🚨 [security] Update rails 7.1.4.1 → 7.1.5.1 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (7.1.4.1 → 7.1.5.1) · Repo

Release Notes

7.1.5.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Add validation to content security policies to disallow spaces and semicolons.
  Developers should use multiple arguments, and different directive methods instead.

  [CVE-2024-54133]

  Gannon McGibbon

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• Update vendored trix version to 2.1.10

  John Hawthorn

Railties

• No changes.

Guides

• No changes.

7.1.5

Active Support

• No changes.

Active Model

• Fix regression in alias_attribute to work with user defined methods.

  alias_attribute would wrongly assume the attribute accessor was generated by Active Model.

  class Person
    include ActiveModel::AttributeMethods
  define_attribute_methods :name
  
  attr_accessor :name
  alias_attribute :full_name, :name
  
  end
  person.full_name # => NoMethodError: undefined method `attribute' for an instance of Person

  Jean Boussier

Active Record

• Fix marshalling of unsaved associated records in 7.1 format.

  The 7.1 format would only marshal associated records if the association was loaded.
  But associations that would only contain unsaved records would be skipped.

  Jean Boussier

• Fix an issue where .left_outer_joins used with multiple associations that have
  the same child association but different parents does not join all parents.

  Previously, using .left_outer_joins with the same child association would only join one of the parents.

  Now it will correctly join both parents.

  Fixes #41498.

  Garrett Blehm

• Ensure ActiveRecord::Encryption.config is always ready before access.

  Previously, ActiveRecord::Encryption configuration was deferred until ActiveRecord::Base
  was loaded. Therefore, accessing ActiveRecord::Encryption.config properties before
  ActiveRecord::Base was loaded would give incorrect results.

  ActiveRecord::Encryption now has its own loading hook so that its configuration is set as
  soon as needed.

  When ActiveRecord::Base is loaded, even lazily, it in turn triggers the loading of
  ActiveRecord::Encryption, thus preserving the original behavior of having its config ready
  before any use of ActiveRecord::Base.

  Maxime Réty

• Add TimeZoneConverter#== method, so objects will be properly compared by
  their type, scale, limit & precision.

  Address #52699.

  Ruy Rocha

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

Guides

• No changes.

7.1.4.2

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• Fix NoMethodError in block_format helper

  Michael Leimstaedtner

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

Guides

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ nokogiri (1.17.1 → 1.17.2) · Repo · Changelog

Release Notes

1.17.2

v1.17.2 / 2024-12-12

Fixed

• [JRuby] Fixed an issue where Node#dup when called with the new_parent_doc parameter was not decorating the node with the document's Node decorators. [#3372] @flavorjones

sha256 checksums

585c8cac6380848b7973bacfd0584628d116810e5f209db25e22d0c32313e681  nokogiri-1.17.2-aarch64-linux.gem
0c5eb06ba1c112d33c2bb29973b07e2f21c4ddb66c67c9386fd97ff1c5d84686  nokogiri-1.17.2-arm64-darwin.gem
3d033ad9b09d5b8a203f0f2156053e93a9327a9c7887c0ceb9fa78c71d27280d  nokogiri-1.17.2-arm-linux.gem
75825401f59b1a8746ee8ce5d066c8f11e745642e36a4452e206730b03d1fd8c  nokogiri-1.17.2.gem
ffe1fc1353f831793260b3023f575b4ed2e6144404947c57ad37ad932f9adb94  nokogiri-1.17.2-java.gem
da29e3d6add44bfc0bec8b9d4c7c660b38c7fc16ef505313839e07c3358d1059  nokogiri-1.17.2-x64-mingw32.gem
2bb710109d52f1209ea013c1f9603cd24271a9f22d387c0c45fced62945b4a30  nokogiri-1.17.2-x64-mingw-ucrt.gem
dc5977eb3416e1d501b22b0ed4737bf7604121491405865b887975eacfb3e896  nokogiri-1.17.2-x86_64-darwin.gem
e8614ae8d776bd9adb535ca814375e7ae05d7cfa6aa01909e561484f6d70be0b  nokogiri-1.17.2-x86_64-linux.gem
8c4dd75e35810bdeb7c74943f383ca665baf6aed8fc2b78c1d305094a72794aa  nokogiri-1.17.2-x86-linux.gem
9038e8b59e2eb48feb18f0efb093bd21a19d0eb17eed822a155b2a6860381702  nokogiri-1.17.2-x86-mingw32.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actioncable (indirect, 7.1.4.1 → 7.1.5.1) · Repo · Changelog

Release Notes

7.1.5.1 (from changelog)

• No changes.

7.1.5 (from changelog)

• No changes.

7.1.4.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionmailbox (indirect, 7.1.4.1 → 7.1.5.1) · Repo · Changelog

↗️ actionmailer (indirect, 7.1.4.1 → 7.1.5.1) · Repo · Changelog

Release Notes

7.1.5.1 (from changelog)

• No changes.

7.1.5 (from changelog)

• No changes.

7.1.4.2 (from changelog)

• Fix NoMethodError in block_format helper

  Michael Leimstaedtner

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionpack (indirect, 7.1.4.1 → 7.1.5.1) · Repo · Changelog

Security Advisories 🚨

🚨 Possible Content Security Policy bypass in Action Dispatch

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

Release Notes

7.1.5.1 (from changelog)

• Add validation to content security policies to disallow spaces and semicolons. Developers should use multiple arguments, and different directive methods instead.

  [CVE-2024-54133]

  Gannon McGibbon

7.1.5 (from changelog)

• No changes.

7.1.4.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actiontext (indirect, 7.1.4.1 → 7.1.5.1) · Repo · Changelog

Release Notes

7.1.5.1 (from changelog)

• Update vendored trix version to 2.1.10

  John Hawthorn

7.1.5 (from changelog)

• No changes.

7.1.4.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionview (indirect, 7.1.4.1 → 7.1.5.1) · Repo · Changelog

Release Notes

7.1.5.1 (from changelog)

• No changes.

7.1.5 (from changelog)

• No changes.

7.1.4.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activejob (indirect, 7.1.4.1 → 7.1.5.1) · Repo · Changelog

Release Notes

7.1.5.1 (from changelog)

• No changes.

7.1.5 (from changelog)

• No changes.

7.1.4.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activemodel (indirect, 7.1.4.1 → 7.1.5.1) · Repo · Changelog

Release Notes

7.1.5.1 (from changelog)

• No changes.

7.1.5 (from changelog)

• Fix regression in alias_attribute to work with user defined methods.

  alias_attribute would wrongly assume the attribute accessor was generated by Active Model.

  class Person
  include ActiveModel::AttributeMethods

  define_attribute_methods :name
  attr_accessor :name

  alias_attribute :full_name, :name
  end

  person.full_name # => NoMethodError: undefined method `attribute' for an instance of Person

  Jean Boussier

7.1.4.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activerecord (indirect, 7.1.4.1 → 7.1.5.1) · Repo · Changelog

Release Notes

7.1.5.1 (from changelog)

• No changes.

7.1.5 (from changelog)

• Fix marshalling of unsaved associated records in 7.1 format.

  The 7.1 format would only marshal associated records if the association was loaded. But associations that would only contain unsaved records would be skipped.

  Jean Boussier

• Fix an issue where .left_outer_joins used with multiple associations that have the same child association but different parents does not join all parents.

  Previously, using .left_outer_joins with the same child association would only join one of the parents.

  Now it will correctly join both parents.

  Fixes #41498.

  Garrett Blehm

• Ensure ActiveRecord::Encryption.config is always ready before access.

  Previously, ActiveRecord::Encryption configuration was deferred until ActiveRecord::Base was loaded. Therefore, accessing ActiveRecord::Encryption.config properties before ActiveRecord::Base was loaded would give incorrect results.

  ActiveRecord::Encryption now has its own loading hook so that its configuration is set as soon as needed.

  When ActiveRecord::Base is loaded, even lazily, it in turn triggers the loading of ActiveRecord::Encryption, thus preserving the original behavior of having its config ready before any use of ActiveRecord::Base.

  Maxime Réty

• Add TimeZoneConverter#== method, so objects will be properly compared by their type, scale, limit & precision.

  Address #52699.

  Ruy Rocha

7.1.4.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activestorage (indirect, 7.1.4.1 → 7.1.5.1) · Repo · Changelog

Release Notes

7.1.5.1 (from changelog)

• No changes.

7.1.5 (from changelog)

• No changes.

7.1.4.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activesupport (indirect, 7.1.4.1 → 7.1.5.1) · Repo · Changelog

Release Notes

7.1.5.1 (from changelog)

• No changes.

7.1.5 (from changelog)

• No changes.

7.1.4.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ irb (indirect, 1.14.1 → 1.14.2) · Repo

Release Notes

1.14.2

What's Changed

✨ Enhancements

• Change default completor from regexp to type-completor if RUBY_VERSION>=3.4 by @tompng in #1010

🐛 Bug Fixes

• Use correct binding in debug mode by @tompng in #1007
• Remove bignum check from save_history by @tompng in #1018
• Always use alternate sceen on alt-d by @tompng in #988
• Suppress "literal string will be frozen in the future" warning by @tikkss in #1019
• Fix indentation of xstring literal by @tompng in #1038
• Prevent cursor flickering in dancing ruby by @ima1zumi in #1041
• Don't show 'Maybe IRB bug!' in show_source and ls command by @tompng in #1039
• Page the output in irb:rdbg sessions too by @st0012 in #1043

📚 Documentation

• Improve Debugging with IRB section to make it easier to get started by @st0012 in #1015
• Complete the missing documentation abount the environment variables by @kyanagi in #1028

🛠 Other Changes

• Hash#inspect style has changed in ruby 3.4 by @nobu in #1011
• Change debug test workaround to use ENV RUBY_DEBUG_TEST_UI by @tompng in #1014
• History refactors by @eval in #1013
• Document infinite history by @eval in #1012
• Make rendering test faster using updated yamatanooroti by @tompng in #1001
• Fix rendering test broken by conflict by @tompng in #1016
• Update setup/ruby used in gh-pages workflow because it is failing on ci by @tompng in #1017
• Improve history test's encoding setting by @monkeyWzr in #1022
• On Windows, Process.kill(:TERM) is not supported. by @YO4 in #1026
• Correct ja/help-message for --context-mode and --prompt by @kyanagi in #1029
• Prevent a warning: ambiguous / by @hsbt in #1030
• Don't use delegator to install helper methods to main object by @tompng in #1031
• Follow-up refactor of #1031 by @st0012 in #1034
• Store method objects in constants by @st0012 in #1033
• Extract truffleruby workflow by @st0012 in #1035
• Bump version to v1.14.2 by @st0012 in #1045

New Contributors

• @eval made their first contribution in #1013
• @tikkss made their first contribution in #1019

Full Changelog: v1.14.1...v1.14.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ net-imap (indirect, 0.5.1 → 0.5.2) · Repo

Release Notes

0.5.2

What's Changed

Added

• 🥅 Raise ArgumentError on multiple search charset args by @nevans in #363
• ✨ Add keyword argument for search charset by @nevans in #364
• ✨ Add basic ESEARCH support (RFC4466, RFC4731) by @nevans in #333

Fixed

• 🐛 Return empty SearchResult for no search result by @nevans in #362

Documentation

• 📚 Fix README example by @nevans in #354
• 📦📚 Add release.yml for better release note generation by @nevans in #355
• 📚💄 Fix rdoc 6.8 CSS styles by @nevans in #356
• 📚 Update IMAP#search docs (again) by @nevans in #360
• 📚 Consistent heading levels inside method rdoc by @nevans in #361

Other Changes

• ✨ Add Data polyfill for ruby 3.1 by @nevans in #352
• ♻️ Refactor internal command data classes by @nevans in #358

Miscellaneous

• 🔥 Drop YAML.unsafe_load_file refinement (tests only) by @nevans in #353
• ⬆️ Bump step-security/harden-runner from 2.10.1 to 2.10.2 by @dependabot in #357
• Enabled windows-latest on GHA by @hsbt in #359

Full Changelog: v0.5.1...v0.5.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ psych (indirect, 5.2.1 → 5.2.2) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rails-html-sanitizer (indirect, 1.6.1 → 1.6.2) · Repo · Changelog

Release Notes

1.6.2

v1.6.2 / 2024-12-12

• PermitScrubber fully supports frozen "allowed tags".

  v1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which
  introduced a regression for applications passing a frozen array of allowed tags. Tags and
  attributes are now properly copied when they are passed to the scrubber.

  Fixes #195.

  Mike Dalessio

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ railties (indirect, 7.1.4.1 → 7.1.5.1) · Repo · Changelog

Release Notes

7.1.5.1 (from changelog)

• No changes.

7.1.5 (from changelog)

• No changes.

7.1.4.2 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rdoc (indirect, 6.8.1 → 6.9.1) · Repo · Changelog

Release Notes

6.9.1

What's Changed

🐛 Bug Fixes

• Fix iPad Pro navigation not shown by @sunblaze in #1236
• Hide hamburger on desktop by @sunblaze in #1237
• Add attribute :force to RDoc::RubygemsHook just like RDoc::RubyGemsHook by @tompng in #1244

📚 Documentation

• Fix dead links in the markup reference page by @st0012 in #1242

New Contributors

• @sunblaze made their first contribution in #1236

Full Changelog: v6.9.0...v6.9.1

6.9.0

What's Changed

✨ Enhancements

• Deprecate main and title directives by @st0012 in #1218
• Expand rdoc-ref targets at the end of ri output by @st0012 in #1141

🐛 Bug Fixes

• Improve how gemspec's files are defined by @st0012 in #1212
• fix: C variables should never show up in Ancestors tree by @flavorjones in #1217
• Sort MethodAttr so that names starting with symbols are before names starting with alpha ASCII by @flavorjones in #1219
• ClassModule#superclass= accepts a ClassModule as an argument by @flavorjones in #1222
• Use distinct styles for note lists and label lists by @nevans in #1209

🛠 Other Changes

• Bump step-security/harden-runner from 2.10.1 to 2.10.2 by @dependabot in #1215
• Bump rubygems/release-gem from 612653d273a73bdae1df8453e090060bb4db5f31 to 9e85cb11501bebc2ae661c1500176316d3987059 by @dependabot in #1214
• Fixed version number of rubygems/release-gem by @hsbt in #1216
• Prefer String#ord to String#codepoints[0] by @flavorjones in #1220
• Workaround JRuby's jar-dependencies error and test failures on CI by @st0012 in #1225
• lint: Remove unreachable code by @okuramasafumi in #1137
• Stop running CI against JRuby and some CI config cleanup by @st0012 in #1228
• Make it loose coupling between RubyGems and RDoc by @mterada1228 in #1171
• Fixed compatibility error with setup command and rdoc plugin on rubygems by @hsbt in #1234

Full Changelog: v6.8.1...v6.9.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ reline (indirect, 0.5.12 → 0.6.0) · Repo

Release Notes

0.6.0

What's Changed

🐛 Bug Fixes

• Fix RELINE_TEST_ENCODING by @ima1zumi in #743
• Don't skip start_with check on encoding-incompatible candidates by @tompng in #787
• Call user defined sigwinch and sigcont handler by @tompng in #788
• Fix line wrapped cursor position by @tompng in #791
• Undo and redo should restore indentation by @tompng in #793

🛠 Other Changes

• Fix tests failing when INPUTRC is defined by @pterjan in #789
• Implement buffered output to Reline::ANSI by @tompng in #790
• Merge key mapping with key bindings by @tompng in #715
• Refactor Reline::Unicode ed_ vi_ em_ methods by @tompng in #720
• Change quoted_insert and bracketed_paste to a single key input by @tompng in #792
• Bump version to 0.6.0 by @ima1zumi in #795

New Contributors

• @pterjan made their first contribution in #789

Full Changelog: v0.5.12...v0.6.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ timeout (indirect, 0.4.2 → 0.4.3) · Repo

Release Notes

0.4.3

What's Changed

• Bump rubygems/release-gem from 612653d273a73bdae1df8453e090060bb4db5f31 to 9e85cb11501bebc2ae661c1500176316d3987059 by @dependabot in #54
• Bump step-security/harden-runner from 2.10.1 to 2.10.2 by @dependabot in #55
• added the check for negative sec by @Cosmicoppai in #51

New Contributors

• @Cosmicoppai made their first contribution in #51

Full Changelog: v0.4.2...v0.4.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 benchmark (added, 0.4.0)

🆕 securerandom (added, 0.4.1)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)