-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency rails to v5.2.8.1 #43
Conversation
⚠ Artifact update problemRenovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is. ♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
The artifact failure details are included below: File name: Gemfile.lock
|
Renovate Ignore NotificationBecause you closed this PR without merging, Renovate will ignore this update ( If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR. |
This PR contains the following updates:
'~> 7.0', '>= 7.0.6'
->'~> 5.0', '>= 5.2.8.1'
Release Notes
rails/rails (rails)
v5.2.8.1
: 5.2.8.1Compare Source
Active Support
Active Model
Active Record
Change ActiveRecord::Coders::YAMLColumn default to safe_load
This adds two new configuration options The configuration options are as
follows:
config.active_storage.use_yaml_unsafe_load
When set to true, this configuration option tells Rails to use the old
"unsafe" YAML loading strategy, maintaining the existing behavior but leaving
the possible escalation vulnerability in place. Setting this option to true
is not recommended, but can aid in upgrading.
config.active_record.yaml_column_permitted_classes
The "safe YAML" loading method does not allow all classes to be deserialized
by default. This option allows you to specify classes deemed "safe" in your
application. For example, if your application uses Symbol and Time in
serialized data, you can add Symbol and Time to the allowed list as follows:
[CVE-2022-32224]
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Railties
v5.2.8
: 5.2.8Compare Source
Active Support
Fix tag helper regression.
Eileen Uchitelle
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Railties
v5.2.7.1
: 5.2.7.1Compare Source
Active Support
Fix and add protections for XSS in
ActionView::Helpers
andERB::Util
.Add the method
ERB::Util.xml_name_escape
to escape dangerous charactersin names of tags and names of attributes, following the specification of XML.
Álvaro Martín Fraguas
Active Model
Active Record
Action View
Fix and add protections for XSS in
ActionView::Helpers
andERB::Util
.Escape dangerous characters in names of tags and names of attributes in the
tag helpers, following the XML specification. Rename the option
:escape_attributes
to:escape
, to simplify by applying the option to thewhole tag.
Álvaro Martín Fraguas
Action Pack
Allow Content Security Policy DSL to generate for API responses.
Tim Wade
Active Job
Action Mailer
Action Cable
Active Storage
Railties
v5.2.7
: 5.2.7Compare Source
Active Support
Restore support to Ruby 2.2.
ojab
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Fix
ActiveStorage.supported_image_processing_methods
andActiveStorage.unsupported_image_processing_arguments
that were not being applied.Rafael Mendonça França
Railties
v5.2.6.3
: 5.2.6.3Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Added image transformation validation via configurable allow-list.
Variant now offers a configurable allow-list for
transformation methods in addition to a configurable deny-list for arguments.
[CVE-2022-21831]
Railties
v5.2.6.2
: 5.2.6.2Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Active Job
Action Mailer
Action Cable
Active Storage
Railties
v5.2.6.1
: 5.2.6.1Compare Source
Active Support
Active Model
Active Record
Action View
Action Pack
Under certain circumstances, the middleware isn't informed that the
response body has been fully closed which result in request state not
being fully reset before the next request
[CVE-2022-23633]
Active Job
Action Mailer
Action Cable
Active Storage
Railties
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.