🚨 [security] Update railties 6.1.7.8 → 6.1.7.9 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ railties (6.1.7.8 → 6.1.7.9) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 7 commits:

• Preparing for 6.1.7.9 release
• Update CHANGELOGs
• Merge pull request #16 from rails/7-0-sec-relase
• Avoid backtracking in ActionMailer block_format
• ActionText: Avoid backtracing in plain_text_for_blockquote_node
• Avoid backtracking in filtered_query_string
• Avoid backtracking in Token#raw_params

✳️ actionpack (6.1.7.8 → 6.1.7.9) · Repo · Changelog

Security Advisories 🚨

🚨 Possible ReDoS vulnerability in HTTP Token authentication in Action Controller

There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.

Impact

For applications using HTTP Token authentication via authenticate_or_request_with_http_token or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for reporting

🚨 Possible ReDoS vulnerability in query parameter filtering in Action Dispatch

There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.

Impact

Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for the report and patches!

Commits

See the full diff on Github. The new version differs by 7 commits:

• Preparing for 6.1.7.9 release
• Update CHANGELOGs
• Merge pull request #16 from rails/7-0-sec-relase
• Avoid backtracking in ActionMailer block_format
• ActionText: Avoid backtracing in plain_text_for_blockquote_node
• Avoid backtracking in filtered_query_string
• Avoid backtracking in Token#raw_params

✳️ actionview (6.1.7.8 → 6.1.7.9) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 7 commits:

• Preparing for 6.1.7.9 release
• Update CHANGELOGs
• Merge pull request #16 from rails/7-0-sec-relase
• Avoid backtracking in ActionMailer block_format
• ActionText: Avoid backtracing in plain_text_for_blockquote_node
• Avoid backtracking in filtered_query_string
• Avoid backtracking in Token#raw_params

✳️ activemodel (6.1.7.8 → 6.1.7.9) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 7 commits:

• Preparing for 6.1.7.9 release
• Update CHANGELOGs
• Merge pull request #16 from rails/7-0-sec-relase
• Avoid backtracking in ActionMailer block_format
• ActionText: Avoid backtracing in plain_text_for_blockquote_node
• Avoid backtracking in filtered_query_string
• Avoid backtracking in Token#raw_params

✳️ activerecord (6.1.7.8 → 6.1.7.9) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 7 commits:

• Preparing for 6.1.7.9 release
• Update CHANGELOGs
• Merge pull request #16 from rails/7-0-sec-relase
• Avoid backtracking in ActionMailer block_format
• ActionText: Avoid backtracing in plain_text_for_blockquote_node
• Avoid backtracking in filtered_query_string
• Avoid backtracking in Token#raw_params

✳️ activesupport (6.1.7.8 → 6.1.7.9) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 7 commits:

• Preparing for 6.1.7.9 release
• Update CHANGELOGs
• Merge pull request #16 from rails/7-0-sec-relase
• Avoid backtracking in ActionMailer block_format
• ActionText: Avoid backtracing in plain_text_for_blockquote_node
• Avoid backtracking in filtered_query_string
• Avoid backtracking in Token#raw_params

↗️ builder (indirect, 3.2.4 → 3.3.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 24 commits:

• Release 3.3.0
• Merge pull request #24 from casperisfine/update-ci
• File.exists? -> File.exist?
• Update CI configuration and gemspec
• Merge pull request #23 from Earlopain/ci-update
• Add Ruby 3.1-3.3 to CI
• Update readme and gemspec to point to rails/builder repo
• Merge pull request #9 from timkrins/patch-2
• Merge pull request #14 from hosamaly/patch-1
• Merge pull request #15 from voxik/remove-blankslate
• Merge pull request #16 from voxik/gh-actions
• Merge pull request #19 from kbrock/chmod
• Merge pull request #20 from kbrock/pr/64
• Merge pull request #21 from kbrock/pr/63
• Updated comments which are incorrect.
• Fix spelling mistake in example
• remove exec but from rdoc
• Drop Travis configuration.
• Setup GitHub actions.
• Use BasicObject instead of BlankSlate
• Update the changelog for v3.2.4
• Merge pull request #8 from orien/gem-metadata
• Add project metadata to the gemspec
• Fix spelling mistake

↗️ concurrent-ruby (indirect, 1.3.1 → 1.3.4) · Repo · Changelog

Release Notes

1.3.4

What's Changed

• Update comment for JRuby variant of processor_count to reality by @meineerde in #1054
• Add Concurrent.cpu_requests that is cgroups aware. by @heka1024 in #1058
• Fix the doc of Concurrent.available_processor_count by @y-yagi in #1059
• Fix the return value of Concurrent.available_processor_count when cpu.cfs_quota_us is -1 by @y-yagi in #1060

New Contributors

• @heka1024 made their first contribution in #1058
• @y-yagi made their first contribution in #1059

Full Changelog: v1.3.3...v1.3.4

1.3.3

What's Changed

• Improve speed for windows Get-CimInstance by @Earlopain in #1053

Full Changelog: v1.3.2...v1.3.3

1.3.2

What's Changed

• Fix method name in CHANGELOG.md by @nertzy in #1049
• Remove dependency on win32ole by @Earlopain in #1051

New Contributors

• @nertzy made their first contribution in #1049
• @Earlopain made their first contribution in #1051

Full Changelog: v1.3.1...v1.3.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 22 commits:

• Avoid requiring files of the gem in Rakefile to avoid redefined method warnings
• Avoid require in Gemfile & Rakefile to avoid redefined constant warnings
• Avoid require in *.gemspec files to avoid redefined constant warnings
• Update docs-source/signpost.md
• 1.3.4
• Check early that $CONCURRENT_JRUBY_HOME is set
• Fix the return value of `Concurrent.available_processor_count` when `cpu.cfs_quota_us` is -1
• Fix the doc of `Concurrent.available_processor_count`
• Add `Concurrent.cpu_shares` that is cgroups aware.
• Update comment for JRuby variant of processor_count to reality
• 1.3.3
• Improve speed for windows `Get-CimInstance`
• 1.3.2
• Add a windows job to CI
• Remove dependency on `win32ole`
• Automatically run bundle install before running tests
• Release edge 0.7.1
• Make it possible to publish edge without base
• Ensure JRuby is used in release tests
• Fix concurrent-ruby-edge to depend on `~> MAJOR.MINOR` of concurrent-ruby
• Get RakeCompilerDock to work with either podman or docker, based on what is installed
• Fix method name in CHANGELOG.md

↗️ erubi (indirect, 1.12.0 → 1.13.0) · Repo · Changelog

Release Notes

1.13.0 (from changelog)

* Define Erubi.h as a module function (jeremyevans)

Add erubi/capture_block, supporting capturing block output via standard <%= and <%== tags (jeremyevans)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 12 commits:

• Bump version to 1.13.0
• Add erubi/capture_block to the gem
• Adjust nocov markers
• Define Erubi.h as a module function
• Add erubi/capture_block, supporting capturing block output via standard <%= and <%== tags
• Restructure tests to make it so the same basic tests can be used for multiple engines
• Add Ruby 3.3 to CI and bump actions/checkout to v4
• Switch from hanna-nouveau to hanna
• Stop testing Ruby 2.2 in CI as it no longer works with ubuntu-latest
• Move to actions/checkout@v3
• Limit rake gem restriction in CI to Ruby <2.4
• Add CI for Ruby 3.2

↗️ i18n (indirect, 1.14.5 → 1.14.6) · Repo · Changelog

Release Notes

1.14.6

What's Changed

Ruby < 3.2 support will be dropped April 2025. Upgrade now to continue using i18n after that date.

• fix issues with RDoc generation by @davetron5000 in #698
• Fix loading of .rb locale files when load_path is not a string by @stevegeek in #701
• Fixes strings being interpolated multiple times by @alexpls in #699
• Optimize pluralization logic in test data by @zachmargolis in #697
• [FIX] Raise ArgumentError on nil key in exists? by @KinWang-2013 in #696

New Contributors

• @davetron5000 made their first contribution in #698
• @stevegeek made their first contribution in #701
• @alexpls made their first contribution in #699
• @zachmargolis made their first contribution in #697
• @KinWang-2013 made their first contribution in #696

Full Changelog: v1.14.5...v1.14.6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 12 commits:

• Bump to 1.14.6
• Add post install message for Ruby < 3.2 users
• Merge pull request #696 from KinWang-2013/fix/exists-method-nil-key
• Merge pull request #697 from zachmargolis/margolis-optimize-plurals
• Merge pull request #699 from alexpls/master
• Merge pull request #701 from stevegeek/fix_load_rb_with_pathname
• Fix loading of .rb locale files when load_path is not a string, eg it is a Pathname
• Fixes strings being interpolated multiple times
• Merge pull request #698 from davetron5000/rdoc-fixes
• fix issues with RDoc generation
• Optimize pluralization logic in test data
• return error on nil key and add test

↗️ racc (indirect, 1.8.0 → 1.8.1) · Repo · Changelog

Release Notes

1.8.1

What's Changed

• Use require_relative in the Racc codebase by @koic in #269
• Fix a typo by @koic in #270
• Provide a 'Changelog' link on rubygems.org/gems/racc by @mark-young-atg in #271
• Fix RDoc main file to "README.rdoc" by @ydah in #274
• Fix file path and line number errors when using +, * and () by @ydah in #273
• Bump up v1.8.1 by @yui-knk in #275

New Contributors

• @koic made their first contribution in #269
• @mark-young-atg made their first contribution in #271

Full Changelog: v1.8.0...v1.8.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

• Merge pull request #275 from yui-knk/v1.8.1
• Bump up v1.8.1
• Merge pull request #273 from ydah/fix-filepath-lineno
• Add test code for TestRaccCommand
• Fix file path and line number errors when using `+`, `*` and `()`
• Merge pull request #274 from ydah/rename-docs-main
• Fix RDoc main file to "README.rdoc"
• Merge pull request #271 from mark-young-atg/provide_changelog_link_on_rubygems
• Provide a 'Changelog' link on rubygems.org/gems/racc
• Merge pull request #270 from koic/fix_a_typo
• Fix a typo
• Added BSDL to gemspec
• Update license files same as ruby/ruby
• Merge pull request #269 from koic/use_require_relative
• Use `require_relative` in the Racc codebase

↗️ rack (indirect, 2.2.9 → 2.2.10) · Repo · Changelog

Release Notes

2.2.10 (from changelog)

• Fix compatibility issues with Ruby v3.4.0. (#2248, @byroot)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 2 commits:

• Bump patch version.
• [2.2-stable] Fix compatibility issues with Ruby 3.4.0dev (#2248)

↗️ zeitwerk (indirect, 2.6.15 → 2.7.0) · Repo · Changelog

Release Notes

2.7.0 (from changelog)

• Explicit namespaces can now also be defined using constant assignments.

  While constant assignments like

  # coordinates.rb

  Coordinates = Data.define(:x, :y)

  worked for most objects, they did not for classes and modules that were also namespaces (i.e., those defined by a file and matching subdirectories). In such cases, their child constants could not be autoloaded.

  This limitation has been removed.

• TracePoint is no longer used.

• Requires Ruby 3.2 or later.

  Gems that work with previous versions of Zeitwerk also work with this one. If they support Ruby versions older than 3.2 they can specify a relaxed version constraint for Zeitwerk like "~> 2.6", for example.

  In client projects, Bundler takes the Ruby requirement into account when resolving dependencies, so Gemfile.lock will get one compatible with the Ruby version being used.

2.6.18 (from changelog)

• Fixes a bug in which projects reopening the main namespace of a gem dependency managed by its own Zeitwerk loader could not reload the constants they added to that external namespace.

2.6.17 (from changelog)

• Fix log message when eager loading a directory ends.

2.6.16 (from changelog)

• Logging prints a message when a directory that was not ignored is skipped anyway because it contains no Ruby files.

• Internal refactors.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 28 commits:

• Ready for 2.7.0
• Adds a note about backwards compatibility to the CHANGELOG
• Rewording
• Remove TracePoint Ruby compatibility test
• Update CHANGELOG
• Fix method signature annotation
• Prefer Dir.each_child over Dir.children
• Remove polyfill for UnboundMethod#bind_call
• Remove polyfill for Module#autoload?
• Remove polyfill for Symbol#name
• Replace TracePoint with const_added for explicit namespaces
• Move core extensions to a new core_ext folder
• Add missing @raise annotation
• Revises month capitalization in CHANGELOG.md
• Revises quotes
• Ready for 2.6.18
• Fix autoload_path_set_by_me_for? with inceptions
• Update project rules about crefs
• Ready for 2.6.17
• Fix log message when eager loading a directory ends
• Ready for 2.6.16
• Remove ruby-lsp from the Gemfile
• Introduces the private class Zeitwerk::Cref
• Add ruby-lsp to the Gemfile
• Merge pull request #295 from kianmeng/fix-typos
• Fix typos
• Log directories being ignored for having no Ruby file
• Reword and reorder logging test

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[Adnilson]

zeitwerk-2.7.0 requires ruby version >= 3.2, which is incompatible with the current version, ruby 2.5.9p229