@depfu depfu bot commented Feb 13, 2025


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rspec-rails (6.1.5 → 7.1.1) · Repo · Changelog

Release Notes

7.1.1 (from changelog)

Full Changelog

Bug Fixes:

  • Check whether rspec-mocks has been loaded before enabling signature verification for have_enqueued_job et al (Jon Rowe, #2823)

7.1.0 (from changelog)

Full Changelog

Enhancements:

  • Improve implicit description for ActionCable matchers have_broadcasted_to / have_broadcast. (Simon Fish, #2795)
  • Comment out infer_spec_type_from_file_location! in newly generated rails_helper.rb files. (Jon Rowe, #2804)
  • Allow turning off active job / mailer argument validation. (Oli Peate, #2808)

7.0.2 (from changelog)

Full Changelog

Bug Fixes:

  • Fix issue with have_enqueued_mail when jobs were incorrectly matched due to refactoring in #2780. (David Runger, #2793)

7.0.1 (from changelog)

Full Changelog

Bug Fixes:

  • Remove mutation of Rails constant in favour of public api. (Petrik de Heus, #2789)
  • Cleanup Rails scaffold for unsupported versions. (Matt Jankowski, #2790)
  • Remove deprecated scaffold that was unintentionally included in 7.0.0 (Jon Rowe, #2791)

7.0.0 (from changelog)

Full Changelog

Enhancements:

  • Change default driver for system specs on Rails 7.2 to match its default. (Steve Polito, #2746)
  • Verify ActiveJob arguments by comparing to the method signature. (Oli Peate, #2745)
  • Add suggestion to rails_helper.rb to skip when not in test mode. (Glauco Custódio, #2751)
  • Add at_priority qualifier to have_enqueued_job set of matchers. (mbajur, #2759)
  • Add spec directories to rails stats on Rails main / 8.0.0. (Petrik de Heus, #2781)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ diff-lcs (indirect, 1.5.1 → 1.6.0) · Repo · Changelog

Release Notes

1.6.0 (from changelog)

  • Baptiste Courtois (@Annih) has done significant work on making bin/ldiff work better, contributing a number of issues and pull requests. These include:

    • Separation of command parsing from diff-generation in Diff::LCS::Ldiff code extraction making it easier to use separately from the bin/ldiff command in #103. This partially resolves #46.

    • Improvement of binary and empty file detection and tests in #104 and #105. This resolves issues #100, #102.

    • Various ldiff fixes for output #101 resolves issues #106 (ldiff ed scripts are inverted), #107 (ldiff hunk ranges are incorrect; regression or incorrect fix for #60), and #95.

  • Patrick Linnane fixed various minor typos. #93

  • Mark Young added a Changelog link to the RubyGems metadata. #92 This has been modified to incorporate it into the README.

  • Updated the documentation on Diff::LCS#lcs to be clearer about the requirements for object equality comparison. This resolves #70.

  • Governance:

    Changes described here are effective 2024-12-31.

    • Update gem management details to use markdown files for everything, enabled in part by flavorjones/hoe-markdown. Several files were renamed to be more consistent with standard practices.

    • Updated security notes with an age public key rather than pointing to Keybase.io and a PGP public key which I no longer use. The use of the Tidelift security contact is recommended over direct disclosure.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ erubi (indirect, 1.13.0 → 1.13.1) · Repo · Changelog

Release Notes

1.13.1 (from changelog)

* Avoid spurious frozen string literal warnings for chilled strings when using Ruby 3.4 (jeremyevans)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ irb (indirect, 1.14.2 → 1.15.1) · Repo

Release Notes

1.15.1

What's Changed

🐛 Bug Fixes

  • Fix pager preview with escape sequence and newlines by @tompng in #1069

Full Changelog: v1.15.0...v1.15.1

1.15.0

What's Changed

🐛 Bug Fixes

  • Fix broken history command with -g by @sanfrecce-osaka in #1057
  • Gracefully handle incorrect command aliases by @st0012 in #1059
  • Print more actionable message when the exception may be an IRB bug by @st0012 in #1061
  • IRB.conf[:SAVE_HISTORY] should handle boolean values by @st0012 in #1062
  • Colorize backref token bold green like global variables by @tompng in #1065

📚 Documentation

  • Restructure IRB's documentation by @st0012 in #1053
  • Use the documentation site as the source of truth by @st0012 in #1055
  • Extract contributing guideline into a CONTRIBUTING.md by @st0012 in #1056
  • [DOC] Remove unnecessary escape from completor class names by @st0012 in #1063
  • [DOC] Update documentation about the new copy command by @st0012 in #1067
  • [DOC] Exclude the word IRB from RDoc's autolinking by @st0012 in #1068

Full Changelog: v1.14.3...v1.15.0

1.14.3

What's Changed

🐛 Bug Fixes

  • Load history when starting a direct debug session by @sunblaze in #1046

📚 Documentation

  • Avoid generating documentation pages for internal components by @st0012 in #1047
  • [DOC] Fix broken rdoc-ref caused by a typo by @st0012 in #1049

Full Changelog: v1.14.2...v1.14.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ logger (indirect, 1.6.5 → 1.6.6) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ loofah (indirect, 2.23.1 → 2.24.0) · Repo · Changelog

Release Notes

2.24.0

2.24.0 / 2024-12-24

Improved

  • Built-in scrubber :targetblank now skips a tags whose href attribute is an anchor link. Previously, all a tags were modified to have target='_blank'. #291 @fnando

Full Changelog: v2.23.1...v2.24.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rack (indirect, 3.1.10 → 3.1.11) · Repo · Changelog

Security Advisories 🚨

🚨 Escape Sequence Injection vulnerability in Rack leads to Possible Log Injection

Summary

Rack::Sendfile can be exploited by crafting input that includes newline characters to manipulate log entries.

Details

The Rack::Sendfile middleware logs unsanitized header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection.

Impact

This vulnerability can distort log files, obscure attack traces, and complicate security auditing.

Mitigation

  • Update to the latest version of Rack, or
  • Remove usage of Rack::Sendfile.
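
The advisory's point is that a header value copied verbatim into a log can carry CR/LF and terminal escape sequences. As an added example (not code from Rack or from this PR), the Ruby snippet below escapes control characters before the value reaches the log and keeps a forged "extra line" on the same log line; SafeSendfileLogger, KNOWN_SENDFILE_TYPES, the log message wording and the forged request are all constructed for this example.

```ruby
require "logger"
require "stringio"

# Replace control characters (CR, LF, ESC, ...) in a header value with
# visible escapes so a forged value cannot start a new log line or emit
# terminal escape sequences; cap the length to limit log flooding.
def sanitize_for_log(value, max: 64)
  text = value.to_s.dup.force_encoding(Encoding::UTF_8).scrub("?")
  text = text.gsub(/[\x00-\x1f\x7f]/) do |c|
    case c
    when "\n" then "\\n"
    when "\r" then "\\r"
    when "\e" then "\\e"
    else format("\\x%02X", c.ord)
    end
  end
  text.length > max ? "#{text[0, max]}...[#{text.length - max} more]" : text
end

# Header variants accepted for X-Sendfile-Type (constructed list for this example).
KNOWN_SENDFILE_TYPES = %w[X-Sendfile X-Accel-Redirect X-Lighttpd-Send-File].freeze

# Hypothetical middleware: an unrecognised X-Sendfile-Type value is logged
# through the sanitizer rather than copied verbatim into the log.
class SafeSendfileLogger
  def initialize(app, logger)
    @app = app
    @logger = logger
  end

  def call(env)
    type = env["HTTP_X_SENDFILE_TYPE"]
    if type && !KNOWN_SENDFILE_TYPES.include?(type)
      @logger.warn("Unknown x-sendfile type: #{sanitize_for_log(type)}")
    end
    @app.call(env)
  end
end

# Constructed request: the header tries to append a fake "login ok" line.
FORGED_ENV = { "HTTP_X_SENDFILE_TYPE" => "X-Bogus\n[INFO] login ok user=admin" }.freeze

# Run the middleware once over env and return the captured log text.
def captured_log(env = FORGED_ENV)
  io = StringIO.new
  logger = Logger.new(io)
  logger.formatter = ->(sev, _time, _prog, msg) { "#{sev}: #{msg}\n" }
  SafeSendfileLogger.new(->(_e) { [200, {}, ["ok"]] }, logger).call(env)
  io.string
end
```

The captured log stays a single line, so a log parser or SIEM rule that keys on line boundaries is not fooled by the injected newline.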
Release Notes

3.1.11 (from changelog)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rack-session (indirect, 2.0.0 → 2.1.0) · Repo · Changelog

Release Notes

2.1.0

Full Changelog: v2.0.0...v2.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rack-test (indirect, 2.1.0 → 2.2.0) · Repo · Changelog

Release Notes

2.2.0 (from changelog)

  • Bug fixes:

    • Rack::Test::Cookie now parses cookie parameters using a case-insensitive approach (Guillaume Malette #349)
  • Minor enhancements:

    • Arrays of cookies containing a blank cookie are now handled correctly when processing responses. (Martin Emde #343)
    • Rack::Test::UploadedFile no longer uses a finalizer for named paths to close and unlink the created Tempfile. Tempfile itself uses a finalizer to close and unlink itself, so there is no reason for Rack::Test::UploadedFile to do so (Jeremy Evans #338)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ reline (indirect, 0.5.12 → 0.6.0) · Repo

Release Notes

0.6.0

What's Changed

🐛 Bug Fixes

  • Fix RELINE_TEST_ENCODING by @ima1zumi in #743
  • Don't skip start_with check on encoding-incompatible candidates by @tompng in #787
  • Call user defined sigwinch and sigcont handler by @tompng in #788
  • Fix line wrapped cursor position by @tompng in #791
  • Undo and redo should restore indentation by @tompng in #793

🛠 Other Changes

  • Fix tests failing when INPUTRC is defined by @pterjan in #789
  • Implement buffered output to Reline::ANSI by @tompng in #790
  • Merge key mapping with key bindings by @tompng in #715
  • Refactor Reline::Unicode ed_ vi_ em_ methods by @tompng in #720
  • Change quoted_insert and bracketed_paste to a single key input by @tompng in #792
  • Bump version to 0.6.0 by @ima1zumi in #795

Full Changelog: v0.5.12...v0.6.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rspec-core (indirect, 3.13.2 → 3.13.3) · Repo · Changelog

↗️ stringio (indirect, 3.1.3 → 3.1.5) · Repo · Changelog

Release Notes

3.1.5

Improvements

  • JRuby: Improved compatibility with CRuby for StringIO#seek with frozen string.

3.1.4

Improvements

  • JRuby: Improved compatibility with CRuby.

Fixes

  • CRuby: Fixed a bug that StringIO may mutate a shared string.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ uri (indirect, 1.0.2 → 1.0.3) · Repo

Security Advisories 🚨

🚨 URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+

There is a possibility of userinfo leakage in the uri gem.
This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem.

Details

The methods URI#join, URI#merge, and URI#+ retained userinfo, such as user:password, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur.

Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later.

Affected versions

uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2.

Credits

Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue.
Also thanks to nobu for additional fixes of this vulnerability.
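
The leak described above is a scheme-relative reference such as `//other-host/path` that replaces the host while URI#merge keeps the base URL's `user:password`. As an added example (not code from the uri gem or this PR), the Ruby helpers below detect that pattern and resolve references so credentials never travel to an origin the base never authenticated to; userinfo_leaked?, safe_join, demo and the sample URLs are constructed for this example and work the same on fixed and unfixed gem versions.

```ruby
require "uri"

# Returns true when the resolved URI still carries the base URI's credentials
# although the reference moved it to a different origin, and the reference
# did not supply credentials of its own (the CVE-2025-27221 pattern).
def userinfo_leaked?(base, ref, joined)
  base, ref, joined = URI(base), URI(ref), URI(joined)
  return false if base.userinfo.nil? || joined.userinfo != base.userinfo
  same_origin = [joined.scheme, joined.host, joined.port] ==
                [base.scheme, base.host, base.port]
  !same_origin && ref.userinfo.nil?
end

# Resolve ref against base with URI#merge, then drop credentials that would
# otherwise be sent to a host the base never authenticated to. Same-origin
# relative references keep them, which is the RFC 3986 behaviour.
def safe_join(base, ref)
  base = URI(base)
  joined = base.merge(ref)
  if userinfo_leaked?(base, ref, joined)
    joined.password = nil   # clear password first: the setter checks @user
    joined.user = nil
  end
  joined
end

# Constructed base URL carrying a secret, as in the advisory's scenario.
BASE = "https://deploy:s3cret@example.com/app/"

# Three references: host swap (the leak), same-origin path, and a reference
# that brings its own credentials (nothing from BASE must be kept there).
def demo
  {
    cross_host: safe_join(BASE, "//untrusted.example/collect").to_s,
    same_origin: safe_join(BASE, "/status").to_s,
    own_creds: safe_join(BASE, "//svc:token@partner.example/cb").to_s,
  }
end
```

Auditing existing URL-building code is as simple as running userinfo_leaked? over each (base, reference, result) triple it produces.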

Release Notes

1.0.3

What's Changed

  • Bump step-security/harden-runner from 2.10.1 to 2.10.2 by @dependabot in #136
  • Bump rubygems/release-gem from 612653d273a73bdae1df8453e090060bb4db5f31 to 9e85cb11501bebc2ae661c1500176316d3987059 by @dependabot in #137
  • Prevent a warning: URI::REGEXP is obsolete by @mame in #138
  • Revisit deprecated test by @hsbt in #139
  • Suppress deprecate warning of test class (retry) by @mame in #140
  • Fix README by @hsbt in #142
  • Bump rubygems/release-gem from 1.1.0 to 1.1.1 by @dependabot in #143
  • Bump step-security/harden-runner from 2.10.2 to 2.10.3 by @dependabot in #144
  • Bump step-security/harden-runner from 2.10.3 to 2.10.4 by @dependabot in #145
  • Make documentation 100% by @nobu in #147
  • Bump step-security/harden-runner from 2.10.4 to 2.11.0 by @dependabot in #153
  • Remove userinfo by @hsbt in #154

New Contributors

  • @mame made their first contribution in #138

Full Changelog: v1.0.2...v1.0.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ zeitwerk (indirect, 2.7.1 → 2.7.2) · Repo · Changelog

Release Notes

2.7.2 (from changelog)

  • Internal improvements and micro-optimizations.

  • Add stable TruffleRuby to CI.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 pp (added, 0.6.2)

🆕 prettyprint (added, 0.2.0)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Feb 13, 2025
@depfu depfu bot force-pushed the depfu/update/rspec-rails-7.1.1 branch from 7145793 to 5b0a9e6 on February 25, 2025 14:41
@depfu depfu bot changed the title from "🚨 [security] Update rspec-rails 6.1.5 → 7.1.1 (major)" to "[ruby] Update rspec-rails 6.1.5 → 7.1.1 (major)" Feb 25, 2025
@depfu depfu bot force-pushed the depfu/update/rspec-rails-7.1.1 branch from 5b0a9e6 to 0ae90ca on March 8, 2025 07:11
@depfu depfu bot changed the title from "[ruby] Update rspec-rails 6.1.5 → 7.1.1 (major)" to "🚨 [security] [ruby] Update rspec-rails 6.1.5 → 7.1.1 (major)" Mar 8, 2025
@amree amree closed this Mar 8, 2025
@depfu depfu bot deleted the depfu/update/rspec-rails-7.1.1 branch March 8, 2025 07:21
@amree amree restored the depfu/update/rspec-rails-7.1.1 branch March 8, 2025 07:26
@amree amree reopened this Mar 8, 2025