🚨 [security] Update factory_bot_rails 6.4.4 → 6.5.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ factory_bot_rails (6.4.4 → 6.5.0) · Repo · Changelog

Release Notes

6.5.0

What's Changed

• Drop support for Ruby 3.0 by @FerPerales in #507
• Read gem version from code file by @unused in #506
• Add missing required Ruby version to gemspec by @unused in #510
• Update Bundler to v2.5.23 by @smaboshe in #515
• Fix standardrb violations by @sarahraqueld in #482
• Activate linter in CI by @unused in #508
• Support file_fixture in Factory definitions by @seanpdoyle in #427
• Fix development dependencies by @neilvcarvalho in #526
• Support Rails 7.2 by @RajRoR in #495
• Limit push builds to the main branch by @neilvcarvalho in #527
• add support for rails v8 by @jamesoneill997 in #521
• Add latest Ruby and Rails versions to the build by @neilvcarvalho in #529
• Update gemspec with supported Rails version by @neilvcarvalho in #531
• Run Cucumber feature tests on CI by @neilvcarvalho in #530

New Contributors

• @FerPerales made their first contribution in #507
• @unused made their first contribution in #506
• @RajRoR made their first contribution in #495
• @jamesoneill997 made their first contribution in #521

Full Changelog: v6.4.4...v6.5.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ base64 (0.2.0 → 0.3.0) · Repo

Release Notes

0.3.0

What's Changed

• Provide a 'Changelog' link on rubygems.org/gems/base64 by @mark-young-atg in #18
• Exclude older than 2.6 on macos-14 by @nobu in #21
• Add RBS signature and testing by @ksss in #25
• Enabled trusted publisher for rubygems.org by @hsbt in #29
• [DOC] Tweaks for module Base64 by @BurdetteLamar in #23

New Contributors

• @mark-young-atg made their first contribution in #18
• @nobu made their first contribution in #21
• @ksss made their first contribution in #25

Full Changelog: v0.2.0...v0.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

• v0.3.0
• [DOC] Tweaks for module Base64
• Enabled trusted publisher for rubygems.org
• Add RBS signature and testing (#25)
• Update file list on gemspec
• Update license files same as ruby/ruby
• Merge pull request #21 from ruby/old-version-on-macos
• Exclude older than 2.6 on macos-14
• Merge pull request #18 from mark-young-atg/provide_changelog_link_on_rubygems
• Provide a 'Changelog' link on rubygems.org/gems/base64

✳️ benchmark (0.4.0 → 0.4.1) · Repo

Release Notes

0.4.1

What's Changed

• Document that default FORMAT includes total time by @paarthmadan in #12

New Contributors

• @paarthmadan made their first contribution in #12

Full Changelog: v0.4.0...v0.4.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 19 commits:

• v0.4.1
• Merge pull request #12 from paarthmadan/correct-format-documentation
• Merge pull request #33 from ruby/dependabot/github_actions/step-security/harden-runner-2.12.0
• Bump step-security/harden-runner from 2.11.1 to 2.12.0
• Merge pull request #32 from ruby/dependabot/github_actions/step-security/harden-runner-2.11.1
• Bump step-security/harden-runner from 2.11.0 to 2.11.1
• Merge pull request #31 from ruby/dependabot/github_actions/step-security/harden-runner-2.11.0
• Bump step-security/harden-runner from 2.10.4 to 2.11.0
• Merge pull request #30 from ruby/dependabot/github_actions/step-security/harden-runner-2.10.4
• Bump step-security/harden-runner from 2.10.3 to 2.10.4
• Merge pull request #29 from ruby/dependabot/github_actions/step-security/harden-runner-2.10.3
• Bump step-security/harden-runner from 2.10.2 to 2.10.3
• Merge pull request #28 from ruby/dependabot/github_actions/rubygems/release-gem-1.1.1
• Bump rubygems/release-gem from 1.1.0 to 1.1.1
• Fixed version number of rubygems/release-gem
• Merge pull request #26 from ruby/dependabot/github_actions/rubygems/release-gem-9e85cb11501bebc2ae661c1500176316d3987059
• Merge pull request #27 from ruby/dependabot/github_actions/step-security/harden-runner-2.10.2
• Bump step-security/harden-runner from 2.10.1 to 2.10.2
• Bump rubygems/release-gem

✳️ bigdecimal (3.1.9 → 3.2.2) · Repo · Changelog

Release Notes

3.2.2

What's Changed

• Make precision calculation in bigdecimal.div(value, 0) gc-compaction safe by @tompng in #339

Full Changelog: v3.2.1...v3.2.2

3.2.1

What's Changed

• Enabled trusted publisher for rubygems.org by @hsbt in #333
• Fix division precision limit by @tompng in #335

Full Changelog: v3.2.0...v3.2.1

3.2.0

What's Changed

• Fix spec NoMethodError message for .allocator on truffle Ruby by @mrzasa in #313
• Remove outdated BigMath.atan document that refers to convergence by @tompng in #318
• Add a precision assertion to BigMath test by @tompng in #316
• Use Ractor#value as Ractor#take is removed by @ko1 in #327
• Indent multiline call-seq comment by @tompng in #311
• Integrate BigDecimal_div and BigDecimal_div2 by @tompng in #329
• Fix division rounding by @tompng in #330

New Contributors

• @tompng made their first contribution in #318
• @ko1 made their first contribution in #327

Full Changelog: v3.1.9...v3.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 21 commits:

• Bump version to 3.2.2
• Update CHANGES for 3.2.2
• Make precision calculation in bigdecimal.div(value, 0) gc-compaction safe (#339)
• Bump version to 3.2.1
• CHANGES: Add v3.2.1 entries
• Merge pull request #335 from tompng/div_with_preclimit_fix
• Apply preclimit in BigDecimal_div2 when specified prec is 0
• Enabled trusted publisher for rubygems.org (#333)
• Bump version to 3.2.0
• Add dev:version:bump rake task
• CHANGES: Add v3.2.0 entries
• Fix division rounding (#330)
• Integrate BigDecimal_div and BigDecimal_div2 (#329)
• [DOC] Indent multiline call-seq comment (#311)
• Merge pull request #327 from ko1/ractor_value
• Use `Ractor#value` as `Ractor#take` is removed
• Add a precision assertion to BigMath test (#316)
• Merge pull request #318 from tompng/rm_atan_convergence_comment
• Merge pull request #313 from mrzasa/fix-no-allocator-on-truffle
• Remove outdated BigMath.atan document that referrs to convergence
• Fix spec NoMethodError message for .allocator on truffle Ruby

↗️ drb (indirect, 2.2.1 → 2.2.3) · Repo · Changelog

Release Notes

2.2.3

Improvement

• Added support for "Changelog" link in RubyGems.org page.

  • GH-30
  • Patch by Mark Young

• Dropped ObjectSpace._id2ref dependency because
  ObjectSpace._id2ref is deprecated. Drb::WeakIdConv is
  meaningless by this. So it's deprecated. Use the default ID
  converter instead.

  • GH-35
  • https://bugs.ruby-lang.org/issues/15711

Fixes

• SSL: Fixed wrong certificate version.
  • GH-29

Thanks

• Mark Young

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

• Bump version
• Fix building and publishing package
• Bump version
• Add 2.2.2 entry
• Use more specific changelog page
• Add support for Trusted Publishing
• Merge InvokeMethod18Mixin into InvokeMethod (#37)
• Add safety comment about x509 cert versioning rule (#34)
• Avoid use of id2ref for weak mapping (#35)
• Merge pull request #29 from jeremyevans/fix-openssl-cert-version
• Merge pull request #33 from ruby/docs-fix-links
• [doc] Update links
• Merge pull request #30 from mark-young-atg/provide_changelog_link_on_rubygems
• Provide a 'Changelog' link on rubygems.org/gems/drb
• Fix wrong certificate version

↗️ factory_bot (indirect, 6.5.1 → 6.5.4) · Repo · Changelog

Release Notes

6.5.4

• Fix bug where user-defined method named definition could not be set through method_missing in factories. (CodeMeister)

6.5.3

• Fix: Factory sequences without blocks (CodeMeister)
• Added: New methods for setting, generating and rewinding sequences (CodeMeister)

6.5.2

• Changed: Updated "verbose linting" test to allow for backtrace changes in Ruby 3.4 (CodeMeister)
• Fix: Set the same timestamps for created_at and updated_at on build_stubbed (Kim Emmanuel)
• Fix: Refactored sequences to ensure cloned traits use parent sequences. (CodeMeister)
• Docs: Fix definition_file_paths comment (Milo Winningham)
• Docs: Add ruby-lsp extensions to Useful Tools in README.md (johansenja)
• Docs: Fix docs about definition file paths (Ryo Nakamura)
• Docs: Update has_many-associations.md to mention that traits can use inline associations (Matthew Zagaja)
• Docs: Fix "Transitioning from Factory Girl" guide link (Neil Carvalho)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rack (indirect, 3.1.15 → 3.1.16) · Repo · Changelog

Security Advisories 🚨

🚨 ReDoS Vulnerability in Rack::Multipart handle_mime_head

Summary

There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571.

Details

Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

Credits

Thanks to scyoon for reporting this to the Rails security team

Commits

See the full diff on Github. The new version differs by 3 commits:

• Bump patch version.
• Fix ReDoS and consistency in multipart regexes
• Synchronize changelog.

↗️ rails-dom-testing (indirect, 2.2.0 → 2.3.0) · Repo · Changelog

Release Notes

2.3.0

What's Changed

• Add assert_not_dom, refute_dom, assert_not_select, refute_select & refute_dom_equal by @joshuay03 in #113
• Raise an error when given a block with a 0 element assertion by @joshuay03 in #116
• Raise an error when provided an invalid Range, or invalid :minimum and :maximum by @joshuay03 in #115
• assert_dom :text collapses whitespace by @jyeharry in #123

New Contributors

• @joshuay03 made their first contribution in #113
• @m-nakamura145 made their first contribution in #118
• @jyeharry made their first contribution in #122

Full Changelog: v2.2.0...v2.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 29 commits:

• Prepare for 2.3.0
• No need for CHANGELOG file. Use GitHub Releases instead
• Add release workflow
• Merge pull request #123 from jyeharry/feature/assert_dom-ignore-whitespace-v2
• Collapse whitespace from :text but not :html
• Add failing test for assert_dom collapsing whitespace
• Merge pull request #122 from jyeharry/feature/assert_dom-ignore-whitespace
• Add strict parameter to assert_dom
• Add failing test for assert_dom collapsing whitespace
• Add macos to supported platforms in Gemfile.lock
• ci: run tests once a week on a timer
• Merge pull request #124 from rails/flavorjones-dep-logger-fix
• ci: drop jruby where unsupported, pin concurrent-ruby where needed
• ci: insert Rails 7.2 and 8.0 into the testing matrix
• dep: bundle update
• Merge pull request #118 from m-nakamura145/update-checkout-action
• Update checkout action version
• doc: introduce a CHANGELOG.md file
• Merge pull request #117 from rails/flavorjones-ci-20240113
• ci: add mutex_m to the rails 7.0 gemfile
• dep: bundle update
• Merge pull request #115 from joshuay03/raise-an-error-for-invalid-ranges
• Merge pull request #116 from joshuay03/raise-an-error-for-no-elements-with-block
• Raise an error when given a block with a 0 element assertion
• Raise an error when provided an invalid Range, or invalid :minimum and :maximum
• Merge pull request #113 from joshuay03/feature/refute-and-assert-not-for-dom-and-dom-equal
• Merge pull request #114 from flavorjones/flavorjones-update-ci-matrix-2024-01
• Add `assert_not_dom`, `refute_dom`, `assert_not_select`, `refute_select` & `refute_dom_equal`
• ci: update ci matrix with rails 7.1 and ruby 3.3

↗️ rake (indirect, 13.2.1 → 13.3.0) · Repo · Changelog

Release Notes

13.3.0

What's Changed

• Add missing changelog by @VitaliySerov in #555
• Exclude 2.3-2.5 on macos-14 iamge by @hsbt in #563
• Use require_relative in the Rake codebase by @koic in #566
• Provide a 'Changelog' link on rubygems.org/gems/rake by @mark-young-atg in #572
• Remove dependency on win32ole by @Earlopain in #573
• Switch changelog_uri to releases tab by @fynsta in #577
• chore: refactor/reformat the heredocs (in tests) ... by @pvdb in #589
• chore: remove $trace global variable / option by @pvdb in #592
• Link to Jim's last rake commit (not the git tree with that SHA) by @pvdb in #593
• chore: refactor how temporary files are created (in tests) by @pvdb in #590
• refactor: use $LOADED_FEATURES built-in instead of $" by @pvdb in #605
• refactor: remove "exposed" @system_dir instance variable (in helper method) by @pvdb in #604
• refactor: simplify Rake::Application#system_dir method by @pvdb in #591
• Remove unused argument by @takmar in #623
• Use latest RDoc release instead of Ruby 3.2's default version by @st0012 in #630
• Enabled trusted publisher for rubygems.org by @hsbt in #634
• refactor: use Dir.home to find rake's standard system dir by @pvdb in #608
• Fix RDoc links in Rake Information section by @komagata in #627
• refactor: move dependency requires to ruby_runner.rb file by @pvdb in #609
• Pattern matching support for arguments by @rgarner in #515

New Contributors

• @VitaliySerov made their first contribution in #555
• @koic made their first contribution in #566
• @mark-young-atg made their first contribution in #572
• @Earlopain made their first contribution in #573
• @fynsta made their first contribution in #577
• @takmar made their first contribution in #623
• @st0012 made their first contribution in #630
• @komagata made their first contribution in #627
• @rgarner made their first contribution in #515

Full Changelog: v13.2.1...v13.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rdoc (indirect, 6.13.1 → 6.14.0) · Repo · Changelog

Release Notes

6.14.0

What's Changed

✨ Enhancements

• Add support for canonical URL link tag by @p8 in #1354
• Set language in HTML by @p8 in #1361

🐛 Bug Fixes

• Fix image tag with external source by @ybiquitous in #1348

🛠 Other Changes

• Bump ruby/setup-ruby from 1.227.0 to 1.229.0 by @dependabot in #1336
• Fix RDoc::Options example in README by @tompng in #1337
• Bump step-security/harden-runner from 2.11.0 to 2.11.1 by @dependabot in #1338
• Bump ruby/setup-ruby from 1.229.0 to 1.230.0 by @dependabot in #1339
• Runs ruby-core workflow on ubuntu-latest by @st0012 in #1345
• Move default RDoc headings to a constant by @vinistock in #1341
• Enable Style/MethodDefParentheses rule by @vinistock in #1342
• Bump ruby/setup-ruby from 1.230.0 to 1.233.0 by @dependabot in #1346
• Fix rubygems hook execution when gemspec.rdoc_options contains --ri by @tompng in #1347
• Update ri manpage to show how to access ruby pages by @adam12 in #1340
• Fix link to CONTRIBUTING on README by @ybiquitous in #1350
• Bump step-security/harden-runner from 2.11.1 to 2.12.0 by @dependabot in #1351
• Bump ruby/setup-ruby from 1.233.0 to 1.235.0 by @dependabot in #1352
• Don't run CI jobs for push by Dependabot by @kou in #1353
• Fix typo in test name by @p8 in #1355
• Polish link underline in Darkfish CSS by @ybiquitous in #1349
• Rename test classes from Test* to *Test by @st0012 in #1359
• Bump ruby/setup-ruby from 1.235.0 to 1.237.0 by @dependabot in #1362
• Declare erb as a dependency by @st0012 in #1368
• Load cgi/escape instead of cgi/util by @Earlopain in #1366
• Add a new workflow to deploy page preview for PRs from forks by @st0012 in #1365
• Bump version to 6.14.0 by @st0012 in #1371

Full Changelog: v6.13.1...v6.14.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 34 commits:

• Bump version to 6.14.0 (#1371)
• Fix PR commenting workflow
• Fetch PR details first to get the correct commit sha
• Test workflow fix: use sha for build checkout instead
• Add a new workflow to deploy page preview for PRs from forks (#1365)
• Load `cgi/escape` instead of `cgi/util` (#1366)
• Declare erb as a dependency (#1368)
• Merge pull request #1361 from p8/features/html-lang
• Add support for canonical URL link tag (#1354)
• Set language in HTML
• Bump ruby/setup-ruby from 1.235.0 to 1.237.0 (#1362)
• Rename test classes from Test* to *Test (#1359)
• Merge pull request #1349 from ybiquitous/css-link-underline
• Fix typo in test name (#1355)
• Don't run CI jobs for push by Dependabot (#1353)
• Increase `text-underline-offset` value with `em` unit
• Bump ruby/setup-ruby from 1.233.0 to 1.235.0 (#1352)
• Bump step-security/harden-runner from 2.11.1 to 2.12.0 (#1351)
• Fix link to CONTRIBUTING on README (#1350)
• Polish link underline in Darkfish CSS
• Fix image tag with external source (#1348)
• Update ri manpage to show how to access ruby pages (#1340)
• Fix rubygems hook execution when gemspec.rdoc_options contains --ri (#1347)
• Bump ruby/setup-ruby from 1.230.0 to 1.233.0 (#1346)
• Merge pull request #1342 from Shopify/vs-enable-method-def-parenthesis
• Merge pull request #1341 from Shopify/vs-make-to-rdoc-headings-more-idiomatic
• Move default RDoc headings to a constant
• Auto-fix Style/MethodDefParentheses violations
• Enable Style/MethodDefParentheses rule
• Runs ruby-core workflow on ubuntu-latest (#1345)
• Bump ruby/setup-ruby from 1.229.0 to 1.230.0 (#1339)
• Bump step-security/harden-runner from 2.11.0 to 2.11.1 (#1338)
• Fix RDoc::Options example in README (#1337)
• Bump ruby/setup-ruby from 1.227.0 to 1.229.0

↗️ zeitwerk (indirect, 2.7.2 → 2.7.3) · Repo · Changelog

Release Notes

2.7.3 (from changelog)

• The helper Zeitwerk::Loader#cpath_expected_at did not work correctly if the inflector had logic that relied on the absolute path of the given file or directory. This has been fixed.

  This bug was found by Codex.

• Perpetual internal work.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 16 commits:

• Ready for 2.7.3
• cpath_expected_at: pass correct dir to the inflector
• User Symbol#name here
• Refactor thread-safety test
• Simplify Zeitwerk::Cref#path
• Parameterize Zeitwerk::Cref::Map
• New signature convention for exceptions
• Revises duck-typing signatures
• Use #: for RBS annotations
• Updates some signature annotations
• Defines a dedicated registry for loaders
• Defines a dedicated registry for autoloads
• Refactors the registry for inceptions
• Refactors the registry for explicit namespaces
• Small simplification
• Revamp docs of Zeitwerk::Cref::Map

🆕 erb (added, 5.0.1)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #320.

[depfu]

Closed in favor of #320.

[depfu]

Closed in favor of #320.

[depfu]

Closed in favor of #320.