🚨 [security] Upgrade devise: 4.2.1 → 4.7.1 (minor) #55
Open
depfu[bot] wants to merge 1 commit into master from
Welcome to Depfu 👋
This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.
After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.
Let us know if you have any questions. Thanks so much for giving Depfu a try!
🚨 Your version of devise has known security vulnerabilities 🚨
Advisory: CVE-2019-16109
Disclosed: September 08, 2019
URL: https://github.com/plataformatec/devise/issues/5071
Devise Gem for Ruby confirmation token validation with a blank string
🚨 We recommend merging and deploying this update as soon as possible! 🚨
Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ devise (4.2.1 → 4.7.1) · Repo · Changelog
Release Notes
4.7.1 (from changelog)
4.7.0 (from changelog)
4.6.2 (from changelog)
4.6.1 (from changelog)
4.6.0 (from changelog)
Not all release notes shown. View the full release notes.
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
3.1.12
Commits
See the full diff on Github. The new version differs by 56 commits:
Release Notes
1.1.5 (from changelog)
1.1.4 (from changelog)
1.1.0
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
1.8.0 (from changelog)
Commits
See the full diff on Github. The new version differs by 27 commits:
Release Notes
0.9.5
0.9.4
0.9.3
0.9.1
0.9.0
0.8.6
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
2.2.3
2.2.2
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Commits
See the full diff on Github. The new version differs by 53 commits:
Release Notes
1.10.4
1.10.3
1.10.2
1.10.1
1.10.0
1.9.1
1.9.0
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Commits
See the full diff on Github. The new version differs by 61 commits:
Commits
See the full diff on Github. The new version differs by 2 commits:
Release new gem that's free of upper-bound pessimism
Release gem dependencies from pessimism
Release Notes
1.2.0
1.1.0
Commits
See the full diff on Github. The new version differs by 42 commits:
Release Notes
12.3.3 (from changelog)
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
3.0.0 (from changelog)
2.4.1 (from changelog)
Commits
See the full diff on Github. The new version differs by 52 commits:
Release Notes
1.2.5
1.2.4
Commits
See the full diff on Github. The new version differs by 16 commits:
Preparing v1.2.5.
Update copyright years.
Use Ruby 1.8 compatible syntax.
Document that utc_offset and std_offset may be inaccurate with zoneinfo.
Allow zoneinfo offset derivation to pick a negative std_offset.
Don't store lazily-evaluated results if the object has been frozen.
Remove unnecessary calls to Country.get in tests.
Restore $SAFE after running a safe mode test (if possible).
Disable Minitest's use of external diff tools during safe mode tests.
Add Ruby 2.5.0 and update to the latest Ruby, JRuby and Rbx releases.
Replace expired gem signing certificate.
Preparing v1.2.4.
Update bundler before installing gems.
Use the Trusty build environment.
Update to Ruby 2.2.8, 2.3.5, 2.4.2, JRuby 1.7.27, 9.1.13.0 and rbx 3.86.
Ignore the leapseconds file included in v2017c+ zoneinfo directories.
Commits
See the full diff on Github. The new version differs by 54 commits:
🆕 crass (added, 1.0.4)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.