🚨 [security] Upgrade all of rails: 5.1.7 → 5.2.4.3 (minor)

[depfu]

---

🚨 Your version of activesupport has known security vulnerabilities 🚨

Advisory: CVE-2020-8165
Disclosed: May 18, 2020
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the raw: true parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:

data = cache.fetch("demo", raw: true) { untrusted_string }

Versions Affected: rails < 5.2.5, rails < 6.0.4
Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the raw option when storing untrusted user input.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.

In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling Rails.cache.fetch they are using consistent values of the raw parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.

Workarounds

It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
the raw argument should be double-checked to ensure that they conform to the expected format.

🚨 We recommend to merge and deploy this update as soon as possible! 🚨

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ nokogiri (1.10.2 → 1.10.9) · Repo · Changelog

Release Notes

1.10.9

More info than we can show here.

1.10.8

More info than we can show here.

1.10.7

More info than we can show here.

1.10.6

More info than we can show here.

1.10.5

More info than we can show here.

1.10.4

More info than we can show here.

1.10.3

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 40 commits:

• version bump to v1.10.9
• update CHANGELOG
• Change return type to RubyArray
• update CHANGELOG for #1985
• Work around a bug in libxml2
• version bump to v1.10.8
• update CHANGELOG for v1.10.8
• remove patches from the hoe Manifest
• update to use rake-compiler ~1.1.0
• backport libxml2 patch for CVE-2020-7595
• version bump to v1.10.7
• update CHANGELOG
• Fix the patch from #1953 to work with both `git` and `patch`
• Fix typo in generated metadata
• add gem metadata
• version bump to v1.10.6
• update CHANGELOG
• Add a patch to fix libxml2.la's path
• add security note to CHANGELOG
• version bump to v1.10.5
• update CHANGELOG
• dependency: update libxslt to 1.1.34 final
• dependency: update libxml to 2.9.10 final
• add suppressions for ruby 2.7
• update CHANGELOG with correct release date for v1.10.4
• update rake-compiler commands to install bundler
• version bump to v1.10.4
• Merge branch '1915-css-tokenizer-load-file-vulnerability_v1.10.x' into v1.10.x
• update CHANGELOG
• regenerate lexical scanner using rexical 1.0.7
• eliminate `eval` from Builder#initialize
• rufo formatting
• rubocop security scan is run as part of the `test` rake target
• add rubocop as a dev dependency
• adding a temporary pipeline for v1.10.x
• version bump to v1.10.3
• Merge pull request #1898 from sparklemotion/1892-libxslt-patch-for-usn-3947
• Backport libxslt patch for CVE-2019-11068
• Merge branch 'concourse-icons'
• ci: add icons to concourse resources

✳️ rails (5.1.7 → 5.2.4.3) · Repo

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

5.2.3

More info than we can show here.

5.2.2

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actioncable (indirect, 5.1.7 → 5.2.4.3) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

5.2.3

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionmailer (indirect, 5.1.7 → 5.2.4.3) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

5.2.3

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionpack (indirect, 5.1.7 → 5.2.4.3) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

5.2.3

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionview (indirect, 5.1.7 → 5.2.4.3) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

5.2.3

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activejob (indirect, 5.1.7 → 5.2.4.3) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

5.2.3

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activemodel (indirect, 5.1.7 → 5.2.4.3) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

5.2.3

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activerecord (indirect, 5.1.7 → 5.2.4.3) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

5.2.3

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activesupport (indirect, 5.1.7 → 5.2.4.3) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

5.2.3

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ arel (indirect, 8.0.0 → 9.0.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 52 commits:

• Prepare for 9.0.0
• Merge pull request #501 from abelards/patch-1
• Merge pull request #502 from kddeisz/count-math
• Allow count nodes to have math functions
• Update README.md
• Merge pull request #500 from jcoleman/fix_incorrect_typecasting_of_raw_sql_strings
• Type-castable attributes should not try to cast SqlLiteral nodes
• Merge pull request #496 from amatsuda/froms_to_nowhere
• Merge pull request #499 from jgraichen/jg/cte-bindparams
• Support BindParams in subqueries
• Merge pull request #498 from yhirano55/update_travis
• Update .travis.yml
• Unused variables
• Merge pull request #495 from koic/add_required_ruby_version_to_gemspec
• Update travis.yml
• Add required_ruby_version to gemspec
• Merge pull request #494 from koic/remove_encoding_utf8_magic_comment
• Remove encoding utf-8 magic comment
• Merge pull request #493 from gaurish/patch-1
• Remove Unused variable - offset_bind
• Merge pull request #492 from mikaji/ci_against_2.4.1
• Merge pull request #491 from yahonda/follow_up_add_bind_for_oracle_visitor
• CI against 2.4.1
• Address `undefined method `value_for_database'` in Oracle visitor
• Change the verison to 9.0.0.alpha
• Merge pull request #490 from MaxLap/fix_nodes_hash_eql_eqeq
• Add missing hash, eql?, == to various node classes
• Merge pull request #489 from kamipo/remove_unused_bind_values
• Remove unused `bind_values`
• Fix test failures
• Adjust `BindParam` as needed for AR
• Add a collector to grab the bind values off the AST
• Ensure `ToSql` collector returns a UTF-8 string
• Refactor `substitute_binds` to perform substitution immediately
• Add a value field `Nodes::BindParam`
• Rename `Collectors::Bind`
• Merge pull request #484 from kirs/multiple-insert-v2
• Merge pull request #472 from film42/master
• Test concurrency of visitor superclass fallback
• Support INSERT with multiple values
• Merge pull request #483 from kamipo/remove_unused_engine
• Add regression test
• Revert "Merge pull request #482 from kirs/multiple-insert"
• Merge pull request #482 from kirs/multiple-insert
• Remove unused `engine`
• Support multiple inserts
• Merge pull request #475 from PedroSena/chainable-insert
• Made InsertManager#insert chainable
• Merge pull request #474 from JaKXz/patch-1
• docs(distinct): tweaks [skip ci]
• docs(distinct): fix distinct example [skip ci]
• docs: add distinct to README

↗️ builder (indirect, 3.2.3 → 3.2.4) · Repo · Changelog

↗️ concurrent-ruby (indirect, 1.1.5 → 1.1.6) · Repo · Changelog

Release Notes

1.1.6 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ crass (indirect, 1.0.4 → 1.0.6) · Repo · Changelog

Release Notes

1.0.6

More info than we can show here.

1.0.5

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

• Release 1.0.6
• Limit number values to a sensible range
• Update history
• Add project metadata to the gemspec
• Release 1.0.5
• Remove test files and omit them
• Remove 1.9.3 from the test matrix
• Update Travis test matrix

↗️ erubi (indirect, 1.8.0 → 1.9.0) · Repo · Changelog

Release Notes

1.9.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

• Bump version to 1.9.0
• Change default :bufvar from 'String.new' to '::String.new' to work with BasicObject
• Try to get Travis passing
• Use minitest-global_expecations in tests to avoid deprecation issues with minitest 5.12
• Test JRuby 9.2 on Travis
• Test on TruffleRuby on Travis
• CI: Add Ruby 2.6 to the matrix

↗️ i18n (indirect, 1.6.0 → 1.8.2) · Repo · Changelog

Release Notes

1.8.2

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 65 commits:

• Bump to 1.8.2
• Fix regression introduced by b7f69f78
• Add pry to Gemfile
• Expand post-install message to clarify for new apps
• Bump to 1.8.1
• Merge pull request #508 from ruby-i18n/revert-499-chain-fallback-backends
• Revert "Chain fallback backends"
• Bump to 1.8.0
• Merge pull request #499 from vipera/chain-fallback-backends
• Bump to 1.7.1
• Merge pull request #503 from CrAsH1101/preserve-count-option
• Add test for preserving count option
• Merge pull request #505 from peterberkenbosch/update-readme-with-gh-workflow-badge
• Replace TravisCI badge with GH Actions badge
• Merge pull request #504 from ruby-i18n/bump-ruby-rails
• :wave: Travis CI :cry:
• Ignore Ruby 2.3.8 + Rails 6.0.x
• Correct Rails version number
• Correct more ruby versions
• Use actions/checkout@v2
• Ignore Rails 6.0.0 + Ruby 2.4
• Specify exact versions for eregon/use-ruby-action
• Use eregon/use-ruby-action for Ruby 2.7, 2.3 + JRuby support
• Undo required_ruby_version bump
• Add missing Gemfile
• Fail slowly
• Bump Ruby + Rails versions
• Merge pull request #501 from alchimere/add-user-friendly-comment-on-translate-kwargs
• Add comment on kwargs to avoid new people open issues like #500
• Preserve count option
• I18n::Backend::Chain#translations fallback merge
• Use activesupport implementation of Hash#deep_merge!
• Merge pull request #495 from ghiculescu/pluralization_fallback_test
• Add tests for existing behavior
• Merge pull request #480 from Tietew/exclude-count-on-retrieve-link
• Add JRuby to build pipeline
• Add Ruby 2.3 to Ruby pipeline
• One i in gemfile
• Exclude Ruby 2.4.x + Rails master Gemfile build
• Update ruby.yml
• Update ruby.yml
• Exclude :count option on retrieve link
• Bump to 1.7.0
• Merge pull request #491 from ruby-i18n/pipe-interpolation
• Allow pipes in interpolations
• Merge pull request #486 from amatsuda/kwargs_2.7
• Merge pull request #487 from amatsuda/https
• Keyword arguments have to be explicitly double-splatted in Ruby 2.7+
• GitHub is https by default
• Merge pull request #488 from amatsuda/reduce_allocations
• Merge pull request #489 from lbraun/fix-typos
• Fix typos
• No need to dup before creating another Hash instance via Hash#reject
• Merge pull request #483 from hsbt/remove-rubyforge
• Removed rubyforge_project from gemspec. Because rubyforge was EOL.
• Merge pull request #481 from ahorek/public
• #include is public since ruby 2.1
• Merge pull request #476 from TaigaMikami/master
• Fix typo :)
• Merge pull request #475 from KaanOzkan/raise-disabled
• Raise disabled during boot inside fallback
• Merge pull request #470 from gburgett/patch-1
• Merge branch 'master' into patch-1
• Use each_with_object and more descriptive names
• Update spec for new behavior of chain backend

↗️ loofah (indirect, 2.2.3 → 2.5.0) · Repo · Changelog

Release Notes

2.5.0 (from changelog)

More info than we can show here.

2.4.0

More info than we can show here.

2.3.1

More info than we can show here.

2.3.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ method_source (indirect, 0.9.2 → 1.0.0) · Repo

Commits

See the full diff on Github. The new version differs by 17 commits:

• Merge pull request #64 from banister/release-1-0-0
• Release v1.0.0
• Merge pull request #63 from banister/travis-removal
• Test solely on CircleCI, remove Travis
• Merge pull request #62 from banister/circleci
• Test on CircleCI
• Merge pull request #61 from jasonkarns/patch-1
• More closely match MIT License text verbatim
• Merge pull request #59 from casperisfine/fix-ruby-2.7
• Test against Ruby 2.7 on CI
• Handle new message for unterminated lists on MRI 2.7
• Merge pull request #60 from casperisfine/fix-ci
• Fix ruby warning in spec_helper
• Add MRI 2.5 and 2.6
• Fix CI build
• Merge pull request #56 from nisusam/fix_documentation_link
• Fix `documentation` link

↗️ mini_mime (indirect, 1.0.1 → 1.0.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 13 commits:

• Changelog and prepare for release
• FEATURE: update for latest parity with mime types data
• Remove unsupported rubies from travis test matrix
• relax bundler version
• Update benchmark in readme
• Add gems to Gemfile for bench script
• Allow custom db paths
• Update benchmark
• Test on Ruby 2.5 and Ruby 2.6
• Merge pull request #16 from Aqualon/readme_improvements
• Fix some typos/whitespace
• Fix link to bench.rb
• bump cache on travis

↗️ minitest (indirect, 5.11.3 → 5.14.1) · Repo · Changelog

Release Notes

5.14.0 (from changelog)

More info than we can show here.

5.13.0 (from changelog)

More info than we can show here.

5.12.2 (from changelog)

More info than we can show here.

5.12.1 (from changelog)

More info than we can show here.

5.12.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

↗️ nio4r (indirect, 2.3.1 → 2.5.2) · Repo · Changelog

Release Notes

2.5.2 (from changelog)

More info than we can show here.

2.4.0 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 67 commits:

• Fix error: use of undeclared identifier 'EV_USE_LINUXAIO'.
• RuboCop...........
• Bump version.
• Replace usage of `long` with `size_t` in memory allocation functions.
• Fix `ev_backend_poll` so that it doesn't generate warnings.
• Detect aio_abi.h and define EV_USE_LINUXAIO if present.
• Add project metadata to the gemspec
• Update README.md
• Bump version.
• Add missing closing ')' on assert call in ev_port.c
• Add notes about release process.
• Update license details.
• Report supported backends and current backend.
• Bump version.
• Test empty selector timeout.
• Update to libev-4.27.
• Merge pull request #219 from Jesus/master
• Adds Puma to the list of projects using nio4r
• Allow calling `deregister` on closed IO objects (#217)
• Travis -add testing on OpenSSL 1.0.1 (trusty) & 1.1.1 (bionic & osx) [skip appveyor]
• Update `CHANGES.md` and `README.md`.
• Enable KQUEUE on macOS 10.14+.
• Don't freeze strings in file with `frozen_string_literal`.
• Bump minimum supported Ruby to 2.3.
• Update travis config.
• Set TRUFFLERUBY_RECOMPILE_OPENSSL to workaround OpenSSL issues
• monitor.rb :nodoc => :nodoc: [skip ci]
• Skip IO.try_convert in ruby code for SSL Sockets
• Split some OpenSSL specs into TLSv1.2 and TLSv1.3
• .gitignore - add .rspec_status [skip ci]
• appveyor.yml - update with Ruby x64 - 2.5, 2.6, & head/trunk
• Bump version.
• Restore piratey patches.
• Use `struct ev_loop` in `selector.c`.
• Use `struct ev_loop`.
• Update libev to v4.25.
• Doesn't seem like gem/bundler update is required.
• Run truffleruby with NIO4R_PURE.
• Skip SSL spec on JRuby because the socket isn't readable for some reason.
• Fix rubocop.
• Don't invoke `monitor.close` after related IO has already been closed.
• Prefer generic latest stable jruby in travis config.
• Java Extension: use at least Java 1.8, avoid warnings
• Travis: update to jruby-9.2.5.0 (#197)
• Don't allow 2.6 to fail.
• Fix trailing whitespace.
• Increase and embed select precision on a per-test basis.
• Simplify rubocop usage.
• Remove Ruby 2.2 since it's no longer supported by bundler.
• Try reverting select timeout.
• Try to detect unwritable OpenSSL socket.
• Fix rubocop.
• Remove pending check since it appears to be unnecessary.
• Merge pull request #200 from boutil/patch-1
• Fix travis os: name.
• Simplify travis build matrix.
• Rework port allocation and selector timeouts. Fixes #184.
• allow failures for Ruby 2.6 for now
• Merge pull request #199 from boutil/master
• Increase size of RSA keys to 2048 bits
• Update travis config, add support for truffleruby.
• Merge pull request #192 from junaruga/feature/doc-ruby-2.5
• Merge pull request #191 from junaruga/feature/travis-update
• Add Ruby 2.5 to supported platforms.
• Update Rubies to the latest version on Travis CI.
• Merge pull request #190 from olleolleolle/patch-4
• Travis: jruby-9.2.0.0

↗️ rack (indirect, 2.0.6 → 2.2.2) · Repo · Changelog

Release Notes

2.2.2 (from changelog)

More info than we can show here.

2.2.1 (from changelog)

More info than we can show here.

2.2.0 (from changelog)

More info than we can show here.

2.1.2 (from changelog)

More info than we can show here.

2.1.1 (from changelog)

More info than we can show here.

2.1.0 (from changelog)

More info than we can show here.

2.0.8 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rails-html-sanitizer (indirect, 1.0.4 → 1.3.0) · Repo · Changelog

Release Notes

1.3.0

More info than we can show here.

1.2.0

More info than we can show here.

1.1.0

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 30 commits:

• v1.3.0
• Merge pull request #102 from orien/gem-metadata
• Add project metadata to the gemspec
• Match Loofah's API changes.
• Prepare 1.2.0
• Remove needless white list sanitizer deprecations
• Merge pull request #96 from olleolleolle/patch-1
• CI: Drop unused sudo: false Travis directive
• Merge pull request #95 from rwojnarowski/patch-1
• Deprecated warning text, missing space
• Prepare version 1.1.0
• Merge pull request #91 from JuanitoFatas/doc/scrubbers
• Merge pull request #92 from JuanitoFatas/link-sanitizer
• Improve LinkSanitizer's documentation
• href is not a HTML element
• Improve Scrubber documentations
• Merge pull request #87 from JuanitoFatas/migrate-to-safelist
• Migrate to SafeListSanitizer
• Merge pull request #90 from JuanitoFatas/jf.fix-tests
• Update test behavior for Nokogiri > 1.9.1.
• Merge pull request #89 from JuanitoFatas/rubies
• Merge pull request #88 from JuanitoFatas/jf.relax-bundler-dependency
• Update Ruby version matrix on CI
• Use a inclusive Bundler version
• Merge pull request #86 from tebs/fix-documentation-link
• Fix Nokogiri link in documentation
• [ci skip] Please don't send more PRs trying to bump Loofah.
• Merge pull request #71 from nicolasleger/patch-1
• [CI] Allow failure with ruby head
• [CI] Test against Ruby 2.5

↗️ railties (indirect, 5.1.7 → 5.2.4.3) · Repo · Changelog

Release Notes

5.2.4.1

More info than we can show here.

5.2.4

More info than we can show here.

5.2.3

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rake (indirect, 12.3.2 → 12.3.3) · Repo · Changelog

Release Notes

12.3.3 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

• Bump version to 12.3.3.
• Use File.open explicitly.
• Merge pull request #317 from ruby/ignore-gitignore
• Removed gitignore from gemspec files.
• Merge pull request #309 from RDIL/patch-1
• Remove deprecated travis ci option
• Merge pull request #307 from ruby/azure-pipelines
• Only enabled macOS environment
• use realpath
• Do not specify ruby version of macOS
• Ignore matrix build for macOS
• Rename
• Removed non supported versions.
• Extracted ruby versions for matrix
• Added missing vmImage
• Applied matrix build for the multiple platforms.
• Set up CI with Azure Pipelines
• Merge pull request #305 from aycabta/use-2.6.1
• Use Ruby 2.6.1
• Merge pull request #303 from tmatilai/app-name-in-error
• Use the application's name in error message if a task is not found
• Merge pull request #301 from ruby/colby/update-rubocop
• fix outstanding rubocop warnings
• Merge pull request #300 from ruby/colby/add-ruby-2.6
• Add ruby 2.6.0 to .travis.yml

↗️ tzinfo (indirect, 1.2.5 → 1.2.7) · Repo · Changelog

Release Notes

1.2.7

More info than we can show here.

1.2.6

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 46 commits:

• Improve grammar.
• Preparing v1.2.7.
• Update to Ruby 2.7.1.
• Revert to Ruby 2.4.9 and 2.7.0.
• Update to Ruby 2.4.10, 2.5.8, 2.6.6, 2.7.1 and JRuby 9.2.11.1.
• Use shields.io for badges.
• Update copyright years.
• Add a build status badge for AppVeyor.
• Replace broken links.
• Use https for links where available.
• Update to JRuby 9.2.11.0.
• Merge pull request #112.
• Test for just the non-existence of #untaint.
• Fix comments relating to taint/untaint removal.
• Don't rely on lexicographic version comparisons.
• Fix test failures on Ruby 1.8.7.
• Fix erroneous 'wrong number of arguments' errors on JRuby 9.0.5.0.
• `$VERBOSE = false` won't be worked since `rb_warning` is changed to `rb_warn`
• Update to Ruby 2.7.0.
• Update copyright years.
• Preparing v1.2.6.
• Replace expired gem signing certificate.
• Fix a comment.
• Ruby Enterprise Edition requires older versions of RubyGems and Bundler.
• Fix block not being called by RubyCoreSupport.open_file on JRuby 9.2.
• Revert "Try and fix an incorrect rake version being picked with JRuby 1.7."
• Try and fix an incorrect rake version being picked with JRuby 1.7.
• Convert to UNIX line endings.
• Simplify minitest version constraint.
• Update to Ruby v2.7.0-rc2.
• Run CI tests on Windows with AppVeyor.
• Enable verbose test output.
• Update Travis CI Ruby versions.
• Prevent bundler from attempting to use version minitest v5.12.0.
• Allow newer versions of Rake that fix warnings with Ruby 2.7.
• Eliminate a warning when calling File.open with keyword arguments.
• Suppress deprecation warnings due to Object#untaint on Ruby 2.7.
• Fix test failures on Ruby 1.8.7 caused by DateTime issues.
• Remove the unused REQUIRE_PATH constant from RubyDataSource.
• Fix SecurityErrors when loading data in safe mode.
• Test that RUBY_ENGINE is defined.
• Skip tests that fail due to Ruby bug 14060 on Ruby 2.4.4.
• Update to the latest Ruby, JRuby and Rubinius releases.
• Fix a documentation typo.
• Return the correct seconds since the epoch value for strftime with %s.
• Restrictions on timezones only apply to older (pre-1.9) Ruby releases.

↗️ websocket-driver (indirect, 0.6.5 → 0.7.1) · Repo · Changelog

Release Notes

0.7.1 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 31 commits:

• Bump version to 0.7.1
• Change markdown formatting of docs.
• Remove a redundant statement from the Hybi setup code.
• Fail a draft-76 connection of a header does not contain any digits.
• Depend on Rake < 12.3 if we're running on Ruby < 2.0.
• Reformat the C and Java native extension modules.
• Fix an uninitialised variable warning.
• Update Travis target versions.
• Switch license to Apache 2.0.
• Test on Ruby 2.5.0.
• I think you have to use jruby-head instead of jruby-9 now.
• Bump the Ruby versions for Travis.
• If any header used by Hybi is present, then pick Hybi, and likewise for Draft76. This means the driver is more likely to pick Hybi and report likely combinations of malformed headers as errors to the client.
• If any driver encounters a validation error in the request headers, it can throw an error and Driver#start will catch that and send a 400 response to the client.
• Fix the version of Rubygems that Travis is using on Ruby 1.9.
• Bump version to 0.7.0.
• Refactor the client examples, and get the TCPSocket one into a runnable state so it can be run from the command line with a URI.
• Don't require rubygems, this has not been necessary since Ruby 1.8.
• Merge pull request #53 from izwick-schachter/master
• Added TCPSocket client example
• Rename tcp_server.rb to em_server.rb.
• Add an example EventMachine client.
• Flesh out the docs for the new ping/pong events.
• Make the ping/pong tests check the content of the events.
• Emit ping and pong events after all other effects of those frames have been carried out.
• Merge pull request #51 from ably-forks/support-ping-in-event-emitter
• Update Ruby versions in Travis config.
• Update docs to reflect ping & pong events
• Emit :ping and :pong events in the driver
• Merge pull request #50 from junaruga/feature/travis-ruby-head
• Update Ruby 2.3, 2.4 to latest version on Travis.

↗️ websocket-extensions (indirect, 0.1.3 → 0.1.4) · Repo · Changelog

Release Notes

0.1.4 (from changelog)

More info than we can show here.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

• Bump version to 0.1.4
• Change markdown formatting of docs.
• Fix deprecation warning about =~ being called on TrueClass.
• Fix RSpec warnings about raise_error with no arguments.
• Update Travis target versions.
• Switch license to Apache 2.0.
• Test on Ruby 2.5.0.

🆕 activestorage (added, 5.2.4.3)

🆕 marcel (added, 0.3.3)

🆕 mimemagic (added, 0.3.5)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #257.