🚨 [security] Update activestorage: 5.2.1 → 5.2.1.1 (minor) #13
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![depfu[bot]](https://avatars.githubusercontent.com/in/715?s=60&v=4){kind=small}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🚨 Your version of activestorage has known security vulnerabilities 🚨
Advisory: CVE-2018-16477
Disclosed: November 27, 2018
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg
Bypass vulnerability in Active Storage
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
Sorry, we couldn't find anything useful about this release.
✳️ active_model_serializers (0.10.7 → 0.10.8) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 37 commits:
Bump version to v0.10.8Add change to changelogMerge branch 'fix_thread_safety_bug' into 0-10-stableLint per rubocopNote that we dup the entire reflection instanceFix thread unsafe behaviorAdd failing test for reflection thread safety bugMerge pull request #2279 from mkon/link-conditionsvalue is always a linktyposSupport conditions in link statementsMerge pull request #2281 from alvincrespo/alvincrespo-patch-1Merge pull request #2297 from vnbrs/patch-1Update ChangelogMerge branch 'Hirurg103-0-10-stable' into 0-10-stableRemove unnecessary line break from exception messageFix the bug that serializer could not be found if the association's serializer is namespaced but the model is notUpdate ChangelogMerge branch 'f-mer-0-10-stable-eager_load' into 0-10-stableRemove obsolete autoloadsEager load modules on bootMerge pull request #2290 from rails-api/minitest_ciFix Rails masterExclude deprecated rubiesMinitest 5.11 breaks; needs something like ::Minitest::Result.fromMinor doc updateMerge pull request #2260 from abhaynikam/2258-fix-class-name-documentationMerge pull request #2263 from vthomas2007/fix-readme-lint-linksFix Lint links in READMEUpdated the defination for the class_name in documentationwordsmittingUpdated `class_name` defination.Added examples to use `class_name` options for association.Merge pull request #2222 from rails-api/ci_fixJRuby AR adapter are now 5x.0 for Rails 5.x+Merge branch 'quake-collection_cache' into 0-10-stableresolve collection cache error✳️ rails (5.2.1 → 5.2.1.1) · Repo
Commits
See the full diff on Github. The new version differs by 2 commits:
Preparing for 5.2.1.1 releaseDo not deserialize GlobalID objects that were not generated by Active Job✳️ rspec-rails (3.8.0 → 3.8.1) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by 10 commits:
Update version to 3.8.1Changelog for #2036Correct change log to indicate post v.3.8.0 fixes.Prevent ActiveJob::DeserializationError when deserialising expired jobs (#2036)Merge pull request #2034 from jekuta/fix-1877Udpate nokogiri version (#2032)Merge pull request #2027 from benoittgt/bump_bundler_to_last_version_againMerge pull request #2026 from cupakromer/fix-nomethoderror-pathname-fixture-pathAdd project metadata to the gemspec (#2035)Updates maintenance-branch file.Commits
See the full diff on Github. The new version differs by 2 commits:
Preparing for 5.2.1.1 releaseDo not deserialize GlobalID objects that were not generated by Active JobCommits
See the full diff on Github. The new version differs by 2 commits:
Preparing for 5.2.1.1 releaseDo not deserialize GlobalID objects that were not generated by Active JobCommits
See the full diff on Github. The new version differs by 2 commits:
Preparing for 5.2.1.1 releaseDo not deserialize GlobalID objects that were not generated by Active JobCommits
See the full diff on Github. The new version differs by 2 commits:
Preparing for 5.2.1.1 releaseDo not deserialize GlobalID objects that were not generated by Active JobCommits
See the full diff on Github. The new version differs by 2 commits:
Preparing for 5.2.1.1 releaseDo not deserialize GlobalID objects that were not generated by Active JobCommits
See the full diff on Github. The new version differs by 2 commits:
Preparing for 5.2.1.1 releaseDo not deserialize GlobalID objects that were not generated by Active JobCommits
See the full diff on Github. The new version differs by 2 commits:
Preparing for 5.2.1.1 releaseDo not deserialize GlobalID objects that were not generated by Active JobCommits
See the full diff on Github. The new version differs by 2 commits:
Preparing for 5.2.1.1 releaseDo not deserialize GlobalID objects that were not generated by Active JobRelease Notes
1.1.0
concurrent-ruby:
are moved from
concurrent-ruby-edgetoconcurrent-rubyconcurrent-rubyPromise#thenv3.7.0
concurrent-ruby-edge:
lib-edgeCommits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
1.1.1
Commits
See the full diff on Github. The new version differs by 11 commits:
Bump to 1.1.1Update README with usage information in RubyMerge pull request #436 from dduugg/rm-kernel-extrm Kernel core_extMerge pull request #434 from orien/rubygems-project-metadataAdd project metadata to the gemspecMerge pull request #433 from BanzaiMan/patch-1Update Ruby 2.4.x and 2.5.x run timesMerge pull request #353 from PikachuEXE/feature/change-translations-behaviourAdd 'Maintained by' notice to README* Expose translations with option to perform initalizationRelease Notes
2.2.3
Notably, this release addresses CVE-2018-16468.
Commits
See the full diff on Github. The new version differs by 5 commits:
version bump to v2.2.3 and update CHANGELOGremove the svg animate attribute `from` from the allowlistadd formatting to CHANGELOGupdated mailing list to a new Google Groupextract msword html data into an asset fileCommits
See the full diff on Github. The new version differs by 20 commits:
2.7.1 releaseadditionally register UnixToUnix encoding as 'x-uue'IMAP: fix `delete_all` against a readonly connectionFormat generated ruby files by ragel using rufo gemSet full path of the ragel source file to rake taskPerform `gem install bundler` to address `LoadError: cannot load suchFix 7bit/base64 content transfer encoding mismatch2.7.1.rc1 release candidateRestore LF line ending parsingFix quote_token with frozen AS::Multibyte charsCI: test against Rails 5.x for Rubies older than 2.4.1 since Rails 6 requires 2.4.1+Fix token quoting with UTF-8 attributesExpose `Mail::Field#unparsed_value` to read raw fieldsCI: track current jruby release (9.1.15.0)CI: test against Ruby 2.5.xFix parsing boundary containing "=" within invalid Content-TypeFix transfer encoding when message encoding is blankrestore LF->CRLF conversion for properly encoded non-binary messagesFix performance downgrade with Mail::Utilities.to_crlf/to_lfStable branch for 2.7.x releasesRelease Notes
0.3.3
Commits
See the full diff on Github. The new version differs by 10 commits:
v0.3.3Merge pull request #11 from huacnlee/fix-test-file-including-rubygemGemspec ignore test files for reduce gem size from 7.5MB to 7.5KBMerge pull request #8 from junaruga/feature/text-typo-file-namesSuppress warnings when running "gem build marcel.gemspec"Merge pull request #7 from junaruga/hotfix/test-require-pathnameRequire pathname to run tests without Bundler.Fix "warning: `&' interpreted as argument prefix"CI: fix 2.5.0 builds broken by incompatible Bundler/RubyGemsAdd ruby-head on Travis CI.Commits
See the full diff on Github. The new version differs by 12 commits:
Merge pull request #55 from banister/release-0-9-2Release v0.9.2Merge pull request #54 from banister/52-jruby-patch-removalRevert "method_source: fix broken Procs on JRuby 9.2.0.0"bump version number to 0.9.1Merge pull request #51 from kyrylo/jruby-9200-fixmethod_source: fix broken Procs on JRuby 9.2.0.0Merge pull request #50 from mensfeld/masterremove gemfile locklicense for the gemspectweaks to .travis.ymlRun rake gemspec task to bump gemspec data (incl version number)Commits
See the full diff on Github. The new version differs by 11 commits:
version bump to v1.8.5update changelogMerge branch 'fix-1773'Organize imports in XmlNode.java.Allow reparenting nodes to be a child of an empty document.Merge pull request #1786 from sparklemotion/1785-canonical-usnspull in upstream libxml2 patcheschangelogchangelogremove `-Wextra` CFLAGadd tests for pkg-config failure scenarioCommits
See the full diff on Github. The new version differs by 5 commits:
Bumping version for releaseWhitelist http/https schemesReduce buffer size to avoid pathological parsingMerge tag '2.0.5' into 2-0-stableMerge pull request #1296 from tomelm/fix-prefers-plaintextCommits
See the full diff on Github. The new version differs by 2 commits:
Preparing for 5.2.1.1 releaseDo not deserialize GlobalID objects that were not generated by Active JobCommits
See the full diff on Github. The new version differs by 7 commits:
Bump version to 3.8.2Merge pull request #1077 from rspec/update_ffiChangelog for #1076Merge pull request #1075 from rspec/update-travis-build-scripts-2018-09-19-for-masterChangelog for #1073Merge pull request #1073 from jkowens/3-8-maintenanceOnly call to_hash when actual object does not respond to include?Commits
See the full diff on Github. The new version differs by 73 commits:
Prepare to 0.20.3Merge pull request #637 from y-yagi/add_care_of_old_did_you_meanAdd care about old version of `did_you_mean`Prepare to 0.20.2 releaseMerge pull request #636 from y-yagi/fixes_buildRemove the globally installed gem by rvmRun command with bundle execMake sure did_you_mean feature works when the gem is availablePrepare to 0.20.1 releaseMerge pull request #630 from kddeisz/did-you-meanMerge pull request #628 from deivid-rodriguez/abort_on_failureMerge pull request #629 from deivid-rodriguez/fix_warningsFix up keyword argument usage in did_you_mean for ruby 1.8Fix up did_you_mean on older ruby versionsSupport did-you-mean functionality in thorFix "warning: setting Encoding.default_external"Add `abort_on_failure` option to #run actionRemove unused stuffFix "warning: assigned but unused variable - junk"Merge pull request #616 from Choms/masterRe-add versionMerge pull request #623 from marcandre/remove_dupRemove duplicate option creation in specDelete version.rbMerge pull request #620 from MaxLap/fix-invalid-path-displayFix relative_to_original_destination_root and better testsRemove the root path from the absolute path only onceMerge pull request #618 from MaxLap/fix_check_unknownMerge pull request #589 from pocke/correct-linenoFix check_unknown_options! when parsing gets stoppedFix indent calculationSmall change to use more of the terminal sizeFix print_wrapped to properly parse "\x5" newline characterMerge pull request #610 from deivid-rodriguez/skip_exit_status_specs_on_1.8.7Document possible attack vector on `get`Merge pull request #611 from bosoxbill/doc-for-cve-2016-10545Add open-uri referenceAdd language about how not to use ThorSkip exit status specs on 1.8.7Merge pull request #578 from jmax315/masterMerge pull request #608 from y-yagi/fix_typo_in_inject_into_module_testFix typo in `inject_into_module` testMerge pull request #605 from y-yagi/add_merge_action_to_file_collisionMerge pull request #606 from y-yagi/remove_gemnasium_badgeRemove Gemnasium badgeMerge pull request #604 from y-yagi/test_against_latest_rubiesAdd `merge` action to file colision menuTest against latest RubiesMerge pull request #600 from jonathanhefner/fix-comment-regexMerge pull request #601 from pallan/patch-1Updates method documentation for askFix comment_lines regexpMerge pull request #599 from utilum/identifiy_future_ERB_versionsMake sure future versions of ERB are invoked appropriatelyMerge pull request #594 from koic/deprecate_safe_level_of_erb_new_in_ruby_2_6Merge pull request #598 from yahonda/diag595Address #595 by duplicating string objectsDeprecate safe_level of ERB.new in Ruby 2.6Use correct line numbers for `class_eval` and `module_eval` methodsMerge pull request #586 from hsbt/fix-misspellFixed misspelling words.Merge pull request #584 from lostapathy/bump_travis_versionsMerge pull request #583 from lostapathy/fix_travisupdate ruby version in travis configlock hashdiff to <0.3.6 to fix travisFix incorrect use of Process::exit. This fixes open issue #244.Merge pull request #576 from sshaw/masterrequire open-uri when loading http templateMerge pull request #572 from sschuberth/masterIntroduce a constant for the default terminal widthMerge pull request #568 from segiddins/seg-hash-fetch-testsAdd more tests for HashWithIndifferentAccess#fetchRelease should use invoke not executeDepfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands