🚨 [security] Update activesupport 7.1.3 → 8.1.2.1 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ activesupport (indirect, 7.1.3 → 8.1.2.1) · Repo · Changelog

Security Advisories 🚨

🚨 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Impact

NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Impact

SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible DoS vulnerability in its number helpers

Impact

Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Impact

NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Impact

SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible DoS vulnerability in its number helpers

Impact

Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Impact

NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Impact

SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible DoS vulnerability in its number helpers

Impact

Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ base64 (indirect, 0.2.0 → 0.3.0) · Repo · Changelog

Release Notes

0.3.0

What's Changed

• Provide a 'Changelog' link on rubygems.org/gems/base64 by @mark-young-atg in #18
• Exclude older than 2.6 on macos-14 by @nobu in #21
• Add RBS signature and testing by @ksss in #25
• Enabled trusted publisher for rubygems.org by @hsbt in #29
• [DOC] Tweaks for module Base64 by @BurdetteLamar in #23

New Contributors

• @mark-young-atg made their first contribution in #18
• @nobu made their first contribution in #21
• @ksss made their first contribution in #25

Full Changelog: v0.2.0...v0.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ bigdecimal (indirect, 3.2.2 → 3.3.1) · Repo · Changelog

Release Notes

3.3.1

What's Changed

• Fix modulo/remainder of negative zero by @tompng in #441
• Unify all precision validation to be consistent with BigDecimal#add by @tompng in #442
• Bump version to 3.3.1 by @tompng in #443

Full Changelog: v3.3.0...v3.3.1

3.3.0

What's Changed

• Allow calling Rational#to_d without arguments by @fsateler in #421
• Fix test_no_memory_leak failure by @tompng in #424
• Change BigMath.sin and cos to always calculate in relative precision. by @tompng in #422
• Faster exp calculation by @tompng in #399
• Rename assert_relative_precision to assert_converge_in_precision by @tompng in #425
• Add support for tangent function by @rhannequin in #231
• Make bigdecimal.rb work in JRuby by @tompng in #420
• BigMath methods common interface: coerce x, validate prec, check nan error by @tompng in #415
• Round result of sqrt and BigMath methods by @tompng in #427
• Update example calculation result in BigMath document by @tompng in #428
• BigMath.log(0,n)==-Infinity just like Math.log(0) by @tompng in #430
• Fix divmod and modulo by infinity to match Float#divmod and Float#modulo by @tompng in #429
• Bump step-security/harden-runner from 2.13.0 to 2.13.1 by @dependabot[bot] in #431
• Make internal BigMath method a private method by @tompng in #432
• Improve performance of x**y when y is a huge value by @tompng in #438
• Fix precision of x.power(y, prec) when the result is nearly infinity by @tompng in #439
• Bump version to 3.3.0 by @tompng in #437

New Contributors

• @fsateler made their first contribution in #421

Full Changelog: v3.2.3...v3.3.0

3.2.3

What's Changed

• Fix sign of bigdecimal**bigint by @tompng in #341
• Fix BigMath.atan precision safe margin by @tompng in #320
• Fix typo in BigDecimal#scale comment by @timcraft in #348
• Allow BigDecimal accept Float without precision by @mrzasa in #314
• Fix edgecase segfault of BigDecimal#remainder by @tompng in #349
• Fix precision of BigMath.sin(x,prec) and BigMath.cos(x,prec) for large x by @tompng in #346
• Fix wrong converge check in VpSqrt by @tompng in #353
• Bump step-security/harden-runner from 2.12.0 to 2.12.1 by @dependabot[bot] in #356
• Ensure BigMath.sin and BigMath.cos to be within -1..1 by @tompng in #317
• Remove BigDecimal_divremain(which has a bug) and use BigDecimal_DoDivmod instead by @tompng in #351
• Bump step-security/harden-runner from 2.12.1 to 2.12.2 by @dependabot[bot] in #359
• Remove back pointer from Real to VALUE by @tompng in #344
• Update docs for #to_d core extensions by @dduugg in #360
• Fix compiling issue (when BIGDECIMAL_DEBUG is 1) by @tompng in #363
• Use a correct term: engineering notation -> scientific notation by @mame in #365
• Fix to_f underflow check when DECDIG is uint16_t by @tompng in #364
• Fix VpNumOfChars calculation for the longest case by @tompng in #366
• Fix a bug that exponent overflow is ignored in add, sub, mult and div operation by @tompng in #367
• Fix dump/load bigdecimal with few or large precs by @tompng in #362
• Refactor AddExponent overflow/underflow check by @tompng in #368
• Strict BigDecimal("0.1e#{exponent}") exponent overflow/underflow check by @tompng in #369
• Add DECDIG=16bit CI workflow by @tompng in #370
• Fix wrong multiplying BASE_FIG in precision calculation by @tompng in #372
• Remove debug print by @tompng in #375
• Remove unused #define macros by @tompng in #376
• VpDivd bugfix by @tompng in #374
• Fix VpDivd to fully use quotient array by @tompng in #377
• Add RB_GC_GUARD to test-only methods by @tompng in #378
• Use minimum necessary division precision in BigDecimal_DoDivmod by @tompng in #371
• Remove dead code and ineffective optimization path form VpDivd by @tompng in #379
• Implement exp, log, power and ** in ruby by @tompng in #347
• Remove unused "# define" macros by @tompng in #382
• Bump step-security/harden-runner from 2.12.2 to 2.13.0 by @dependabot[bot] in #383
• VpFormatSt O(n^2) to O(n) by @tompng in #384
• Ignore ndigits passed to BigDecimal(string, ndigits) by @tompng in #385
• Better error message for negative**intinite and zero-converge case fix by @tompng in #386
• Refactor truncate floor and ceil duplicated part by @tompng in #387
• Fix exp log power to raise "Computation results in Infinity/NaN" in EXCEPTION_INFINITY/EXCEPTION_NaN mode by @tompng in #389
• Reduce guard obj by @tompng in #390
• Remove ENTER and GUARD_OBJ macro by @tompng in #391
• Coerce to bigdecimal refactor by @tompng in #392
• Coerce rational with the given prec in exp, log and power calculation by @tompng in #393
• Unify coerce prec calculation by @tompng in #394
• Use bool instead of Qtrue/Qfalse for normal c boolish value by @tompng in #395
• Fix adjusting x to 0.3..3 in log calculation by @tompng in #397
• missing.h cleanup by @tompng in #396
• Hide internal method of BigMath into BigDecimal::Internal by @tompng in #400
• Remove gc_compaction test by @tompng in #401
• Bump actions/checkout from 4 to 5 by @dependabot[bot] in #402
• Fix VpMult result size calculation by @tompng in #403
• Fix GetAddSubPrec calculation by @tompng in #406
• Fix PrecLimit not restored on exception by @tompng in #405
• Fix div,modulo,remainder and divmod precision when prec limit is specified by @tompng in #408
• Fix x.fix and x.frac affected by prec limit, Stop -x and x.abs round with prec limit by @tompng in #409
• Don't use ZeroWrapLimited. Use unlimited version instead. by @tompng in #410
• Fix x / y precision when prec limit is huge by @tompng in #412
• Calculate exp, log, pow with the given prec even if prec limit is set by @tompng in #411
• Simplify to_i logic by @tompng in #413
• Add BigMath::E and BigMath::PI precision test by @tompng in #414
• Rewrite BigDecimal#sqrt in ruby with improved Newton's method by @tompng in #381
• Update bigdecimal version used in benchmark from 3.0.0 to 3.1.1 by @tompng in #416
• Implement BigDecimal#_decimal_shift for internal use by @tompng in #324
• In JRuby, don't add sqrt, exp, log, power implemented in ruby by @tompng in #417
• Add JRuby minimum ci by @tompng in #418
• Bump version to 3.2.3 by @tompng in #419

New Contributors

• @timcraft made their first contribution in #348
• @dduugg made their first contribution in #360

Full Changelog: v3.2.2...v3.2.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.2.3 → 1.3.6) · Repo · Changelog

Release Notes

1.3.6

What's Changed

• Run tests without the C extension in CI by @eregon in #1081
• Fix typo in Promise docs by @danieldiekmeier in #1083
• Correct word in readme by @wwahammy in #1084
• Fix mistakes in MVar documentation by @trinistr in #1087
• Fix multi require concurrent/executor/cached_thread_pool by @OuYangJinTing in #1085
• Use typed data APIs by @nobu in #1096
• Add Joshua Young to the list of maintainers by @eregon in #1097
• Asynchronous pruning for RubyThreadPoolExecutor by @joshuay03 in #1082
• Mark RubySingleThreadExecutor as a SerialExecutorService by @meineerde in #1070
• Allow TimerTask to be safely restarted after shutdown and avoid duplicate tasks by @bensheldon in #1001
• Flaky test fix: allow ThreadPool to shutdown before asserting completed_task_count by @bensheldon in #1098
• ThreadPoolExecutor#kill will wait_for_termination in JRuby; ensure TimerSet timer thread shuts down cleanly by @bensheldon in #1044

New Contributors

• @danieldiekmeier made their first contribution in #1083
• @wwahammy made their first contribution in #1084
• @trinistr made their first contribution in #1087
• @OuYangJinTing made their first contribution in #1085
• @nobu made their first contribution in #1096
• @joshuay03 made their first contribution in #1082

Full Changelog: v1.3.5...v1.3.6

1.3.5

What's Changed

• Remove dependency on logger by @eregon in #1062
• Avoid error when member is present on ancestor class by @francesmcmullin in #1068
• Set rake-compiler source and target to Java 8 by @headius in #1071
• chore: fix typos by @chenrui333 in #1076

New Contributors

• @francesmcmullin made their first contribution in #1068
• @chenrui333 made their first contribution in #1076

Full Changelog: v1.3.4...v1.3.5

1.3.4

What's Changed

• Update comment for JRuby variant of processor_count to reality by @meineerde in #1054
• Add Concurrent.cpu_requests that is cgroups aware. by @heka1024 in #1058
• Fix the doc of Concurrent.available_processor_count by @y-yagi in #1059
• Fix the return value of Concurrent.available_processor_count when cpu.cfs_quota_us is -1 by @y-yagi in #1060

New Contributors

• @heka1024 made their first contribution in #1058
• @y-yagi made their first contribution in #1059

Full Changelog: v1.3.3...v1.3.4

1.3.3

What's Changed

• Improve speed for windows Get-CimInstance by @Earlopain in #1053

Full Changelog: v1.3.2...v1.3.3

1.3.2

What's Changed

• Fix method name in CHANGELOG.md by @nertzy in #1049
• Remove dependency on win32ole by @Earlopain in #1051

New Contributors

• @nertzy made their first contribution in #1049
• @Earlopain made their first contribution in #1051

Full Changelog: v1.3.1...v1.3.2

1.3.1

This release is essentially v1.3.0, but with a properly packaged gem. There was an issue publishing v1.3.0 and that gem needed to be yanked to avoid breaking downstream projects. The v1.3.0 changelog is reproduced below.

What's Changed

• Add Concurrent.usable_processor_count that is cgroups aware by @casperisfine in #1038
• Align Java Executor Service behavior for shuttingdown?, shutdown? by @bensheldon in #1042

New Contributors

• @dependabot made their first contribution in #1028
• @kkohrt made their first contribution in #1037

Full Changelog: v1.2.3...v1.3.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ connection_pool (indirect, 2.4.1 → 3.0.2) · Repo · Changelog

Release Notes

3.0.2 (from changelog)

• Support :name keyword for backwards compatibility [#210]

3.0.1 (from changelog)

• Add missing fork.rb to gemspec.

3.0.0 (from changelog)

• BREAKING CHANGES ConnectionPool and ConnectionPool::TimedStack now use keyword arguments rather than positional arguments everywhere. Expected impact is minimal as most people use the with API, which is unchanged.

pool = ConnectionPool.new(size: 5, timeout: 5)
pool.checkout(1) # 2.x
pool.reap(30)    # 2.x
pool.checkout(timeout: 1) # 3.x
pool.reap(idle_seconds: 30) # 3.x

• Dropped support for Ruby <3.2.0

2.5.5 (from changelog)

• Support ConnectionPool::TimedStack#pop(exception: false) [#207] to avoid using exceptions as control flow.

2.5.4 (from changelog)

• Add ability to remove a broken connection from the pool [#204, womblep]

2.5.3 (from changelog)

• Fix TruffleRuby/JRuby crash [#201]

2.5.2 (from changelog)

• Rollback inadvertant change to auto_reload_after_fork default. [#200]

2.5.1 (from changelog)

• Pass options to TimedStack in checkout [#195]
• Optimize connection lookup [#196]
• Fixes for use with Ractors

2.5.0 (from changelog)

• Reap idle connections [#187]

idle_timeout = 60
pool = ConnectionPool.new ...
pool.reap(idle_timeout, &:close)

• ConnectionPool#idle returns the count of connections not in use [#187]

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ drb (indirect, 2.2.0 → 2.2.3) · Repo · Changelog

Release Notes

2.2.3

Improvement

• Added support for "Changelog" link in RubyGems.org page.

  • GH-30
  • Patch by Mark Young

• Dropped ObjectSpace._id2ref dependency because
  ObjectSpace._id2ref is deprecated. Drb::WeakIdConv is
  meaningless by this. So it's deprecated. Use the default ID
  converter instead.

  • GH-35
  • https://bugs.ruby-lang.org/issues/15711

Fixes

• SSL: Fixed wrong certificate version.
  • GH-29

Thanks

• Mark Young

2.2.1

What's Changed

• Use a single quote instead of a backtick as an open quote by @mame in #25
• Drop dependency on ruby2_keywords by @Earlopain in #27
• Fix warnings during test runs by @Earlopain in #26

New Contributors

• @mame made their first contribution in #25
• @Earlopain made their first contribution in #27

Full Changelog: v2.2.0...v2.2.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 1.14.1 → 1.14.8) · Repo · Changelog

Release Notes

1.14.8

Full Changelog: v1.14.7...v1.14.8

What's Changed

• Remove unused cgi require for Ruby 3.5 compatibility by @Earlopain in #713
• Explicitly require pathname by @voxik in #708
• CI: Add Ruby 3.4 to CI Matrix by @taketo1113 in #722
• Fix: I18n.locale reset in Fiber context by using Thread#thread_variable by @lee266 in #724
• CI: Use actions/checkout@v5 by @olleolleolle in #721
• Fix compatibility with --enable-frozen-string-literal by @byroot in #726

New Contributors

• @Earlopain made their first contribution in #713
• @taketo1113 made their first contribution in #722
• @lee266 made their first contribution in #724
• @byroot made their first contribution in #726

Full Changelog: v1.14.7...v1.14.8

1.14.7

What's Changed

• Ruby 3.4 Hash#inspect compatibility. by @voxik in #709
• Removed (annoying) post-install message that was triggering on all Rubies, rather than the specified versions.

Full Changelog: v1.14.6...v1.14.7

1.14.6

What's Changed

Ruby < 3.2 support will be dropped April 2025. Upgrade now to continue using i18n after that date.

• fix issues with RDoc generation by @davetron5000 in #698
• Fix loading of .rb locale files when load_path is not a string by @stevegeek in #701
• Fixes strings being interpolated multiple times by @alexpls in #699
• Optimize pluralization logic in test data by @zachmargolis in #697
• [FIX] Raise ArgumentError on nil key in exists? by @KinWang-2013 in #696

New Contributors

• @davetron5000 made their first contribution in #698
• @stevegeek made their first contribution in #701
• @alexpls made their first contribution in #699
• @zachmargolis made their first contribution in #697
• @KinWang-2013 made their first contribution in #696

Full Changelog: v1.14.5...v1.14.6

1.14.5

What's Changed

• Explicitly bundle racc gem for Ruby 3.3+ by @amatsuda in #690
• Optimize I18n::Locale::Fallbacks#[] for recursive locale mappings by @uiur in #692
• Add I18n.interpolation_keys by @tom-lord in #682
• Fix syntax in documentation for I18n::Backend::Base.interpolate by @tom-lord in #691
• Fix that escaped interpolations with reserved keywords raised ReservedInterpolationKey by @Bilka2 in #688

New Contributors

• @uiur made their first contribution in #692
• @tom-lord made their first contribution in #682
• @Bilka2 made their first contribution in #688

Full Changelog: v1.14.4...v1.14.5

1.14.4

What's Changed

Note: the racc dependency will be coming back in Version 2.

• undo strict racc dependency on this branch by @radar in #687

Full Changelog: v1.14.3...v1.14.4

1.14.3

What's Changed

• Pass options to along to exists? super calls by @radar in #671
• Improve TOKENIZER by 23% by @kbrock in #668
• Regex part deux - INTERPOLATION_SYNTAX by @kbrock in #669
• Raise when translated entry contains interpolations for reserved keywords and no substitutions provided by @fatkodima in #678
• Implement Fallbacks#inspect and Fallbacks#empty? by @fatkodima in #683

Upkeep

• Update mocha gem by @fatkodima in #677
• Update workflows by @yykamei in #684

New Contributors

• @kbrock made their first contribution in #668

Full Changelog: v1.14.1...v1.14.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.22.2 → 6.0.2) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 json (added, 2.19.2)

🆕 prism (added, 1.9.0)

🆕 securerandom (added, 0.4.1)

🗑️ mutex_m (removed)

🗑️ ruby2_keywords (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)