Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump rails from 6.0.3.6 to 6.1.3.2 #2099

Merged
merged 3 commits into from
Jul 29, 2021
Merged

Bump rails from 6.0.3.6 to 6.1.3.2 #2099

merged 3 commits into from
Jul 29, 2021

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 6, 2021
edited
Loading

Bumps rails from 6.0.3.6 to 6.1.3.2.

Release notes

Sourced from rails's releases.

6.1.3.2

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Prevent open redirects by correctly escaping the host allow list CVE-2021-22903

  • Prevent catastrophic backtracking during mime parsing CVE-2021-22902

  • Prevent regex DoS in HTTP token authentication CVE-2021-22904

  • Prevent string polymorphic route arguments.

    url_for supports building polymorphic URLs via an array of arguments (usually symbols and records). If a developer passes a user input array, strings can result in unwanted route helper calls.

    CVE-2021-22885

    Gannon McGibbon

Active Job

... (truncated)

Commits
  • 75ac626 Preparing for 6.1.3.2 release
  • 8b3d6be updating lockfile
  • 9c21201 Prep for release
  • 20a4e60 Prevent slow regex when parsing host authorization header
  • 1439db5 Escape allow list hosts correctly
  • 0303187 Prevent string polymorphic route arguments
  • 40f82dc Prevent catastrophic backtracking during mime parsing
  • 85c6823 v6.1.3.1
  • 853d594 Upgrade to Marcel 1.0.0
  • 7c55e37 Replace mimemagic with mini_mime
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot added dependencies ruby Pull requests that update Ruby code labels May 6, 2021
@dependabot dependabot bot mentioned this pull request May 6, 2021
Closed
@bevanloon bevanloon temporarily deployed to government-f-dependabot-y2r7ya May 6, 2021 05:20 Inactive
@dependabot dependabot bot force-pushed the dependabot/bundler/rails-6.1.3.2 branch from 97b8d5f to a99a038 Compare May 7, 2021 08:56
@bevanloon bevanloon temporarily deployed to government-f-dependabot-y2r7ya May 7, 2021 08:56 Inactive
@dependabot dependabot bot force-pushed the dependabot/bundler/rails-6.1.3.2 branch 2 times, most recently from 44efd55 to a21db28 Compare June 4, 2021 13:53
@dependabot dependabot bot force-pushed the dependabot/bundler/rails-6.1.3.2 branch 6 times, most recently from 074ba15 to 11d16b1 Compare June 21, 2021 14:15
@dependabot dependabot bot force-pushed the dependabot/bundler/rails-6.1.3.2 branch from 11d16b1 to 117a77e Compare June 23, 2021 14:35
@benjamineskola benjamineskola force-pushed the dependabot/bundler/rails-6.1.3.2 branch 5 times, most recently from 715893b to 4db5740 Compare June 25, 2021 08:17
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Jun 25, 2021

A newer version of rails exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

@benjamineskola benjamineskola force-pushed the dependabot/bundler/rails-6.1.3.2 branch 3 times, most recently from 61b4c19 to bf3735d Compare July 1, 2021 15:35
@benjamineskola benjamineskola force-pushed the dependabot/bundler/rails-6.1.3.2 branch 4 times, most recently from 407fc7b to 58dae1b Compare July 16, 2021 14:30
@benjamineskola benjamineskola force-pushed the dependabot/bundler/rails-6.1.3.2 branch from 58dae1b to 3762e13 Compare July 16, 2021 14:34
@benjamineskola benjamineskola force-pushed the dependabot/bundler/rails-6.1.3.2 branch from 3762e13 to 28a9e92 Compare July 23, 2021 10:17
@benjamineskola benjamineskola self-assigned this Jul 23, 2021
@benjamineskola
Switch from DalliStore to MemcacheStore
eae8178 
This fixes an issue where the Dalli store is not supported in Rails 6.1: petergoldstein/dalli#771, cf. alphagov/local-links-manager#751 and alphagov/collections#2287
@benjamineskola benjamineskola force-pushed the dependabot/bundler/rails-6.1.3.2 branch from 4abfe4c to eae8178 Compare July 29, 2021 14:07
brucebolt
brucebolt approved these changes Jul 29, 2021
View reviewed changes
config/environments/production.rb
@@ -54,7 +54,7 @@

# Use a different cache store in production.
# config.cache_store = :mem_cache_store
config.cache_store = :dalli_store, nil, { namespace: :government_frontend, compress: true }
config.cache_store = :mem_cache_store, nil, { namespace: :government_frontend, compress: true }
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good spot. Can the dalli gem also be removed from the Gemfile?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems not — I had assumed so at first but it looks like MemcacheStore is also provided by the dalli gem. The other cases where we've had to fix this issue both retain the gem (1, 2)

@benjamineskola benjamineskola merged commit c795133 into main Jul 29, 2021
@benjamineskola benjamineskola deleted the dependabot/bundler/rails-6.1.3.2 branch July 29, 2021 14:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@benjamineskola benjamineskola benjamineskola left review comments

@brucebolt brucebolt brucebolt approved these changes

Assignees

@benjamineskola benjamineskola

Labels
dependencies ruby Pull requests that update Ruby code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@benjamineskola @brucebolt @bevanloon