Skip to content

build(deps): bump mechanize from 2.7.6 to 2.8.2 in /Library/Homebrew#324

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/bundler/Library/Homebrew/mechanize-2.8.2
Closed

build(deps): bump mechanize from 2.7.6 to 2.8.2 in /Library/Homebrew#324
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/bundler/Library/Homebrew/mechanize-2.8.2

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Aug 9, 2021

Copy link
Copy Markdown

Bumps mechanize from 2.7.6 to 2.8.2.

Release notes

Sourced from mechanize's releases.

2.8.2 / 2021-08-06

Dependencies

2.8.1 / 2021-05-09

Fix

  • Gracefully handle parsing errors that contain an invalid byte sequence. Previously, if libxml2 registered a parsing error that itself contained invalid encoding, an exception might be raised. (#553)

2.8.0 / 2021-04-01

  • Requirements

    • Mechanize now requires Ruby 2.5 or newer.
    • Move from ntlm-http to rubyntlm gem. (#495, #574)
  • New Features

    • Page::Link#uri now handles non-ASCII hrefs. (#569) @​terryyin
    • FileConnection supports Windows drive letters (#483)
    • Credential headers 'Authorization' and 'Cookie' are deleted on cross-origin redirects. (#538) @​kyoshidajp
    • ContentDispositionParser handles ISO8601 date headers, to be robust with websites that ignore RFC2183. (#554) @​reitermarkus
  • Bug fix

    • POST headers 'Content-Length', 'Content-MD5', and 'Content-Type' are deleted in a case-insensitive manner on redirects. Previously these headers were treated as case-sensitive.

2.7.7 / 2021-02-01

  • Security fixes for CVE-2021-21289

    Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected into several classes' methods via implicit use of Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:

    • Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
    • Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
    • Mechanize#download: since v2.2 (see dc91667)
    • Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)
    • Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
    • Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)

    See GHSA-qrqm-fpv6-6r8g for more information.

    Also see #547, #548. Thank you, @​kyoshidajp!

  • New Features

... (truncated)

Changelog

Sourced from mechanize's changelog.

2.8.2 / 2021-08-06

Dependencies

2.8.1 / 2021-05-09

Fix

  • Gracefully handle parsing errors that contain an invalid byte sequence. Previously, if libxml2 registered a parsing error that itself contained invalid encoding, an exception might be raised. (#553)

2.8.0 / 2021-04-01

Requirements

  • Mechanize now requires Ruby 2.5 or newer.
  • Move from ntlm-http to rubyntlm gem. (#495, #574)

New Features

  • Page::Link#uri now handles non-ASCII hrefs. (#569) @​terryyin
  • FileConnection supports Windows drive letters (#483)
  • Credential headers 'Authorization' and 'Cookie' are deleted on cross-origin redirects. (#538) @​kyoshidajp
  • ContentDispositionParser handles ISO8601 date headers, to be robust with websites that ignore RFC2183. (#554) @​reitermarkus

Bug fix

  • POST headers 'Content-Length', 'Content-MD5', and 'Content-Type' are deleted in a case-insensitive manner on redirects. Previously these headers were treated as case-sensitive.

2.7.7 / 2021-02-01

  • Security fixes for CVE-2021-21289

    Mechanize >= v2.0, < v2.7.7 allows for OS commands to be injected into several classes' methods via implicit use of Ruby's Kernel.open method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls:

    • Mechanize::CookieJar#load: since v2.0 (see 208e3ed)
    • Mechanize::CookieJar#save_as: since v2.0 (see 5b776a4)
    • Mechanize#download: since v2.2 (see dc91667)
    • Mechanize::Download#save and #save! since v2.1 (see 98b2f51, bd62ff0)
    • Mechanize::File#save and #save_as: since v2.1 (see 2bf7519)
    • Mechanize::FileResponse#read_body: since v2.0 (see 01039f5)

    See GHSA-qrqm-fpv6-6r8g for more information.

... (truncated)

Commits
  • 975827a version bump to v2.8.2
  • d8b698a update CHANGELOG
  • 1841196 update CHANGELOG
  • 9640de7 Merge pull request #584 from yidingww/update-required-version-of-addressable
  • 721dbad Update required version of addressable to 2.8
  • 64bbe05 Merge pull request #585 from sparklemotion/flavorjones-refactor-ci
  • 1b3345a ci: split out rubocop as an initial job
  • 3f046bd Create dependabot.yml
  • 840cf80 Merge pull request #582 from sparklemotion/flavorjones-investigate-failing-en...
  • 1ff5168 test: update libxml2 encoding test to handle later versions
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [mechanize](https://github.com/sparklemotion/mechanize) from 2.7.6 to 2.8.2.
- [Release notes](https://github.com/sparklemotion/mechanize/releases)
- [Changelog](https://github.com/sparklemotion/mechanize/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/mechanize@v2.7.6...v2.8.2)

---
updated-dependencies:
- dependency-name: mechanize
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code labels Aug 9, 2021
@dependabot @github

dependabot Bot commented on behalf of github Nov 12, 2021

Copy link
Copy Markdown
Author

Superseded by #438.

@dependabot dependabot Bot closed this Nov 12, 2021
@dependabot dependabot Bot deleted the dependabot/bundler/Library/Homebrew/mechanize-2.8.2 branch November 12, 2021 02:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants