🚨 [security] Update rails 7.0.8 → 7.0.8.1 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rails (7.0.8 → 7.0.8.1) · Repo

Release Notes

7.0.8.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix possible XSS vulnerability with the translate method in controllers

  CVE-2024-26143

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• Disables the session in ActiveStorage::Blobs::ProxyController
  and ActiveStorage::Representations::ProxyController
  in order to allow caching by default in some CDNs as CloudFlare

  Fixes #44136

  Bruno Prieto

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 7.0.8.1 release
• update changelog
• fix XSS vulnerability when using translation
• Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers

✳️ net-imap (0.4.9.1 → 0.4.10) · Repo

Release Notes

0.4.10

What's Changed

Fixes

• 🐛 Do not automatically freeze SearchResult by @nevans in #263
  This fixes a backwards incompatible change in v0.4.8 that affected the mail gem.
  See #262, reported by @stanley90.

Documentation

• 📚 Workaround rdoc method visibility issue by @nevans in #257
• 📚 Workaround rdoc issue with :yield: and visibility by @nevans in #258

Miscellaneous

• ⬆️ Bump actions/upload-pages-artifact from 2 to 3 by @dependabot in #256
• ⬆️ Bump actions/deploy-pages from 3 to 4 by @dependabot in #255
• Renew test certificates by @sorah in #259
• Add base64 dev dependency by @hsbt in #261
• Import sample code from ruby/ruby by @hsbt in #260

New Contributors

• @sorah made their first contribution in #259

Full Changelog: v0.4.9...v0.4.10

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ nokogiri (1.16.0 → 1.16.2) · Repo · Changelog

Security Advisories 🚨

🚨 Improper Handling of Unexpected Data Type in Nokogiri

Summary

Nokogiri v1.16.2 upgrades the version of its dependency libxml2 to v2.12.5.

libxml2 v2.12.5 addresses the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.16.2, and only if the packaged libraries are being used. If
you've overridden defaults at installation time to use system libraries
instead of packaged libraries, you should instead pay attention to your
distro's libxml2 release announcements.

Severity

The Nokogiri maintainers have evaluated this as Moderate.

Mitigation

Upgrade to Nokogiri >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated
mitigation: compile and link Nokogiri against external libraries libxml2 >=
2.12.5 which will also address these same issues.

JRuby users are not affected.

Workarounds

Release Notes

1.16.2

v1.16.2 / 2024-02-04

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See GHSA-xc9x-jj77-9p9j for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.5 from v2.12.4. (@flavorjones)

---

sha256 checksums:

69ba15d2a2498324489ed63850997f0b8f684260114ea81116d3082f16551d2d  nokogiri-1.16.2-aarch64-linux.gem
6a05ce42e3587a40cf8936ece0beaa5d32922254215d2e8cf9ad40588bb42e57  nokogiri-1.16.2-arm-linux.gem
c957226c8e36b31be6a3afb8602e2128282bf8b40ea51016c4cd21aa2608d3f8  nokogiri-1.16.2-arm64-darwin.gem
122652bfc338cd8a54a692ac035e245e41fd3b8283299202ca26e7a7d50db310  nokogiri-1.16.2-java.gem
7344b5072ca69fc5bedb61cb01a3b765b93a27aae5a2a845c2ba7200e4345074  nokogiri-1.16.2-x64-mingw-ucrt.gem
a2a5e184a424111a0d5b77947986484920ad708009c667f061e8d02035c562dd  nokogiri-1.16.2-x64-mingw32.gem
833efddeb51a6c2c9f6356295623c2b2e0d50050d468695c59bd929162953323  nokogiri-1.16.2-x86-linux.gem
e67fc0418dffaff9dc8b1dc65f0605282c3fee9488832d0223b620b4319e0b53  nokogiri-1.16.2-x86-mingw32.gem
5def799e5f139f21a79d7cf71172313a7b6fb0e4b2a31ab9bd5d4ad305994539  nokogiri-1.16.2-x86_64-darwin.gem
5b146240ac6ec6c40fd4367623e74442bca45a542bd3282b1d4d18b07b8e5dfe  nokogiri-1.16.2-x86_64-linux.gem
68922ee5cde27497d995c46f2821957bae961947644eed2822d173daf7567f9c  nokogiri-1.16.2.gem

1.16.1

v1.16.1 / 2024-02-03

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.4 from v2.12.3. (@flavorjones)

Fixed

• [CRuby] XML::Reader defaults the encoding to UTF-8 if it's not specified in either the document or as a method parameter. Previously non-ASCII characters were serialized as NCRs in this case. [#2891] (@flavorjones)
• [CRuby] Restored support for compilation by GCC versions earlier than 4.6, which was broken in v1.15.0 (540e9ae). [#3090] (@adfoster-r7)
• [CRuby] Patched upstream libxml2 to allow parsing HTML5 in the context of a namespaced node (e.g., foreign content like MathML). [#3112, #3116] (@flavorjones)
• [CRuby] Fixed a small memory leak in libgumbo (HTML5 parser) when the maximum tree depth limit is hit. [#3098, #3100] (@stevecheckoway)

---

sha256 checksums:

a541f35e5b9798a0c97300f9ee18f4217da2a2945a6d5499e4123b9018f9cafc  nokogiri-1.16.1-aarch64-linux.gem
6b82affd195000ab2f9c36cc08744ec2d2fcf6d8da88d59a2db67e83211f7c69  nokogiri-1.16.1-arm-linux.gem
487f0072c154b8a8fd12716f746beee9fb7cea1d62773471bb2951e540f3798a  nokogiri-1.16.1-arm64-darwin.gem
d45378ce34b8d2cfac2428cebb0e21ace4d9c97e76c565ba2e8cec041df02afb  nokogiri-1.16.1-java.gem
d50359f604e650e47365baa8af231b587080ffa7bb84ffca836f34f8c06ae10d  nokogiri-1.16.1-x64-mingw-ucrt.gem
5b656174e77db8f97ee2cc45c4f1476c8262797b577e8fc8abf458beefd4372c  nokogiri-1.16.1-x64-mingw32.gem
c6ba741e41b73a75cdefbf3733101c66a93eb041cab22ba3472a6c548f5b20d7  nokogiri-1.16.1-x86-linux.gem
e37439f5ce9bf91f3797420f8a1e1502ebc3654c3ca4eca80a0b2707235c9326  nokogiri-1.16.1-x86-mingw32.gem
380c94bd8a7fbdee4633db117e5c1ef04cafd35e0dbbdb20eb9224631fe0dc49  nokogiri-1.16.1-x86_64-darwin.gem
cf43557ea7eed0e9f9ed90837a27e1dbfb7fd56d65eb806955965e02231bed3e  nokogiri-1.16.1-x86_64-linux.gem
304db173d8a87afc63f1e1702a671d9eb9e4a30974b297ccca604f6cfd3ed2a7  nokogiri-1.16.1.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 63 commits:

• version bump to v1.16.2
• dep: update libxml to 2.12.5 (branch v1.16.x) (#3122)
• dep: update libxml2 to v2.12.5
• dep: remove patch from #3112 which has been released upstream
• version bump to v1.16.1
• dev: add files to manifest ignore list
• build(deps): bump actions/{download,upload}-artifact from 3 to 4
• .gitignore: clangd-related files
• doc: update CHANGELOG
• fix: apply upstream patch for in-context parsing (#3116)
• fix: apply upstream patch for in-context parsing
• build(deps-dev): update rake-compiler requirement from 1.2.5 to 1.2.6 (#3114)
• build(deps-dev): update rubocop requirement from 1.60.1 to 1.60.2 (#3113)
• build(deps-dev): update rake-compiler requirement from 1.2.5 to 1.2.6
• build(deps-dev): update rubocop requirement from 1.60.1 to 1.60.2
• test: handle upstream libxml2 error message changes (#3109)
• test: update to handle changed libxml 2.13 error messages
• build(deps-dev): update rubocop-minitest requirement from 0.34.4 to 0.34.5 (#3107)
• build(deps-dev): update minitest requirement from 5.21.1 to 5.21.2 (#3106)
• style(rubocop/minitest): Minitest/AssertKindOf
• build(deps): bump actions/cache from 3 to 4 (#3108)
• build(deps-dev): update minitest requirement from 5.21.1 to 5.21.2
• build(deps-dev): update rubocop-minitest requirement
• build(deps-dev): update rubocop requirement from 1.59.0 to 1.60.1 (#3105)
• build(deps): bump actions/cache from 3 to 4
• build(deps-dev): update rubocop requirement from 1.59.0 to 1.60.1
• fix(fuzzer): ensure a failed build will fail early
• Delay breaking out of the parse loop when max_tree_depth is hit (#3100)
• doc: update CONTRIBUTING with info about `test:memory_suite`
• build(deps-dev): update rubocop-performance requirement from 1.20.1 to 1.20.2 (#3094)
• build(deps-dev): update rubocop-minitest requirement from 0.34.3 to 0.34.4 (#3095)
• build(deps-dev): update minitest requirement from 5.20.0 to 5.21.1 (#3096)
• dep: update libxml2 to 2.12.4 (#3097)
• dep: update libxml2 to 2.12.4
• build(deps-dev): update minitest requirement from 5.20.0 to 5.21.1
• build(deps-dev): update rubocop-minitest requirement
• build(deps-dev): update rubocop-performance requirement
• maintain oss-fuzz target building upstream (#3093)
• fix extra new line
• added missing new line
• maintain oss-fuzz target building upstream
• ci: declare mutex_m in Gemfile; it's been removed from ruby 3.4 (#3092)
• test: remove unnecessary dependency on NKF
• ci: declare mutex_m in Gemfile; it's been removed from ruby 3.4
• ci: drop mingw from ci.yml because it's upstream ruby-head (#3091)
• ci: drop mingw from ci.yml because it's upstream ruby-head
• doc: update CHANGELOG
• Allow compilation on older gcc versions (#3090)
• Allow compilation on older gcc versions
• ci: libxml2 callstack changed, so updating the suppression (#3087)
• ci: libxml2 callstack changed, so updating the suppression
• build(deps-dev): update rubocop-minitest requirement from 0.34.2 to 0.34.3 (#3086)
• build(deps-dev): update rubocop-minitest requirement
• tests: support upstream libxml (#3085)
• test: accept upstream libxml2 error messages for IO errors
• style: clean up test_entity_reference.rb
• fix(libxml): default Reader node encoding to UTF-8 (#3084)
• fix(libxml): default Reader node encoding to UTF-8
• doc: improve XSLT::Stylesheet doc strings
• doc: note that the Reader does not recover from syntax errors
• tests: updated for upstream libxml support (#3083)
• test: accept updated libxml2 IO error messages
• test: accept updated libxml2 XPath error messages

↗️ actioncable (indirect, 7.0.8 → 7.0.8.1) · Repo · Changelog

Release Notes

7.0.8.1 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 7.0.8.1 release
• update changelog
• fix XSS vulnerability when using translation
• Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers

↗️ actionmailbox (indirect, 7.0.8 → 7.0.8.1) · Repo · Changelog

↗️ actionmailer (indirect, 7.0.8 → 7.0.8.1) · Repo · Changelog

Release Notes

7.0.8.1 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 7.0.8.1 release
• update changelog
• fix XSS vulnerability when using translation
• Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers

↗️ actionpack (indirect, 7.0.8 → 7.0.8.1) · Repo · Changelog

Security Advisories 🚨

🚨 Possible XSS Vulnerability in Action Controller

There is a possible XSS vulnerability when using the translation helpers
(translate, t, etc) in Action Controller. This vulnerability has been
assigned the CVE identifier CVE-2024-26143.

Versions Affected: All. Not affected: None Fixed Versions: 7.1.3.1, 7.0.8.1

Impact

Applications using translation methods like translate, or t on a
controller, with a key ending in “_html”, a :default key which contains
untrusted user input, and the resulting string is used in a view, may be
susceptible to an XSS vulnerability.

For example, impacted code will look something like this:

class ArticlesController < ApplicationController
  def show
    @message = t("message_html", default: untrusted_input)
    # The `show` template displays the contents of `@message`
  end
end

To reiterate the pre-conditions, applications must:

• Use a translation function from a controller (i.e. not I18n.t, or
  t from a view)
• Use a key that ends in _html
• Use a default value where the default value is untrusted and unescaped input
• Send the text to the victim (whether that’s part of a template, or a
  render call)

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

🚨 Possible Sensitive Session Information Leak in Active Storage

There is a possible sensitive session information leak in Active Storage.
By default, Active Storage sends a Set-Cookie header along with the user’s
session cookie when serving blobs. It also sets Cache-Control to public.
Certain proxies may cache the Set-Cookie, leading to an information leak.

This vulnerability has been assigned the CVE identifier CVE-2024-26144.

Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, >= 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7

Impact

A proxy which chooses to caches this request can cause users to share
sessions. This may include a user receiving an attacker’s session or vice
versa.

This was patched in 7.1.0 but not previously identified as a security
vulnerability.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

Upgrade to Rails 7.1.X, or configure caching proxies not to cache the
Set-Cookie headers.

Release Notes

7.0.8.1 (from changelog)

• Fix possible XSS vulnerability with the translate method in controllers

  CVE-2024-26143

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 7.0.8.1 release
• update changelog
• fix XSS vulnerability when using translation
• Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers

↗️ actiontext (indirect, 7.0.8 → 7.0.8.1) · Repo · Changelog

Release Notes

7.0.8.1 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 7.0.8.1 release
• update changelog
• fix XSS vulnerability when using translation
• Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers

↗️ actionview (indirect, 7.0.8 → 7.0.8.1) · Repo · Changelog

Release Notes

7.0.8.1 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 7.0.8.1 release
• update changelog
• fix XSS vulnerability when using translation
• Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers

↗️ activejob (indirect, 7.0.8 → 7.0.8.1) · Repo · Changelog

Release Notes

7.0.8.1 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 7.0.8.1 release
• update changelog
• fix XSS vulnerability when using translation
• Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers

↗️ activemodel (indirect, 7.0.8 → 7.0.8.1) · Repo · Changelog

Release Notes

7.0.8.1 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 7.0.8.1 release
• update changelog
• fix XSS vulnerability when using translation
• Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers

↗️ activerecord (indirect, 7.0.8 → 7.0.8.1) · Repo · Changelog

Release Notes

7.0.8.1 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 7.0.8.1 release
• update changelog
• fix XSS vulnerability when using translation
• Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers

↗️ activestorage (indirect, 7.0.8 → 7.0.8.1) · Repo · Changelog

Release Notes

7.0.8.1 (from changelog)

• Disables the session in ActiveStorage::Blobs::ProxyController and ActiveStorage::Representations::ProxyController in order to allow caching by default in some CDNs as CloudFlare

  Fixes #44136

  Bruno Prieto

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 7.0.8.1 release
• update changelog
• fix XSS vulnerability when using translation
• Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers

↗️ activesupport (indirect, 7.0.8 → 7.0.8.1) · Repo · Changelog

Release Notes

7.0.8.1 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 7.0.8.1 release
• update changelog
• fix XSS vulnerability when using translation
• Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers

↗️ minitest (indirect, 5.21.1 → 5.22.2) · Repo · Changelog

Release Notes

5.22.2 (from changelog)

• 1 bug fix:

  • Third time’s a charm? Remember: ‘ensure’ is almost always the wrong way to go (for results… it’s great for cleaning up).

5.22.1 (from changelog)

• 1 bug fix:

  • Don’t exit non-zero if no tests ran and no filter (aka, the test file is empty). (I’m starting to think the exit 1 thing for @tenderlove was a mistake…)

5.22.0 (from changelog)

• 1 minor enhancement:

  • Added “did you mean” output if your –name filter matches nothing. (tenderlove)

• 2 bug fixes:

  • Big cleanup of test filtering. Much prettier / more functional.

  • Fix situation where Assertion#location can’t find the location. (pftg)

5.21.2 (from changelog)

• 1 bug fix:

  • Fixed bug in Minitest::Compress#compress formatting w/ nested patterns. Now recurses properly.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

• prepped for release
• - Third time's a charm? Remember: 'ensure' is almost always the wrong way to go.
• prepped for release
• - Don't exit non-zero if no tests ran and no filter (aka, the test file is empty).
• prepped for release
• + Added "did you mean" output if your --name filter matches nothing. (tenderlove)
• - Big cleanup of test filtering. Much prettier / more functional.
• - Fix situation where Assertion#location can't find the location. (pftg)
• prepped for release
• - Fixed bug in Minitest::Compress#compress formatting w/ nested patterns. Now recurses properly.

↗️ rack (indirect, 2.2.8 → 2.2.8.1) · Repo · Changelog

Security Advisories 🚨

🚨 Possible Denial of Service Vulnerability in Rack Header Parsing

There is a possible denial of service vulnerability in the header parsing
routines in Rack. This vulnerability has been assigned the CVE identifier
CVE-2024-26146.

Versions Affected: All. Not affected: None Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1

Impact

Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept and
Forwarded headers are impacted.

Ruby 3.2 has mitigations for this problem, so Rack applications using
Ruby 3.2 or newer are unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

🚨 Possible DoS Vulnerability with Range Header in Rack

There is a possible DoS vulnerability relating to the Range request header in
Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.

Versions Affected: >= 1.3.0. Not affected: < 1.3.0 Fixed Versions: 3.0.9.1, 2.2.8.1

Impact

Carefully crafted Range headers can cause a server to respond with an
unexpectedly large response. Responding with such large responses could lead
to a denial of service issue.

Vulnerable applications will use the Rack::File middleware or the
Rack::Utils.byte_ranges methods (this includes Rails applications).

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

🚨 Denial of Service Vulnerability in Rack Content-Type Parsing

There is a possible denial of service vulnerability in the content type
parsing component of Rack. This vulnerability has been assigned the CVE
identifier CVE-2024-25126.

Versions Affected: >= 0.4 Not affected: < 0.4 Fixed Versions: 3.0.9.1, 2.2.8.1

Impact

Carefully crafted content type headers can cause Rack’s media type parser to
take much longer than expected, leading to a possible denial of service
vulnerability.

Impacted code will use Rack’s media type parser to parse content type headers.
This code will look like below:

request.media_type
OR
request.media_type_params
OR
Rack::MediaType.type(content_type)

Some frameworks (including Rails) call this code internally, so upgrading is
recommended!

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Release Notes

2.2.8.1

What's Changed

• Fixed ReDoS in Accept header parsing [CVE-2024-26146]
• Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
• Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: v2.2.8...v2.2.8.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• bump version
• Avoid 2nd degree polynomial regexp in MediaType
• Return an empty array when ranges are too large
• Fixing ReDoS in header parsing

↗️ railties (indirect, 7.0.8 → 7.0.8.1) · Repo · Changelog

Release Notes

7.0.8.1 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• Preparing for 7.0.8.1 release
• update changelog
• fix XSS vulnerability when using translation
• Merge pull request #48869 from brunoprietog/disable-session-active-storage-proxy-controllers

↗️ zeitwerk (indirect, 2.6.12 → 2.6.13) · Repo · Changelog

Release Notes

2.6.13 (from changelog)

• There is a new experimental null inflector that simply returns its input unchanged:

  loader.inflector = Zeitwerk::NullInflector.new

  Projects using this inflector are expected to define their constants in files and directories with names exactly matching them:

  User.rb       -> User
  HTMLParser.rb -> HTMLParser
  Admin/Role.rb -> Admin::Role
  

  Please see its documentation for further details.

• Documentation improvements.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 13 commits:

• Ready for 2.6.13
• Document null inflector and case-insensitive file systems
• Add test coverage for symlinks and for_gem
• Merge pull request #286 from m-nakamura145/update-actions-checkout
• Bump actions/checkout
• Revise the conceptual translation of for_gem
• Delete comment in Kernel#require decoration
• Merge pull request #279 from stevenharman/typo_and_doc_tweeks
• Fix small typo & clarify some grammar in the docs
• Merge pull request #278 from m-nakamura145/update-ci-matrix
• Add Ruby 3.3 to CI matrix
• Revise docs re the null inflector and Rails
• Provide a null inflector

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[coveralls]

coverage: 99.216%. remained the same
when pulling 09d5dea on depfu/update/group/rails-7.0.8.1
into f4fafb5 on main.

[depfu]

Closing because this update has already been applied