Bump the bundler group across 1 directory with 6 updates #1

Open
wants to merge 1 commit into base: master

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Nov 18, 2024

Bumps the bundler group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| haml | 3.1.2 | 5.0.0 |
| will_paginate | 2.3.15 | 3.0.5 |
| nokogiri | 1.5.0 | 1.16.5 |
| rake | 0.8.7 | 12.3.3 |
| ffi | 1.0.9 | 1.9.24 |
| rubyzip | 0.9.4 | 1.3.0 |

Updates haml from 3.1.2 to 5.0.0

Changelog

Sourced from haml's changelog.

5.0.0

Released on April 26, 2017 (diff).

Breaking Changes

  • Haml now requires Ruby 2.0.0 or above.

  • Rails 3 is no longer supported, matching the official Maintenance Policy for Ruby on Rails. Use Haml 4 if you want to use Rails 3. (Tee Parham)

  • Remove :ugly option (#894)

  • The haml command's debug option (-d) no longer executes the Haml code, but rather checks the generated Ruby syntax for errors.

  • Drop parser/compiler accessor from Haml::Engine. Modify Haml::Engine#initialize options or Haml::Template.options instead. (Takashi Kokubun)

  • Drop dynamic quotes support and always escape ' for escape_html/escape_attrs instead. Also, escaped results are slightly changed and always unified to the same characters. (Takashi Kokubun)

  • Don't preserve newlines in attributes. (Takashi Kokubun)

  • HTML escape interpolated code in filters. #770 (Matt Wildig)

      :javascript
        #{JSON.generate(foo: "bar")}
      Haml 4 output: {"foo":"bar"}
      Haml 5 output: {&quot;foo&quot;:&quot;bar&quot;}


Added

  • Add a tracing option. When enabled, Haml will output a data-trace attribute on each tag showing the path to the source Haml file from which it was generated. Thanks Alex Babkin.
  • Add haml_tag_if to render a block, conditionally wrapped in another element (Matt Wildig)
  • Support Rails 5.1 Erubi template handler.
  • Support Sprockets 3. Thanks Sam Davies and Jeremy Venezia.
  • General performance and memory usage improvements. (Akira Matsuda)
  • Analyze attribute values by Ripper and render static attributes beforehand. (Takashi Kokubun)
  • Optimize attribute rendering about 3x faster. (Takashi Kokubun)
  • Add temple gem as dependency and create Haml::TempleEngine class. Some methods in Haml::Compiler are migrated to Haml::TempleEngine. (Takashi Kokubun)

Fixed

  • Fix for attribute merging. When an attribute method (or literal nested hash) was used in an old style attribute hash and there is also a (non-static) new style hash there is an error. The fix can result in different behavior in some circumstances. See the commit message for detailed info. (Matt Wildig)
  • Make escape_once respect hexadecimal references. (Matt Wildig)

... (truncated)

Commits
  • 78e2a09 Version 5.0.0
  • e5d6409 Note about #770 in Haml 5 changes
  • 1bac6f9 Remove JRuby from allow_failures
  • d45c2d4 Add backslash for @ to support JRuby
  • 8f20707 Enable frozen_string_literal pragma if possible
  • a6bb255 Oops, this was not intentional...
  • aa4c397 Fix spec in #867 for pretty mode removal
  • 11af795 Fallback to default value of preserve option
  • bbbeb7e Update CHANGELOG to include #867
  • ed7f24f Merge pull request #867 from redoPop/atful-css
  • Additional commits viewable in compare view

Updates will_paginate from 2.3.15 to 3.0.5

Release notes

Sourced from will_paginate's releases.

will_paginate 3.0.5: bugfix & security release

  • fix CVE-2013-6459: XSS in generated pagination links
  • always call html_safe if available on will_paginate result
  • exclude reorder for count queries

will_paginate 2.3.17

  • Avoid unintentional SQL queries being triggered by defining respond_to_missing? alongside method_missing?

Commits
  • 2c5f1ed v3.0.5
  • c62c6f6 prevent tampering with host, port, protocol
  • a213b7e add test that page query param will be overriden
  • 3f221d4 fix assert method in case of failure
  • 83dd3f2 cleaner backtrace in specs
  • c78608a always call html_safe on will_paginate result
  • 6c55482 add license information to gemspec
  • 890e4de don't build Rails 4 against Ruby 1.8, 1.9.2
  • 8a0ead9 Rails 4 compat: port named scopes to new syntax
  • 56c7ad5 Rails 4 compat: AR::Base.silence requires an argument
  • Additional commits viewable in compare view

Updates nokogiri from 1.5.0 to 1.16.5

Release notes

Sourced from nokogiri's releases.

v1.16.5 / 2024-05-13

Security

Dependencies


sha256 checksums:


v1.16.4 / 2024-04-10

Dependencies

  • [CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

sha256 checksums:


... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.16.5

Security

Dependencies

v1.16.4 / 2024-04-10

Dependencies

  • [CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

v1.16.3 / 2024-03-15

Dependencies

Changed

  • [CRuby] XML::Reader sets the @encoding instance variable during reading if it is not passed into the initializer. Previously, it would remain nil. The behavior of Reader#encoding has not changed. This works around changes to how libxml2 reports the encoding used in v2.12.6.

v1.16.2 / 2024-02-04

Security

Dependencies

v1.16.1 / 2024-02-03

Dependencies

... (truncated)

Commits

Updates rake from 0.8.7 to 12.3.3

Release notes

Sourced from rake's releases.

rake-10.1.1

Full Changelog: ruby/rake@rake-10.1.0.beta.3...rake-10.1.1

rake-10.1.0

Full Changelog: ruby/rake@rake-10.0.4...rake-10.1.0

rake-10.1.0.beta.3

Full Changelog: ruby/rake@rake-10.1.0.beta.2...rake-10.1.0.beta.3

rake-10.1.0.beta.2

Full Changelog: ruby/rake@rake-10.1.0.beta.1...rake-10.1.0.beta.2

rake-10.1.0.beta.1

Full Changelog: ruby/rake@rake-10.0.4...rake-10.1.0.beta.1

rake-10.0.4

Full Changelog: ruby/rake@rake-10.0.3...rake-10.0.4

rake-10.0.3

Full Changelog: ruby/rake@rake-10.0.2...rake-10.0.3

rake-10.0.2

Full Changelog: ruby/rake@rake-10.0.1...rake-10.0.2

rake-10.0.1

Full Changelog: ruby/rake@rake-10.0.0.beta.2...rake-10.0.1

rake-10.0.0

Full Changelog: ruby/rake@rake-0.9.3.beta.3...rake-10.0.0

rake-10.0.0.beta.2

Full Changelog: ruby/rake@rake-0.9.3.beta.3...rake-10.0.0.beta.2

rake-0.9.6

Full Changelog: ruby/rake@rake-0.9.5...rake-0.9.6

rake-0.9.5

Full Changelog: ruby/rake@rake-0.9.4...rake-0.9.5

rake-0.9.4

Full Changelog: ruby/rake@rake-0.9.3.beta.3...rake-0.9.4

rake-0.9.3

Full Changelog: ruby/rake@rake-0.9.2...rake-0.9.3

rake-0.9.3.beta.3

Full Changelog: ruby/rake@rake-0.9.3.beta.2...rake-0.9.3.beta.3

rake-0.9.3.beta.2

Full Changelog: ruby/rake@rake-0.9.3.beta.1...rake-0.9.3.beta.2

... (truncated)

Changelog

Sourced from rake's changelog.

=== 12.3.3

==== Bug fixes

  • Use the application's name in error message if a task is not found. Pull Request #303 by tmatilai

==== Enhancements:

  • Use File.open explicitly.

=== 12.3.2

==== Bug fixes

  • Fixed test fails caused by 2.6 warnings. Pull Request #297 by hsbt

==== Enhancements:

  • Rdoc improvements. Pull Request #293 by colby-swandale
  • Improve multitask performance. Pull Request #273 by jsm
  • Add alias prereqs. Pull Request #268 by take-cheeze

=== 12.3.1

==== Bug fixes

  • Support did_you_mean >= v1.2.0 which has a breaking change on formatters. Pull request #262 by FUJI Goro.

==== Enhancements:

  • Don't run task if it depends on already invoked but failed task. Pull request #252 by Gonzalo Rodriguez.
  • Make space trimming consistent for all task arguments. Pull request #259 by Gonzalo Rodriguez.
  • Removes duplicated inclusion of Rake::DSL in tests. Pull request #254 by Gonzalo Rodriguez.
  • Re-raise a LoadError that didn't come from require in the test loader. Pull request #250 by Dylan Thacker-Smith.

=== 12.3.0

==== Compatibility Changes

  • Bump required_ruby_version to Ruby 2.0.0. Rake has already

... (truncated)

Commits
  • 5c87c46 Bump version to 12.3.3.
  • 5b8f8fc Use File.open explicitly.
  • 6497ba4 Merge pull request #317 from ruby/ignore-gitignore
  • be62efb Removed gitignore from gemspec files.
  • 1c22b49 Merge pull request #309 from RDIL/patch-1
  • 496944a Remove deprecated travis ci option
  • 489c7d8 Merge pull request #307 from ruby/azure-pipelines
  • 77eb6d8 Only enabled macOS environment
  • 72ffa2e use realpath
  • 7744872 Do not specify ruby version of macOS
  • Additional commits viewable in compare view

Updates ffi from 1.0.9 to 1.9.24

Changelog

Sourced from ffi's changelog.

1.9.24 / 2018-06-02

Security Note:

This update addresses vulnerability CVE-2018-1000201: DLL loading issue which can be hijacked on Windows OS, when a Symbol is used as DLL name instead of a String. Found by Matthew Bush.

Added:

  • Added a CHANGELOG file
  • Add mips64(eb) support, and mips r6 support. (#601)

Changed:

  • Update libffi to latest changes on master.
  • Don't search in hardcoded /usr paths on Windows.
  • Don't treat Symbol args different to Strings in ffi_lib.
  • Make sure size_t is defined in Thread.c. Fixes #609

1.9.23 / 2018-02-25

Changed:

  • Fix unnecessary rebuild of configure in darwin multi arch. Fixes #605

1.9.22 / 2018-02-22

Changed:

  • Update libffi to latest changes on master.
  • Update detection of system libffi to match new requirements. Fixes #617
  • Prefer bundled libffi over system libffi on Mac OS.
  • Do closures via libffi. This removes ClosurePool and fixes compat with PaX. #540
  • Use a more deterministic gem packaging.
  • Fix unnecessary update of autoconf files at gem install.

1.9.21 / 2018-02-06

Added:

  • Ruby-2.5 support by Windows binary gems. Fixes #598
  • Add missing win64 types.
  • Added support for Bitmask. (#573)
  • Add support for MSYS2 (#572) and Sparc64 Linux. (#574)

Changed:

  • Fix read_string to not throw an error on length 0.
  • Don't use absolute paths for sh and env. Fixes usage on Android #528
  • Use Ruby implementation for which for better compat with Windows. Fixes #315

... (truncated)

Commits
  • 4e1051a Run rspec with dots output only
  • e70b13d Fix integer parameter range specs
  • 55ae232 Fix several specs where raise_error was called without class
  • 8821d4f Specify error class for several raise_error calls
  • bf48d44 Fix missing C declarations causing compiler warnings
  • f569788 Replace symlinks for mips r6 with plain files
  • fedbae0 Update CHANGELOG
  • a4d4d19 Merge branch 'master' of github.com:ffi/ffi
  • 45d8803 Add a CHANGELOG file
  • 2ff1d8f Bump VERSION to 1.9.24
  • Additional commits viewable in compare view

Updates rubyzip from 0.9.4 to 1.3.0

Release notes

Sourced from rubyzip's releases.

v1.3.0

Security

  • Add validate_entry_sizes option so that callers can trust an entry's reported size when using extract #403
    • This option defaults to false for backward compatibility in this release, but you are strongly encouraged to set it to true. It will default to true in rubyzip 2.0.

New Feature

  • Add add_stored method to simplify adding entries without compression #366

Tooling / Documentation

  • Add more gem metadata links #402

v1.2.4

  • Do not rewrite zip files opened with open_buffer that have not changed #360

Tooling / Documentation

  • Update example_recursive.rb in README #397
  • Hold CI at trusty for now, automatically pick the latest ruby patch version, use rbx-4 and hold jruby at 9.1 #399

v1.2.3

  • Allow tilde in zip entry names #391 (fixes regression in 1.2.2 from #376)
  • Support frozen string literals in more files #390
  • Require pathname explicitly #388 (fixes regression in 1.2.2 from #376)

Tooling / Documentation:

  • CI updates #392, #394
    • Bump supported ruby versions and add 2.6
    • JRuby failures are no longer ignored (reverts #375 / part of #371)
  • Add changelog entry that was missing for last release #387
  • Comment cleanup #385

Since the GitHub release information for 1.2.2 is missing, I will also include it here:

1.2.2

NB: This release drops support for extracting symlinks, because there was no clear way to support this securely. See rubyzip/rubyzip#376 for details.

  • Fix CVE-2018-1000544 #376 / #371
  • Fix NoMethodError: undefined method `glob' #363
  • Fix handling of stored files (i.e. files not using compression) with general purpose bit 3 set #358
  • Fix close on StringIO-backed zip file #353
  • Add Zip.force_entry_names_encoding option #340
  • Update rubocop, apply auto-fixes, and fix regressions caused by said auto-fixes #332, #355
  • Save temporary files to temporary directory (rather than current directory) #325

Tooling / Documentation:

... (truncated)

Changelog

Sourced from rubyzip's changelog.

1.3.0 (2019-09-25)

Security

  • Add validate_entry_sizes option so that callers can trust an entry's reported size when using extract #403
    • This option defaults to false for backward compatibility in this release, but you are strongly encouraged to set it to true. It will default to true in rubyzip 2.0.

New Feature

  • Add add_stored method to simplify adding entries without compression #366

Tooling / Documentation

  • Add more gem metadata links #402

1.2.4 (2019-09-06)

  • Do not rewrite zip files opened with open_buffer that have not changed #360

Tooling / Documentation

  • Update example_recursive.rb in README #397
  • Hold CI at trusty for now, automatically pick the latest ruby patch version, use rbx-4 and hold jruby at 9.1 #399

1.2.3

  • Allow tilde in zip entry names #391 (fixes regression in 1.2.2 from #376)
  • Support frozen string literals in more files #390
  • Require pathname explicitly #388 (fixes regression in 1.2.2 from #376)

Tooling / Documentation:

  • CI updates #392, #394
    • Bump supported ruby versions and add 2.6
    • JRuby failures are no longer ignored (reverts #375 / part of #371)
  • Add changelog entry that was missing for last release #387
  • Comment cleanup #385

1.2.2

NB: This release drops support for extracting symlinks, because there was no clear way to support this securely. See rubyzip/rubyzip#376 for details.

  • Fix CVE-2018-1000544 #376 / #371
  • Fix NoMethodError: undefined method `glob' #363
  • Fix handling of stored files (i.e. files not using compression) with general purpose bit 3 set #358
  • Fix close on StringIO-backed zip file #353
  • Add Zip.force_entry_names_encoding option #340
  • Update rubocop, apply auto-fixes, and fix regressions caused by said auto-fixes #332, #355
  • Save temporary files to temporary directory (rather than current directory) #325

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the bundler group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [haml](https://github.com/haml/haml) | `3.1.2` | `5.0.0` |
| [will_paginate](https://github.com/mislav/will_paginate) | `2.3.15` | `3.0.5` |
| [nokogiri](https://github.com/sparklemotion/nokogiri) | `1.5.0` | `1.16.5` |
| [rake](https://github.com/ruby/rake) | `0.8.7` | `12.3.3` |
| [ffi](https://github.com/ffi/ffi) | `1.0.9` | `1.9.24` |
| [rubyzip](https://github.com/rubyzip/rubyzip) | `0.9.4` | `1.3.0` |



Updates `haml` from 3.1.2 to 5.0.0
- [Release notes](https://github.com/haml/haml/releases)
- [Changelog](https://github.com/haml/haml/blob/main/CHANGELOG.md)
- [Commits](haml/haml@3.1.2...v5.0.0)

Updates `will_paginate` from 2.3.15 to 3.0.5
- [Release notes](https://github.com/mislav/will_paginate/releases)
- [Commits](mislav/will_paginate@v2.3.15...v3.0.5)

Updates `nokogiri` from 1.5.0 to 1.16.5
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.5.0...v1.16.5)

Updates `rake` from 0.8.7 to 12.3.3
- [Release notes](https://github.com/ruby/rake/releases)
- [Changelog](https://github.com/ruby/rake/blob/master/History.rdoc)
- [Commits](ruby/rake@rake-0.8.7...v12.3.3)

Updates `ffi` from 1.0.9 to 1.9.24
- [Changelog](https://github.com/ffi/ffi/blob/master/CHANGELOG.md)
- [Commits](ffi/ffi@1.0.9...1.9.24)

Updates `rubyzip` from 0.9.4 to 1.3.0
- [Release notes](https://github.com/rubyzip/rubyzip/releases)
- [Changelog](https://github.com/rubyzip/rubyzip/blob/master/Changelog.md)
- [Commits](https://github.com/rubyzip/rubyzip/commits/v1.3.0)

---
updated-dependencies:
- dependency-name: haml
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: will_paginate
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: nokogiri
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: rake
  dependency-type: direct:development
  dependency-group: bundler
- dependency-name: ffi
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rubyzip
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Nov 18, 2024
Labels
dependencies Pull requests that update a dependency file