@depfu depfu bot commented Jun 25, 2024


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ jekyll (3.8.6 → 3.10.0) · Repo · Changelog

Release Notes

3.10.0 (from changelog)

Minor Enhancements

  • Backport add-csv-dependency from #9522 to Jekyll 3 (#9616)
  • 3.10-stable: Add webrick as a dependency (#9620)

3.9.4

Bug Fixes

  • Backport #9392 for v3.9.x: Add support for Ruby 3.3 Logger (#9513)

3.9.3

Bug Fixes

  • 3.9.x: Support i18n 1.x (#9269)
  • Backport #8880 for v3.9.x: Support both tzinfo v1 and v2 along with non-half hour offsets (#9280)

Development Fixes

  • v3.9.x: test under Ruby 3.2 (#9272)
  • v3.9.x: fix rdiscount test (#9277)

3.9.2

Bug Fixes

  • Lock http_parser.rb gem to v0.6.x on JRuby (#8943)
  • Backport #8756 for v3.9.x: Respect collections_dir config within include tag (#8795)
  • Backport #8965 for v3.9.x: Fix response header for content served via jekyll serve (#8976)

Development Fixes

  • Update and fix CI for 3.9-stable on Ruby 3.x (#8942)
  • Fix CI for commits to 3.9-stable branch (#8788)

3.9.1

Bug Fixes

  • Backport #8618 for v3.9.x: Update include tag to be more permissive (#8629)

3.9.0

Minor Enhancements

  • Allow use of kramdown v2 (#8322)
  • Add default language for kramdown syntax highlighting (#8325)

3.8.7

Fixes

  • Prevent console warnings with Ruby 2.7 (#7948)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ addressable (indirect, 2.7.0 → 2.8.7) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service in Addressable templates

Impact

Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.

Patches

The vulnerability was introduced in version 2.3.0 (previously yanked) and has been present in all subsequent versions up to, and including, 2.7.0. It is fixed in version 2.8.0.

Workarounds

The vulnerability can be avoided by only creating Template objects from trusted sources that have been validated not to produce catastrophic backtracking.
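As an added example (not code from the Depfu PR or the Addressable project), a check a maintainer can run against a Gemfile.lock to tell whether the locked addressable version falls inside the range the advisory gives (introduced in 2.3.0, fixed in 2.8.0); the lockfile excerpt is constructed.

```ruby
# Added example, not code from the Depfu PR or the Addressable project:
# flag a Gemfile.lock whose locked addressable version lies inside the
# range the advisory gives (introduced in 2.3.0, fixed in 2.8.0).
require "rubygems" # Gem::Version ships with Ruby

ADDRESSABLE_REDOS_INTRODUCED = Gem::Version.new("2.3.0")
ADDRESSABLE_REDOS_FIXED      = Gem::Version.new("2.8.0")

# Parse the "specs:" blocks of a Gemfile.lock (GEM, GIT or PATH sections)
# and return a Hash of top-level gem name => Gem::Version. Transitive
# dependency lines are indented six spaces and are skipped.
def locked_gem_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.start_with?("  specs:")
      in_specs = true
      next
    end
    # Anything not indented by at least four spaces ends the specs block.
    in_specs = false if in_specs && !line.start_with?("    ")
    next unless in_specs
    m = line.match(/\A    (\S+) \(([^)]+)\)\s*\z/)
    next unless m
    begin
      versions[m[1]] = Gem::Version.new(m[2])
    rescue ArgumentError
      # Malformed version string: leave it out rather than guess.
    end
  end
  versions
end

# True when addressable is locked to a version in [2.3.0, 2.8.0).
def addressable_redos_vulnerable?(lockfile_text)
  version = locked_gem_versions(lockfile_text)["addressable"]
  return false if version.nil? # addressable is not in this lockfile
  version >= ADDRESSABLE_REDOS_INTRODUCED && version < ADDRESSABLE_REDOS_FIXED
end

# Constructed sample lockfile excerpt using the versions this PR bumps.
SAMPLE_LOCKFILE = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    addressable (2.7.0)
      public_suffix (>= 2.0.2, < 5.0)
    jekyll (3.8.6)
      addressable (~> 2.4)
    public_suffix (4.0.5)

PLATFORMS
  ruby
LOCK
```

Running `addressable_redos_vulnerable?(SAMPLE_LOCKFILE)` returns true for the 2.7.0 lock above and false once the lock is bumped to 2.8.0 or later.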


Release Notes

2.8.7 (from changelog)

  • Allow public_suffix 6 (#535)

2.8.6 (from changelog)

  • Memoize regexps for common character classes (#524)

2.8.5 (from changelog)

  • Fix thread safety issue with encoding tables (#515)
  • Define URI::NONE as a module to avoid serialization issues (#509)
  • Fix YAML serialization (#508)

2.8.4 (from changelog)

  • Restore Addressable::IDNA.unicode_normalize_kc as a deprecated method (#504)

2.8.3 (from changelog)

  • Fix template expand level 2 hash support for non-string objects (#499, #498)

2.8.2 (from changelog)

  • Improve cache hits and JIT friendliness (#486)
  • Improve code style and test coverage (#482)
  • Ensure reset of deferred validation (#481)
  • Resolve normalization differences between IDNA::Native and IDNA::Pure (#408, #492)
  • Remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438) (accidentally reverted by #449 merge but added back in #492)

2.8.1 (from changelog)

  • refactor Addressable::URI.normalize_path to address linter offenses (#430)
  • remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438)
  • update gemspec to reflect supported Ruby versions (#466, #464, #463)
  • compatibility w/ public_suffix 5.x (#466, #465, #460)
  • fixes "invalid byte sequence in UTF-8" exception when unencoding URLs containing non UTF-8 characters (#459)
  • Ractor compatibility (#449)
  • use the whole string instead of a single line for template match (#431)
  • force UTF-8 encoding only if needed (#341)

2.8.0 (from changelog)

  • fixes ReDoS vulnerability in Addressable::Template#match
  • no longer replaces + with spaces in queries for non-http(s) schemes
  • fixed encoding ipv6 literals
  • the :compacted flag for normalized_query now dedupes parameters
  • fix broken escape_component alias
  • dropping support for Ruby 2.0 and 2.1
  • adding Ruby 3.0 compatibility for development tasks
  • drop support for rack-mount and remove Addressable::Template#generate
  • performance improvements
  • switch CI/CD to GitHub Actions

Does any of this look wrong? Please let us know.

↗️ concurrent-ruby (indirect, 1.1.6 → 1.3.3) · Repo · Changelog

Release Notes

1.3.3

Full Changelog: v1.3.2...v1.3.3

1.3.2

Full Changelog: v1.3.1...v1.3.2

1.3.1

This release is essentially v1.3.0, but with a properly packaged gem. There was an issue publishing v1.3.0 and that gem needed to be yanked to avoid breaking downstream projects. The v1.3.0 changelog is reproduced below.

What's Changed

  • Add Concurrent.usable_processor_count that is cgroups aware by @casperisfine in #1038
  • Align Java Executor Service behavior for shuttingdown?, shutdown? by @bensheldon in #1042

Full Changelog: v1.2.3...v1.3.1

1.2.3

Full Changelog: v1.2.2...v1.2.3

1.2.2

concurrent-ruby 1.2.2:

  • (#993) Fix arguments passed to Concurrent::Map's default_proc.

1.2.1

concurrent-ruby 1.2.1:

  • (#990) Add missing require 'fiber' for FiberLocalVar.
  • (#989) Optimize Concurrent::Map#[] on CRuby by letting the backing Hash handle the default_proc.

1.2.0

concurrent-ruby 1.2.0:

  • (#975) Set the Ruby compatibility version at 2.3
  • (#962) Fix ReentrantReadWriteLock to use the same granularity for locals as for Mutex it uses.
  • (#983) Add FiberLocalVar
  • (#934) concurrent-ruby now supports requiring individual classes (public classes listed in the docs), e.g., require 'concurrent/map'
  • (#976) Let Promises.any_fulfilled_future take an Event
  • Improve documentation of various classes
  • (#972) Remove Rubinius-related code

concurrent-ruby-edge 0.7.0:

  • (#975) Set the Ruby compatibility version at 2.3
  • (#934) concurrent-ruby now supports requiring individual classes (public classes listed in the docs), e.g., require 'concurrent/map'
  • (#972) Remove Rubinius-related code

1.1.10

concurrent-ruby:

  • (#951) Set the Ruby compatibility version at 2.2
  • (#939, #933) The caller_runs fallback policy no longer blocks reads from the job queue by worker threads
  • (#938, #761, #652) You can now explicitly prune_pool a thread pool (Sylvain Joyeux)
  • (#937, #757, #670) We switched the Yahoo stock API for demos to Alpha Vantage (Gustavo Caso)
  • (#932, #931) We changed how SafeTaskExecutor handles local jump errors (Aaron Jensen)
  • (#927) You can use keyword arguments in your initialize when using Async (Matt Larraz)
  • (#926, #639) We removed timeout from TimerTask because it wasn't sound, and now it's a no-op with a warning (Jacob Atzen)
  • (#919) If you double-lock a re-entrant read-write lock, we promote to locked for writing (zp yuan)
  • (#915) monotonic_time now accepts an optional unit parameter, as Ruby's clock_gettime (Jean Boussier)

1.1.9 (from changelog)

concurrent-ruby:

  • (#866) Child promise state not set to :pending immediately after #execute when parent has completed
  • (#905, #872) Fix RubyNonConcurrentPriorityQueue#delete method
  • (2df0337d) Make sure locks are not shared when objects are dup/cloned
  • (#900, #906, #796, #847, #911) Fix Concurrent::Set thread-safety issues on CRuby
  • (#907) Add new ConcurrentMap backend for TruffleRuby

1.1.8 (from changelog)

  • (#885) Fix race condition in TVar for stale reads
  • (#884) RubyThreadLocalVar: Do not iterate over hash which might conflict with new pair addition

1.1.7 (from changelog)

concurrent-ruby:

  • (#879) Consider falsy value on Concurrent::Map#compute_if_absent for fast non-blocking path
  • (#876) Reset Async queue on forking, makes Async fork-safe
  • (#856) Avoid running problematic code in RubyThreadLocalVar on MRI that occasionally results in segfault
  • (#853) Introduce ThreadPoolExecutor without a Queue

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ em-websocket (indirect, 0.5.1 → 0.5.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ffi (indirect, 1.12.2 → 1.17.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ http_parser.rb (indirect, 0.6.0 → 0.8.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ liquid (indirect, 4.0.3 → 4.0.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ public_suffix (indirect, 4.0.5 → 6.0.0) · Repo · Changelog

Release Notes

6.0.0 (from changelog)

Same as 5.1.0. Re-releasing as a major version change due to a major ruby version requirement change.

Changed

  • Updated definitions.
  • Minimum Ruby version is 3.0

5.1.1 (from changelog)

No significant changes. Releasing a mini version to address 5.1.0 release with major ruby requirement change (GH-315).

5.1.0 (from changelog)

Changed

  • Updated definitions.
  • Minimum Ruby version is 3.0

5.0.5 (from changelog)

Changed

  • Updated definitions.

5.0.4 (from changelog)

5.0.3 (from changelog)

Fixed

  • Fixed automated release workflow.

5.0.1 (from changelog)

Changed

  • Updated definitions.

5.0.0 (from changelog)

Changed

  • Minimum Ruby version is 2.6

  • Updated definitions.

4.0.7 (from changelog)

Fixes

  • Fixed YARD rake task (GH-179)

Changed

  • Updated definitions.

4.0.6 (from changelog)

Changed

  • Updated definitions.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rb-fsevent (indirect, 0.10.4 → 0.11.2) · Repo

Release Notes

0.11.2

  • Avoid modifying string literals #91

0.11.1

  • rescue Errno::EBADF when closing pipe #92

0.11.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rb-inotify (indirect, 0.10.1 → 0.11.1) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rouge (indirect, 3.19.0 → 3.30.0) · Repo · Changelog

Release Notes

3.30.0

We bring you 3 new exciting lexers in this release: Isabelle, Meson and Nial lexer. There are also some fixes and improvements on CPP, Dart, Groovy, JavaScript, Pascal, PHP and TOML lexer.

Thank you to all of the amazing contributors for your help and continuous support!

Full Changelog: v3.29.0...v3.30.0

3.29.0

We bring you 5 new exciting lexers in this release: Idris, Lean, Syzlang and Syzprog lexer. There are also some fixes and improvements on Docker, Matlab and Python lexer.

Furthermore, we have made some improvements in Rouge and Rouge CI. We are now running Ruby 3.1 as part of our CI. As part of this release, we also introduced Code of Conduct v2.1.

Thank you to all of the amazing contributors for your help and continuous support!

Full Changelog: v3.28.0...v3.29.0

3.28.0

This first release of 2022 introduces 3 new lexers: Fluent, Stan and Stata. There are also numerous fixes and improvements across C, Console, CPP, Cypher, Dart, HCL, JSX, Kotlin, Rust, SPARQL and TOML lexer. In addition, we have added support to run the visual test app in Ruby 3.0.

Thank you to everyone who has contributed to this release. It is wonderful to see some first-time contributors. May all your wishes come true in 2022!

3.27.0 (from changelog)

Comparison with the previous version

  • Ceylon Lexer
    • Backtracking fix in interpolation regex (#1773 by thewoolleyman)
  • Dafny Lexer
    • Add Dafny Lexer (#1647 by davidcok, mschlaipfer)
  • Elixir Lexer
    • Add support for HEEX templates (#1736 by sineed)
  • Rust Lexer
    • Fix lexing of integers, escapes, identifiers, unicode idents, keywords and builtins, byte strings and multiline and doc comments (#1711 by thomcc)
  • SQL Lexer
    • Curly brace support (#1714 by hawkfish)
    • Add more SQL dialects in visual samples (#1751 by tancnle)
    • Windowing keywords support (#1754 by hawkfish)
  • Swift Lexer
    • Add 5.5 keywords (#1715 by johnfairh)
  • Rouge CI
    • Migrate from Travis CI to GitHub (#1728 by Geod24)
  • Documentation

3.26.1 (from changelog)

Comparison with the previous version

  • CPP Lexer
    • Add year and date chrono literals, add std::complex literals, fix chrono literals with digit separator (#1665 by swheaton)
  • Factor and GHC Core Lexer
    • Fix catastrophic backtrack (#1690 by Ravlen)
  • JSL Lexer
    • Fix single line block comments, scoped variables and functions (#1663 by BenPH)
  • YAML Lexer
    • Fix YAML key containing special character (#1667 by tancnle)
  • Fix Ruby 2.7 keyword parameter deprecation warning (#1597 by stanhu)
  • Updated README (#1666 by dchacke)

3.26.0

There are two things to report in this release.

The first are the usual notes. We have two new lexers: one for OCL and one for ReScript. There are also fixes for the CMake, Crystal, JSL, Python, ReasonML and Rust lexers. Thank you to all the contributors!

The second is that I'd like to announce that this will be my last release as a maintainer of Rouge. It's been a terrific experience and I'd like to thank @jneen and the other maintainers for making me feel very welcome. I wish them all the best as Rouge moves to version 4!

3.25.0

No new lexers this time but we do have a lot of updates. There are fixes for the Batchfile, C++, Docker, JavaScript, Kotlin, Perl, PowerShell, Ruby, Rust and Velocity lexers. Enjoy!

3.24.0

This release has two new lexers: one for e-mails (yes, I am aware it is only me that spells it that way) and one for J (why not another language starting with J?). There's also fixes for the Apex, HTTP, Janet, JavaScript and Rust lexers. And on top of all of that, there are some improvements to Rouge itself, including a new CLI debug command and a line highlighting option.

Thanks to everyone who contributed bug reports and pull requests. Stay safe and lex responsibly!

3.23.0

This release has two new lexers: one for PostScript and one for systemd unit files. There's also fixes for the Kotlin, Ruby and Rust lexers. Thanks to all the contributors who help make Rouge better. Don't forget to wear a mask!

3.22.0

This is a small release with just one update: a major rewrite of the PHP lexer. Hopefully the improved level of detail makes your PHP code look prettier but do report any issues you find with it!

3.21.0

This release has three new lexers, one for BrightScript, one for Janet and one for SSH Config. There's also fixes for the Batchfile, C++, Jinja, Perl, PowerShell, Rego, Sass, SCSS and Twig lexers. Happy highlighting!

3.20.0

We've got some new lexers again! This release includes lexers for Augeas, BibTeX, HLSL, LiveScript, Velocity and Zig. On top of that, we have fixes for the C++, Diff, Haskell, HTML, JavaScript, JSX, OpenType Feature File, PowerShell, TSX and TypeScript lexers.

I'd like to especially call out @lkinasiewicz for the LiveScript lexer. This was originally submitted back in 2017 and it's great to have it finally part of Rouge! The backlog of outstanding PRs is still too long but we are slowly making progress. As I like to say: forward, not backward; upward, not forward; and always twirling, twirling, twirling towards freedom!

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 csv (added, 3.3.0)

🆕 webrick (added, 1.8.1)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu cancel merge: Cancels automatic merging of this PR
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)
