated hidden fields.

    Fixes #​42610.

    Ryan Baumann

  • Fix current_page? when URL has trailing slash.

    This fixes the current_page? helper when the given URL has a trailing slash,
    and is an absolute URL or also has query params.

    Fixes #​33956.

    Jonathan Hefner

Action Pack
  • Fix content_security_policy returning invalid directives.

    Directives such as self, unsafe-eval and few others were not
    single quoted when the directive was the result of calling a lambda
    returning an array.

    content_security_policy do |policy|
      policy.frame_ancestors lambda { [:self, "https://example.com"] }
    end

    With this fix the policy generated from above will now be valid.

    Edouard Chin

  • Update HostAuthorization middleware to render debug info only
    when config.consider_all_requests_local is set to true.

    Also, blocked host info is always logged with level error.

    Fixes #​42813.

    Nikita Vyrko

  • Dup arrays that get "converted".

    Fixes #​43681.

    Aaron Patterson

  • Don't show deprecation warning for equal paths.

    Anton Rieder

  • Fix crash in ActionController::Instrumentation with invalid HTTP formats.

    Fixes #​43094.

    Alex Ghiculescu

  • Add fallback host for SystemTestCase driven by RackTest.

    Fixes #​42780.

    Petrik de Heus

  • Add more detail about what hosts are allowed.

    Alex Ghiculescu

Active Job
  • No changes.
Action Mailer
  • No changes.
Action Cable
  • The Action Cable client now ensures successful channel subscriptions:

    • The client maintains a set of pending subscriptions until either
      the server confirms the subscription or the channel is torn down.
    • Rectifies the race condition where an unsubscribe is rapidly followed
      by a subscribe (on the same channel identifier) and the requests are
      handled out of order by the ActionCable server, thereby ignoring the
      subscribe command.

    Daniel Spinosa

  • Truncate broadcast logging messages.

    J Smith

Active Storage
  • Attachments can be deleted after their association is no longer defined.

    Fixes #​42514

    Don Sisco

Action Mailbox
  • Add attachments to the list of permitted parameters for inbound emails conductor.

    When using the conductor to test inbound emails with attachments, this prevents an
    unpermitted parameter warning in default configurations, and prevents errors for
    applications that set:

    config.action_controller.action_on_unpermitted_parameters = :raise

    David Jones, Dana Henke

Action Text
  • Fix Action Text extra trix content wrapper.

    Alexandre Ruban

Railties
  • In zeitwerk mode, setup the once autoloader first, and the main autoloader after it.
    This order plays better with shared namespaces.

    Xavier Noria

  • Handle paths with spaces when editing credentials.

    Alex Ghiculescu

  • Support Psych 4 when loading secrets.

    Nat Morcos

v6.1.4.7: 6.1.4.7

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • Added image transformation validation via configurable allow-list.

    Variant now offers a configurable allow-list for
    transformation methods in addition to a configurable deny-list for arguments.

    [CVE-2022-21831]

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.4.6: 6.1.4.6

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Fix Reloader method signature to work with the new Executor signature

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.4.5: 6.1.4.5

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Under certain circumstances, the middleware isn't informed that the
    response body has been fully closed which result in request state not
    being fully reset before the next request

    [CVE-2022-23633]

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.4.4: 6.1.4.4

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Fix issue with host protection not allowing host with port in development.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.4.3: 6.1.4.3

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • Allow localhost with a port by default in development

    [Fixes: #​43864]

v6.1.4.2: 6.1.4.2

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot requested a review from Clivern as a code owner March 27, 2023 19:48
@renovate renovate bot changed the title Update dependency rails to v6.1.7.3 Update dependency rails to v6.1.7.4 Jun 27, 2023
@renovate renovate bot force-pushed the renovate/ruby-on-rails-packages branch from 5b3b8d0 to 0e79576 Compare August 22, 2023 21:09
@renovate renovate bot changed the title Update dependency rails to v6.1.7.4 Update dependency rails to v6.1.7.6 Aug 22, 2023
@renovate renovate bot force-pushed the renovate/ruby-on-rails-packages branch from 0e79576 to fcacec1 Compare February 21, 2024 19:32
@renovate renovate bot changed the title Update dependency rails to v6.1.7.6 Update dependency rails to v6.1.7.7 Feb 21, 2024
@renovate renovate bot changed the title Update dependency rails to v6.1.7.7 Update dependency rails to v6.1.7.7 - autoclosed Feb 28, 2024
@renovate renovate bot closed this Feb 28, 2024
@renovate renovate bot deleted the renovate/ruby-on-rails-packages branch February 28, 2024 04:10
@renovate renovate bot restored the renovate/ruby-on-rails-packages branch March 2, 2024 17:32
@renovate renovate bot changed the title Update dependency rails to v6.1.7.7 - autoclosed Update dependency rails to v6.1.7.7 Mar 2, 2024
@renovate renovate bot reopened this Mar 2, 2024
@renovate renovate bot force-pushed the renovate/ruby-on-rails-packages branch from fcacec1 to 9cb0a5a Compare June 4, 2024 19:34
@renovate renovate bot changed the title Update dependency rails to v6.1.7.7 Update dependency rails to v6.1.7.8 Jun 4, 2024
@renovate renovate bot changed the title Update dependency rails to v6.1.7.8 Update dependency rails to v6.1.7.8 - autoclosed Jul 4, 2024
@renovate renovate bot closed this Jul 4, 2024
@renovate renovate bot deleted the renovate/ruby-on-rails-packages branch July 4, 2024 15:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants