Merge pull request opf#17535 from opf/fix/bump_gems

Fix/bump gems

Gemfile

@@ -95,7 +95,7 @@ gem "escape_utils", "~> 1.3"
 # Syntax highlighting used in html-pipeline with rouge
 gem "rouge", "~> 4.5.1"
 # HTML sanitization used for html-pipeline
-gem "sanitize", "~> 6.1.0"
+gem "sanitize", "~> 7.0.0"
 # HTML autolinking for mails and urls (replaces autolink)
 gem "rinku", "~> 2.0.4", require: %w[rinku rails_rinku]
 # Version parsing with semver
@@ -137,7 +137,7 @@ gem "rack-protection", "~> 3.2.0"
 gem "rack-attack", "~> 6.7.0"
 
 # CSP headers
-gem "secure_headers", "~> 7.0.0"
+gem "secure_headers", "~> 7.1.0"
 
 # Browser detection for incompatibility checks
 gem "browser", "~> 6.2.0"
@@ -191,7 +191,7 @@ gem "puma", "~> 6.5"
 gem "puma-plugin-statsd", "~> 2.0"
 gem "rack-timeout", "~> 0.7.0", require: "rack/timeout/base"
 
-gem "nokogiri", "~> 1.17.0"
+gem "nokogiri", "~> 1.18.1"
 
 gem "carrierwave", "~> 1.3.4"
 gem "carrierwave_direct", "~> 2.1.0"
@@ -218,7 +218,7 @@ gem "dry-monads"
 gem "dry-validation"
 
 # ActiveRecord extension which adds typecasting to store accessors
-gem "store_attribute", "~> 1.0"
+gem "store_attribute", "~> 2.0"
 
 # Appsignal integration
 gem "appsignal", "~> 3.10.0", require: false
@@ -356,7 +356,7 @@ group :development, :test do
   gem "erblint-github", require: false
 
   # Brakeman scanner
-  gem "brakeman", "~> 6.2.0"
+  gem "brakeman", "~> 7.0.0"
 
   # i18n-tasks helps find and manage missing and unused translations.
   gem "i18n-tasks", "~> 1.0.13", require: false

Gemfile.lock

@@ -344,16 +344,16 @@ GEM
     awesome_nested_set (3.8.0)
       activerecord (>= 4.0.0, < 8.1)
     aws-eventstream (1.3.0)
-    aws-partitions (1.1023.0)
-    aws-sdk-core (3.214.0)
+    aws-partitions (1.1031.0)
+    aws-sdk-core (3.214.1)
       aws-eventstream (~> 1, >= 1.3.0)
       aws-partitions (~> 1, >= 1.992.0)
       aws-sigv4 (~> 1.9)
       jmespath (~> 1, >= 1.6.1)
     aws-sdk-kms (1.96.0)
       aws-sdk-core (~> 3, >= 3.210.0)
       aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.176.1)
+    aws-sdk-s3 (1.177.0)
       aws-sdk-core (~> 3, >= 3.210.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.5)
@@ -385,11 +385,11 @@ GEM
       erubi (~> 1.4)
       parser (>= 2.4)
       smart_properties
-    bigdecimal (3.1.8)
+    bigdecimal (3.1.9)
     bindata (2.5.0)
     bootsnap (1.18.4)
       msgpack (~> 1.2)
-    brakeman (6.2.2)
+    brakeman (7.0.0)
       racc
     browser (6.2.0)
     builder (3.3.0)
@@ -443,7 +443,7 @@ GEM
     crass (1.0.6)
     css_parser (1.21.0)
       addressable
-    csv (3.3.1)
+    csv (3.3.2)
     cuprite (0.15.1)
       capybara (~> 3.0)
       ferrum (~> 0.15.0)
@@ -480,15 +480,16 @@ GEM
       zeitwerk (~> 2.6)
     dry-container (0.11.0)
       concurrent-ruby (~> 1.0)
-    dry-core (1.0.2)
+    dry-core (1.1.0)
       concurrent-ruby (~> 1.0)
       logger
       zeitwerk (~> 2.6)
-    dry-inflector (1.1.0)
-    dry-initializer (3.1.1)
-    dry-logic (1.5.0)
+    dry-inflector (1.2.0)
+    dry-initializer (3.2.0)
+    dry-logic (1.6.0)
+      bigdecimal
       concurrent-ruby (~> 1.0)
-      dry-core (~> 1.0, < 2)
+      dry-core (~> 1.1)
       zeitwerk (~> 2.6)
     dry-monads (1.6.0)
       concurrent-ruby (~> 1.0)
@@ -515,7 +516,7 @@ GEM
       dry-initializer (~> 3.0)
       dry-schema (>= 1.12, < 2)
       zeitwerk (~> 2.6)
-    dumb_delegator (1.0.0)
+    dumb_delegator (1.1.0)
     em-http-request (1.1.7)
       addressable (>= 2.3.4)
       cookiejar (!= 0.3.1)
@@ -539,13 +540,13 @@ GEM
       rubocop (>= 1)
       smart_properties
     erblint-github (1.0.1)
-    erubi (1.13.0)
+    erubi (1.13.1)
     escape_utils (1.3.0)
     et-orbi (1.2.11)
       tzinfo
     eventmachine (1.2.7)
     eventmachine_httpserver (0.2.1)
-    excon (1.2.2)
+    excon (1.2.3)
     factory_bot (6.5.0)
       activesupport (>= 5.0.0)
     factory_bot_rails (6.4.4)
@@ -565,7 +566,7 @@ GEM
       concurrent-ruby (~> 1.1)
       webrick (~> 1.7)
       websocket-driver (~> 0.7)
-    ffi (1.17.0)
+    ffi (1.17.1)
     flamegraph (0.9.5)
     fog-aws (3.30.0)
       base64 (~> 0.2.0)
@@ -580,7 +581,7 @@ GEM
     fog-json (1.2.0)
       fog-core
       multi_json (~> 1.10)
-    fog-xml (0.1.4)
+    fog-xml (0.1.5)
       fog-core
       nokogiri (>= 1.5.11, < 2.0.0)
     formatador (1.1.0)
@@ -643,7 +644,7 @@ GEM
     hashdiff (1.1.2)
     hashery (2.1.2)
     hashie (3.6.0)
-    highline (3.1.1)
+    highline (3.1.2)
       reline
     html-pipeline (2.14.3)
       activesupport (>= 2)
@@ -709,7 +710,7 @@ GEM
     launchy (3.0.1)
       addressable (~> 2.8)
       childprocess (~> 5.0)
-    lefthook (1.10.0)
+    lefthook (1.10.1)
     letter_opener (1.10.0)
       launchy (>= 2.2, < 4)
     letter_opener_web (3.0.0)
@@ -730,7 +731,7 @@ GEM
       activesupport (>= 4)
       railties (>= 4)
       request_store (~> 1.0)
-    loofah (2.23.1)
+    loofah (2.24.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     lookbook (2.3.4)
@@ -774,7 +775,7 @@ GEM
     mutex_m (0.3.0)
     net-http (0.6.0)
       uri
-    net-imap (0.5.1)
+    net-imap (0.5.5)
       date
       net-protocol
     net-ldap (0.19.0)
@@ -785,10 +786,10 @@ GEM
     net-smtp (0.5.0)
       net-protocol
     nio4r (2.7.4)
-    nokogiri (1.17.2)
+    nokogiri (1.18.1)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    oj (3.16.8)
+    oj (3.16.9)
       bigdecimal (>= 3.0)
       ostruct (>= 0.2)
     okcomputer (1.18.5)
@@ -821,18 +822,19 @@ GEM
       view_component (>= 3.1, < 4.0)
     openproject-token (4.0.0)
       activemodel
-    openssl (3.2.0)
+    openssl (3.3.0)
     openssl-signature_algorithm (1.3.0)
       openssl (> 2.0)
     optimist (3.2.0)
     os (1.1.4)
     ostruct (0.6.1)
-    ox (2.14.18)
+    ox (2.14.19)
+      bigdecimal (>= 3.0)
     paper_trail (15.2.0)
       activerecord (>= 6.1)
       request_store (~> 1.4)
     parallel (1.26.3)
-    parallel_tests (4.7.2)
+    parallel_tests (4.8.0)
       parallel
     parser (3.3.6.0)
       ast (~> 2.4.1)
@@ -957,7 +959,7 @@ GEM
     rb-fsevent (0.11.2)
     rb-inotify (0.11.1)
       ffi (~> 1.0)
-    rb_sys (0.9.103)
+    rb_sys (0.9.105)
     rbtrace (0.5.1)
       ffi (>= 1.0.6)
       msgpack (>= 0.4.3)
@@ -971,7 +973,7 @@ GEM
       redis-client (>= 0.22.0)
     redis-client (0.23.0)
       connection_pool
-    regexp_parser (2.9.3)
+    regexp_parser (2.10.0)
     reline (0.6.0)
       io-console (~> 0.5)
     representable (3.2.0)
@@ -1033,10 +1035,10 @@ GEM
       rubocop (~> 1.61)
     rubocop-openproject (0.2.0)
       rubocop
-    rubocop-performance (1.23.0)
+    rubocop-performance (1.23.1)
       rubocop (>= 1.48.1, < 2.0)
       rubocop-ast (>= 1.31.1, < 2.0)
-    rubocop-rails (2.27.0)
+    rubocop-rails (2.28.0)
       activesupport (>= 4.2.0)
       rack (>= 1.1)
       rubocop (>= 1.52.0, < 2.0)
@@ -1063,10 +1065,10 @@ GEM
     rubyzip (2.3.2)
     safety_net_attestation (0.4.0)
       jwt (~> 2.0)
-    sanitize (6.1.3)
+    sanitize (7.0.0)
       crass (~> 1.0.2)
-      nokogiri (>= 1.12.0)
-    secure_headers (7.0.0)
+      nokogiri (>= 1.16.8)
+    secure_headers (7.1.0)
     securerandom (0.4.1)
     selenium-devtools (0.131.0)
       selenium-webdriver (~> 4.2)
@@ -1105,7 +1107,7 @@ GEM
       sprockets (>= 3.0.0)
     ssrf_filter (1.0.8)
     stackprof (0.2.26)
-    store_attribute (1.3.1)
+    store_attribute (2.0.0)
       activerecord (>= 6.1)
     stringex (2.8.6)
     stringio (3.1.2)
@@ -1121,7 +1123,7 @@ GEM
     table_print (1.5.7)
     terminal-table (3.0.2)
       unicode-display_width (>= 1.1.1, < 3)
-    test-prof (1.4.3)
+    test-prof (1.4.4)
     text-hyphen (1.5.0)
     thor (1.3.2)
     thread_safe (0.3.6)
@@ -1156,7 +1158,7 @@ GEM
     vcr (6.3.1)
       base64
     vernier (1.5.0)
-    view_component (3.20.0)
+    view_component (3.21.0)
       activesupport (>= 5.2.0, < 8.1)
       concurrent-ruby (~> 1.0)
       method_source (~> 1.0)
@@ -1186,7 +1188,8 @@ GEM
       hashdiff (>= 0.4.0, < 2.0.0)
     webrick (1.9.1)
     websocket (1.2.11)
-    websocket-driver (0.7.6)
+    websocket-driver (0.7.7)
+      base64
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     will_paginate (4.0.1)
@@ -1219,7 +1222,7 @@ DEPENDENCIES
   axe-core-rspec
   bcrypt (~> 3.1.6)
   bootsnap (~> 1.18.0)
-  brakeman (~> 6.2.0)
+  brakeman (~> 7.0.0)
   browser (~> 6.2.0)
   budgets!
   capybara (~> 3.40.0)
@@ -1292,7 +1295,7 @@ DEPENDENCIES
   multi_json (~> 1.15.0)
   my_page!
   net-ldap (~> 0.19.0)
-  nokogiri (~> 1.17.0)
+  nokogiri (~> 1.18.1)
   oj (~> 3.16.0)
   okcomputer (~> 1.18.1)
   omniauth!
@@ -1376,8 +1379,8 @@ DEPENDENCIES
   ruby-prof
   ruby-progressbar (~> 1.13.0)
   rubytree (~> 2.1.0)
-  sanitize (~> 6.1.0)
-  secure_headers (~> 7.0.0)
+  sanitize (~> 7.0.0)
+  secure_headers (~> 7.1.0)
   selenium-devtools
   selenium-webdriver (~> 4.20)
   semantic (~> 1.6.1)
@@ -1389,7 +1392,7 @@ DEPENDENCIES
   sprockets (~> 3.7.2)
   sprockets-rails (~> 3.5.1)
   stackprof
-  store_attribute (~> 1.0)
+  store_attribute (~> 2.0)
   stringex (~> 2.8.5)
   structured_warnings (~> 0.4.0)
   svg-graph (~> 2.2.0)

config/initializers/store_attribute.rb

@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+# -- copyright
+# OpenProject is an open source project management software.
+# Copyright (C) 2025 the OpenProject GmbH
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License version 3.
+#
+# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
+# Copyright (C) 2006-2013 Jean-Philippe Lang
+# Copyright (C) 2010-2013 the ChiliProject Team
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+#
+# See COPYRIGHT and LICENSE files for more details.
+# ++
+
+# From v1.0 to v2.0 of store_attribute, the value for store_attribute_unset_values_fallback_to_default changed from
+# false to true. This initializer sets it back to false to keep the behavior consistent with the previous version.
+
+StoreAttribute.store_attribute_unset_values_fallback_to_default = false

lib/open_project/patches/secure_headers_turbo_aware_nonce.rb

@@ -37,6 +37,6 @@ def content_security_policy_script_nonce(request)
   end
 end
 
-OpenProject::Patches.patch_gem_version "secure_headers", "7.0.0" do
+OpenProject::Patches.patch_gem_version "secure_headers", "7.1.0" do
   SecureHeaders.singleton_class.prepend OpenProject::Patches::SecureHeadersTurboAwareNonce
 end