Bump sidekiq, rack and connection_pool

[dependabot]

Bumps sidekiq, rack and connection_pool. These dependencies needed to be updated together.
Updates sidekiq from 6.0.7 to 7.0.9

Changelog

Sourced from sidekiq's changelog.

7.0.9

• Restore confirmation dialogs in Web UI [#5881, shevaun]
• Increase fetch timeout to minimize ReadTimeoutError #5874
• Reverse histogram tooltip ordering #5868
• Add Scottish Gaelic (gd) locale [#5867, GunChleoc]

7.0.8

• SECURITY Sanitize period input parameter on Metrics pages. Specially crafted values can lead to XSS. This functionality was introduced in 7.0.4. Thank you to spercex @ huntr.dev #5694
• Add job hash as 3rd parameter to the sidekiq_retry_in block.

7.0.7

• Fix redis-client API usage which could result in stuck Redis connections #5823
• Fix AS::Duration with sidekiq_retry_in #5806
• Restore dumping config options on startup with -v #5822

7.0.5,7.0.6

• More context for debugging json unsafe errors #5787

7.0.4

• Performance and memory optimizations [#5768, fatkodima]
• Add 1-8 hour period selector to Metrics pages #5694
• Fix process display with sidekiqmon #5733

7.0.3

• Don't warn about memory policy on Redis Enterprise #5712
• Don't allow Quiet/Stop on embedded Sidekiq instances #5716
• Fix size: X for configuring the default Redis pool size #5702
• Improve the display of queue weights on Busy page #5642
• Freeze CurrentAttributes on a job once initially set #5692

7.0.2

• Improve compatibility with custom loggers #5673
• Add queue weights on Busy page #5640

... (truncated)

Commits

• a93cddc bump, prep
• ec84676 Switch buttons to input attributes, so they get the JS listener that provides...
• ae6ca11 BasicFetch: wait for an extra conn.read_timeout (#5874)
• 815a0a1 fix random test breakage
• 934ccd2 Histogram tooltip sort order should match the bubbles on the chart (#5868)
• b1be873 fix test
• 1006b05 Add gd translation
• 626f776 Remove Ruby 2.1 version check
• 458fdf7 Trim :period parameter to two characters and escape the value
• cf686d4 Create SECURITY.md
• Additional commits viewable in compare view

Updates rack from 2.2.3 to 2.2.6.4

Changelog

Sourced from rack's changelog.

Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

Unreleased

SPEC Changes

• rack.input is now optional. (#1997, [@​ioquatix])

Changed

• rack.input is now optional, and if missing, will raise an error. Use this to fail on multipart parsing a request without an input body. (#2018, [@​ioquatix])
• Introduce module Rack::BadRequest which is included in multipart and query parser errors. (#2019, [@​ioquatix])
• MIME type for JavaScript files (.js) changed from application/javascript to text/javascript (1bd0f15)
• Add .mjs MIME type (#2057, [@​axilleas])
• Update MIME types associated to .ttf, .woff, .woff2 and .otf extensions to use mondern font/* types. (#2065, [@​davidstosik])

[3.0.7] - 2023-03-16

• Make query parameters without = have nil values. (#2059, [@​jeremyevans])

[3.0.6.1] - 2023-03-13

• [CVE-2023-27539] Avoid ReDoS in header parsing

[3.0.6] - 2023-03-13

• Add QueryParser#missing_value for handling missing values + tests. (#2052, [@​ioquatix])

[3.0.5] - 2023-03-13

• Split form/query parsing into two steps. (#2038, @​matthewd)

[3.0.4.2] - 2023-03-02

• [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts

[3.0.4.1] - 2023-01-17

• [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
• [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
• [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)

[3.0.4] - 2023-01-17

• Rack::Request#POST should consistently raise errors. Cache errors that occur when invoking Rack::Request#POST so they can be raised again later. (#2010, [@​ioquatix])
• Fix Rack::Lint error message for HTTP_CONTENT_TYPE and HTTP_CONTENT_LENGTH. (#2007, @​byroot)
• Extend Rack::MethodOverride to handle QueryParser::ParamsTooDeepError error. (#2006, @​byroot)

... (truncated)

Commits

• 27addc7 bump version
• ee7919e Avoid ReDoS problem
• d6b5b2b bump version
• 9aac375 Limit all multipart parts, not just files
• 2606ac5 bumping version
• f6d4f52 Fix ReDoS in Rack::Utils.get_byte_ranges
• 20bc90c bump version
• 3677f17 Update changelog
• ee25ab9 Fix ReDoS vulnerability in multipart parser
• 19e49f0 Forbid control characters in attributes
• Additional commits viewable in compare view

Updates connection_pool from 2.2.2 to 2.4.0

Changelog

Sourced from connection_pool's changelog.

2.4.0

• Automatically drop all connections after fork #166

2.3.0

• Minimum Ruby version is now 2.5.0
• Add pool size to TimeoutError message

2.2.5

• Fix argument forwarding on Ruby 2.7 #149

2.2.4

• Add reload to close all connections, recreating them afterwards [Andrew Marshall, #140]
• Add then as a way to use a pool or a bare connection with the same code path #138

2.2.3

• Pool now throws ConnectionPool::TimeoutError on timeout. #130
• Use monotonic clock present in all modern Rubies [Tero Tasanen, #109]
• Remove code hacks necessary for JRuby 1.7
• Expose wrapped pool from ConnectionPool::Wrapper [Thomas Lecavelier, #113]

Commits

• 526f45e release
• d8bee94 Add Ruby 3.2 to the CI matrix. (#169)
• 428c06f Automatically drop all connections after fork (#166)
• a8bc713 Update readme: non critical -> non-critical (#164)
• a4abba7 release
• ac46d5d Add more context to timeout error
• a105ff6 simplify flaky test
• 67363c6 fix jruby?
• 597adbe remove 2.4
• 87ce172 Cleanup readme
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.