From 59504c3d84132619b881fe37fa15027819c48c07 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 27 Jul 2022 07:29:49 +0000
Subject: [PATCH 1/3] Bump rails from 6.1.6 to 6.1.6.1

Bumps [rails](https://github.com/rails/rails) from 6.1.6 to 6.1.6.1.
- [Release notes](https://github.com/rails/rails/releases)
- [Commits](https://github.com/rails/rails/compare/v6.1.6...v6.1.6.1)

---
updated-dependencies:
- dependency-name: rails
dependency-type: direct:production
update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot]
---
 Gemfile.lock | 122 +++++++++++++++++++++++++--------------------------
 1 file changed, 61 insertions(+), 61 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 8d94bdd660..86aa1c3177 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -51,42 +51,42 @@ GEM remote: https://rubygems.org/ specs: Ascii85 (1.1.0) - actioncable (6.1.6) - actionpack (= 6.1.6) - activesupport (= 6.1.6) + actioncable (6.1.6.1) + actionpack (= 6.1.6.1) + activesupport (= 6.1.6.1) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailbox (6.1.6) - actionpack (= 6.1.6) - activejob (= 6.1.6) - activerecord (= 6.1.6) - activestorage (= 6.1.6) - activesupport (= 6.1.6) + actionmailbox (6.1.6.1) + actionpack (= 6.1.6.1) + activejob (= 6.1.6.1) + activerecord (= 6.1.6.1) + activestorage (= 6.1.6.1) + activesupport (= 6.1.6.1) mail (>= 2.7.1) - actionmailer (6.1.6) - actionpack (= 6.1.6) - actionview (= 6.1.6) - activejob (= 6.1.6) - activesupport (= 6.1.6) + actionmailer (6.1.6.1) + actionpack (= 6.1.6.1) + actionview (= 6.1.6.1) + activejob (= 6.1.6.1) + activesupport (= 6.1.6.1) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 2.0) - actionpack (6.1.6) - actionview (= 6.1.6) - activesupport (= 6.1.6) + actionpack (6.1.6.1) + actionview (= 6.1.6.1) + activesupport (= 6.1.6.1) rack (~> 2.0, >= 2.0.9) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.2.0) actionpack-action_caching (1.2.2) actionpack (>= 4.0.0) - actiontext (6.1.6) - actionpack (= 6.1.6) - activerecord (= 6.1.6) - activestorage (= 6.1.6) - activesupport (= 6.1.6) + actiontext (6.1.6.1) + actionpack (= 6.1.6.1) + activerecord (= 6.1.6.1) + activestorage (= 6.1.6.1) + activesupport (= 6.1.6.1) nokogiri (>= 1.8.5) - actionview (6.1.6) - activesupport (= 6.1.6) + actionview (6.1.6.1) + activesupport (= 6.1.6.1) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) 
@@ -98,19 +98,19 @@ GEM activemodel (>= 5.2.0) activestorage (>= 5.2.0) activesupport (>= 5.2.0) - activejob (6.1.6) - activesupport (= 6.1.6) + activejob (6.1.6.1) + activesupport (= 6.1.6.1) globalid (>= 0.3.6) activemerchant (1.123.0) activesupport (>= 4.2) builder (>= 2.1.2, < 4.0.0) i18n (>= 0.6.9) nokogiri (~> 1.4) - activemodel (6.1.6) - activesupport (= 6.1.6) - activerecord (6.1.6) - activemodel (= 6.1.6) - activesupport (= 6.1.6) + activemodel (6.1.6.1) + activesupport (= 6.1.6.1) + activerecord (6.1.6.1) + activemodel (= 6.1.6.1) + activesupport (= 6.1.6.1) activerecord-import (1.4.0) activerecord (>= 4.2) activerecord-postgresql-adapter (0.0.1) @@ -121,14 +121,14 @@ GEM multi_json (~> 1.11, >= 1.11.2) rack (>= 2.0.8, < 3) railties (>= 5.2.4.1) - activestorage (6.1.6) - actionpack (= 6.1.6) - activejob (= 6.1.6) - activerecord (= 6.1.6) - activesupport (= 6.1.6) + activestorage (6.1.6.1) + actionpack (= 6.1.6.1) + activejob (= 6.1.6.1) + activerecord (= 6.1.6.1) + activesupport (= 6.1.6.1) marcel (~> 1.0) mini_mime (>= 1.1.0) - activesupport (6.1.6) + activesupport (6.1.6.1) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 1.6, < 2) minitest (>= 5.1) @@ -190,7 +190,7 @@ GEM rails (>= 5.2) thread-local (>= 1.1.0) cancancan (1.15.0) - capybara (3.36.0) + capybara (3.37.1) addressable matrix mini_mime (>= 0.1.3) @@ -404,10 +404,10 @@ GEM paper_trail (12.1.0) activerecord (>= 5.2) request_store (~> 1.1) - parallel (1.21.0) + parallel (1.22.1) paranoia (2.6.0) activerecord (>= 5.1, < 7.1) - parser (3.1.0.0) + parser (3.1.2.0) ast (~> 2.4.1) paypal-sdk-core (0.3.4) multi_json (~> 1.0) 
@@ -446,20 +446,20 @@ GEM rack-test (2.0.2) rack (>= 1.3) rack-timeout (0.6.3) - rails (6.1.6) - actioncable (= 6.1.6) - actionmailbox (= 6.1.6) - actionmailer (= 6.1.6) - actionpack (= 6.1.6) - actiontext (= 6.1.6) - actionview (= 6.1.6) - activejob (= 6.1.6) - activemodel (= 6.1.6) - activerecord (= 6.1.6) - activestorage (= 6.1.6) - activesupport (= 6.1.6) + rails (6.1.6.1) + actioncable (= 6.1.6.1) + actionmailbox (= 6.1.6.1) + actionmailer (= 6.1.6.1) + actionpack (= 6.1.6.1) + actiontext (= 6.1.6.1) + actionview (= 6.1.6.1) + activejob (= 6.1.6.1) + activemodel (= 6.1.6.1) + activerecord (= 6.1.6.1) + activestorage (= 6.1.6.1) + activesupport (= 6.1.6.1) bundler (>= 1.15.0) - railties (= 6.1.6) + railties (= 6.1.6.1) sprockets-rails (>= 2.0.0) rails-controller-testing (1.0.5) actionpack (>= 5.0.1.rc1) @@ -474,9 +474,9 @@ GEM i18n (>= 0.7, < 2) railties (>= 6.0.0, < 8) rails_safe_tasks (1.0.0) - railties (6.1.6) - actionpack (= 6.1.6) - activesupport (= 6.1.6) + railties (6.1.6.1) + actionpack (= 6.1.6.1) + activesupport (= 6.1.6.1) method_source rake (>= 12.2) thor (~> 1.0) @@ -491,7 +491,7 @@ GEM ffi (~> 1.0) redcarpet (3.5.1) redis (4.7.1) - regexp_parser (2.2.0) + regexp_parser (2.5.0) request_store (1.5.0) rack (>= 1.4) responders (3.0.1) @@ -552,9 +552,9 @@ GEM rubocop-ast (>= 1.12.0, < 2.0) ruby-progressbar (~> 1.7) unicode-display_width (>= 1.4.0, < 3.0) - rubocop-ast (1.15.1) - parser (>= 3.0.1.1) - rubocop-rails (2.13.2) + rubocop-ast (1.19.1) + parser (>= 3.1.1.0) + rubocop-rails (2.15.2) activesupport (>= 4.2.0) rack (>= 1.1) rubocop (>= 1.7.0, < 2.0) @@ -633,7 +633,7 @@ GEM concurrent-ruby (~> 1.0) uglifier (4.2.0) execjs (>= 0.3.0, < 3) - unicode-display_width (2.1.0) + unicode-display_width (2.2.0) uniform_notifier (1.16.0) valid_email2 (4.0.0) activemodel (>= 3.2) From 7747f2592e3fd5603f07db7c08e725276b3aada5 Mon Sep 17 00:00:00 2001 
From: Jean-Baptiste Bellet
Date: Wed, 27 Jul 2022 11:26:42 +0200
Subject: [PATCH 2/3] Add BigDecimal classe allowed for YAML deserialization

The soft enforcement of the Rails 6.1.6.1 security update in picked up one more classes that were serialized in the database with YAML: BigDecimal
---
 config/application.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/application.rb b/config/application.rb
index f71167fd30..0203fffb59 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -226,6 +226,7 @@ module Openfoodnetwork
 config.active_record.belongs_to_required_by_default = false
 config.active_record.cache_versioning = false
 config.active_record.has_many_inversing = false
+ config.active_record.yaml_column_permitted_classes = [BigDecimal]
 config.active_support.escape_html_entities_in_json = true

From 006bcd2cf842cba7e2cbd2024b4e0674be3ac37d Mon Sep 17 00:00:00 2001
From: Jean-Baptiste Bellet
Date: Wed, 27 Jul 2022 15:00:19 +0200
Subject: [PATCH 3/3] Add Symbol class allowed for YAML deserialization

---
 config/application.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/application.rb b/config/application.rb
index 0203fffb59..11e8cf12b8 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -226,7 +226,7 @@ module Openfoodnetwork
 config.active_record.belongs_to_required_by_default = false
 config.active_record.cache_versioning = false
 config.active_record.has_many_inversing = false
- config.active_record.yaml_column_permitted_classes = [BigDecimal]
+ config.active_record.yaml_column_permitted_classes = [BigDecimal, Symbol]
 config.active_support.escape_html_entities_in_json = true
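Review bot: The new `config.active_record.yaml_column_permitted_classes = [BigDecimal, Symbol]` line is an app-wide allowlist for every YAML-serialized column and is the only thing standing between the Rails 6.1.6.1 safe-load fix and the unsafe deserialization it replaced, yet nothing in the hunk records why those two classes are there or what the rule for extending the list is. Suggest a comment directly above it, such as `# Rails 6.1.6.1 loads serialized YAML columns with safe_load (CVE-2022-32224); only value types that existing rows contain go here.` followed by `# Never add Object, OpenStruct, ActiveRecord models or other classes whose YAML init can instantiate arbitrary objects.`. BigDecimal and Symbol are plain value types, which is the right shape for an entry; if further Psych::DisallowedClass failures appear in production (Date/Time-like values from legacy rows would be the usual suspects, which I cannot confirm from here), extend this list rather than reaching for the `use_yaml_unsafe_load` opt-out that the same release introduced, since that reinstates the vulnerable behaviour. The enclosing `Application` class and `module Openfoodnetwork` both start and end outside the hunk.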