🚨 [security] Update octokit: 4.14.0 → 4.25.1 (minor)

[depfu]

---

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

---

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ octokit (indirect, 4.14.0 → 4.25.1) · Repo · Changelog

Security Advisories 🚨

🚨 Octokit gem published with world-writable files

Impact

Versions 4.23.0
and 4.24.0 of the octokit gem
were published containing world-writeable files.

Specifically, the gem was packed
with files having their permissions set to -rw-rw-rw- (i.e. 0666) instead of rw-r--r--
(i.e. 0644). This means everyone who is not the owner (Group and Public) with access
to the instance where this release had been installed could modify the world-writable
files from this gem.

Malicious code already present and running on your machine,
separate from this package, could modify the gem’s files and change its behavior
during runtime.

Patches

• octokit 4.25.0

Workarounds

Users can use the previous version of the gem v4.22.0.
Alternatively, users can modify the file permissions manually until they are able
to upgrade to the latest version.

Release Notes

4.25.1

• Stop configuring Faraday's retry middleware twice (@Edouard-chin)
• Fix various Ruby warnings (e.g. missing parentheses) (@coryf)

4.25.0

✅ NOTE: This remediates A security advisory was published on versions 4.23.0 and 4.24.0 of this gem. You can read more about this in the published security advisory. ✅

DX Improvements

• Rubocop improvements by @timrogers in #1441
• Require multi-factor authentication to push new releases to RubyGems by @timrogers in #1443

CI Improvements

Updates all build scripts to be more durable and adds details on how to run a manual file integrity check by @nickfloyd in #1446

Housekeeping

• Drop support for Ruby 1.9.2 in Octokit::Client::Contents#create_contents by @timrogers in #1442

Full Changelog: v4.24.0...v4.25.0

4.24.0

Known issues

Note: This release fixes the issue around autoloading modules causing some modules to not load before use #1428

---

Code improvements

• #1354, #1426 Enabling Ruby's immutable ("frozen") string literals i.e. --enable-frozen-string-literal via @timrogers and @olleolleolle

---

CI Improvements

• Adds Code QL analysis to octokit.rb via @nickfloyd

---

Bug fixes

• #1428 Fixes module loading issue with autoloading (this reverts #1351 ) - more information here via @collinsauve. @waiting-for-dev, @etiennebarrie, @timrogers, and @nickfloyd

---

Full Changelog: v4.23.0...v4.24.0

4.23.0

Code improvements

• #1382 Correctly raise Octokit::TooManyRequests when hitting secondary rate limit via @jasonopslevel
• #1411 Adds support for Faraday v2 usage via @skryukov

---

CI Improvements

• #1395 Adds Ruby 3.1 to CI via @petergoldstein

---

Performance improvements

• #1351 Make clients autoload via @gmcgibbon

---

Bug fixes

• #1297 Escape label names with URL characters via @Fryguy
• #1375 Escape ref in archive_link via @max611
• #1117 & #1419 Ensures that any nil parameters being passed in will initialize with Octokit's defaults instead of nil via @akerl, @nickfloyd
• #1321 & #1415 Fixed total_count calculation when paginating results for check runs and check suites via @a2ikm, @matiasalbarello
• #1121 Fixes service status methods via @vierarb

---

Documentation

• #1414 replace git.io link in source docs via @wonda-tea-coffee
• #1412 Document how and when the SDK raises exceptions via @timrogers
• #1356 Fixes grammar and style via @nikoandpiko

---

Full Changelog: v4.22.0...v4.23.0

4.22.0

Deprecation Fix

• #1359 Fix Faraday deprecation warning @ybiquitous

Code Improvements

• #1336 Update regex for create ref @thepwagner
• #1350 Support pagination in compare api @mrpinsky

CI and dependency updates

• #1353 Add Ruby 3.0 support for CI builds @olleolleolle
• #1387 Update pry-byebug requirement @ashishkeshan

Documentation

• #1376 Update example README code with token filtering @bencolon
• #1381 Update organization migration documentation links @rzhade3

4.21.0

API Support

• #1319 Add delete workflow run support @szemek
• #1322 Add match refs support @AHaymond
• #1329 Add rename branch support @gmcgibbon
• #1332 Add billing actions support @M-Yamashita01

Error handling

• #1324 Handle path diff too large errors @yykamei

Code clean up

• #1326 Remove graduated preview headers @ivailop

Documentation

• #1314 Update authentication usage @curquiza
• #1317 Fix logo link @gjtorikian
• #1318 Fix GitHub typo @bl-ue

4.20.0

API Support

• #1304 Added the ability to delete a deployment @jer-k
• #1308 Add repo vulnerability alerts related functionality for repositories @calvinhughes

Bug fixes

• #1309 Paginate outside_collaborators calls @sds
• #1316 Uses of FaradayMiddleware#on_complete should not be private @tarebyte

Code improvements

• #1131 Add CommitIsNotPartOfPullRequest error @wata727
• #1303 Remove integrations preview header @MichaelViveros
• #1307 Raise Octokit::InstallationSuspended when another error is received @yykamei

Documentation

• #1302 Add documentation on how to specify the ref option for RubyDoc @aomathwift
• #1311 Fix Code of Conduct link in Table of Contents @eduardoj

4.19.0

Code Improvements

• #1223 Ensure a boolean is returned for application_authenticated @zakallen
• #1255 Update api paths in the organization api to take ids @hmharvey
• #1260 Fix last_response behavior after failures @JackTLi
• #1253 Ensure adapters set SSL options properly @tjwallace
• #1270 Add context around rate limit errors @jatindhankhar

API Support

• #1252 Introduces support for the ActionWorkflow and ActionWorkflowRun APIs @petar-lazarov
• #1236 Support for ActionsSecrets API @jylitalo
• #1266 Support for get the authenticated app @kitop
• #1281 Support for create a workflow dispatch event @igfoo
• #1286 Support installation suspended failures @stmllr
• #1288 Support for user migration endpoints @stmllr

Documentation

• #1248 Fix documentation link for update a repository @spier
• #1269 Update some documentation param names @tarebyte
• #1276 Remove dangling phrase in CONTRIBUTING.md @igfoo
• #1278 Link related doc in CONTRIBUTING.md @igfoo
• #1279 Fix script typo in README.md @igfoo
• #1291 Fix typo in authorizations comments @ohbarye

CI and dependency updates

• #1206 Increased CI coverage @MSP-Greg
• #1243 Add Ruby 2.7 CI support @ybiquitous
• #1244 Removed coveralls dependency @hmharvey
• #1263 Remove duplicated CI coverage @hmharvey
• #1264 Keep running CI on PRs @hmharvey

4.18.0

Documentation

• #1200 Fix an API link in the Search client @NickLaMuro

Preview Header Support

• #1183 Enable issue events API to return project events @gammons
• #1203 Update deprecated application API to new preview @oreoshake

Bug Fixes

• #1201 Fix random test failures @MSP-Greg
• #1218 Fix incorrect URLs for the Authorizations client @tarebyte

4.17.0

Documentation

• #1200 Fix an API link in the Search client @NickLaMuro

Preview Header Support

• #1183 Enable issue events API to return project events @gammons
• #1203 Update deprecated application API to new preview @oreoshake

Bug Fixes

• #1201 Fix random test failures @MSP-Greg

4.16.0

New features

• #1187 Support for Commit Branches @tgmachina

Resolve deprecation warnings

• #1192 Fix deprecation notice for authentication via query parameters @tarebyte

Documentation

• #1137 Clarify force parameter documentation @rmacklin
• #1186 Fix team_by_name example @steinbrueckri
• #1190 Fix API links in the Apps client @ybiquitous

Tooling updates

• #1185 Fix action builds against 4-stable @tarebyte

4.15.0

Preview header support
#1114 Adds drafts preview header @andrew
#1132 Update branch protection preview @spikex

New features
#1133 Support for template repositories @EricPickup
#1136 Add method to find team by name @gallexi
#1153 Add method to delete installation @yykamei
#1151 Add method to update pull request review @eric-silverman
#1162 Support for Commit pulls @tgmachina

Improved error handling
#1115 Add BillingIssue error @stmllr
#1106 Add TooLargeContent error @ybiquitous
#1164 Add SAMLProtected error @tarebyte

Resolve deprecation warnings
#1152 Fix version deprecation warning in ci builds @hmharvey
#1154 Fix faraday error subclass @Gasparila

Documentation
#1123 Add option in the pull request state parameter @4geru
#1135 Fix the contributing doc steps @gallexi
#1134 Fix the code example for update branch @rmacklin
#1139 Add assignee params @4geru
#1138 Update link to new collaborators api @shaunakpp
#1129 Add code of conduct @spikex
#1102 Update readme to point directly to v3 api @binhums

Tooling updates
#1142 Migrated to actions @tarebyte

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ addressable (indirect, 2.7.0 → 2.8.0) · Repo · Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service in Addressable templates

Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption,
leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input,
but nonetheless, no previous security advisory for Addressable has cautioned against doing this.
Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.

Release Notes

2.8.0 (from changelog)

• fixes ReDoS vulnerability in Addressable::Template#match
• no longer replaces + with spaces in queries for non-http(s) schemes
• fixed encoding ipv6 literals
• the :compacted flag for normalized_query now dedupes parameters
• fix broken escape_component alias
• dropping support for Ruby 2.0 and 2.1
• adding Ruby 3.0 compatibility for development tasks
• drop support for rack-mount and remove Addressable::Template#generate
• performance improvements
• switch CI/CD to GitHub Actions

Does any of this look wrong? Please let us know.

↗️ faraday (indirect, 0.16.2 → 2.3.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sawyer (indirect, 0.8.2 → 0.9.2) · Repo

Release Notes

0.9.1

What's Changed

• Specify correct minimal Faraday version by @skryukov in #73

New Contributors

• @skryukov made their first contribution in #73

Full Changelog: v0.9.0...v0.9.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

• Release 0.9.2
• Version bump to 0.9.2
• Add `dig` and `fetch` to `Sawyer::Resource` (#74)
• Version bump to 0.9.1
• Specify correct minimal Faraday version (#73)
• Version bump to 0.9.0
• Enhance Faraday Support (#72)
• Allow closing underlying connection. (#67)

🆕 faraday-net_http (added, 2.0.3)

🆕 ruby2_keywords (added, 0.0.5)

🗑️ multipart-post (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[vtex-io-ci-cd]

Hi! I'm VTEX IO CI/CD Bot and I'll be helping you to publish your app! 🤖

Please select which version do you want to release:

• Patch (backwards-compatible bug fixes)

• Minor (backwards-compatible functionality)

• Major (incompatible API changes)

And then you just need to merge your PR when you are ready! There is no need to create a release commit/tag.

• No thanks, I would rather do it manually 😞

[changeset-bot]

⚠️ No Changeset found

Latest commit: 14af749

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information