
🚨 [security] Update carrierwave 2.2.2 → 2.2.5 (patch) #278


Closed
wants to merge 1 commit

Conversation

depfu[bot]

@depfu depfu bot commented Nov 30, 2023


Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea of how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!



🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ carrierwave (2.2.2 → 2.2.5) · Repo · Changelog

Security Advisories 🚨

🚨 CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS

Impact

CarrierWave::Uploader::ContentTypeAllowlist has a Content-Type allowlist bypass vulnerability, possibly leading to XSS.

The validation in allowlisted_content_type? determines Content-Type
permissions by performing a partial match.
If the content_type argument of allowlisted_content_type? is passed
a value crafted by the attacker, Content-Types not included in the
content_type_allowlist will be allowed.

In addition, by setting the Content-Type configured by the attacker
at the time of file delivery, it is possible to cause XSS on the
user's browser when the uploaded file is opened.

Patches

Upgrade to 3.0.5
or 2.2.5.

Workarounds

When validating with allowlisted_content_type? in
CarrierWave::Uploader::ContentTypeAllowlist,
forward-match (\A) the Content-Type set in content_type_allowlist,
preventing unintentional permission of text/html;image/png when
you want to allow only image/png in content_type_allowlist.

References

OWASP - File Upload Cheat Sheet

Release Notes

2.2.4

Fixed

2.2.3

Fixed

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ mini_magick (4.11.0 → 4.12.0) · Repo · Changelog

Release Notes

4.12.0

  • Added new tmpdir configuration, which defaults to Dir.tmpdir (#541)
    MiniMagick.configure do |config|
      config.tmpdir = File.join(Dir.tmpdir, "/my/new/tmp_dir")
    end
  • Don't leave temporary files lying around when MiniMagick::Image#format failed (#547)
  • Replace File.exists? with File.exist?, which should fix Ruby 3.2 compatibility (#550)
  • Fixed a case where the log could not be parsed correctly when there were multiple lines (#540)
  • Added status to the exception message when the ImageMagick command fails (#542)
  • Allow passing format to Image#get_pixels so we can request "RGBA" pixels (#537)
  • Suppress warning to ambiguous argument (#529)
  • Use Thread#join with a timeout argument instead of the Timeout standard library (#525)


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ addressable (indirect, 2.8.0 → 2.8.5) · Repo · Changelog

Release Notes

2.8.5 (from changelog)

  • Fix thread safety issue with encoding tables (#515)
  • Define URI::NONE as a module to avoid serialization issues (#509)
  • Fix YAML serialization (#508)

2.8.4 (from changelog)

  • Restore Addressable::IDNA.unicode_normalize_kc as a deprecated method (#504)

2.8.3 (from changelog)

  • Fix template expand level 2 hash support for non-string objects (#499, #498)

2.8.2 (from changelog)

  • Improve cache hits and JIT friendliness (#486)
  • Improve code style and test coverage (#482)
  • Ensure reset of deferred validation (#481)
  • Resolve normalization differences between IDNA::Native and IDNA::Pure (#408, #492)
  • Remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438) (accidentally reverted by #449 merge but added back in #492)

2.8.1 (from changelog)

  • refactor Addressable::URI.normalize_path to address linter offenses (#430)
  • remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438)
  • update gemspec to reflect supported Ruby versions (#466, #464, #463)
  • compatibility w/ public_suffix 5.x (#466, #465, #460)
  • fixes "invalid byte sequence in UTF-8" exception when unencoding URLs containing non UTF-8 characters (#459)
  • Ractor compatibility (#449)
  • use the whole string instead of a single line for template match (#431)
  • force UTF-8 encoding only if needed (#341)


↗️ concurrent-ruby (indirect, 1.1.10 → 1.2.2) · Repo · Changelog

Release Notes

1.2.2

concurrent-ruby 1.2.2:

  • (#993) Fix arguments passed to Concurrent::Map's default_proc.

1.2.1

concurrent-ruby 1.2.1:

  • (#990) Add missing require 'fiber' for FiberLocalVar.
  • (#989) Optimize Concurrent::Map#[] on CRuby by letting the backing Hash handle the default_proc.

1.2.0

concurrent-ruby 1.2.0:

  • (#975) Set the Ruby compatibility version at 2.3
  • (#962) Fix ReentrantReadWriteLock to use the same granularity for locals as for Mutex it uses.
  • (#983) Add FiberLocalVar
  • (#934) concurrent-ruby now supports requiring individual classes (public classes listed in the docs), e.g., require 'concurrent/map'
  • (#976) Let Promises.any_fulfilled_future take an Event
  • Improve documentation of various classes
  • (#972) Remove Rubinius-related code

concurrent-ruby-edge 0.7.0:

  • (#975) Set the Ruby compatibility version at 2.3
  • (#934) concurrent-ruby now supports requiring individual classes (public classes listed in the docs), e.g., require 'concurrent/map'
  • (#972) Remove Rubinius-related code


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ffi (indirect, 1.15.5 → 1.16.3) · Repo · Changelog

Release Notes

1.16.3 (from changelog)

Fixed:

  • Fix gcc error when building on CentOS 7. #1052
  • Avoid trying to store new DataConverter type in frozen TypeDefs hash. #1057

1.16.2 (from changelog)

Fixed:

  • Handle null pointer crash after fork. #1051

1.16.1 (from changelog)

Fixed:

  • Fix compiling the builtin libffi. #1049

1.16.0 (from changelog)

Fixed:

  • Fix an issue with signed bitmasks when using flags on the most significant bit. #949
  • Fix FFI::Pointer#initialize using NUM2LL instead of NUM2ULL.
  • Fix FFI::Type#inspect to properly display the constant name. #1002
  • Use libffi closure allocations on hppa-Linux. #1017 Previously they would segfault.
  • Fix class name of Symbol#inspect.
  • Fix MSVC support of libtest. #1028
  • Fix attach_function of functions ending in ? or ! #971

Added:

  • Convert all C-based classes to TypedData and use write barriers. #994, #995, #996, #997, #998, #999, #1000, #1001, #1003, #1004, #1005, #1006, #1007, #1008, #1009, #1010, #1011, #1012 This results in less pressure on the garbage collector, since the objects can be promoted to the old generation, which means they only get marked on major GC.
  • Implement ObjectSpace.memsize_of() of all C-based classes.
  • Make FFI Ractor compatible. #1023 Modules extended per extend FFI::Library need to be frozen in order to be used by non-main Ractors. This can be done by calling freeze below all C interface definitions.
    • In a Ractor it's possible to:
      • load DLLs and call its functions, access its global variables
      • use builtin typedefs
      • use and modify ractor local typedefs
      • define callbacks
      • receive async callbacks from non-ruby threads
      • use frozen FFI::Library based modules with all attributes (enums, structs, typedefs, functions, callbacks)
      • invoke frozen functions and callbacks defined in the main Ractor
      • use FFI::Struct definitions from the main Ractor
    • In a Ractor it's impossible to:
      • create new FFI::Library based modules
      • create new FFI::Struct definitions
      • use custom global typedefs
      • use non-frozen FFI::Library based modules
  • Allow type retrieval of attached functions+variables. #1023
  • Make FFI classes GC.compact friendly. #1021
  • Update libffi and disable custom trampoline when using libffi closure allocation. #1020 This is because libffi changed the way how closures are allocated to static trampolines.
  • Add types.conf for loongarch64-linux. #943
  • Add types.conf for sw_64-linux (Shen Wei 64-bit, based on Alpha). #1018
  • Add support for aarch64-windows. #1035
  • Windows: Update LoadLibrary error message to include error code. #1026
  • Allow private release method for FFI::ManagedStruct and FFI::AutoPointer. #1029
  • Add support for passing ABI version to FFI.map_library_name. #963 This adds the new class FFI::LibraryPath .
  • Add support for ruby-3.2 to windows binary gem. #1047
  • Enable debug symbols for rake compile builds to ease debugging. #1048

Removed:

  • Remove allocator of AbstractMemory. #1013 This disables AbstractMemory.new, which has no practical use.
  • Remove unused FFI::SizeTypes. #1022


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 1.12.0 → 1.14.1) · Repo · Changelog

Release Notes

1.14.1

Included in this release

  • Simplify the "Translation missing" message when default is an empty Array by @amatsuda in #662

Maintenance stuff

Thanks to @amatsuda for these PRs!

New Contributors

Full Changelog: v1.14.0...v1.14.1

1.14.0

What's Changed

  • fix LazyLoadable#available_locales duplicating locales by @ccutrer in #655
  • Add more helpful translation error when :default option is provided. by @Nerian in #654
  • Fix I18n::Locale::Fallbacks not initializing itself on Ruby 3 by @yheuhtozr in #653
  • Fix I18n.t when locale contains separator by @tubaxenor in #656
    • This reverts a change from #651, that was released in v1.13.0

New Contributors

Full Changelog: v1.13.0...v1.14.0

1.13.0

What's Changed

New Contributors

Full Changelog: v1.12.0...v1.13.0


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_mime (indirect, 1.1.2 → 1.1.5) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.16.2 → 5.20.0) · Repo · Changelog

Release Notes

5.20.0 (from changelog)

  • 1 minor enhancement:

    • Optionally allow autorun exit hook to remain active in forked child. (casperisfine)

5.19.0 (from changelog)

  • 2 minor enhancements:

    • Add metadata lazy accessor to Runnable / Result. (matteeyah)

    • Only load minitest/unit (aka ancient MiniTest compatibility layer) if ENV

  • 1 bug fix:

    • Minitest::TestTask enthusiastically added itself to default. (ParadoxV5)

5.18.1 (from changelog)

  • 3 bug fixes:

    • Avoid extra string allocations when filtering tests. (tenderlove)

    • Only mention deprecated ENV if it is an integer string.

    • Push up test_order to Minitest::Runnable to fix minitest/hell. (koic)

5.18.0 (from changelog)

  • 2 major enhancements:

    • Added assert_pattern & refute_pattern for pattern matching. (flavorjones)

    • Added matching must_pattern_match & wont_pattern_match to minitest/spec.

  • 1 bug fix:

    • Support the new message format of NameError in Ruby 3.3 (mame)

5.17.0 (from changelog)

  • 1 minor enhancement:

    • Refactor setup hooks into a SETUP_METHODS constant. (MSP-Greg)

  • 3 bug fixes:

    • Fix kwargs for Mock calls to delegator. (blowmage)

    • Fix kwargs for expectations. (bobmazanec, blowmage)

    • Remove check for .b method. (tenderlove)

5.16.3 (from changelog)

  • 2 bug fixes:

    • Fixed exception sanitization by removing TypeError restriction on rescue.

    • Use A instead of deprecated TESTOPTS in rake test:slow. (davidstosik)


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ public_suffix (indirect, 4.0.7 → 5.0.4) · Repo · Changelog

Release Notes

5.0.4 (from changelog)

Changed

5.0.3 (from changelog)

Fixed

  • Fixed automated release workflow.

5.0.1 (from changelog)

Changed

  • Updated definitions.

5.0.0 (from changelog)

Changed

  • Minimum Ruby version is 2.6

  • Updated definitions.


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ruby-vips (indirect, 2.1.4 → 2.2.0) · Repo · Changelog

Release Notes

2.2.0 (from changelog)

  • add draw_point! [jcupitt]
  • add Vips.tracked_* for getting file and memory metrics [jeremy]
  • add Vips.cache_* for getting cache settings [jeremy]
  • add Vips.vector? to get/set SIMD status [jeremy]
  • add Vips.concurrency to get/set threadpool size [jeremy]
  • add Vips.concurrency_default to get the default threadpool size [jeremy]
  • fix targetcustom spec test with libvips 8.13 [lucaskanashiro]
  • add ruby 3.2 to CI [petergoldstein]
  • update docs for libvips 8.15 [jcupitt]


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ssrf_filter (indirect, 1.0.7 → 1.1.2) · Repo · Changelog

Release Notes

1.1.2

Bump version to 1.1.2

1.1.1

Bump version to 1.1.1

1.1.0

Bump version to 1.1.0

1.0.8 (from changelog)


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tzinfo (indirect, 2.0.5 → 2.0.6) · Repo · Changelog

Release Notes

2.0.6

  • Eliminate Object#untaint deprecation warnings on JRuby 9.4.0.0. #145.

TZInfo v2.0.6 on RubyGems.org


Commits

See the full diff on Github. The new version differs by more commits than we can show here.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
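The advisory above says the allowlist check in 2.2.2 does a partial match, and that anchoring the match with \A is the workaround. The following is an added example, not CarrierWave's own code and not part of the Depfu comment: it models the unanchored check beside the anchored form the advisory recommends, and adds a third, stricter variant (exact match on the media type with parameters stripped) that goes beyond the advisory. The method names, the sample allowlist and the sample Content-Type values are all constructed for illustration.

```ruby
# Added example (not CarrierWave's code): a model of the content-type
# allowlist check the advisory describes, in three forms.
#
#   allowlisted_partial?  - unanchored substring match (the bypassable behaviour)
#   allowlisted_anchored? - forward match with \A (the advisory's workaround)
#   allowlisted_exact?    - parameters stripped, exact media-type match
#                           (extra hardening, an assumption beyond the advisory)
#
# Method names and the allowlist below are illustrative, not CarrierWave's API.

# Constructed sample allowlist: two plain strings and one Regexp entry.
CONTENT_TYPE_ALLOWLIST = ["image/png", "image/jpeg", %r{\Aimage/(gif|webp)\z}].freeze

# Vulnerable form: every entry becomes an unanchored regexp, so any
# Content-Type that merely *contains* an allowed type passes, e.g.
# "text/html;image/png" is accepted because it contains "image/png".
def allowlisted_partial?(content_type, allowlist = CONTENT_TYPE_ALLOWLIST)
  Array(allowlist).any? do |item|
    item = Regexp.quote(item) unless item.is_a?(Regexp)
    content_type.to_s.match?(/#{item}/)
  end
end

# Workaround from the advisory: anchor the match at the start of the string.
# "text/html;image/png" no longer matches, but note that a trailing suffix
# such as "image/pngx" or a parameter such as "image/png; charset=binary"
# still passes, because nothing constrains what follows the prefix.
def allowlisted_anchored?(content_type, allowlist = CONTENT_TYPE_ALLOWLIST)
  Array(allowlist).any? do |item|
    item = Regexp.quote(item) unless item.is_a?(Regexp)
    content_type.to_s.match?(/\A#{item}/)
  end
end

# Stricter variant (an added assumption, not in the advisory): drop MIME
# parameters after ";", normalise case (media types are case-insensitive),
# and require an exact match. Regexp entries are applied to the stripped
# media type and must be anchored by their author with \A and \z.
def allowlisted_exact?(content_type, allowlist = CONTENT_TYPE_ALLOWLIST)
  media_type = content_type.to_s.split(";", 2).first.to_s.strip.downcase
  Array(allowlist).any? do |item|
    item.is_a?(Regexp) ? media_type.match?(item) : media_type == item.downcase
  end
end

# Side-by-side comparison: [content_type, partial, anchored, exact] per input.
def compare(content_types)
  content_types.map do |ct|
    [ct, allowlisted_partial?(ct), allowlisted_anchored?(ct), allowlisted_exact?(ct)]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample Content-Type values, including the advisory's bypass string.
  samples = [
    "image/png",
    "text/html;image/png",
    "image/pngx",
    "image/png; charset=binary",
    "IMAGE/PNG",
    "image/webp",
  ]
  printf("%-28s %-8s %-9s %s\n", "Content-Type", "partial", "anchored", "exact")
  compare(samples).each { |ct, p, a, e| printf("%-28s %-8s %-9s %s\n", ct, p, a, e) }
end
```

Run it with `ruby allowlist_check.rb` (any file name will do). The row for `text/html;image/png` is the advisory's case: it passes only the partial check. The `image/pngx` row shows why the advisory's workaround is a minimum rather than a full fix: a forward match still accepts anything after the allowed prefix, so an application that must defend against the XSS described above should also set a non-attacker-controlled Content-Type (and `X-Content-Type-Options: nosniff`) when serving the file, which is the delivery-side half of the OWASP cheat sheet the advisory references.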

@depfu depfu bot added the depfu label Nov 30, 2023

codecov bot commented Nov 30, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (d2b8bcf) 95.702% compared to head (95f071c) 95.702%.

Additional details and impacted files
@@            Coverage Diff            @@
##            master      #278   +/-   ##
=========================================
  Coverage   95.702%   95.702%           
=========================================
  Files          311       311           
  Lines         2955      2955           
=========================================
  Hits          2828      2828           
  Misses         127       127           

☔ View full report in Codecov by Sentry.


depfu bot commented Mar 27, 2024

Closed in favor of #295.

@depfu depfu bot closed this Mar 27, 2024
@depfu depfu bot deleted the depfu/update/carrierwave-2.2.5 branch March 27, 2024 00:12
