🚨 [security] [ruby] Update yard 0.9.38 → 0.9.42 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ yard (0.9.38 → 0.9.42) · Repo · Changelog

Security Advisories 🚨

🚨 yard: Possible arbitrary path traversal and file access via yard server

Impact

A path traversal vulnerability was discovered in YARD <= 0.9.41 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions.

The original patch in GHSA-xfhh-rx56-rxcr was incorrectly applied.

Patches

Please upgrade to YARD v0.9.42 immediately if you are relying on yard server to host documentation in any untrusted environments without WEBrick and rely on --docroot.

Workarounds

For users who cannot upgrade, it is possible to perform path sanitization of HTTP requests at your webserver level. WEBrick, for example, can perform such sanitization by default (which you can use via yard server -s webrick), as can certain rules in your webserver configuration.

Release Notes

0.9.42

• Fix alternating rows when loading a module in default HTML templates with subelements in the nav frame
• Fix reliability of keypresses and copy/paste in search box (#1174)
• Fix regression in yard server search box styling
• Fix possible path traversal with document_root (--docroot) set in yard server (GHSA-xfhh-rx56-rxcr)

0.9.41

• Add support for rdoc-image:... syntax in HybridMarkup (#1676)
• Add support for colon suffix code blocks in HybridMarkup (rdoc compatibility)
• Fix responsiveness and state issues with nav frame links in yard server

0.9.40

• Add support for Ruby .rbs files (docstrings included) (#1673)
• Add built-in hybrid RDoc/Markdown renderer (HybridMarkdown) requiring no external gems (#1674)
• Add support for #- as a comment-block separator. See Getting Started Guide.
• Add support for commonmarker version >= 1.0.
• Remove usage of jQuery in default templates. jQuery library is still packaged in templates for backward compatibility (#1675)
• Fix false self-referential mixin when bare name matches ancestor namespace (#1672)
• Fix bracket/brace map corruption from Ruby 3.0+ pattern matching deconstruction (#1671)
• Fix @!scope class on attributes (#1582, #1655, #1666)
• Fix @!parse directives not including source for block (#1665)
• Fix inherited methods not appearing in groups (#1656)

0.9.39

• Add support for Ruby 4.0 (#1663)
• Add changelog URI to gemspec metadata (#1641)
• Fix issues with source ranges (#1642)
• Fix an issue loading relative links from file list in HTML template (#1660)
• Various test fixes (#1650, #1651)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.29%. Comparing base (5ac3d04) to head (e7519ce).
⚠️ Report is 4 commits behind head on develop.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #5707      +/-   ##
===========================================
- Coverage    87.32%   87.29%   -0.04%     
===========================================
  Files         1467     1467              
  Lines        33167    33167              
  Branches      3496     3496              
===========================================
- Hits         28964    28953      -11     
- Misses        4182     4193      +11     
  Partials        21       21              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.