Bump ratpack.version from 1.7.5 to 1.7.6

[dependabot]

Bumps ratpack.version from 1.7.5 to 1.7.6.

Updates ratpack-core from 1.7.5 to 1.7.6

Release notes

Sourced from ratpack-core's releases.

v1.7.6

This release includes a fix for a security vulnerability. This upgrade is recommended for all Ratpack users.

Versions of Ratpack 0.9.10 through and including 1.7.5 are vulnerable to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (aka. XSS),
in the development error handler. An attacker can utilize this to perform XSS when an exception message contains untrusted data.

This vulnerability only exists in the handler that renders an internal server error as a readable HTML page which is activates when Ratpack is running in development mode. This mode is only activate by user request (i.e. setting development(true) in the ServerConfig, setting RATPACK_DEVELOPMENT=true in the environment), or when Ratpack detects it is running in an IDE (i.e. IntelliJ), being run by the Groovy shell, or attached to a debugger. By default, Ratpack sets development(false) when packaged as a Jar.

Users should verify that they are not running Ratpack with development mode activated in production environments.

We would like to thank Jonathan Leitschuh for reporting this vulnerability.

Please see the security advisory for this issue for more information.

Commits

• ab1e96d Version 1.7.6
• 3cd6c38 Fix the jruby/compass issues with the shutdown of torquebox.
• 00ca7f2 chore: fix formatting in spec
• c1d4357 Escape user input rendered to the response in the development error handler.
• 32617ce Use zip64 for the site JAR
• 06be2e8 Use zip64 for the site JAR
• 000b33c Use zip64 for the site JAR
• 04800b2 Begin version 1.7.6
• See full diff in compare view

Updates ratpack-guice from 1.7.5 to 1.7.6

Release notes

Sourced from ratpack-guice's releases.

v1.7.6

This release includes a fix for a security vulnerability. This upgrade is recommended for all Ratpack users.

Versions of Ratpack 0.9.10 through and including 1.7.5 are vulnerable to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (aka. XSS),
in the development error handler. An attacker can utilize this to perform XSS when an exception message contains untrusted data.

This vulnerability only exists in the handler that renders an internal server error as a readable HTML page which is activates when Ratpack is running in development mode. This mode is only activate by user request (i.e. setting development(true) in the ServerConfig, setting RATPACK_DEVELOPMENT=true in the environment), or when Ratpack detects it is running in an IDE (i.e. IntelliJ), being run by the Groovy shell, or attached to a debugger. By default, Ratpack sets development(false) when packaged as a Jar.

Users should verify that they are not running Ratpack with development mode activated in production environments.

We would like to thank Jonathan Leitschuh for reporting this vulnerability.

Please see the security advisory for this issue for more information.

Commits

• ab1e96d Version 1.7.6
• 3cd6c38 Fix the jruby/compass issues with the shutdown of torquebox.
• 00ca7f2 chore: fix formatting in spec
• c1d4357 Escape user input rendered to the response in the development error handler.
• 32617ce Use zip64 for the site JAR
• 06be2e8 Use zip64 for the site JAR
• 000b33c Use zip64 for the site JAR
• 04800b2 Begin version 1.7.6
• See full diff in compare view

Updates ratpack-test from 1.7.5 to 1.7.6

Release notes

Sourced from ratpack-test's releases.

v1.7.6

This release includes a fix for a security vulnerability. This upgrade is recommended for all Ratpack users.

Versions of Ratpack 0.9.10 through and including 1.7.5 are vulnerable to CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (aka. XSS),
in the development error handler. An attacker can utilize this to perform XSS when an exception message contains untrusted data.

This vulnerability only exists in the handler that renders an internal server error as a readable HTML page which is activates when Ratpack is running in development mode. This mode is only activate by user request (i.e. setting development(true) in the ServerConfig, setting RATPACK_DEVELOPMENT=true in the environment), or when Ratpack detects it is running in an IDE (i.e. IntelliJ), being run by the Groovy shell, or attached to a debugger. By default, Ratpack sets development(false) when packaged as a Jar.

Users should verify that they are not running Ratpack with development mode activated in production environments.

We would like to thank Jonathan Leitschuh for reporting this vulnerability.

Please see the security advisory for this issue for more information.

Commits

• ab1e96d Version 1.7.6
• 3cd6c38 Fix the jruby/compass issues with the shutdown of torquebox.
• 00ca7f2 chore: fix formatting in spec
• c1d4357 Escape user input rendered to the response in the development error handler.
• 32617ce Use zip64 for the site JAR
• 06be2e8 Use zip64 for the site JAR
• 000b33c Use zip64 for the site JAR
• 04800b2 Begin version 1.7.6
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.