🚨 [security] Update all of rails: 5.2.4.3 → 5.2.4.4 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (5.2.4.3 → 5.2.4.4) · Repo

Commits

See the full diff on Github. The new version differs by 2 commits:

• v5.2.4.4
• Fix XSS vulnerability in `translate` helper

↗️ actioncable (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• v5.2.4.4
• Fix XSS vulnerability in `translate` helper

↗️ actionmailer (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• v5.2.4.4
• Fix XSS vulnerability in `translate` helper

↗️ actionpack (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• v5.2.4.4
• Fix XSS vulnerability in `translate` helper

↗️ actionview (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Security Advisories 🚨

🚨 Potential XSS vulnerability in Action View

There is a potential Cross-Site Scripting (XSS) vulnerability in Action
View's translation helpers. Views that allow the user to control the
default (not found) value of the t and translate helpers could be
susceptible to XSS attacks.

Impact

When an HTML-unsafe string is passed as the default for a missing
translation key named html or ending in _html,
the default string is incorrectly marked as HTML-safe and not escaped.
Vulnerable code may look like the following examples:

<%# The welcome_html translation is not defined for the current locale: %>
<%= t("welcome_html", default: untrusted_user_controlled_string) %>
<%# Neither the title.html translation nor the missing.html translation is defined for the current locale: %>

<%= t("title.html", default: [:"missing.html", untrusted_user_controlled_string]) %>

Workarounds

Impacted users who can’t upgrade to a patched Rails version can avoid
this issue by manually escaping default translations with the
html_escape helper (aliased as h):

<%= t("welcome_html", default: h(untrusted_user_controlled_string)) %>

Commits

See the full diff on Github. The new version differs by 2 commits:

• v5.2.4.4
• Fix XSS vulnerability in `translate` helper

↗️ activejob (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• v5.2.4.4
• Fix XSS vulnerability in `translate` helper

↗️ activemodel (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• v5.2.4.4
• Fix XSS vulnerability in `translate` helper

↗️ activerecord (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• v5.2.4.4
• Fix XSS vulnerability in `translate` helper

↗️ activestorage (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• v5.2.4.4
• Fix XSS vulnerability in `translate` helper

↗️ activesupport (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• v5.2.4.4
• Fix XSS vulnerability in `translate` helper

↗️ loofah (indirect, 2.6.0 → 2.7.0) · Repo · Changelog

Release Notes

2.7.0

2.7.0 / 2020-08-26

Features

• Allow CSS properties page-break-before, page-break-inside, and page-break-after. [#190] (Thanks, @ahorek!)

Fixes

• Don't drop the !important rule from some CSS properties. [#191] (Thanks, @b7kich!)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

• version bump to v2.7.0
• Merge pull request #190 from ahorek/page_break
• update CHANGELOG
• add page-break to safelist
• Merge pull request #192 from b7kich/maintain_shorthand_css_important_rule
• update CHANGELOG
• prefer Array#<< to creating a new array
• scrub_css should not drop `!important` from shorthand css props
• update json dev dependency

↗️ minitest (indirect, 5.14.1 → 5.14.2) · Repo · Changelog

Release Notes

5.14.2 (from changelog)

• 1 bug fix:

  • Bumped ruby version to include 3.0 (trunk).

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• prepped for release
• - Bumped ruby version to include 3.0 (trunk).
• whitespace
• I am an idiot... fixed a last-day-of-month testing bug. I don't think I've done that in 15+ years. :P

↗️ nio4r (indirect, 2.5.2 → 2.5.3) · Repo · Changelog

Release Notes

2.5.3 (from changelog)

• #241 Possible bug with Ruby >= 2.7.0 and GC.compact. (@boazsegev)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 37 commits:

• Bump version.
• Remove ancient appveyor config.
• Prepare CHANGES.md for next release.
• fix for #241
• Fix Actions CI for macOS
• ssl_socket_spec.rb - move require inside block
• Fixes for use when OpenSSL is not loaded
• Fix warning: Use `result.unpack1("i")` instead of `result.unpack("i").first`. (convention:Style/UnpackFirst)
• Setting 'Enabled: false' for the new cops of Rubocop
• Fix warning: Metrics/LineLength has the wrong namespace - should be Layout
• Update rubocop version to 2.4
• Fix warning: The `Lint/HandleExceptions` cop has been renamed to `Lint/SuppressedException`.
• Fix warning: The `Layout/AlignHash` cop has been renamed to `Layout/HashAlignment`
• Bumb Rubocop to 0.82.0
• Use truffleruby-head in CI
• CI: Exclude TruffleRuby on Windows
• Remove travis config and update github actions.
• Update travis configuration.
• Add ruby 2.7
• Merge pull request #234 from MSP-Greg/add-actions
• Remove redundant jobs from AppVeyor
• Remove redundant jobs from Travis
• Add Actions CI - workflow.yml
• extconf.rb - add devkit for mingw
• Fix Warning: unrecognized cop Performance/RegexpMatch found in .rubocop.yml
• Fix Lint/UnneededCopEnableDirective
• Fix Naming/RescuedExceptionsVariableName
• Fix Lint/UnneededCopEnableDirective
• disable Layout/AlignHash
• Fix Style/ExpandPathArguments
• Fix Layout/EmptyLineAfterGuardClause
• Fix Style/ExpandPathArguments
• bump rubocop to 0.74.0
• CI: Add 2.7 to the matrix
• Polish examples/echo_server.rb
• Update CHANGES.md
• Update CHANGES.md

↗️ railties (indirect, 5.2.4.3 → 5.2.4.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• v5.2.4.4
• Fix XSS vulnerability in `translate` helper

↗️ websocket-driver (indirect, 0.7.2 → 0.7.3) · Repo · Changelog

Release Notes

0.7.3 (from changelog)

• Let the client accept HTTP responses that have an empty reason phrase following the 101 status code

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 2 commits:

• Bump version to 0.7.3
• Accept HTTP responses that have an empty reason-phrase, per RFC 2616

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #337.