Sourced from addressable's changelog.

Addressable 2.8.0

• fixes ReDoS vulnerability in Addressable::Template#match
• no longer replaces + with spaces in queries for non-http(s) schemes
• fixed encoding ipv6 literals
• the :compacted flag for normalized_query now dedupes parameters
• fix broken escape_component alias
• dropping support for Ruby 2.0 and 2.1
• adding Ruby 3.0 compatibility for development tasks
• drop support for rack-mount and remove Addressable::Template#generate
• performance improvements
• switch CI/CD to GitHub Actions

Addressable 2.7.0

• added :compacted flag to normalized_query
• heuristic_parse handles mailto: more intuitively
• dropped explicit support for JRuby 9.0.5.0
• compatibility w/ public_suffix 4.x
• performance improvements

• 6469a23 Updating gemspec again
• 2433638 Merge branch 'main' of github.com:sporkmonger/addressable into main
• e9c76b8 Merge pull request #378 from ashmaroli/flat-map
• 56c5cf7 Update the gemspec
• c1fed1c Require a non-vulnerable rake
• 0d8a312 Adding note about ReDoS vulnerability
• 89c7613 Merge branch 'template-regexp' into main
• cf8884f Note about alias fix
• bb03f71 Merge pull request #371 from charleystran/add_missing_encode_component_doc_entry
• 6d1d809 Adding note about :compacted normalization
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from nokogiri's releases.

1.11.4 / 2021-05-14

Security

[CRuby] Vendored libxml2 upgraded to v2.9.12 which addresses:

• CVE-2019-20388
• CVE-2020-24977
• CVE-2021-3517
• CVE-2021-3518
• CVE-2021-3537
• CVE-2021-3541

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please see nokogiri/GHSA-7rrm-v45f-jp64 or #2233 for a more complete analysis of these CVEs and patches.

Dependencies

• [CRuby] vendored libxml2 is updated from 2.9.10 to 2.9.12. (Note that 2.9.11 was skipped because it was superseded by 2.9.12 a few hours after its release.)

1.11.3 / 2021-04-07

Fixed

• [CRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this likely segfaulted. [#1900]
• [JRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this raised a TypeError exception.
• [CRuby] arm64/aarch64 systems (like Apple's M1) can now compile libxml2 and libxslt from source (though we continue to strongly advise users to install the native gems for the best possible experience)

1.11.2 / 2021-03-11

Fixed

• [CRuby] NodeSet may now safely contain Node objects from multiple documents. Previously the GC lifecycle of the parent Document objects could lead to nodes being GCed while still in scope. [#1952]
• [CRuby] Patch libxml2 to avoid "huge input lookup" errors on large CDATA elements. (See upstream GNOME/libxml2#200 and GNOME/libxml2!100.) [#2132].
• [CRuby+Windows] Enable Nokogumbo (and other downstream gems) to compile and link against nokogiri.so by including LDFLAGS in Nokogiri::VERSION_INFO. [#2167]
• [CRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was invoked twice on each object.
• [JRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was not called, which was a problem for subclassing such as done by Loofah.

Improved

• Reduce the number of object allocations needed when parsing an HTML::DocumentFragment. [#2087] (Thanks, @​ashmaroli!)
• [JRuby] Update the algorithm used to calculate Node#line to be wrong less-often. The underlying parser, Xerces, does not track line numbers, and so we've always used a hacky solution for this method. [#1223, #2177]
• Introduce --enable-system-libraries and --disable-system-libraries flags to extconf.rb. These flags provide the same functionality as --use-system-libraries and the NOKOGIRI_USE_SYSTEM_LIBRARIES environment variable, but are more idiomatic. [#2193] (Thanks, @​eregon!)
• [TruffleRuby] --disable-static is now the default on TruffleRuby when the packaged libraries are used. This is more flexible and compiles faster. (Note, though, that the default on TR is still to use system libraries.) [#2191, #2193] (Thanks, @​eregon!)

... (truncated)

Sourced from nokogiri's changelog.

1.11.4 / 2021-05-14

Security

[CRuby] Vendored libxml2 upgraded to v2.9.12 which addresses:

• CVE-2019-20388
• CVE-2020-24977
• CVE-2021-3517
• CVE-2021-3518
• CVE-2021-3537
• CVE-2021-3541

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please see nokogiri/GHSA-7rrm-v45f-jp64 or #2233 for a more complete analysis of these CVEs and patches.

Dependencies

• [CRuby] vendored libxml2 is updated from 2.9.10 to 2.9.12. (Note that 2.9.11 was skipped because it was superseded by 2.9.12 a few hours after its release.)

1.11.3 / 2021-04-07

Fixed

• [CRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this likely segfaulted. [#1900]
• [JRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this raised a TypeError exception.
• [CRuby] arm64/aarch64 systems (like Apple's M1) can now compile libxml2 and libxslt from source (though we continue to strongly advise users to install the native gems for the best possible experience)

1.11.2 / 2021-03-11

Fixed

• [CRuby] NodeSet may now safely contain Node objects from multiple documents. Previously the GC lifecycle of the parent Document objects could lead to nodes being GCed while still in scope. [#1952]
• [CRuby] Patch libxml2 to avoid "huge input lookup" errors on large CDATA elements. (See upstream GNOME/libxml2#200 and GNOME/libxml2!100.) [#2132].
• [CRuby+Windows] Enable Nokogumbo (and other downstream gems) to compile and link against nokogiri.so by including LDFLAGS in Nokogiri::VERSION_INFO. [#2167]
• [CRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was invoked twice on each object.
• [JRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was not called, which was a problem for subclassing such as done by Loofah.

Improved

• Reduce the number of object allocations needed when parsing an HTML::DocumentFragment. [#2087] (Thanks, @​ashmaroli!)
• [JRuby] Update the algorithm used to calculate Node#line to be wrong less-often. The underlying parser, Xerces, does not track line numbers, and so we've always used a hacky solution for this method. [#1223, #2177]
• Introduce --enable-system-libraries and --disable-system-libraries flags to extconf.rb. These flags provide the same functionality as --use-system-libraries and the NOKOGIRI_USE_SYSTEM_LIBRARIES environment variable, but are more idiomatic. [#2193] (Thanks, @​eregon!)
• [TruffleRuby] --disable-static is now the default on TruffleRuby when the packaged libraries are used. This is more flexible and compiles faster. (Note, though, that the default on TR is still to use system libraries.) [#2191, #2193] (Thanks, @​eregon!)

... (truncated)

• 9d69b44 version bump to v1.11.4
• 058e87f update CHANGELOG with complete CVE information
• 9285251 Merge pull request #2234 from sparklemotion/2233-upgrade-to-libxml-2-9-12
• 5436f61 update CHANGELOG
• 761d320 patch: renumber libxml2 patches
• 889ee2a test: update behavior of namespaces in HTML
• 9751d85 test: remove low-value HTML::SAX::PushParser encoding test
• 9fcb7d2 test: adjust xpath gc test to libxml2's max recursion depth
• 1c99019 patch: backport libxslt configure.ac change for libxml2 config
• 82a253f patch: fix isnan/isinf patch to apply cleanly to libxml 2.9.12
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from rack's changelog.

Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

[3.0.0] - Unreleased

Security

• Do not use semicolon as GET parameter separator. (#1733, @jeremyevans)

Added

• Rack::RewindableInput supports size. (@ahorek)

Changed

• BREAKING CHANGE: Require status to be an Integer. (#1662, @olleolleolle)
• Relax validations around Rack::Request#host and Rack::Request#hostname. (#1606, @pvande)
• Removed antiquated handlers: FCGI, LSWS, SCGI, Thin. (#1658, @ioquatix)
• Removed options from Rack::Builder.parse_file and Rack::Builder.load_file. (#1663, @ioquatix)
• HMAC argument for Rack::Session::Cookie doesn't accept a class constant anymore, but only a string recognized by OpenSSL (e.g. "SHA256") or compatible instance (e.g. OpenSSL::Digest.new("SHA256")) (#1676, @bdewater)
• Rack::HTTP_VERSION has been removed and the HTTP_VERSION env setting is no longer set in the CGI and Webrick handlers . (#970, @jeremyevans)
• Rack::Request#[] and #[]= now warn even in non-verbose mode. (#1277, @jeremyevans)
• Decrease default allowed parameter recursion level from 100 to 32. (#1640, @jeremyevans)
• Attempting to parse a multipart response with an empty body now raises Rack::Multipart::EmptyContentError. (#1603, @jeremyevans)
• Rack::Utils.secure_compare uses OpenSSL's faster implementation if available. (#1711, @bdewater)

Fixed

• Make Rack::MockResponse handle non-hash headers. (#1629, @jeremyevans)
• TempfileReaper now deletes temp files if application raises an exception. (#1679, @jeremyevans)
• Fix using Rack::Session::Cookie with coder: Rack::Session::Cookie::Base64::{JSON,Zip}. (#1666, @jeremyevans)
• Avoid NoMethodError when accessing Rack::Session::Cookie without requiring delegate first. (#1610, @onigra)
• Handle cookies with values that end in '=' (#1645, @lukaso)

[2.2.3] - 2020-06-15

Security

• [CVE-2020-8184] Do not allow percent-encoded cookie name to override existing cookie names. BREAKING CHANGE: Accessing cookie names that require URL encoding with decoded name no longer works. (@fletchto99)

[2.2.2] - 2020-02-11

Fixed

• Fix incorrect Rack::Request#host value. (#1591, @ioquatix)
• Revert Rack::Handler::Thin implementation. (#1583, @jeremyevans)
• Double assignment is still needed to prevent an "unused variable" warning. (#1589, @kamipo)
• Fix to handle same_site option for session pool. (#1587, @kamipo)

... (truncated)

• 5280870 bump version
• a243510 When parsing cookies, only decode the values
• e7ba1b0 fix directory listing
• b9b8652 bump version
• 775c836 adding a test for directory traversal
• dddb7ad Use Dir.entries instead of Dir[glob] to prevent user-specified glob metachara...
• 16a51d8 Bump for 2.1.2 release
• 0a2c927 Update changelog in preparation for 2.1.2
• b50bc8b Fix multipart parser for special files #1308
• f9ef9a0 Fix use with kwargs
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from nokogiri's releases.

v1.11.0 / 2021-01-03

Notes

Faster, more reliable installation: Native Gems for Linux and OSX/Darwin

"Native gems" contain pre-compiled libraries for a specific machine architecture. On supported platforms, this removes the need for compiling the C extension and the packaged libraries. This results in much faster installation and more reliable installation, which as you probably know are the biggest headaches for Nokogiri users.

We've been shipping native Windows gems since 2009, but starting in v1.11.0 we are also shipping native gems for these platforms:

• Linux: x86-linux and x86_64-linux -- including musl platforms like alpine
• OSX/Darwin: x86_64-darwin and arm64-darwin

We'd appreciate your thoughts and feedback on this work at #2075.

Dependencies

Ruby

This release introduces support for Ruby 2.7 and 3.0 in the precompiled native gems.

This release ends support for:

• Ruby 2.3, for which official support ended on 2019-03-31 [#1886] (Thanks @ashmaroli!)
• Ruby 2.4, for which official support ended on 2020-04-05
• JRuby 9.1, which is the Ruby 2.3-compatible release.

Gems

• Explicitly add racc as a runtime dependency. [#1988] (Thanks, @voxik!)
• [MRI] Upgrade mini_portile2 dependency from ~> 2.4.0 to ~> 2.5.0 [#2005] (Thanks, @alejandroperea!)

Security

See note below about CVE-2020-26247 in the "Changed" subsection entitled "XML::Schema parsing treats input as untrusted by default".

Added

• Add Node methods for manipulating "keyword attributes" (for example, class and rel): #kwattr_values, #kwattr_add, #kwattr_append, and #kwattr_remove. [#2000]
• Add support for CSS queries a:has(> b), a:has(~ b), and a:has(+ b). [#688] (Thanks, @jonathanhefner!)
• Add Node#value? to better match expected semantics of a Hash-like object. [#1838, #1840] (Thanks, @MatzFan!)
• [CRuby] Add Nokogiri::XML::Node#line= for use by downstream libs like nokogumbo. [#1918] (Thanks, @stevecheckoway!)
• nokogiri.gemspec is back after a 10-year hiatus. We still prefer you use the official releases, but master is pretty stable these days, and YOLO.

Performance

... (truncated)

Sourced from nokogiri's changelog.

v1.11.0 / 2021-01-03

Notes

Faster, more reliable installation: Native Gems for Linux and OSX/Darwin

"Native gems" contain pre-compiled libraries for a specific machine architecture. On supported platforms, this removes the need for compiling the C extension and the packaged libraries. This results in much faster installation and more reliable installation, which as you probably know are the biggest headaches for Nokogiri users.

We've been shipping native Windows gems since 2009, but starting in v1.11.0 we are also shipping native gems for these platforms:

• Linux: x86-linux and x86_64-linux -- including musl platforms like alpine
• OSX/Darwin: x86_64-darwin and arm64-darwin

We'd appreciate your thoughts and feedback on this work at #2075.

Dependencies

Ruby

This release introduces support for Ruby 2.7 and 3.0 in the precompiled native gems.

This release ends support for:

• Ruby 2.3, for which official support ended on 2019-03-31 [#1886] (Thanks @ashmaroli!)
• Ruby 2.4, for which official support ended on 2020-04-05
• JRuby 9.1, which is the Ruby 2.3-compatible release.

Gems

• Explicitly add racc as a runtime dependency. [#1988] (Thanks, @voxik!)
• [MRI] Upgrade mini_portile2 dependency from ~> 2.4.0 to ~> 2.5.0 [#2005] (Thanks, @alejandroperea!)

Security

See note below about CVE-2020-26247 in the "Changed" subsection entitled "XML::Schema parsing treats input as untrusted by default".

Added

• Add Node methods for manipulating "keyword attributes" (for example, class and rel): #kwattr_values, #kwattr_add, #kwattr_append, and #kwattr_remove. [#2000]
• Add support for CSS queries a:has(> b), a:has(~ b), and a:has(+ b). [#688] (Thanks, @jonathanhefner!)
• Add Node#value? to better match expected semantics of a Hash-like object. [#1838, #1840] (Thanks, @MatzFan!)
• [CRuby] Add Nokogiri::XML::Node#line= for use by downstream libs like nokogumbo. [#1918] (Thanks, @stevecheckoway!)
• nokogiri.gemspec is back after a 10-year hiatus. We still prefer you use the official releases, but main is pretty stable these days, and YOLO.

Performance

... (truncated)

• 1c1fba5 version bump to v1.11.0
• c6b17a6 doc: remove versioning policy from CHANGELOG since it's in README
• ff14f06 Create dependabot.yml
• 638ab65 doc: tweak logo and "Description" section in README
• 340686b ci: move truffleruby jobs to a separate pipeline
• f6d2742 ci: update nokogiri master-branch git resource with webhook
• 4b55ecb Merge pull request #2162 from parndt/use-ruby-setup-ruby
• e6c0772 Use ruby/setup-ruby action which bundles
• 940823f ci: update macos builds to install latest bundler
• 0e6ce7c gem: fix packaging of native gems without java files
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from redcarpet's releases.

Redcarpet v3.5.1

Fix a security vulnerability using :quote in combination with the :escape_html option.

Reported by Johan Smits.

v3.5.0

This release mostly ships with bug fixes and tiny improvements.

Improvements

• Avoid mutating the options hash passed to a render object (See #663).

• Automatically enable the fenced_code_blocks option passing a HTML_TOC object to the Markdown object's constructor since some languages rely on the sharp to comment code (See #451).

• Remove the rel and rev attributes from the output generated for footnotes as they don't pass the HTML 5 validation (See #536).

• Allow passing Range objects to the nesting_level option to have a higher level of customization for table of contents (See #519):

  Redcarpet::Render::HTML_TOC.new(nesting_level: 2..5)
  

Bug fixes

• Fix a segfault rendering quotes using StripDown and the :quote option.

• Fix SmartyPants single quotes right after a link. For example:

  [John](http://john.doe)'s cat
  

  Will now properly converts ' to a right single quote (i.e. ’).

Sourced from redcarpet's changelog.

Version 3.5.1 (Security)

• Fix a security vulnerability using :quote in combination with the :escape_html option.

  Reported by Johan Smits.

Version 3.5.0

• Avoid mutating the options hash passed to a render object.

  Refs #663.

  Max Schwenk

• Fix a segfault rendering quotes using StripDown and the :quote option.

  Fixes #639.

• Fix warning: instance variable @options not initialized when running under verbose mode (-w, $VERBOSE = true).

• Fix SmartyPants single quotes right after a link. For example:

  [John](http://john.doe)'s cat
  

  Will now properly converts ' to a right single quote (i.e. ’).

  Fixes #624.

• Remove the rel and rev attributes from the output generated for footnotes as they don't pass the HTML 5 validation.

  Fixes #536.

• Automatically enable the fenced_code_blocks option passing a HTML_TOC object to the Markdown object's constructor since some languages rely on the sharp to comment code.

  Fixes #451.

• Allow passing Range objects to the nesting_level option to have a higher level of customization for table of contents:

  Redcarpet::Render::HTML_TOC.new(nesting_level: 2..5)
  

... (truncated)

• a699c82 Fix a security issue using :quote with :escape_html
• 6270d6b Redcarpet v3.5.0
• 94f6e27 Tiny follow-up to #663
• 3100f65 Merge pull request #663 from maschwenk/dont-mutate-options
• fc52d9c Add regression test
• 03e7997 Don't mutated passed options
• 92a7b3a Fix a segfault with StripDown and the :quote option
• 7352162 Merge pull request #649 from rbalint/master
• e23383e Merge pull request #650 from kolen/fix-warning-options-not-initialized
• 6b86656 Fix "instance variable @options not initialized" warning
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from junit's releases.

JUnit 4.13.1

Please refer to the release notes for details.

Sourced from junit's changelog.

Summary of changes in version 4.13.1

Rules

Security fix: TemporaryFolder now limits access to temporary folders on Java 1.7 or later

A local information disclosure vulnerability in TemporaryFolder has been fixed. See the published security advisory for details.

Test Runners

[Pull request #1669:](junit-team/junit#1669) Make FrameworkField constructor public

Prior to this change, custom runners could make FrameworkMethod instances, but not FrameworkField instances. This small change allows for both now, because FrameworkField's constructor has been promoted from package-private to public.

• 1b683f4 [maven-release-plugin] prepare release r4.13.1
• ce6ce3a Draft 4.13.1 release notes
• c29dd82 Change version to 4.13.1-SNAPSHOT
• 1d17486 Add a link to assertThrows in exception testing
• 543905d Use separate line for annotation in Javadoc
• 510e906 Add sub headlines to class Javadoc
• 610155b Merge pull request from GHSA-269g-pwp5-87pp
• b6cfd1e Explicitly wrap float parameter for consistency (#1671)
• a5d205c Fix GitHub link in FAQ (#1672)
• 3a5c6b4 Deprecated since jdk9 replacing constructor instance of Double and Float (#1660)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from rack's changelog.

Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

[3.0.0] - Unreleased

Changed

• BREAKING CHANGE: Require status to be an Integer. (#1662, @olleolleolle)
• Relax validations around Rack::Request#host and Rack::Request#hostname. (#1606, @pvande)
• Removed antiquated handlers: FCGI, LSWS, SCGI, Thin. (#1658, @ioquatix)
• Removed options from Rack::Builder.parse_file and Rack::Builder.load_file. (#1663, @ioquatix)

Fixed

• Fix using Rack::Session::Cookie with coder: Rack::Session::Cookie::Base64::{JSON,Zip}. (#1666, @jeremyevans)
• Avoid NoMethodError when accessing Rack::Session::Cookie without requiring delegate first. (#1610, @onigra)
• Handle cookies with values that end in '=' (#1645, @lukaso)

[2.2.2] - 2020-02-11

Fixed

• Fix incorrect Rack::Request#host value. (#1591, @ioquatix)
• Revert Rack::Handler::Thin implementation. (#1583, @jeremyevans)
• Double assignment is still needed to prevent an "unused variable" warning. (#1589, @kamipo)
• Fix to handle same_site option for session pool. (#1587, @kamipo)

[2.2.1] - 2020-02-09

Fixed

• Rework Rack::Request#ip to handle empty forwarded_for. (#1577, @ioquatix)

[2.2.0] - 2020-02-08

SPEC Changes

• rack.session request environment entry must respond to to_hash and return unfrozen Hash. (@jeremyevans)
• Request environment cannot be frozen. (@jeremyevans)
• CGI values in the request environment with non-ASCII characters must use ASCII-8BIT encoding. (@jeremyevans)
• Improve SPEC/lint relating to SERVER_NAME, SERVER_PORT and HTTP_HOST. (#1561, @ioquatix)

Added

• rackup supports multiple -r options and will require all arguments. (@jeremyevans)
• Server supports an array of paths to require for the :require option. (@khotta)
• Files supports multipart range requests. (@fatkodima)
• Multipart::UploadedFile supports an IO-like object instead of using the filesystem, using :filename and :io options. (@jeremyevans)
• Multipart::UploadedFile supports keyword arguments :path, :content_type, and :binary in addition to positional arguments. (@jeremyevans)

• 1741c58 bump version
• 5ccca47 When parsing cookies, only decode the values
• a5e80f0 Bump version.
• b0de37d Remove trailing whitespace.
• 1a784e5 Prepare CHANGELOG for next patch release.
• a0d57d4 Fix to handle same_site option for session pool
• a9b223b Ensure full match. Fixes #1590.
• f4c5645 Double assignment is still needed to prevent an "unused variable" warning
• 5c121dd Revert "Update Thin handler to better handle more options"
• 961d976 Prepare point release.
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from rake's changelog.

=== 13.0.1

==== Bug fixes

• Fixed bug: Reenabled task raises previous exception on second invokation Pull Request #271 by thorsteneckel
• Fix an incorrectly resolved arg pattern Pull Request #327 by mjbellantoni

=== 13.0.0

==== Enhancements

• Follows recent changes on keyword arguments in ruby 2.7. Pull Request #326 by nobu
• Make PackageTask be able to omit parent directory while packing files Pull Request #310 by tonytonyjan
• Add order only dependency Pull Request #269 by take-cheeze

==== Compatibility changes

• Drop old ruby versions(< 2.2)

=== 12.3.3

==== Bug fixes

• Use the application's name in error message if a task is not found. Pull Request #303 by tmatilai

==== Enhancements:

• Use File.open explicitly.

• c8251e2 Bump version to 13.0.1
• 8edd860 Fixed build failure of the latest GitHub Actions
• b6e2a66 Merge pull request #271 from thorsteneckel/bugfix-reenable_invocation_exception
• 985abff Merge pull request #327 from mjbellantoni/mjb-order-only-arg-fix
• 4a90acb Merge pull request #329 from jeremyevans/skip-taint-test-on-2.7
• 4dc6282 Skip a taint test on Ruby 2.7
• a08b697 Merge pull request #328 from orien/gem-metadata
• c3953d4 Add project metadata to the gemspec
• 46a8f7c Update comments to reflect the current state
• 00aacdc Fix an incorrectly resolved arg pattern
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.