
Conversation

@depfu
Contributor

@depfu depfu bot commented Dec 17, 2021


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (6.1.4.1 → 6.1.4.4) · Repo

Release Notes

6.1.4.4

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Fix issue with host protection not allowing host with port in development.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

6.1.4.3

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • Allow localhost with a port by default in development

    [Fixes: #43864]

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ actioncable (indirect, 6.1.4.1 → 6.1.4.4) · Repo · Changelog

Release Notes

6.1.4.4 (from changelog)

  • No changes.

6.1.4.3 (from changelog)

  • No changes.

6.1.4.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ actionmailbox (indirect, 6.1.4.1 → 6.1.4.4) · Repo · Changelog

↗️ actionmailer (indirect, 6.1.4.1 → 6.1.4.4) · Repo · Changelog

Release Notes

6.1.4.4 (from changelog)

  • No changes.

6.1.4.3 (from changelog)

  • No changes.

6.1.4.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ actionpack (indirect, 6.1.4.1 → 6.1.4.4) · Repo · Changelog

Security Advisories 🚨

🚨 Possible Open Redirect in Host Authorization Middleware

There is a possible open redirect vulnerability in the Host Authorization
middleware in Action Pack.

Specially crafted "X-Forwarded-Host" headers in combination with certain
"allowed host" formats can cause the Host Authorization middleware in Action
Pack to redirect users to a malicious website.

Impacted applications will have allowed hosts with a leading dot. For example,
configuration files that look like this:

config.hosts << '.EXAMPLE.com'

When an allowed host contains a leading dot, a specially crafted Host header
can be used to redirect to a malicious website.

This vulnerability is similar to CVE-2021-22881 and CVE-2021-22942.

Releases

The fixed releases are available at the normal locations.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

  • 6-0-host-authorzation-open-redirect.patch - Patch for 6.0 series
  • 6-1-host-authorzation-open-redirect.patch - Patch for 6.1 series
  • 7-0-host-authorzation-open-redirect.patch - Patch for 7.0 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at
present. Users of earlier unsupported releases are advised to upgrade as soon
as possible as we cannot guarantee the continued availability of security
fixes for unsupported releases.

Release Notes

6.1.4.4 (from changelog)

  • Fix issue with host protection not allowing host with port in development.

6.1.4.3 (from changelog)

  • No changes.

6.1.4.2 (from changelog)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ actiontext (indirect, 6.1.4.1 → 6.1.4.4) · Repo · Changelog

Release Notes

6.1.4.4 (from changelog)

  • No changes.

6.1.4.3 (from changelog)

  • No changes.

6.1.4.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ actionview (indirect, 6.1.4.1 → 6.1.4.4) · Repo · Changelog

Release Notes

6.1.4.4 (from changelog)

  • No changes.

6.1.4.3 (from changelog)

  • No changes.

6.1.4.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ activejob (indirect, 6.1.4.1 → 6.1.4.4) · Repo · Changelog

Release Notes

6.1.4.4 (from changelog)

  • No changes.

6.1.4.3 (from changelog)

  • No changes.

6.1.4.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ activemodel (indirect, 6.1.4.1 → 6.1.4.4) · Repo · Changelog

Release Notes

6.1.4.4 (from changelog)

  • No changes.

6.1.4.3 (from changelog)

  • No changes.

6.1.4.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ activerecord (indirect, 6.1.4.1 → 6.1.4.4) · Repo · Changelog

Release Notes

6.1.4.4 (from changelog)

  • No changes.

6.1.4.3 (from changelog)

  • No changes.

6.1.4.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ activestorage (indirect, 6.1.4.1 → 6.1.4.4) · Repo · Changelog

Release Notes

6.1.4.4 (from changelog)

  • No changes.

6.1.4.3 (from changelog)

  • No changes.

6.1.4.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ activesupport (indirect, 6.1.4.1 → 6.1.4.4) · Repo · Changelog

Release Notes

6.1.4.4 (from changelog)

  • No changes.

6.1.4.3 (from changelog)

  • No changes.

6.1.4.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ globalid (indirect, 0.5.2 → 1.0.0) · Repo · Changelog

Release Notes

1.0.0

Stable API release.

The code is the same as the 0.6.0 release.

0.6.0

  • Add ActiveRecord::FixtureSet.signed_global_id helper to generate signed ids inside fixtures.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

↗️ i18n (indirect, 1.8.10 → 1.8.11) · Repo · Changelog

Release Notes

1.8.11

What's Changed

New Contributors

Full Changelog: v1.8.10...v1.8.11

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

↗️ loofah (indirect, 2.12.0 → 2.13.0) · Repo · Changelog

Release Notes

2.13.0

2.13.0 / 2021-12-10

Bug fixes

  • Loofah::HTML::DocumentFragment#text no longer serializes top-level comment children. [#221]

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

↗️ marcel (indirect, 1.0.1 → 1.0.2) · Repo

Release Notes

1.0.2

  • Include Apache license in gem release. (a525d5b)
  • Prefer audio/x-wav for WAV audio files. (#45)
  • Prefer application/x-x509-ca-cert for Privacy-Enhanced Mail certificates. (#46)
  • Prefer audio/flac for FLAC audio files. (#47)
  • Prefer audio/aac for Advanced Audio Coding audio files. (#49)
  • Prefer application/vnd.ms-access for Microsoft Access DB files. (#50)
  • Support text/x-scss and text/x-sass stylesheets. (#52)
  • Support encrypted Microsoft Access DB files. (#53)
  • Prefer application/x-ole-storage for Microsoft Office files. (#54)
  • Prefer text/markdown for Markdown files. (#55)
  • Prefer audio/mpc for Musepack audio files. (#56)
  • Support audio/webm audio files. (#58)
  • Support image/avif images files. (#63)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 34 commits:

↗️ mini_mime (indirect, 1.1.0 → 1.1.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 5 commits:

↗️ minitest (indirect, 5.14.4 → 5.15.0) · Repo · Changelog

Release Notes

5.15.0 (from changelog)

  • 1 major enhancement:

    • assert_throws returns the value returned, if any. (volmer)

  • 3 minor enhancements:

    • Added -S <CODES> option to skip reporting of certain types of output

    • Enable Ruby deprecation warnings by default. (casperisfine)

    • Use Etc.nprocessors by default in order to maximize cpu usage. (tonytonyjan)

  • 6 bug fixes:

    • Close then unlink tempfiles on Windows. (nobu)

    • Fixed #skip_until for windows paths. (MSP-Greg)

    • Fixed a bunch of tests for jruby and windows. (MSP-Greg)

    • Fixed marshalling of specs if they error. (tenderlove, jeremyevans, et al)

    • Updated deprecation message for block expectations. (blowmage)

    • Use Kernel.warn directly in expectations in case CUT defines their own warn. (firien)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 17 commits:

↗️ rails-html-sanitizer (indirect, 1.4.1 → 1.4.2) · Repo · Changelog

Release Notes

1.4.2

1.4.2 / 2021-08-23

  • Slightly improve performance.

    Assuming elements are more common than comments, make one less method call per node.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

↗️ railties (indirect, 6.1.4.1 → 6.1.4.4) · Repo · Changelog

Release Notes

6.1.4.4 (from changelog)

  • No changes.

6.1.4.3 (from changelog)

  • Allow localhost with a port by default in development

    [Fixes: #43864]

6.1.4.2 (from changelog)

  • No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

↗️ sprockets-rails (indirect, 3.2.2 → 3.4.2) · Repo · Changelog

Release Notes

3.4.2

What's Changed

  • Fix protocol relative URLs amended accidentally by @PikachuEXE in #485
  • Add assets.resolve_assets_in_css_urls configuration option to allow disabling AssetUrlProcessor by @rmacklin in #489

New Contributors

Full Changelog: v3.4.1...v3.4.2

3.4.1

What's Changed

  • expose dependencies from AssetUrlProcessor by @zarqman in #480
  • Fix issues with relative paths from AssetUrlProcessor by @jcoyne in #482
  • Fix sourcemapping url replacement by @dhh in #484

Full Changelog: v3.4.0...v3.4.1

3.4.0

What's Changed

  • Ensure source mapping URLs set by transpilers are not broken by appending a semicolon to their path and translate the paths to the digested versions for deployment by @dhh in #479

This makes sprockets-rails compatible out of the box with sourcemap generation from jsbundling-rails.

3.3.0

What's Changed

  • Process css files so that they get digested paths for asset files by @jcoyne in #476. This allows you to use sprockets-rails together with cssbundling-rails and be able to reference assets in the asset pipeline without additional compilation.
  • Raise the error that includes an error message by @ghiculescu in #472

Full Changelog: v3.2.2...v3.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 30 commits:

↗️ zeitwerk (indirect, 2.4.2 → 2.5.1) · Repo · Changelog

Release Notes

2.5.1 (from changelog)

  • Restores support for namespaces that are not hashable. For example, namespaces that override the hash method with a different arity, as shown in #188.

2.5.0 (from changelog)

Breaking changes

  • Requires Ruby 2.5.

  • Deletes the long time deprecated preload API. Instead of:

    loader.preload("app/models/user.rb")

    just reference the constant on setup:

    loader.on_setup { User }

    If you want to eager load a namespace, use the constants API:

    loader.on_setup do
      Admin.constants(false).each { |cname| Admin.const_get(cname) }
    end

Bug fixes

  • Fixes a bug in which a certain valid combination of overlapping trees managed by different loaders and ignored directories was mistakenly reported as having conflicting directories.

  • Detects external namespaces defined with Module#autoload. If your project reopens a 3rd party namespace, Zeitwerk already detected it and did not consider the namespace to be managed by the loader (automatically descends, ignored for reloads, etc.). However, the loader did not do that if the namespace had only an autoload in the 3rd party code yet to be executed. Now it does.

Callbacks

  • Implements Zeitwerk::Loader#on_setup, which allows you to configure blocks of code to be executed on setup and on each reload. When the callback is fired, the loader is ready, you can refer to project constants in the block.

    See the documentation for further details.

  • There is a new catch-all Zeitwerk::Loader#on_load that takes no argument and is triggered for all loaded objects:

    loader.on_load do |cpath, value, abspath|
      # ...
    end

    Please, remember that if you want to trace the activity of a loader, Zeitwerk::Loader#log! logs plenty of information.

    See the documentation for further details.

  • The block of the existing Zeitwerk::Loader#on_load receives also the value stored in the constant, and the absolute path to its corresponding file or directory:

    loader.on_load("Service::NotificationsGateway") do |klass, abspath|
      # ...
    end

    Remember that blocks can be defined to take fewer arguments than are passed, so this change is backwards compatible. If you had

    loader.on_load("Service::NotificationsGateway") do
      Service::NotificationsGateway.endpoint = ...
    end

    That works.

  • Implements Zeitwerk::Loader#on_unload, which allows you to configure blocks of code to be executed before a certain class or module gets unloaded:

    loader.on_unload("Country") do |klass, _abspath|
      klass.clear_cache
    end

    These callbacks are invoked during unloading, which happens in an unspecified order. Therefore, they should not refer to reloadable constants.

    It can also be called for all unloaded objects:

    loader.on_unload do |cpath, value, abspath|
      # ...
    end

    Please, remember that if you want to trace the activity of a loader, Zeitwerk::Loader#log! logs plenty of information.

    See the documentation for further details.

Assorted

  • Performance improvements.

  • Documentation improvements.

  • The method Zeitwerk::Loader#eager_load accepts a force flag:

    loader.eager_load(force: true)

    If passed, eager load exclusions configured with do_not_eager_load are not honoured (but ignored files and directories are).

    This may be handy for test suites that eager load in order to ensure all files define the expected constant.

  • Eliminates internal use of File.realpath. One visible consequence is that in logs root dirs are shown as configured if they contain symlinks.

  • When an autoloaded file does not define the expected constant, Ruby clears state differently starting with Ruby 3.1. Unloading has been revised to be compatible with both behaviours.

  • Logging prints a few new traces.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)
Go to the Depfu Dashboard to see the state of your dependencies and to customize how Depfu works.
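The Action Pack advisory quoted in the comment above says the affected applications are those whose allowed hosts carry a leading dot (Rails treats `.example.com` as the domain plus its subdomains). As an added pre-merge check, not code from Depfu, Rails or this repository, the script below pulls string literals fed to `config.hosts` out of environment config text, flags the leading-dot entries, and reports whether the locked rails version is still below the 6.1.4.4 this PR moves to. The config and Gemfile.lock snippets are constructed sample input; the function names are my own.

```ruby
# Added example (not part of the Depfu PR or the Rails advisory): audits
# allowed-host configuration for the leading-dot pattern the advisory names
# and compares the locked rails version against this PR's target version.
require "rubygems"

FIXED_RAILS = Gem::Version.new("6.1.4.4") # version this PR updates rails to

# Extract string literals fed to config.hosts, e.g.
#   config.hosts << ".example.com"
#   config.hosts = ["www.example.com", ".example.com"]
def allowed_hosts(config_source)
  hosts = []
  config_source.each_line do |line|
    next unless line =~ /config\.hosts\s*(<<|=|\.push|\.concat)/
    hosts.concat(line.scan(/["']([^"']+)["']/).flatten)
  end
  hosts
end

# Hosts with a leading dot are the configuration the advisory calls out.
def leading_dot_hosts(hosts)
  hosts.select { |h| h.start_with?(".") }
end

# Locked rails version from a Gemfile.lock specs line ("    rails (6.1.4.1)").
def locked_rails_version(lockfile)
  m = lockfile.match(/^\s{4}rails \(([\d.]+)\)/)
  m && Gem::Version.new(m[1])
end

# Summarises exposure: the dotted hosts found and whether the lock still
# pins a rails older than the fixed release (unknown version counts as old).
def audit(config_source, lockfile)
  dotted = leading_dot_hosts(allowed_hosts(config_source))
  version = locked_rails_version(lockfile)
  needs_upgrade = version.nil? || version < FIXED_RAILS
  { dotted_hosts: dotted, rails: version&.to_s,
    exposed: !dotted.empty? && needs_upgrade }
end

# Constructed sample input mirroring the configuration in the advisory.
SAMPLE_CONFIG = <<~RUBY
  config.hosts << '.EXAMPLE.com'
  config.hosts << "www.example.com"
RUBY
SAMPLE_LOCK = "    rails (6.1.4.1)\n" # constructed Gemfile.lock fragment

p audit(SAMPLE_CONFIG, SAMPLE_LOCK) if __FILE__ == $0
```

Run it against the real `config/environments/*.rb` and `Gemfile.lock` contents; `exposed: true` means the upgrade in this PR (or the vendor patch for the series) is what closes the finding.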

@depfu
Contributor Author

depfu bot commented Feb 11, 2022

Closed in favor of #201.

@depfu depfu bot closed this Feb 11, 2022
@depfu depfu bot deleted the depfu/update/group/rails-6.1.4.4 branch February 11, 2022 22:30
