🚨 [security] Update yard 0.9.38 → 0.9.43 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ yard (0.9.38 → 0.9.43) · Repo · Changelog

Security Advisories 🚨

🚨 yard: Possible arbitrary path traversal and file access via yard server

Impact

A path traversal vulnerability was discovered in YARD <= 0.9.41 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions.

The original patch in GHSA-xfhh-rx56-rxcr was incorrectly applied.

Patches

Please upgrade to YARD v0.9.42 immediately if you are relying on yard server to host documentation in any untrusted environments without WEBrick and rely on --docroot.

Workarounds

For users who cannot upgrade, it is possible to perform path sanitization of HTTP requests at your webserver level. WEBrick, for example, can perform such sanitization by default (which you can use via yard server -s webrick), as can certain rules in your webserver configuration.

Release Notes

0.9.42

• Fix alternating rows when loading a module in default HTML templates with subelements in the nav frame
• Fix reliability of keypresses and copy/paste in search box (#1174)
• Fix regression in yard server search box styling
• Fix possible path traversal with document_root (--docroot) set in yard server (GHSA-xfhh-rx56-rxcr)

0.9.41

• Add support for rdoc-image:... syntax in HybridMarkup (#1676)
• Add support for colon suffix code blocks in HybridMarkup (rdoc compatibility)
• Fix responsiveness and state issues with nav frame links in yard server

0.9.40

• Add support for Ruby .rbs files (docstrings included) (#1673)
• Add built-in hybrid RDoc/Markdown renderer (HybridMarkdown) requiring no external gems (#1674)
• Add support for #- as a comment-block separator. See Getting Started Guide.
• Add support for commonmarker version >= 1.0.
• Remove usage of jQuery in default templates. jQuery library is still packaged in templates for backward compatibility (#1675)
• Fix false self-referential mixin when bare name matches ancestor namespace (#1672)
• Fix bracket/brace map corruption from Ruby 3.0+ pattern matching deconstruction (#1671)
• Fix @!scope class on attributes (#1582, #1655, #1666)
• Fix @!parse directives not including source for block (#1665)
• Fix inherited methods not appearing in groups (#1656)

0.9.39

• Add support for Ruby 4.0 (#1663)
• Add changelog URI to gemspec metadata (#1641)
• Fix issues with source ranges (#1642)
• Fix an issue loading relative links from file list in HTML template (#1660)
• Various test fixes (#1650, #1651)

Does any of this look wrong? Please let us know.

↗️ dynamoid (indirect, 3.12.1 → 3.13.0) · Repo · Changelog

Release Notes

3.13.0

What's Changed

• TransactionWrite sanitizes items by @ckhsponge in #897
• Rubocop 1.80 by @ckhsponge in #935
• Support table arn by @andrykonchin in #941
• Implement delete class method by @andrykonchin in #943
• Fix #destroyed? when deleting fails by @andrykonchin in #944
• Implement #update_attribute! method by @andrykonchin in #945
• Add :skip_generating_fields option of the table method by @andrykonchin in #947
• 📌 Ruby 3.4.7 for development by @pboling in #950
• Revise supported versions and vulnerability reporting by @pboling in #973
• Fix primary key validation in transactional methods by @andrykonchin in #987
• Add Ruby 4.0 and Rails 8.1 in CI by @andrykonchin in #988
• Prepare to release 3.13.0 by @andrykonchin in #994

Full Changelog: v3.12.1...v3.13.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 48 commits:

• Merge pull request #994 from Dynamoid/ak/prepare-to-release-3-13-0
• Bump Dynamoid version to 3.13.0
• Update CHANGELONG.md and add new entries
• Merge pull request #988 from Dynamoid/ak/upgrade-to-ruby-4-0
• Add Rails 8.1 in CI
• Run Ruby 4.0 on CI
• Merge pull request #987 from Dynamoid/ak/fix-primary-key-validation-in-transactional-methods
• Upgrade Rubocop an fix warnings
• Fix transactional #destroy and place primary key validation after running callbacks
• Fix transactional #save and place primary key validation after running callbacks
• Merge pull request #973 from Dynamoid/pboling-patch-1
• Revise supported versions and vulnerability reporting
• Merge pull request #950 from Dynamoid/feat/upgrade-deps
• 🚨 Linting
• 🔨 binstub: rake
• ⬆️ Upgrade deps within current allowed ranges
• 📝 Tweaks to CONTRIBUTING.md
• 🔨 binstub: rspec
• 📌 Ruby 3.4.7 for development
• Merge pull request #947 from Dynamoid/ak/add-skip-generating-fields-table-method-option
• Add :skip_generating_fields option of the table() method
• Merge pull request #945 from Dynamoid/ak/add-update-attribute-with-bang
• Update RDoc comments for #save!, #update_attributes! and create! to raise RecordNotSaved
• Add missing specs for create, create! and #update_attribute
• Add #update_attribute! method
• Merge pull request #944 from Dynamoid/ak/fix-destroyed-edge-cases
• Fix #delete and #destroy to set #destroyed? correctly when deleting fails
• Add specs for #destroy() method
• Merge pull request #943 from Dynamoid/ak/add-delete-class-method
• Implement class method delete()
• Merge pull request #941 from Dynamoid/ak/allow-quering-with-gsi-and-table-arn
• Improve RDoc comment for the field method
• Clean up the persistence_spec.rb file
• Add :arn option for the table method
• Add RSpec matcher for DynamoDB requests
• Merge pull request #935 from ckhsponge/ckh/rubocop-1.80
• Merge pull request #897 from ckhsponge/ckh/transaction-sanitize-item
• Rubocop 1.80
• In transaction writes, setting an attribute to nil should actually remove it RUBOCOP
• In transaction writes, setting an attribute to nil should actually remove it
• In transaction writes, setting an attribute to nil should actually remove it RUBOCOP
• In transaction writes, setting an attribute to nil should actually remove it
• In transaction writes, setting an attribute to nil should actually remove it
• In transaction writes, setting an attribute to nil should actually remove it RUBOCOP
• In transaction writes, setting an attribute to nil should actually remove it
• transaction write indexes spec WIP
• TransactionWrite should call sanitize_item so that nils are not persisted. Rubocop.
• TransactionWrite should call sanitize_item so that nils are not persisted. Otherwise GSI will fail with a nil range key.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[github-actions]

Package	Line Rate	Health
dynamoid	92%	➖
Summary	92% (3823 / 4135)	➖

Minimum allowed line rate is 90%