🚨 [security] [ruby] Update redcarpet: 3.5.0 → 3.6.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ redcarpet (3.5.0 → 3.6.0) · Repo · Changelog

Security Advisories 🚨

🚨 Injection/XSS in Redcarpet

Redcarpet is a Ruby library for Markdown processing. In Redcarpet before
version 3.5.1, there is an injection vulnerability which can enable a cross-site
scripting attack. In affected versions no HTML escaping was being performed when
processing quotes. This applies even when the :escape_html option was being used.

Release Notes

3.6.0

This release is not particularly heavy but brings a few improvements and fixes.

Improvements

• Avoid warnings running on Ruby 3.2+ (See #721).
• Consider <center> as a block-level element (See #702).
• Properly provide a third argument to the table_cell callback indicating whether the current cell is part of the header or not.
  The previous implementation with two parameters is still supported (See #604 and #605).

Fixes

• Match fence char and length when matching closing fence in fenced code blocks (Fixes #208).
• Fix anchor generation on titles with ampersands (Fixes #696).

3.5.1

Fix a security vulnerability using :quote in combination with the :escape_html option.

Reported by Johan Smits.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 27 commits:

• Redcarpet v3.6.0
• Add a changelog entry for #721
• Merge pull request #721 from casperisfine/ruby-3.2
• Merge pull request #724 from amatsuda/test_files
• Missing files in the gem package
• Don't include test files in the gem package
• Merge pull request #723 from amatsuda/https
• GitHub is HTTPS by default
• Undefine uneeded T_DATA allocators
• Merge pull request #681 from orchitech/match-closing-fence-type-and-length
• Merge branch 'master' into match-closing-fence-type-and-length
• Add a changelog entry for #702
• Merge pull request #702 from momijizukamori/block-elements
• Add ins and del back to block list
• Merge pull request #707 from vmg/fix-travis
• Test against recent Ruby versions
• Merge pull request #706 from vmg/fix-605
• Remove Rubinius from our Travis build
• Fix for Ruby 1.9.3
• Provide the header bit in the `table_cell` callback
• Fix anchor generation on titles with ampersands
• Remove the version eye badge from the README
• Merge pull request #699 from noraj/patch-1
• Update list of HTML block elements + add source text to repo
• add gem version badge
• Fix a security issue using `:quote` with `:escape_html`
• Match fence char and length when matching closing fence in fenced code blocks.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #403.