Bump the bundler group across 1 directory with 8 updates

[dependabot]

Bumps the bundler group with 5 updates in the / directory:

Package	From	To
activesupport	7.0.3.1	7.0.7.1
loofah	2.18.0	2.19.1
rack	2.2.4	2.2.8.1
rails-html-sanitizer	1.4.3	1.4.4
rexml	3.3.1	3.3.3

Updates activesupport from 7.0.3.1 to 7.0.7.1

Release notes

Sourced from activesupport's releases.

7.0.7.1

Active Support

• Use a temporary file for storing unencrypted files while editing

  [CVE-2023-38037]

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• c92caef Preparing for 7.0.7.1 release
• 936587d updating version / changelog
• a21d6ed Use a temporary file for storing unencrypted files while editing
• 522c86f Preparing for 7.0.7 release
• 5610cba Sync CHANGELOG with the changes in the repository
• 7e9ffc2 Fix to_s not using :default format with no args
• a8e88e2 Fix Cache::NullStore with local caching for repeated reads
• b18b9df Merge pull request #48800 from robinjam/fix-humanize-nil
• b12fe80 Fix Enumerable#sum for Enumerator#lazy
• e3f80f6 Add lower bound to Listen gem requirement
• Additional commits viewable in compare view

Updates actionpack from 7.0.3.1 to 7.0.7.1

Release notes

Sourced from actionpack's releases.

7.0.7.1

Active Support

• Use a temporary file for storing unencrypted files while editing

  [CVE-2023-38037]

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• c92caef Preparing for 7.0.7.1 release
• 936587d updating version / changelog
• 522c86f Preparing for 7.0.7 release
• c05a88d Merge pull request #45116 from ghiculescu/helper_method_backtrace
• 593893c Preparing for 7.0.6 release
• 0b89567 Avoid creating match object when checking for illegal header value
• 9ae3da1 Fix rubocop warning
• 8e37f2b Merge branch '7-0-sec' into 7-0-stable
• cdd14ce Preparing for 7.0.5.1 release
• 93b9c74 update changelog
• Additional commits viewable in compare view

Updates actionview from 7.0.3.1 to 7.0.7.1

Release notes

Sourced from actionview's releases.

7.0.7.1

Active Support

• Use a temporary file for storing unencrypted files while editing

  [CVE-2023-38037]

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• c92caef Preparing for 7.0.7.1 release
• 936587d updating version / changelog
• 522c86f Preparing for 7.0.7 release
• 64bd0ac Merge pull request #48645 from Shopify/action-view-bare-cache-fragments
• d76f2de Don't double-encode nested field_id and field_name index
• 593893c Preparing for 7.0.6 release
• 8e37f2b Merge branch '7-0-sec' into 7-0-stable
• cdd14ce Preparing for 7.0.5.1 release
• 25e94f4 Fix actionview test to work regardless of capitalization of missing translati...
• 17b3152 Merge pull request #48329 from zzak/unlink-rails-lib-readme
• Additional commits viewable in compare view

Updates loofah from 2.18.0 to 2.19.1

Release notes

Sourced from loofah's releases.

2.19.1 / 2022-12-13

Security

• Address CVE-2022-23514, inefficient regular expression complexity. See GHSA-486f-hjj9-9vhh for more information.
• Address CVE-2022-23515, improper neutralization of data URIs. See GHSA-228g-948r-83gx for more information.
• Address CVE-2022-23516, uncontrolled recursion. See GHSA-3x8r-x6xp-q4vm for more information.

2.19.0 / 2022-09-14

Features

• Allow SVG 1.0 color keyword names in CSS attributes. These colors are part of the CSS Color Module Level 3 recommendation released 2022-01-18. [#243]

Changelog

Sourced from loofah's changelog.

2.19.1 / 2022-12-13

Security

• Address CVE-2022-23514, inefficient regular expression complexity. See GHSA-486f-hjj9-9vhh for more information.
• Address CVE-2022-23515, improper neutralization of data URIs. See GHSA-228g-948r-83gx for more information.
• Address CVE-2022-23516, uncontrolled recursion. See GHSA-3x8r-x6xp-q4vm for more information.

2.19.0 / 2022-09-14

Features

• Allow SVG 1.0 color keyword names in CSS attributes. These colors are part of the CSS Color Module Level 3 recommendation released 2022-01-18. [#243]

Commits

• 3f88063 version bump to v2.19.1
• 9a8dadb docs: preserve the context and decision record
• 86f7f63 fix: replace recursive approach to cdata with escaping solution
• 415677f fix: do not allow "image/svg+xml" in data URIs
• 84ca20c refactor: extract scrub_uri_attribute for downstream use
• 47a835a ci: pin psych to v4 until v5 builds properly on CI
• a6e0a1a fix: replace slow regex attribute check with crass parser
• ea853aa Merge pull request #247 from flavorjones/flavorjones-downstream-test-rhs
• e1f2a4b ci: test downstream rails-html-sanitizer
• 79d65a0 Merge pull request #245 from flavorjones/flavorjones-fix-ruby-2.5-ci
• Additional commits viewable in compare view

Updates nokogiri from 1.16.4 to 1.16.7

Release notes

Sourced from nokogiri's releases.

v1.16.7 / 2024-07-27

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.9, which the upstream release notes state is a security release to address CVE-2024-40896. Nokogiri's maintainers believe this vulnerability does not affect users of Nokogiri, but we advise upgrading at your earliest convenience anyway.

---

sha256 checksums:

78778d35f165b59513be31c0fe232c63a82cf97626ffba695b5f822e5da1d74b  nokogiri-1.16.7-aarch64-linux.gem
c84cdb9e3aa44c35bbb981b20175838c4b2066c26c5cb118f31f177168a42fc3  nokogiri-1.16.7-arm-linux.gem
276dcea1b988a5b22b5acc1ba901d24b8e908c40b71dccd5d54a2ae279480dad  nokogiri-1.16.7-arm64-darwin.gem
044c45ca46abc2b6135a85ab39a546ff2f0434d43142bc59b83e5b1068876a42  nokogiri-1.16.7-java.gem
01ed785392f9cbdfd45e0e5ef6ad6d2c80a6128672589448f18952168bd68e56  nokogiri-1.16.7-x64-mingw-ucrt.gem
d8fd5c675743b85354c9098117bfa9e703c7cacab8c33e5190104ea8218ad1ec  nokogiri-1.16.7-x64-mingw32.gem
dddbf1c1ef99ce9fab98302b14f8bacb703e6f16e89b99f05ecee8a1fca23664  nokogiri-1.16.7-x86-linux.gem
b6517d995b024739cbb81251a26866d40e1ccb151936b5bb0977e7487f4e617c  nokogiri-1.16.7-x86-mingw32.gem
630732b80fc572690eab50c73a1f18988f3ac401ed0b67ca9956ba2b1e2c3faa  nokogiri-1.16.7-x86_64-darwin.gem
9e1e428641d5942af877c60b418c71163560e9feb4a5c4015f3230a8b86a40f6  nokogiri-1.16.7-x86_64-linux.gem
f819cbfdfb0a7b19c9c52c6f2ca63df0e58a6125f4f139707b586b9511d7fe95  nokogiri-1.16.7.gem

v1.16.6 / 2024-06-13

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.8, which the release notes state is a bugfix release.

---

sha256 checksums:

7f4c37ee2dd9c97fdfb6278cf3d9dd2078651f241eed320e26902135dbf78183  nokogiri-1.16.6-aarch64-linux.gem
73d7a7ca569308f181a234269e6607c9acb26ecc93ccbb05998d24a9546c0a94  nokogiri-1.16.6-arm-linux.gem
43e8a783697c65413408a4923b5c2ed6bea6632cfdab4da220446b601733fa4b  nokogiri-1.16.6-arm64-darwin.gem
993ec13a1f0fb2261913e62e1f7a662c77108b1a59c903033eac432f74437275  nokogiri-1.16.6-java.gem
285687f16c330a9b61793d9d45913becf7a9aa82b0ce15c48fc1e0d6c6c9972f  nokogiri-1.16.6-x64-mingw-ucrt.gem
dbbefbfabe363daaa90e7c0b15854769e17ee5b8ae243014e0e55c01047eb5cd  nokogiri-1.16.6-x64-mingw32.gem
dedac3ee38b4deed1141747f04dd5ac512ef9165259cec66ec934edaa8a2a848  nokogiri-1.16.6-x86-linux.gem
5080e9512e3ba320aef074c16a23aef737301ac0e3b7a173a299dcaaa40b6a20  nokogiri-1.16.6-x86-mingw32.gem
92fa413d866baf9b609f17558ecfbcf950d5373213babcf4ce11d7eaed4b21cf  nokogiri-1.16.6-x86_64-darwin.gem
769bd2c14ad76dd5a7e14c867741cf2e3b8c25626a34f40aee7b0b998b8de820  nokogiri-1.16.6-x86_64-linux.gem
935fe4dd67d4377f4a05002acb1ffbadbcae265ea8e7869fc40e3a8121f3e1ef  nokogiri-1.16.6.gem

v1.16.5 / 2024-05-13

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.16.7 / 2024-07-27

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.9, which the upstream release notes state is a security release to address CVE-2024-40896. Nokogiri's maintainers believe this vulnerability does not affect users of Nokogiri, but we advise upgrading at your earliest convenience anyway.

v1.16.6 / 2024-06-13

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.8, which the release notes state is a bugfix release.

v1.16.5

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-34459. See GHSA-r95h-9x8f-r3f7 for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.7 from v2.12.6. (@​flavorjones)

Commits

• d8d6ba3 version bump to v1.16.7
• 76199bb dep: update libxml2 to v2.12.9 (branch v1.16.x) (#3297)
• ca92e48 dep: update packaged libxml2 to v2.12.9
• fb833ea version bump to v1.16.6
• bacc8dc dep: update libxml2 to 2.12.8 (backport to v1.16.x) (#3229)
• cf0579f doc: update CHANGELOG
• 447fd12 dep: update libxml2 to 2.12.8
• cd70bd3 version bump to v1.16.5
• afc36de dep: update vendored libxml2 to v2.12.7 (#3191)
• 41b4f08 ci: add arm64-darwin coverage using macos-14
• Additional commits viewable in compare view

Updates rack from 2.2.4 to 2.2.8.1

Release notes

Sourced from rack's releases.

v2.2.8.1

What's Changed

• Fixed ReDoS in Accept header parsing [CVE-2024-26146]
• Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
• Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: rack/rack@v2.2.8...v2.2.8.1

v2.2.8

What's Changed

• Limit file extension length of multipart tempfiles (2.2 backport) by @​dentarg in rack/rack#2075
• CHANGELOG: Add missing 2.2.7 by @​tisba in rack/rack#2081
• Update cookie.rb by @​dchandekstark in rack/rack#2092
• Prefer ubuntu-latest for testing. by @​ioquatix in rack/rack#2095
• Fix inefficient assert pattern in Rack::Lint [2-2-stable] by @​skipkayhil in rack/rack#2101
• Regenerate SPEC [2-2-stable] by @​skipkayhil in rack/rack#2102

New Contributors

• @​tisba made their first contribution in rack/rack#2081
• @​dchandekstark made their first contribution in rack/rack#2092

Full Changelog: rack/rack@v2.2.7...v2.2.8

v2.2.7

What's Changed

• Correct the year number in the changelog by @​kimulab in rack/rack#2015
• Support underscore in host names for Rack 2.2 (Fixes #2070) by @​jeremyevans in rack/rack#2071

New Contributors

• @​kimulab made their first contribution in rack/rack#2015

Full Changelog: rack/rack@v2.2.6.4...v2.2.7

v2.2.6.4

No release notes provided.

Changelog

Sourced from rack's changelog.

Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

Unreleased

Added

• Introduce Rack::VERSION constant. (#2199, [@​ioquatix])

Changed

• Invalid cookie keys will now raise an error. (#2193, [@​ioquatix])
• Rack::MediaType#params now handles empty strings. (#2229, [@​jeremyevans])

Deprecated

• Rack::Auth::AbstractRequest#request is deprecated without replacement. (#2229, [@​jeremyevans])
• Rack::Request#parse_multipart (private method designed to be overridden in subclasses) is deprecated without replacement. (#2229, [@​jeremyevans])

Removed

• Rack::Request#values_at is removed. (#2200, [@​ioquatix])
• Rack::Logger is removed with no replacement. (#2196, [@​ioquatix])
• Automatic cache invalidation in Rack::Request#{GET,POST} has been removed. (#2230, [@​jeremyevans])

[3.1.7] - 2024-07-11

Fixed

• Do not remove escaped opening/closing quotes for content-disposition filenames. (#2229, [@​jeremyevans])
• Fix encoding setting for non-binary IO-like objects in MockRequest#env_for. (#2227, [@​jeremyevans])
• Rack::Response should not generate invalid content-length header. (#2219, [@​ioquatix])
• Allow empty PATH_INFO. (#2214, [@​ioquatix])

[3.1.6] - 2024-07-03

Fixed

• Fix several edge cases in Rack::Request#parse_http_accept_header's implementation. (#2226, [@​ioquatix])

[3.1.5] - 2024-07-02

Security

• Fix potential ReDoS attack in Rack::Request#parse_http_accept_header. (GHSA-cj83-2ww7-mvq7, @​dwisiswant0)

[3.1.4] - 2024-06-22

Fixed

... (truncated)

Commits

• e830011 bump version
• d9c163a Avoid 2nd degree polynomial regexp in MediaType
• 6245768 Return an empty array when ranges are too large
• e4c1177 Fixing ReDoS in header parsing
• f169ff7 Bump patch version.
• 0a46487 Regenerate SPEC (#2102)
• cee73b3 Fix inefficient assert pattern in Rack::Lint (#2101)
• 1fdcf1f Prefer ubuntu-latest for testing. (#2095)
• 287fe43 Update cookie.rb (#2092)
• e7f4869 adds missing 2.2.7 to CHANGELOG.md (#2081)
• Additional commits viewable in compare view

Updates rails-html-sanitizer from 1.4.3 to 1.4.4

Release notes

Sourced from rails-html-sanitizer's releases.

1.4.4 / 2022-12-13

• Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer.

  Fixes CVE-2022-23517. See GHSA-5x79-w82f-gw8w for more information.

  Mike Dalessio

• Address improper sanitization of data URIs.

  Fixes CVE-2022-23518 and #135. See GHSA-mcvf-2q2m-x72m for more information.

  Mike Dalessio

• Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

  Fixes CVE-2022-23520. See GHSA-rrfc-7g8p-99q8 for more information.

  Mike Dalessio

• Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

  Fixes CVE-2022-23519. See GHSA-9h9g-93gc-623h for more information.

  Mike Dalessio

Changelog

Sourced from rails-html-sanitizer's changelog.

1.4.4 / 2022-12-13

• Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer.

  Fixes CVE-2022-23517. See GHSA-5x79-w82f-gw8w for more information.

  Mike Dalessio

• Address improper sanitization of data URIs.

  Fixes CVE-2022-23518 and #135. See GHSA-mcvf-2q2m-x72m for more information.

  Mike Dalessio

• Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

  Fixes CVE-2022-23520. See GHSA-rrfc-7g8p-99q8 for more information.

  Mike Dalessio

• Address possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

  Fixes CVE-2022-23519. See GHSA-9h9g-93gc-623h for more information.

  Mike Dalessio

Commits

• fd63dea version bump to v1.4.4
• 48ae90a dep: bump dependency on loofah
• 0713caf fix: escape CDATA nodes using Loofah's escaping methods
• e6d52d3 revert 45a5c10
• d1223a2 fix: use Loofah's scrub_uri_attribute method
• f0e3347 fix: replace slow regex attribute check with Loofah method
• df03f2f ci: pin system lib test to 20.04
• 3e2a0f3 Merge pull request #145 from rails/flavorjones-get-14x-green
• 11752a6 tests: handle libxml 2.10.0 incorrectly-opened comment parsing
• See full diff in compare view

Updates rexml from 3.3.1 to 3.3.3

Release notes

Sourced from rexml's releases.

REXML 3.3.3 - 2024-08-01

Improvements

• Added support for detecting invalid XML that has unsupported content before root element

  • GH-184
  • Patch by NAITOH Jun.

• Added support for REXML::Security.entity_expansion_limit= and REXML::Security.entity_expansion_text_limit= in SAX2 and pull parsers

  • GH-187
  • Patch by NAITOH Jun.

• Added more tests for invalid XMLs.

  • GH-183
  • Patch by Watson.

• Added more performance tests.

  • Patch by Watson.

• Improved parse performance.

  • GH-186
  • Patch by tomoya ishida.

Thanks

• NAITOH Jun

• Watson

• tomoya ishida

REXML 3.3.2 - 2024-07-16

Improvements

• Improved parse performance.

  • GH-160
  • Patch by NAITOH Jun.

• Improved parse performance.

  • GH-169
  • GH-170
  • GH-171
  • GH-172
  • GH-173
  • GH-174
  • GH-175
  • GH-176

... (truncated)

Changelog

Sourced from rexml's changelog.

3.3.3 - 2024-08-01 {#version-3-3-3}

Improvements

• Added support for detecting invalid XML that has unsupported content before root element

  • GH-184
  • Patch by NAITOH Jun.

• Added support for REXML::Security.entity_expansion_limit= and REXML::Security.entity_expansion_text_limit= in SAX2 and pull parsers

  • GH-187
  • Patch by NAITOH Jun.

• Added more tests for invalid XMLs.

  • GH-183
  • Patch by Watson.

• Added more performance tests.

  • Patch by Watson.

• Improved parse performance.

  • GH-186
  • Patch by tomoya ishida.

Thanks

• NAITOH Jun

• Watson

• tomoya ishida

3.3.2 - 2024-07-16 {#version-3-3-2}

Improvements

• Improved parse performance.

  • GH-160
  • Patch by NAITOH Jun.

• Improved parse performance.

  • GH-169
  • GH-170
  • GH-171
  • GH-172
  • GH-173
  • GH-174
  • GH-175

... (truncated)

Commits

• e4a067e Add 3.3.3 entry
• 17ff3e7 test: add a performance test for attribute list declaration
• be86b3d test: fix wrong test name
• b93d790 test: use double quote for string literal
• 0fbe7d5 test: don't use abbreviated name
• 1599e87 test: add a performance test for PI with many tabs
• e2546e6 parse pi: improve invalid case detection
• 73661ef test: fix a typo
• 850488a test: use double quote for string literal
• 46c6397 test: add performance tests for entity declaration
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.