🚨 [security] Upgrade json: 1.8.6 → 2.3.0 (major) #161
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![depfu[bot]](https://avatars.githubusercontent.com/in/715?s=60&v=4){kind=small}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
🚨 Your version of json has known security vulnerabilities 🚨
Advisory: CVE-2020-10663
Disclosed: March 19, 2020
URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Unsafe Object Creation Vulnerability in JSON (Additional fix)
🚨 We recommend to merge and deploy this update as soon as possible! 🚨
Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.
What changed?
✳️ json (1.8.6 → 2.3.0) · Repo · Changelog
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
✳️ gibbon (1.1.5 → 3.3.3) · Repo · Changelog
Release Notes
3.3.3 (from changelog)
3.3.1 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
✳️ sandi_meter (1.1.6 → 1.2.0) · Repo
Commits
See the full diff on Github. The new version differs by 31 commits:
New version with jRuby, thresholds and all PRs mergedMerge pull request #64 from makaroni4/feature/thresholdsFIX remove :all options for specs silent CLI configDefault config.ml file with thresholds for each ruleAdded CLI thresholds for each ruleAdded threshold check for each rule from config.yml fileRSpec 3 syntaxMerge pull request #62 from dkarter/feature/specify_output_pathMerge pull request #29 from andreanastacio/28-jruby-supportMerge pull request #63 from jaysonvirissimo/patch-1fix spellingupdate readme to include output path documentationmove output path setup up the scoperemove byebug gem: not supported on old rubiesadd output path to CLI and update all over the codestub out file system for CLI testssilence CLI output during testsrequire fakefs spec helpers for testsrequire pry for testsadd fakefs, pry and pry-byebug for testingfix indentationadd jruby platform to travisadd jruby supportLate release with PR from @mgrecarMerge pull request #58 from mgrecar/feature/no_launch_optionAdded a 'quiet' flag to the CLI options to suppress launch of the browser.Bump gem to new versionMerge pull request #56 from mgrecar/feature/html_using_launchyCLI now uses Launchy to open the graph, for cross platformMerge pull request #53 from andyw8/patch-1Fix typo in spec description✳️ simplecov (0.16.1 → 0.18.5) · Repo · Changelog
Release Notes
0.18.5
0.18.4
0.18.3
0.18.2
0.18.1
0.18.0
0.17.1 (from changelog)
0.17.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
3.3.17 (from changelog)
3.3.16 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
1.3.2 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 7 commits:
Prepare for release of v1.3.2Update HISTORY.md for 1.3.2Update copyright dates to 2019Update Travis Ruby versionsFix test failure on rubinius-3Fix issue #33 DSL object is replaced when #dsl_eval is nested (PR #34)Exclude certain methods from falling back from block context to dsl objectRelease Notes
0.9.5
0.9.4
0.9.3
0.9.1
0.9.0
0.8.6
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
5.14.0 (from changelog)
5.13.0 (from changelog)
5.12.2 (from changelog)
5.12.1 (from changelog)
5.12.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 54 commits:
prepped for releaseClosed temporary IOs when exiting capture_subprocess_io. (doudou)- Added example for value wrapper with block to Expectations module. (stomar)Added minitest_log to known modules (BurdetteLamar)+ Block-assertions (eg assert_output) now error if raised inside the block. (casperisfine)- Fixed use of must/wont_be_within_delta on Expectation instance. (stomar)+ Changed assert_raises to only catch Assertion since that covers Skip and friends.- Renamed UnexpectedError#exception to #error to avoid problems with reraising. (casperisfine)prepped for release+ Deprecated Minitest::Guard#maglev?+ Added skip_until(year, month, day, msg) to allow deferring until a deadline.Reworked some of metametameta to be more flexible.+ Added expectations #path_must_exist and #path_wont_exist. Not thrilled with the names.re-sorted assertions after path additions+ Finally added assert_path_exists and refute_path_exists. (deivid-rodriguez)+ Refactored and pulled Assertions#things_to_diff out of #diff. (BurdetteLamar)- Fix autorun bug that affects fork exit status in tests. (dylanahsmith/jhawthorn)+ Added examples to documentation for assert_raises. (lxxxvi)- Support new Proc#to_s format. (ko1)- Improved documentation for _/value/expect, especially for blocks. (svoop)prepped for release- After chatting w/ @y-yagi and others, decided to lower support to include ruby 2.2.prepped for release- Fixed broken link to reference on goodness-of-fit testing. (havenwood)Added mini-apivore to readme.- Update requirements in readme and Rakefile/hoe spec.+ Added documentation for Reporter classes. (sshaw)Added minitest-global_expectations to readme. (jeremyevans)- Avoid using 'match?' to support older ruby versions. (y-yagi)Tweaked multithreading section of README. (iHiD)prepped for releaseReworked the \n vs \\n mu_pp_for_diff situation.Extended assert_mu_pp and assert_mu_pp_for_diff to auto-quote strings to make tests more grokkable.minor editing to commentTurn off parallelism on stub and spec meta tests because they hit class methods (globals)Added mutant-minitest to readme. (mjb)+ Add a descriptive error if assert_output or assert_raises called without a block. (okuramasafumi)- Check `option[:filter]` klass before match. Fixes 2.6 warning. (y-yagi)Fixed 2.6 warning in test_refute_match_matcher_object by adding explicit =~ method. (y-yagi)Added doco for using Rake::TestTask. (schneems)Added minitest-mock_expectations to readme. (bogdanvlviv)- Fixed spec section of readme to not use deprecated global expectations. (CheezItMan)minor rearrangement of requiresAdded tests for message and using message/lambad w/ assertions.+ Changed mu_pp_for_diff to make having both \n and \\n easier to debug.Overhauled and sorted test_minitest_assertions.rb in prep for new mu_pp_for_diff changes.Split tests out into test_minitest_assertions.rb- Fixed Assertions#diff from recalculating if set to nil+ Deprecated $N for specifying number of parallel test runners. Use MT_CPU.+ Extended Assertions#mu_pp to encoding validity output for strings to improve diffs.+ Deprecated use of global expectations. To be removed from MT6.+ Fail gracefully when expectation used outside of `it`.Converted all minitest/spec tests over to use _ to avoid deprecation warnings.Avoid teardown assertion check if test is skippedRelease Notes
2.1.5 (from changelog)
2.1.1 (from changelog)
2.1.0 (from changelog)
2.0.6 (from changelog)
2.0.3 (from changelog)
2.0.1 (from changelog)
2.0.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
6.13.7 (from changelog)
6.13.6 (from changelog)
6.13.5 (from changelog)
6.13.4 (from changelog)
6.13.3 (from changelog)
6.13.2 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
1.14.1 (from changelog)
1.14.0 (from changelog)
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 13 commits:
Version 0.14.1Update changelog for 0.14.1Fix 2.7 warningMerge pull request #193 from orien/gem-metadataAdd project metadata to the gemspecVersion 0.14.0Remove ssh key signingAdd changelog for 0.14Oj 2 and 3 supportFix CIRemove gemnasiumMerge pull request #192 from igas/patch-2Fix codeclimate badgeRelease Notes
1.10.9
1.10.8
1.10.7
1.10.6
1.10.5
1.10.4
1.10.3
1.10.2
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
0.12.2
0.12.1
0.12.0
0.11.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
1.2.6
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 27 commits:
Update copyright years.Preparing v1.2.6.Replace expired gem signing certificate.Fix a comment.Ruby Enterprise Edition requires older versions of RubyGems and Bundler.Fix block not being called by RubyCoreSupport.open_file on JRuby 9.2.Revert "Try and fix an incorrect rake version being picked with JRuby 1.7."Try and fix an incorrect rake version being picked with JRuby 1.7.Convert to UNIX line endings.Simplify minitest version constraint.Update to Ruby v2.7.0-rc2.Run CI tests on Windows with AppVeyor.Enable verbose test output.Update Travis CI Ruby versions.Prevent bundler from attempting to use version minitest v5.12.0.Allow newer versions of Rake that fix warnings with Ruby 2.7.Eliminate a warning when calling File.open with keyword arguments.Suppress deprecation warnings due to Object#untaint on Ruby 2.7.Fix test failures on Ruby 1.8.7 caused by DateTime issues.Remove the unused REQUIRE_PATH constant from RubyDataSource.Fix SecurityErrors when loading data in safe mode.Test that RUBY_ENGINE is defined.Skip tests that fail due to Ruby bug 14060 on Ruby 2.4.4.Update to the latest Ruby, JRuby and Rubinius releases.Fix a documentation typo.Return the correct seconds since the epoch value for strftime with %s.Restrictions on timezones only apply to older (pre-1.9) Ruby releases.🆕 faraday (added, 1.0.0)
🆕 multipart-post (added, 2.1.1)
🗑️ httparty (removed)
🗑️ multi_xml (removed)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands