Bump the bundler group across 1 directory with 6 updates

[dependabot]

Bumps the bundler group with 2 updates in the / directory: actionmailer and rexml.

Updates actionmailer from 7.0.8.1 to 7.0.8.5

Release notes

Sourced from actionmailer's releases.

7.0.8.5

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Avoid regex backtracking in HTTP Token authentication

  [CVE-2024-47887]

• Avoid regex backtracking in query parameter filtering

  [CVE-2024-41128]

Active Job

• No changes.

Action Mailer

• Avoid regex backtracking in block_format helper

  [CVE-2024-47889]

Action Cable

• No changes.

Active Storage

... (truncated)

Commits

• f61f4ef Preparing for 7.0.8.5 release
• d666c96 Update CHANGELOGs
• 30abd6b Merge pull request #52962 from rails/rm-releser
• 0e5694f Avoid backtracking in ActionMailer block_format
• 40d8b92 Merge pull request #51510 from fatkodima/remove-ostruct
• ec7f253 Preparing for 7.0.8.4 release
• f12d5ae update changelog
• 08bc3ce Preparing for 7.0.8.3 release
• 7c8d2a1 Preparing for 7.0.8.2 release
• See full diff in compare view

Updates actionpack from 7.0.8.1 to 7.0.8.5

Release notes

Sourced from actionpack's releases.

7.0.8.5

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Avoid regex backtracking in HTTP Token authentication

  [CVE-2024-47887]

• Avoid regex backtracking in query parameter filtering

  [CVE-2024-41128]

Active Job

• No changes.

Action Mailer

• Avoid regex backtracking in block_format helper

  [CVE-2024-47889]

Action Cable

• No changes.

Active Storage

... (truncated)

Commits

• f61f4ef Preparing for 7.0.8.5 release
• d666c96 Update CHANGELOGs
• 30abd6b Merge pull request #52962 from rails/rm-releser
• b1241f4 Avoid backtracking in filtered_query_string
• 56b2fc3 Avoid backtracking in Token#raw_params
• 40d8b92 Merge pull request #51510 from fatkodima/remove-ostruct
• 6da6af8 Merge pull request #52176 from zzak/7-0-selenium-webdriver
• 67c2813 Merge pull request #52143 from skipkayhil/hm-fix-7-0-stable-ci
• ec7f253 Preparing for 7.0.8.4 release
• f12d5ae update changelog
• Additional commits viewable in compare view

Updates actiontext from 7.0.8.1 to 7.0.8.5

Release notes

Sourced from actiontext's releases.

7.0.8.5

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Avoid regex backtracking in HTTP Token authentication

  [CVE-2024-47887]

• Avoid regex backtracking in query parameter filtering

  [CVE-2024-41128]

Active Job

• No changes.

Action Mailer

• Avoid regex backtracking in block_format helper

  [CVE-2024-47889]

Action Cable

• No changes.

Active Storage

... (truncated)

Commits

• f61f4ef Preparing for 7.0.8.5 release
• d666c96 Update CHANGELOGs
• 30abd6b Merge pull request #52962 from rails/rm-releser
• 727b094 ActionText: Avoid backtracing in plain_text_for_blockquote_node
• ec7f253 Preparing for 7.0.8.4 release
• f12d5ae update changelog
• 08bc3ce Preparing for 7.0.8.3 release
• 73fac32 Keep actiontext depending on trix 1.3.1
• 83e6a75 Merge pull request #51851 from skipkayhil/hm-fix-7-0-trix
• 7c8d2a1 Preparing for 7.0.8.2 release
• Additional commits viewable in compare view

Updates nokogiri from 1.14.3 to 1.17.1

Release notes

Sourced from nokogiri's releases.

v1.17.1 / 2024-12-10

Fixed

• Fixed a potential segfault when using Node#dup and DocumentFragment#dup. #3359 @​byroot @​flavorjones
• Node#dup and Node#clone now correctly decorate the new node with the document's Node decorators. #3363 @​flavorjones

b3fce09bddfab61ae587f83af97bf0d0834352bcd23ad99831f2993d978627bd  nokogiri-1.17.1-aarch64-linux.gem
0e79badf832783e81439c3211562ed904a5c8eaaa0038c8fdfdb3778e873f3d0  nokogiri-1.17.1-arm64-darwin.gem
b8e9909ff893b257a58066e6bfc39456be18b87f4af1e22ca18d7c0dbc9925e5  nokogiri-1.17.1-arm-linux.gem
910fe0f194db99677f7ddb21b19a1d071ceffc4a0e39d44c08736d9b1e558cfc  nokogiri-1.17.1.gem
baf2cf6785f83c8cb3cdc427d0eb8b7f91d76748bfeb6c2612ce639e82c1ecee  nokogiri-1.17.1-java.gem
601a8bca523bf2b1a576c728ad4901c57263d0c29e4f9e6d2abe654c6a929841  nokogiri-1.17.1-x64-mingw32.gem
299ab9cd2c4ce882112e79fc31f82915920cb3e54ba526287e86d9a5fbfafebe  nokogiri-1.17.1-x64-mingw-ucrt.gem
94bcacacd123379229a8ece0d31c38af36d0ef6f86f399d5813be5ca0f566c88  nokogiri-1.17.1-x86_64-darwin.gem
2234250605b03433747e8d21de947b38b79f33a4280930e58bec179fd95d415d  nokogiri-1.17.1-x86_64-linux.gem
d09565316ffc8f8bb522bd6d1b460dec2a57d23d6e479c2d0d49d9ccbb11076c  nokogiri-1.17.1-x86-linux.gem
8f720dd62bf5d3791aa67f933085be5d2a2ab06afc120d4f210f40a5d184fafb  nokogiri-1.17.1-x86-mingw32.gem

v1.17.0 / 2024-12-08

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.13.5. @​flavorjones
• [CRuby] Vendored libxslt is updated to v1.1.42. @​flavorjones
• [CRuby] Minimum supported version of libxml2 raised to v2.9.2 (released 2014-10-16) from v2.6.21. [#3232, #3287] @​flavorjones
• [JRuby] Minimum supported version of Java raised to 8 (released 2014-03-18) from 7. #3134 @​flavorjones
• [CRuby] Update to rake-compiler-dock v1.5.1 for building precompiled native gems. #3216 @​flavorjones

Notable changes

SAX Parsers

The XML and HTML4 SAX parsers have received a lot of attention in this release, and we've fixed multiple long-standing bugs with encoding and entity handling. In addition, libxml2 v2.13 has also made some underlying fixes and improvements to encoding and entity handling.

We're shipping these fixes in a minor release because we firmly believe the resulting behavior is correct and standards-compliant, however applications that have been depending on the buggy behavior may be impacted.

If your application relies on the SAX parsers, and in particular if you're SAX-parsing documents with parsed entities or incorrect encoding declarations, please read the changelog below carefully.

Fragment parsing

Document fragment parsing has been improved, particularly with respect to handling malformed fragments or fragments with implicit namespace prefixes. Namespace reconciliation still isn't where we want it to be, but it's an improvement.

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.17.1 / 2024-12-10

Fixed

• Fixed a potential segfault when using Node#dup and DocumentFragment#dup. #3359 @​byroot @​flavorjones
• Node#dup and Node#clone now correctly decorate the new node with the document's Node decorators. #3363 @​flavorjones

v1.17.0 / 2024-12-08

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.13.5. @​flavorjones
• [CRuby] Vendored libxslt is updated to v1.1.42. @​flavorjones
• [CRuby] Minimum supported version of libxml2 raised to v2.9.2 (released 2014-10-16) from v2.6.21. [#3232, #3287] @​flavorjones
• [JRuby] Minimum supported version of Java raised to 8 (released 2014-03-18) from 7. #3134 @​flavorjones
• [CRuby] Update to rake-compiler-dock v1.5.1 for building precompiled native gems. #3216 @​flavorjones

Notable changes

SAX Parsers

The XML and HTML4 SAX parsers have received a lot of attention in this release, and we've fixed multiple long-standing bugs with encoding and entity handling. In addition, libxml2 v2.13 has also made some underlying fixes and improvements to encoding and entity handling.

We're shipping these fixes in a minor release because we firmly believe the resulting behavior is correct and standards-compliant, however applications that have been depending on the buggy behavior may be impacted.

If your application relies on the SAX parsers, and in particular if you're SAX-parsing documents with parsed entities or incorrect encoding declarations, please read the changelog below carefully.

Fragment parsing

Document fragment parsing has been improved, particularly with respect to handling malformed fragments or fragments with implicit namespace prefixes. Namespace reconciliation still isn't where we want it to be, but it's an improvement.

HTML5 fragment parsing now allows the context node to be specified as a context: keyword argument to the HTML5::DocumentFragment.parse and .new methods, which should allow for more flexible sanitization and future support for the draft HTML Sanitizer API in downstream libraries.

Error handling

In scenarios where multiple errors could be reported by the underlying parser, the errors will be aggregated into a single Nokogiri::XML::SyntaxError that is raised. Previously only the final error reported by libxml2 was raised (which was often misleading if it was only a warning and not the fatal error).

Schema validation

We've resolved many long-standing bugs in the various schema classes, validation methods, and their error reporting. Behavior is now consistent across schema types and input types, as well as parser backends (Xerces and libxml2).

Keyword arguments

The following methods now accept keyword arguments in addition to positional arguments, and use ... parameter forwarding when possible:

... (truncated)

Commits

• e4bae8a version bump to v1.17.1
• 12244fe fix: Node#dup adds the new node to the document's node cache (backport to v1....
• 7bf2fc1 fix: Node#dup adds the new node to the document's node cache
• 765754c doc: update CHANGELOG bullet lists to render with mkdocs
• 076d647 doc: extract older changelog entries into misc/CHANGELOG-archive.md
• c7b75ef version bump to v1.17.0
• e8e8ffe Nokogiri::XSLT() uses parameter forwarding (#3356)
• 3b8fd7e Nokogiri::XML() and Nokogiri::XML.parse() support argument forwarding (#3332)
• 92d2e4b {XML,HTML4,HTML5}::{Document,DocumentFragment}{.parse,#initialize} take keywo...
• a77e1bb Nokogiri::XSLT() uses parameter forwarding
• Additional commits viewable in compare view

Updates rack from 2.2.6.4 to 2.2.10

Release notes

Sourced from rack's releases.

v2.2.8.1

What's Changed

• Fixed ReDoS in Accept header parsing [CVE-2024-26146]
• Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
• Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: rack/rack@v2.2.8...v2.2.8.1

v2.2.8

What's Changed

• Limit file extension length of multipart tempfiles (2.2 backport) by @​dentarg in rack/rack#2075
• CHANGELOG: Add missing 2.2.7 by @​tisba in rack/rack#2081
• Update cookie.rb by @​dchandekstark in rack/rack#2092
• Prefer ubuntu-latest for testing. by @​ioquatix in rack/rack#2095
• Fix inefficient assert pattern in Rack::Lint [2-2-stable] by @​skipkayhil in rack/rack#2101
• Regenerate SPEC [2-2-stable] by @​skipkayhil in rack/rack#2102

New Contributors

• @​tisba made their first contribution in rack/rack#2081
• @​dchandekstark made their first contribution in rack/rack#2092

Full Changelog: rack/rack@v2.2.7...v2.2.8

v2.2.7

What's Changed

• Correct the year number in the changelog by @​kimulab in rack/rack#2015
• Support underscore in host names for Rack 2.2 (Fixes #2070) by @​jeremyevans in rack/rack#2071

New Contributors

• @​kimulab made their first contribution in rack/rack#2015

Full Changelog: rack/rack@v2.2.6.4...v2.2.7

Changelog

Sourced from rack's changelog.

[2.2.10] - 2024-10-14

• Fix compatibility issues with Ruby v3.4.0. (#2248, @​byroot)

[2.2.9] - 2023-03-21

• Return empty when parsing a multi-part POST with only one end delimiter. (#2104, [@​alpaca-tc])

[2.2.8] - 2023-07-31

• Regenerate SPEC (#2102, @​skipkayhil)
• Limit file extension length of multipart tempfiles (#2015, @​dentarg)
• Fix "undefined method DelegateClass for Rack::Session::Cookie:Class" (#2092, @​onigra @​dchandekstark)

[2.2.7] - 2023-03-13

• Correct the year number in the changelog (#2015, @​kimulab)
• Support underscore in host names for Rack 2.2 (Fixes #2070) (#2015, @​jeremyevans)

Commits

• 14c9dec Bump patch version.
• 6ae7057 [2.2-stable] Fix compatibility issues with Ruby 3.4.0dev (#2248)
• b1deebd Bump patch version.
• f7d40f9 Merge branch '2-2-sec' into 2-2-stable
• e830011 bump version
• d9c163a Avoid 2nd degree polynomial regexp in MediaType
• 6245768 Return an empty array when ranges are too large
• e4c1177 Fixing ReDoS in header parsing
• fdb12cb backport #2104 (#2121)
• 99057e6 Update CHANGELOG for 2.2.8 (#2107)
• Additional commits viewable in compare view

Updates rexml from 3.2.5 to 3.3.9

Release notes

Sourced from rexml's releases.

REXML 3.3.9 - 2024-10-24

Improvements

• Improved performance.
  • GH-210
  • Patch by NAITOH Jun.

Fixes

• Fixed a parse bug for text only invalid XML.

  • GH-215
  • Patch by NAITOH Jun.

• Fixed a parse bug that &#0x...; is accepted as a character reference.

Thanks

• NAITOH Jun

REXML 3.3.8 - 2024-09-29

Improvements

• SAX2: Improve parse performance.
  • GH-207
  • Patch by NAITOH Jun.

Fixes

• Fixed a bug that unexpected attribute namespace conflict error for the predefined "xml" namespace is reported.
  • GH-208
  • Patch by KITAITI Makoto

Thanks

• NAITOH Jun

• KITAITI Makoto

REXML 3.3.7 - 2024-09-04

Improvements

• Added local entity expansion limit methods
  • GH-192
  • GH-202
  • Reported by takuya kodama.

... (truncated)

Changelog

Sourced from rexml's changelog.

3.3.9 - 2024-10-24 {#version-3-3-9}

Improvements

• Improved performance.
  • GH-210
  • Patch by NAITOH Jun.

Fixes

• Fixed a parse bug for text only invalid XML.

  • GH-215
  • Patch by NAITOH Jun.

• Fixed a parse bug that &#0x...; is accepted as a character reference.

Thanks

• NAITOH Jun

3.3.8 - 2024-09-29 {#version-3-3-8}

Improvements

• SAX2: Improve parse performance.
  • GH-207
  • Patch by NAITOH Jun.

Fixes

• Fixed a bug that unexpected attribute namespace conflict error for the predefined "xml" namespace is reported.
  • GH-208
  • Patch by KITAITI Makoto

Thanks

• NAITOH Jun

• KITAITI Makoto

3.3.7 - 2024-09-04 {#version-3-3-7}

Improvements

• Added local entity expansion limit methods
  • GH-192
  • GH-202
  • Reported by takuya kodama.

... (truncated)

Commits

• 38eaa86 Add 3.3.9 entry
• ce59f2e parser: fix a bug that &#0x...; is accepted as a character reference
• a09646d test: fix indent
• cf0fb9c Fix IOSource#readline for @pending_buffer (#215)
• 1d0c362 Optimize IOSource#read_until method (#210)
• 622011f Bump version
• 036d508 test: avoid using needless non ASCII characters
• 4197054 Add 3.3.8 entry
• 78f8712 Fix handling with "xml:" prefixed namespace (#208)
• 2e1cd64 Optimize SAX2Parser#get_namespace (#207)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.