🚨 [security] Update sinatra: 2.2.0 → 2.2.4 (patch) #271
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![depfu[bot]](https://avatars.githubusercontent.com/in/715?s=60&v=4){kind=small}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ sinatra (2.2.0 → 2.2.4) · Repo · Changelog
Security Advisories 🚨
🚨 Sinatra vulnerable to Reflected File Download attack
Release Notes
2.2.3 (from changelog)
2.2.2 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
✳️ rack (2.2.3 → 2.2.4) · Repo · Changelog
Security Advisories 🚨
🚨 Denial of Service Vulnerability in Rack Multipart Parsing
🚨 Possible shell escape sequence injection vulnerability in Rack
Commits
See the full diff on Github. The new version differs by 18 commits:
fixup changelogbump versionBetter handling of case-insensitive headers for `Rack::Etag` middleware. (#1919)Add 'custom exception on params too deep error' change to CHANGELOG. (#1914)Expect additional optional version segment in version test. (#1913)Merge branch '2-2-sec' into 2-2-stableupdate changelogbump versionEscape untrusted text when loggingRestrict broken mime parsingEnsure Rack::QueryParser::ParamsTooDeepError is inherited from RangeError. (#1864)Add Ruby 2.3 compatibility for tests, add Ruby 2.3 to CI. (#1863)Merge pull request #1839 from RubyElders/2-2-stable-ciReplace CircleCI with GitHub Actions.Newer rubies spec compatibility.Merge pull request #1838 from RubyElders/custom-range-exception-2-2Use custom exception on params too deep error.Don't ary.inspect in the lint assertions (backport) (#1765)Commits
See the full diff on Github. The new version differs by 64 commits:
Bump version to 2.0.2Merge pull request #134 from magni-/pp/ruby-3.2-fixDon't call #=~ on objects that don't respond to itUpdate Node.parse parameter definition to work in Ruby 3.2Test on Ruby@head as wellBump version to 2.0.1Merge pull request #129 from dentarg/improve-ciTest with Ruby 2.2 to 2.5Allow JRuby to fail, as it isn't supported yetBump actions/checkoutSet a resonable timeout for CIRun CI on all branchesRemove superfluous commentsMerge pull request #132 from eregon/ci-no-fail-fastOnly use coverage on CRubyDo not cancel other CI jobs when one failsMerge pull request #131 from eregon/truffleruby-ciMerge pull request #130 from eregon/fix-ruby2_keywords-usageFix usage of PP in testsAdd TruffleRuby in CIFix usage of ruby2_keywords, only use it for blocks which delegateBump version to 2.0Merge pull request #127 from sinatra/fix-circular-dependencyFix circular dependency warningMerge pull request #126 from sinatra/ruby3-supportUpdate code climate badgeFix issue with Ruby 3 keyword argumentsMerge pull request #116 from epergo/ep/remove-sinatra-extensionMerge pull request #120 from olleolleolle/patch-2Merge pull request #121 from olleolleolle/patch-3Merge pull request #123 from mishina2228/show-ci-resultsBump version to v1.1.2Pin simplecov to ~> 0.17.0Add jruby 9.3 to CIMerge pull request #119 from olleolleolle/patch-1Merge pull request #124 from mishina2228/update-document-for-edge-versionUpdate doc for using the edge version [ci skip]Remove `--tty` option to show test resultsMerge pull request #122 from michal-granec/handle-frozen-string-literalUse String.new instead of quotes #110Drop "executables" directive from mustermannDrop "executables" directive from gemspecCI: Add Ruby 3.1 to build matrixRemove extension for Sinatraupdate build status badgeMerge pull request #117 from namusyaka/actionsdelete .travis.ymlswitch ci from travis to GitHub ActionsMerge pull request #111 from olleolleolle/patch-1Merge pull request #113 from olleolleolle/patch-3Merge pull request #112 from olleolleolle/patch-2Merge pull request #115 from epergo/ep/remove-redcarpet-dependencyRemove redcarpet dependency as it not being usedCI: Drop EOL'd Ruby versionsCI: Allow 3.0&JRuby to fail, shorthand Ruby namesCI: Update patch versions of Ruby in the matrixAvoid "deprecated Object#=~ is called on Integer"CI: sudo: false is a noop, nowMerge pull request #109 from nateberkopec/patch-1Update/reword Ruby version supportMerge pull request #108 from olleolleolle/patch-1README: Drop defunct badge for gemnasiumYARD: avoid redundant @see bracesUpdate mustermann.rbRelease Notes
2.2.3 (from changelog)
2.2.2 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
2.0.11 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 23 commits:
v2.0.11Update CHANGELOGGitHub Workflow: Be consistent in variable formattingGitHub Workflow: Add title for the different variationsWork around heredoc line number bug in testsGemfile: Only load one of RDiscount and BlueClothGemfile: Remove support for 1.9WikiCloth: Use rinku for auto-linking in testsPandoc: Make footnote test less specificPandoc: Handle the new way of specifying smartypantsCommonMarker: Remove test for optionsAsciiDoctor: Remove test for deprecated docbook45Initial GitHub Actions supportUpdate .travis.ymlSass: Support sass-embedded gemAdd Tilt::EmacsOrg supportAllow all options available in CommonMarkerFix Ruby 3.0 compatibility.GitHub is HTTPS by defaultUpdate .travis.ymlFix markdown documentation 404Fix #extensions_for for RedcarpetTemplateHandle rendering BasicObject instancesDepfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands