🚨 [security] Update json: 1.8.6 → 2.3.0 (major)

[depfu]

---

🚨 Your version of json has known security vulnerabilities 🚨

Advisory: CVE-2020-10663
Disclosed: March 19, 2020
URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Unsafe Object Creation Vulnerability in JSON (Additional fix)

When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system.

This is the same issue as CVE-2013-0269. The previous fix was incomplete, which addressed JSON.parse(user_input), but didn’t address some other styles of JSON parsing including JSON(user_input) and JSON.parse(user_input, nil).

See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a Denial of Service by creating many garbage-uncollectable Symbol objects, but this kind of attack is no longer valid because Symbol objects are now garbage-collectable. However, creating arbitrary objects may cause severe security consequences depending upon the application code.

Please update the json gem to version 2.3.0 or later. You can use gem update json to update it. If you are using bundler, please add gem "json", ">= 2.3.0" to your Gemfile.

🚨 We recommend to merge and deploy this update as soon as possible! 🚨

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ json (indirect, 1.8.6 → 2.3.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ html-proofer (3.7.2 → 3.15.1) · Repo

Release Notes

3.15.0

• #362

3.14.0

• #541
• #539
• #540

3.12.0

• Drop ActiveRecord dependency: #534
• Update Nokogiri dependency: #533

3.11.0

• Add new Rack middleware support: #512

3.10.0

• Ignoring SRI for pagination rels: #499 (thanks @vllur)
• Make assume_extension work with a directory with the same name: #503 (thanks @nex3)
• Support Typheous from the command line: #490 (thanks @SeanKilleen)

3.9.0

• Allow missing hrefs: #475

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ addressable (indirect, 2.5.2 → 2.7.0) · Repo · Changelog

Release Notes

2.7.0 (from changelog)

• added :compacted flag to normalized_query
• heuristic_parse handles mailto: more intuitively
• refactored validation to use a prepended module
• dropped explicit support for JRuby 9.0.5.0
• compatibility w/ public_suffix 4.x
• performance improvements

2.6.0 (from changelog)

• added tld= method to allow assignment to the public suffix
• most heuristic_parse patterns are now case-insensitive
• heuristic_parse handles more file:// URI variations
• fixes bug in heuristic_parse when uri starts with digit
• fixes bug in request_uri= with query strings
• fixes template issues with nil and ? operator
• frozen_string_literal pragmas added
• minor performance improvements in regexps
• fixes to eliminate warnings

Does any of this look wrong? Please let us know.

↗️ ethon (indirect, 0.10.1 → 0.12.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 44 commits:

• bump version and pseudo update changelog
• Merge pull request #152 from yuki24/add-support-for-CURLPIPE_MULTIPLEX
• Merge pull request #151 from yuki24/test-against-recent-ruby-versions
• Add support for CURLPIPE_MULTIPLEX
• Test against MRI 2.5.1, 2.4.4, 2.3.7, 2.2.10, and 2.1.10
• Merge pull request #141 from atambo/params_encoding_none
• Merge pull request #149 from drpump/master
• Added :pipewait curl option.
• Merge pull request #144 from Rigor/ares_interface_options
• add dns_interface pass-through option
• add dns_local_ip4 pass-through option
• Add params_encoding :none
• bump version
• Merge pull request #140 from HappyHax0r/multipart-forcing
• update bundler
• fix mime-type spec
• fix mime-types for travis?
• fix mustermann dep
• remove gems
• RSpec tests for multipart properties in options.rb
• RSpec tests for multipart behavior properties in form.rb and options.rb
• More concise syntax for multipart? method.
• Updating to be a more concise form for the multipart check.
• Removing the newline.
• Changes for Ethon to allow multipart-form-data forcing through Typhoeus using "multipart: true" as part of the option set in Request.new().
• Merge pull request #139 from typhoeus/progress
• fix issue again
• fix old ruby issues.
• fallback to progressfunction for older curls
• include dltotal and ultotal in tests
• use long_long
• move onprogress
• add correct expactation.
• show curl version
• fixing some annoying warnings
• fix specs
• docs
• set noprogress
• more code and more tests
• more code and tests around progress
• remove debug out and fix specs
• Progress feature
• Merge pull request #135 from v-kolesnikov/patch-1
• Update README.md

↗️ ffi (indirect, 1.9.23 → 1.12.2) · Repo · Changelog

Release Notes

1.12.2 (from changelog)

• Fix possible segfault at FFI::Struct#[] and []= after GC.compact . #742

1.12.1 (from changelog)

Added:

• Add binary gem support for ruby-2.7 on Windows

1.12.0 (from changelog)

Added:

• FFI::VERSION is defined as part of require 'ffi' now. It is no longer necessary to require 'ffi/version' .

Changed:

• Update libffi to latest master.

Deprecated:

• Overwriting struct layouts is now warned and will be disallowed in ffi-2.0. #734, #735

1.11.3 (from changelog)

Removed:

• Remove support for tainted objects which cause deprecation warnings in ruby-2.7. #730

1.11.2 (from changelog)

Added:

• Add DragonFlyBSD as a platform. #724

Changed:

• Sort all types.conf files, so that files and changes are easier to compare.
• Regenerated type conf for freebsd12 and x86_64-linux targets. #722
• Remove MACOSX_DEPLOYMENT_TARGET that was targeting very old version 10.4. #647
• Fix library name mangling for non glibc Linux/UNIX. #727
• Fix compiler warnings raised by ruby-2.7
• Update libffi to latest master.

1.11.1 (from changelog)

Changed:

• Raise required ruby version to >=2.0. #699, #700
• Fix a possible linker error on ruby < 2.3 on Linux.

1.11.0 (from changelog)

Added:

• Add ability to disable or force use of system libffi. #669 Use like gem inst ffi -- --enable-system-libffi .
• Add ability to call FFI callbacks from outside of FFI call frame. #584
• Add proper documentation to FFI::Generator and ::Task
• Add gemspec metadata. #696, #698

Changed:

• Fix stdcall on Win32. #649, #669
• Fix load paths for FFI::Generator::Task
• Fix FFI::Pointer#read_string(0) to return a binary String. #692
• Fix benchmark suite so that it runs on ruby-2.x
• Move FFI::Platform::CPU from C to Ruby. #663
• Move FFI::StructByReference to Ruby. #681
• Move FFI::DataConverter to Ruby (#661)
• Various cleanups and improvements of specs and benchmarks

Removed:

• Remove ruby-1.8 and 1.9 compatibility code. #683
• Remove unused spec files. #684

1.10.0 (from changelog)

Added:

• Add /opt/local/lib/ to ffi's fallback library search path. #638
• Add binary gem support for ruby-2.6 on Windows
• Add FreeBSD on AArch64 and ARM support. #644
• Add FFI::LastError.winapi_error on Windows native or Cygwin. #633

Changed:

• Update to rake-compiler-dock-0.7.0
• Use 64-bit inodes on FreeBSD >= 12. #644
• Switch time_t and suseconds_t types to long on FreeBSD. #627
• Make register_t long_long on 64-bit FreeBSD. #644
• Fix Pointer#write_array_of_type #637

Removed:

• Drop binary gem support for ruby-2.0 and 2.1 on Windows

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.3.0 → 2.4.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 10 commits:

• version bump to v2.4.0
• update CHANGELOG in preparation for v2.4.0
• update dev dependencies
• Merge pull request #86 from eagletmt/skip-progress-when-chunked
• Merge pull request #87 from halfbyte/patch-1
• Make version in changelog fit release version.
• Skip progress report when Content-Length is unavailable
• update test:examples to libiconv 1.15
• concourse: test most-recent two rubies
• convert to using windows-ruby-dev-tools-release

↗️ nokogiri (indirect, 1.8.2 → 1.10.9) · Repo · Changelog

Release Notes

1.10.9

1.10.9 / 2020-03-01

Fixed

• [MRI] Raise an exception when Nokogiri detects a specific libxml2 edge case involving blank Schema nodes wrapped by Ruby objects that would cause a segfault. Currently no fix is available upstream, so we're preventing a dangerous operation and informing users to code around it if possible. [#1985, #2001]
• [JRuby] Change NodeSet#to_a to return a RubyArray instead of Object, for compilation under JRuby 9.2.9 and later. [#1968, #1969] (Thanks, @headius!)

1.10.8

1.10.8 / 2020-02-10

Security

[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.

1.10.7

1.10.7 / 2019-12-03

Bug

• [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. [#1954]

1.10.6

1.10.6 / 2019-12-03

Bug

• [MRI] Fix FreeBSD installation of vendored libxml2. [#1941, #1953] (Thanks, @nurse!)

1.10.5

1.10.5 / 2019-10-31

Dependencies

• [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
• [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

1.10.4

1.10.4 / 2019-08-11

Security

Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

This CVE's public notice is #1915

1.10.3

1.10.3 / 2019-04-22

Security Notes

[MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

1.10.2

1.10.2 / 2019-03-24

Security

• [MRI] Remove support from vendored libxml2 for future script macros. [#1871]
• [MRI] Remove support from vendored libxml2 for server-side includes within attributes. [#1877]

Bug fixes

• [JRuby] Fix node ownership in duplicated documents. [#1060]
• [JRuby] Rethrow exceptions caught by Java SAX handler. [#1847, #1872] (Thanks, @adjam!)

1.10.1

1.10.1 / 2019-01-13

Features

• [MRI] During installation, handle Xcode 10's new library pathOS. [#1801, #1851] (Thanks, @mlj and @deepj!)
• Avoid unnecessary creation of Procs in many methods. [#1776] (Thanks, @chopraanmol1!)

Bug fixes

• CSS selector :has() now correctly matches against any descendant. Previously this selector matched against only direct children). [#350] (Thanks, @Phrogz!)
• NodeSet#attr now returns nil if it's empty. Previously this raised a NoMethodError.
• [MRI] XPath errors are no longer suppressed during XSLT::Stylesheet#transform. Previously these errors were suppressed which led to silent failures and a subsequent segfault. [#1802]

1.10.0

1.10.0 / 2019-01-04

Features

• [MRI] Cross-built Windows gems now support Ruby 2.6 [#1842, #1850]

Backwards incompatibilities

This release ends support for:

• Ruby 2.2, for which official support ended on 2018-03-31 [#1841]
• JRuby 1.7, for which official support ended on 2017-11-21 [#1741]

Dependencies

• [MRI] libxml2 is updated from 2.9.8 to 2.9.9
• [MRI] libxslt is updated from 1.1.32 to 1.1.33

1.9.1

1.9.1 / 2018-12-17

Bug fixes

• Fix a bug introduced in v1.9.0 where XML::DocumentFragment#dup no longer returned an instance of the callee's class, instead always returning an XML::DocumentFragment. This notably broke any subclass of XML::DocumentFragment including HTML::DocumentFragment as well as the Loofah gem's Loofah::HTML::DocumentFragment. [#1846]

1.9.0

1.9.0 / 2018-12-17

Security Notes

• [JRuby] Upgrade Xerces dependency from 2.11.0 to 2.12.0 to address upstream vulnerability CVE-2012-0881 [#1831] (Thanks @grajagandev for reporting.)

Notable non-functional changes

• Decrease installation size by removing many unneeded files (e.g., /test) from the packaged gems. [#1719] (Thanks, @stevecrozz!)

Features

• XML::Attr#value= allows HTML node attribute values to be set to either a blank string or an empty boolean attribute. [#1800]
• Introduce XML::Node#wrap which does what XML::NodeSet#wrap has always done, but for a single node. [#1531] (Thanks, @ethirajsrinivasan!)
• [MRI] Improve installation experience on macOS High Sierra (Darwin). [#1812, #1813] (Thanks, @gpakosz and @nurse!)
• [MRI] Node#dup supports copying a node directly to a new document. See the method documentation for details.
• [MRI] DocumentFragment#dup is now more memory-efficient, avoiding making unnecessary copies. [#1063]
• [JRuby] NodeSet has been rewritten to improve performance! [#1795]

Bug fixes

• NodeSet#each now returns self instead of zero. [#1822] (Thanks, @olehif!)
• [MRI] Address a memory leak when using XML::Builder to create nodes with namespaces. [#1810]
• [MRI] Address a memory leak when unparenting a DTD. [#1784] (Thanks, @stevecheckoway!)
• [MRI] Use RbConfig::CONFIG instead of ::MAKEFILE_CONFIG to fix installations that use Makefile macros. [#1820] (Thanks, @nobu!)
• [JRuby] Decrease large memory usage when making nested XPath queries. [#1749]
• [JRuby] Fix failing tests on JRuby 9.2.x
• [JRuby] Fix default namespaces in nodes reparented into a different document [#1774]
• [JRuby] Fix support for Java 9. [#1759] (Thanks, @Taywee!)

Dependencies

• [MRI] Upgrade mini_portile2 dependency from ~> 2.3.0 to ~> 2.4.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ parallel (indirect, 1.12.0 → 1.19.1) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ public_suffix (indirect, 3.0.2 → 4.0.3) · Repo · Changelog

Release Notes

4.0.3 (from changelog)

Fixed

• Fixed 2.7 deprecations and warnings (GH-167). [Thanks @BrianHawley]

4.0.2 (from changelog)

Changed

• Updated definitions.

4.0.1 (from changelog)

• CHANGED: Updated definitions.

4.0.0 (from changelog)

• CHANGED: Minimum Ruby version is 2.3

3.1.1 (from changelog)

• CHANGED: Updated definitions.
• CHANGED: Rolled back support for Ruby 2.3 (GH-161, GH-162)

IMPORTANT: 3.x is the latest version compatible with Ruby 2.1 and Ruby 2.2.

3.1.0 (from changelog)

• CHANGED: Updated definitions.
• CHANGED: Minimum Ruby version is 2.3
• CHANGED: Upgraded to Bundler 2.x

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 38 commits:

• Release 4.0.3
• Welcome 2020
• CHANGELOG for GH-167
• Fix 2.7 deprecations and warnings (#168)
• Update .travis.yml
• Experiment with https://keepachangelog.com/
• Update rubocop
• Release 4.0.2
• Update README.md
• Create SECURITY.md
• Update CHANGELOG.md
• Release 4.0.1
• Updated definitions
• Add Tidelift link
• Create FUNDING.yml
• Test Ruby 2.7
• Release 4.0.0
• Remove support for Ruby < 2.3 in major version
• Release 3.1.1
• Reinstate support to Ruby 2.1 and 2.2
• Update PSL
• Fix version in README
• Release 3.1.0
• Update definitions list (#160)
• Upgrade to Rubocop 0.70
• Fix version mismatch
• Minimum Ruby version is 2.3
• Upgrade Bundler
• Make Travis happy
• Fix typo in comment (#159)
• Fix offenses
• Switch to CodeCov
• Update .travis.yml
• Release 3.0.3
• Update definitions (#154)
• Fix Rubocop new warnings
• Update .rubocop_defaults.yml (#153)
• Update docblock

↗️ typhoeus (indirect, 0.8.0 → 1.3.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ yell (indirect, 2.0.7 → 2.2.2) · Repo

Sorry, we couldn't find anything useful about this release.

🆕 nokogumbo (added, 2.0.2)

🆕 rainbow (added, 3.0.0)

🗑️ activesupport (removed)

🗑️ colored (removed)

🗑️ i18n (removed)

🗑️ minitest (removed)

🗑️ thread_safe (removed)

🗑️ tzinfo (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)