Bumps symfony/mime from 4.3.3 to 4.4.1. <details> <summary>Changelog</summary>

Sourced from symfony/mime's changelog.

CHANGELOG

4.4.0

• [BC BREAK] Removed NamedAddress (Address now supports a name)
• Added PHPUnit constraints
• Added AbstractPart::asDebugString()
• Added Address::fromString() </details> <details> <summary>Commits</summary>

• 010cc48 bug #34032 [Mime] Fixing multidimensional array structure with FormDataPart (...
• 89da7b6 Merge branch '4.3' into 4.4
• 22aecf6 [Mime] fix guessing mime-types of files with leading dash
• bf6913d Merge branch '4.3' into 4.4
• 3c0e197 [4.3] Remove unused local variables
• 86fe792 minor #33963 Add .gitignore to .gitattributes (reedy)
• 51d5b0e Changing the multipart form-data behavior to use the form name as an array, w...
• ae5a66b Merge branch '4.3' into 4.4
• a6b152c Merge branch '3.4' into 4.3
• 592a01c Add Message-Id to SentMessage when sending an email
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps symfony/http-foundation from 4.3.3 to 4.4.1. <details> <summary>Changelog</summary>

Sourced from symfony/http-foundation's changelog.

CHANGELOG

5.1.0

• Deprecate Response::create(), JsonResponse::create(), RedirectResponse::create(), and StreamedResponse::create() methods (use __construct() instead)

5.0.0

• made Cookie auto-secure and lax by default
• removed classes in the MimeType namespace, use the Symfony Mime component instead
• removed method UploadedFile::getClientSize() and the related constructor argument
• made Request::getSession() throw if the session has not been set before
• removed Response::HTTP_RESERVED_FOR_WEBDAV_ADVANCED_COLLECTIONS_EXPIRED_PROPOSAL
• passing a null url when instantiating a RedirectResponse is not allowed

4.4.0

• passing arguments to Request::isMethodSafe() is deprecated.
• ApacheRequest is deprecated, use the Request class instead.
• passing a third argument to HeaderBag::get() is deprecated, use method all() instead
• [BC BREAK] PdoSessionHandler with MySQL changed the type of the lifetime column, make sure to run ALTER TABLE sessions MODIFY sess_lifetime INTEGER UNSIGNED NOT NULL to update your database.
• PdoSessionHandler now precalculates the expiry timestamp in the lifetime column, make sure to run CREATE INDEX EXPIRY ON sessions (sess_lifetime) to update your database to speed up garbage collection of expired sessions.
• added SessionHandlerFactory to create session handlers with a DSN
• added IpUtils::anonymize() to help with GDPR compliance.

4.3.0

• added PHPUnit constraints: RequestAttributeValueSame, ResponseCookieValueSame, ResponseHasCookie, ResponseHasHeader, ResponseHeaderSame, ResponseIsRedirected, ResponseIsSuccessful, and ResponseStatusCodeSame
• deprecated MimeTypeGuesserInterface and ExtensionGuesserInterface in favor of Symfony\Component\Mime\MimeTypesInterface.
• deprecated MimeType and MimeTypeExtensionGuesser in favor of Symfony\Component\Mime\MimeTypes.
• deprecated FileBinaryMimeTypeGuesser in favor of Symfony\Component\Mime\FileBinaryMimeTypeGuesser.
• deprecated FileinfoMimeTypeGuesser in favor of Symfony\Component\Mime\FileinfoMimeTypeGuesser.
• added UrlHelper that allows to get an absolute URL and a relative path for a given path

4.2.0

• the default value of the "$secure" and "$samesite" arguments of Cookie's constructor </tr></table> ... (truncated) </details> <details> <summary>Commits</summary>

• 8bccc59 Merge branch '4.3' into 4.4
• fcafc7c Merge branch '3.4' into 4.3
• d2d0cfe [HttpFoundation] Fixed typo
• cc09809 [HttpFoundation] Update CHANGELOG for PdoSessionHandler BC BREAK in 4.4
• c2480b7 Merge branch '3.4' into 4.3
• f7efd0b Simpler example for Apache basic auth workaround
• 502040d Merge branch '4.3' into 4.4
• 0ac9ebf Merge branch '3.4' into 4.3
• a558b18 feature #34405 [HttpFoundation] Added possibility to configure expiration tim...
• 0c5217a [HttpFoundation] Added possibility to configure expiration time in redis sess...
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps axios from 0.17.1 to 0.19.0. <details> <summary>Release notes</summary>

Sourced from axios's releases.

v0.19.0

Fixes and Functionality:

• Unzip response body only for statuses != 204 (#1129) - drawski
• Destroy stream on exceeding maxContentLength (fixes #1098) (#1485) - Gadzhi Gadzhiev
• Makes Axios error generic to use AxiosResponse (#1738) - Suman Lama
• Fixing Mocha tests by locking follow-redirects version to 1.5.10 (#1993) - grumblerchester
• Allow uppercase methods in typings. (#1781) - Ken Powers
• Fixing .eslintrc without extension (#1789) - Manoel
• Consistent coding style (#1787) - Ali Servet Donmez
• Fixing building url with hash mark (#1771) - Anatoly Ryabov
• This commit fix building url with hash map (fragment identifier) when parameters are present: they must not be added after #, because client cut everything after #
• Preserve HTTP method when following redirect (#1758) - Rikki Gibson
• Add getUri signature to TypeScript definition. (#1736) - Alexander Trauzzi
• Adding isAxiosError flag to errors thrown by axios (#1419) - Ayush Gupta
• Fix failing SauceLabs tests by updating configuration - Emily Morehouse

Documentation:

• Add information about auth parameter to README (#2166) - xlaguna
• Add DELETE to list of methods that allow data as a config option (#2169) - Daniela Borges Matos de Carvalho
• Update ECOSYSTEM.md - Add Axios Endpoints (#2176) - Renan
• Add r2curl in ECOSYSTEM (#2141) - 유용우 / CX
• Update README.md - Add instructions for installing with yarn (#2036) - Victor Hermes
• Fixing spacing for README.md (#2066) - Josh McCarty
• Update README.md. - Change .then to .finally in example code (#2090) - Omar Cai
• Clarify what values responseType can have in Node (#2121) - Tyler Breisacher
• docs(ECOSYSTEM): add axios-api-versioning (#2020) - Weffe
• It seems that responseType: 'blob' doesn't actually work in Node (when I tried using it, response.data was a string, not a Blob, since Node doesn't have Blobs), so this clarifies that this option should only be used in the browser
• Add issue templates - Emily Morehouse
• Update README.md. - Add Querystring library note (#1896) - Dmitriy Eroshenko
• Add react-hooks-axios to Libraries section of ECOSYSTEM.md (#1925) - Cody Chan
• Clarify in README that default timeout is 0 (no timeout) (#1750) - Ben Standefer

v0.19.0-beta.1

NOTE: This is a beta version of this release. There may be functionality that is broken in certain browsers, though we suspect that builds are hanging and not erroring. See https://saucelabs.com/u/axios for the most up-to-date information.

New Functionality:

• Add getUri method (#1712)
• Add support for no_proxy env variable (#1693)
• Add toJSON to decorated Axios errors to faciliate serialization (#1625)
• Add second then on axios call (#1623)
• Typings: allow custom return types
• Add option to specify character set in responses (with http adapter)

Fixes:

</tr></table> ... (truncated) </details> <details> <summary>Changelog</summary>

Sourced from axios's changelog.

0.19.0 (May 30, 2019)

Fixes and Functionality:

• Added support for no_proxy env variable (#434) - Chance Dickson
• Unzip response body only for statuses != 204 (#1129) - drawski
• Destroy stream on exceeding maxContentLength (fixes #1098) (#1485) - Gadzhi Gadzhiev
• Makes Axios error generic to use AxiosResponse (#1738) - Suman Lama
• Fixing Mocha tests by locking follow-redirects version to 1.5.10 (#1993) - grumblerchester
• Allow uppercase methods in typings. (#1781) - Ken Powers
• Fixing building url with hash mark (#1771) - Anatoly Ryabov
• This commit fix building url with hash map (fragment identifier) when parameters are present: they must not be added after #, because client cut everything after #
• Preserve HTTP method when following redirect (#1758) - Rikki Gibson
• Add getUri signature to TypeScript definition. (#1736) - Alexander Trauzzi
• Adding isAxiosError flag to errors thrown by axios (#1419) - Ayush Gupta

Internal:

• Fixing .eslintrc without extension (#1789) - Manoel
• Fix failing SauceLabs tests by updating configuration - Emily Morehouse
• Add issue templates - Emily Morehouse

Documentation:

• Consistent coding style in README (#1787) - Ali Servet Donmez
• Add information about auth parameter to README (#2166) - xlaguna
• Add DELETE to list of methods that allow data as a config option (#2169) - Daniela Borges Matos de Carvalho
• Update ECOSYSTEM.md - Add Axios Endpoints (#2176) - Renan
• Add r2curl in ECOSYSTEM (#2141) - 유용우 / CX
• Update README.md - Add instructions for installing with yarn (#2036) - Victor Hermes
• Fixing spacing for README.md (#2066) - Josh McCarty
• Update README.md. - Change .then to .finally in example code (#2090) - Omar Cai
• Clarify what values responseType can have in Node (#2121) - Tyler Breisacher
• docs(ECOSYSTEM): add axios-api-versioning (#2020) - Weffe
• It seems that responseType: 'blob' doesn't actually work in Node (when I tried using it, response.data was a string, not a Blob, since Node doesn't have Blobs), so this clarifies that this option should only be used in the browser
• Update README.md. - Add Querystring library note (#1896) - Dmitriy Eroshenko
• Add react-hooks-axios to Libraries section of ECOSYSTEM.md (#1925) - Cody Chan
• Clarify in README that default timeout is 0 (no timeout) (#1750) - Ben Standefer

0.19.0-beta.1 (Aug 9, 2018)

NOTE: This is a beta version of this release. There may be functionality that is broken in certain browsers, though we suspect that builds are hanging and not erroring. See https://saucelabs.com/u/axios for the most up-to-date information.

New Functionality:

• Add getUri method (#1712)
• Add support for no_proxy env variable (#1693)
• Add toJSON to decorated Axios errors to faciliate serialization (#1625) </tr></table> ... (truncated) </details> <details> <summary>Commits</summary>

• 8d0b92b Releasing 0.19.0
• 3f7451c Update Changelog for release (0.19.0)
• f28ff93 Add information about auth parameter to README (#2166)
• 5250e6e Add DELETE to list of methods that allow data as a config option (#2169)
• 6b0ccd1 Update ECOSYSTEM.md - Add Axios Endpoints (#2176)
• 299e827 Add r2curl in ECOSYSTEM (#2141)
• fd0c959 Unzip response body only for statuses != 204 (#1129)
• 92d2313 Update README.md - Add instructions for installing with yarn (#2036)
• ddcc2e4 Fixing spacing for README.md (#2066)
• 48c43d5 Update README.md. - Change .then to .finally in example code (#2090)
• Additional commits viewable in compare view </details> <details> <summary>Maintainer changes</summary>

This version was pushed to npm by emilyemorehouse, a new releaser for axios since your current version. </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps jackson-databind from 2.7.5 to 2.9.10.1. <details> <summary>Commits</summary>

• See full diff in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps webpack-dev-server from 2.1.0-beta.0 to 3.1.11. <details> <summary>Release notes</summary>

Sourced from webpack-dev-server's releases.

v3.1.11

<a name="3.1.11"></a>

3.1.11 (2018-12-21)

Bug Fixes

• bin/options: correct check for color support (options.color) (#1555) (55398b5)
• package: update spdy v3.4.1...4.0.0 (assertion error) (#1491) (#1563) (7a3a257)
• Server: correct node version checks (#1543) (927a2b3)
• Server: mime type for wasm in contentBase directory (#1575) (#1580) (fadae5d)
• add url for compatibility with webpack@5 (#1598) (#1599) (68dd49a)
• check origin header for websocket connection (#1603) (b3217ca)

v3.1.10

2018-10-23

Bug Fixes

• options: add writeToDisk option to schema (#1520) (d2f4902)
• package: update sockjs-client v1.1.5...1.3.0 (url-parse vulnerability) (#1537) (e719959)
• Server: set tls.DEFAULT_ECDH_CURVE to 'auto' (#1531) (c12def3)

v3.1.9

No release notes provided.

v3.1.8

2018-09-06

Bug Fixes

• package: yargs security vulnerability (dependencies) (#1492) (8fb67c9)
• utils/createLogger: ensure quiet always takes precedence (options.quiet) (#1486) (7a6ca47)

v3.1.7

2018-08-29

Bug Fixes

• Server: don't use spdy on node >= v10.0.0 (#1451) (8ab9eb6)

v3.1.6

2018-08-26

Bug Fixes

</tr></table> ... (truncated) </details> <details> <summary>Changelog</summary>

Sourced from webpack-dev-server's changelog.

3.1.11 (2018-12-21)

Bug Fixes

• bin/options: correct check for color support (options.color) (#1555) (55398b5)
• package: update spdy v3.4.1...4.0.0 (assertion error) (#1491) (#1563) (7a3a257)
• Server: correct node version checks (#1543) (927a2b3)
• Server: mime type for wasm in contentBase directory (#1575) (#1580) (fadae5d)
• add url for compatibility with webpack@5 (#1598) (#1599) (68dd49a)
• check origin header for websocket connection (#1603) (b3217ca)

<a name="3.1.10"></a>

3.1.10 (2018-10-23)

Bug Fixes

• options: add writeToDisk option to schema (#1520) (d2f4902)
• package: update sockjs-client v1.1.5...1.3.0 (url-parse vulnerability) (#1537) (e719959)
• Server: set tls.DEFAULT_ECDH_CURVE to 'auto' (#1531) (c12def3)

<a name="3.1.9"></a>

3.1.9 (2018-09-24)

<a name="3.1.8"></a>

3.1.8 (2018-09-06)

Bug Fixes

• package: yargs security vulnerability (dependencies) (#1492) (8fb67c9)
• utils/createLogger: ensure quiet always takes precedence (options.quiet) (#1486) (7a6ca47)

<a name="3.1.7"></a>

3.1.7 (2018-08-29)

Bug Fixes

• Server: don't use spdy on node >= v10.0.0 (#1451) (8ab9eb6)

</tr></table> ... (truncated) </details> <details> <summary>Commits</summary>

• ff2874f chore(release): 3.1.11
• b3217ca fix: check origin header for websocket connection (#1603)
• 68dd49a fix: add url for compatibility with webpack@5 (#1598) (#1599)
• fadae5d fix(Server): mime type for wasm in contentBase directory (#1575) (#1580)
• 7a3a257 fix(package): update spdy v3.4.1...4.0.0 (assertion error) (#1491) (#1563)
• 1fe82de ci(travis): Node 11 (on OS X) crashes, use 10 for now (#1588)
• 55398b5 fix(bin/options): correct check for color support (options.color) (#1555)
• 927a2b3 fix(Server): correct node version checks (#1543)
• fa96a76 chore(PULL_REQUEST_TEMPLATE): allow features (#1539)
• fe3219f chore(release): 3.1.10
• Additional commits viewable in compare view </details> <details> <summary>Maintainer changes</summary>

This version was pushed to npm by evilebottnawi, a new releaser for webpack-dev-server since your current version. </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps safer-eval from 1.3.2 to 1.3.5. <details> <summary>Commits</summary>

• 6d5ed4b 1.3.5
• fbbc623 Merge pull request #7 from commenthol/strict-mode-recommendation
• 1a87237 fix: use strict mode recommendation
• b81dab9 1.3.4
• 073267a Merge pull request #6 from commenthol/fix-breakout-console
• 25c3048 docu: Update tested browsers/ node versions
• 25fbbe5 fix: sandbox breakout with console.constructor...
• 1ff9411 chore: bump dependencies
• d3167c8 1.3.3
• ba69286 Merge pull request #5 from commenthol/warning
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Superseded by #7.

Bumps safer-eval from 1.3.2 to 1.3.6. <details> <summary>Commits</summary>

• d79adcf 1.3.6
• fe26316 docu: THIS MODULE IS HARMFUL
• 6d5ed4b 1.3.5
• fbbc623 Merge pull request #7 from commenthol/strict-mode-recommendation
• 1a87237 fix: use strict mode recommendation
• b81dab9 1.3.4
• 073267a Merge pull request #6 from commenthol/fix-breakout-console
• 25c3048 docu: Update tested browsers/ node versions
• 25fbbe5 fix: sandbox breakout with console.constructor...
• 1ff9411 chore: bump dependencies
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps axios from 0.17.1 to 0.19.0. <details> <summary>Release notes</summary>

Sourced from axios's releases.

v0.19.0

Fixes and Functionality:

• Unzip response body only for statuses != 204 (#1129) - drawski
• Destroy stream on exceeding maxContentLength (fixes #1098) (#1485) - Gadzhi Gadzhiev
• Makes Axios error generic to use AxiosResponse (#1738) - Suman Lama
• Fixing Mocha tests by locking follow-redirects version to 1.5.10 (#1993) - grumblerchester
• Allow uppercase methods in typings. (#1781) - Ken Powers
• Fixing .eslintrc without extension (#1789) - Manoel
• Consistent coding style (#1787) - Ali Servet Donmez
• Fixing building url with hash mark (#1771) - Anatoly Ryabov
• This commit fix building url with hash map (fragment identifier) when parameters are present: they must not be added after #, because client cut everything after #
• Preserve HTTP method when following redirect (#1758) - Rikki Gibson
• Add getUri signature to TypeScript definition. (#1736) - Alexander Trauzzi
• Adding isAxiosError flag to errors thrown by axios (#1419) - Ayush Gupta
• Fix failing SauceLabs tests by updating configuration - Emily Morehouse

Documentation:

• Add information about auth parameter to README (#2166) - xlaguna
• Add DELETE to list of methods that allow data as a config option (#2169) - Daniela Borges Matos de Carvalho
• Update ECOSYSTEM.md - Add Axios Endpoints (#2176) - Renan
• Add r2curl in ECOSYSTEM (#2141) - 유용우 / CX
• Update README.md - Add instructions for installing with yarn (#2036) - Victor Hermes
• Fixing spacing for README.md (#2066) - Josh McCarty
• Update README.md. - Change .then to .finally in example code (#2090) - Omar Cai
• Clarify what values responseType can have in Node (#2121) - Tyler Breisacher
• docs(ECOSYSTEM): add axios-api-versioning (#2020) - Weffe
• It seems that responseType: 'blob' doesn't actually work in Node (when I tried using it, response.data was a string, not a Blob, since Node doesn't have Blobs), so this clarifies that this option should only be used in the browser
• Add issue templates - Emily Morehouse
• Update README.md. - Add Querystring library note (#1896) - Dmitriy Eroshenko
• Add react-hooks-axios to Libraries section of ECOSYSTEM.md (#1925) - Cody Chan
• Clarify in README that default timeout is 0 (no timeout) (#1750) - Ben Standefer

v0.19.0-beta.1

NOTE: This is a beta version of this release. There may be functionality that is broken in certain browsers, though we suspect that builds are hanging and not erroring. See https://saucelabs.com/u/axios for the most up-to-date information.

New Functionality:

• Add getUri method (#1712)
• Add support for no_proxy env variable (#1693)
• Add toJSON to decorated Axios errors to faciliate serialization (#1625)
• Add second then on axios call (#1623)
• Typings: allow custom return types
• Add option to specify character set in responses (with http adapter)

Fixes:

</tr></table> ... (truncated) </details> <details> <summary>Changelog</summary>

Sourced from axios's changelog.

0.19.0 (May 30, 2019)

Fixes and Functionality:

• Added support for no_proxy env variable (#434) - Chance Dickson
• Unzip response body only for statuses != 204 (#1129) - drawski
• Destroy stream on exceeding maxContentLength (fixes #1098) (#1485) - Gadzhi Gadzhiev
• Makes Axios error generic to use AxiosResponse (#1738) - Suman Lama
• Fixing Mocha tests by locking follow-redirects version to 1.5.10 (#1993) - grumblerchester
• Allow uppercase methods in typings. (#1781) - Ken Powers
• Fixing building url with hash mark (#1771) - Anatoly Ryabov
• This commit fix building url with hash map (fragment identifier) when parameters are present: they must not be added after #, because client cut everything after #
• Preserve HTTP method when following redirect (#1758) - Rikki Gibson
• Add getUri signature to TypeScript definition. (#1736) - Alexander Trauzzi
• Adding isAxiosError flag to errors thrown by axios (#1419) - Ayush Gupta

Internal:

• Fixing .eslintrc without extension (#1789) - Manoel
• Fix failing SauceLabs tests by updating configuration - Emily Morehouse
• Add issue templates - Emily Morehouse

Documentation:

• Consistent coding style in README (#1787) - Ali Servet Donmez
• Add information about auth parameter to README (#2166) - xlaguna
• Add DELETE to list of methods that allow data as a config option (#2169) - Daniela Borges Matos de Carvalho
• Update ECOSYSTEM.md - Add Axios Endpoints (#2176) - Renan
• Add r2curl in ECOSYSTEM (#2141) - 유용우 / CX
• Update README.md - Add instructions for installing with yarn (#2036) - Victor Hermes
• Fixing spacing for README.md (#2066) - Josh McCarty
• Update README.md. - Change .then to .finally in example code (#2090) - Omar Cai
• Clarify what values responseType can have in Node (#2121) - Tyler Breisacher
• docs(ECOSYSTEM): add axios-api-versioning (#2020) - Weffe
• It seems that responseType: 'blob' doesn't actually work in Node (when I tried using it, response.data was a string, not a Blob, since Node doesn't have Blobs), so this clarifies that this option should only be used in the browser
• Update README.md. - Add Querystring library note (#1896) - Dmitriy Eroshenko
• Add react-hooks-axios to Libraries section of ECOSYSTEM.md (#1925) - Cody Chan
• Clarify in README that default timeout is 0 (no timeout) (#1750) - Ben Standefer

0.19.0-beta.1 (Aug 9, 2018)

NOTE: This is a beta version of this release. There may be functionality that is broken in certain browsers, though we suspect that builds are hanging and not erroring. See https://saucelabs.com/u/axios for the most up-to-date information.

New Functionality:

• Add getUri method (#1712)
• Add support for no_proxy env variable (#1693)
• Add toJSON to decorated Axios errors to faciliate serialization (#1625) </tr></table> ... (truncated) </details> <details> <summary>Commits</summary>

• 8d0b92b Releasing 0.19.0
• 3f7451c Update Changelog for release (0.19.0)
• f28ff93 Add information about auth parameter to README (#2166)
• 5250e6e Add DELETE to list of methods that allow data as a config option (#2169)
• 6b0ccd1 Update ECOSYSTEM.md - Add Axios Endpoints (#2176)
• 299e827 Add r2curl in ECOSYSTEM (#2141)
• fd0c959 Unzip response body only for statuses != 204 (#1129)
• 92d2313 Update README.md - Add instructions for installing with yarn (#2036)
• ddcc2e4 Fixing spacing for README.md (#2066)
• 48c43d5 Update README.md. - Change .then to .finally in example code (#2090)
• Additional commits viewable in compare view </details> <details> <summary>Maintainer changes</summary>

This version was pushed to npm by emilyemorehouse, a new releaser for axios since your current version. </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps sprockets from 3.7.0 to 3.7.2. <details> <summary>Changelog</summary>

Sourced from sprockets's changelog.

3.7.2 (June 19, 2018)

• Security release for CVE-2018-3760.

3.7.1 (December 19, 2016)

• Ruby 2.4 support for Sprockets 3.

3.7.0 (July 21, 2016)

• Deprecated interfaces now emit deprecation warnings #345

3.6.3 (July 1, 2016)

• Faster asset lookup in large directories #336
• Faster PathUtils.match_path_extname https://github.com/rails/sprockets/commit/697269cf81e5261fdd7072e32bd489403027fd7e
• Fixed uglifier comment stripping #326
• Error messages now show load path info #313

3.6.2 (June 21, 2016)

• More performance improvements.

3.6.1 (June 17, 2016)

• Some performance improvements.

3.6.0 (April 6, 2016)

• Add Manifest#find_sources to return the source of the compiled assets.
• Fix the list of compressable mime types.
• Improve performance of the FileStore cache.

3.5.2 (December 8, 2015)

• Fix JRuby bug with concurrent-ruby.
• Fix disabling gzip generation in cached environments.

3.5.1 (December 5, 2015)

• Fix gzip asset generation for assets already on disk.

3.5.0 (December 3, 2015)

• Reintroduce Gzip file generation for non-binary assets.

3.4.1 (November 25, 2015)

• PathUtils::Entries will no longer error on an empty directory.

</tr></table> ... (truncated) </details> <details> <summary>Commits</summary>

• 2f7b7e5 v3.7.2
• 9c34fa0 Do not respond to http requests asking for a file://
• eb0af6d Make sure find_sources behaves in the same way when the assets don't
• cfae3de Merge pull request #487 from mcfiredrill/patch-1
• dbeda82 typo in deprecation message
• 10dada6 v3.7.1
• a20f35c Merge pull request #442 from maclover7/jm-ruby-24
• d47639f Update Sprockets::Utils#duplicable? for Ruby 2.4+
• d62bf7b Add Ruby v2.4.0-rc1 to Travis matrix
• 9c2c5f8 Backport test changes from a4001a4b2f8408f0a87ff44aa21b502c1847f79e
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps webpack-bundle-analyzer from 2.13.1 to 3.3.2. <details> <summary>Release notes</summary>

Sourced from webpack-bundle-analyzer's releases.

First test with Lerna monorepo

th0r/webpack-bundle-analyzer#98 </details> <details> <summary>Changelog</summary>

Sourced from webpack-bundle-analyzer's changelog.

3.3.2

• Bug Fix
  • Fix regression with escaping internal assets (#264, fixes #263)

3.3.1

• Improvements

  • Use relative links for serving internal assets (#261, fixes #254)
  • Properly escape embedded JS/JSON (#262)

• Bug Fix

  • Fix showing help message on -h flag (#260, fixes #239)

3.3.0

• New Feature

  • Show/hide chunks using context menu (#246, @​bregenspan)

• Internal

  • Updated dev dependencies

3.2.0

• Improvements
  • Add support for .mjs output files (#252, @​jlopezxs)

3.1.0

• Bug Fix
  • Properly determine the size of the modules containing special characters (#223, @​hulkish)
  • Update acorn to v6 (#248, @​realityking)

3.0.4

• Bug Fix
  • Make webpack's done hook wait until analyzer writes report or stat file (#247, @​mareolan)

3.0.3

• Bug Fix
  • Disable viewer websocket connection when report is generated in static mode (#215, @​sebastianhaeni)

3.0.2

• Improvements

  • Drop @babel/runtime dependency (#209, @​realityking)
  • Properly specify minimal Node.js version in .babelrc (#209, @​realityking)

• Bug Fix </tr></table> ... (truncated) </details> <details> <summary>Commits</summary>

• 345c3f5 v3.3.2
• a615815 Merge pull request #264 from webpack-contrib/fix-escape-regression
• 20f2b4c Fix regression with escaping internal assets
• 9836649 v3.3.1
• d1db526 Remove outdated item from troubleshooting section
• ca34279 Merge pull request #261 from webpack-contrib/relative-links-to-assets
• 99818f9 Fix changelog
• 21722d2 Add changelog entry
• ed99c32 Use relative links for serving internal assets
• 3ce1b8c Merge pull request #262 from webpack-contrib/proper-js-escape
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps axios from 0.15.3 to 0.18.1. <details> <summary>Release notes</summary>

Sourced from axios's releases.

v0.18.1

Security Fix:

• Destroy stream on exceeding maxContentLength (fixes #1098) (#1485) - Gadzhi Gadzhiev

v.0.18.0

• Adding support for UNIX Sockets when running with Node.js (#1070)
• Fixing typings (#1177):
  • AxiosRequestConfig.proxy: allows type false
  • AxiosProxyConfig: added auth field
• Adding function signature in AxiosInstance interface so AxiosInstance can be invoked (#1192, #1254)
• Allowing maxContentLength to pass through to redirected calls as maxBodyLength in follow-redirects config (#1287)
• Fixing configuration when using an instance - method can now be set (#1342)

0.17.1 (Nov 11, 2017)

• Fixing issue with web workers (#1160)
• Allowing overriding transport (#1080)
• Updating TypeScript typings (#1165, #1125, #1131)

v0.17.1

No release notes provided.

v0.17.0

No release notes provided.

v0.16.2

No release notes provided.

v0.16.1

No release notes provided.

v0.16.0

No release notes provided. </details> <details> <summary>Changelog</summary>

Sourced from axios's changelog.

0.18.1 (May 31, 2019)

Security Fix:

• Destroy stream on exceeding maxContentLength (fixes #1098) (#1485) - Gadzhi Gadzhiev

0.18.0 (Feb 19, 2018)

• Adding support for UNIX Sockets when running with Node.js (#1070)
• Fixing typings (#1177):
  • AxiosRequestConfig.proxy: allows type false
  • AxiosProxyConfig: added auth field
• Adding function signature in AxiosInstance interface so AxiosInstance can be invoked (#1192, #1254)
• Allowing maxContentLength to pass through to redirected calls as maxBodyLength in follow-redirects config (#1287)
• Fixing configuration when using an instance - method can now be set (#1342)

0.17.1 (Nov 11, 2017)

• Fixing issue with web workers (#1160)
• Allowing overriding transport (#1080)
• Updating TypeScript typings (#1165, #1125, #1131)

0.17.0 (Oct 21, 2017)

• BREAKING Fixing issue with baseURL and interceptors (#950)
• BREAKING Improving handing of duplicate headers (#874)
• Adding support for disabling proxies (#691)
• Updating TypeScript typings with generic type parameters (#1061)

0.16.2 (Jun 3, 2017)

• Fixing issue with including buffer in bundle (#887)
• Including underlying request in errors (#830)
• Convert method to lowercase (#930)

0.16.1 (Apr 8, 2017)

• Improving HTTP adapter to return last request in case of redirects (#828)
• Updating follow-redirects dependency (#829)
• Adding support for passing Buffer in node (#773)

0.16.0 (Mar 31, 2017)

• BREAKING Removing Promise from axios typings in favor of built-in type declarations (#480)
• Adding options shortcut method (#461)
• Fixing issue with using responseType: 'json' in browsers incompatible with XHR Level 2 (#654)
• Improving React Native detection (#731)
• Fixing combineURLs to support empty relativeURL (#581)
• Removing PROTECTION_PREFIX support (#561) </details> <details> <summary>Commits</summary>

• face016 Releasing 0.18.1
• 0628763 Update Changelog for release (0.18.1)
• dc9b29c adjust README to match IE support
• 16326d5 Remove usages of isOldIE in tests
• 5a4228b Remove IE10 launcher from karma config
• 695b5f7 Remove isOldIE check in tests
• e314ab0 Remove HTTP 1223 handling
• 7efa822 Remove btoa polyfill tests
• f3cdcc7 Delete btoa polyfill
• efc0b58 Remove ie8/9 special CORS treatment and btoa polyfill
• Additional commits viewable in compare view </details> <details> <summary>Maintainer changes</summary>

This version was pushed to npm by emilyemorehouse, a new releaser for axios since your current version. </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps rails-html-sanitizer from 1.0.3 to 1.3.0. <details> <summary>Release notes</summary>

Sourced from rails-html-sanitizer's releases.

v1.3.0

• Address deprecations in Loofah 2.3.0.

  Josh Goodall

v1.2.0

• Remove needless white_list_sanitizer deprecation.

  By deprecating this, we were forcing Rails 5.2 to be updated or spew deprecations that users could do nothing about.

  That's pointless and I'm sorry for adding that!

  Now there's no deprecation warning and Rails 5.2 works out of the box, while Rails 6 can use the updated naming.

  Kasper Timm Hansen

v1.1.0

• Add safe_list_sanitizer and deprecate white_list_sanitizer to be removed in 1.2.0. rails/rails-html-sanitizer#87

  Juanito Fatas

• Remove href from LinkScrubber's tags as it's not an element. rails/rails-html-sanitizer#92

  Juanito Fatas

• Explain that we don't need to bump Loofah here if there's CVEs. https://github.com/rails/rails-html-sanitizer/commit/d4d823c617fdd0064956047f7fbf23fff305a69b

  Kasper Timm Hansen

v1.0.4

• Fix CVE-2018-3741. </details> <details> <summary>Changelog</summary>

Sourced from rails-html-sanitizer's changelog.

1.3.0

• Address deprecations in Loofah 2.3.0.

  Josh Goodall

1.2.0

• Remove needless white_list_sanitizer deprecation.

  By deprecating this, we were forcing Rails 5.2 to be updated or spew deprecations that users could do nothing about.

  That's pointless and I'm sorry for adding that!

  Now there's no deprecation warning and Rails 5.2 works out of the box, while Rails 6 can use the updated naming.

  Kasper Timm Hansen

1.1.0

• Add safe_list_sanitizer and deprecate white_list_sanitizer to be removed in 1.2.0. rails/rails-html-sanitizer#87

  Juanito Fatas

• Remove href from LinkScrubber's tags as it's not an element. rails/rails-html-sanitizer#92

  Juanito Fatas

• Explain that we don't need to bump Loofah here if there's CVEs. https://github.com/rails/rails-html-sanitizer/commit/d4d823c617fdd0064956047f7fbf23fff305a69b

  Kasper Timm Hansen

1.0.1

• Added support for Rails 4.2.0.beta2 and above

1.0.0

• First release. </details> <details> <summary>Commits</summary>

• 51dc564 v1.3.0
• 65b9f88 Merge pull request #102 from orien/gem-metadata
• 845da04 Add project metadata to the gemspec
• 43a87f5 Match Loofah's API changes.
• b8ea80d Prepare 1.2.0
• 5581871 Remove needless white list sanitizer deprecations
• 1a02a14 Merge pull request #96 from olleolleolle/patch-1
• 31cf584 CI: Drop unused sudo: false Travis directive
• 0b64e50 Merge pull request #95 from rwojnarowski/patch-1
• 21da038 Deprecated warning text, missing space
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps rack from 1.6.4 to 1.6.11. <details> <summary>Commits</summary>

• 2bef132 Bumping version for release
• 97ca63d Whitelist http/https schemes
• 7b5054e Merge pull request #1296 from tomelm/fix-prefers-plaintext
• fdcd03a Bump version for release
• 2293c6a Merge pull request #1249 from mclark/handle-invalid-method-parameters
• b27dd86 handle failure to upcase invalid strings
• 274d934 Stick with a passing version of Rubygems and bundler
• 617aac0 bump version for release
• dc017e7 Merge pull request #1237 from eileencodes/backport-1137
• 4d6965a Backport pull request #1137 from unabridged/fix-eof-failure
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Looks like rails-html-sanitizer is up-to-date now, so this is no longer needed.

Looks like rack is no longer updatable, so this is no longer needed.

Bumps mixin-deep from 1.3.1 to 1.3.2. <details> <summary>Commits</summary>

• 754f0c2 1.3.2
• 90ee1fa ensure keys are valid when mixing in values
• See full diff in compare view </details> <details> <summary>Maintainer changes</summary>

This version was pushed to npm by doowb, a new releaser for mixin-deep since your current version. </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps lodash.template from 4.4.0 to 4.5.0. <details> <summary>Commits</summary>

• ab73503 Bump to v4.5.0.
• a4f7d4c Rebuild lodash and docs.
• cca5ac6 Fix npm-test by removing the call to test-docs.
• 9f7f9fc Adjust heading order. [ci skip]
• 6e2fb92 Remove unused baseArity.
• 4f702e2 Specify utf8 encoding.
• b188f90 Add fp tests for iteratee shorthands.
• 7b93dc9 Ensure clone methods clone expando properties of boolean, number, & string ob...
• 664d66a Make string tests more consistent.
• d9dc0e6 Add _.invertBy tests.
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps mixin-deep from 1.3.1 to 1.3.2. <details> <summary>Commits</summary>

• 754f0c2 1.3.2
• 90ee1fa ensure keys are valid when mixing in values
• See full diff in compare view </details> <details> <summary>Maintainer changes</summary>

This version was pushed to npm by doowb, a new releaser for mixin-deep since your current version. </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps handlebars from 4.0.12 to 4.5.3. <details> <summary>Changelog</summary>

Sourced from handlebars's changelog.

v4.5.3 - November 18th, 2019

Bugfixes:

• fix: add "no-prototype-builtins" eslint-rule and fix all occurences - f7f05d7
• fix: add more properties required to be enumerable - 1988878

Chores / Build:

• fix: use !== 0 instead of != 0 - c02b05f
• add chai and dirty-chai and sinon, for cleaner test-assertions and spies, deprecate old assertion-methods - 93e284e, 886ba86, 0817dad, 93516a0

Security:

• The properties __proto__, __defineGetter__, __defineSetter__ and __lookupGetter__ have been added to the list of "properties that must be enumerable". If a property by that name is found and not enumerable on its parent, it will silently evaluate to undefined. This is done in both the compiled template and the "lookup"-helper. This will prevent new Remote-Code-Execution exploits that have been published recently.

Compatibility notes:

• Due to the security-fixes. The semantics of the templates using __proto__, __defineGetter__, __defineSetter__ and __lookupGetter__ in the respect that those expression now return undefined rather than their actual value from the proto.
• The semantics have not changed in cases where the properties are enumerable, as in:

{
  __proto__: 'some string'
}

• The change may be breaking in that respect, but we still only increase the patch-version, because the incompatible use-cases are not intended, undocumented and far less important than fixing Remote-Code-Execution exploits on existing systems.

Commits

v4.5.2 - November 13th, 2019

Bugfixes

• fix: use String(field) in lookup when checking for "constructor" - d541378
• test: add fluent API for testing Handlebars - c2ac79c

Compatibility notes:

• no incompatibility are to be expected </tr></table> ... (truncated) </details> <details> <summary>Commits</summary>

• c819c8b v4.5.3
• 827c9d0 Update release notes
• f7f05d7 fix: add "no-prototype-builtins" eslint-rule and fix all occurences
• 1988878 fix: add more properties required to be enumerable
• 886ba86 test/chore: add chai/expect and sinon to "runtime"-environment
• 0817dad test: add sinon as global variable to eslint in the specs
• 93516a0 test: add sinon.js for spies, deprecate current assertions
• 93e284e chore: add chai and dirty-chai for better test assertions
• c02b05f fix: use !== 0 instead of != 0
• 8de121d v4.5.2
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps merge from 1.2.0 to 1.2.1. <details> <summary>Commits</summary>

• b31e67f link broken
• 6ad6035 Fix prototype pollution
• See full diff in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps nokogiri from 1.6.7.2 to 1.10.7. <details> <summary>Release notes</summary>

Sourced from nokogiri's releases.

1.10.7 / 2019-12-03

Bug

• [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. #1954

1.10.6 / 2019-12-03

Bug

• [MRI] Fix FreeBSD installation of vendored libxml2. [#1941, #1953] (Thanks, @​nurse!)

1.10.5 / 2019-10-31

Dependencies

• [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
• [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

1.10.4 / 2019-08-11

Security

Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

This CVE's public notice is sparklemotion/nokogiri#1915

1.10.3 / 2019-04-22

Security Notes

[MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

1.10.2 / 2019-03-24

Security

• [MRI] Remove support from vendored libxml2 for future script macros. #1871
• [MRI] Remove support from vendored libxml2 for server-side includes within attributes. #1877 </tr></table> ... (truncated) </details> <details> <summary>Changelog</summary>

Sourced from nokogiri's changelog.

1.10.7 / 2019-12-03

Bug

• [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. #1954

1.10.6 / 2019-12-03

Bug

• [MRI] Fix FreeBSD installation of vendored libxml2. [#1941, #1953] (Thanks, @​nurse!)

1.10.5 / 2019-10-31

Security

[MRI] Vendored libxslt upgraded to v1.1.34 which addresses three CVEs for libxslt:

• CVE-2019-13117
• CVE-2019-13118
• CVE-2019-18197

More details are available at #1943.

Dependencies

• [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
• [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

1.10.4 / 2019-08-11

Security

Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

This CVE's public notice is sparklemotion/nokogiri#1915

1.10.3 / 2019-04-22

Security Notes

</tr></table> ... (truncated) </details> <details> <summary>Commits</summary>

• e6b3229 version bump to v1.10.7
• 4f9d443 update CHANGELOG
• 80e67ef Fix the patch from #1953 to work with both git and patch
• 7cf1b85 Fix typo in generated metadata
• d76180d add gem metadata
• 13132fc version bump to v1.10.6
• 95e56fd update CHANGELOG
• 73c53ee Add a patch to fix libxml2.la's path
• 061d75d add security note to CHANGELOG
• 1bc2ff9 version bump to v1.10.5
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps lodash.template from 4.4.0 to 4.5.0. <details> <summary>Commits</summary>

• ab73503 Bump to v4.5.0.
• a4f7d4c Rebuild lodash and docs.
• cca5ac6 Fix npm-test by removing the call to test-docs.
• 9f7f9fc Adjust heading order. [ci skip]
• 6e2fb92 Remove unused baseArity.
• 4f702e2 Specify utf8 encoding.
• b188f90 Add fp tests for iteratee shorthands.
• 7b93dc9 Ensure clone methods clone expando properties of boolean, number, & string ob...
• 664d66a Make string tests more consistent.
• d9dc0e6 Add _.invertBy tests.
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Looks like nokogiri is up-to-date now, so this is no longer needed.

Bumps eslint from 4.17.0 to 4.18.2. <details> <summary>Release notes</summary>

Sourced from eslint's releases.

v4.18.2

• 6b71fd0 Fix: table@4.0.2, because 4.0.3 needs "ajv": "^6.0.1" (#10022) (Mathieu Seiler)
• 3c697de Chore: fix incorrect comment about linter.verify return value (#10030) (Teddy Katz)
• 9df8653 Chore: refactor parser-loading out of linter.verify (#10028) (Teddy Katz)
• f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019) (Jamie Davis)
• e4f52ce Chore: Simplify dataflow in linter.verify (#10020) (Teddy Katz)
• 33177cd Chore: make library files non-executable (#10021) (Teddy Katz)
• 558ccba Chore: refactor directive comment processing (#10007) (Teddy Katz)
• 18e15d9 Chore: avoid useless catch clauses that just rethrow errors (#10010) (Teddy Katz)
• a1c3759 Chore: refactor populating configs with defaults in linter (#10006) (Teddy Katz)
• aea07dc Fix: Make max-len ignoreStrings ignore JSXText (fixes #9954) (#9985) (Rachael Sim)

v4.18.1

• f417506 Fix: ensure no-await-in-loop reports the correct node (fixes #9992) (#9993) (Teddy Katz)
• 3e99363 Docs: Fixed typo in key-spacing rule doc (#9987) (Jaid)
• 7c2cd70 Docs: deprecate experimentalObjectRestSpread (#9986) (Toru Nagashima)

v4.18.0

• 70f22f3 Chore: Apply memoization to config creation within glob utils (#9944) (Kenton Jacobsen)
• 0e4ae22 Update: fix indent bug with binary operators/ignoredNodes (fixes #9882) (#9951) (Teddy Katz)
• 47ac478 Update: add named imports and exports for object-curly-newline (#9876) (Nicholas Chua)
• e8efdd0 Fix: support Rest/Spread Properties (fixes #9885) (#9943) (Toru Nagashima)
• f012b8c Fix: support Async iteration (fixes #9891) (#9957) (Toru Nagashima)
• 74fa253 Docs: Clarify no-mixed-operators options (fixes #9962) (#9964) (Ivan Hayes)
• 426868f Docs: clean up key-spacing docs (fixes #9900) (#9963) (Abid Uzair)
• 4a6f22e Update: support eslint-disable-* block comments (fixes #8781) (#9745) (Erin)
• 777283b Docs: Propose fix typo for function (#9965) (John Eismeier)
• bf3d494 Docs: Fix typo in max-len ignorePattern example. (#9956) (Tim Martin)
• d64fbb4 Docs: fix typo in prefer-destructuring.md example (#9930) (Vse Mozhet Byt)
• f8d343f Chore: Fix default issue template (#9946) (Kai Cataldo) </details> <details> <summary>Changelog</summary>

Sourced from eslint's changelog.

v4.18.2 - March 2, 2018

• 6b71fd0 Fix: table@4.0.2, because 4.0.3 needs "ajv": "^6.0.1" (#10022) (Mathieu Seiler)
• 3c697de Chore: fix incorrect comment about linter.verify return value (#10030) (Teddy Katz)
• 9df8653 Chore: refactor parser-loading out of linter.verify (#10028) (Teddy Katz)
• f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019) (Jamie Davis)
• e4f52ce Chore: Simplify dataflow in linter.verify (#10020) (Teddy Katz)
• 33177cd Chore: make library files non-executable (#10021) (Teddy Katz)
• 558ccba Chore: refactor directive comment processing (#10007) (Teddy Katz)
• 18e15d9 Chore: avoid useless catch clauses that just rethrow errors (#10010) (Teddy Katz)
• a1c3759 Chore: refactor populating configs with defaults in linter (#10006) (Teddy Katz)
• aea07dc Fix: Make max-len ignoreStrings ignore JSXText (fixes #9954) (#9985) (Rachael Sim)

v4.18.1 - February 20, 2018

• f417506 Fix: ensure no-await-in-loop reports the correct node (fixes #9992) (#9993) (Teddy Katz)
• 3e99363 Docs: Fixed typo in key-spacing rule doc (#9987) (Jaid)
• 7c2cd70 Docs: deprecate experimentalObjectRestSpread (#9986) (Toru Nagashima)

v4.18.0 - February 16, 2018

• 70f22f3 Chore: Apply memoization to config creation within glob utils (#9944) (Kenton Jacobsen)
• 0e4ae22 Update: fix indent bug with binary operators/ignoredNodes (fixes #9882) (#9951) (Teddy Katz)
• 47ac478 Update: add named imports and exports for object-curly-newline (#9876) (Nicholas Chua)
• e8efdd0 Fix: support Rest/Spread Properties (fixes #9885) (#9943) (Toru Nagashima)
• f012b8c Fix: support Async iteration (fixes #9891) (#9957) (Toru Nagashima)
• 74fa253 Docs: Clarify no-mixed-operators options (fixes #9962) (#9964) (Ivan Hayes)
• 426868f Docs: clean up key-spacing docs (fixes #9900) (#9963) (Abid Uzair)
• 4a6f22e Update: support eslint-disable-* block comments (fixes #8781) (#9745) (Erin)
• 777283b Docs: Propose fix typo for function (#9965) (John Eismeier)
• bf3d494 Docs: Fix typo in max-len ignorePattern example. (#9956) (Tim Martin)
• d64fbb4 Docs: fix typo in prefer-destructuring.md example (#9930) (Vse Mozhet Byt)
• f8d343f Chore: Fix default issue template (#9946) (Kai Cataldo) </details> <details> <summary>Commits</summary>

• 22ff6f3 4.18.2
• 817b84b Build: changelog update for 4.18.2
• 6b71fd0 Fix: table@4.0.2, because 4.0.3 needs "ajv": "^6.0.1" (#10022)
• 3c697de Chore: fix incorrect comment about linter.verify return value (#10030)
• 9df8653 Chore: refactor parser-loading out of linter.verify (#10028)
• f6901d0 Fix: remove catastrophic backtracking vulnerability (fixes #10002) (#10019)
• e4f52ce Chore: Simplify dataflow in linter.verify (#10020)
• 33177cd Chore: make library files non-executable (#10021)
• 558ccba Chore: refactor directive comment processing (#10007)
• 18e15d9 Chore: avoid useless catch clauses that just rethrow errors (#10010)
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps lodash from 4.17.11 to 4.17.15. <details> <summary>Commits</summary>

• ddfd9b1 Bump to v4.17.15.
• b185fce Rebuild lodash and docs.
• be87d30 Bump to v4.17.14.
• a6fe6b1 Rebuild lodash and docs.
• e371828 Bump to v4.17.13.
• 357e899 Rebuild lodash and docs.
• fd9a062 Bump to v4.17.12.
• e77d681 Rebuild lodash and docs.
• 629d186 Update OpenJS references.
• 2406eac Fix minified build.
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps eslint-utils from 1.3.1 to 1.4.3. <details> <summary>Commits</summary>

• 23f4ddc 🔖 1.4.3
• 8f9e481 🐛 fix reference tracker false positive
• 6633278 ⚒ fix test scripts
• 7c8e67c ⚒ fix build scripts
• 41ff95e ⚒ update dependencies
• 4942012 ⚒ fix build scripts
• f1c8d02 ⚒ update build scripts
• a88598a Create FUNDING.yml
• 4e1bc07 1.4.2
• e4cb014 🐛 add null test
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps nokogiri from 1.6.7.2 to 1.10.7. <details> <summary>Release notes</summary>

Sourced from nokogiri's releases.

1.10.7 / 2019-12-03

Bug

• [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. #1954

1.10.6 / 2019-12-03

Bug

• [MRI] Fix FreeBSD installation of vendored libxml2. [#1941, #1953] (Thanks, @​nurse!)

1.10.5 / 2019-10-31

Dependencies

• [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
• [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

1.10.4 / 2019-08-11

Security

Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

This CVE's public notice is sparklemotion/nokogiri#1915

1.10.3 / 2019-04-22

Security Notes

[MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

1.10.2 / 2019-03-24

Security

• [MRI] Remove support from vendored libxml2 for future script macros. #1871
• [MRI] Remove support from vendored libxml2 for server-side includes within attributes. #1877 </tr></table> ... (truncated) </details> <details> <summary>Changelog</summary>

Sourced from nokogiri's changelog.

1.10.7 / 2019-12-03

Bug

• [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. #1954

1.10.6 / 2019-12-03

Bug

• [MRI] Fix FreeBSD installation of vendored libxml2. [#1941, #1953] (Thanks, @​nurse!)

1.10.5 / 2019-10-31

Security

[MRI] Vendored libxslt upgraded to v1.1.34 which addresses three CVEs for libxslt:

• CVE-2019-13117
• CVE-2019-13118
• CVE-2019-18197

More details are available at #1943.

Dependencies

• [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
• [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

1.10.4 / 2019-08-11

Security

Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

This CVE's public notice is sparklemotion/nokogiri#1915

1.10.3 / 2019-04-22

Security Notes

</tr></table> ... (truncated) </details> <details> <summary>Commits</summary>

• e6b3229 version bump to v1.10.7
• 4f9d443 update CHANGELOG
• 80e67ef Fix the patch from #1953 to work with both git and patch
• 7cf1b85 Fix typo in generated metadata
• d76180d add gem metadata
• 13132fc version bump to v1.10.6
• 95e56fd update CHANGELOG
• 73c53ee Add a patch to fix libxml2.la's path
• 061d75d add security note to CHANGELOG
• 1bc2ff9 version bump to v1.10.5
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Looks like nokogiri is up-to-date now, so this is no longer needed.

Bumps loofah from 2.0.3 to 2.4.0. <details> <summary>Release notes</summary>

Sourced from loofah's releases.

2.4.0 / 2019-11-25

Features

• Allow CSS property max-width #175 (Thanks, @​bchaney!)
• Allow CSS sizes expressed in rem [#176, #177]
• Add frozen_string_literal: true magic comment to all lib files. #118

2.3.1 / 2019-10-22

Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at flavorjones/loofah#171

2.3.0 / 2019-09-28

Features

• Expand set of allowed protocols to include tel: and line:. [#104, #147]
• Expand set of allowed CSS functions. [related to #122]
• Allow greater precision in shorthand CSS values. #149 (Thanks, @​danfstucky!)
• Allow CSS property list-style #162 (Thanks, @​jaredbeck!)
• Allow CSS keywords thick and thin #168 (Thanks, @​georgeclaghorn!)
• Allow HTML property contenteditable #167 (Thanks, @​andreynering!)

Bug fixes

• CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. #165 (Thanks, @​asok!)

Deprecations / Name Changes

The following method and constants are hereby deprecated, and will be completely removed in a future release:

• Deprecate Loofah::Helpers::ActionView.white_list_sanitizer, please use Loofah::Helpers::ActionView.safe_list_sanitizer instead.
• Deprecate Loofah::Helpers::ActionView::WhiteListSanitizer, please use Loofah::Helpers::ActionView::SafeListSanitizer instead.
• Deprecate Loofah::HTML5::WhiteList, please use Loofah::HTML5::SafeList instead.

Thanks to @​JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.

v2.2.3

Notably, this release addresses CVE-2018-16468.

v2.2.2

2.2.2 / 2018-03-22

</tr></table> ... (truncated) </details> <details> <summary>Changelog</summary>

Sourced from loofah's changelog.

2.4.0 / 2019-11-25

Features

• Allow CSS property max-width #175 (Thanks, @​bchaney!)
• Allow CSS sizes expressed in rem [#176, #177]
• Add frozen_string_literal: true magic comment to all lib files. #118

2.3.1 / 2019-10-22

Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at flavorjones/loofah#171

2.3.0 / 2019-09-28

Features

• Expand set of allowed protocols to include tel: and line:. [#104, #147]
• Expand set of allowed CSS functions. [related to #122]
• Allow greater precision in shorthand CSS values. #149 (Thanks, @​danfstucky!)
• Allow CSS property list-style #162 (Thanks, @​jaredbeck!)
• Allow CSS keywords thick and thin #168 (Thanks, @​georgeclaghorn!)
• Allow HTML property contenteditable #167 (Thanks, @​andreynering!)

Bug fixes

• CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. #165 (Thanks, @​asok!)

Deprecations / Name Changes

The following method and constants are hereby deprecated, and will be completely removed in a future release:

• Deprecate Loofah::Helpers::ActionView.white_list_sanitizer, please use Loofah::Helpers::ActionView.safe_list_sanitizer instead.
• Deprecate Loofah::Helpers::ActionView::WhiteListSanitizer, please use Loofah::Helpers::ActionView::SafeListSanitizer instead.
• Deprecate Loofah::HTML5::WhiteList, please use Loofah::HTML5::SafeList instead.

Thanks to @​JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.

2.2.3 / 2018-10-30

Security

</tr></table> ... (truncated) </details> <details> <summary>Commits</summary>

• 724ac1c version bump to v2.4.0
• e808fb6 ci: don't turn on frozen strings until after bundle install
• 0eb9976 update CHANGELOG
• 0783f5b add magic comment for frozen string literals to all files
• 5ce3a71 add rubocop as dev dep and configure security and frozen string cops
• 82ae384 test suite should check compatibility with frozen string literals
• 8747065 Merge pull request #175 from bchaney/allow-css-max-width
• 2767ae3 Merge pull request #177 from flavorjones/176-allow-rem-css-sizes
• 13f734f css sanitizer allows "rem" sizes
• 2699b61 Allow CSS property: max-width
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Looks like loofah is up-to-date now, so this is no longer needed.

Bumps lodash from 4.17.11 to 4.17.15. <details> <summary>Commits</summary>

• ddfd9b1 Bump to v4.17.15.
• b185fce Rebuild lodash and docs.
• be87d30 Bump to v4.17.14.
• a6fe6b1 Rebuild lodash and docs.
• e371828 Bump to v4.17.13.
• 357e899 Rebuild lodash and docs.
• fd9a062 Bump to v4.17.12.
• e77d681 Rebuild lodash and docs.
• 629d186 Update OpenJS references.
• 2406eac Fix minified build.
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps loofah from 2.0.3 to 2.4.0. <details> <summary>Release notes</summary>

Sourced from loofah's releases.

2.4.0 / 2019-11-25

Features

• Allow CSS property max-width #175 (Thanks, @​bchaney!)
• Allow CSS sizes expressed in rem [#176, #177]
• Add frozen_string_literal: true magic comment to all lib files. #118

2.3.1 / 2019-10-22

Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at flavorjones/loofah#171

2.3.0 / 2019-09-28

Features

• Expand set of allowed protocols to include tel: and line:. [#104, #147]
• Expand set of allowed CSS functions. [related to #122]
• Allow greater precision in shorthand CSS values. #149 (Thanks, @​danfstucky!)
• Allow CSS property list-style #162 (Thanks, @​jaredbeck!)
• Allow CSS keywords thick and thin #168 (Thanks, @​georgeclaghorn!)
• Allow HTML property contenteditable #167 (Thanks, @​andreynering!)

Bug fixes

• CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. #165 (Thanks, @​asok!)

Deprecations / Name Changes

The following method and constants are hereby deprecated, and will be completely removed in a future release:

• Deprecate Loofah::Helpers::ActionView.white_list_sanitizer, please use Loofah::Helpers::ActionView.safe_list_sanitizer instead.
• Deprecate Loofah::Helpers::ActionView::WhiteListSanitizer, please use Loofah::Helpers::ActionView::SafeListSanitizer instead.
• Deprecate Loofah::HTML5::WhiteList, please use Loofah::HTML5::SafeList instead.

Thanks to @​JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.

v2.2.3

Notably, this release addresses CVE-2018-16468.

v2.2.2

2.2.2 / 2018-03-22

</tr></table> ... (truncated) </details> <details> <summary>Changelog</summary>

Sourced from loofah's changelog.

2.4.0 / 2019-11-25

Features

• Allow CSS property max-width #175 (Thanks, @​bchaney!)
• Allow CSS sizes expressed in rem [#176, #177]
• Add frozen_string_literal: true magic comment to all lib files. #118

2.3.1 / 2019-10-22

Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at flavorjones/loofah#171

2.3.0 / 2019-09-28

Features

• Expand set of allowed protocols to include tel: and line:. [#104, #147]
• Expand set of allowed CSS functions. [related to #122]
• Allow greater precision in shorthand CSS values. #149 (Thanks, @​danfstucky!)
• Allow CSS property list-style #162 (Thanks, @​jaredbeck!)
• Allow CSS keywords thick and thin #168 (Thanks, @​georgeclaghorn!)
• Allow HTML property contenteditable #167 (Thanks, @​andreynering!)

Bug fixes

• CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. #165 (Thanks, @​asok!)

Deprecations / Name Changes

The following method and constants are hereby deprecated, and will be completely removed in a future release:

• Deprecate Loofah::Helpers::ActionView.white_list_sanitizer, please use Loofah::Helpers::ActionView.safe_list_sanitizer instead.
• Deprecate Loofah::Helpers::ActionView::WhiteListSanitizer, please use Loofah::Helpers::ActionView::SafeListSanitizer instead.
• Deprecate Loofah::HTML5::WhiteList, please use Loofah::HTML5::SafeList instead.

Thanks to @​JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.

2.2.3 / 2018-10-30

Security

</tr></table> ... (truncated) </details> <details> <summary>Commits</summary>

• 724ac1c version bump to v2.4.0
• e808fb6 ci: don't turn on frozen strings until after bundle install
• 0eb9976 update CHANGELOG
• 0783f5b add magic comment for frozen string literals to all files
• 5ce3a71 add rubocop as dev dep and configure security and frozen string cops
• 82ae384 test suite should check compatibility with frozen string literals
• 8747065 Merge pull request #175 from bchaney/allow-css-max-width
• 2767ae3 Merge pull request #177 from flavorjones/176-allow-rem-css-sizes
• 13f734f css sanitizer allows "rem" sizes
• 2699b61 Allow CSS property: max-width
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Looks like loofah is up-to-date now, so this is no longer needed.

Bumps Microsoft.AspNetCore.All from 2.0.3 to 2.0.9. <details> <summary>Commits</summary>

• 84d6a54 Merge 2.0.9 into release/2.0
• 43ec723 Merge branch release/2.0
• cc0e039 Add required infrastructure improvements to submodules to support NETStandard...
• 9030255 Merge branch 'release/2.0'
• 1895502 Update the LZMA to include NETStandard.Library 2.0.3
• e7c57af Upgrade to NETCore.App 2.0.9 (#29)
• 8fd6124 Merge branch 'release/2.0'
• 93f2e99 Fix for uploading blobs to private Azure blob containers
• aa91b80 Add script used to deploy blobs to Azure storage
• b1f55ff Merge branch 'release/2.0' of release/2.0.9
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps pillow from 2.2.1 to 6.2.0. <details> <summary>Release notes</summary>

Sourced from pillow's releases.

6.2.0

https://pillow.readthedocs.io/en/stable/releasenotes/6.2.0.html

6.1.0

https://pillow.readthedocs.io/en/stable/releasenotes/6.1.0.html

6.0.0

No release notes provided.

5.4.1

No release notes provided.

5.4.0

No release notes provided.

5.3.0

No release notes provided.

5.2.0

No release notes provided.

5.1.0

No release notes provided.

5.0.0

No release notes provided.

4.3.0

No release notes provided.

4.2.1

No release notes provided.

4.2.0

No release notes provided.

4.1.1

No release notes provided.

4.1.0

No release notes provided.

4.0.0 tag had a typo in the version in setup.py, hence 4.0.0a

3.4.2

No release notes provided.

3.4.1

No release notes provided.

</tr></table> ... (truncated) </details> <details> <summary>Changelog</summary>

Sourced from pillow's changelog.

6.2.0 (2019-10-01)

• Catch buffer overruns #4104 [radarhere]

• Initialize rows_per_strip when RowsPerStrip tag is missing #4034 [cgohlke, radarhere]

• Raise error if TIFF dimension is a string #4103 [radarhere]

• Added decompression bomb checks #4102 [radarhere]

• Fix ImageGrab.grab DPI scaling on Windows 10 version 1607+ #4000 [nulano, radarhere]

• Corrected negative seeks #4101 [radarhere]

• Added argument to capture all screens on Windows #3950 [nulano, radarhere]

• Updated warning to specify when Image.frombuffer defaults will change #4086 [radarhere]

• Changed WindowsViewer format to PNG #4080 [radarhere]

• Use TIFF orientation #4063 [radarhere]

• Raise the same error if a truncated image is loaded a second time #3965 [radarhere]

• Lazily use ImageFileDirectory_v1 values from Exif #4031 [radarhere]

• Improved HSV conversion #4004 [radarhere]

• Added text stroking #3978 [radarhere, hugovk]

• No more deprecated bdist_wininst .exe installers #4029 [hugovk]

• Do not allow floodfill to extend into negative coordinates #4017 [radarhere] </tr></table> ... (truncated) </details> <details> <summary>Commits</summary>

• 8a30d13 Updated CHANGES.rst [ci skip]
• 75602d1 6.2.0 version bump
• 4756af9 Updated CHANGES.rst [ci skip]
• cc16025 Merge pull request #4104 from radarhere/overrun
• fb84701 Merge pull request #4034 from cgohlke/patch-1
• b9693a5 Merge pull request #4103 from radarhere/dimension
• f228d0c Merge pull request #4102 from radarhere/decompression
• aaf2c42 Merge pull request #4000 from nulano/dpi_fix
• b36c1bc Merge pull request #4101 from radarhere/negative_seek
• 9a977b9 Raise error if dimension is a string
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps tensorflow from 1.3.0 to 1.12.2. <details> <summary>Release notes</summary>

Sourced from tensorflow's releases.

TensorFlow 1.12.2

Release 1.12.2

Bug Fixes and Other Changes

• Fixes a potential security vulnerability where carefully crafted GIF images can produce a null pointer dereference during decoding

TensorFlow 1.12.0

Release 1.12.0

Major Features and Improvements

• Keras models can now be directly exported to the SavedModel format(tf.contrib.saved_model.save_keras_model()) and used with Tensorflow Serving.
• Keras models now support evaluating with a tf.data.Dataset.
• TensorFlow binaries are built with XLA support linked in by default.
• Ignite Dataset added to contrib/ignite that allows to work with Apache Ignite.

Bug Fixes and Other Changes

• tf.data:
  • tf.data users can now represent, get, and set options of TensorFlow input pipelines using tf.data.Options(), tf.data.Dataset.options(), and tf.data.Dataset.with_options() respectively.
  • New tf.data.Dataset.reduce() API allows users to reduce a finite dataset to a single element using a user-provided reduce function.
  • New tf.data.Dataset.window() API allows users to create finite windows of input dataset; when combined with the tf.data.Dataset.reduce() API, this allows users to implement customized batching.
  • All C++ code moves to the tensorflow::data namespace.
  • Add support for num_parallel_calls to tf.data.Dataset.interleave.
• tf.contrib:
  • Remove tf.contrib.linalg. tf.linalg should be used instead.
  • Replace any calls to tf.contrib.get_signature_def_by_key(metagraph_def, signature_def_key) with meta_graph_def.signature_def[signature_def_key]. Catching a ValueError exception thrown by tf.contrib.get_signature_def_by_key should be replaced by catching a KeyError exception.
• tf.contrib.data
  • Deprecate, and replace by tf.data.experimental.
• Other:
  • Improved XLA stability and performance.
  • Fix single replica TensorBoard summary stats in Cloud ML Engine.
  • TPUEstimator: Initialize dataset iterators in parallel.
  • Keras on TPU model quality and bug fixes.
  • Instead of jemalloc, revert back to using system malloc since it simplifies build and has comparable performance.
  • Remove integer types from tf.nn.softplus and tf.nn.softsign OpDefs. This is a bugfix; these ops were never meant to support integers.
  • Allow subslicing Tensors with a single dimension.
  • Add option to calculate string length in Unicode characters
  • Add functionality to SubSlice a tensor.
  • Add searchsorted (ie lower/upper_bound) op.
  • Add model explainability to Boosted Trees.
  • Support negative positions for tf.substr
  • There was previously a bug in the bijector_impl where the _reduce_jacobian_det_over_event does not handle scalar ILDJ implementations properly.
  • In tf eager execution, allow re-entering a GradientTape context
  • Add tf_api_version flag. If --define=tf_api_version=2 flag is passed in, then bazel will build TensorFlow API version 2.0. Note that TensorFlow 2.0 is under active development and has no guarantees at this point.
  • Add additional compression options to TfRecordWriter
  • Performance improvements for regex full match operations.
  • Replace tf.GraphKeys.VARIABLES with tf.GraphKeys.GLOBAL_VARIABLES
  • Remove unused dynamic learning rate support.

Thanks to our Contributors

</tr></table> ... (truncated) </details> <details> <summary>Changelog</summary>

Sourced from tensorflow's changelog.

Release 1.12.2

Bug Fixes and Other Changes

• Fixes a potential security vulnerability where carefully crafted GIF images can produce a null pointer dereference during decoding.

Release 1.13.0

Major Features and Improvements

• TensorFlow Lite has moved from contrib to core. This means that Python modules are under tf.lite and source code is now under tensorflow/lite rather than tensorflow/contrib/lite.
• TensorFlow GPU binaries are now built against CUDA 10 and TensorRT 5.0.
• Support for Python3.7 on all operating systems.
• Moved NCCL to core.

Behavioral changes

• Disallow conversion of python floating types to uint32/64 (matching behavior of other integer types) in tf.constant.
• Make the gain argument of convolutional orthogonal initializers (convolutional_delta_orthogonal, convolutional_orthogonal_1D, convolutional_orthogonal_2D, convolutional_orthogonal_3D) have consistent behavior with the tf.initializers.orthogonal initializer, i.e. scale the output l2-norm by gain and NOT by sqrt(gain). (Note that these functions are currently in tf.contrib which is not guaranteed backward compatible).

Bug Fixes and Other Changes

• Documentation
  • Update the doc with the details about the rounding mode used in quantize_and_dequantize_v2.
  • Clarify that tensorflow::port::InitMain() should be called before using the TensorFlow library. Programs failing to do this are not portable to all platforms.
• Deprecations and Symbol renames.
  • Removing deprecations for the following endpoints: tf.acos, tf.acosh, tf.add, tf.as_string, tf.asin, tf.asinh, tf.atan, tf.atan2, tf.atanh, tf.cos, tf.cosh, tf.equal, tf.exp, tf.floor, tf.greater, tf.greater_equal, tf.less, tf.less_equal, tf.log, tf.logp1, tf.logical_and, tf.logical_not, tf.logical_or, tf.maximum, tf.minimum, tf.not_equal, tf.sin, tf.sinh, tf.tan
  • Deprecate tf.data.Dataset.shard.
  • Deprecate saved_model.loader.load which is replaced by saved_model.load and saved_model.main_op, which will be replaced by saved_model.main_op in V2.
  • Deprecate tf.QUANTIZED_DTYPES. The official new symbol is tf.dtypes.QUANTIZED_DTYPES.
  • Update sklearn imports for deprecated packages.
  • Deprecate Variable.count_up_to and tf.count_up_to in favor of Dataset.range.
  • Export confusion_matrix op as tf.math.confusion_matrix instead of tf.train.confusion_matrix.
  • Add tf.dtypes. endpoint for every constant in dtypes.py. Moving endpoints in versions.py to corresponding endpoints in tf.sysconfig. </tr></table> ... (truncated) </details> <details> <summary>Commits</summary>

• 6b63465 Merge pull request #27959 from tensorflow/update-release-notes-version
• e967833 Update header on release notes
• cf74798 Merge pull request #27958 from tensorflow/update-release-version
• 7fba173 Update version to 1.12.2
• 332f080 Merge pull request #27878 from tensorflow/windows-cpu
• c9fcc49 Fix windows build for CPU too
• 416b4a3 Merge pull request #27873 from tensorflow/more-bazel-incompatible-flags
• 3ebe165 Add --incompatible_disable_cc_toolchain_label_from_crosstool_proto=false flag
• 5ab9466 Reformat bazel invocation lines
• 446d393 Merge pull request #27870 from tensorflow/bazel-http-archive
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps flask from 0.11.1 to 1.0. <details> <summary>Release notes</summary>

Sourced from flask's releases.

1.0

The Pallets team is pleased to release Flask 1.0. [Read the announcement on our blog.](https://www.palletsprojects.com/blog/flask-1-0-released/

There are over a year's worth of changes in this release. Many features have been improved or changed. Read the changelog to understand how your project's code will be affected.

JSON Security Fix

Flask previously decoded incoming JSON bytes using the content type of the request. Although JSON should only be encoded as UTF-8, Flask was more lenient. However, Python includes non-text related encodings that could result in unexpected memory use by a request.

Flask will now detect the encoding of incoming JSON data as one of the supported UTF encodings, and will not allow arbitrary encodings from the request.

Install or Upgrade

Install from PyPI with pip:

pip install -U Flask

0.12.4

This is a repackage of 0.12.3 to fix an issue with how the package was built.

Upgrade

Upgrade from PyPI with pip. Use a version identifier if you want to stay at 0.12:

pip install -U 'Flask~=0.12.4'

0.12.3

This release includes an important security fix for JSON and a minor backport for CLI support in PyCharm. It is provided for projects that cannot update to Flask 1.0 immediately. See the 1.0 announcement and update to it instead if possible.

JSON Security Fix

Flask previously decoded incoming JSON bytes using the content type of the request. Although JSON should only be encoded as UTF-8, Flask was more lenient. However, Python includes non-text related encodings that could result in unexpected memory use by a request.

Flask will now detect the encoding of incoming JSON data as one of the supported UTF encodings, and will not allow arbitrary encodings from the request.

Upgrade

Upgrade from PyPI with pip. Use a version identifier if you want to stay at 0.12:

pip install -U 'Flask~=0.12.3'

</tr></table> ... (truncated) </details> <details> <summary>Changelog</summary>

Sourced from flask's changelog.

Version 1.0

Released 2018-04-26

• Python 2.6 and 3.3 are no longer supported.
• Bump minimum dependency versions to the latest stable versions: Werkzeug >= 0.14, Jinja >= 2.10, itsdangerous >= 0.24, Click >= 5.1. :issue:2586
• Skip :meth:app.run <Flask.run> when a Flask application is run from the command line. This avoids some behavior that was confusing to debug.
• Change the default for :data:JSONIFY_PRETTYPRINT_REGULAR to False. :func:~json.jsonify returns a compact format by default, and an indented format in debug mode. :pr:2193
• :meth:Flask.__init__ <Flask> accepts the host_matching argument and sets it on :attr:~Flask.url_map. :issue:1559
• :meth:Flask.__init__ <Flask> accepts the static_host argument and passes it as the host argument when defining the static route. :issue:1559
• :func:send_file supports Unicode in attachment_filename. :pr:2223
• Pass _scheme argument from :func:url_for to :meth:~Flask.handle_url_build_error. :pr:2017
• :meth:~Flask.add_url_rule accepts the provide_automatic_options argument to disable adding the OPTIONS method. :pr:1489
• :class:~views.MethodView subclasses inherit method handlers from base classes. :pr:1936
• Errors caused while opening the session at the beginning of the request are handled by the app's error handlers. :pr:2254
• Blueprints gained :attr:~Blueprint.json_encoder and :attr:~Blueprint.json_decoder attributes to override the app's encoder and decoder. :pr:1898
• :meth:Flask.make_response raises TypeError instead of ValueError for bad response types. The error messages have been improved to describe why the type is invalid. :pr:2256
• Add routes CLI command to output routes registered on the application. :pr:2259
• Show warning when session cookie domain is a bare hostname or an IP address, as these may not behave properly in some browsers, such as Chrome. :pr:2282
• Allow IP address as exact session cookie domain. :pr:2282
• SESSION_COOKIE_DOMAIN is set if it is detected through SERVER_NAME. :pr:2282
• Auto-detect zero-argument app factory called create_app or make_app from FLASK_APP. :pr:2297
• Factory functions are not required to take a script_info parameter to work with the flask command. If they take a single parameter or a parameter named script_info, the </tr></table> ... (truncated) </details> <details> <summary>Commits</summary>

• 291f3c3 Bump version number to 1.0
• 36e68a4 release 1.0
• 216151c Merge branch '0.12-maintenance'
• 23047a7 Bump version number to 0.12.4.dev
• 1a9e58e Bump version number to 0.12.3
• 63deee0 release 0.12.3
• 062745b Merge pull request #2720 from pallets/setup-link
• 5c8110d ensure order of project urls
• 10a77a5 Add project_urls so that PyPI will show GitHub stats.
• 22992a0 add donate link
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps lodash.template from 4.4.0 to 4.5.0. <details> <summary>Commits</summary>

• ab73503 Bump to v4.5.0.
• a4f7d4c Rebuild lodash and docs.
• cca5ac6 Fix npm-test by removing the call to test-docs.
• 9f7f9fc Adjust heading order. [ci skip]
• 6e2fb92 Remove unused baseArity.
• 4f702e2 Specify utf8 encoding.
• b188f90 Add fp tests for iteratee shorthands.
• 7b93dc9 Ensure clone methods clone expando properties of boolean, number, & string ob...
• 664d66a Make string tests more consistent.
• d9dc0e6 Add _.invertBy tests.
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps nokogiri from 1.6.7.2 to 1.10.5. <details> <summary>Release notes</summary>

Sourced from nokogiri's releases.

1.10.5 / 2019-10-31

Dependencies

• [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
• [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

1.10.4 / 2019-08-11

Security

Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

This CVE's public notice is sparklemotion/nokogiri#1915

1.10.3 / 2019-04-22

Security Notes

[MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

1.10.2 / 2019-03-24

Security

• [MRI] Remove support from vendored libxml2 for future script macros. #1871
• [MRI] Remove support from vendored libxml2 for server-side includes within attributes. #1877

Bug fixes

• [JRuby] Fix node ownership in duplicated documents. #1060
• [JRuby] Rethrow exceptions caught by Java SAX handler. [#1847, #1872] (Thanks, @​adjam!)

1.10.1 / 2019-01-13

Features

• [MRI] During installation, handle Xcode 10's new library pathOS. [#1801, #1851] (Thanks, @​mlj and @​deepj!)
• Avoid unnecessary creation of Procs in many methods. #1776 (Thanks, @​chopraanmol1!)

</tr></table> ... (truncated) </details> <details> <summary>Changelog</summary>

Sourced from nokogiri's changelog.

1.10.5 / 2019-10-31

Dependencies

• [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
• [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

1.10.4 / 2019-08-11

Security

Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

This CVE's public notice is sparklemotion/nokogiri#1915

1.10.3 / 2019-04-22

Security Notes

[MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

1.10.2 / 2019-03-24

Security

• [MRI] Remove support from vendored libxml2 for future script macros. #1871
• [MRI] Remove support from vendored libxml2 for server-side includes within attributes. #1877

Bug fixes

• [JRuby] Fix node ownership in duplicated documents. #1060
• [JRuby] Rethrow exceptions caught by Java SAX handler. [#1847, #1872] (Thanks, @​adjam!)

1.10.1 / 2019-01-13

Features

• [MRI] During installation, handle Xcode 10's new library path. [#1801, #1851] (Thanks, @​mlj and @​deepj!)
• Avoid unnecessary creation of Procs in many methods. #1776 (Thanks, @​chopraanmol1!)

</tr></table> ... (truncated) </details> <details> <summary>Commits</summary>

• 1bc2ff9 version bump to v1.10.5
• 383c1f8 update CHANGELOG
• 43a1753 dependency: update libxslt to 1.1.34 final
• 99d8a6b dependency: update libxml to 2.9.10 final
• 2a86496 add suppressions for ruby 2.7
• dca794a update CHANGELOG with correct release date for v1.10.4
• 077e010 update rake-compiler commands to install bundler
• beb832e version bump to v1.10.4
• 5d30128 Merge branch '1915-css-tokenizer-load-file-vulnerability_v1.10.x' into v1.10.x
• c86b5fc update CHANGELOG
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Superseded by #9.

Bumps nokogiri from 1.6.7.2 to 1.10.7. <details> <summary>Release notes</summary>

Sourced from nokogiri's releases.

1.10.7 / 2019-12-03

Bug

• [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. #1954

1.10.6 / 2019-12-03

Bug

• [MRI] Fix FreeBSD installation of vendored libxml2. [#1941, #1953] (Thanks, @​nurse!)

1.10.5 / 2019-10-31

Dependencies

• [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
• [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

1.10.4 / 2019-08-11

Security

Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

This CVE's public notice is sparklemotion/nokogiri#1915

1.10.3 / 2019-04-22

Security Notes

[MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

1.10.2 / 2019-03-24

Security

• [MRI] Remove support from vendored libxml2 for future script macros. #1871
• [MRI] Remove support from vendored libxml2 for server-side includes within attributes. #1877 </tr></table> ... (truncated) </details> <details> <summary>Changelog</summary>

Sourced from nokogiri's changelog.

1.10.7 / 2019-12-03

Bug

• [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. #1954

1.10.6 / 2019-12-03

Bug

• [MRI] Fix FreeBSD installation of vendored libxml2. [#1941, #1953] (Thanks, @​nurse!)

1.10.5 / 2019-10-31

Security

[MRI] Vendored libxslt upgraded to v1.1.34 which addresses three CVEs for libxslt:

• CVE-2019-13117
• CVE-2019-13118
• CVE-2019-18197

More details are available at #1943.

Dependencies

• [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
• [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

1.10.4 / 2019-08-11

Security

Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

This CVE's public notice is sparklemotion/nokogiri#1915

1.10.3 / 2019-04-22

Security Notes

</tr></table> ... (truncated) </details> <details> <summary>Commits</summary>

• e6b3229 version bump to v1.10.7
• 4f9d443 update CHANGELOG
• 80e67ef Fix the patch from #1953 to work with both git and patch
• 7cf1b85 Fix typo in generated metadata
• d76180d add gem metadata
• 13132fc version bump to v1.10.6
• 95e56fd update CHANGELOG
• 73c53ee Add a patch to fix libxml2.la's path
• 061d75d add security note to CHANGELOG
• 1bc2ff9 version bump to v1.10.5
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>

Bumps loofah from 2.0.3 to 2.3.1. <details> <summary>Release notes</summary>

Sourced from loofah's releases.

2.3.1 / 2019-10-22

Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at flavorjones/loofah#171

2.3.0 / 2019-09-28

Features

• Expand set of allowed protocols to include tel: and line:. [#104, #147]
• Expand set of allowed CSS functions. [related to #122]
• Allow greater precision in shorthand CSS values. #149 (Thanks, @​danfstucky!)
• Allow CSS property list-style #162 (Thanks, @​jaredbeck!)
• Allow CSS keywords thick and thin #168 (Thanks, @​georgeclaghorn!)
• Allow HTML property contenteditable #167 (Thanks, @​andreynering!)

Bug fixes

• CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. #165 (Thanks, @​asok!)

Deprecations / Name Changes

The following method and constants are hereby deprecated, and will be completely removed in a future release:

• Deprecate Loofah::Helpers::ActionView.white_list_sanitizer, please use Loofah::Helpers::ActionView.safe_list_sanitizer instead.
• Deprecate Loofah::Helpers::ActionView::WhiteListSanitizer, please use Loofah::Helpers::ActionView::SafeListSanitizer instead.
• Deprecate Loofah::HTML5::WhiteList, please use Loofah::HTML5::SafeList instead.

Thanks to @​JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.

v2.2.3

Notably, this release addresses CVE-2018-16468.

v2.2.2

2.2.2 / 2018-03-22

Make public Loofah::HTML5::Scrub.force_correct_attribute_escaping!, which was previously a private method. This is so that downstream gems (like rails-html-sanitizer) can use this logic directly for their own attribute scrubbers should they need to address CVE-2018-8048.

v2.2.1

Notably, this release mitigates CVE-2018-8048. </tr></table> ... (truncated) </details> <details> <summary>Changelog</summary>

Sourced from loofah's changelog.

2.3.1 / 2019-10-22

Security

Address CVE-2019-15587: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at flavorjones/loofah#171

2.3.0 / 2019-09-28

Features

• Expand set of allowed protocols to include tel: and line:. [#104, #147]
• Expand set of allowed CSS functions. [related to #122]
• Allow greater precision in shorthand CSS values. #149 (Thanks, @​danfstucky!)
• Allow CSS property list-style #162 (Thanks, @​jaredbeck!)
• Allow CSS keywords thick and thin #168 (Thanks, @​georgeclaghorn!)
• Allow HTML property contenteditable #167 (Thanks, @​andreynering!)

Bug fixes

• CSS hex values are no longer limited to lowercase hex. Previously uppercase hex were scrubbed. #165 (Thanks, @​asok!)

Deprecations / Name Changes

The following method and constants are hereby deprecated, and will be completely removed in a future release:

• Deprecate Loofah::Helpers::ActionView.white_list_sanitizer, please use Loofah::Helpers::ActionView.safe_list_sanitizer instead.
• Deprecate Loofah::Helpers::ActionView::WhiteListSanitizer, please use Loofah::Helpers::ActionView::SafeListSanitizer instead.
• Deprecate Loofah::HTML5::WhiteList, please use Loofah::HTML5::SafeList instead.

Thanks to @​JuanitoFatas for submitting these changes in #164 and for making the language used in Loofah more inclusive.

2.2.3 / 2018-10-30

Security

Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

This CVE's public notice is at flavorjones/loofah#154

Meta / 2018-10-27

The mailing list is now on Google Groups #146:

</tr></table> ... (truncated) </details> <details> <summary>Commits</summary>

• 83df303 version bump to v2.3.1
• e323a77 Merge pull request #172 from flavorjones/171-xss-vulnerability
• 1d81f91 update CHANGELOG
• 0c6617a mitigate XSS vulnerability in SVG animate attributes
• a5bd819 rufo formatting
• 1bdf276 formatting in README
• 1908dc2 update CHANGELOG with release date
• bcbd7b3 update dev gemspec
• f6d4c2d version bump to v2.3.0
• 08fee8c update dev deps
• Additional commits viewable in compare view </details> <br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

<details> <summary>Dependabot commands and options</summary> <br />

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

</details>