🚨 [security] Update rspec-rails 7.1.0 → 7.1.1 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rspec-rails (7.1.0 → 7.1.1) · Repo · Changelog

Release Notes

7.1.1 (from changelog)

Full Changelog

Bug Fixes:

• Check wether rspec-mocks has been loaded before enabling signature verification for have_enqueued_job et al (Jon Rowe, #2823)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:

• Reference issues for Github
• v7.1.1
• Merge pull request #2823 from rspec/ensure-mocks-config-available
• Simplify instructions for gems installations from git repository (#2828)
• Merge pull request #2829 from rspec/fix-verify-mailer-preview
• Merge pull request #2826 from rspec/switch-to-monorepo
• Switch to ruby 3.4 from rc
• Merge pull request #2825 from rspec/ruby-3.4-v2
• Merge pull request #2824 from rspec/fix-build
• Merge pull request #2812 from rspec/expand-permitted-rails-versions
• Fix documentation links for 7.1

↗️ concurrent-ruby (indirect, 1.3.4 → 1.3.5) · Repo · Changelog

Release Notes

1.3.5

What's Changed

• Remove dependency on logger by @eregon in #1062
• Avoid error when member is present on ancestor class by @francesmcmullin in #1068
• Set rake-compiler source and target to Java 8 by @headius in #1071
• chore: fix typos by @chenrui333 in #1076

New Contributors

• @francesmcmullin made their first contribution in #1068
• @chenrui333 made their first contribution in #1076

Full Changelog: v1.3.4...v1.3.5

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

• Release concurrent-ruby 1.3.5 and concurrent-ruby-edge 0.7.2
• chore: fix typos (#1076)
• Set rake-compiler source and target to Java 8 (#1071)
• Improve ancestor classes spec
• Avoid error when member is present on ancestor class
• Remove dependency on logger

↗️ diff-lcs (indirect, 1.5.1 → 1.6.0) · Repo · Changelog

Release Notes

1.6.0 (from changelog)

• Baptiste Courtois (@Annih) has done significant work on making bin/ldiff work better, contributing a number of issues and pull requests. These include:

  • Separation of command parsing from diff-generation in Diff::LCS::Ldiff code extraction making it easier to use separately from the bin/ldiff command in #103. This partially resolves #46.

  • Improvement of binary and empty file detection and tests in #104 and #105. This resolves issues #100, #102.

  • Various ldiff fixes for output #101 resolves issues #106 (ldiff ed scripts are inverted), #107 (ldiff hunk ranges are incorrect; regression or incorrect fix for #60), and #95.

• Patrick Linnane fixed various minor typos. #93

• Mark Young added a Changelog link to the RubyGems metadata. #92 This has been modified to incorporate it into the README.

• Updated the documentation on Diff::LCS#lcs to be clearer about the requirements for object equality comparison. This resolves #70.

• Governance:

  Changes described here are effective 2024-12-31.

  • Update gem management details to use markdown files for everything, enabled in part by flavorjones/hoe-markdown. Several files were renamed to be more consistent with standard practices.

  • Updated security notes with an age public key rather than pointing to Keybase.io and a PGP public key which I no longer use. The use of the Tidelift security contact is recommended over direct disclosure.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 30 commits:

• chore: Resolve workflow permissions issues
• docs: Clarify object equality requirements
• chore: Prepare for next release
• chore: Clean up 'rubocop' flags
• Fix hunk/ldiff unified diff against empty files
• Fix ed & "reversed_ed" ranges
• Fix hunk ranges computation
• Fix hunk.diff "No newline at end of file" handling
• Adapt ldiff tests to check stderr
• Bump github/codeql-action from 3.28.8 to 3.28.9
• Bump ruby/setup-ruby from 1.215.0 to 1.218.0
• Bump reviewdog/action-typos from 1.13.0 to 1.15.0
• Bump ruby/setup-ruby from 1.207.0 to 1.215.0
• Bump reviewdog/action-actionlint from 1.63.0 to 1.64.1
• Fix ldiff binary files comparison and output
• Enable test on ldiff with no output
• Extract ldiff display logic to reuse it as lib
• Factorize ldiff format handling
• fix: Fix a thread safety warning
• chore: Metadata and governance updates
• Improve ldiff binary files detection
• Update policy and workflow
• Remove unused `ostruct`
• Update Licence reference in diff-lcs.gemspec
• Create SECURITY.md
• Update License block in Rakefile
• various: fix miscellaneous typos
• Update contributors and history
• Provide a 'Changelog' link on rubygems.org/gems/diff-lcs
• Add Masato Nakamura to contributing

↗️ i18n (indirect, 1.14.6 → 1.14.7) · Repo · Changelog

Release Notes

1.14.7

What's Changed

• Ruby 3.4 Hash#inspect compatibility. by @voxik in #709
• Removed (annoying) post-install message that was triggering on all Rubies, rather than the specified versions.

Full Changelog: v1.14.6...v1.14.7

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

• Bump to 1.14.7
• remove post-install message
• Merge pull request #709 from voxik/ruby-3.4
• Add Rails 7.2 and 8.0 into test matrix.
• Adjust the test matrix for Rails 8.1
• Add `base64` / `mutex_m` dependencies for Rails 6.1
• Ruby 3.4 `Hash#inspect` compatibility.
• Add 'ruby-head' to test matrix

↗️ rack (indirect, 2.2.10 → 2.2.11) · Repo · Changelog

Security Advisories 🚨

🚨 Possible Log Injection in Rack::CommonLogger

Summary

Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs.

Details

When a user provides the authorization credentials via Rack::Auth::Basic, if success, the username will be put in env['REMOTE_USER'] and later be used by Rack::CommonLogger for logging purposes.

The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile.

Impact

Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files.

Mitigation

• Update to the latest version of Rack.

Commits

See the full diff on Github. The new version differs by 2 commits:

• Bump patch version.
• Escape non-printable characters when logging.

↗️ rspec-core (indirect, 3.13.2 → 3.13.3) · Repo · Changelog

↗️ rspec-support (indirect, 3.13.1 → 3.13.2) · Repo · Changelog

↗️ zeitwerk (indirect, 2.7.1 → 2.7.2) · Repo · Changelog

Release Notes

2.7.2 (from changelog)

• Internal improvements and micro-optimizations.

• Add stable TruffleRuby to CI.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 30 commits:

• Ready for 2.7.2
• Let get_or_set evaluate the fallback lazily
• Add a couple more of tests
• Define get_or_set for cref maps
• Revises some signatures
• Fixes signature annotation
• Adds a test for cref maps
• Docs improvements
• Adds code comments
• Introduce Zeitwerk::Cref::Map
• Synchronize the inceptions registry if not in CRuby
• Remove top-level constant
• Mark the private callback for namespaces as internal
• Move inceptions to their own registry
• Remove truffleruby-head from this workflow
• Add Ruby 3.4 to CI
• Merge pull request #311 from fxn/truffleruby
• Add TruffleRuby stable to CI
• Create a proper registry for explicit namespaces
• Revises some signatures
• Define Zeitwerk::Cref#to_s
• Pass crefs to the registry
• Revert "Define Zeitwerk::Cref#{to_s,hash,eql?,==}"
• Revert "Support hashing crefs whose mod has an overridden name"
• Revert "Rename some variables"
• Rename some variables
• Support hashing crefs whose mod has an overridden name
• Define Zeitwerk::Cref#{to_s,hash,eql?,==}
• Edit a comment
• Keep an eye on TruffleRuby HEAD

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)