Bump the bundler group across 1 directory with 6 updates

[dependabot]

Bumps the bundler group with 6 updates in the / directory:

Package	From	To
redcarpet	3.2.3	3.5.1
rexml	3.2.6	3.2.7
rack	3.0.11	3.1.3
sidekiq	7.2.0	7.2.4
puma	6.4.0	6.4.2
sinatra	1.0	4.0.0

Updates redcarpet from 3.2.3 to 3.5.1

Release notes

Sourced from redcarpet's releases.

Redcarpet v3.5.1

Fix a security vulnerability using :quote in combination with the :escape_html option.

Reported by Johan Smits.

v3.5.0

This release mostly ships with bug fixes and tiny improvements.

Improvements

• Avoid mutating the options hash passed to a render object (See #663).

• Automatically enable the fenced_code_blocks option passing a HTML_TOC object to the Markdown object's constructor since some languages rely on the sharp to comment code (See #451).

• Remove the rel and rev attributes from the output generated for footnotes as they don't pass the HTML 5 validation (See #536).

• Allow passing Range objects to the nesting_level option to have a higher level of customization for table of contents (See #519):

  Redcarpet::Render::HTML_TOC.new(nesting_level: 2..5)

Bug fixes

• Fix a segfault rendering quotes using StripDown and the :quote option.

• Fix SmartyPants single quotes right after a link. For example:

  [John](http://john.doe)'s cat

  Will now properly converts ' to a right single quote (i.e. ’).

v3.4.0

Redcarpet v3.4.0

This new release ships with a bunch of bug fixes especially regarding anchor generation.

Improvements to anchor generation

The anchor generation now relies on a djb2 hashing algorithm whenever the generated anchor is empty as non alpha-numeric chars. This is specifically interesting for CJK contents as Redcarpet used to generate empty anchors dealing with titles in these locales.

Special thanks to Alexey Kopytko and namusyaka for their work on that !

Also now, the html-escaped entities are removed from anchors generated with the HTML render in order to be consistent with the HTML_TOC render and as it is more expected.

Other improvements

• Table headers don't require a minimum of three dashes anymore; a single one can be used for each row.
• The Markdown and rendering options are now exposed through a Hash inside the @options instance variable inside your custom render objects.

Bug fixes

... (truncated)

Changelog

Sourced from redcarpet's changelog.

Version 3.5.1 (Security)

• Fix a security vulnerability using :quote in combination with the :escape_html option.

  Reported by Johan Smits.

Version 3.5.0

• Avoid mutating the options hash passed to a render object.

  Refs #663.

  Max Schwenk

• Fix a segfault rendering quotes using StripDown and the :quote option.

  Fixes #639.

• Fix warning: instance variable @options not initialized when running under verbose mode (-w, $VERBOSE = true).

• Fix SmartyPants single quotes right after a link. For example:

  [John](http://john.doe)'s cat

  Will now properly converts ' to a right single quote (i.e. ’).

  Fixes #624.

• Remove the rel and rev attributes from the output generated for footnotes as they don't pass the HTML 5 validation.

  Fixes #536.

• Automatically enable the fenced_code_blocks option passing a HTML_TOC object to the Markdown object's constructor since some languages rely on the sharp to comment code.

  Fixes #451.

• Allow passing Range objects to the nesting_level option to have a higher level of customization for table of contents:

  Redcarpet::Render::HTML_TOC.new(nesting_level: 2..5)

... (truncated)

Commits

• a699c82 Fix a security issue using :quote with :escape_html
• 6270d6b Redcarpet v3.5.0
• 94f6e27 Tiny follow-up to #663
• 3100f65 Merge pull request #663 from maschwenk/dont-mutate-options
• fc52d9c Add regression test
• 03e7997 Don't mutated passed options
• 92a7b3a Fix a segfault with StripDown and the :quote option
• 7352162 Merge pull request #649 from rbalint/master
• e23383e Merge pull request #650 from kolen/fix-warning-options-not-initialized
• 6b86656 Fix "instance variable @​options not initialized" warning
• Additional commits viewable in compare view

Updates rexml from 3.2.6 to 3.2.7

Release notes

Sourced from rexml's releases.

REXML 3.2.7 - 2024-05-16

Improvements

• Improve parse performance by using StringScanner.

  • GH-106

  • GH-107

  • GH-108

  • GH-109

  • GH-112

  • GH-113

  • GH-114

  • GH-115

  • GH-116

  • GH-117

  • GH-118

  • GH-119

  • GH-121

  • Patch by NAITOH Jun.

• Improved parse performance when an attribute has many <s.

  • GH-126

Fixes

• XPath: Fixed a bug of normalize_space(array).

  • GH-110

  • GH-111

  • Patch by flatisland.

• XPath: Fixed a bug that wrong position is used with nested path.

  • GH-110

  • GH-122

  • Reported by jcavalieri.

  • Patch by NAITOH Jun.

• Fixed a bug that an exception message can't be generated for invalid encoding XML.

  • GH-29

  • GH-123

  • Reported by DuKewu.

  • Patch by NAITOH Jun.

... (truncated)

Changelog

Sourced from rexml's changelog.

3.2.7 - 2024-05-16 {#version-3-2-7}

Improvements

• Improve parse performance by using StringScanner.

  • GH-106

  • GH-107

  • GH-108

  • GH-109

  • GH-112

  • GH-113

  • GH-114

  • GH-115

  • GH-116

  • GH-117

  • GH-118

  • GH-119

  • GH-121

  • Patch by NAITOH Jun.

• Improved parse performance when an attribute has many <s.

  • GH-126

Fixes

• XPath: Fixed a bug of normalize_space(array).

  • GH-110

  • GH-111

  • Patch by flatisland.

• XPath: Fixed a bug that wrong position is used with nested path.

  • GH-110

  • GH-122

  • Reported by jcavalieri.

  • Patch by NAITOH Jun.

• Fixed a bug that an exception message can't be generated for invalid encoding XML.

  • GH-29

  • GH-123

  • Reported by DuKewu.

... (truncated)

Commits

• 085def0 Add 3.2.7 entry
• 4325835 Read quoted attributes in chunks (#126)
• e77365e Exclude older than 2.6 on macos-14
• bf2c8ed Move development dependencies to Gemfile (#124)
• d78118d Fix a problem that parse exception message can't be generated for invalid enc...
• 06be5cf xpath: Fix wrong position with nested path (#122)
• 030bfb4 Change attribute.has_key?(name) to attributes[name]. (#121)
• 0496940 Optimize the parse_attributes method to use Source#match to parse XML. (#119)
• d4e79f2 Make the test suite compatible with --enable-frozen-string-literal (#120)
• 77cb0dc Separate IOSource#ensure_buffer from IOSource#match. (#118)
• Additional commits viewable in compare view

Updates rack from 3.0.11 to 3.1.3

Changelog

Sourced from rack's changelog.

Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

Unreleased

Fixed

• Fix passing non-strings to Rack::Utils.escape_html. (#2202, [@​earlopain])
• Rack::MockResponse gracefully handles empty cookies (#2203 @​wynksaiddestroy)

Added

• Introduce Rack::VERSION constant. (#2199, [@​ioquatix])

Changed

• Invalid cookie keys will now raise an error. (#2193, [@​ioquatix])

Removed

• Rack::Request#values_at is removed. (#2200, [@​ioquatix])
• Rack::Logger is removed with no replacement. (#2196, [@​ioquatix])

[3.1.2] - 2024-06-11

• Rack::Response will take in to consideration chunked encoding responses (#2204, [@​tenderlove])

[3.1.1] - 2024-06-11

• Oops! I shouldn't have shipped that

[3.1.0] - 2024-06-11

Rack v3.1 is primarily a maintenance release that removes features deprecated in Rack v3.0. Alongside these removals, there are several improvements to the Rack SPEC, mainly focused on enhancing input and output handling. These changes aim to make Rack more efficient and align better with the requirements of server implementations and relevant HTTP specifications.

SPEC Changes

• rack.input is now optional. (#1997, #2018, [@​ioquatix])
• PATH_INFO is now validated according to the HTTP/1.1 specification. (#2117, #2181, [@​ioquatix])
  • OPTIONS * is now accepted. (#2114, @​doriantaylor)
• Introduce optional rack.protocol request and response header for handling connection upgrades. (#1954, [@​ioquatix])

Added

• Introduce Rack::Multipart::MissingInputError for improved handling of missing input in #parse_multipart. (#2018, [@​ioquatix])
• Introduce module Rack::BadRequest which is included in multipart and query parser errors. (#2019, [@​ioquatix])
• Add .mjs MIME type (#2057, @​axilleas)
• set_cookie_header utility now supports the partitioned cookie attribute. This is required by Chrome in some embedded contexts. (#2131, @​flavio-b)

... (truncated)

Commits

• See full diff in compare view

Updates sidekiq from 7.2.0 to 7.2.4

Changelog

Sourced from sidekiq's changelog.

7.2.4

• Fix XSS in metrics filtering introduced in 7.2.0, CVE-2024-32887 Thanks to @​UmerAdeemCheema for the security report.

7.2.3

• Support Dragonfly.io as an alternative Redis implementation
• Fix error unpacking some compressed error backtraces #6241
• Fix potential heartbeat data leak #6227
• Add ability to find a currently running work by jid [Removing attribute_accessor docs duplication rails/rails#6212, fatkodima]

7.2.2

• Add Process.warmup call in Ruby 3.3+
• Batch jobs now skip transactional push #6160

7.2.1

• Add Sidekiq::Work type which replaces the raw Hash as the third parameter in Sidekiq::WorkSet#each { |pid, tid, hash| ... } #6145
• DEPRECATED: direct access to the attributes within the hash block parameter above. The Sidekiq::Work instance contains accessor methods to get at the same data, e.g.

work["queue"] # Old
work.queue # New

• Fix Ruby 3.3 warnings around base64 gem [Date.today + 6.days => Sat, 03 Sep 3431  rails/rails#6151, earlopain]

Commits

• 30786e0 Fix for CVE-2024-32887
• 371884e changes
• 0787900 prep for release
• b554667 Fix Rack deprecation
• e57a47e Fix session secret error in tests with rails 71
• 33006ba Fix build, latest ent changes
• 79d254d Add **kwargs to dynamic redis client method definition (#6249)
• cee6f0e Fix typos (#6245)
• 56cab5f formatting
• 24e3f68 Use lax decoding, fixes #6241
• Additional commits viewable in compare view

Updates puma from 6.4.0 to 6.4.2

Release notes

Sourced from puma's releases.

6.4.1

• Bugfixes

  • DSL#warn_if_in_single_mode - fixup when workers set via CLI (#3256)
  • Fix idle-timeout not working in cluster mode (#3235, #3228, #3282, #3283)
  • Fix worker 0 timing out during phased restart (#3225, #2786)
  • context_builder.rb - require openssl if verify_mode != 'none' (#3179)
  • Make puma cluster process suitable as PID 1 (#3255)
  • Improve Puma::NullIO consistency with real IO (#3276)
  • extconf.rb - fixup to detect openssl info in Ruby build (#3271, #3266)
  • MiniSSL.java - set serialVersionUID, fix RaiseException deprecation (#3270)
  • dsl.rb - fix warn_if_in_single_mode when WEB_CONCURRENCY is set (#3265, #3264)

• Maintenance

  • LOTS of test refactoring to make tests more stable and easier to write - thanks to @​MSP-Greg!
  • Fix bug in tests re: TestPuma::HOST4 (#3254)
  • Dockerfile for minimal repros: use Ruby 3.2, expect bundler installed (#3245)
  • fix define_method calls, use Symbol parameter instead of String (#3293)

• Docs

  • README.md - add the puma-acme plugin (#3301)
  • Remove --keep-file-descriptors flag from systemd docs (#3248)
  • Note symlink mechanism in restart documentation for hot restart (#3298)

Changelog

Sourced from puma's changelog.

6.4.2 / 2024-01-08

• Security
  • Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. (GHSA-c2f4-cvqm-65w2)

6.4.1 / 2024-01-03

• Bugfixes

  • DSL#warn_if_in_single_mode - fixup when workers set via CLI (#3256)
  • Fix idle-timeout not working in cluster mode (#3235, #3228, #3282, #3283)
  • Fix worker 0 timing out during phased restart (#3225, #2786)
  • context_builder.rb - require openssl if verify_mode != 'none' (#3179)
  • Make puma cluster process suitable as PID 1 (#3255)
  • Improve Puma::NullIO consistency with real IO (#3276)
  • extconf.rb - fixup to detect openssl info in Ruby build (#3271, #3266)
  • MiniSSL.java - set serialVersionUID, fix RaiseException deprecation (#3270)
  • dsl.rb - fix warn_if_in_single_mode when WEB_CONCURRENCY is set (#3265, #3264)

• Maintenance

  • LOTS of test refactoring to make tests more stable and easier to write - thanks to @​MSP-Greg!
  • Fix bug in tests re: TestPuma::HOST4 (#3254)
  • Dockerfile for minimal repros: use Ruby 3.2, expect bundler installed (#3245)
  • fix define_method calls, use Symbol parameter instead of String (#3293)

• Docs

  • README.md - add the puma-acme plugin (#3301)
  • Remove --keep-file-descriptors flag from systemd docs (#3248)
  • Note symlink mechanism in restart documentation for hot restart (#3298)

Commits

• 5fc43d7 5.6.8 and 6.4.2
• dfbba22 6.4.2
• 60d5ee3 Merge pull request from GHSA-c2f4-cvqm-65w2
• a287025 6.4.1 version tick!
• 32a629d 6.4.1
• 7e17826 [Fix #3282] idle-timeout not waiting on all workers in cluster mode (#3283)
• 437142e README.md - add the puma-acme plugin (#3301)
• e9125fa [CI] Change all workflow file extensions to '.yml' (#3300)
• d49dec9 [CI] Add Ruby 3.3, use 'rubygems: latest' in tests.yaml MRI (#3299)
• 2d27225 Note symlink mechanism in restart documentation for hot restart (#3298)
• Additional commits viewable in compare view

Updates sinatra from 1.0 to 4.0.0

Changelog

Sourced from sinatra's changelog.

4.0.0. / 2024-01-19

• New: Add support for Rack 3 (#1857)

  • Note: you may want to read the [Rack 3 Upgrade Guide]

• Require Ruby 2.7.8 as minimum Ruby version (#1993)

• Breaking change: Drop support for Rack 2 (#1857)

  • Note: when using Sinatra to start the web server, you now need the rackup gem installed

• Breaking change: Remove the IndifferentHash initializer (#1982)

• Breaking change: Disable session_hijacking protection by default (#1984)

• Breaking change: Remove Rack::Protection::EncryptedCookie (#1989)

  • Note: cookies are still encrypted (by [Rack::Session::Cookie])

#1857: sinatra/sinatra#1857 #1993: sinatra/sinatra#1993 #1982: sinatra/sinatra#1982 #1984: sinatra/sinatra#1984 #1989: sinatra/sinatra#1989 [Rack::Session::Cookie]: https://github.com/rack/rack-session [Rack 3 Upgrade Guide]: https://github.com/rack/rack/blob/main/UPGRADE-GUIDE.md

3.2.0 / 2023-12-29

• New: Add #except method to Sinatra::IndifferentHash (#1940)

• New: Use Exception#detailed_message to show backtrace (#1952)

• New: Add Sinatra::HamlHelpers to sinatra-contrib (#1960)

• Fix: Add base64 to rack-protection runtime dependencies (#1946)

• Fix: Avoid open-ended dependencies for sinatra-contrib and rack-protection (#1949)

• Fix: Helpful message when Sinatra::Runner times out (#1975)

• Fix: Ruby 3.3 + Bundler 2.5 compatibility (#1975)

#1940: sinatra/sinatra#1940 #1946: sinatra/sinatra#1946 #1949: sinatra/sinatra#1949 #1952: sinatra/sinatra#1952 #1960: sinatra/sinatra#1960 #1975: sinatra/sinatra#1975

3.1.0 / 2023-08-07

... (truncated)

Commits

• b626e2d 4.0.0 release (#1996)
• e56f657 Require Ruby 2.7.8 as minimum Ruby version (#1993)
• 9993829 CI: remove rack monkey patches
• 09f1c2b CI: rdiscount 2.2.7.3 resolved the TruffleRuby issue
• c43e097 CI: use the released version of childprocess
• 739eaa0 CI: no need to set RUBY_ENGINE
• d872057 CI: no need to set Encoding.default_external
• 9c14764 Remove Rack::Protection::EncryptedCookie (#1989)
• 667056c CI: allow ruby-head to fail
• 393bb7c Avoid using deprecated Rack::Response#header
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.