chore(deps): Bump the bundler group across 1 directory with 3 updates #721

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/bundler/bundler-47ed79baf2

Conversation

@dependabot dependabot Bot (Contributor) commented on behalf of github May 4, 2026

Bumps the bundler group with 3 updates in the / directory: addressable, erb and net-imap.

Updates addressable from 2.8.9 to 2.9.0

Changelog

Sourced from addressable's changelog.

Addressable 2.9.0

  • fixes ReDoS vulnerability in Addressable::Template#match (fixes incomplete remediation in 2.8.10)

Addressable 2.8.10

  • fixes ReDoS vulnerability in Addressable::Template#match
Commits
  • 0c3e858 Revving version and changelog
  • 91915c1 Fixing additional vulnerable paths
  • a091e39 Add many more adversarial test cases to ensure we don't have any ReDoS regres...
  • 463a819 Regenerate gemspec on newer rubygems
  • 0afcb0b Improve from O(n^2) to O(n)
  • c87f768 Fix a ReDoS vulnerability in URI template matching
  • See full diff in compare view

Updates erb from 6.0.2 to 6.0.4

Release notes

Sourced from erb's releases.

v6.0.4

Full Changelog: ruby/erb@v6.0.3...v6.0.4

v6.0.3

What's Changed

New Contributors

Full Changelog: ruby/erb@v6.0.1...v6.0.3

Changelog

Sourced from erb's changelog.

6.0.4

  • Prohibit def_method on marshal-loaded ERB instances

6.0.3

Commits
  • 4d2b45e Version 6.0.4
  • 9d017be Prohibit def_method on marshal-loaded ERB instances
  • 9c8fa8a Version 6.0.3
  • 0ebc6ae Bump rubygems/release-gem from 1.1.2 to 1.2.0
  • 25a729a Bump step-security/harden-runner from 2.15.0 to 2.16.1
  • 9820802 Bump actions/create-github-app-token from 2 to 3
  • 2611366 Bump lewagon/wait-on-check-action from 1.5.0 to 1.6.0
  • 890d87f Use github.token instead of missing MATZBOT_DEPENDABOT_MERGE_TOKEN secret
  • afc32b6 Fix dependabot auto-merge by using GH_TOKEN env var
  • 2fd0a6b fix: exclude some files from published gem (#108)
  • Additional commits viewable in compare view

Updates net-imap from 0.6.3 to 0.6.4

Release notes

Sourced from net-imap's releases.

v0.6.4

What's Changed

🔒 Security

This release contains fixes for multiple vulnerabilities concerning STARTTLS stripping, argument validation, and denial of service attacks.

[!WARNING] ruby/net-imap#664 fixes a STARTTLS stripping vulnerability (GHSA-vcgp-9326-pqcp). Without this fix, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.

[!IMPORTANT] Argument validation is significantly improved. Several injection vulnerabilities have been fixed: ruby/net-imap#657 fixes CRLF/command/argument injection via Symbol arguments (GHSA-75xq-5h9v-w6px). ruby/net-imap#658 fixes CRLF/command/argument injection via the attr argument to #store/#uid_store (GHSA-hm49-wcqc-g2xg). ruby/net-imap#659 fixes CRLF/command/argument injection via the storage_limit argument to #setquota (GHSA-hm49-wcqc-g2xg). ruby/net-imap#660 fixes CRLF/command injection via RawData (GHSA-hm49-wcqc-g2xg):

  • #search and #uid_search send criteria as raw data, when it is a String
  • #fetch and #uid_fetch send attr as raw data, when it is a String. When attr is an Array, its String members are sent as raw data.

[!CAUTION] RawData does not defend against other forms of argument injection! It is an intentionally low-level API.

[!NOTE] Two denial of service vulnerabilities have been addressed. These are generally only relevant when connecting to an untrusted hostile server (or without TLS).

ruby/net-imap#642 fixes quadratic time complexity when reading large responses containing many string literals (GHSA-q2mw-fvj9-vvcw). ruby/net-imap#654 adds a configurable max_iterations count for SCRAM-* authentication (GHSA-87pf-fpwv-p7m7).

The default ScramAuthenticator#max_iterations is 2**31 - 1 (max 32-bit signed int), which was already OpenSSL's maximum value. It provides no protection against hostile servers unless it is explicitly set to a lower value by the user.

Breaking Changes

  • ResponseReader memoizes Config#max_response_size in ruby/net-imap#642. Changes to #max_response_size now take effect once per response, not on every IO#read. NOTE: It is not expected that this will affect any current usage. See the PR for details.

Added

Fixed

... (truncated)

Commits
  • 3e49067 🔖 Bump version to 0.6.4
  • 0ede4c4 🔀 Merge pull request #664 from ruby/security/STARTTLS-stripping
  • 51ae360 ♻️ Add command response handler before command is sent
  • 24d5c77 🔒🥅 Handle tagged "OK" to incomplete command
  • 62eea6f 🔒🥅 Ensure STARTTLS tagged response was handled
  • 46636ca ❌🔒 Add failing test for STARTTLS stripping
  • e3b0105 ✅♻️ Inline current STARTLS stripping test
  • be32e71 📚 Improve documentation of RawData arguments
  • 47c7218 🐛 Validate RawData and wait to continue literals
  • 0ec4fd3 🥅 Validate #setquota storage limit argument
  • Additional commits viewable in compare view
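The three fixed versions named in this PR description are the ones worth checking for in any other Gemfile.lock you maintain. The following audit script is an added example, not code from Dependabot or from any of the bumped gems; it parses the `specs:` section of a lockfile and reports tracked gems still below the fixed version, using a constructed lockfile fragment as input.

```ruby
# Added example (not part of the Dependabot PR or of the bumped gems):
# scan a Gemfile.lock for gems still below the versions this PR moves to.
require "rubygems"  # provides Gem::Version for semantic comparison

# Fixed versions taken from the PR description above.
FIXED_VERSIONS = {
  "addressable" => "2.9.0",  # ReDoS in Addressable::Template#match
  "erb"         => "6.0.4",  # def_method on marshal-loaded ERB instances
  "net-imap"    => "0.6.4",  # STARTTLS stripping, CRLF injection, DoS
}.freeze

# Parse the "specs:" section of a Gemfile.lock: resolved gems are the
# 4-space-indented "name (version)" lines; 6-space lines are their deps.
def parse_lockfile(text)
  text.each_line.each_with_object({}) do |line, gems|
    next unless line =~ /\A    (\S+) \(([^)]+)\)\s*\z/
    gems[Regexp.last_match(1)] = Regexp.last_match(2)
  end
end

# Return [[name, found, fixed], ...] for every tracked gem that is still
# below its fixed version; untracked gems are ignored.
def outdated_gems(lockfile_text)
  parse_lockfile(lockfile_text).filter_map do |name, version|
    fixed = FIXED_VERSIONS[name] or next
    [name, version, fixed] if Gem::Version.new(version) < Gem::Version.new(fixed)
  end
end

# Constructed sample lockfile fragment: pre-bump addressable and net-imap,
# erb already at the fixed version, plus an untracked gem.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.8.9)
        public_suffix (>= 2.0.2, < 7.0)
      erb (6.0.4)
      net-imap (0.6.3)
        date
        net-protocol
      public_suffix (6.0.1)
LOCK

if __FILE__ == $PROGRAM_NAME
  outdated_gems(SAMPLE_LOCK).each do |name, found, fixed|
    puts "#{name}: #{found} < #{fixed} (update needed)"
  end
end
```

Run it against a real lockfile with `outdated_gems(File.read("Gemfile.lock"))`; an empty result means all three gems are at or above the fixed versions.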

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code labels May 4, 2026
github-actions[bot]
github-actions Bot previously approved these changes May 4, 2026
@github-actions github-actions Bot enabled auto-merge (squash) May 4, 2026 22:16
Bumps the bundler group with 3 updates in the / directory: [addressable](https://github.com/sporkmonger/addressable), [erb](https://github.com/ruby/erb) and [net-imap](https://github.com/ruby/net-imap).


Updates `addressable` from 2.8.9 to 2.9.0
- [Changelog](https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md)
- [Commits](sporkmonger/addressable@addressable-2.8.9...addressable-2.9.0)

Updates `erb` from 6.0.2 to 6.0.4
- [Release notes](https://github.com/ruby/erb/releases)
- [Changelog](https://github.com/ruby/erb/blob/master/NEWS.md)
- [Commits](ruby/erb@v6.0.2...v6.0.4)

Updates `net-imap` from 0.6.3 to 0.6.4
- [Release notes](https://github.com/ruby/net-imap/releases)
- [Commits](ruby/net-imap@v0.6.3...v0.6.4)

---
updated-dependencies:
- dependency-name: addressable
  dependency-version: 2.9.0
  dependency-type: indirect
- dependency-name: erb
  dependency-version: 6.0.4
  dependency-type: indirect
- dependency-name: net-imap
  dependency-version: 0.6.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/bundler/bundler-47ed79baf2 branch from 38b7ed3 to e5d2af3 May 7, 2026 14:36

@sonarqubecloud sonarqubecloud Bot commented May 7, 2026

@aaronlippold aaronlippold temporarily deployed to vulcan-dependabot-bundl-psfoeh May 7, 2026 14:37