Cristian Bica cristianbica ClubCollect Bucharest, Romania

cristianbica/activejob-perform_later 25

Make any method perfomed later with ActiveJob

cristianbica/active_job-query 2

ActiveJob Query API

comboman/communityengine 0

Adds basic social networking capabilities to your existing application, including users, blogs, photos, clippings, favorites, and more.

cristianbica/actioncable 0

Framework for real-time communication over websockets

cristianbica/activejob 0

Declare job classes that can be run by a variety of queueing backends

started cristianbica/CBSimulatorSeed-Swift

started time in 5 days

release rubocop/rubocop

v1.17.0

released time in 6 days

release hotwired/turbo

v7.0.0-beta.7

released time in 7 days

release hotwired/turbo

v7.0.0-beta.6

released time in 9 days

release vapor/vapor

4.47.0

released time in 11 days

release rubocop/rubocop

v1.16.1

released time in 12 days


delete branch givlab/activejob-recurring

delete branch : dependabot/bundler/nokogiri-1.10.8

delete time in a month

PR closed givlab/activejob-recurring

Bump nokogiri from 1.10.1 to 1.10.8 dependencies

Bumps nokogiri from 1.10.1 to 1.10.8.

Release notes

Sourced from nokogiri's releases.

1.10.8 / 2020-02-10

Security

[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.

1.10.7 / 2019-12-03

Bug

  • [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. #1954

1.10.6 / 2019-12-03

Bug

  • [MRI] Fix FreeBSD installation of vendored libxml2. [#1941, #1953] (Thanks, @nurse!)

1.10.5 / 2019-10-31

Dependencies

  • [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
  • [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

1.10.4 / 2019-08-11

Security

Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

This CVE's public notice is sparklemotion/nokogiri#1915

1.10.3 / 2019-04-22

Security Notes

... (truncated)

Changelog

Sourced from nokogiri's changelog.

1.10.8 / 2020-02-10

Security

[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.

1.10.7 / 2019-12-03

Fixed

  • [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. [#1954]

1.10.6 / 2019-12-03

Fixed

1.10.5 / 2019-10-31

Security

[MRI] Vendored libxslt upgraded to v1.1.34 which addresses three CVEs for libxslt:

  • CVE-2019-13117
  • CVE-2019-13118
  • CVE-2019-18197
  • CVE-2019-19956

More details are available at #1943.

Dependencies

  • [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
  • [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

1.10.4 / 2019-08-11

Security

Address CVE-2019-5477 (#1915).

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

... (truncated)

Commits

  • 6ce10d1 version bump to v1.10.8
  • 2320f5b update CHANGELOG for v1.10.8
  • 4a77fdb remove patches from the hoe Manifest
  • 570b6cb update to use rake-compiler ~1.1.0
  • 2cdb68e backport libxml2 patch for CVE-2020-7595
  • e6b3229 version bump to v1.10.7
  • 4f9d443 update CHANGELOG
  • 80e67ef Fix the patch from #1953 to work with both git and patch
  • 7cf1b85 Fix typo in generated metadata
  • d76180d add gem metadata
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

+39 -37

1 comment

1 changed file

dependabot[bot]

pr closed time in a month

pull request comment givlab/activejob-recurring

Bump nokogiri from 1.10.1 to 1.10.8

Superseded by #18.

dependabot[bot]

comment created time in a month

PR opened givlab/activejob-recurring

Bump nokogiri from 1.10.1 to 1.11.4

Bumps nokogiri from 1.10.1 to 1.11.4.

Release notes

Sourced from nokogiri's releases (https://github.com/sparklemotion/nokogiri/releases).

1.11.4 / 2021-05-14

Security

[CRuby] Vendored libxml2 upgraded to v2.9.12 which addresses:

  • CVE-2019-20388
  • CVE-2020-24977
  • CVE-2021-3517
  • CVE-2021-3518
  • CVE-2021-3537
  • CVE-2021-3541

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please see nokogiri/GHSA-7rrm-v45f-jp64 (https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64) or #2233 for a more complete analysis of these CVEs and patches.

Dependencies

  • [CRuby] vendored libxml2 is updated from 2.9.10 to 2.9.12. (Note that 2.9.11 was skipped because it was superseded by 2.9.12 a few hours after its release.)

1.11.3 / 2021-04-07

Fixed

  • [CRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this likely segfaulted. [#1900]
  • [JRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this raised a TypeError exception.
  • [CRuby] arm64/aarch64 systems (like Apple's M1) can now compile libxml2 and libxslt from source (though we continue to strongly advise users to install the native gems for the best possible experience)

1.11.2 / 2021-03-11

Fixed

  • [CRuby] NodeSet may now safely contain Node objects from multiple documents. Previously the GC lifecycle of the parent Document objects could lead to nodes being GCed while still in scope. [#1952]
  • [CRuby] Patch libxml2 to avoid "huge input lookup" errors on large CDATA elements. (See upstream GNOME/libxml2#200 and GNOME/libxml2!100.) [#2132]
  • [CRuby+Windows] Enable Nokogumbo (and other downstream gems) to compile and link against nokogiri.so by including LDFLAGS in Nokogiri::VERSION_INFO. [#2167]
  • [CRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was invoked twice on each object.
  • [JRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was not called, which was a problem for subclassing such as done by Loofah.

Improved

  • Reduce the number of object allocations needed when parsing an HTML::DocumentFragment. [#2087] (Thanks, @ashmaroli!)
  • [JRuby] Update the algorithm used to calculate Node#line to be wrong less-often. The underlying parser, Xerces, does not track line numbers, and so we've always used a hacky solution for this method. [#1223, #2177]
  • Introduce --enable-system-libraries and --disable-system-libraries flags to extconf.rb. These flags provide the same functionality as --use-system-libraries and the NOKOGIRI_USE_SYSTEM_LIBRARIES environment variable, but are more idiomatic. [#2193] (Thanks, @eregon!)
  • [TruffleRuby] --disable-static is now the default on TruffleRuby when the packaged libraries are used. This is more flexible and compiles faster. (Note, though, that the default on TR is still to use system libraries.) [#2191, #2193] (Thanks, @eregon!)

... (truncated)

Changelog

Sourced from nokogiri's changelog (https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md).

1.11.4 / 2021-05-14

Security

[CRuby] Vendored libxml2 upgraded to v2.9.12 which addresses:

  • CVE-2019-20388
  • CVE-2020-24977
  • CVE-2021-3517
  • CVE-2021-3518
  • CVE-2021-3537
  • CVE-2021-3541

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please see nokogiri/GHSA-7rrm-v45f-jp64 (https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64) or #2233 for a more complete analysis of these CVEs and patches.

Dependencies

  • [CRuby] vendored libxml2 is updated from 2.9.10 to 2.9.12. (Note that 2.9.11 was skipped because it was superseded by 2.9.12 a few hours after its release.)

1.11.3 / 2021-04-07

Fixed

  • [CRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this likely segfaulted. [#1900]
  • [JRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this raised a TypeError exception.
  • [CRuby] arm64/aarch64 systems (like Apple's M1) can now compile libxml2 and libxslt from source (though we continue to strongly advise users to install the native gems for the best possible experience)

1.11.2 / 2021-03-11

Fixed

  • [CRuby] NodeSet may now safely contain Node objects from multiple documents. Previously the GC lifecycle of the parent Document objects could lead to nodes being GCed while still in scope. [#1952]
  • [CRuby] Patch libxml2 to avoid "huge input lookup" errors on large CDATA elements. (See upstream GNOME/libxml2#200 and GNOME/libxml2!100.) [#2132]
  • [CRuby+Windows] Enable Nokogumbo (and other downstream gems) to compile and link against nokogiri.so by including LDFLAGS in Nokogiri::VERSION_INFO. [#2167]
  • [CRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was invoked twice on each object.
  • [JRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was not called, which was a problem for subclassing such as done by Loofah.

Improved

  • Reduce the number of object allocations needed when parsing an HTML::DocumentFragment. [#2087] (Thanks, @ashmaroli!)
  • [JRuby] Update the algorithm used to calculate Node#line to be wrong less-often. The underlying parser, Xerces, does not track line numbers, and so we've always used a hacky solution for this method. [#1223, #2177]
  • Introduce --enable-system-libraries and --disable-system-libraries flags to extconf.rb. These flags provide the same functionality as --use-system-libraries and the NOKOGIRI_USE_SYSTEM_LIBRARIES environment variable, but are more idiomatic. [#2193] (Thanks, @eregon!)
  • [TruffleRuby] --disable-static is now the default on TruffleRuby when the packaged libraries are used. This is more flexible and compiles faster. (Note, though, that the default on TR is still to use system libraries.) [#2191, #2193] (Thanks, @eregon!)

... (truncated)

Commits

  • 9d69b44 version bump to v1.11.4
  • 058e87f update CHANGELOG with complete CVE information
  • 9285251 Merge pull request #2234 from sparklemotion/2233-upgrade-to-libxml-2-9-12
  • 5436f61 update CHANGELOG
  • 761d320 patch: renumber libxml2 patches
  • 889ee2a test: update behavior of namespaces in HTML
  • 9751d85 test: remove low-value HTML::SAX::PushParser encoding test
  • 9fcb7d2 test: adjust xpath gc test to libxml2's max recursion depth
  • 1c99019 patch: backport libxslt configure.ac change for libxml2 config
  • 82a253f patch: fix isnan/isinf patch to apply cleanly to libxml 2.9.12
  • Additional commits viewable in compare view (https://github.com/sparklemotion/nokogiri/compare/v1.10.1...v1.11.4)


+49 -46

0 comment

1 changed file

pr created time in a month

create branch givlab/activejob-recurring

branch : dependabot/bundler/nokogiri-1.11.4

created branch time in a month

delete branch givlab/activejob-recurring

delete branch : dependabot/bundler/actionpack-6.0.3.1

delete time in 2 months

PR closed givlab/activejob-recurring

Bump actionpack from 5.2.2 to 6.0.3.1 dependencies

Bumps actionpack from 5.2.2 to 6.0.3.1.

Release notes

Sourced from actionpack's releases (https://github.com/rails/rails/releases).

6.0.3

In this version, we fixed warnings when used with Ruby 2.7 across the entire framework.

Following are the list of other changes, per-framework.

Active Support

  • Array#to_sentence no longer returns a frozen string.

    Before:

        ['one', 'two'].to_sentence.frozen?
        => true

    After:

        ['one', 'two'].to_sentence.frozen?
        => false

    Nicolas Dular

  • Update ActiveSupport::Messages::Metadata#fresh? to work for cookies with expiry set when ActiveSupport.parse_json_times = true.

    Christian Gregg

Active Model

  • No changes.

Active Record

  • Recommend applications don't use the database kwarg in connected_to

    The database kwarg in connected_to was meant to be used for one-off scripts but is often used in requests. This is really dangerous because it re-establishes a connection every time. It's deprecated in 6.1 and will be removed in 6.2 without replacement. This change soft deprecates it in 6.0 by removing documentation.

    Eileen M. Uchitelle

  • Fix support for PostgreSQL 11+ partitioned indexes.

    Sebastián Palma

  • Add support for beginless ranges, introduced in Ruby 2.7.

    Josh Goodall

... (truncated)

Changelog

Sourced from actionpack's changelog (https://github.com/rails/rails/blob/v6.0.3.1/actionpack/CHANGELOG.md).

Rails 6.0.3.1 (May 18, 2020)

  • [CVE-2020-8166] HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a per-form token
  • [CVE-2020-8164] Return self when calling #each, #each_pair, and #each_value instead of the raw @parameters hash

Rails 6.0.3 (May 06, 2020)

  • Include child session assertion count in ActionDispatch::IntegrationTest

    IntegrationTest#open_session uses dup to create the new session, which meant it had its own copy of @assertions. This prevented the assertions from being correctly counted and reported.

    Child sessions now have their attr_accessor overridden to delegate to the root session.

    Fixes #32142

    Sam Bostock

Rails 6.0.2.2 (March 19, 2020)

  • No changes.

Rails 6.0.2.1 (December 18, 2019)

  • Fix possible information leak / session hijacking vulnerability.

    The ActionDispatch::Session::MemcacheStore is still vulnerable given it requires the gem dalli to be updated as well.

    CVE-2019-16782.

Rails 6.0.2 (December 13, 2019)

  • Allow using mountable engine route helpers in System Tests.

    Chalo Fernandez

Rails 6.0.1 (November 5, 2019)

  • ActionDispatch::SystemTestCase now inherits from ActiveSupport::TestCase rather than ActionDispatch::IntegrationTest. This permits running jobs in system tests.

... (truncated)

Commits

  • 34991a6 Preparing for 6.0.3.1 release
  • 2c8fe2a bumping version, updating changelog
  • 0ad524a update changelog
  • 29aa538 HMAC raw CSRF token before masking it, so it cannot be used to reconstruct a ...
  • b3230c5 Return self when calling #each, #each_pair, and #each_value instead of the ra...
  • b738f19 Preparing for 6.0.3 release
  • 509b9da Preparing for 6.0.3.rc1 release
  • b60571e Merge pull request #38864 from abhaynikam/replace-mailing-list-url
  • 639e646 Add CHANGELOG entry to 6.0.2.2
  • ff380b5 Merge branch '6-2-sec' into 6-0-stable
  • Additional commits viewable in compare view (https://github.com/rails/rails/compare/v5.2.2...v6.0.3.1)


+40 -38

1 comment

1 changed file

dependabot[bot]

pr closed time in 2 months

pull request comment givlab/activejob-recurring

Bump actionpack from 5.2.2 to 6.0.3.1

Superseded by #17.

dependabot[bot]

comment created time in 2 months

PR opened givlab/activejob-recurring

Bump actionpack from 5.2.2 to 6.1.3.2

Bumps actionpack from 5.2.2 to 6.1.3.2.

Release notes

Sourced from actionpack's releases (https://github.com/rails/rails/releases).

6.1.3.2

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Prevent open redirects by correctly escaping the host allow list CVE-2021-22903
  • Prevent catastrophic backtracking during mime parsing CVE-2021-22902
  • Prevent regex DoS in HTTP token authentication CVE-2021-22904
  • Prevent string polymorphic route arguments.

    url_for supports building polymorphic URLs via an array of arguments (usually symbols and records). If a developer passes a user input array, strings can result in unwanted route helper calls.

    CVE-2021-22885

    Gannon McGibbon

Active Job

... (truncated)

Changelog

Sourced from actionpack's changelog (https://github.com/rails/rails/blob/v6.1.3.2/actionpack/CHANGELOG.md).

Rails 6.1.3.2 (May 05, 2021)

  • Prevent open redirects by correctly escaping the host allow list CVE-2021-22903
  • Prevent catastrophic backtracking during mime parsing CVE-2021-22902
  • Prevent regex DoS in HTTP token authentication CVE-2021-22904
  • Prevent string polymorphic route arguments.

    url_for supports building polymorphic URLs via an array of arguments (usually symbols and records). If a developer passes a user input array, strings can result in unwanted route helper calls.

    CVE-2021-22885

    Gannon McGibbon

Rails 6.1.3.1 (March 26, 2021)

  • No changes.

Rails 6.1.3 (February 17, 2021)

  • Re-define routes when not set correctly via inheritance.

    John Hawthorn

Rails 6.1.2.1 (February 10, 2021)

  • Prevent open redirect when allowed host starts with a dot

    [CVE-2021-22881]

    Thanks to @tktech (https://hackerone.com/tktech) for reporting this issue and the patch!

    Aaron Patterson

Rails 6.1.2 (February 09, 2021)

  • Fix error in ActionController::LogSubscriber that would happen when throwing inside a controller action.

    Janko Marohnić

... (truncated)

Commits

  • 75ac626 Preparing for 6.1.3.2 release
  • 9c21201 Prep for release
  • 20a4e60 Prevent slow regex when parsing host authorization header
  • 1439db5 Escape allow list hosts correctly
  • 0303187 Prevent string polymorphic route arguments
  • 40f82dc Prevent catastrophic backtracking during mime parsing
  • 85c6823 v6.1.3.1
  • 5aaaa16 Preparing for 6.1.3 release
  • e322277 Merge pull request #41463 from jhawthorn/isolated_engine_controller_subclasses
  • eddb809 Merge pull request #41441 from jonathanhefner/apidocs-inline-code-markup
  • Additional commits viewable in compare view (https://github.com/rails/rails/compare/v5.2.2...v6.1.3.2)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

+49 -46

0 comment

1 changed file

pr created time in 2 months
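The polymorphic-route entry in the release notes above (CVE-2021-22885) states the hazard in one sentence: url_for assembles a route helper name from the array it is given, so a String that originated in request input ends up choosing which helper runs. The Ruby below is an added illustration written for this page, not code from Rails, dependabot or the activejob-recurring project. It models only that dispatch step with a toy ToyRoutes class, a User struct and three hypothetical helpers (user_path, admin_user_path, billing_user_path), all constructed here and not taken from any real application. It shows the pre-fix behaviour (an attacker-supplied String selects an unintended helper), the post-fix behaviour (Strings are refused before dispatch), and the application-side allow list that is the right fix on any framework version.

```ruby
# Added illustration for this page; NOT Rails' implementation (that lives in
# ActionDispatch::Routing::PolymorphicRoutes). It models one property the
# release note describes: a helper name is assembled from the array elements
# and dispatched dynamically, so a String under attacker control selects it.

# Stand-in for an Active Record model (constructed for the example).
User = Struct.new(:id) do
  def model_name_singular
    "user"
  end
end

class ToyRoutes
  # Hypothetical route helpers of an application. billing_user_path is meant
  # to be reachable only from staff-facing code paths.
  def user_path(user)
    "/users/#{user.id}"
  end

  def admin_user_path(user)
    "/admin/users/#{user.id}"
  end

  def billing_user_path(user)
    "/billing/users/#{user.id}"
  end

  # Pre-fix behaviour (model): Strings and Symbols are treated alike, so a
  # String copied out of params decides which helper gets called.
  def polymorphic_path_unsafe(args)
    *prefix, record = args
    public_send(helper_name(prefix, record), record)
  end

  # Post-fix behaviour (model): only Symbols may form the prefix; a String is
  # refused before any dispatch happens. The error text is this example's own.
  def polymorphic_path(args)
    *prefix, record = args
    strings = prefix.reject { |part| part.is_a?(Symbol) }
    unless strings.empty?
      raise ArgumentError, "polymorphic route arguments must be Symbols, got #{strings.inspect}"
    end
    public_send(helper_name(prefix, record), record)
  end

  private

  def helper_name(prefix, record)
    (prefix.map(&:to_s) << "#{record.model_name_singular}_path").join("_")
  end
end

# Application-side hardening that holds on any framework version: request
# input never reaches url_for directly; it is mapped through a closed allow
# list of Symbols, and anything outside the list is rejected.
ALLOWED_NAMESPACES = { "admin" => :admin }.freeze

def namespace_from_param(param)
  ALLOWED_NAMESPACES.fetch(param) do
    raise ArgumentError, "unknown namespace #{param.inspect}"
  end
end

def raises_argument_error?
  yield
  false
rescue ArgumentError
  true
end

def demo
  routes = ToyRoutes.new
  user = User.new(7)
  attacker_namespace = "billing" # constructed: what params[:namespace] might carry
  {
    intended:         routes.polymorphic_path_unsafe([:admin, user]),
    hijacked:         routes.polymorphic_path_unsafe([attacker_namespace, user]),
    fixed_rejects:    raises_argument_error? { routes.polymorphic_path([attacker_namespace, user]) },
    allowlisted:      routes.polymorphic_path([namespace_from_param("admin"), user]),
    unknown_rejected: raises_argument_error? { namespace_from_param(attacker_namespace) }
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

demo returns the five outcomes as a hash: the intended call yields /admin/users/7, the pre-fix model yields /billing/users/7 for the attacker-chosen String, the post-fix model raises, and the allow list both admits "admin" and rejects "billing". The lesson outlasts this particular CVE: whenever a method name is built from data and dispatched with public_send or send, the set of acceptable inputs has to be closed (Symbols drawn from an allow list), never an open-ended String.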

create branch givlab/activejob-recurring

branch : dependabot/bundler/actionpack-6.1.3.2

created branch time in 2 months

PR opened cristianbica/activejob-perform_later

Upgrade to GitHub-native Dependabot

Dependabot Preview will be shut down on August 3rd, 2021. In order to keep getting Dependabot updates, please merge this PR and migrate to GitHub-native Dependabot before then.

Dependabot has been fully integrated into GitHub, so you no longer have to install and manage a separate app. This pull request migrates your configuration from Dependabot.com to a config file, using the new syntax. When merged, we'll swap out dependabot-preview (me) for a new dependabot app, and you'll be all set!

With this change, you'll now use the Dependabot page in GitHub, rather than the Dependabot dashboard, to monitor your version updates, and you'll configure Dependabot through the new config file rather than a UI.

If you've got any questions or feedback for us, please let us know by creating an issue in the dependabot/dependabot-core repository.

Learn more about migrating to GitHub-native Dependabot

Please note that regular @dependabot commands do not work on this pull request.

+8 -0

0 comment

1 changed file

pr created time in 2 months

PR opened cristianbica/active_job-query

Upgrade to GitHub-native Dependabot

Dependabot Preview will be shut down on August 3rd, 2021. In order to keep getting Dependabot updates, please merge this PR and migrate to GitHub-native Dependabot before then.

Dependabot has been fully integrated into GitHub, so you no longer have to install and manage a separate app. This pull request migrates your configuration from Dependabot.com to a config file, using the new syntax. When merged, we'll swap out dependabot-preview (me) for a new dependabot app, and you'll be all set!

With this change, you'll now use the Dependabot page in GitHub, rather than the Dependabot dashboard, to monitor your version updates, and you'll configure Dependabot through the new config file rather than a UI.

If you've got any questions or feedback for us, please let us know by creating an issue in the dependabot/dependabot-core repository.

Learn more about migrating to GitHub-native Dependabot

Please note that regular @dependabot commands do not work on this pull request.

+8 -0

0 comment

1 changed file

pr created time in 2 months

create branch cristianbica/active_job-query

branch : dependabot/add-v2-config-file

created branch time in 2 months

delete branch socialpaymentsbv/ex_phone_number

delete branch : add-metadata-country-mobile-token

delete time in 2 months

push event socialpaymentsbv/ex_phone_number

josemrb

commit sha b47009cf07a1e419beae0ac6dba732f51b4ac21c

Update Metadata + get_country_mobile_token/1

view details

push time in 2 months

delete branch socialpaymentsbv/ex_phone_number

delete branch : add-validation-alpha-number

delete time in 2 months

push event socialpaymentsbv/ex_phone_number

josemrb

commit sha fe4e430d90d10c624e209d56f6ac5628d4c28da3

Update Validation + is_alpha_number/1

view details

push time in 2 months

fork dhh/redis

Persistent Redis as a private Docker service on Render

https://render.com/docs/deploy-redis

fork in 2 months