Bump the bundler group across 1 directory with 6 updates

[dependabot]

Bumps the bundler group with 5 updates in the / directory:

Package	From	To
rexml	3.2.6	3.3.2
carrierwave	1.3.3	2.2.6
rdoc	6.3.2	6.3.4.1
rack	2.2.8	2.2.8.1
actionpack	7.0.6	7.0.8.4

Updates rexml from 3.2.6 to 3.3.2

Release notes

Sourced from rexml's releases.

REXML 3.3.2 - 2024-07-16

Improvements

• Improved parse performance.

  • GH-160
  • Patch by NAITOH Jun.

• Improved parse performance.

  • GH-169
  • GH-170
  • GH-171
  • GH-172
  • GH-173
  • GH-174
  • GH-175
  • GH-176
  • GH-177
  • Patch by Watson.

• Added support for raising a parse exception when an XML has extra content after the root element.

  • GH-161
  • Patch by NAITOH Jun.

• Added support for raising a parse exception when an XML declaration exists in wrong position.

  • GH-162
  • Patch by NAITOH Jun.

• Removed needless a space after XML declaration in pretty print mode.

  • GH-164
  • Patch by NAITOH Jun.

• Stopped to emit :text event after the root element.

  • GH-167
  • Patch by NAITOH Jun.

Fixes

• Fixed a bug that SAX2 parser doesn't expand predefined entities for characters callback.
  • GH-168
  • Patch by NAITOH Jun.

Thanks

• NAITOH Jun

• Watson

... (truncated)

Changelog

Sourced from rexml's changelog.

3.3.2 - 2024-07-16 {#version-3-3-2}

Improvements

• Improved parse performance.

  • GH-160
  • Patch by NAITOH Jun.

• Improved parse performance.

  • GH-169
  • GH-170
  • GH-171
  • GH-172
  • GH-173
  • GH-174
  • GH-175
  • GH-176
  • GH-177
  • Patch by Watson.

• Added support for raising a parse exception when an XML has extra content after the root element.

  • GH-161
  • Patch by NAITOH Jun.

• Added support for raising a parse exception when an XML declaration exists in wrong position.

  • GH-162
  • Patch by NAITOH Jun.

• Removed needless a space after XML declaration in pretty print mode.

  • GH-164
  • Patch by NAITOH Jun.

• Stopped to emit :text event after the root element.

  • GH-167
  • Patch by NAITOH Jun.

Fixes

• Fixed a bug that SAX2 parser doesn't expand predefined entities for characters callback.
  • GH-168
  • Patch by NAITOH Jun.

Thanks

• NAITOH Jun

• Watson

... (truncated)

Commits

• 2b285ac Add 3.3.2 entry
• 0e33d3a test: improve linear performance test names
• 910e5a2 Fix performance issue caused by using repeated > characters inside `<xml><!...
• 1f1e6e9 Fix ReDoS by using repeated space characters inside `<!DOCTYPE name [<!ATTLIS...
• 1cc1d9a Suppress have_root not initialized warnings on Ruby < 3
• 67efb59 Fix performance issue caused by using repeated > characters inside `<!DOCTY...
• a79ac8b Fix performance issue caused by using repeated > characters inside `<!DOCTY...
• c33ea49 Fix performance issue caused by using repeated > characters after ` <!DOCTY...
• 9f1415a Fix performance issue caused by using repeated > characters inside `CDATA [...
• c1b64c1 Fix performance issue caused by using repeated > characters inside comments...
• Additional commits viewable in compare view

Updates carrierwave from 1.3.3 to 2.2.6

Release notes

Sourced from carrierwave's releases.

2.2.6

Security

• Fix Content-Type allowlist bypass vulnerability remained (@​mshibuya 4317871, GHSA-vfmv-jfc5-pjjw)

2.2.5

Security

• Fix Content-Type allowlist bypass vulnerability, possibly leading to XSS (@​mshibuya 39b282d, GHSA-gxhx-g4fq-49hj)

2.2.4

Fixed

• Fix Ruby 2.7 keyword argument warning in uploader process (@​SuperTux88 #2665, #2636, #2635)

2.2.3

Fixed

• Add workaround for 'undefined method closed?' error caused by ssrf_filter 1.1 (@​mshibuya c74579d, #2628)
• Add workaround for the API change in ssrf_filter 1.1 (@​BrianHawley #2629, #2625)

2.2.2

Fixed

• Fix no implicit conversion of CSV into String error when parsing a CSV object (@​pjmartorell #2562, #2559)

2.2.1

Changed

• Replace mimemagic with marcel due to licensing concern (@​pjmartorell #2551, #2548)

Fixed

• Fog storage's #clean_cache! breaks when non-cache objects exist in cache_dir (@​mshibuya 42c620a1, #2532)

2.2.0

Added

• libvips support through ImageProcessing::Vips and ruby-vips (@​rhymes #2500, e8421978, 4ae8dc64)
• Provide alternatives to whitelist/blacklist terminology as allowlist/denylist, while old ones are still available but deprecated (@​grantbdev #2442, 4c3cac75, #2491)
• Support for the latest version of RMagick (@​mshibuya 88f24451)

Deprecated

• #(content_type|extension)_whitelist, #(content_type|extension)_blacklist are deprecated. Use #(content_type|extension)_allowlist and #(content_type|extension)_denylist instead (@​grantbdev #2442, 4c3cac75)

Fixed

• Calculate Fog expiration taking DST into account (@​mshibuya, f90e14ca, #2059)
• Set correct content type on copy of fog files (@​ZuevEvgenii #2503, 6682f7ac, #2487)
• Fix fog-google support to pass acl_header for public read if fog is public (@​yosiat #2525, #2426)
• Fix various URL escape issues by escaping on URI parse error only (@​mshibuya 3faf7491, #2457, #2473)
• Fix instance variables @versions_to_* not initialized warning (@​mshibuya c10b82ed, #2493)
• Fix SanitizedFile#move_to wrongly detects content_type based on the path before move (@​mshibuya a42e1b4c, #2495)
• Fix returning invalid content type on text files (@​inkstak #2474, #2424)
• Skip content type and extension filters where possible (@​alexpooley #2464)
• Fix file's #url being called twice, which might be costly for non-local files (@​skyeagle #2519)
• Fix mime type detection failing with types which contain + symbol, such as image/svg+xml (@​sylvainbx #2489)
• Fix #cached? to return boolean instead of @cache_id value (@​kmiyake #2510)
• Fix mime type detection for MS Office files (@​anthonypenner #2447)

... (truncated)

Changelog

Sourced from carrierwave's changelog.

2.2.6 - 2024-03-23

Security

• Fix Content-Type allowlist bypass vulnerability remained (@​mshibuya 4317871, GHSA-vfmv-jfc5-pjjw)

2.2.5 - 2023-11-29

Security

• Fix Content-Type allowlist bypass vulnerability, possibly leading to XSS (@​mshibuya 39b282d, GHSA-gxhx-g4fq-49hj)

2.2.4 - 2023-06-10

Fixed

• Fix Ruby 2.7 keyword argument warning in uploader process (@​SuperTux88 #2665, #2636, #2635)

2.2.3 - 2022-11-21

Fixed

• Add workaround for 'undefined method closed?' error caused by ssrf_filter 1.1 (@​mshibuya c74579d, #2628)
• Add workaround for the API change in ssrf_filter 1.1 (@​BrianHawley #2629, #2625)

2.2.2 - 2021-05-28

Fixed

• Fix no implicit conversion of CSV into String error when parsing a CSV object (@​pjmartorell #2562, #2559)

2.2.1 - 2021-03-30

Changed

• Replace mimemagic with marcel due to licensing concern (@​pjmartorell #2551, #2548)

Fixed

• Fog storage's #clean_cache! breaks when non-cache objects exist in cache_dir (@​mshibuya 42c620a1, #2532)

2.2.0 - 2021-02-23

Added

• libvips support through ImageProcessing::Vips and ruby-vips (@​rhymes #2500, e8421978, 4ae8dc64)
• Provide alternatives to whitelist/blacklist terminology as allowlist/denylist, while old ones are still available but deprecated (@​grantbdev #2442, 4c3cac75, #2491)
• Support for the latest version of RMagick (@​mshibuya 88f24451)

Deprecated

• #(content_type|extension)_whitelist, #(content_type|extension)_blacklist are deprecated. Use #(content_type|extension)_allowlist and #(content_type|extension)_denylist instead (@​grantbdev #2442, 4c3cac75)

Fixed

• Calculate Fog expiration taking DST into account (@​mshibuya, f90e14ca, #2059)
• Set correct content type on copy of fog files (@​ZuevEvgenii #2503, 6682f7ac, #2487)
• Fix fog-google support to pass acl_header for public read if fog is public (@​yosiat #2525, #2426)
• Fix various URL escape issues by escaping on URI parse error only (@​mshibuya 3faf7491, #2457, #2473)
• Fix instance variables @versions_to_* not initialized warning (@​mshibuya c10b82ed, #2493)
• Fix SanitizedFile#move_to wrongly detects content_type based on the path before move (@​mshibuya a42e1b4c, #2495)
• Fix returning invalid content type on text files (@​inkstak #2474, #2424)
• Skip content type and extension filters where possible (@​alexpooley #2464)
• Fix file's #url being called twice, which might be costly for non-local files (@​skyeagle #2519)
• Fix mime type detection failing with types which contain + symbol, such as image/svg+xml (@​sylvainbx #2489)
• Fix #cached? to return boolean instead of @cache_id value (@​kmiyake #2510)
• Fix mime type detection for MS Office files (@​anthonypenner #2447)

... (truncated)

Commits

• eb6359e Version 2.2.6
• 4317871 Fix Content-Type allowlist bypass vulnerability remained
• 0fcff94 Version 2.2.5
• 39b282d Fix Content-Type allowlist bypass vulnerability
• 2f91bee Version 2.2.4
• 2f2d77a Merge pull request #2665 from SuperTux88/backport-kwargs-fix
• 52237f4 fix: ruby 2.7 kwarg warning in uploader process
• bdb0be0 File.exists? had been deprecated since Ruby 2.1 and has been deleted in Ruby 3.2
• ed8c518 Forward to 1.x changelog for older changes
• baf5df7 Version 2.2.3
• Additional commits viewable in compare view

Updates rdoc from 6.3.2 to 6.3.4.1

Release notes

Sourced from rdoc's releases.

v6.3.3

Full Changelog: ruby/rdoc@v6.3.2...v6.3.3

Commits

• cbef3cc Bump up 6.3.4.1
• a5de13b Fix NoMethodError for start_with
• ee074e9 Bump up 6.3.4
• 60a6d74 Use safe_load and safe_load_file for .rdoc_options
• 32ff6ba Filter marshaled objects
• 4797136 Bump rdoc version to 6.3.3
• 61414e4 Vertical-bar is disallowed in path names on Windows
• See full diff in compare view

Updates rack from 2.2.8 to 2.2.8.1

Release notes

Sourced from rack's releases.

v2.2.8.1

What's Changed

• Fixed ReDoS in Accept header parsing [CVE-2024-26146]
• Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
• Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: rack/rack@v2.2.8...v2.2.8.1

Commits

• e830011 bump version
• d9c163a Avoid 2nd degree polynomial regexp in MediaType
• 6245768 Return an empty array when ranges are too large
• e4c1177 Fixing ReDoS in header parsing
• See full diff in compare view

Updates actionpack from 7.0.6 to 7.0.8.4

Release notes

Sourced from actionpack's releases.

7.0.8.4

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Include the HTTP Permissions-Policy on non-HTML Content-Types [CVE-2024-28103]

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• ec7f253 Preparing for 7.0.8.4 release
• f12d5ae update changelog
• b84cbec include the HTTP Permissions-Policy on non-HTML Content-Types
• 08bc3ce Preparing for 7.0.8.3 release
• 7c8d2a1 Preparing for 7.0.8.2 release
• 506462a Preparing for 7.0.8.1 release
• 030cd01 update changelog
• 4c83b33 fix XSS vulnerability when using translation
• fc734f2 Preparing for 7.0.8 release
• f9175db Fix webdrivers on 7-0-stable branch for issue #48973. (#48977)
• Additional commits viewable in compare view

Updates actiontext from 7.0.6 to 7.0.8.4

Release notes

Sourced from actiontext's releases.

7.0.8.4

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Include the HTTP Permissions-Policy on non-HTML Content-Types [CVE-2024-28103]

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• ec7f253 Preparing for 7.0.8.4 release
• f12d5ae update changelog
• 08bc3ce Preparing for 7.0.8.3 release
• 73fac32 Keep actiontext depending on trix 1.3.1
• 83e6a75 Merge pull request #51851 from skipkayhil/hm-fix-7-0-trix
• 7c8d2a1 Preparing for 7.0.8.2 release
• 07e6c88 Upgrade Trix to 1.3.2 to fix [CVE-2024-34341][1]
• 506462a Preparing for 7.0.8.1 release
• 030cd01 update changelog
• fc734f2 Preparing for 7.0.8 release
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.