Bump the bundler group across 1 directory with 13 updates

[dependabot]

Bumps the bundler group with 13 updates in the / directory:

Package	From	To
puma	6.3.0	6.4.2
rack	2.2.7	2.2.8.1
omniauth	1.9.2	2.1.2
omniauth-cas	2.0.0	3.0.0
omniauth-saml	1.10.3	2.1.0
nokogiri	1.15.2	1.16.5
rack-cors	2.0.1	2.0.2
sanitize	6.0.1	6.0.2
sidekiq	6.5.9	6.5.10
sidekiq-unique-jobs	7.1.29	7.1.33
json-jwt	1.15.3	1.15.3.1
rotp	6.2.2	6.3.0
uri	0.12.1	0.13.0

Updates puma from 6.3.0 to 6.4.2

Release notes

Sourced from puma's releases.

6.4.1

• Bugfixes

  • DSL#warn_if_in_single_mode - fixup when workers set via CLI (#3256)
  • Fix idle-timeout not working in cluster mode (#3235, #3228, #3282, #3283)
  • Fix worker 0 timing out during phased restart (#3225, #2786)
  • context_builder.rb - require openssl if verify_mode != 'none' (#3179)
  • Make puma cluster process suitable as PID 1 (#3255)
  • Improve Puma::NullIO consistency with real IO (#3276)
  • extconf.rb - fixup to detect openssl info in Ruby build (#3271, #3266)
  • MiniSSL.java - set serialVersionUID, fix RaiseException deprecation (#3270)
  • dsl.rb - fix warn_if_in_single_mode when WEB_CONCURRENCY is set (#3265, #3264)

• Maintenance

  • LOTS of test refactoring to make tests more stable and easier to write - thanks to @​MSP-Greg!
  • Fix bug in tests re: TestPuma::HOST4 (#3254)
  • Dockerfile for minimal repros: use Ruby 3.2, expect bundler installed (#3245)
  • fix define_method calls, use Symbol parameter instead of String (#3293)

• Docs

  • README.md - add the puma-acme plugin (#3301)
  • Remove --keep-file-descriptors flag from systemd docs (#3248)
  • Note symlink mechanism in restart documentation for hot restart (#3298)

6.4.0 - The Eagle of Durango

America is #1 in professional cycling, baby!

• Features

  • on_thread_exit hook (#2920)
  • on_thread_start_hook (#3195)
  • Shutdown on idle (#3209, #2580)
  • New error message when control server port taken (#3204)

• Refactor

  • Remove Forwardable dependency (#3191, #3190)
  • Update URLMap Regexp usage for Ruby v3.3 (#3165)

• Bugfixes

  • Bring the cert_pem: parameter into parity with the cert: parameter to ssl_bind. (#3174)
  • Fix using control server with IPv6 host (#3181)
  • control_cli.rb - add require_relative 'log_writer' (#3187)
  • Fix cases where fallback Rack response wasn't sent to the client (#3094)

6.3.1

• Security
  • Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields (GHSA-68xg-gqqm-vgj8)

Changelog

Sourced from puma's changelog.

6.4.2 / 2024-01-08

• Security
  • Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. (GHSA-c2f4-cvqm-65w2)

6.4.1 / 2024-01-03

• Bugfixes

  • DSL#warn_if_in_single_mode - fixup when workers set via CLI (#3256)
  • Fix idle-timeout not working in cluster mode (#3235, #3228, #3282, #3283)
  • Fix worker 0 timing out during phased restart (#3225, #2786)
  • context_builder.rb - require openssl if verify_mode != 'none' (#3179)
  • Make puma cluster process suitable as PID 1 (#3255)
  • Improve Puma::NullIO consistency with real IO (#3276)
  • extconf.rb - fixup to detect openssl info in Ruby build (#3271, #3266)
  • MiniSSL.java - set serialVersionUID, fix RaiseException deprecation (#3270)
  • dsl.rb - fix warn_if_in_single_mode when WEB_CONCURRENCY is set (#3265, #3264)

• Maintenance

  • LOTS of test refactoring to make tests more stable and easier to write - thanks to @​MSP-Greg!
  • Fix bug in tests re: TestPuma::HOST4 (#3254)
  • Dockerfile for minimal repros: use Ruby 3.2, expect bundler installed (#3245)
  • fix define_method calls, use Symbol parameter instead of String (#3293)

• Docs

  • README.md - add the puma-acme plugin (#3301)
  • Remove --keep-file-descriptors flag from systemd docs (#3248)
  • Note symlink mechanism in restart documentation for hot restart (#3298)

6.4.0 / 2023-09-21

• Features

  • on_thread_exit hook (#2920)
  • on_thread_start_hook (#3195)
  • Shutdown on idle (#3209, #2580)
  • New error message when control server port taken (#3204)

• Refactor

  • Remove Forwardable dependency (#3191, #3190)
  • Update URLMap Regexp usage for Ruby v3.3 (#3165)

• Bugfixes

  • Bring the cert_pem: parameter into parity with the cert: parameter to ssl_bind. (#3174)
  • Fix using control server with IPv6 host (#3181)
  • control_cli.rb - add require_relative 'log_writer' (#3187)
  • Fix cases where fallback Rack response wasn't sent to the client (#3094)

6.3.1 / 2023-08-18

• Security

... (truncated)

Commits

• 5fc43d7 5.6.8 and 6.4.2
• dfbba22 6.4.2
• 60d5ee3 Merge pull request from GHSA-c2f4-cvqm-65w2
• a287025 6.4.1 version tick!
• 32a629d 6.4.1
• 7e17826 [Fix #3282] idle-timeout not waiting on all workers in cluster mode (#3283)
• 437142e README.md - add the puma-acme plugin (#3301)
• e9125fa [CI] Change all workflow file extensions to '.yml' (#3300)
• d49dec9 [CI] Add Ruby 3.3, use 'rubygems: latest' in tests.yaml MRI (#3299)
• 2d27225 Note symlink mechanism in restart documentation for hot restart (#3298)
• Additional commits viewable in compare view

Updates rack from 2.2.7 to 2.2.8.1

Release notes

Sourced from rack's releases.

v2.2.8.1

What's Changed

• Fixed ReDoS in Accept header parsing [CVE-2024-26146]
• Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
• Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: rack/rack@v2.2.8...v2.2.8.1

v2.2.8

What's Changed

• Limit file extension length of multipart tempfiles (2.2 backport) by @​dentarg in rack/rack#2075
• CHANGELOG: Add missing 2.2.7 by @​tisba in rack/rack#2081
• Update cookie.rb by @​dchandekstark in rack/rack#2092
• Prefer ubuntu-latest for testing. by @​ioquatix in rack/rack#2095
• Fix inefficient assert pattern in Rack::Lint [2-2-stable] by @​skipkayhil in rack/rack#2101
• Regenerate SPEC [2-2-stable] by @​skipkayhil in rack/rack#2102

New Contributors

• @​tisba made their first contribution in rack/rack#2081
• @​dchandekstark made their first contribution in rack/rack#2092

Full Changelog: rack/rack@v2.2.7...v2.2.8

Commits

• e830011 bump version
• d9c163a Avoid 2nd degree polynomial regexp in MediaType
• 6245768 Return an empty array when ranges are too large
• e4c1177 Fixing ReDoS in header parsing
• f169ff7 Bump patch version.
• 0a46487 Regenerate SPEC (#2102)
• cee73b3 Fix inefficient assert pattern in Rack::Lint (#2101)
• 1fdcf1f Prefer ubuntu-latest for testing. (#2095)
• 287fe43 Update cookie.rb (#2092)
• e7f4869 adds missing 2.2.7 to CHANGELOG.md (#2081)
• Additional commits viewable in compare view

Updates omniauth from 1.9.2 to 2.1.2

Release notes

Sourced from omniauth's releases.

v2.1.0

This release adds Ruby 3.0+ support.

Due to kwarg changes in ruby 3, we have bumped the minimum required version of Rack to 2.2.3, which is where ruby3 support was added.

Releasing as a minor as dependency resolution should fail at install if an application is locked to a rack below new minimum.

Full Changelog: omniauth/omniauth@v2.0.4...v2.1.0

v2.0.4

This release removes unnecessary warning logging when accessing GET routes that are not related to the OmniAuth request path.

Thanks to @​charlie-wasp and @​sponomarev at Evil Martians for the bug find and subsequent PR.

Fix rescuing of application errors when call_app! is used.

As a consequence of the changes that were merged in #689, errors thrown by strategies that utilize other_phase (or more specifically call_app!), would be caught by omniauth, causing headaches for folks looking to have those errors handled by their application. This should allow for errors that come from the app to pass through, while passing errors that come from the authentication phases to the fail! handler.

Resolves #1030

Fix for incorrect order of request_validation_phase in test_mode.

@​jsdalton gave an awesome report of the issue present in test_mode in #1033

The current implementation of mock_call was verifying the token for all requests, regardless of whether the current path is on the omniauth request path. The change was introduced recently in 1b784ff. See #1032 for details.

This creates two problems:

1. When test mode is on, the authenticity verification logic is run inappropriately against requests where this may not even be wanted.
2. The behavior varies from actual production behavior, potentially allowing bugs to be introduced by unwary developers.

Note that this bug was only present when OmniAuth was configured for test_mode and using the mock_call phases.

Allow passing rack-protection configuration to default request_validation_phase

This release now properly allows an instance of OmniAuth::AuthenticityTokenProtection (with passed in rack-protection configuration) to be used as the request_validation_phase.

Thanks @​jkowens #1027

If you haven't already read the release notes for v2.0.0, you should do so.

v2.0.0

Version 2.0 of OmniAuth includes some changes that may be breaking depending on how you use OmniAuth in your app.

Many thanks to the folks who contributed in code and discussion for these changes.

OmniAuth now defaults to only POST as the allowed request_phase method.

Hopefully, you were already doing this as a result of the warnings due to CVE-2015-9284.

... (truncated)

Commits

• 36f46c4 Prep for next release
• a13cd11 Merge pull request #1122 from nschonni/jruby-hack
• a0b31ec fix: conditional delegate require Rack/JRuby
• 79d0c9a Merge pull request #1118 from nschonni/remove-old-conditions
• c160e48 Merge pull request #1102 from madogiwa0124/update-tesed-ruby-versions
• b6cc0cc chore: Remove conditions for old (J)Ruby
• c6e01a6 Merge pull request #1110 from nschonni/dependabot-setup
• 4e9563f ci: update coverals to v2
• fa2674c ci: update actions/checkout to v3
• d050031 chore: add Dependabot for version updates
• Additional commits viewable in compare view

Updates omniauth-cas from 2.0.0 to 3.0.0

Release notes

Sourced from omniauth-cas's releases.

v3.0.0

What's Changed

• Move CI build to GitHub Actions by @​tagliala in dlindahl/omniauth-cas#65
• Modernize CI by @​tagliala in dlindahl/omniauth-cas#71
• Require Ruby >= 3.0 by @​tagliala in dlindahl/omniauth-cas#73
• Fix readme and changelog by @​tagliala in dlindahl/omniauth-cas#74
• Use example.org in specs by @​tagliala in dlindahl/omniauth-cas#75
• Fix module case in version [Breaking Change] by @​tagliala in dlindahl/omniauth-cas#76
• Add RuboCop by @​tagliala in dlindahl/omniauth-cas#77
• Fix safe RuboCop offenses in production code by @​tagliala in dlindahl/omniauth-cas#78
• Chore/fix unsafe offenses in production code by @​tagliala in dlindahl/omniauth-cas#79
• Regenerate spec helper by @​tagliala in dlindahl/omniauth-cas#80
• Honor skip_info? by @​tagliala in dlindahl/omniauth-cas#81
• Add OmniAuth v2 support by @​tagliala in dlindahl/omniauth-cas#82
• Set version and changelog to 3.0.0.beta.1 by @​tagliala in dlindahl/omniauth-cas#84
• Chore/fix some offenses by @​tagliala in dlindahl/omniauth-cas#85
• Update changelog and version by @​tagliala in dlindahl/omniauth-cas#86

Full Changelog: dlindahl/omniauth-cas@v2.0.0...v3.0.0

v3.0.0.beta.1

What's Changed

• Move CI build to GitHub Actions by @​tagliala in dlindahl/omniauth-cas#65
• Modernize CI by @​tagliala in dlindahl/omniauth-cas#71
• Require Ruby >= 3.0 by @​tagliala in dlindahl/omniauth-cas#73
• Fix readme and changelog by @​tagliala in dlindahl/omniauth-cas#74
• Use example.org in specs by @​tagliala in dlindahl/omniauth-cas#75
• Fix module case in version [Breaking Change] by @​tagliala in dlindahl/omniauth-cas#76
• Add RuboCop by @​tagliala in dlindahl/omniauth-cas#77
• Fix safe RuboCop offenses in production code by @​tagliala in dlindahl/omniauth-cas#78
• Chore/fix unsafe offenses in production code by @​tagliala in dlindahl/omniauth-cas#79
• Regenerate spec helper by @​tagliala in dlindahl/omniauth-cas#80
• Honor skip_info? by @​tagliala in dlindahl/omniauth-cas#81
• Add OmniAuth v2 support by @​tagliala in dlindahl/omniauth-cas#82
• Set version and changelog to 3.0.0.beta.1 by @​tagliala in dlindahl/omniauth-cas#84

Full Changelog: dlindahl/omniauth-cas@v2.0.0...v3.0.0.beta.1

Changelog

Sourced from omniauth-cas's changelog.

3.0.0 - 2024-02-24

Changed

• There are no changes between 3.0.0 and 3.0.0.beta.1

3.0.0.beta.1 - 2024-01-12

Changed

• Breaking change: Support OmniAuth 2 (#82).
• Potential breaking change: case of Omniauth::Cas::VERSION module (#76).

Removed

• Compatibility with EOL Ruby versions (#73).

Commits

• a8bd9b2 Merge pull request #86 from dlindahl/release/v3.0.0
• 0553de7 Update changelog and version
• 5f7f7fb Merge pull request #85 from dlindahl/chore/fix-some-offenses
• fa932f9 Fix some offenses
• 6ebadfd Improve Readme
• c47a0e9 Merge pull request #84 from dlindahl/chore/release-3-beta
• 24f16d8 Set version and changelog to 3.0.0.beta.1
• 9d9d3a9 Merge pull request #82 from dlindahl/feature/omniauth-2
• 435573c Add OmniAuth v2 support
• 4c25eed Merge pull request #81 from dlindahl/feature/honor-skip-info
• Additional commits viewable in compare view

Updates omniauth-saml from 1.10.3 to 2.1.0

Release notes

Sourced from omniauth-saml's releases.

v2.1.0 (2022-03-01)

Refactor

• Rename usage of deprecated SAML options (74ed8df)

Chores

• bump ruby-saml to 1.12 (15c156a)

v2.0.0

v2.0.0 (2021-01-13)

Chores

• Allow OmniAuth 2.0.0 (f7ec7ee)

Changelog

Sourced from omniauth-saml's changelog.

v2.1.0 (2022-03-01)

Refactor

• Rename usage of deprecated SAML options (74ed8df)

Chores

• bump ruby-saml to 1.12 (15c156a)

v2.0.0 (2021-01-13)

Chores

• Allow OmniAuth 2.0.0 (f7ec7ee)

Commits

• f2a7a84 Bump version to v2.1.0
• 8894f8d Merge pull request #206 from MrSerth/master
• 0883acf Update README.md
• 74ed8df Rename usage of deprecated SAML options
• 71d61c2 Merge pull request #207 from omniauth/setup-actions-ci
• 29c1761 chore: Remove .travis.yml file
• 3462c81 chore: Setup GitHub Actions for CI
• b628c1c Merge pull request #200 from omniauth/chore/bump-ruby-saml
• 15c156a chore: bump ruby-saml to 1.12
• ed52758 v2.0.0
• Additional commits viewable in compare view

Updates nokogiri from 1.15.2 to 1.16.5

Release notes

Sourced from nokogiri's releases.

v1.16.5 / 2024-05-13

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-34459. See GHSA-r95h-9x8f-r3f7 for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.7 from v2.12.6. (@​flavorjones)

---

sha256 checksums:

af0f44fa3e664dfb2aa10de8b551447d720c1e8d1f0aa3f35783dcc43e40a874  nokogiri-1.16.5-aarch64-linux.gem
23dc2357b26409a5c33b7e32a82902f0e9995305420f16d1a03ab3ea1a482fec  nokogiri-1.16.5-arm-linux.gem
950d037530edb49f75ad35de0b8038b970a7dda57e2b6326895b0e49fadf6214  nokogiri-1.16.5-arm64-darwin.gem
b7aefc94370c62476b8528e8d8abb6160203abd84a1f4eceda8f1aa8974d9989  nokogiri-1.16.5-java.gem
ec2167160df8fec3137bf95d574ed80ebc1d002bb3b281546b60b4aa9002466e  nokogiri-1.16.5-x64-mingw-ucrt.gem
6984200491fac69974005ecfa2de129d61843d345eafa5d6f58e8b908d1cf107  nokogiri-1.16.5-x64-mingw32.gem
abdc389ab1ec6604492da16bd9d06ad746fdb6bd6a1bd274c400d61ffcadb3c4  nokogiri-1.16.5-x86-linux.gem
63d24981345856f2baf7f4089870a62d3042fb8d3021b280fb04fc052532e3c4  nokogiri-1.16.5-x86-mingw32.gem
71b5f54e378c433d13df67c3b71acc4716129da62402d8181f310c4216a63279  nokogiri-1.16.5-x86_64-darwin.gem
0ca238da870066bed2f7837af6f35791bb9b76c4c5638999c46aac44818a6a97  nokogiri-1.16.5-x86_64-linux.gem
ec36162c68984fa0a90a5c4ae7ab7759460639e716cc1ce75f34c3cb54158ad2  nokogiri-1.16.5.gem

v1.16.4 / 2024-04-10

Dependencies

• [CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

---

sha256 checksums:

bdb1dc4378ebcf3ade8f440c7df68f6d76946a1a96c4823a2b4c53c01a320cd5  nokogiri-1.16.4-aarch64-linux.gem
0c994b9996d5576eddcc3201a94ef2bff6fc3627c4ae4d2708b0ec9b9743ec6a  nokogiri-1.16.4-arm-linux.gem
8e86abb64c93c06d3c588042a0e757279e8f1dc88b5210a00be892a9a7a27196  nokogiri-1.16.4-arm64-darwin.gem
bf84fa28be4943692bd64772186e0832fb1061f80714ccb93e111e9d72b1cadc  nokogiri-1.16.4-java.gem
a46808467c1f63a2031e1ca0715cd5336bb4ec759e9c0e2f4c951c1cc30994ae  nokogiri-1.16.4-x64-mingw-ucrt.gem
4cdf64bc5e9443ec3e0b595347ecc8affe21968d9ae934c0825d26630ef96468  nokogiri-1.16.4-x64-mingw32.gem
d86d21bae47dd9f6f5223055e45d33fae08b0b89aad94cbc0ece4f4274fa7af5  nokogiri-1.16.4-x86-linux.gem
d488b872884844686780fda7cf5da44ee884d32faa713a55aeb4736d76718168  nokogiri-1.16.4-x86-mingw32.gem
a896e52a56951ffb0e6a9279afbf485d683e357a053d27f4cfcb2a73b0824628  nokogiri-1.16.4-x86_64-darwin.gem
92ff4f09910255fec84b3bc4c4b182e94cada3ed12b9f7a6ea058e0af186fb31  nokogiri-1.16.4-x86_64-linux.gem
</tr></table> 

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.16.5

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-34459. See GHSA-r95h-9x8f-r3f7 for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.7 from v2.12.6. (@​flavorjones)

v1.16.4 / 2024-04-10

Dependencies

• [CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

v1.16.3 / 2024-03-15

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.6 from v2.12.5. (@​flavorjones)

Changed

• [CRuby] XML::Reader sets the @encoding instance variable during reading if it is not passed into the initializer. Previously, it would remain nil. The behavior of Reader#encoding has not changed. This works around changes to how libxml2 reports the encoding used in v2.12.6.

v1.16.2 / 2024-02-04

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See GHSA-xc9x-jj77-9p9j for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.5 from v2.12.4. (@​flavorjones)

v1.16.1 / 2024-02-03

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.4 from v2.12.3. (@​flavorjones)

... (truncated)

Commits

• cd70bd3 version bump to v1.16.5
• afc36de dep: update vendored libxml2 to v2.12.7 (#3191)
• 41b4f08 ci: add arm64-darwin coverage using macos-14
• 67b9e86 dep: update libxml2 to v2.12.7
• 17c0362 version bump to v1.16.4
• 1c329e9 dep: update to zlib 1.3.1 (v1.16.x) (#3175)
• edeac07 dep: update to zlib 1.3.1
• 80fb608 version bump to v1.16.3
• 710bd96 dep: update libxml 2.12.6 (branch v1.16.x) (#3151)
• 461a96e fix: Reader#read sets @​encoding if it is unset
• Additional commits viewable in compare view

Updates rack-cors from 2.0.1 to 2.0.2

Changelog

Sourced from rack-cors's changelog.

2.0.2 - 2024-03-04

Changed

• Fix file permission issues with 2.0.1 release
  • Security: Fixes CVE-2024-27456, GHSA-785g-282q-pwvx

Commits

• 8780639 Update changelog
• 7231de7 Bump rack-cors to 2.0.2
• b30b86d Fix rubocop
• e823594 Fix typo in README.md (#267)
• 8f50607 Escape $ in ressource paths compile (#270)
• 555ac46 Mocha 2.0+ / Minitest 5.19+ compatibility (#266)
• 202b85d Exclude test in gem
• b0e06a0 Move Host matching note into troubleshooting
• 507894e Fix test (#262)
• See full diff in compare view

Updates sanitize from 6.0.1 to 6.0.2

Release notes

Sourced from sanitize's releases.

v6.0.2

Bug Fixes

• CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS (cross-site scripting). This issue affects Sanitize versions 3.0.0 through 6.0.1.

  When using Sanitize's relaxed config or a custom config that allows <style> elements and one or more CSS at-rules, carefully crafted input could be used to sneak arbitrary HTML through Sanitize.

  See the following security advisory for additional details: GHSA-f5ww-cq3m-q3g7

  Thanks to @​cure53 for finding this issue.

Changelog

Sourced from sanitize's changelog.

6.0.2 (2023-07-06)

Bug Fixes

• CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS (cross-site scripting). This issue affects Sanitize versions 3.0.0 through 6.0.1.

  When using Sanitize's relaxed config or a custom config that allows <style> elements and one or more CSS at-rules, carefully crafted input could be used to sneak arbitrary HTML through Sanitize.

  See the following security advisory for additional details: GHSA-f5ww-cq3m-q3g7

  Thanks to @​cure53 for finding this issue.

Commits

• 76ed46e Merge pull request from GHSA-f5ww-cq3m-q3g7
• 3481ac3 Release 6.0.2
• 773d927 Update history
• 041c068 Escape </ to prevent a style element from being closed prematurely
• See full diff in compare view

Updates sidekiq from 6.5.9 to 6.5.10

Changelog

Sourced from sidekiq's changelog.

Sidekiq Changes

Sidekiq Changes | Sidekiq Pro Changes | Sidekiq Enterprise Changes

7.2.4

• Fix XSS in metrics filtering introduced in 7.2.0, CVE-2024-32887 Thanks to @​UmerAdeemCheema for the security report.

7.2.3

• Support Dragonfly.io as an alternative Redis implementation
• Fix error unpacking some compressed error backtraces #6241
• Fix potential heartbeat data leak #6227
• Add ability to find a currently running work by jid [Translate Korean mastodon/mastodon#6212, fatkodima]

7.2.2

• Add Process.warmup call in Ruby 3.3+
• Batch jobs now skip transactional push #6160

7.2.1

• Add Sidekiq::Work type which replaces the raw Hash as the third parameter in Sidekiq::WorkSet#each { |pid, tid, hash| ... } #6145
• DEPRECATED: direct access to the attributes within the hash block parameter above. The Sidekiq::Work instance contains accessor methods to get at the same data, e.g.

work["queue"] # Old
work.queue # New

• Fix Ruby 3.3 warnings around base64 gem [Recover 2FA with email mastodon/mastodon#6151, earlopain]

7.2.0

• sidekiq_retries_exhausted can return :discard to avoid the deadset and all death handlers #6091
• Metrics filtering by job class in Web UI #5974
• Better readability and formatting for numbers within the Web UI #6080
• Add explicit error if user code tries to nest test modes #6078

Sidekiq::Testing.inline! # global setting
Sidekiq::Testing.fake! do # override within block
  # ok
  Sidekiq::Testing.inline! do # can't override the override
</tr></table> 

... (truncated)

Commits

• f67a7ab Cherry pick:
• 101435c Merge 62c90d7
• See full diff in compare view

Updates sidekiq-unique-jobs from 7.1.29 to 7.1.33

Release notes

Sourced from sidekiq-unique-jobs's releases.

v7.1.33

What's Changed

• NOTE: The RCE vulnerability was a false alarm; sidekiq-unique-jobs was not vulnerable to RCE. You can find additional information in the PR linked below.
• fix: backport xss and rce fixes to v7.1 by @​mhenrixon in mhenrixon/sidekiq-unique-jobs#834

Full Changelog: mhenrixon/sidekiq-unique-jobs@v7.1.32...v7.1.33

v7.1.31

What's Changed

• fix: while_executing should not invoke conflict strategy when the job was successfully executed. by @​leandrogoe in mhenrixon/sidekiq-unique-jobs#806

New Contributors

• @​leandrogoe made their first contribution in mhenrixon/sidekiq-unique-jobs#806

Full Changelog: mhenrixon/sidekiq-unique-jobs@v7.1.30...v7.1.31

v7.1.30

What's Changed

• fix(v7.1): backport fixes from v8 by @​mhenrixon in mhenrixon/sidekiq-unique-jobs#799

Full Changelog: mhenrixon/sidekiq-unique-jobs@v7.1.29...v7.1.30

Changelog

Sourced from sidekiq-unique-jobs's changelog.

v7.1.33 (2024-02-12)

Full Changelog

v8.0.9 (2024-02-12)

Full Changelog

Fixed bugs:

• fix(rce): prevent remot code execution #833 (mhenrixon)

v8.0.8 (2024-02-12)

Full Changelog

Implemented enhancements:

• fix: ensure a new lock isn't conflicting with itself #830 (mhenrixon)

Fixed bugs:

• until_and_while_executing not entering perform method on initial run #824
• fix(digest): write digest on middleware call #774 (mhenrixon)

Closed issues:

• incompatibility with sidekiq-failures #790
• Jobs queued during existing job inherit lock digest #766

v8.0.7 (2024-02-05)

Full Changelog

Implemented enhancements:

• chore(ci): add test coverage from bropoplpush #828 (mhenrixon)

Fixed bugs:

• fix(xss): sanitize parameters #829 (mhenrixon)

Closed issues:

• No 'Changelog' link is being displayed on https://rubygems.org/gems/sidekiq-unique-jobs #825
• Using rspec matcher and getting: NameError: uninitialized constant SidekiqUniqueJobs::Lock::BaseLock::Validator #741

Merged pull requests:

• Fix Testing Instructions #827 (jherdman)

... (truncated)

Commits

• f613977 Bump sidekiq-unique-jobs to 7.1.33
• cd09ba6 fix: backport xss and rce fixes to v7.1 (#834)
• 81cc875 Bump sidekiq-unique-jobs to 7.1.32
• 3e21885 fix: while_executing should not invoke conflict strategy when the job was s...
• eec260f Bump sidekiq-unique-jobs to 7.1.31
• 9682f16 chore(gem): bump version
• 0d9a4ea Fix active worker detection by using correct keys (#756) (#799)
• See full diff in compare view

Updates json-jwt from 1.15.3 to 1.15.3.1

Commits

• See full diff in compare view

Updates rotp from 6.2.2 to 6.3.0

Release notes

Sourced from rotp's releases.

v6.3.0

6.3.0 (2023-08-30)

Features

• Allow for non-standard provisioning URI params, eg. image/icon (#91) (45d8aac)

Changelog

Sourced from rotp's changelog.

6.3.0 (2023-08-30)

Features

• Allow for non-standard provisioning URI params, eg. image/icon (#91) (45d8aac)

Commits

• 131d2c3 chore(main): release 6.3.0 (#132)
• 45d8aac feat: Allow for non-standard provisioning URI params, eg. image/icon (#91)
• 3908511 chore: bootstrap releases for path: . (#131)
• 06581e7 Chore: run CI on all pull requests (#130)
• 9a48b39 chore: docker-compose.yml: Use ruby-3.0 (#128)
• b38a738 Chore: CI Update for please release and Devcontainer addition of act (#127)
• 2425911 Merge pull request #126 from mdp/mdp/pr_rollup
• 9b5390e Merge branch 'main' into mdp/pr_rollup
• be137f1 Add Ruby 3.2 to CI.
• 5b60912 Merge pull request #116 from gogainda/patch-1
• Additional commits viewable in

[dependabot]

Superseded by #5.