build(deps): bump the bundler group across 1 directory with 11 updates

[dependabot]

Bumps the bundler group with 2 updates in the / directory: rails and puma.

Updates rails from 7.0.2.3 to 7.0.8.1

Release notes

Sourced from rails's releases.

7.0.8.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix possible XSS vulnerability with the translate method in controllers

  CVE-2024-26143

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• 506462a Preparing for 7.0.8.1 release
• 030cd01 update changelog
• 4c83b33 fix XSS vulnerability when using translation
• 723f545 Merge pull request #48869 from brunoprietog/disable-session-active-storage-pr...
• fc734f2 Preparing for 7.0.8 release
• af486be Merge pull request #44370 from mohits/patch-1
• 72bad1a Upgrade stringio to 3.0.8 to make sure guides CI pass
• d230670 Force upgrade bundler to invalidate Bundler cache on CI
• d84000d Require job used in this test file
• 3c17dab We expect queue adapters to be objects, no classes
• Additional commits viewable in compare view

Updates puma from 5.6.4 to 5.6.8

Release notes

Sourced from puma's releases.

5.6.7

Security Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields (GHSA-68xg-gqqm-vgj8)

5.6.5 / 2022-08-23

• Bugfixes
  • NullIO#closed should return false (#2883)
  • Puma::ControlCLI - allow refork command to be sent as a request (#2868, #2866)
  • [jruby] Fix TLS verification hang (#2890, #2729)
  • extconf.rb - don't use pkg_config('openssl') if '--with-openssl-dir' is used (#2885, #2839)
  • MiniSSL - detect SSL_CTX_set_dh_auto (#2864, #2863)
  • Fix rack.after_reply exceptions breaking connections (#2861, #2856)
  • Escape SSL cert and filenames (#2855)
  • Fail hard if SSL certs or keys are invalid (#2848)
  • Fail hard if SSL certs or keys cannot be read by user (#2847)
  • Fix build with Opaque DH in LibreSSL 3.5. (#2838)
  • Pre-existing socket file removed when TERM is issued after USR2 (if puma is running in cluster mode) (#2817)
  • Fix Puma::StateFile#load incompatibility (#2810)

Changelog

Sourced from puma's changelog.

5.6.8 / 2024-01-08

• Security
  • Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. (GHSA-c2f4-cvqm-65w2)

5.6.7 / 2023-08-18

• Security
  • Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields (GHSA-68xg-gqqm-vgj8)

5.6.6 / 2023-06-21

• Bugfix
  • Prevent loading with rack 3 (#3166)

5.6.5 / 2022-08-23

• Feature

  • Puma::ControlCLI - allow refork command to be sent as a request (#2868, #2866)

• Bugfixes

  • NullIO#closed should return false (#2883)
  • [jruby] Fix TLS verification hang (#2890, #2729)
  • extconf.rb - don't use pkg_config('openssl') if '--with-openssl-dir' is used (#2885, #2839)
  • MiniSSL - detect SSL_CTX_set_dh_auto (#2864, #2863)
  • Fix rack.after_reply exceptions breaking connections (#2861, #2856)
  • Escape SSL cert and filenames (#2855)
  • Fail hard if SSL certs or keys are invalid (#2848)
  • Fail hard if SSL certs or keys cannot be read by user (#2847)
  • Fix build with Opaque DH in LibreSSL 3.5. (#2838)
  • Pre-existing socket file removed when TERM is issued after USR2 (if puma is running in cluster mode) (#2817)
  • Fix Puma::StateFile#load incompatibility (#2810)

Commits

• 1293573 5.6.8
• bbb880f Merge pull request from GHSA-c2f4-cvqm-65w2
• 78393bf 5.6.7
• 7405a21 Merge pull request from GHSA-68xg-gqqm-vgj8
• d33424b 5.6.7 release note [ci skip]
• f8c7b23 5.6.6
• 08af1b5 5.6.6 release note
• 6dac5d9 Prevent loading with rack 3 (#3166)
• 0892558 Fix and update 5-6-stable CI, two backports (#3167)
• 3a6ea4f Release note fix for 5.6.5
• Additional commits viewable in compare view

Updates actionpack from 7.0.2.3 to 7.0.8.1

Release notes

Sourced from actionpack's releases.

7.0.8.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix possible XSS vulnerability with the translate method in controllers

  CVE-2024-26143

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• 506462a Preparing for 7.0.8.1 release
• 030cd01 update changelog
• 4c83b33 fix XSS vulnerability when using translation
• fc734f2 Preparing for 7.0.8 release
• f9175db Fix webdrivers on 7-0-stable branch for issue #48973. (#48977)
• ed9f292 Merge tag 'v7.0.7.2' into 7-0-stable
• 3668b4b Preparing for 7.0.7.2 release
• 2294b8b Bumping version
• 2766c93 Merge branch '7-0-sec' into 7-0-stable
• c92caef Preparing for 7.0.7.1 release
• Additional commits viewable in compare view

Updates actionview from 7.0.2.3 to 7.0.8.1

Release notes

Sourced from actionview's releases.

7.0.8.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix possible XSS vulnerability with the translate method in controllers

  CVE-2024-26143

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• 506462a Preparing for 7.0.8.1 release
• 030cd01 update changelog
• fc734f2 Preparing for 7.0.8 release
• 7d31cea Fix no _method input in form_for namespaced model
• ed9f292 Merge tag 'v7.0.7.2' into 7-0-stable
• 3668b4b Preparing for 7.0.7.2 release
• 2294b8b Bumping version
• 2766c93 Merge branch '7-0-sec' into 7-0-stable
• c92caef Preparing for 7.0.7.1 release
• 936587d updating version / changelog
• Additional commits viewable in compare view

Updates activerecord from 7.0.2.3 to 7.0.8.1

Release notes

Sourced from activerecord's releases.

7.0.8.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix possible XSS vulnerability with the translate method in controllers

  CVE-2024-26143

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• 506462a Preparing for 7.0.8.1 release
• 030cd01 update changelog
• fc734f2 Preparing for 7.0.8 release
• 8db97a7 Fix change_column not setting precision for sqlite
• ce75465 Merge pull request #48095 from ippachi/triple-dot-range-unscope
• d1ac40c Merge pull request #48657 from alpaca-tc/fix-association-with-has-many-inversing
• 164fcfd Merge pull request #48653 from alpaca-tc/fix-association-pretty-print
• cdb6d89 Fix Compatibility tests using @internal_metadata
• c1150f4 Merge pull request #49101 from xfifix/fix/sti_class_name
• 729dfda Merge pull request #49089 from emilyqiu1005/emilyqiu/add-kill-to-mysql-read-q...
• Additional commits viewable in compare view

Updates activestorage from 7.0.2.3 to 7.0.8.1

Release notes

Sourced from activestorage's releases.

7.0.8.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix possible XSS vulnerability with the translate method in controllers

  CVE-2024-26143

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• 506462a Preparing for 7.0.8.1 release
• 030cd01 update changelog
• 723f545 Merge pull request #48869 from brunoprietog/disable-session-active-storage-pr...
• fc734f2 Preparing for 7.0.8 release
• 3668b4b Preparing for 7.0.7.2 release
• 2294b8b Bumping version
• c92caef Preparing for 7.0.7.1 release
• 936587d updating version / changelog
• 522c86f Preparing for 7.0.7 release
• 593893c Preparing for 7.0.6 release
• Additional commits viewable in compare view

Updates activesupport from 7.0.2.3 to 7.0.8.1

Release notes

Sourced from activesupport's releases.

7.0.8.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix possible XSS vulnerability with the translate method in controllers

  CVE-2024-26143

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

... (truncated)

Commits

• 506462a Preparing for 7.0.8.1 release
• 030cd01 update changelog
• fc734f2 Preparing for 7.0.8 release
• 7bf0e43 Fix TimeWithZone#to_s being overriden with ENV set
• f5fd433 Document how to remove to_s deprecation warnings when defaul format is changed
• ed9f292 Merge tag 'v7.0.7.2' into 7-0-stable
• 3668b4b Preparing for 7.0.7.2 release
• 2294b8b Bumping version
• 2766c93 Merge branch '7-0-sec' into 7-0-stable
• c92caef Preparing for 7.0.7.1 release
• Additional commits viewable in compare view

Updates globalid from 1.0.0 to 1.2.1

Release notes

Sourced from globalid's releases.

1.2.0

What's Changed

• Drop support to Rails < 6.1 and Ruby <2.7 by @​rafaelfranca in rails/globalid#153
• Don't show secrets for SignedGlobalID#inspect by @​p8 in rails/globalid#160
• Allow for composite identifiers delimited by / by @​nvasilevski in rails/globalid#163
• Add Eager Load Option by @​rafacoello in rails/globalid#139

New Contributors

• @​rafaelfranca made their first contribution in rails/globalid#153
• @​p8 made their first contribution in rails/globalid#159
• @​nvasilevski made their first contribution in rails/globalid#162
• @​rafacoello made their first contribution in rails/globalid#139

Full Changelog: rails/globalid@v1.1.0...v1.2.0

1.1.0

What's Changed

• URI::GID: Update #check_scheme, no need to call super by @​alexcwatt in rails/globalid#146
• JSON-encode GlobalIDs as strings by @​georgeclaghorn in rails/globalid#149
• Support pattern matching of GlobalID & GlobalID::URI by @​ojab in rails/globalid#140
• prevent double find by @​ooooooo-q in rails/globalid#148
• implement non signed global_id helper method on fixture set by @​rainerborene in rails/globalid#144

New Contributors

• @​daemonsy made their first contribution in rails/globalid#142
• @​alexcwatt made their first contribution in rails/globalid#146
• @​liijunwei made their first contribution in rails/globalid#150
• @​ojab made their first contribution in rails/globalid#140
• @​ooooooo-q made their first contribution in rails/globalid#148
• @​rainerborene made their first contribution in rails/globalid#144

Full Changelog: rails/globalid@v1.0.1...v1.1.0

v1.0.1

Possible ReDoS based DoS vulnerability in GlobalID

There is a ReDoS based DoS vulnerability in the GlobalID gem. This vulnerability has been assigned the CVE identifier CVE-2023-22799.

Versions Affected: >= 0.2.1 Not affected: NOTAFFECTED Fixed Versions: 1.0.1

Impact

There is a possible DoS vulnerability in the model name parsing section of the GlobalID gem. Carefully crafted input can cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately.

... (truncated)

Commits

• 488ab6c Prepare for 1.2.1
• 0f585e9 Whitespaces
• 626a342 Merge pull request #168 from ghiculescu/handle-no-primary-key
• 759d1eb Don't break on models where primary_key is not defined
• 27dff72 Prepare for 1.2.0
• 4ec9833 Merge pull request #165 from rails/rm-json-serializer
• d371dd1 Change verifier to conform Rails 7.1 API
• b73e5f9 Remove deprecation when default cache format is used
• 5246758 Make sure legacy verifier behavior work with JSON serializer and symbol values
• 2fab171 Update the ruby extension to use Ruby LSP
• Additional commits viewable in compare view

Updates nokogiri from 1.13.4 to 1.16.3

Release notes

Sourced from nokogiri's releases.

v1.16.3 / 2024-03-15

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.6 from v2.12.5. (@​flavorjones)

Changed

• [CRuby] XML::Reader sets the @encoding instance variable during reading if it is not passed into the initializer. Previously, it would remain nil. The behavior of Reader#encoding has not changed. This works around changes to how libxml2 reports the encoding used in v2.12.6.

---

sha256 checksums:

3d806263a0548e5163ff256655d78a87998fa83a5ae256b83c14a1a97731e824  nokogiri-1.16.3-aarch64-linux.gem
cfb923c02bde065005e2521f0a6883c63cf305cb899a9dd4c74897731bb2af1d  nokogiri-1.16.3-arm-linux.gem
5d3268558c002fa493e33076798cfda1df8effbd5363060dc41595cfebb1cf90  nokogiri-1.16.3-arm64-darwin.gem
6bf0918233959c7d5e703061ada0f436544612397475a866aa314071f02bfabb  nokogiri-1.16.3-java.gem
656f163dd287671c3a28157a2e853ee1a36afeb3f4185a78af863f3980efc58d  nokogiri-1.16.3-x64-mingw-ucrt.gem
7330f65cf2f8fa442327112b6515b4988f396d23010d33571714fd2ac0648fb9  nokogiri-1.16.3-x64-mingw32.gem
08d8a369940fa2309379cd8af1e7b3cc702b0115d3ddd197cfa7b33daedfd541  nokogiri-1.16.3-x86-linux.gem
cd26e99fa6388cd73c8892bb99ac98af162fe83c8f71c6473dfeba7aac76bcb9  nokogiri-1.16.3-x86-mingw32.gem
bc22786f4db4c32a5587e3b77a106408148d3bb1602dd0b52c0f5c968c42d17d  nokogiri-1.16.3-x86_64-darwin.gem
47a3330e41b49a100225b6fab490b2dc43410931e01e791886e0c2998412e8cb  nokogiri-1.16.3-x86_64-linux.gem
498aa253ccd5b89a0fa5c4c82b346d22176fc865f4a12ef8da642064d1d3e248  nokogiri-1.16.3.gem

v1.16.2 / 2024-02-04

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See GHSA-xc9x-jj77-9p9j for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.5 from v2.12.4. (@​flavorjones)

---

sha256 checksums:

69ba15d2a2498324489ed63850997f0b8f684260114ea81116d3082f16551d2d  nokogiri-1.16.2-aarch64-linux.gem
6a05ce42e3587a40cf8936ece0beaa5d32922254215d2e8cf9ad40588bb42e57  nokogiri-1.16.2-arm-linux.gem
c957226c8e36b31be6a3afb8602e2128282bf8b40ea51016c4cd21aa2608d3f8  nokogiri-1.16.2-arm64-darwin.gem
122652bfc338cd8a54a692ac035e245e41fd3b8283299202ca26e7a7d50db310  nokogiri-1.16.2-java.gem
</tr></table> 

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.16.3 / 2024-03-15

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.6 from v2.12.5. (@​flavorjones)

Changed

• [CRuby] XML::Reader sets the @encoding instance variable during reading if it is not passed into the initializer. Previously, it would remain nil. The behavior of Reader#encoding has not changed. This works around changes to how libxml2 reports the encoding used in v2.12.6.

v1.16.2 / 2024-02-04

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See GHSA-xc9x-jj77-9p9j for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.5 from v2.12.4. (@​flavorjones)

v1.16.1 / 2024-02-03

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.4 from v2.12.3. (@​flavorjones)

Fixed

• [CRuby] XML::Reader defaults the encoding to UTF-8 if it's not specified in either the document or as a method parameter. Previously non-ASCII characters were serialized as NCRs in this case. #2891 (@​flavorjones)
• [CRuby] Restored support for compilation by GCC versions earlier than 4.6, which was broken in v1.15.0 (540e9aee). #3090 (@​adfoster-r7)
• [CRuby] Patched upstream libxml2 to allow parsing HTML5 in the context of a namespaced node (e.g., foreign content like MathML). [#3112, #3116] (@​flavorjones)
• [CRuby] Fixed a small memory leak in libgumbo (HTML5 parser) when the maximum tree depth limit is hit. [#3098, #3100] (@​stevecheckoway)

v1.16.0 / 2023-12-27

Notable Changes

Ruby

This release introduces native gem support for Ruby 3.3.

This release ends support for Ruby 2.7, for which upstream support ended 2023-03-31.

... (truncated)

Commits

• 80fb608 version bump to v1.16.3
• 710bd96 dep: update libxml 2.12.6 (branch v1.16.x) (#3151)
• 461a96e fix: Reader#read sets @​encoding if it is unset
• 801f978 dep: update libxml2 to v2.12.6
• 673756f version bump to v1.16.2
• 74ffd67 dep: update libxml to 2.12.5 (branch v1.16.x) (#3122)
• 0d4018d dep: update libxml2 to v2.12.5
• f33a25f dep: remove patch from #3112 which has been released upstream
• e994168 version bump to v1.16.1
• 77ea2f2 dev: add files to manifest ignore list
• Additional commits viewable in compare view

Updates rack from 2.2.3 to 2.2.9

Release notes

Sourced from rack's releases.

v2.2.8.1

What's Changed

• Fixed ReDoS in Accept header parsing [CVE-2024-26146]
• Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
• Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: rack/rack@v2.2.8...v2.2.8.1

v2.2.8

What's Changed

• Limit file extension length of multipart tempfiles (2.2 backport) by @​dentarg in rack/rack#2075
• CHANGELOG: Add missing 2.2.7 by @​tisba in rack/rack#2081
• Update cookie.rb by @​dchandekstark in rack/rack#2092
• Prefer ubuntu-latest for testing. by @​ioquatix in rack/rack#2095
• Fix inefficient assert pattern in Rack::Lint [2-2-stable] by @​skipkayhil in rack/rack#2101
• Regenerate SPEC [2-2-stable] by @​skipkayhil in rack/rack#2102

New Contributors

• @​tisba made their first contribution in rack/rack#2081
• @​dchandekstark made their first contribution in rack/rack#2092

Full Changelog: rack/rack@v2.2.7...v2.2.8

v2.2.7

What's Changed

• Correct the year number in the changelog by @​kimulab in rack/rack#2015
• Support underscore in host names for Rack 2.2 (Fixes #2070) by @​jeremyevans in rack/rack#2071

New Contributors

• @​kimulab made their first contribution in rack/rack#2015

Full Changelog: rack/rack@v2.2.6.4...v2.2.7

v2.2.6.4

No release notes provided.

Changelog

Sourced from rack's changelog.

Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

Unreleased

SPEC Changes

• rack.input is now optional. (#1997, [@​ioquatix])
• Rack::Utils.escape_html is now delegated to CGI.escapeHTML. ' is escaped to [#39](https://github.com/rack/rack/issues/39); instead of #x27;. (decimal vs hexadecimal) (#2099, @​JunichiIto)

Changed

• rack.input is now optional, and if missing, will raise an error. Use this to fail on multipart parsing a request without an input body. (#2018, [@​ioquatix])
• Introduce module Rack::BadRequest which is included in multipart and query parser errors. (#2019, [@​ioquatix])
• MIME type for JavaScript files (.js) changed from application/javascript to text/javascript (1bd0f15)
• Add .mjs MIME type (#2057, [@​axilleas])
• Update MIME types associated to .ttf, .woff, .woff2 and .otf extensions to use mondern font/* types. (#2065, [@​davidstosik])
• set_cookie_header utility now supports the partitioned cookie attribute. This is required by Chrome in some embedded contexts. (#2131, [@​flavio-b])
• Remove non-standard status codes 306, 509, & 510 and update descriptions for 413, 422, & 451. (#2137, [@​wtn])
• Add fallback lookup and deprecation warning for obsolete status symbols. (#2137, [@​wtn])
• In Rack::Files, ignore the Range header if served file is 0 bytes. (#2159, [@​zarqman])

[3.0.10] - 2024-03-21

• Backport #2104 to 3-0-stable: Return empty when parsing a multi-part POST with only one end delimiter. (#2164, @​JoeDupuis)

[3.0.9] - 2024-01-31

• Fix incorrect content-length header that was emitted when Rack::Response#write was used in some situations. (#2150, @​mattbrictson)

[3.0.8] - 2023-06-14

• Fix some unused variable verbose warnings. (#2084, [@​jeremyevans], @​skipkayhil)

[3.0.7] - 2023-03-16

• Make query parameters without = have nil values. (#2059, [@​jeremyevans])

[3.0.6.1] - 2023-03-13

• [CVE-2023-27539] Avoid ReDoS in header parsing

[3.0.6] - 2023-03-13

• Add QueryParser#missing_value for handling missing values + tests. (#2052, [@​ioquatix])

[3.0.5] - 2023-03-13

• Split form/query parsing into two steps. (#2038, @​matthewd)

... (truncated)

Commits

• b1deebd Bump patch version.
• f7d40f9 Merge branch '2-2-sec' into 2-2-stable
• e830011 bump version
• d9c163a Avoid 2nd degree polynomial regexp in MediaType
• 6245768 Return an empty array when ranges are too large
• e4c1177 Fixing ReDoS in header parsing
• fdb12cb backport #2104 (#2121)
• 99057e6 Update CHANGELOG for 2.2.8 (#2107)
• 3314622 Adds missing 2.2.8 to CHANGELOG.md (#2106)
• f169ff7 Bump patch version.
• Additional commits viewable in compare view

Updates rails-html-sanitizer from 1.4.2 to 1.6.0

Release notes

Sourced from rails-html-sanitizer's releases.

1.6.0 / 2023-05-26

• Dependencies have been updated:

  • Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support
  • As a result, required Ruby version is now >= 2.7.0

  Security updates will continue to be made on the 1.5.x release branch as long as Rails 6.1 (which supports Ruby 2.5) is still in security support.

  Mike Dalessio

• HTML5 standards-compliant sanitizers are now available on platforms supported by Nokogiri::HTML5. These are available as:

  • Rails::HTML5::FullSanitizer
  • Rails::HTML5::LinkSanitizer
  • Rails::HTML5::SafeListSanitizer

  And a new "vendor" is provided at Rails::HTML5::Sanitizer that can be used in a future version of Rails.

  Note that for symmetry Rails::HTML4::Sanitizer is also added, though its behavior is identical to the vendor class methods on Rails::HTML::Sanitizer.

  Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back the HTML5 vendor if it's supported, else the legacy HTML4 vendor.

  Mike Dalessio

• Module namespaces have changed, but backwards compatibility is provided by aliases.

  The library defines three additional modules:

  • Rails::HTML for general functionality (replacing Rails::Html)
  • Rails::HTML4 containing sanitizers that parse content as HTML4
  • Rails::HTML5 containing sanitizers that parse content as HTML5

  The following aliases are maintained for backwards compatibility:

  • Rails::Html points to Rails::HTML
  • Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer
  • Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer
  • Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

  Mike Dalessio

• LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and FullSanitizer already ensured this encoding.

... (truncated)

Changelog

Sourced from rails-html-sanitizer's changelog.

1.6.0 / 2023-05-26

• Dependencies have been updated:

  • Loofah ~>2.21 and Nokogiri ~>1.14 for HTML5 parser support
  • As a result, required Ruby version is now >= 2.7.0

  Security updates will continue to be made on the 1.5.x release branch as long as Rails 6.1 (which supports Ruby 2.5) is still in security support.

  Mike Dalessio

• HTML5 standards-compliant sanitizers are now available on platforms supported by Nokogiri::HTML5. These are available as:

  • Rails::HTML5::FullSanitizer
  • Rails::HTML5::LinkSanitizer
  • Rails::HTML5::SafeListSanitizer

  And a new "vendor" is provided at Rails::HTML5::Sanitizer that can be used in a future version of Rails.

  Note that for symmetry Rails::HTML4::Sanitizer is also added, though its behavior is identical to the vendor class methods on Rails::HTML::Sanitizer.

  Users may call Rails::HTML::Sanitizer.best_supported_vendor to get back the HTML5 vendor if it's supported, else the legacy HTML4 vendor.

  Mike Dalessio

• Module namespaces have changed, but backwards compatibility is provided by aliases.

  The library defines three additional modules:

  • Rails::HTML for general functionality (replacing Rails::Html)
  • Rails::HTML4 containing sanitizers that parse content as HTML4
  • Rails::HTML5 containing sanitizers that parse content as HTML5

  The following aliases are maintained for backwards compatibility:

  • Rails::Html points to Rails::HTML
  • Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer
  • Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer
  • Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

  Mike Dalessio

• LinkSanitizer always returns UTF-8 encoded strings. SafeListSanitizer and FullSanitizer already ensured this encoding.

... (truncated)

Commits

• 19fd6cd version bump to v1.6.0
• a9b2f1e doc: update CHANGELOG and README with supported branch info
• ca29c20 doc: update README moving verbose notes after usage
• 3b31be5 version bump to v1.6.0.rc2
• b98af6c Merge pull request #167 from rails/flavorjones-best-supported-vendor-method
• e953444 feat: introduce Rails::HTML::Sanitizer.best_supported_vendor
• 5419017 version bump to v1.6.0.rc1
• 669dcd0 doc: update CONTRIBUTING with release process
• cd77210 Merge pull request #166 from rails/flavorjones-update-deps-for-html5-variation2
• 7cc07bb dep: update loofah and nokogiri to versions fully supporting HTML5
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.