Update dependency rails to v6 #212

Open
wants to merge 1 commit into
base: master

@mend-for-github-com mend-for-github-com bot commented Mar 16, 2023

This PR contains the following updates:

| Package | Update | Change |
| --- | --- | --- |
| rails (source, changelog) | major | "5.2.4.5" -> "6.1.7.7" |

By merging this PR, the below issues will be automatically resolved and closed:

| Severity | CVSS Score | CVE | GitHub Issue |
| --- | --- | --- | --- |
| Medium | 6.1 | CVE-2023-23913 | #214 |
| Medium | 6.1 | CVE-2023-28120 | #210 |
| Medium | 5.3 | CVE-2024-26144 | #248 |

Release Notes

rails/rails (rails)

v6.1.7.7: 6.1.7.7

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • Disables the session in ActiveStorage::Blobs::ProxyController
    and ActiveStorage::Representations::ProxyController
    in order to allow caching by default in some CDNs as CloudFlare

    Fixes #​44136

    Bruno Prieto

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.7.6

Compare Source

No changes between this and 6.1.7.5. This release was just to fix file permissions in the previous release.

v6.1.7.5: 6.1.7.5 Release

Compare Source

Active Support

  • Use a temporary file for storing unencrypted files while editing

    [CVE-2023-38037]

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.7.4

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Raise an exception if illegal characters are provided to redirect_to
    [CVE-2023-28362]

    Zack Deveau

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.7.3

Compare Source

Active Support

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • Ignore certain data-* attributes in rails-ujs when element is contenteditable

    [CVE-2023-23913]

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.7.2

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Fix domain: :all for two letter TLD

    This fixes a compatibility issue introduced in our previous security
    release when using domain: :all with a two letter but single level top
    level domain (like .ca, rather than .co.uk).

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.7.1

Compare Source

Active Support

Active Model

  • No changes.

Active Record

  • Make sanitize_as_sql_comment more strict

    Though this method was likely never meant to take user input, it was
    attempting sanitization. That sanitization could be bypassed with
    carefully crafted input.

    This commit makes the sanitization more robust by replacing any
    occurrences of "/*" or "*/" with "/ *" or "* /". It also performs a
    first pass to remove one surrounding comment to avoid compatibility
    issues for users relying on the existing removal.

    This also clarifies in the documentation of annotate that it should not
    be provided user input.

    [CVE-2023-22794]

  • Added integer width check to PostgreSQL::Quoting

    Given a value outside the range for a 64bit signed integer type
    PostgreSQL will treat the column type as numeric. Comparing
    integer values against numeric values can result in a slow
    sequential scan.

    This behavior is configurable via
    ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.

    [CVE-2022-44566]

Action View

  • No changes.

Action Pack

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.7

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Symbol is allowed by default for YAML columns

    Étienne Barrié

  • Fix ActiveRecord::Store to serialize as a regular Hash

    Previously it would serialize as an ActiveSupport::HashWithIndifferentAccess
    which is wasteful and causes problems with YAML safe_load.

    Jean Boussier

  • Fix PG.connect keyword arguments deprecation warning on ruby 2.7

    Fixes #​44307.

    Nikita Vasilevsky

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • Respect Active Record's primary_key_type in Active Storage migrations. Backported from 7.0.

    fatkodima

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.6.1: 6.1.6.1

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Change ActiveRecord::Coders::YAMLColumn default to safe_load

    This adds two new configuration options. The configuration options are as
    follows:

    • config.active_storage.use_yaml_unsafe_load

    When set to true, this configuration option tells Rails to use the old
    "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
    the possible escalation vulnerability in place. Setting this option to true
    is not recommended, but can aid in upgrading.

    • config.active_record.yaml_column_permitted_classes

    The "safe YAML" loading method does not allow all classes to be deserialized
    by default. This option allows you to specify classes deemed "safe" in your
    application. For example, if your application uses Symbol and Time in
    serialized data, you can add Symbol and Time to the allowed list as follows:

    config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
    

    [CVE-2022-32224]

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.6: 6.1.6

Compare Source

Active Support

  • Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

    Add the method ERB::Util.xml_name_escape to escape dangerous characters
    in names of tags and names of attributes, following the specification of XML.

    Álvaro Martín Fraguas

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

    Escape dangerous characters in names of tags and names of attributes in the
    tag helpers, following the XML specification. Rename the option
    :escape_attributes to :escape, to simplify by applying the option to the
    whole tag.

    Álvaro Martín Fraguas

Action Pack

  • Allow Content Security Policy DSL to generate for API responses.

    Tim Wade

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.5.1: 6.1.5.1

Compare Source

Active Support

  • Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

    Add the method ERB::Util.xml_name_escape to escape dangerous characters
    in names of tags and names of attributes, following the specification of XML.

    Álvaro Martín Fraguas

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

    Escape dangerous characters in names of tags and names of attributes in the
    tag helpers, following the XML specification. Rename the option
    :escape_attributes to :escape, to simplify by applying the option to the
    whole tag.

    Álvaro Martín Fraguas

Action Pack

  • Allow Content Security Policy DSL to generate for API responses.

    Tim Wade

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Railties

  • No changes.

v6.1.5: 6.1.5

Compare Source

Active Support

  • Fix ActiveSupport::Duration.build to support negative values.

    The algorithm to collect the parts of the ActiveSupport::Duration
    ignored the sign of the value and accumulated incorrect part values. This
    impacted ActiveSupport::Duration#sum (which is dependent on parts) but
    not ActiveSupport::Duration#eql? (which is dependent on value).

    Caleb Buxton, Braden Staudacher

  • Time#change and methods that call it (eg. Time#advance) will now
    return a Time with the timezone argument provided, if the caller was
    initialized with a timezone argument.

    Fixes #​42467.

    Alex Ghiculescu

  • Clone to keep extended Logger methods for tagged logger.

    Orhan Toy

  • assert_changes works on including ActiveSupport::Assertions module.

    Pedro Medeiros

Active Model

  • Clear secure password cache if password is set to nil

    Before:

    user.password = 'something'
    user.password = nil

    user.password # => 'something'

    Now:

    user.password = 'something'
    user.password = nil

    user.password # => nil

    Markus Doits

  • Fix delegation in ActiveModel::Type::Registry#lookup and ActiveModel::Type.lookup

    Passing a last positional argument {} would be incorrectly considered as keyword argument.

    Benoit Daloze

  • Fix to_json after changes_applied for ActiveModel::Dirty object.

    Ryuta Kamizono

Active Record

  • Fix ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate for Ruby 2.6.

    Ruby 2.6 and 2.7 have slightly different implementations of the String#@​- method.
    In Ruby 2.6, the receiver of the String#@​- method is modified under certain circumstances.
    This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only
    fixed in Ruby 2.7.

    Before the changes in this commit, the
    ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate method, which internally
    calls the String#@​- method, could also modify an input string argument in Ruby 2.6 --
    changing a tainted, unfrozen string into a tainted, frozen string.

    Fixes #​43056

    Eric O'Hanlon

  • Fix migration compatibility to create SQLite references/belongs_to column as integer when
    migration version is 6.0.

    reference/belongs_to in migrations with version 6.0 were creating columns as
    bigint instead of integer for the SQLite Adapter.

    Marcelo Lauxen

  • Fix dbconsole for 3-tier config.

    Eileen M. Uchitelle

  • Better handle SQL queries with invalid encoding.

    Post.create(name: "broken \xC8 UTF-8")

    Would cause all adapters to fail in a non controlled way in the code
    responsible to detect write queries.

    The query is now properly passed to the database connection, which might or might
    not be able to handle it, but will either succeed or fail in a more correct way.

    Jean Boussier

  • Ignore persisted in-memory records when merging target lists.

    Kevin Sjöberg

  • Fix regression bug that caused ignoring additional conditions for preloading
    has_many through relations.

    Fixes #​43132

    Alexander Pauly

  • Fix ActiveRecord::InternalMetadata to not be broken by
    config.active_record.record_timestamps = false

    Since the model always creates the timestamp columns, it has to set them, otherwise it breaks
    various DB management tasks.

    Fixes #​42983

    Jean Boussier

  • Fix duplicate active record objects on inverse_of.

    Justin Carvalho

  • Fix duplicate objects stored in has many association after save.

    Fixes #​42549.

    Alex Ghiculescu

  • Fix performance regression in CollectionAssocation#build.

    Alex Ghiculescu

  • Fix retrieving default value for text column for MariaDB.

    fatkodima

Action View

  • preload_link_tag properly inserts as attributes for files with image MIME
    types, such as JPG or SVG.

    Nate Berkopec

  • Add autocomplete="off" to all generated hidden fields.

    Fixes #​42610.

    Ryan Baumann

  • Fix current_page? when URL has trailing slash.

    This fixes the current_page? helper when the given URL has a trailing slash,
    and is an absolute URL or also has query params.

    Fixes #​33956.

    Jonathan Hefner

Action Pack

  • Fix content_security_policy returning invalid directives.

    Directives such as self, unsafe-eval and few others were not
    single quoted when the directive was the result of calling a lambda
    returning an array.

    content_security_policy do |policy|
      policy.frame_ancestors lambda { [:self, "https://example.com"] }
    end

    With this fix the policy generated from above will now be valid.

    Edouard Chin

  • Update HostAuthorization middleware to render debug info only
    when config.consider_all_requests_local is set to true.

    Also, blocked host info is always logged with level error.

    Fixes #​42813.

    Nikita Vyrko

  • Dup arrays that get "converted".

    Fixes #​43681.

    Aaron Patterson

  • Don't show deprecation warning for equal paths.

    Anton Rieder

  • Fix crash in ActionController::Instrumentation with invalid HTTP formats.

    Fixes #​43094.

    Alex Ghiculescu

  • Add fallback host for SystemTestCase driven by RackTest.

    Fixes #​42780.

    Petrik de Heus

  • Add more detail about what hosts are allowed.

    Alex Ghiculescu

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • The Action Cable client now ensures successful channel subscriptions:

    • The client maintains a set of pending subscriptions until either
      the server confirms the subscription or the channel is torn down.
    • Rectifies the race condition where an unsubscribe is rapidly followed
      by a subscribe (on the same channel identifier) and the requests are
      handled out of order by the ActionCable server, thereby ignoring the
      subscribe command.

    Daniel Spinosa

  • Truncate broadcast logging messages.

    J Smith

Active Storage

  • Attachments can be deleted after their association is no longer defined.

    Fixes #​42514

    Don Sisco

Action Mailbox

  • Add attachments to the list of permitted parameters for inbound emails conductor.

    When using the conductor to test inbound emails with attachments, this prevents an
    unpermitted parameter warning in default configurations, and prevents errors for
    applications that set:

    config.action_controller.action_on_unpermitted_parameters = :raise

    David Jones, Dana Henke

Action Text

  • Fix Action Text extra trix content wrapper.

    Alexandre Ruban

Railties

  • In zeitwerk mode, setup the once autoloader first, and the main autoloader after it.
    This order plays better with shared namespaces.

    Xavier Noria

  • Handle paths with spaces when editing credentials.

    Alex Ghiculescu

  • Support Psych 4 when loading secrets.

    Nat Morcos

v6.1.4.7: 6.1.4.7

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • Added image transformation validation via configurable allow-list.

    Variant now offers a configurable allow-list for
    transformation methods in addition to a configurable deny-list for arguments.

    [CVE-2022-21831]

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.4.6: 6.1.4.6

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Fix Reloader method signature to work with the new Executor signature

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.4.5: 6.1.4.5

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Under certain circumstances, the middleware isn't informed that the
    response body has been fully closed which results in request state not
    being fully reset before the next request

    [CVE-2022-23633]

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.4.4: 6.1.4.4

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Fix issue with host protection not allowing host with port in development.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.4.3: 6.1.4.3

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • Allow localhost with a port by default in development

    [Fixes: #​43864]

v6.1.4.2: 6.1.4.2

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.4.1

Compare Source

v6.1.4: 6.1.4

Compare Source

Active Support

  • MemCacheStore: convert any underlying value (including false) to an Entry.

    See #​42559.

    Alex Ghiculescu

  • Fix bug in number_with_precision when using large BigDecimal values.

    Fixes #​42302.

    Federico Aldunate, Zachary Scott

  • Check byte size instead of length on secure_compare.

    Tietew

  • Fix Time.at to not lose :in option.

    Ryuta Kamizono

  • Require a path for config.cache_store = :file_store.

    Alex Ghiculescu

  • Avoid having to store complex object in the default translation file.

    Rafael Mendonça França

Active Model

  • Fix to_json for ActiveModel::Dirty object.

    Exclude +mutations_from_database+ attribute from json as it leads to recursion.

    Anil Maurya

Active Record

  • Do not try to rollback transactions that failed due to an ActiveRecord::TransactionRollbackError.

    Jamie McCarthy

  • Raise an error if pool_config is nil in set_pool_config.

    Eileen M. Uchitelle

  • Fix compatibility with psych >= 4.

    Starting in Psych 4.0.0 YAML.load behaves like YAML.safe_load. To preserve compatibility
    Active Record's schema cache loader and YAMLColumn now uses YAML.unsafe_load if available.

    Jean Boussier

  • Support using replicas when using rails dbconsole.

    Christopher Thornton

  • Restore connection pools after transactional tests.

    Eugene Kenny

  • Change upsert_all to fail cleanly for MySQL when :unique_by is used.

    Bastian Bartmann

  • Fix user-defined self.default_scope to respect table alias.

    Ryuta Kamizono

  • Clear @cache_keys cache after update_all, delete_all, destroy_all.

    Ryuta Kamizono

  • Changed Arel predications contains and overlaps to use
    quoted_node so that PostgreSQL arrays are quoted properly.

    Bradley Priest

  • Fix merge when the where clauses have string contents.

    Ryuta Kamizono

  • Fix rollback of parent destruction with nested dependent: :destroy.

    Jacopo Beschi

  • Fix binds logging for "WHERE ... IN ..." statements.

    Ricardo Díaz

  • Handle false in relation strict loading checks.

    Previously when a model had strict loading set to true and then had a
    relation set strict_loading to false the false wasn't considered when
    deciding whether to raise/warn about strict loading.

    class Dog < ActiveRecord::Base
      self.strict_loading_by_default = true
    
      has_many :treats, strict_loading: false
    end
    

    In the example, dog.treats would still raise even though
    strict_loading was set to false. This is a bug affecting more than
    Active Storage which is why I made this PR superseding #41461. We need
    to fix this for all applications since the behavior is a little
    surprising. I took the test from #41461 and the code suggestion from #41453
    with some additions.

    Eileen M. Uchitelle, Radamés Roriz

  • Fix numericality validator without precision.

    Ryuta Kamizono

  • Fix aggregate attribute on Enum types.

    Ryuta Kamizono

  • Fix CREATE INDEX statement generation for PostgreSQL.

    eltongo

  • Fix where clause on enum attribute when providing array of strings.

    Ryuta Kamizono

  • Fix unprepared_statement to work when nesting.

    Ryuta Kamizono

Action View

  • The translate helper now passes default values that aren't
    translation keys through I18n.translate for interpolation.

    Jonathan Hefner

  • Don't attach UJS form submission handlers to Turbo forms.

    David Heinemeier Hansson

  • Allow both current_page?(url_hash) and current_page?(**url_hash) on Ruby 2.7.

    Ryuta Kamizono

Action Pack

  • Ignore file fixtures on db:fixtures:load

    Kevin Sjöberg

  • Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.

    Dylan Thacker-Smith

  • Correctly place optional path parameter booleans.

    Previously, if you specify a url parameter that is part of the path as false it would include that part
    of the path as parameter for example:

    get "(/optional/:optional_id)/things" => "foo#foo", as: :things
    things_path(optional_id: false) # => /things?optional_id=false
    

    After this change, true and false will be treated the same when used as optional path parameters. Meaning now:

    get '(this/:my_bool)/that' as: :that
    
    that_path(my_bool: true) # => `/this/true/that`
    that_path(my_bool: false) # => `/this/false/that`
    

    Adam Hess

  • Add support for 'private, no-store' Cache-Control headers.

    Previously, 'no-store' was exclusive; no other directives could be specified.

    Alex Smith

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • Fix ArgumentError with ruby 3.0 on RemoteConnection#disconnect.

    Vladislav

Active Storage

  • The parameters sent to ffmpeg for generating a video preview image are now
    configurable under config.active_storage.video_preview_arguments.

    Brendon Muir

  • Fix Active Storage update task when running in an engine.

    Justin Malčić

  • Don't raise an error if the mime type is not recognized.

    Fixes #​41777.

    Alex Ghiculescu

  • ActiveStorage::PreviewError is raised when a previewer is unable to generate a preview image.

    Alex Robbin

  • respond with 404 given invalid variation key when asking for representations.

    George Claghorn

  • Blob creation shouldn't crash if no service selected.

    Alex Ghiculescu

Action Mailbox

  • No changes.

Action Text

  • Always render attachment partials as HTML with :html format inside trix editor.

    James Brooks

Railties

  • Fix compatibility with psych >= 4.

    Starting in Psych 4.0.0 YAML.load behaves like YAML.safe_load. To preserve compatibility
    Rails.application.config_for now uses YAML.unsafe_load if available.

    Jean Boussier

  • Ensure Rails.application.config_for always cast hashes to ActiveSupport::OrderedOptions.

    Jean Boussier

  • Fix create migration generator with --pretend option.

    euxx

v6.1.3.2: 6.1.3.2

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Prevent open redirects by correctly escaping the host allow list
    CVE-2021-22903

  • Prevent catastrophic backtracking during mime parsing
    CVE-2021-22902

  • Prevent regex DoS in HTTP token authentication
    CVE-2021-22904

  • Prevent string polymorphic route arguments.

    url_for supports building polymorphic URLs via an array
    of arguments (usually symbols and records). If a developer passes a
    user input array, strings can result in unwanted route helper calls.

    CVE-2021-22885

    Gannon McGibbon

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.3.1: 6.1.3.1

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed mime types data.

    George Claghorn

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.3: 6.1.3

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Fix the MySQL adapter to always set the right collation and charset
    to the connection session.

    Rafael Mendonça França

  • Fix MySQL adapter handling of time objects when prepared statements
    are enabled.

    Rafael Mendonça França

  • Fix scoping in enum fields using conditions that would generate
    an IN clause.

    Ryuta Kamizono

  • Skip optimised #exist? query when #include? is called on a relation
    with a having clause

    Relations that have aliased select values AND a having clause that
    references an aliased select value would generate an error when
    #include? was called, due to an optimisation that would generate
    call #exists? on the relation instead, which effectively alters
    the select values of the query (and thus removes the aliased select
    values), but leaves the having clause intact. Because the having
    clause is then referencing an aliased column that is no longer
    present in the simplified query, an ActiveRecord::InvalidStatement
    error was raised.

    A sample query affected by this problem:

    Author.select('COUNT(*) as total_posts', 'authors.*')
          .joins(:posts)
          .group(:id)
          .having('total_posts > 2')
          .include?(Author.first)

    This change adds an additional check to the condition that skips the
    simplified #exists? query, which simply checks for the presence of
    a having clause.

    Fixes #​41417

    Michael Smart

  • Increment postgres prepared statement counter before making a prepared statement, so if the statement is aborted
    without Rails knowledge (e.g., if app gets kill -9d during long-running query or due to Rack::Timeout), app won't end
    up in perpetual crash state for being inconsistent with Postgres.

    wbharding, Martin Tepper

Action View

  • No changes.

Action Pack

  • Re-define routes when not set correctly via inheritance.

    John Hawthorn

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.2.1: 6.1.2.1

Compare Source

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Fix possible DoS vector in PostgreSQL money type

    Carefully crafted input can cause a DoS via the regular expressions used
    for validating the money format in the PostgreSQL adapter. This patch
    fixes the regexp.

    Thanks to @​dee-see from Hackerone for this patch!

    [CVE-2021-22880]

    Aaron Patterson

Action View

  • No changes.

Action Pack

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.2: 6.1.2

Compare Source

Active Support

  • ActiveSupport::Cache::MemCacheStore now accepts an explicit nil for its addresses argument.

    config.cache_store = :mem_cache_store, nil

    is now equivalent to

    config.cache_store = :mem_cache_store

    and is also equivalent to

    config.cache_store = :mem_cache_store, ENV["MEMCACHE_SERVERS"] || "localhost:11211"

    which is the fallback behavior of Dalli.

    This helps those migrating from :dalli_store, where an explicit nil was permitted.

    Michael Overmeyer

Active Model

  • No changes.

Active Record

  • Fix timestamp type for sqlite3.

    Eileen M. Uchitelle

  • Make destroy async transactional.

    An active record rollback could occur while enqueuing a job. In this
    case the job would enqueue even though the database deletion
    rolled back putting things in a funky state.

    Now the jobs are only enqueued until after the db transaction has been committed.

    Cory Gwin

  • Fix malformed packet error in MySQL statement for connection configuration.

    robinroestenburg

  • Connection specification now passes the "url" key as a configuration for the
    adapter if the "url" protocol is "jdbc", "http", or "https". Previously only
    urls with the "jdbc" prefix were passed to the Active Record Adapter, others
    are assumed to be adapter specification urls.

    Fixes #​41137.

    Jonathan Bracy

  • Fix granular connection swapping when there are multiple abstract classes.

    Eileen M. Uchitelle

  • Fix find_by with custom primary key for belongs_to association.

    Ryuta Kamizono

  • Add support for rails console --sandbox for multiple database applications.

    alpaca-tc

  • Fix where on polymorphic association with empty array.

    Ryuta Kamizono

  • Fix preventing writes for ApplicationRecord.

    Eileen M. Uchitelle

Action View

  • No changes.

Action Pack

  • Fix error in ActionController::LogSubscriber that would happen when throwing inside a controller action.

    Janko Marohnić

  • Fix fixture_file_upload deprecation when file_fixture_path is a relative path.

    Eugene Kenny

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • No changes.

v6.1.1: 6.1.1

Compare Source

Active Support

  • Change IPAddr#to_json to match the behavior of the json gem returning the string representation
    instead of the instance variables of the object.

    Before:

    ```ruby
    IPAddr.new("127.0.0.1").to_json
    # => "{\"addr\":2130706433,\"family\":2,\"mask_addr\":4294967295}"
    ```

    After:

    ```ruby
    IPAddr.new("127.0.0.1").to_json
    # => "\"127.0.0.1\""
    ```

Active Model

  • No changes.

Active Record

  • Fix fixtures loading when strict loading is enabled for the association.

    Alex Ghiculescu

  • Fix where with custom primary key for belongs_to association.

    Ryuta Kamizono

  • Fix where with aliased associations.

    Ryuta Kamizono

  • Fix composed_of with symbol mapping.

    Ryuta Kamizono

  • Don't skip money's type cast for pluck and calculations.

    Ryuta Kamizono

  • Fix where on polymorphic association with non Active Record object.

    Ryuta Kamizono

  • Make sure db:prepare works even if the schema file doesn't exist.

    Rafael Mendonça França

  • Fix complicated has_many :through with nested where condition.

    Ryuta Kamizono

  • Handle STI models for has_many dependent: :destroy_async.

    Muhammad Usman

  • Restore possibility of passing false to :polymorphic option of belongs_to.

    Previously, passing false would trigger the option validation logic
    to throw an error saying :polymorphic would not be a valid option.

    glaszig

  • Allow adding nonnamed expression indexes to be revertible.

    Fixes #​40732.

    Previously, the following code would raise an error, when executed while rolling back,
    and the index name should be specified explicitly. Now, the index name is inferred
    automatically.

    add_index(:items, "to_tsvector('english', description)")

    fatkodima

Action View

  • Fix lazy translation in partial with block.

    Marek Kasztelnik

  • Avoid extra SELECT COUNT queries when rendering Active Record collections.

    aar0nr

  • Link preloading keeps integrity hashes in the header.

    Étienne Barrié

  • Add config.action_view.preload_links_header to allow disabling of
    the Link header being added by default when using stylesheet_link_tag
    and javascript_include_tag.

    Andrew White

  • The translate helper now resolves default values when a nil key is
    specified, instead of always returning nil.

    Jonathan Hefner

Action Pack

  • Fix nil translation key lookup in controllers/

    Jan Klimo

  • Quietly handle unknown HTTP methods in Action Dispatch SSL middleware.

    Alex Robbin

  • Change the request method to a GET when passing failed requests down to config.exceptions_app.

    Alex Robbin

Active Job

  • Make retry_job return the job that was created.

    Rafael Mendonça França

  • Include ActiveSupport::Testing::Assertions in ActiveJob::TestHelpers.

    Mikkel Malmberg

Action Mailer

  • Sets default mailer queue to "default" in the mail assertions.

    Paul Keen

Action Cable

  • No changes.

Active Storage

  • Fix S3 multipart uploads when threshold is larger than file.

    Matt Muller

Action Mailbox

  • No changes.

Action Text

  • No changes.

Railties

  • Allow spaces in path to Yarn binstub and only run on precompile if needed.

    Markus Doits

  • Populate ARGV for app template.

    Fixes #​40945.

    Jonathan Hefner

v6.1.0: 6.1.0

Compare Source

Active Support

  • Ensure MemoryStore disables compression by default. Reverts behavior of
    MemoryStore to its prior rails 5.1 behavior.

    Max Gurewitz

  • Calling iso8601 on negative durations retains the negative sign on individual
    digits instead of prepending it.

    This change is required so we can interoperate with PostgreSQL, which prefers
    negative signs for each component.

    Compatibility with other iso8601 parsers which support leading negatives as well
    as negatives per component is still retained.

    Before:

    ```ruby
    (-1.year - 1.day).iso8601
    # => "-P1Y1D"
    ```

    After:

    ```ruby
    (-1.year - 1.day).iso8601
    # => "P-1Y-1D"
    ```

    Vipul A M

  • Remove deprecated ActiveSupport::Notifications::Instrumenter#end=.

    Rafael Mendonça França

  • Deprecate ActiveSupport::Multibyte::Unicode.default_normalization_form.

    Rafael Mendonça França

  • Remove deprecated ActiveSupport::Multibyte::Unicode.pack_graphemes,
    ActiveSupport::Multibyte::Unicode.unpack_graphemes,
    ActiveSupport::Multibyte::Unicode.normalize,
    ActiveSupport::Multibyte::Unicode.downcase,
    ActiveSupport::Multibyte::Unicode.upcase and ActiveSupport::Multibyte::Unicode.swapcase.

    Rafael Mendonça França

  • Remove deprecated ActiveSupport::Multibyte::Chars#consumes? and ActiveSupport::Multibyte::Chars#normalize.

    Rafael Mendonça França

  • Remove deprecated file active_support/core_ext/range/include_range.

    Rafael Mendonça França

  • Remove deprecated file active_support/core_ext/hash/transform_values.

    Rafael Mendonça França

  • Remove deprecated file active_support/core_ext/hash/compact.

    Rafael Mendonça França

  • Remove deprecated file active_support/core_ext/array/prepend_and_append.

    Rafael Mendonça França

  • Remove deprecated file active_support/core_ext/numeric/inquiry.

    Rafael Mendonça França

  • Remove deprecated file active_support/core_ext/module/reachable.

    Rafael Mendonça França

  • Remove deprecated Module#parent_name, Module#parent and Module#parents.

    Rafael Mendonça França

  • Remove deprecated ActiveSupport::LoggerThreadSafeLevel#after_initialize.

    Rafael Mendonça França

  • Remove deprecated LoggerSilence constant.

    Rafael Mendonça França

  • Remove deprecated fallback to I18n.default_local when config.i18n.fallbacks is empty.

    Rafael Mendonça França

  • Remove entries from local cache on RedisCacheStore#delete_matched

    Fixes #​38627

    ojab

  • Speed up ActiveSupport::SecurityUtils.fixed_length_secure_compare by using
    OpenSSL.fixed_length_secure_compare, if available.

    Nate Matykiewicz

  • ActiveSupport::Cache::MemCacheStore now checks ENV["MEMCACHE_SERVERS"] before falling back to "localhost:11211" if configured without any addresses.

    ```ruby
    config.cache_store = :mem_cache_store
    # is now equivalent to
    config.cache_store = :mem_cache_store, ENV["MEMCACHE_SERVERS"] || "localhost:11211"
    # instead of
    config.cache_store = :mem_cache_store, "localhost:11211" # ignores ENV["MEMCACHE_SERVERS"]
    ```

    Sam Bostock

  • ActiveSupport::Subscriber#attach_to now accepts an inherit_all: argument. When set to true,
    it allows a subscriber to receive events for methods defined in the subscriber's ancestor class(es).

    ```ruby
    class ActionControllerSubscriber < ActiveSupport::Subscriber
      attach_to :action_controller

      def start_processing(event)
        info "Processing by #{event.payload[:controller]}##{event.payload[:action]} as #{format}"
      end

      def redirect_to(event)
        info { "Redirected to #{event.payload[:location]}" }
      end
    end

    # We detach ActionControllerSubscriber from the :action_controller namespace so that our CustomActionControllerSubscriber
    # can provide its own instrumentation for certain events in the namespace
    ActionControllerSubscriber.detach_from(:action_controller)

    class CustomActionControllerSubscriber < ActionControllerSubscriber
      attach_to :action_controller, inherit_all: true

      def start_processing(event)
        info "A custom response to start_processing events"
      end

      # => CustomActionControllerSubscriber will process events for "start_processing.action_controller" notifications
      # using its own #start_processing implementation, while retaining ActionControllerSubscriber's instrumentation
      # for "redirect_to.action_controller" notifications
    end
    ```

    Adrianna Chang

  • Allow the digest class used to generate non-sensitive digests to be configured with config.active_support.hash_digest_class.

    config.active_support.use_sha1_digests is deprecated in favour of config.active_support.hash_digest_class = ::Digest::SHA1.

    Dirkjan Bussink

  • Fix bug to make memcached write_entry expire correctly with unless_exist

    Jye Lee

  • Add ActiveSupport::Duration conversion methods

    in_seconds, in_minutes, in_hours, in_days, in_weeks, in_months, and in_years return the respective duration covered.

    Jason York

  • Fixed issue in ActiveSupport::Cache::RedisCacheStore not passing options
    to read_multi causing fetch_multi to not work properly

    Rajesh Sharma

  • Fixed issue in ActiveSupport::Cache::MemCacheStore which caused duplicate compression,
    and caused the provided compression_threshold to not be respected.

    Max Gurewitz

  • Prevent RedisCacheStore and MemCacheStore from performing compression
    when reading entries written with raw: true.

    Max Gurewitz

  • URI.parser is deprecated and will be removed in Rails 6.2. Use
    URI::DEFAULT_PARSER instead.

    Jean Boussier

  • require_dependency has been documented to be obsolete in :zeitwerk
    mode. The method is not deprecated as such (yet), but applications are
    encouraged to not use it.

    In :zeitwerk mode, semantics match Ruby's and you do not need to be
    defensive with load order. Just refer to classes and modules normally. If
    the constant name is dynamic, camelize if needed, and constantize.

    Xavier Noria

  • Add 3rd person aliases of Symbol#start_with? and Symbol#end_with?.

    :foo.starts_with?("f") # => true
    :foo.ends_with?("o")   # => true

    Ryuta Kamizono

  • Add override of unary plus for ActiveSupport::Duration.

    + 1.second is now identical to +1.second to prevent errors
    where a seemingly innocent change of formatting leads to a change in the code behavior.

    Before:

    ```ruby
    +1.second.class
    # => ActiveSupport::Duration
    (+ 1.second).class
    # => Integer
    ```

    After:

    ```ruby
    +1.second.class
    # => ActiveSupport::Duration
    (+ 1.second).class
    # => ActiveSupport::Duration
    ```

    Fixes #39079.

    Roman Kushnir

  • Add subsec to ActiveSupport::TimeWithZone#inspect.

    Before:

    ```ruby
    Time.at(1498099140).in_time_zone.inspect
    # => "Thu, 22 Jun 2017 02:39:00 UTC +00:00"
    Time.at(1498099140, 123456780, :nsec).in_time_zone.inspect
    # => "Thu, 22 Jun 2017 02:39:00 UTC +00:00"
    Time.at(1498099140 + Rational("1/3")).in_time_zone.inspect
    # => "Thu, 22 Jun 2017 02:39:00 UTC +00:00"
    ```

    After:

    ```ruby
    Time.at(1498099140).in_time_zone.inspect
    # => "Thu, 22 Jun 2017 02:39:00.000000000 UTC +00:00"
    Time.at(1498099140, 123456780, :nsec).in_time_zone.inspect
    # => "Thu, 22 Jun 2017 02:39:00.123456780 UTC +00:00"
    Time.at(1498099140 + Rational("1/3")).in_time_zone.inspect
    # => "Thu, 22 Jun 2017 02:39:00.333333333 UTC +00:00"
    ```

    akinomaeni

  • Calling ActiveSupport::TaggedLogging#tagged without a block now returns a tagged logger.

    logger.tagged("BCX").info("Funky time!") # => [BCX] Funky time!

    Eugene Kenny

  • Align Range#cover? extension behavior with Ruby behavior for backwards ranges.

    (1..10).cover?(5..3) now returns false, as it does in plain Ruby.

    Also update #include? and #=== behavior to match.

    Michael Groeneman

  • Update to TZInfo v2.0.0.

    This changes the output of ActiveSupport::TimeZone.utc_to_local, but
    can be controlled with the
    ActiveSupport.utc_to_local_returns_utc_offset_times config.

    New Rails 6.1 apps have it enabled by default, existing apps can upgrade
    via the config in config/initializers/new_framework_defaults_6_1.rb

    See the utc_to_local_returns_utc_offset_times documentation for details.

    Phil Ross, Jared Beck

  • Add Date and Time #yesterday? and #tomorrow? alongside #today?.

    Aliased to #prev_day? and #next_day? to match the existing #prev/next_day methods.

    Jatin Dhankhar

  • Add Enumerable#pick to complement ActiveRecord::Relation#pick.

    Eugene Kenny

  • [Breaking change] ActiveSupport::Callbacks#halted_callback_hook now receives a 2nd argument:

    ActiveSupport::Callbacks#halted_callback_hook now receives the name of the callback
    being halted as second argument.
    This change will allow you to differentiate which callbacks halted the chain
    and act accordingly.

      class Book < ApplicationRecord
        before_save { throw(:abort) }
        before_create { throw(:abort) }
    
        def halted_callback_hook(filter, callback_name)
          Rails.logger.info("Book couldn't be #{callback_name}d")
        end
    
        Book.create # => "Book couldn't be created"
        book.save # => "Book couldn't be saved"
      end

    Edouard Chin

  • Support prepend with ActiveSupport::Concern.

    Allows a module with extend ActiveSupport::Concern to be prepended.

    ```ruby
    module Imposter
      extend ActiveSupport::Concern

      # Same as `included`, except only run when prepended.
      prepended do
      end
    end

    class Person
      prepend Imposter
    end
    ```

    Class methods are prepended to the base class, concerning is also
    updated: `concerning :Imposter, prepend: true do`.

    Jason Karns, Elia Schito

  • Deprecate using Range#include? method to check the inclusion of a value
    in a date time range. It is recommended to use Range#cover? method
    instead of Range#include? to check the inclusion of a value
    in a date time range.

    Vishal Telangre

  • Support added for a round_mode parameter, in all number helpers. (See: BigDecimal::mode.)

    number_to_currency(1234567890.50, precision: 0, round_mode: :half_down) # => "$1,234,567,890"
    number_to_percentage(302.24398923423, precision: 5, round_mode: :down) # => "302.24398%"
    number_to_rounded(389.32314, precision: 0, round_mode: :ceil) # => "390"
    number_to_human_size(483989, precision: 2, round_mode: :up) # => "480 KB"
    number_to_human(489939, precision: 2, round_mode: :floor) # => "480 Thousand"
    
    485000.to_s(:human, precision: 2, round_mode: :half_even) # => "480 Thousand"

    Tom Lord

  • Array#to_sentence no longer returns a frozen string.

    Before:

    ```ruby
    ['one', 'two'].to_sentence.frozen?
    # => true
    ```

    After:

    ```ruby
    ['one', 'two'].to_sentence.frozen?
    # => false
    ```

    Nicolas Dular

  • When an instance of ActiveSupport::Duration is converted to an iso8601 duration string, if weeks are mixed with date parts, the week part will be converted to days.
    This keeps the parser and serializer on the same page.

    ```ruby
    duration = ActiveSupport::Duration.build(1000000)
    # 1 week, 4 days, 13 hours, 46 minutes, and 40.0 seconds

    duration_iso = duration.iso8601
    # P11DT13H46M40S

    ActiveSupport::Duration.parse(duration_iso)
    # 11 days, 13 hours, 46 minutes, and 40 seconds

    duration = ActiveSupport::Duration.build(604800)
    # 1 week

    duration_iso = duration.iso8601
    # P1W

    ActiveSupport::Duration.parse(duration_iso)
    # 1 week
    ```

    Abhishek Sarkar

  • Add block support to ActiveSupport::Testing::TimeHelpers#travel_back.

    Tim Masliuchenko

  • Update ActiveSupport::Messages::Metadata#fresh? to work for cookies with expiry set when
    ActiveSupport.parse_json_times = true.

    Christian Gregg

  • Support symbolic links for content_path in ActiveSupport::EncryptedFile.

    Takumi Shotoku

  • Improve Range#===, Range#include?, and Range#cover? to work with beginless (startless)
    and endless range targets.

    Allen Hsu, Andrew Hodgkinson

  • Don't use Process#clock_gettime(CLOCK_THREAD_CPUTIME_ID) on Solaris.

    Iain Beeston

  • Prevent ActiveSupport::Duration.build(value) from creating instances of
    ActiveSupport::Duration unless value is of type Numeric.

    Addresses the errant set of behaviours described in #​37012 where
    ActiveSupport::Duration comparisons would fail confusingly
    or return unexpected results when comparing durations built from instances of String.

    Before:

    ```ruby
    small_duration_from_string = ActiveSupport::Duration.build('9')
    large_duration_from_string = ActiveSupport::Duration.build('100000000000000')
    small_duration_from_int = ActiveSupport::Duration.build(9)

    large_duration_from_string > small_duration_from_string
    # => false

    small_duration_from_string == small_duration_from_int
    # => false

    small_duration_from_int < large_duration_from_string
    # => ArgumentError (comparison of ActiveSupport::Duration::Scalar with ActiveSupport::Duration failed)

    large_duration_from_string > small_duration_from_int
    # => ArgumentError (comparison of String with ActiveSupport::Duration failed)
    ```

    After:

    ```ruby
    small_duration_from_string = ActiveSupport::Duration.build('9')
    # => TypeError (can't build an ActiveSupport::Duration from a String)
    ```

    Alexei Emam

  • Add ActiveSupport::Cache::Store#delete_multi method to delete multiple keys from the cache store.

    Peter Zhu

  • Support multiple arguments in HashWithIndifferentAccess for merge and update methods, to
    follow Ruby 2.6 addition.

    Wojciech Wnętrzak

  • Allow initializing thread_mattr_* attributes via :default option.

    class Scraper
      thread_mattr_reader :client, default: Api::Client.new
    end
    

    Guilherme Mansur

  • Add compact_blank for those times when you want to remove #blank? values from
    an Enumerable (also compact_blank! on Hash, Array, ActionController::Parameters).

    Dana Sherson

  • Make ActiveSupport::Logger Fiber-safe.

    Use Fiber.current.__id__ in ActiveSupport::Logger#local_level= in order
    to make log level local to Ruby Fibers in addition to Threads.

    Example:

    logger = ActiveSupport::Logger.new(STDOUT)
    logger.level = 1
    puts "Main is debug? #{logger.debug?}"
    
    Fiber.new {
      logger.local_level = 0
      puts "Thread is debug? #{logger.debug?}"
    }.resume
    
    puts "Main is debug? #{logger.debug?}"
    

    Before:

    Main is debug? false
    Thread is debug? true
    Main is debug? true
    

    After:

    Main is debug? false
    Thread is debug? true
    

@mend-for-github-com mend-for-github-com bot added the security fix Security fix generated by WhiteSource label Mar 16, 2023

mend-for-github-com bot commented Mar 16, 2023

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock
Fetching https://github.com/senny/pdfjs_viewer-rails.git
Fetching https://github.com/department-of-veterans-affairs/connect_vbms.git
Fetching https://github.com/department-of-veterans-affairs/caseflow-commons
Fetching https://github.com/department-of-veterans-affairs/ruby-bgs.git
Fetching gem metadata from https://rubygems.org/........
Fetching gem metadata from https://rubygems.org/.
Resolving dependencies......
Bundler could not find compatible versions for gem "actionpack":
  In Gemfile:
    rails (= 6.1.7.7) was resolved to 6.1.7.7, which depends on
      actionpack (= 6.1.7.7)

    rspec-rails was resolved to 6.1.1, which depends on
      actionpack (>= 6.1)

Bundler could not find compatible versions for gem "activerecord":
  In Gemfile:
activerecord-oracle_enhanced-adapter (~> 5.2.0) was resolved to 5.2.8, which
depends on
      activerecord (~> 5.2.0)

    rails (= 6.1.7.7) was resolved to 6.1.7.7, which depends on
      activerecord (= 6.1.7.7)

Bundler could not find compatible versions for gem "capybara":
  In Gemfile:
    capybara

    capybara-screenshot was resolved to 1.0.26, which depends on
      capybara (< 4, >= 1.0)

Bundler could not find compatible versions for gem "nokogiri":
  In Gemfile:
    bgs was resolved to 0.2, which depends on
      nokogiri (>= 1.11.0.rc4)

    capybara was resolved to 3.35.3, which depends on
      nokogiri (~> 1.8)

    connect_vbms was resolved to 1.2.0, which depends on
      nokogiri (>= 1.8.4)

    roo (~> 2.7) was resolved to 2.8.3, which depends on
      nokogiri (~> 1)

    webdrivers was resolved to 4.6.1, which depends on
      nokogiri (~> 1.6)

Bundler could not find compatible versions for gem "rack":
  In Gemfile:
    rack (~> 2.2.3)

    capybara was resolved to 3.35.3, which depends on
      rack (>= 1.6.0)

    derailed_benchmarks was resolved to 2.1.2, which depends on
      rack (>= 1)

    paper_trail (~> 10) was resolved to 10.3.1, which depends on
      request_store (~> 1.1) was resolved to 1.6.0, which depends on
        rack (>= 1.4)

    rubocop-rails was resolved to 2.5.2, which depends on
      rack (>= 1.1)

Bundler could not find compatible versions for gem "rails":
  In Gemfile:
    rails (= 6.1.7.7)

    caseflow was resolved to 0.4.6, which depends on
      rails (>= 4.2.7.1)

    pdfjs_viewer-rails was resolved to 0.0.9, which depends on
      rails (> 4.2.0)

    react_on_rails (= 11.3.0) was resolved to 11.3.0, which depends on
      rails (>= 3.2)

Bundler could not find compatible versions for gem "railties":
  In Gemfile:
    factory_bot_rails (~> 5.2) was resolved to 5.2.0, which depends on
      railties (>= 4.2.0)

    meta_request was resolved to 0.7.4, which depends on
      railties (< 7.1, >= 3.0.0)

    multiverse was resolved to 0.2.2, which depends on
      railties (>= 4.2)

    rails (= 6.1.7.7) was resolved to 6.1.7.7, which depends on
      railties (= 6.1.7.7)

    rspec-rails was resolved to 6.1.1, which depends on
      railties (>= 6.1)

    pdfjs_viewer-rails was resolved to 0.0.9, which depends on
      sass-rails (~> 5.0) was resolved to 5.1.0, which depends on
        railties (>= 5.2.0)

Bundler could not find compatible versions for gem "rubocop":
  In Gemfile:
    rubocop (= 0.79)

    rubocop-performance was resolved to 1.6.1, which depends on
      rubocop (>= 0.71.0)

    rubocop-rails was resolved to 2.5.2, which depends on
      rubocop (>= 0.72.0)

Bundler could not find compatible versions for gem "ruby�":
  In Gemfile:
    ruby�

activerecord-oracle_enhanced-adapter (~> 5.2.0) was resolved to 5.2.8, which
depends on
      ruby� (>= 2.2.2)

    multiverse was resolved to 0.2.2, which depends on
      ruby� (>= 2.2)

    bgs was resolved to 0.2, which depends on
      nokogiri (>= 1.11.0.rc4) was resolved to 1.12.5, which depends on
        ruby� (>= 2.5.0)

    rubocop (= 0.79) was resolved to 0.79.0, which depends on
      parallel (~> 1.10) was resolved to 1.24.0, which depends on
        ruby� (>= 2.5)

    react_on_rails (= 11.3.0) was resolved to 11.3.0, which depends on
      ruby� (>= 2.1.0)

    caseflow was resolved to 0.4.6, which depends on
      redis-namespace was resolved to 1.11.0, which depends on
        ruby� (>= 2.4)

    rubocop (= 0.79) was resolved to 0.79.0, which depends on
      ruby� (>= 2.3.0)

    rubocop-rails was resolved to 2.19.1, which depends on
      ruby� (>= 2.6.0)

    pdfjs_viewer-rails was resolved to 0.0.9, which depends on
      sass-rails (~> 5.0) was resolved to 5.1.0, which depends on
        ruby� (>= 2.4.0)


@mend-for-github-com mend-for-github-com bot force-pushed the whitesource-remediate/rails-6.x branch from 91aee6d to b1cd476 Compare March 3, 2024 12:31
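
The resolver output in the comment above lists many gems, but a section only names a real blocker when one of its chains rejects the version that the section pins exactly. The following Ruby script is an added example (not part of this PR, Bundler or Renovate) that performs that triage; `SAMPLE_LOG` is an excerpt of three sections from that log, and the helper names `parse_conflicts` and `blockers` are hypothetical.

```ruby
require "rubygems"

# Excerpt of the Bundler output from the comment above (three of its sections),
# including the line that the log wraps after "which".
SAMPLE_LOG = <<~LOG
  Bundler could not find compatible versions for gem "actionpack":
    In Gemfile:
      rails (= 6.1.7.7) was resolved to 6.1.7.7, which depends on
        actionpack (= 6.1.7.7)

      rspec-rails was resolved to 6.1.1, which depends on
        actionpack (>= 6.1)

  Bundler could not find compatible versions for gem "activerecord":
    In Gemfile:
  activerecord-oracle_enhanced-adapter (~> 5.2.0) was resolved to 5.2.8, which
  depends on
        activerecord (~> 5.2.0)

      rails (= 6.1.7.7) was resolved to 6.1.7.7, which depends on
        activerecord (= 6.1.7.7)

  Bundler could not find compatible versions for gem "capybara":
    In Gemfile:
      capybara

      capybara-screenshot was resolved to 1.0.26, which depends on
        capybara (< 4, >= 1.0)
LOG

# One dependency chain: the Gemfile entry it starts from and the requirement
# it ends up placing on the conflicted gem.
Chain = Struct.new(:root, :requirement)
ENTRY = /\A\s*([\w.-]+)(?:\s+\(([^)]*)\))?/

# "name (req, req) was resolved to ..." -> [name, Gem::Requirement]
def parse_entry(line)
  name, reqs = line.match(ENTRY)&.captures
  [name, Gem::Requirement.new(*(reqs ? reqs.split(/,\s*/) : [">= 0"]))]
end

# Returns { conflicted gem name => [Chain, ...] }.
def parse_conflicts(log)
  text = log.gsub(/which\s*\n\s*depends on/, "which depends on") # undo wrapping
  conflicts = Hash.new { |h, k| h[k] = [] }
  gem_name = nil
  chain = []
  flush = lambda do
    unless chain.empty?
      root, = parse_entry(chain.first)
      leaf, requirement = parse_entry(chain.last)
      conflicts[gem_name] << Chain.new(root, requirement) if leaf == gem_name
      chain = []
    end
  end
  (text.lines.map(&:chomp) + [""]).each do |line|
    if (m = line.match(/could not find compatible versions for gem "([^"]+)"/))
      flush.call
      gem_name = m[1]
    elsif line.strip.empty?
      flush.call
    elsif line.strip != "In Gemfile:"
      chain << line
    end
  end
  conflicts
end

# For every section that contains an exact pin, list the chains rejecting it.
def blockers(conflicts)
  conflicts.each_with_object({}) do |(gem_name, chains), out|
    pin = chains.map(&:requirement).find(&:exact?)
    next unless pin # no exact pin in this section, nothing to compare against
    target = pin.requirements.first.last # Gem::Version of the pinned release
    out[gem_name] = chains.reject { |c| c.requirement.satisfied_by?(target) }
                          .map { |c| "#{c.root} needs #{gem_name} #{c.requirement}" }
  end
end

blockers(parse_conflicts(SAMPLE_LOG)).each do |gem_name, list|
  puts "#{gem_name}: #{list.empty? ? 'no blocker' : list.join('; ')}"
end
```

On this excerpt the only chain reported is the Oracle adapter's `~> 5.2.0` constraint on activerecord, which is the dependency that has to move before the security update can resolve.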