🚨 [security] Update jquery-rails: 4.2.1 → 4.3.5 (minor)

[depfu]

---

🚨 Your version of jquery-rails has known security vulnerabilities 🚨

Advisory: CVE-2019-11358
Disclosed: April 19, 2019
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

Prototype pollution attack through jQuery $.extend

jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of
bject.prototype pollution. If an unsanitized source object contained an
enumerable proto property, it could extend the native Object.prototype.

🚨 We recommend to merge and deploy this update as soon as possible! 🚨

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ jquery-rails (4.2.1 → 4.3.5) · Repo · Changelog

Release Notes

4.3.5 (from changelog)

More info than we can show here.

4.3.4 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 44 commits:

• Prepare to 4.3.5
• Upgrade jQuery to 3.4.1
• Prepare to 4.3.4
• Upgrade jQuery to 3.4.0
• Merge pull request #264 from ScottGrimmett/patch-1
• Update README.md
• Merge pull request #259 from nisusam/fix_invalid_link
• Fix invalid link for `Rails Core Team`
• Merge pull request #255 from lanzhiheng/bugfix/we-can-not-input-jquery-code-without-semicolon
• Fix we can not input jquery code without semicolon.
• Prepare to 4.3.3
• Upgrade jQuery 3 to 3.3.1
• Prepare for 4.3.2 release
• Upgrade jQuery 3 to 3.3.0
• Merge pull request #251 from andrewhaines/rails-ujs-doc-update
• Added rails-ujs disambiguation for Rails 5.1 and up
• Merge pull request #250 from nicolasleger/patch-1
• [CI] Test agains Ruby 2.5
• Merge pull request #245 from hartator/patch-1
• Add small explanation about how to install for Rails 5.1 and up
• Merge pull request #243 from juank-pa/support_even_more_css_selectors
• Merge branch 'master' into support_even_more_css_selectors
• Merge pull request #242 from juank-pa/add_support_for_multiple_matches
• Merge pull request #241 from juank-pa/fix_bug_with_single_quoted_escaped_html
• Add support for multiple matches
• Support even more css selectors
• Fix bug with single quoted escaped html
• Upgrade jquery to 3.2.1
• Upgrade jquery to 3.2.0
• nokogiri-1.7 requires ruby version >= 2.1.0
• Merge pull request #236 from mrhead/improve-selector-matching
• Upgrade jQuery to 3.1.1
• rails 4.2 requires json 1.8
• ruby 2.2.2 is supported by rack 2 and rails 5
• ruby < 2.2.2 doesn't support rails 5
• rack 2 requires Ruby version >= 2.2.2
• bundle rack 2 that is required by rails 5
• ruby 2.4 requires json 2, and json 2 doesn't support ruby 1
• Remove unnecessary characters from regex
• Add possibility to test HTML attribute selectors
• Merge pull request #232 from MSathieu/master
• Fix TravisCI
• Merge pull request #233 from prathamesh-sonpatki/patch-1
• Fix version in CHANGELOG

↗️ builder (indirect, 3.2.3 → 3.2.4) · Repo · Changelog

↗️ concurrent-ruby (indirect, 1.0.5 → 1.1.6) · Repo · Changelog

Release Notes

1.1.6 (from changelog)

More info than we can show here.

1.1.5 (from changelog)

More info than we can show here.

1.1.4 (from changelog)

More info than we can show here.

1.1.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ crass (indirect, 1.0.3 → 1.0.6) · Repo · Changelog

Release Notes

1.0.6

More info than we can show here.

1.0.5

More info than we can show here.

1.0.4

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 13 commits:

• Release 1.0.6
• Limit number values to a sensible range
• Update history
• Add project metadata to the gemspec
• Release 1.0.5
• Remove test files and omit them
• Remove 1.9.3 from the test matrix
• Update Travis test matrix
• chore: Release 1.0.4
• chore: Enable warnings when running tests
• Address `warning: mismatched indentations at 'when' with 'case'`
• Merge pull request #6 from nicolasleger/patch-1
• [CI] Test against Ruby 2.5

↗️ i18n (indirect, 1.0.0 → 1.8.2) · Repo · Changelog

Release Notes

1.8.2

More info than we can show here.

1.2.0

More info than we can show here.

1.1.1

More info than we can show here.

1.1.0

More info than we can show here.

1.0.1

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ loofah (indirect, 2.2.2 → 2.5.0) · Repo · Changelog

Release Notes

2.5.0 (from changelog)

More info than we can show here.

2.4.0

More info than we can show here.

2.3.1

More info than we can show here.

2.3.0 (from changelog)

More info than we can show here.

2.2.3

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ method_source (indirect, 0.9.0 → 1.0.0) · Repo

Commits

See the full diff on Github. The new version differs by 29 commits:

• Merge pull request #64 from banister/release-1-0-0
• Release v1.0.0
• Merge pull request #63 from banister/travis-removal
• Test solely on CircleCI, remove Travis
• Merge pull request #62 from banister/circleci
• Test on CircleCI
• Merge pull request #61 from jasonkarns/patch-1
• More closely match MIT License text verbatim
• Merge pull request #59 from casperisfine/fix-ruby-2.7
• Test against Ruby 2.7 on CI
• Handle new message for unterminated lists on MRI 2.7
• Merge pull request #60 from casperisfine/fix-ci
• Fix ruby warning in spec_helper
• Add MRI 2.5 and 2.6
• Fix CI build
• Merge pull request #56 from nisusam/fix_documentation_link
• Fix `documentation` link
• Merge pull request #55 from banister/release-0-9-2
• Release v0.9.2
• Merge pull request #54 from banister/52-jruby-patch-removal
• Revert "method_source: fix broken Procs on JRuby 9.2.0.0"
• bump version number to 0.9.1
• Merge pull request #51 from kyrylo/jruby-9200-fix
• method_source: fix broken Procs on JRuby 9.2.0.0
• Merge pull request #50 from mensfeld/master
• remove gemfile lock
• license for the gemspec
• tweaks to .travis.yml
• Run rake gemspec task to bump gemspec data (incl version number)

↗️ minitest (indirect, 5.11.3 → 5.14.0) · Repo · Changelog

Release Notes

5.14.0 (from changelog)

More info than we can show here.

5.13.0 (from changelog)

More info than we can show here.

5.12.2 (from changelog)

More info than we can show here.

5.12.1 (from changelog)

More info than we can show here.

5.12.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 54 commits:

• prepped for release
• Closed temporary IOs when exiting capture_subprocess_io. (doudou)
• - Added example for value wrapper with block to Expectations module. (stomar)
• Added minitest_log to known modules (BurdetteLamar)
• + Block-assertions (eg assert_output) now error if raised inside the block. (casperisfine)
• - Fixed use of must/wont_be_within_delta on Expectation instance. (stomar)
• + Changed assert_raises to only catch Assertion since that covers Skip and friends.
• - Renamed UnexpectedError#exception to #error to avoid problems with reraising. (casperisfine)
• prepped for release
• + Deprecated Minitest::Guard#maglev?
• + Added skip_until(year, month, day, msg) to allow deferring until a deadline.
• Reworked some of metametameta to be more flexible.
• + Added expectations #path_must_exist and #path_wont_exist. Not thrilled with the names.
• re-sorted assertions after path additions
• + Finally added assert_path_exists and refute_path_exists. (deivid-rodriguez)
• + Refactored and pulled Assertions#things_to_diff out of #diff. (BurdetteLamar)
• - Fix autorun bug that affects fork exit status in tests. (dylanahsmith/jhawthorn)
• + Added examples to documentation for assert_raises. (lxxxvi)
• - Support new Proc#to_s format. (ko1)
• - Improved documentation for _/value/expect, especially for blocks. (svoop)
• prepped for release
• - After chatting w/ @y-yagi and others, decided to lower support to include ruby 2.2.
• prepped for release
• - Fixed broken link to reference on goodness-of-fit testing. (havenwood)
• Added mini-apivore to readme.
• - Update requirements in readme and Rakefile/hoe spec.
• + Added documentation for Reporter classes. (sshaw)
• Added minitest-global_expectations to readme. (jeremyevans)
• - Avoid using 'match?' to support older ruby versions. (y-yagi)
• Tweaked multithreading section of README. (iHiD)
• prepped for release
• Reworked the \n vs \\n mu_pp_for_diff situation.
• Extended assert_mu_pp and assert_mu_pp_for_diff to auto-quote strings to make tests more grokkable.
• minor editing to comment
• Turn off parallelism on stub and spec meta tests because they hit class methods (globals)
• Added mutant-minitest to readme. (mjb)
• + Add a descriptive error if assert_output or assert_raises called without a block. (okuramasafumi)
• - Check `option[:filter]` klass before match. Fixes 2.6 warning. (y-yagi)
• Fixed 2.6 warning in test_refute_match_matcher_object by adding explicit =~ method. (y-yagi)
• Added doco for using Rake::TestTask. (schneems)
• Added minitest-mock_expectations to readme. (bogdanvlviv)
• - Fixed spec section of readme to not use deprecated global expectations. (CheezItMan)
• minor rearrangement of requires
• Added tests for message and using message/lambad w/ assertions.
• + Changed mu_pp_for_diff to make having both \n and \\n easier to debug.
• Overhauled and sorted test_minitest_assertions.rb in prep for new mu_pp_for_diff changes.
• Split tests out into test_minitest_assertions.rb
• - Fixed Assertions#diff from recalculating if set to nil
• + Deprecated $N for specifying number of parallel test runners. Use MT_CPU.
• + Extended Assertions#mu_pp to encoding validity output for strings to improve diffs.
• + Deprecated use of global expectations. To be removed from MT6.
• + Fail gracefully when expectation used outside of `it`.
• Converted all minitest/spec tests over to use _ to avoid deprecation warnings.
• Avoid teardown assertion check if test is skipped

↗️ rack (indirect, 2.0.4 → 2.2.2) · Repo · Changelog

Release Notes

2.2.2 (from changelog)

More info than we can show here.

2.2.1 (from changelog)

More info than we can show here.

2.2.0 (from changelog)

More info than we can show here.

2.1.2 (from changelog)

More info than we can show here.

2.1.1 (from changelog)

More info than we can show here.

2.1.0 (from changelog)

More info than we can show here.

2.0.8 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rails-html-sanitizer (indirect, 1.0.4 → 1.3.0) · Repo · Changelog

Release Notes

1.3.0

More info than we can show here.

1.2.0

More info than we can show here.

1.1.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 30 commits:

• v1.3.0
• Merge pull request #102 from orien/gem-metadata
• Add project metadata to the gemspec
• Match Loofah's API changes.
• Prepare 1.2.0
• Remove needless white list sanitizer deprecations
• Merge pull request #96 from olleolleolle/patch-1
• CI: Drop unused sudo: false Travis directive
• Merge pull request #95 from rwojnarowski/patch-1
• Deprecated warning text, missing space
• Prepare version 1.1.0
• Merge pull request #91 from JuanitoFatas/doc/scrubbers
• Merge pull request #92 from JuanitoFatas/link-sanitizer
• Improve LinkSanitizer's documentation
• href is not a HTML element
• Improve Scrubber documentations
• Merge pull request #87 from JuanitoFatas/migrate-to-safelist
• Migrate to SafeListSanitizer
• Merge pull request #90 from JuanitoFatas/jf.fix-tests
• Update test behavior for Nokogiri > 1.9.1.
• Merge pull request #89 from JuanitoFatas/rubies
• Merge pull request #88 from JuanitoFatas/jf.relax-bundler-dependency
• Update Ruby version matrix on CI
• Use a inclusive Bundler version
• Merge pull request #86 from tebs/fix-documentation-link
• Fix Nokogiri link in documentation
• [ci skip] Please don't send more PRs trying to bump Loofah.
• Merge pull request #71 from nicolasleger/patch-1
• [CI] Allow failure with ruby head
• [CI] Test against Ruby 2.5

↗️ rake (indirect, 12.3.1 → 13.0.1) · Repo · Changelog

Release Notes

13.0.1 (from changelog)

More info than we can show here.

13.0.0 (from changelog)

More info than we can show here.

12.3.3 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ thor (indirect, 0.20.0 → 1.0.1) · Repo · Changelog

Release Notes

1.0.1 (from changelog)

More info than we can show here.

1.0.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tzinfo (indirect, 1.2.5 → 1.2.7) · Repo · Changelog

Release Notes

1.2.7

More info than we can show here.

1.2.6

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 46 commits:

• Improve grammar.
• Preparing v1.2.7.
• Update to Ruby 2.7.1.
• Revert to Ruby 2.4.9 and 2.7.0.
• Update to Ruby 2.4.10, 2.5.8, 2.6.6, 2.7.1 and JRuby 9.2.11.1.
• Use shields.io for badges.
• Update copyright years.
• Add a build status badge for AppVeyor.
• Replace broken links.
• Use https for links where available.
• Update to JRuby 9.2.11.0.
• Merge pull request #112.
• Test for just the non-existence of #untaint.
• Fix comments relating to taint/untaint removal.
• Don't rely on lexicographic version comparisons.
• Fix test failures on Ruby 1.8.7.
• Fix erroneous 'wrong number of arguments' errors on JRuby 9.0.5.0.
• `$VERBOSE = false` won't be worked since `rb_warning` is changed to `rb_warn`
• Update to Ruby 2.7.0.
• Update copyright years.
• Preparing v1.2.6.
• Replace expired gem signing certificate.
• Fix a comment.
• Ruby Enterprise Edition requires older versions of RubyGems and Bundler.
• Fix block not being called by RubyCoreSupport.open_file on JRuby 9.2.
• Revert "Try and fix an incorrect rake version being picked with JRuby 1.7."
• Try and fix an incorrect rake version being picked with JRuby 1.7.
• Convert to UNIX line endings.
• Simplify minitest version constraint.
• Update to Ruby v2.7.0-rc2.
• Run CI tests on Windows with AppVeyor.
• Enable verbose test output.
• Update Travis CI Ruby versions.
• Prevent bundler from attempting to use version minitest v5.12.0.
• Allow newer versions of Rake that fix warnings with Ruby 2.7.
• Eliminate a warning when calling File.open with keyword arguments.
• Suppress deprecation warnings due to Object#untaint on Ruby 2.7.
• Fix test failures on Ruby 1.8.7 caused by DateTime issues.
• Remove the unused REQUIRE_PATH constant from RubyDataSource.
• Fix SecurityErrors when loading data in safe mode.
• Test that RUBY_ENGINE is defined.
• Skip tests that fail due to Ruby bug 14060 on Ruby 2.4.4.
• Update to the latest Ruby, JRuby and Rubinius releases.
• Fix a documentation typo.
• Return the correct seconds since the epoch value for strftime with %s.
• Restrictions on timezones only apply to older (pre-1.9) Ruby releases.

---

👉 No CI detected

You don't seem to have any Continuous Integration service set up!

Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.

This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:

• Circle CI, Semaphore and Travis-CI are all excellent options.
• If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github.
• If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with depfu/.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #40.