{"id":22539,"name":"sanitize","ecosystem":"rubygems","repository_url":"https://github.com/rgrove/sanitize","issues_count":14,"created_at":"2025-06-07T02:56:11.754Z","updated_at":"2025-06-07T02:56:11.754Z","purl":"pkg:gem/sanitize","metadata":{"id":296061,"name":"sanitize","ecosystem":"rubygems","description":"Sanitize is an allowlist-based HTML and CSS sanitizer. It removes all HTML\nand/or CSS from a string except the elements, attributes, and properties you\nchoose to allow.'\n","homepage":"https://github.com/rgrove/sanitize/","licenses":"MIT","normalized_licenses":["MIT"],"repository_url":"https://github.com/rgrove/sanitize","keywords_array":[],"namespace":null,"versions_count":71,"first_release_published_at":"2009-07-25T17:53:48.000Z","latest_release_published_at":"2024-12-30T05:00:35.019Z","latest_release_number":"7.0.0","last_synced_at":"2025-06-07T02:06:33.254Z","created_at":"2022-04-06T10:31:03.280Z","updated_at":"2025-06-07T02:07:55.711Z","registry_url":"https://rubygems.org/gems/sanitize","install_command":"gem install sanitize -s https://rubygems.org","documentation_url":"http://www.rubydoc.info/gems/sanitize/","metadata":{"funding":null},"repo_metadata":{"id":471581,"uuid":"96577","full_name":"rgrove/sanitize","owner":"rgrove","description":"Ruby HTML and CSS sanitizer.","archived":false,"fork":false,"pushed_at":"2024-12-30T22:30:26.000Z","size":2039,"stargazers_count":2049,"open_issues_count":0,"forks_count":145,"subscribers_count":20,"default_branch":"main","last_synced_at":"2025-05-28T09:54:14.618Z","etag":null,"topics":["css","html","ruby","sanitization"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rgrove.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2008-12-25T06:03:43.000Z","updated_at":"2025-05-07T12:15:21.000Z","dependencies_parsed_at":"2024-01-27T05:30:52.813Z","dependency_job_id":"6ffd948b-e263-4bc5-9bfa-37a24a88f83f","html_url":"https://github.com/rgrove/sanitize","commit_stats":{"total_commits":443,"total_committers":49,"mean_commits":9.040816326530612,"dds":"0.16930022573363435","last_synced_commit":"2dfa666ed5f8c59e1f9efcf0339f1e769876d3df"},"previous_names":[],"tags_count":57,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rgrove","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":258092973,"owners_count":22649735,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"},"owner_record":{"login":"rgrove","name":"Ryan Grove","uuid":"1465","kind":"user","description":"I like pie.","email":"","website":"https://wonko.com","location":"Portland, OR","twitter":null,"company":"SmugMug","icon_url":"https://avatars.githubusercontent.com/u/1465?u=1e86f1faa0a945cc1ef91c86c86428dc0bf603d4\u0026v=4","repositories_count":88,"last_synced_at":"2024-04-08T15:11:43.710Z","metadata":{"has_sponsors_listing":false},"html_url":"https://github.com/rgrove","funding_links":[],"total_stars":8034,"followers":793,"following":47,"created_at":"2022-11-02T16:43:30.650Z","updated_at":"2024-04-08T15:11:53.065Z","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rgrove","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rgrove/repositories"},"tags":[{"name":"v7.0.0","sha":"19ee751d1b1c1e9d0335c0438fdb6b389544c45c","kind":"commit","published_at":"2024-12-30T04:57:57.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v7.0.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/v7.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v7.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v7.0.0/manifests"},{"name":"v6.1.3","sha":"b0ec1d6104d1048d4e91d898ae0d752b8d7c14a1","kind":"tag","published_at":"2024-08-14T17:16:07.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v6.1.3","html_url":"https://github.com/rgrove/sanitize/releases/tag/v6.1.3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v6.1.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v6.1.3/manifests"},{"name":"v6.1.2","sha":"a98ac98c3260b8cf034e508eb069d613016b7aab","kind":"tag","published_at":"2024-07-27T18:55:59.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v6.1.2","html_url":"https://github.com/rgrove/sanitize/releases/tag/v6.1.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v6.1.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v6.1.2/manifests"},{"name":"v6.1.1","sha":"2bc3d4a7bfd76cef9dac1a5ea946557b05612147","kind":"tag","published_at":"2024-06-13T00:10:36.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v6.1.1","html_url":"https://github.com/rgrove/sanitize/releases/tag/v6.1.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v6.1.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v6.1.1/manifests"},{"name":"v6.1.0","sha":"7194dca84a1238fa3294c2eb08a6062b9f60e7f8","kind":"commit","published_at":"2023-09-14T21:50:29.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v6.1.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/v6.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v6.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v6.1.0/manifests"},{"name":"v6.0.2","sha":"76ed46e6dc70820f38efe27de8dabd54dddb5220","kind":"commit","published_at":"2023-07-06T14:54:00.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v6.0.2","html_url":"https://github.com/rgrove/sanitize/releases/tag/v6.0.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v6.0.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v6.0.2/manifests"},{"name":"v6.0.1","sha":"a92f21cd223a32a1737262d68e56a4fb8b9470f9","kind":"tag","published_at":"2023-01-27T18:21:08.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v6.0.1","html_url":"https://github.com/rgrove/sanitize/releases/tag/v6.0.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v6.0.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v6.0.1/manifests"},{"name":"v6.0.0","sha":"3fb1d86b47f48a1ad7de648bf318488cdd7f65ce","kind":"tag","published_at":"2021-08-04T04:29:24.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v6.0.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/v6.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v6.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v6.0.0/manifests"},{"name":"v5.2.3","sha":"9b8b55b6b90895a232f4243eaf5a4e6454136e20","kind":"tag","published_at":"2021-01-11T23:41:32.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v5.2.3","html_url":"https://github.com/rgrove/sanitize/releases/tag/v5.2.3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v5.2.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v5.2.3/manifests"},{"name":"v5.2.2","sha":"4ea3d8ec48563f19c0927153ae1217fd9aa3d962","kind":"tag","published_at":"2021-01-06T19:01:25.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v5.2.2","html_url":"https://github.com/rgrove/sanitize/releases/tag/v5.2.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v5.2.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v5.2.2/manifests"},{"name":"v5.2.1","sha":"773d1af976b0e67a966bd3676ebab4f037395699","kind":"commit","published_at":"2020-06-16T00:27:27.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v5.2.1","html_url":"https://github.com/rgrove/sanitize/releases/tag/v5.2.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v5.2.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v5.2.1/manifests"},{"name":"v5.2.0","sha":"4166da2437c2424ca5ae843cddc06201331751a9","kind":"commit","published_at":"2020-06-06T23:51:20.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v5.2.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/v5.2.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v5.2.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v5.2.0/manifests"},{"name":"v5.1.0","sha":"245c705bac3723c439f2025a090ca751635c23c2","kind":"tag","published_at":"2019-09-08T04:03:18.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v5.1.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/v5.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v5.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v5.1.0/manifests"},{"name":"v5.0.0","sha":"424f02f4fd279e650117d32388d0840097dbc4c9","kind":"tag","published_at":"2018-10-15T01:14:32.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v5.0.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/v5.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v5.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v5.0.0/manifests"},{"name":"v2.1.1","sha":"8dc3dcab79b5eb917535c4ace73db1c08eea71b7","kind":"tag","published_at":"2018-09-30T20:43:54.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v2.1.1","html_url":"https://github.com/rgrove/sanitize/releases/tag/v2.1.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v2.1.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v2.1.1/manifests"},{"name":"v4.6.6","sha":"cee5bfa9dfa00a9f4fd11f598039cd47b997d585","kind":"tag","published_at":"2018-07-24T03:28:03.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v4.6.6","html_url":"https://github.com/rgrove/sanitize/releases/tag/v4.6.6","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.6.6","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.6.6/manifests"},{"name":"v4.6.5","sha":"662b0e3dc4323ecb6cc42808972efec4bdb43128","kind":"tag","published_at":"2018-05-17T03:04:38.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v4.6.5","html_url":"https://github.com/rgrove/sanitize/releases/tag/v4.6.5","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.6.5","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.6.5/manifests"},{"name":"v4.6.4","sha":"acc7e6440139379a0c6b4b76b662ed90acd4b923","kind":"tag","published_at":"2018-03-20T16:37:57.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v4.6.4","html_url":"https://github.com/rgrove/sanitize/releases/tag/v4.6.4","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.6.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.6.4/manifests"},{"name":"v4.6.3","sha":"5f66eb1c66ba69bc83c503ff0a7ab57e7e940e66","kind":"tag","published_at":"2018-03-20T02:28:13.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v4.6.3","html_url":"https://github.com/rgrove/sanitize/releases/tag/v4.6.3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.6.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.6.3/manifests"},{"name":"v4.6.2","sha":"0eee92eb939d0c709fdf4e337c0643cba0fb894c","kind":"tag","published_at":"2018-03-19T18:58:41.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v4.6.2","html_url":"https://github.com/rgrove/sanitize/releases/tag/v4.6.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.6.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.6.2/manifests"},{"name":"v4.6.1","sha":"184709be85e06a613311f01e00930010b2cbc6bf","kind":"tag","published_at":"2018-03-15T22:50:20.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v4.6.1","html_url":"https://github.com/rgrove/sanitize/releases/tag/v4.6.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.6.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.6.1/manifests"},{"name":"v4.6.0","sha":"1cbdff38bf84939a8981c05fe4ba0dd7eec0ed6e","kind":"tag","published_at":"2018-01-30T01:48:31.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v4.6.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/v4.6.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.6.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.6.0/manifests"},{"name":"v4.5.0","sha":"c1b5ff2e50241743bff6129e47a862b7a5e86f8c","kind":"commit","published_at":"2017-06-04T22:53:09.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v4.5.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/v4.5.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.5.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.5.0/manifests"},{"name":"v4.4.0","sha":"c2343fd56d97276434cacf49a52d876d30eb86d7","kind":"commit","published_at":"2016-09-30T00:19:52.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v4.4.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/v4.4.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.4.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.4.0/manifests"},{"name":"v4.3.0","sha":"bf1cade2e3f73bc3eb5fa360aa2987a4e36396d0","kind":"commit","published_at":"2016-09-20T17:17:59.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v4.3.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/v4.3.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.3.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.3.0/manifests"},{"name":"v4.2.0","sha":"5d1e07cd2224724824f02ec6465c14d780fad984","kind":"commit","published_at":"2016-08-23T00:57:04.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v4.2.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/v4.2.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.2.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.2.0/manifests"},{"name":"v4.1.0","sha":"926df4aa041908a939908a98e29efbac622230b8","kind":"commit","published_at":"2016-07-17T20:51:10.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v4.1.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/v4.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.1.0/manifests"},{"name":"v4.0.1","sha":"425641797ee44d868c1124734258ea9e83afac1d","kind":"commit","published_at":"2015-12-09T19:07:05.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v4.0.1","html_url":"https://github.com/rgrove/sanitize/releases/tag/v4.0.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.0.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.0.1/manifests"},{"name":"v4.0.0","sha":"d7c74e84a00e305cfec078dbf63856afc776f90c","kind":"commit","published_at":"2015-04-20T18:32:09.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v4.0.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/v4.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v4.0.0/manifests"},{"name":"v3.1.2","sha":"f93115b64e07f37eb41c14e70d708aee2da4b3c9","kind":"commit","published_at":"2015-02-22T21:12:33.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v3.1.2","html_url":"https://github.com/rgrove/sanitize/releases/tag/v3.1.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v3.1.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v3.1.2/manifests"},{"name":"v3.1.1","sha":"bfaf14ade98be3600cc0e93b8f9596bd80f054b6","kind":"commit","published_at":"2015-02-04T17:37:50.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v3.1.1","html_url":"https://github.com/rgrove/sanitize/releases/tag/v3.1.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v3.1.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v3.1.1/manifests"},{"name":"v3.1.0","sha":"4db352f1b802558d0452548146ff3cd8657b963d","kind":"commit","published_at":"2014-12-23T01:26:05.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v3.1.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/v3.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v3.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v3.1.0/manifests"},{"name":"v3.0.4","sha":"4fc3a8e3873feeb9c85f3fae1d38fa226bc507a2","kind":"commit","published_at":"2014-12-12T23:22:46.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v3.0.4","html_url":"https://github.com/rgrove/sanitize/releases/tag/v3.0.4","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v3.0.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v3.0.4/manifests"},{"name":"v3.0.3","sha":"404e5defbd19daf2bbae6e31609fb4ea529e72fd","kind":"commit","published_at":"2014-10-29T22:45:38.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v3.0.3","html_url":"https://github.com/rgrove/sanitize/releases/tag/v3.0.3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v3.0.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v3.0.3/manifests"},{"name":"v3.0.2","sha":"c62e83b34296f6433213cc008af8dee1421c5d1e","kind":"commit","published_at":"2014-09-03T00:36:52.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v3.0.2","html_url":"https://github.com/rgrove/sanitize/releases/tag/v3.0.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v3.0.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v3.0.2/manifests"},{"name":"v3.0.1","sha":"b8934d84fa94b8e4f335e1a037a4ff225445664c","kind":"commit","published_at":"2014-09-03T00:22:34.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v3.0.1","html_url":"https://github.com/rgrove/sanitize/releases/tag/v3.0.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v3.0.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v3.0.1/manifests"},{"name":"v3.0.0","sha":"3b68765f21c7387fa6ee0d348a40f7d4d4e94f21","kind":"commit","published_at":"2014-06-21T22:56:03.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v3.0.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/v3.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v3.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v3.0.0/manifests"},{"name":"v2.1.0","sha":"76ee6e448b5480c49a79ed1f7ed6f212069f272b","kind":"commit","published_at":"2014-01-13T23:27:16.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v2.1.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/v2.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v2.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v2.1.0/manifests"},{"name":"v2.0.6","sha":"7d5fed1931402986b314bfd742d7610a389691d7","kind":"commit","published_at":"2013-07-11T00:33:46.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v2.0.6","html_url":"https://github.com/rgrove/sanitize/releases/tag/v2.0.6","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v2.0.6","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v2.0.6/manifests"},{"name":"v2.0.5","sha":"28fc8c3bb22e2d88d4f0681019d35c27f1c8e80d","kind":"commit","published_at":"2013-07-10T16:48:27.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v2.0.5","html_url":"https://github.com/rgrove/sanitize/releases/tag/v2.0.5","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v2.0.5","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v2.0.5/manifests"},{"name":"v2.0.4","sha":"db6cb39407547da7644fe1bbdad1c13b0ed904c6","kind":"commit","published_at":"2013-06-12T18:05:01.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v2.0.4","html_url":"https://github.com/rgrove/sanitize/releases/tag/v2.0.4","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v2.0.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v2.0.4/manifests"},{"name":"v2.0.3","sha":"afdfa8f7f4129820c573f94f79b99aed715a385d","kind":"commit","published_at":"2011-07-02T05:27:43.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/v2.0.3","html_url":"https://github.com/rgrove/sanitize/releases/tag/v2.0.3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v2.0.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/v2.0.3/manifests"},{"name":"release-2.0.2","sha":"1d1c14355b3414da172d3ee912bbbd2822b06308","kind":"commit","published_at":"2011-05-21T16:48:21.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/release-2.0.2","html_url":"https://github.com/rgrove/sanitize/releases/tag/release-2.0.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-2.0.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-2.0.2/manifests"},{"name":"release-2.0.1","sha":"1c8291fa7a446bdda4162f2f61ffbd929e9f4169","kind":"commit","published_at":"2011-03-16T21:48:54.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/release-2.0.1","html_url":"https://github.com/rgrove/sanitize/releases/tag/release-2.0.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-2.0.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-2.0.1/manifests"},{"name":"release-2.0.0","sha":"515e9d8cc4588acc8d7c2e491d1c96e7f7509051","kind":"commit","published_at":"2011-01-15T21:22:01.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/release-2.0.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/release-2.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-2.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-2.0.0/manifests"},{"name":"release-1.2.1","sha":"d88227e8d6fa5713a0522574a65dcd79f8285fd9","kind":"commit","published_at":"2010-04-21T01:04:52.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/release-1.2.1","html_url":"https://github.com/rgrove/sanitize/releases/tag/release-1.2.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.2.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.2.1/manifests"},{"name":"release-1.2.0","sha":"cd99fa585a59eb44f26601cb47e5addbed6f96d2","kind":"commit","published_at":"2010-01-17T23:45:26.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/release-1.2.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/release-1.2.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.2.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.2.0/manifests"},{"name":"release-1.1.0","sha":"d95f2c70aa9903cd69f1b72fe83a549c4664f642","kind":"commit","published_at":"2009-10-11T20:13:50.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/release-1.1.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/release-1.1.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.1.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.1.0/manifests"},{"name":"release-1.0.8","sha":"5d01e561fa1c554ea46b621d77f2e278c7771050","kind":"commit","published_at":"2009-04-24T01:52:16.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/release-1.0.8","html_url":"https://github.com/rgrove/sanitize/releases/tag/release-1.0.8","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.8","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.8/manifests"},{"name":"release-1.0.7","sha":"ff87e40ac0092270a9fda624f43bae321bf5c970","kind":"commit","published_at":"2009-04-12T01:57:10.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/release-1.0.7","html_url":"https://github.com/rgrove/sanitize/releases/tag/release-1.0.7","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.7","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.7/manifests"},{"name":"release-1.0.6","sha":"31e19100548ad6d133dfd17d98fefca6fa43880b","kind":"commit","published_at":"2009-02-24T05:24:24.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/release-1.0.6","html_url":"https://github.com/rgrove/sanitize/releases/tag/release-1.0.6","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.6","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.6/manifests"},{"name":"release-1.0.5","sha":"c20ff3b5b5ac90a023e643f79e4344da7086c633","kind":"commit","published_at":"2009-02-06T02:13:58.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/release-1.0.5","html_url":"https://github.com/rgrove/sanitize/releases/tag/release-1.0.5","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.5","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.5/manifests"},{"name":"release-1.0.4","sha":"9e81fd9c26cdf1d9148306311d92d86f8bfbbce7","kind":"commit","published_at":"2009-01-16T23:40:58.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/release-1.0.4","html_url":"https://github.com/rgrove/sanitize/releases/tag/release-1.0.4","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.4","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.4/manifests"},{"name":"release-1.0.3","sha":"152999220c4d3167b8a850f5fede97e3152380e2","kind":"commit","published_at":"2009-01-16T06:09:41.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/release-1.0.3","html_url":"https://github.com/rgrove/sanitize/releases/tag/release-1.0.3","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.3","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.3/manifests"},{"name":"release-1.0.2","sha":"8ec7a8f06af8d937e53d99bd8b3240558e5b5a3e","kind":"commit","published_at":"2009-01-04T20:10:23.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/release-1.0.2","html_url":"https://github.com/rgrove/sanitize/releases/tag/release-1.0.2","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.2","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.2/manifests"},{"name":"release-1.0.1","sha":"ad7b483977a0ebb241677d6a3d66d3405b46abad","kind":"commit","published_at":"2009-01-01T21:16:32.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/release-1.0.1","html_url":"https://github.com/rgrove/sanitize/releases/tag/release-1.0.1","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.1","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.1/manifests"},{"name":"release-1.0.0","sha":"50cdcf2cdc94d6e95de6f1894a7cc8eb91520b76","kind":"commit","published_at":"2008-12-25T06:06:06.000Z","download_url":"https://codeload.github.com/rgrove/sanitize/tar.gz/release-1.0.0","html_url":"https://github.com/rgrove/sanitize/releases/tag/release-1.0.0","dependencies_parsed_at":null,"dependency_job_id":null,"tag_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.0","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rgrove%2Fsanitize/tags/release-1.0.0/manifests"}]},"repo_metadata_updated_at":"2025-06-07T02:07:55.711Z","dependent_packages_count":260,"downloads":107510441,"downloads_period":"total","dependent_repos_count":10715,"rankings":{"downloads":0.22078255148805212,"dependent_repos_count":0.326156041970986,"dependent_packages_count":0.1544362797025011,"stargazers_count":1.1239838984846289,"forks_count":1.992060748653561,"docker_downloads_count":0.18287039618202294,"average":0.666714986080292},"purl":"pkg:gem/sanitize","advisories":[{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTdmNDItcDg0ai1mNThw","url":"https://github.com/advisories/GHSA-7f42-p84j-f58p","title":"Sanitize vulnerable to Improper Input Validation and Cross-site Scripting","description":"When Sanitize \u003c= 4.6.2 is used in combination with libxml2 \u003e= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements.\n\nThis can allow HTML and JavaScript injection, which could result in XSS if Sanitize's output is served to browsers.","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2018-03-21T11:56:32.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://nvd.nist.gov/vuln/detail/CVE-2018-3740","https://github.com/rgrove/sanitize/issues/176","https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e","https://about.gitlab.com/2018/06/25/security-release-gitlab-11-dot-0-dot-1-released/","https://www.debian.org/security/2018/dsa-4358","https://github.com/rgrove/sanitize/commit/93feeb38e21864146bb29191792b971dbe1ec62e","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sanitize/CVE-2018-3740.yml","https://github.com/advisories/GHSA-7f42-p84j-f58p"],"source_kind":"github","identifiers":["GHSA-7f42-p84j-f58p","CVE-2018-3740"],"repository_url":"https://github.com/rgrove/sanitize","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"4.6.3","vulnerable_version_range":"\u003e= 3.0.0, \u003c 4.6.3"}],"ecosystem":"rubygems","package_name":"sanitize"}],"created_at":"2022-12-21T16:11:56.314Z","updated_at":"2023-01-23T20:47:12.000Z","epss_percentage":0.00251,"epss_percentile":0.48525},{"uuid":"GSA_kwCzR0hTQS1mNXd3LWNxM20tcTNnN84AA0Xi","url":"https://github.com/advisories/GHSA-f5ww-cq3m-q3g7","title":"Sanitize vulnerable to Cross-site Scripting via insufficient neutralization of `style` element content","description":"### Impact\n\nUsing carefully crafted input, an attacker may be able to sneak arbitrary HTML and CSS through Sanitize `\u003e= 3.0.0, \u003c 6.0.2` when Sanitize is configured to use the built-in \"relaxed\" config or when using a custom config that allows `style` elements and one or more CSS at-rules. This could result in XSS (cross-site scripting) or other undesired behavior when the malicious HTML and CSS are rendered in a browser.\n\n### Patches\n\nSanitize `\u003e= 6.0.2` performs additional escaping of CSS in `style` element content, which fixes this issue.\n\n### Workarounds\n\nUsers who are unable to upgrade can prevent this issue by using a Sanitize config that doesn't allow `style` elements, using a Sanitize config that doesn't allow CSS at-rules, or by manually escaping the character sequence `\u003c/` as `\u003c\\/` in `style` element content.\n\n### Credit\n\nThis issue was found by @cure53 during an audit of a project that uses Sanitize and was reported by one of that project's maintainers. Thank you!","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2023-07-06T19:45:44.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7","https://nvd.nist.gov/vuln/detail/CVE-2023-36823","https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220","https://github.com/rgrove/sanitize/releases/tag/v6.0.2","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sanitize/CVE-2023-36823.yml","https://lists.debian.org/debian-lts-announce/2023/11/msg00008.html","https://github.com/advisories/GHSA-f5ww-cq3m-q3g7"],"source_kind":"github","identifiers":["GHSA-f5ww-cq3m-q3g7","CVE-2023-36823"],"repository_url":"https://github.com/rgrove/sanitize","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"6.0.2","vulnerable_version_range":"\u003e= 3.0.0, \u003c 6.0.2"}],"ecosystem":"rubygems","package_name":"sanitize"}],"created_at":"2023-07-06T20:03:48.926Z","updated_at":"2023-11-23T05:05:19.000Z","epss_percentage":0.0021,"epss_percentile":0.4369},{"uuid":"MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXA0eDQtcncycC04ajht","url":"https://github.com/advisories/GHSA-p4x4-rw2p-8j8m","title":"Cross-site Scripting in Sanitize ","description":"When HTML is sanitized using Sanitize's \"relaxed\" config or a custom config that allows certain elements, some content in a `\u003cmath\u003e` or `\u003csvg\u003e` element may not be sanitized correctly even if `math` and `svg` are not in the allowlist.\n\nYou are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML elements:\n\n- `iframe`\n- `math`\n- `noembed`\n- `noframes`\n- `noscript`\n- `plaintext`\n- `script`\n- `style`\n- `svg`\n- `xmp`\n\n### Impact\n\nUsing carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize, potentially resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser.\n\n### Releases\n\nThis problem has been fixed in Sanitize 5.2.1.\n\n### Workarounds\n\nIf upgrading is not possible, a workaround is to override the default value of Sanitize's `:remove_contents` config option with the following value, which ensures that the contents of `math` and `svg` elements (among others) are removed entirely when those elements are not in the allowlist:\n\n```ruby\n%w[iframe math noembed noframes noscript plaintext script style svg xmp]\n```\n\nFor example, if you currently use Sanitize's relaxed config, you can create a custom config object that overrides the default value of `:remove_contents` like this:\n\n```ruby\ncustom_config = Sanitize::Config.merge(\n  Sanitize::Config::RELAXED,\n  :remove_contents =\u003e %w[iframe math noembed noframes noscript plaintext script style svg xmp]\n)\n```\n\nYou would then pass this custom config to Sanitize when sanitizing HTML.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open an issue in the [Sanitize repo](https://github.com/rgrove/sanitize).\n- See Sanitize's [security policy](https://github.com/rgrove/sanitize/security/policy).\n\n### Credits\n\nMany thanks to Michal Bentkowski of Securitum for reporting this bug and helping to verify the fix.\n\n### References\n\n- [GHSA-p4x4-rw2p-8j8m](https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m)\n- [CVE-2020-4054](https://nvd.nist.gov/vuln/detail/CVE-2020-4054)\n- https://github.com/rgrove/sanitize/releases/tag/v5.2.1","origin":"UNSPECIFIED","severity":"HIGH","published_at":"2020-06-16T22:08:06.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m","https://github.com/rgrove/sanitize/commit/a11498de9e283cd457b35ee252983662f7452aa9","https://github.com/rgrove/sanitize/releases/tag/v5.2.1","https://nvd.nist.gov/vuln/detail/CVE-2020-4054","https://www.debian.org/security/2020/dsa-4730","https://usn.ubuntu.com/4543-1/","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sanitize/CVE-2020-4054.yml","https://github.com/advisories/GHSA-p4x4-rw2p-8j8m"],"source_kind":"github","identifiers":["GHSA-p4x4-rw2p-8j8m","CVE-2020-4054"],"repository_url":"https://github.com/rgrove/sanitize","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"5.2.1","vulnerable_version_range":"\u003e= 3.0.0, \u003c 5.2.1"}],"ecosystem":"rubygems","package_name":"sanitize"}],"created_at":"2022-12-21T16:13:24.058Z","updated_at":"2023-05-16T16:18:27.000Z","epss_percentage":0.00484,"epss_percentile":0.6394},{"uuid":"GSA_kwCzR0hTQS1mdzNnLTJoM2otcW1tN84AAxPa","url":"https://github.com/advisories/GHSA-fw3g-2h3j-qmm7","title":"Improper neutralization of `noscript` element content may allow XSS in Sanitize","description":"### Impact\n\nUsing carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize `\u003e= 5.0.0, \u003c 6.0.1` when Sanitize is configured with a custom allowlist that allows `noscript` elements. This could result in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser.\n\nSanitize's default configs don't allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist.\n\n### Patches\n\nSanitize `\u003e= 6.0.1` always removes `noscript` elements and their contents, even when `noscript` is in the allowlist.\n\n### Workarounds\n\nUsers who are unable to upgrade can prevent this issue by using one of Sanitize's default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.\n\n### Details\n\nThe root cause of this issue is that HTML parsing rules treat the contents of a `noscript` element differently depending on whether scripting is enabled in the user agent. Nokogiri (the HTML parser Sanitize uses) doesn't support scripting so it follows the \"scripting disabled\" rules, but a web browser with scripting enabled will follow the \"scripting enabled\" rules. This means that Sanitize can't reliably make the contents of a `noscript` element safe for scripting enabled browsers. The safest thing to do is to remove the element and its contents entirely, which is now what Sanitize does in version 6.0.1 and later.\n\n### References\n\n- [Release Notes](https://github.com/rgrove/sanitize/releases/tag/v6.0.1)\n\n### Credit\n\nThanks to David Klein from [TU Braunschweig](https://www.tu-braunschweig.de/en/ias) (@leeN) for reporting this issue.","origin":"UNSPECIFIED","severity":"MODERATE","published_at":"2023-01-28T01:17:44.000Z","withdrawn_at":null,"classification":"GENERAL","cvss_score":0.0,"cvss_vector":null,"references":["https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7","https://nvd.nist.gov/vuln/detail/CVE-2023-23627","https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22","https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sanitize/CVE-2023-23627.yml","https://github.com/advisories/GHSA-fw3g-2h3j-qmm7"],"source_kind":"github","identifiers":["GHSA-fw3g-2h3j-qmm7","CVE-2023-23627"],"repository_url":"https://github.com/rgrove/sanitize","blast_radius":0.0,"packages":[{"versions":[{"first_patched_version":"6.0.1","vulnerable_version_range":"\u003e= 5.0.0, \u003c 6.0.1"}],"ecosystem":"rubygems","package_name":"sanitize"}],"created_at":"2023-01-28T02:02:56.422Z","updated_at":"2023-02-13T16:34:52.000Z","epss_percentage":0.00289,"epss_percentile":0.51743}],"docker_usage_url":"https://docker.ecosyste.ms/usage/rubygems/sanitize","docker_dependents_count":342,"docker_downloads_count":638935199,"usage_url":"https://repos.ecosyste.ms/usage/rubygems/sanitize","dependent_repositories_url":"https://repos.ecosyste.ms/api/v1/usage/rubygems/sanitize/dependencies","status":null,"funding_links":[],"critical":true,"versions_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages/sanitize/versions","version_numbers_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages/sanitize/version_numbers","dependent_packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages/sanitize/dependent_packages","related_packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages/sanitize/related_packages","maintainers":[{"uuid":"763","login":"rgrove","name":null,"email":null,"url":null,"packages_count":9,"html_url":"https://rubygems.org/profiles/rgrove","role":null,"created_at":"2022-11-09T09:49:55.830Z","updated_at":"2022-11-09T09:49:55.830Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers/rgrove/packages"}],"registry":{"name":"rubygems.org","url":"https://rubygems.org","ecosystem":"rubygems","default":true,"packages_count":198121,"maintainers_count":66429,"namespaces_count":0,"keywords_count":17804,"github":"rubygems","metadata":{"funded_packages_count":7046},"icon_url":"https://github.com/rubygems.png","created_at":"2022-04-04T15:19:23.446Z","updated_at":"2025-06-07T05:38:31.497Z","packages_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/packages","maintainers_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/maintainers","namespaces_url":"https://packages.ecosyste.ms/api/v1/registries/rubygems.org/namespaces"}},"unique_repositories_count":14,"unique_repositories_count_past_30_days":0,"recent_issues":[{"uuid":"2822017856","node_id":"PR_kwDOATht286oNJNA","number":144,"state":"closed","title":"Bump sanitize from 6.0.0 to 6.0.2","user":"dependabot[bot]","labels":["dependencies","ruby"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-09-12T09:46:36.000Z","author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-09-12T09:39:49.000Z","updated_at":"2025-09-12T09:46:36.000Z","time_to_close":407,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.0.0","new_version":"6.0.2","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.0.0 to 6.0.2.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.0.2\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eCVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS (cross-site scripting). This issue affects Sanitize versions 3.0.0 through 6.0.1.\u003c/p\u003e\n\u003cp\u003eWhen using Sanitize's relaxed config or a custom config that allows \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e elements and one or more CSS at-rules, carefully crafted input could be used to sneak arbitrary HTML through Sanitize.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7\"\u003eGHSA-f5ww-cq3m-q3g7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to \u003ca href=\"https://github.com/cure53\"\u003e\u003ccode\u003e@​cure53\u003c/code\u003e\u003c/a\u003e for finding this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.0.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even when \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed by a custom allowlist. In this scenario, carefully crafted input could sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not vulnerable. This issue only affects users who are using a custom config that adds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled in the user agent. Nokogiri doesn't support scripting so it follows the \u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will follow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably make the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled browsers, so the safest thing to do is to remove the element and its contents entirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such as \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was allowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in the readme and create a custom config that allowlisted all the elements involved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or if you heeded the warnings about MathML and SVG not being supported, you're not affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or SVG content and does not support this use case. The default configs don't allow MathML or SVG elements, and allowlisting MathML or SVG elements in a custom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing warnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/CHANGELOG.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.0.2 (2023-07-06)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eCVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS\n(cross-site scripting). This issue affects Sanitize versions 3.0.0 through\n6.0.1.\u003c/p\u003e\n\u003cp\u003eWhen using Sanitize's relaxed config or a custom config that allows \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e\nelements and one or more CSS at-rules, carefully crafted input could be used\nto sneak arbitrary HTML through Sanitize.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details:\n\u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7\"\u003eGHSA-f5ww-cq3m-q3g7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to \u003ca href=\"https://github.com/cure53\"\u003e\u003ccode\u003e@​cure53\u003c/code\u003e\u003c/a\u003e for finding this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.0.1 (2023-01-27)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even\nwhen \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed\nby a custom allowlist. In this scenario, carefully crafted input could sneak\narbitrary HTML through Sanitize, potentially enabling an XSS (cross-site\nscripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not\nvulnerable. This issue only affects users who are using a custom config that\nadds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of\na \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled\nin the user agent. Nokogiri doesn't support scripting so it follows the\n\u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will\nfollow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably\nmake the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled\nbrowsers, so the safest thing to do is to remove the element and its contents\nentirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details:\n\u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\n(\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such\nas \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220\"\u003e\u003ccode\u003e76ed46e\u003c/code\u003e\u003c/a\u003e Merge pull request from GHSA-f5ww-cq3m-q3g7\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/3481ac3f1255c6584c67fad2f9e44d809273125d\"\u003e\u003ccode\u003e3481ac3\u003c/code\u003e\u003c/a\u003e Release 6.0.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/773d927bc457f5cae21edc059654abc98101413c\"\u003e\u003ccode\u003e773d927\u003c/code\u003e\u003c/a\u003e Update history\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/041c068cec516474d61862faf3910b26c7e10073\"\u003e\u003ccode\u003e041c068\u003c/code\u003e\u003c/a\u003e Escape \u003ccode\u003e\u0026lt;/\u003c/code\u003e to prevent a style element from being closed prematurely\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a92f21cd223a32a1737262d68e56a4fb8b9470f9\"\u003e\u003ccode\u003ea92f21c\u003c/code\u003e\u003c/a\u003e Release 6.0.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7ac1dfb413f85bc15130435d64326576a345fe8a\"\u003e\u003ccode\u003e7ac1dfb\u003c/code\u003e\u003c/a\u003e Update links\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/784e78915a8fa9decbc67a06b85664432a3d14ab\"\u003e\u003ccode\u003e784e789\u003c/code\u003e\u003c/a\u003e Remove outdated comparison\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22\"\u003e\u003ccode\u003eec14265\u003c/code\u003e\u003c/a\u003e Always remove \u003ccode\u003e\\\u0026lt;noscript\u0026gt;\u003c/code\u003e elements\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/b4ee521df0d0616340c9648444be488381c238b1\"\u003e\u003ccode\u003eb4ee521\u003c/code\u003e\u003c/a\u003e Forcibly escape content in \u0026quot;unescaped text\u0026quot; elements inside math or svg names...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/94d5c220cd5f22f3865ed448b44215733a6976dc\"\u003e\u003ccode\u003e94d5c22\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.0.0...v6.0.2\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.0.0\u0026new-version=6.0.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/shireeshj/blog/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/shireeshj/blog/pull/144","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/shireeshj%2Fblog/issues/144","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/144/packages"},{"uuid":"2818097460","node_id":"PR_kwDOPrrxLM6n-ME0","number":61,"state":"open","title":"Bump sanitize from 6.1.3 to 7.0.0","user":"dependabot[bot]","labels":["dependencies","ruby"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"NONE","state_reason":null,"created_at":"2025-09-11T08:08:01.000Z","updated_at":"2025-09-11T08:08:02.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.1.3","new_version":"7.0.0","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.1.3 to 7.0.0.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev7.0.0\u003c/h2\u003e\n\u003cp\u003eSanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!\u003c/p\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eAdded over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of \u0026quot;Working Draft\u0026quot; or better in the latest \u003ca href=\"https://www.w3.org/Style/CSS/all-properties.en.html\"\u003eW3C \u0026quot;All Properties\u0026quot; list\u003c/a\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e-webkit-text-fill-color\u003c/code\u003e CSS property to the relaxed config. [\u003ca href=\"https://github.com/radar\"\u003e\u003ccode\u003e@​radar\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/244\"\u003e#244\u003c/a\u003e](\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/244\"\u003ergrove/sanitize#244\u003c/a\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 3.1.0 is now the oldest supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.16.8 or higher.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/CHANGELOG.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e7.0.0 (2024-12-29)\u003c/h2\u003e\n\u003cp\u003eSanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!\u003c/p\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eAdded over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of \u0026quot;Working Draft\u0026quot; or better in the latest \u003ca href=\"https://www.w3.org/Style/CSS/all-properties.en.html\"\u003eW3C \u0026quot;All Properties\u0026quot; list\u003c/a\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e-webkit-text-fill-color\u003c/code\u003e CSS property to the relaxed config. [\u003ca href=\"https://github.com/radar\"\u003e\u003ccode\u003e@​radar\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/244\"\u003e#244\u003c/a\u003e](\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/244\"\u003ergrove/sanitize#244\u003c/a\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 3.1.0 is now the oldest supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.16.8 or higher.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/19ee751d1b1c1e9d0335c0438fdb6b389544c45c\"\u003e\u003ccode\u003e19ee751\u003c/code\u003e\u003c/a\u003e Release 7.0.0\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/859c3aa11fdd71829a2424d98346fb8d8d14e522\"\u003e\u003ccode\u003e859c3aa\u003c/code\u003e\u003c/a\u003e Add contribution guidelines\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/45dbeac426189fca4772bf7221744be86cdd969f\"\u003e\u003ccode\u003e45dbeac\u003c/code\u003e\u003c/a\u003e Add \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/010e4e2a6e2423290876db4c5e7bbfa6845d1c3e\"\u003e\u003ccode\u003e010e4e2\u003c/code\u003e\u003c/a\u003e Add new CSS properties\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/c8ce4edcc228d02cae718ea5d71fbb7948938c64\"\u003e\u003ccode\u003ec8ce4ed\u003c/code\u003e\u003c/a\u003e Require MFA\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/0aece5eca67d7a3edefd301af3c90d5ecae0342d\"\u003e\u003ccode\u003e0aece5e\u003c/code\u003e\u003c/a\u003e Remove rubocop_todo.yml\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/99d67ab63cb25d2efb7c4f027c6cd21df1159264\"\u003e\u003ccode\u003e99d67ab\u003c/code\u003e\u003c/a\u003e Remove redundant Ruby 3.4 from the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/1127a0760302e796f8b76016fa7d78364d54721d\"\u003e\u003ccode\u003e1127a07\u003c/code\u003e\u003c/a\u003e Loosen Bundler dependency\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a41c5f609af9fb64d83945949e332042d621d94e\"\u003e\u003ccode\u003ea41c5f6\u003c/code\u003e\u003c/a\u003e Adopt Standard Ruby style\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/fa8d5e66b724928f16f8d05e27a958407350b3aa\"\u003e\u003ccode\u003efa8d5e6\u003c/code\u003e\u003c/a\u003e Move development dependencies to Gemfile\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.1.3...v7.0.0\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.1.3\u0026new-version=7.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/thinh20011111/test_backend/pull/61","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/thinh20011111%2Ftest_backend/issues/61","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/61/packages"},{"uuid":"2626910278","node_id":"PR_kwDOAB9lK86ck3hG","number":3122,"state":"closed","title":"Bump sanitize from 6.1.3 to 7.0.0","user":"dependabot[bot]","labels":["dependencies","ruby"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":"2025-06-29T12:37:12.000Z","author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-06-29T11:59:26.000Z","updated_at":"2025-06-29T12:37:12.000Z","time_to_close":2266,"merged_at":"2025-06-29T12:37:12.000Z","merged_by":"ZeiP","closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.1.3","new_version":"7.0.0","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.1.3 to 7.0.0.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev7.0.0\u003c/h2\u003e\n\u003cp\u003eSanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!\u003c/p\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eAdded over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of \u0026quot;Working Draft\u0026quot; or better in the latest \u003ca href=\"https://www.w3.org/Style/CSS/all-properties.en.html\"\u003eW3C \u0026quot;All Properties\u0026quot; list\u003c/a\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e-webkit-text-fill-color\u003c/code\u003e CSS property to the relaxed config. [\u003ca href=\"https://github.com/radar\"\u003e\u003ccode\u003e@​radar\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/244\"\u003e#244\u003c/a\u003e](\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/244\"\u003ergrove/sanitize#244\u003c/a\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 3.1.0 is now the oldest supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.16.8 or higher.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/CHANGELOG.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e7.0.0 (2024-12-29)\u003c/h2\u003e\n\u003cp\u003eSanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!\u003c/p\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eAdded over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of \u0026quot;Working Draft\u0026quot; or better in the latest \u003ca href=\"https://www.w3.org/Style/CSS/all-properties.en.html\"\u003eW3C \u0026quot;All Properties\u0026quot; list\u003c/a\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e-webkit-text-fill-color\u003c/code\u003e CSS property to the relaxed config. [\u003ca href=\"https://github.com/radar\"\u003e\u003ccode\u003e@​radar\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/244\"\u003e#244\u003c/a\u003e](\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/244\"\u003ergrove/sanitize#244\u003c/a\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 3.1.0 is now the oldest supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.16.8 or higher.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/19ee751d1b1c1e9d0335c0438fdb6b389544c45c\"\u003e\u003ccode\u003e19ee751\u003c/code\u003e\u003c/a\u003e Release 7.0.0\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/859c3aa11fdd71829a2424d98346fb8d8d14e522\"\u003e\u003ccode\u003e859c3aa\u003c/code\u003e\u003c/a\u003e Add contribution guidelines\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/45dbeac426189fca4772bf7221744be86cdd969f\"\u003e\u003ccode\u003e45dbeac\u003c/code\u003e\u003c/a\u003e Add \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/010e4e2a6e2423290876db4c5e7bbfa6845d1c3e\"\u003e\u003ccode\u003e010e4e2\u003c/code\u003e\u003c/a\u003e Add new CSS properties\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/c8ce4edcc228d02cae718ea5d71fbb7948938c64\"\u003e\u003ccode\u003ec8ce4ed\u003c/code\u003e\u003c/a\u003e Require MFA\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/0aece5eca67d7a3edefd301af3c90d5ecae0342d\"\u003e\u003ccode\u003e0aece5e\u003c/code\u003e\u003c/a\u003e Remove rubocop_todo.yml\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/99d67ab63cb25d2efb7c4f027c6cd21df1159264\"\u003e\u003ccode\u003e99d67ab\u003c/code\u003e\u003c/a\u003e Remove redundant Ruby 3.4 from the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/1127a0760302e796f8b76016fa7d78364d54721d\"\u003e\u003ccode\u003e1127a07\u003c/code\u003e\u003c/a\u003e Loosen Bundler dependency\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a41c5f609af9fb64d83945949e332042d621d94e\"\u003e\u003ccode\u003ea41c5f6\u003c/code\u003e\u003c/a\u003e Adopt Standard Ruby style\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/fa8d5e66b724928f16f8d05e27a958407350b3aa\"\u003e\u003ccode\u003efa8d5e6\u003c/code\u003e\u003c/a\u003e Move development dependencies to Gemfile\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.1.3...v7.0.0\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.1.3\u0026new-version=7.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/TracksApp/tracks/pull/3122","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/TracksApp%2Ftracks/issues/3122","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/3122/packages"},{"uuid":"2624965995","node_id":"PR_kwDOPC91Ss6cdc1r","number":172,"state":"open","title":"Bump sanitize from 6.0.1 to 7.0.0","user":"dependabot[bot]","labels":["dependencies","ruby"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"NONE","state_reason":null,"created_at":"2025-06-27T17:05:01.000Z","updated_at":"2025-06-27T17:05:02.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.0.1","new_version":"7.0.0","repository_url":null}],"path":null,"ecosystem":"rubygems"},"body":"\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.0.1\u0026new-version=7.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/dbortz/mastodon/pull/172","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/dbortz%2Fmastodon/issues/172","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/172/packages"},{"uuid":"2976531235","node_id":"PR_kwDOAAVuNc6RnYH8","number":1949,"state":"closed","title":"chore(deps): bump sanitize from 6.1.3 to 7.0.0","user":"dependabot[bot]","labels":["ruby","Stale","dependencies"],"assignees":[],"locked":false,"comments_count":2,"pull_request":true,"closed_at":"2025-08-26T12:12:30.000Z","author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-04-07T11:23:57.000Z","updated_at":"2025-08-26T12:12:32.000Z","time_to_close":12185313,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore(deps)","packages":[{"name":"sanitize","old_version":"6.1.3","new_version":"7.0.0","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.1.3 to 7.0.0.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev7.0.0\u003c/h2\u003e\n\u003cp\u003eSanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!\u003c/p\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eAdded over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of \u0026quot;Working Draft\u0026quot; or better in the latest \u003ca href=\"https://www.w3.org/Style/CSS/all-properties.en.html\"\u003eW3C \u0026quot;All Properties\u0026quot; list\u003c/a\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e-webkit-text-fill-color\u003c/code\u003e CSS property to the relaxed config. [\u003ca href=\"https://github.com/radar\"\u003e\u003ccode\u003e@​radar\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/244\"\u003e#244\u003c/a\u003e](\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/244\"\u003ergrove/sanitize#244\u003c/a\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 3.1.0 is now the oldest supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.16.8 or higher.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/CHANGELOG.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e7.0.0 (2024-12-29)\u003c/h2\u003e\n\u003cp\u003eSanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!\u003c/p\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eAdded over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of \u0026quot;Working Draft\u0026quot; or better in the latest \u003ca href=\"https://www.w3.org/Style/CSS/all-properties.en.html\"\u003eW3C \u0026quot;All Properties\u0026quot; list\u003c/a\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e-webkit-text-fill-color\u003c/code\u003e CSS property to the relaxed config. [\u003ca href=\"https://github.com/radar\"\u003e\u003ccode\u003e@​radar\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/244\"\u003e#244\u003c/a\u003e](\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/244\"\u003ergrove/sanitize#244\u003c/a\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 3.1.0 is now the oldest supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.16.8 or higher.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/19ee751d1b1c1e9d0335c0438fdb6b389544c45c\"\u003e\u003ccode\u003e19ee751\u003c/code\u003e\u003c/a\u003e Release 7.0.0\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/859c3aa11fdd71829a2424d98346fb8d8d14e522\"\u003e\u003ccode\u003e859c3aa\u003c/code\u003e\u003c/a\u003e Add contribution guidelines\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/45dbeac426189fca4772bf7221744be86cdd969f\"\u003e\u003ccode\u003e45dbeac\u003c/code\u003e\u003c/a\u003e Add \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/010e4e2a6e2423290876db4c5e7bbfa6845d1c3e\"\u003e\u003ccode\u003e010e4e2\u003c/code\u003e\u003c/a\u003e Add new CSS properties\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/c8ce4edcc228d02cae718ea5d71fbb7948938c64\"\u003e\u003ccode\u003ec8ce4ed\u003c/code\u003e\u003c/a\u003e Require MFA\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/0aece5eca67d7a3edefd301af3c90d5ecae0342d\"\u003e\u003ccode\u003e0aece5e\u003c/code\u003e\u003c/a\u003e Remove rubocop_todo.yml\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/99d67ab63cb25d2efb7c4f027c6cd21df1159264\"\u003e\u003ccode\u003e99d67ab\u003c/code\u003e\u003c/a\u003e Remove redundant Ruby 3.4 from the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/1127a0760302e796f8b76016fa7d78364d54721d\"\u003e\u003ccode\u003e1127a07\u003c/code\u003e\u003c/a\u003e Loosen Bundler dependency\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a41c5f609af9fb64d83945949e332042d621d94e\"\u003e\u003ccode\u003ea41c5f6\u003c/code\u003e\u003c/a\u003e Adopt Standard Ruby style\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/fa8d5e66b724928f16f8d05e27a958407350b3aa\"\u003e\u003ccode\u003efa8d5e6\u003c/code\u003e\u003c/a\u003e Move development dependencies to Gemfile\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.1.3...v7.0.0\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.1.3\u0026new-version=7.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nYou can trigger a rebase of this PR by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e\n\n\u003e **Note**\n\u003e Automatic rebases have been disabled on this pull request as it has been open for over 30 days.\n","html_url":"https://github.com/github/markup/pull/1949","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fmarkup/issues/1949","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/1949/packages"},{"uuid":"2798523570","node_id":"PR_kwDOAT6yh86IUKyf","number":1043,"state":"closed","title":"Bump sanitize from 6.1.0 to 7.0.0","user":"dependabot[bot]","labels":["dependencies","ruby"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-09-30T13:51:58.000Z","author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-01-20T08:13:26.000Z","updated_at":"2025-09-30T13:52:00.000Z","time_to_close":21879512,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.1.0","new_version":"7.0.0","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.1.0 to 7.0.0.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev7.0.0\u003c/h2\u003e\n\u003cp\u003eSanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!\u003c/p\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eAdded over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of \u0026quot;Working Draft\u0026quot; or better in the latest \u003ca href=\"https://www.w3.org/Style/CSS/all-properties.en.html\"\u003eW3C \u0026quot;All Properties\u0026quot; list\u003c/a\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e-webkit-text-fill-color\u003c/code\u003e CSS property to the relaxed config. [\u003ca href=\"https://github.com/radar\"\u003e\u003ccode\u003e@​radar\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/244\"\u003e#244\u003c/a\u003e](\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/244\"\u003ergrove/sanitize#244\u003c/a\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 3.1.0 is now the oldest supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.16.8 or higher.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.1.3\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eThe CSS URL protocol allowlist is now enforced on the nonstandard \u003ccode\u003e-webkit-image-set\u003c/code\u003e CSS function. [\u003ca href=\"https://github.com/ltk\"\u003e\u003ccode\u003e@​ltk\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/242\"\u003e#242\u003c/a\u003e]\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/242\"\u003e242\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.1.2\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eThe CSS URL protocol allowlist is now properly enforced in \u003ca href=\"https://drafts.csswg.org/css-images-4/\"\u003eCSS Images Module Level 4\u003c/a\u003e \u003ccode\u003eimage\u003c/code\u003e and \u003ccode\u003eimage-set\u003c/code\u003e functions. [\u003ca href=\"https://github.com/ltk\"\u003e\u003ccode\u003e@​ltk\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/240\"\u003e#240\u003c/a\u003e]\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/240\"\u003e240\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.1.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eProactively fixed a compatibility issue with libxml \u0026gt;= 2.13.0 (which will be used in an upcoming version of Nokogiri) that caused HTML doctype sanitization to fail. [\u003ca href=\"https://github.com/flavorjones\"\u003e\u003ccode\u003e@​flavorjones\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/238\"\u003e#238\u003c/a\u003e]\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/238\"\u003e238\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/CHANGELOG.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e7.0.0 (2024-12-29)\u003c/h2\u003e\n\u003cp\u003eSanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!\u003c/p\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eAdded over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of \u0026quot;Working Draft\u0026quot; or better in the latest \u003ca href=\"https://www.w3.org/Style/CSS/all-properties.en.html\"\u003eW3C \u0026quot;All Properties\u0026quot; list\u003c/a\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e-webkit-text-fill-color\u003c/code\u003e CSS property to the relaxed config. [\u003ca href=\"https://github.com/radar\"\u003e\u003ccode\u003e@​radar\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/244\"\u003e#244\u003c/a\u003e](\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/244\"\u003ergrove/sanitize#244\u003c/a\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 3.1.0 is now the oldest supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.16.8 or higher.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.1.3 (2024-08-14)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eThe CSS URL protocol allowlist is now enforced on the nonstandard \u003ccode\u003e-webkit-image-set\u003c/code\u003e CSS function. [\u003ca href=\"https://github.com/ltk\"\u003e\u003ccode\u003e@​ltk\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/242\"\u003e#242\u003c/a\u003e]\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/242\"\u003e242\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.1.2 (2024-07-27)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eThe CSS URL protocol allowlist is now properly enforced in \u003ca href=\"https://drafts.csswg.org/css-images-4/\"\u003eCSS Images Module Level 4\u003c/a\u003e \u003ccode\u003eimage\u003c/code\u003e and \u003ccode\u003eimage-set\u003c/code\u003e functions. [\u003ca href=\"https://github.com/ltk\"\u003e\u003ccode\u003e@​ltk\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/240\"\u003e#240\u003c/a\u003e]\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/240\"\u003e240\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.1.1 (2024-06-12)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eProactively fixed a compatibility issue with libxml \u0026gt;= 2.13.0 (which will be used in an upcoming version of Nokogiri) that caused HTML doctype sanitization to fail. [\u003ca href=\"https://github.com/flavorjones\"\u003e\u003ccode\u003e@​flavorjones\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/238\"\u003e#238\u003c/a\u003e]\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/238\"\u003e238\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/19ee751d1b1c1e9d0335c0438fdb6b389544c45c\"\u003e\u003ccode\u003e19ee751\u003c/code\u003e\u003c/a\u003e Release 7.0.0\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/859c3aa11fdd71829a2424d98346fb8d8d14e522\"\u003e\u003ccode\u003e859c3aa\u003c/code\u003e\u003c/a\u003e Add contribution guidelines\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/45dbeac426189fca4772bf7221744be86cdd969f\"\u003e\u003ccode\u003e45dbeac\u003c/code\u003e\u003c/a\u003e Add \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/010e4e2a6e2423290876db4c5e7bbfa6845d1c3e\"\u003e\u003ccode\u003e010e4e2\u003c/code\u003e\u003c/a\u003e Add new CSS properties\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/c8ce4edcc228d02cae718ea5d71fbb7948938c64\"\u003e\u003ccode\u003ec8ce4ed\u003c/code\u003e\u003c/a\u003e Require MFA\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/0aece5eca67d7a3edefd301af3c90d5ecae0342d\"\u003e\u003ccode\u003e0aece5e\u003c/code\u003e\u003c/a\u003e Remove rubocop_todo.yml\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/99d67ab63cb25d2efb7c4f027c6cd21df1159264\"\u003e\u003ccode\u003e99d67ab\u003c/code\u003e\u003c/a\u003e Remove redundant Ruby 3.4 from the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/1127a0760302e796f8b76016fa7d78364d54721d\"\u003e\u003ccode\u003e1127a07\u003c/code\u003e\u003c/a\u003e Loosen Bundler dependency\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a41c5f609af9fb64d83945949e332042d621d94e\"\u003e\u003ccode\u003ea41c5f6\u003c/code\u003e\u003c/a\u003e Adopt Standard Ruby style\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/fa8d5e66b724928f16f8d05e27a958407350b3aa\"\u003e\u003ccode\u003efa8d5e6\u003c/code\u003e\u003c/a\u003e Move development dependencies to Gemfile\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.1.0...v7.0.0\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.1.0\u0026new-version=7.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nYou can trigger a rebase of this PR by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e\n\n\u003e **Note**\n\u003e Automatic rebases have been disabled on this pull request as it has been open for over 30 days.\n","html_url":"https://github.com/ministryofjustice/peoplefinder/pull/1043","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/ministryofjustice%2Fpeoplefinder/issues/1043","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/1043/packages"},{"uuid":"1874319525","node_id":"PR_kwDOJTNuTc5vt9il","number":8,"state":"closed","title":"Build(deps): Bump the bundler group across 1 directory with 10 updates","user":"dependabot[bot]","labels":["dependencies","ruby"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":"2025-06-14T09:59:32.000Z","author_association":"NONE","state_reason":null,"created_at":"2024-05-16T21:12:59.000Z","updated_at":"2025-06-14T09:59:32.000Z","time_to_close":34001193,"merged_at":"2025-06-14T09:59:32.000Z","merged_by":"MNDL-27","closed_by":null,"dependency_metadata":{"prefix":"Build(deps): Bump","group_name":"bundler","update_count":10,"packages":[{"name":"nokogiri","old_version":"1.14.2","new_version":"1.16.5","repository_url":"https://github.com/sparklemotion/nokogiri"},{"name":"omniauth","old_version":"1.9.2","new_version":"2.0.0","repository_url":"https://github.com/omniauth/omniauth"},{"name":"sidekiq","old_version":"6.5.8","new_version":"6.5.10","repository_url":"https://github.com/sidekiq/sidekiq"},{"name":"rack","old_version":"2.2.6.4","new_version":"2.2.8.1","repository_url":"https://github.com/rack/rack"},{"name":"yard","old_version":"0.9.28","new_version":"0.9.36","repository_url":"https://github.com/lsegal/yard"},{"name":"puma","old_version":"6.2.1","new_version":"6.4.2","repository_url":"https://github.com/puma/puma"},{"name":"rotp","old_version":"6.2.2","new_version":"6.3.0","repository_url":"https://github.com/mdp/rotp"},{"name":"sanitize","old_version":"6.0.1","new_version":"6.0.2","repository_url":"https://github.com/rgrove/sanitize"},{"name":"rexml","old_version":"3.2.5","new_version":"3.2.8","repository_url":"https://github.com/ruby/rexml"},{"name":"uri","old_version":"0.12.1","new_version":"0.13.0","repository_url":"https://github.com/ruby/uri"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps the bundler group with 10 updates in the / directory:\n\n| Package | From | To |\n| --- | --- | --- |\n| [nokogiri](https://github.com/sparklemotion/nokogiri) | `1.14.2` | `1.16.5` |\n| [omniauth](https://github.com/omniauth/omniauth) | `1.9.2` | `2.0.0` |\n| [sidekiq](https://github.com/sidekiq/sidekiq) | `6.5.8` | `6.5.10` |\n| [rack](https://github.com/rack/rack) | `2.2.6.4` | `2.2.8.1` |\n| [yard](https://github.com/lsegal/yard) | `0.9.28` | `0.9.36` |\n| [puma](https://github.com/puma/puma) | `6.2.1` | `6.4.2` |\n| [rotp](https://github.com/mdp/rotp) | `6.2.2` | `6.3.0` |\n| [sanitize](https://github.com/rgrove/sanitize) | `6.0.1` | `6.0.2` |\n| [rexml](https://github.com/ruby/rexml) | `3.2.5` | `3.2.8` |\n| [uri](https://github.com/ruby/uri) | `0.12.1` | `0.13.0` |\n\n\nUpdates `nokogiri` from 1.14.2 to 1.16.5\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/sparklemotion/nokogiri/releases\"\u003enokogiri's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev1.16.5 / 2024-05-13\u003c/h2\u003e\n\u003ch3\u003eSecurity\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored libxml2 is updated to address CVE-2024-34459. See \u003ca href=\"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7\"\u003eGHSA-r95h-9x8f-r3f7\u003c/a\u003e for more information.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eDependencies\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored libxml2 is updated to \u003ca href=\"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7\"\u003ev2.12.7\u003c/a\u003e from v2.12.6. (\u003ca href=\"https://github.com/flavorjones\"\u003e\u003ccode\u003e@​flavorjones\u003c/code\u003e\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr /\u003e\n\u003cp\u003esha256 checksums:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eaf0f44fa3e664dfb2aa10de8b551447d720c1e8d1f0aa3f35783dcc43e40a874  nokogiri-1.16.5-aarch64-linux.gem\n23dc2357b26409a5c33b7e32a82902f0e9995305420f16d1a03ab3ea1a482fec  nokogiri-1.16.5-arm-linux.gem\n950d037530edb49f75ad35de0b8038b970a7dda57e2b6326895b0e49fadf6214  nokogiri-1.16.5-arm64-darwin.gem\nb7aefc94370c62476b8528e8d8abb6160203abd84a1f4eceda8f1aa8974d9989  nokogiri-1.16.5-java.gem\nec2167160df8fec3137bf95d574ed80ebc1d002bb3b281546b60b4aa9002466e  nokogiri-1.16.5-x64-mingw-ucrt.gem\n6984200491fac69974005ecfa2de129d61843d345eafa5d6f58e8b908d1cf107  nokogiri-1.16.5-x64-mingw32.gem\nabdc389ab1ec6604492da16bd9d06ad746fdb6bd6a1bd274c400d61ffcadb3c4  nokogiri-1.16.5-x86-linux.gem\n63d24981345856f2baf7f4089870a62d3042fb8d3021b280fb04fc052532e3c4  nokogiri-1.16.5-x86-mingw32.gem\n71b5f54e378c433d13df67c3b71acc4716129da62402d8181f310c4216a63279  nokogiri-1.16.5-x86_64-darwin.gem\n0ca238da870066bed2f7837af6f35791bb9b76c4c5638999c46aac44818a6a97  nokogiri-1.16.5-x86_64-linux.gem\nec36162c68984fa0a90a5c4ae7ab7759460639e716cc1ce75f34c3cb54158ad2  nokogiri-1.16.5.gem\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2\u003ev1.16.4 / 2024-04-10\u003c/h2\u003e\n\u003ch3\u003eDependencies\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored zlib in the precompiled native gems is updated to \u003ca href=\"https://zlib.net/ChangeLog.txt\"\u003ev1.3.1\u003c/a\u003e from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see \u003ca href=\"https://github.com/sparklemotion/nokogiri/discussions/3168\"\u003ethis discussion\u003c/a\u003e about removing the compression libraries altogether in a future version of Nokogiri.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr /\u003e\n\u003cp\u003esha256 checksums:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ebdb1dc4378ebcf3ade8f440c7df68f6d76946a1a96c4823a2b4c53c01a320cd5  nokogiri-1.16.4-aarch64-linux.gem\n0c994b9996d5576eddcc3201a94ef2bff6fc3627c4ae4d2708b0ec9b9743ec6a  nokogiri-1.16.4-arm-linux.gem\n8e86abb64c93c06d3c588042a0e757279e8f1dc88b5210a00be892a9a7a27196  nokogiri-1.16.4-arm64-darwin.gem\nbf84fa28be4943692bd64772186e0832fb1061f80714ccb93e111e9d72b1cadc  nokogiri-1.16.4-java.gem\na46808467c1f63a2031e1ca0715cd5336bb4ec759e9c0e2f4c951c1cc30994ae  nokogiri-1.16.4-x64-mingw-ucrt.gem\n4cdf64bc5e9443ec3e0b595347ecc8affe21968d9ae934c0825d26630ef96468  nokogiri-1.16.4-x64-mingw32.gem\nd86d21bae47dd9f6f5223055e45d33fae08b0b89aad94cbc0ece4f4274fa7af5  nokogiri-1.16.4-x86-linux.gem\nd488b872884844686780fda7cf5da44ee884d32faa713a55aeb4736d76718168  nokogiri-1.16.4-x86-mingw32.gem\na896e52a56951ffb0e6a9279afbf485d683e357a053d27f4cfcb2a73b0824628  nokogiri-1.16.4-x86_64-darwin.gem\n92ff4f09910255fec84b3bc4c4b182e94cada3ed12b9f7a6ea058e0af186fb31  nokogiri-1.16.4-x86_64-linux.gem\n\u0026lt;/tr\u0026gt;\u0026lt;/table\u0026gt; \n\u003c/code\u003e\u003c/pre\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md\"\u003enokogiri's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev1.16.5\u003c/h2\u003e\n\u003ch3\u003eSecurity\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored libxml2 is updated to address CVE-2024-34459. See \u003ca href=\"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7\"\u003eGHSA-r95h-9x8f-r3f7\u003c/a\u003e for more information.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eDependencies\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored libxml2 is updated to \u003ca href=\"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7\"\u003ev2.12.7\u003c/a\u003e from v2.12.6. (\u003ca href=\"https://github.com/flavorjones\"\u003e\u003ccode\u003e@​flavorjones\u003c/code\u003e\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev1.16.4 / 2024-04-10\u003c/h2\u003e\n\u003ch3\u003eDependencies\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored zlib in the precompiled native gems is updated to \u003ca href=\"https://zlib.net/ChangeLog.txt\"\u003ev1.3.1\u003c/a\u003e from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see \u003ca href=\"https://github.com/sparklemotion/nokogiri/discussions/3168\"\u003ethis discussion\u003c/a\u003e about removing the compression libraries altogether in a future version of Nokogiri.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev1.16.3 / 2024-03-15\u003c/h2\u003e\n\u003ch3\u003eDependencies\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored libxml2 is updated to \u003ca href=\"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.6\"\u003ev2.12.6\u003c/a\u003e from v2.12.5. (\u003ca href=\"https://github.com/flavorjones\"\u003e\u003ccode\u003e@​flavorjones\u003c/code\u003e\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] \u003ccode\u003eXML::Reader\u003c/code\u003e sets the \u003ccode\u003e@encoding\u003c/code\u003e instance variable during reading if it is not passed into the initializer. Previously, it would remain \u003ccode\u003enil\u003c/code\u003e. The behavior of \u003ccode\u003eReader#encoding\u003c/code\u003e has not changed. This works around changes to how libxml2 reports the encoding used in v2.12.6.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev1.16.2 / 2024-02-04\u003c/h2\u003e\n\u003ch3\u003eSecurity\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See \u003ca href=\"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j\"\u003eGHSA-xc9x-jj77-9p9j\u003c/a\u003e for more information.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eDependencies\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored libxml2 is updated to \u003ca href=\"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5\"\u003ev2.12.5\u003c/a\u003e from v2.12.4. (\u003ca href=\"https://github.com/flavorjones\"\u003e\u003ccode\u003e@​flavorjones\u003c/code\u003e\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev1.16.1 / 2024-02-03\u003c/h2\u003e\n\u003ch3\u003eDependencies\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored libxml2 is updated to \u003ca href=\"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.4\"\u003ev2.12.4\u003c/a\u003e from v2.12.3. (\u003ca href=\"https://github.com/flavorjones\"\u003e\u003ccode\u003e@​flavorjones\u003c/code\u003e\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/cd70bd3dc9e0dc15b04b42d67b639eb5804e77d5\"\u003e\u003ccode\u003ecd70bd3\u003c/code\u003e\u003c/a\u003e version bump to v1.16.5\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/afc36de553085b6b397b23a0c09a2449655a3a47\"\u003e\u003ccode\u003eafc36de\u003c/code\u003e\u003c/a\u003e dep: update vendored libxml2 to v2.12.7 (\u003ca href=\"https://redirect.github.com/sparklemotion/nokogiri/issues/3191\"\u003e#3191\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/41b4f0846d2c264b48ef93ecd034dd230ab8125a\"\u003e\u003ccode\u003e41b4f08\u003c/code\u003e\u003c/a\u003e ci: add arm64-darwin coverage using macos-14\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/67b9e863a67164ae6ffbe5ed4cc482267db7c436\"\u003e\u003ccode\u003e67b9e86\u003c/code\u003e\u003c/a\u003e dep: update libxml2 to v2.12.7\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/17c0362082341208bf9aadb61939e4de74005b44\"\u003e\u003ccode\u003e17c0362\u003c/code\u003e\u003c/a\u003e version bump to v1.16.4\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/1c329e9c09148155624b52ffe630cc1b01d6787f\"\u003e\u003ccode\u003e1c329e9\u003c/code\u003e\u003c/a\u003e dep: update to zlib 1.3.1 (v1.16.x) (\u003ca href=\"https://redirect.github.com/sparklemotion/nokogiri/issues/3175\"\u003e#3175\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/edeac07bb21b3f00c2a6aaf27806ce9d0871a08d\"\u003e\u003ccode\u003eedeac07\u003c/code\u003e\u003c/a\u003e dep: update to zlib 1.3.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/80fb6085c069e053457ed6f6325ac032f2b029fe\"\u003e\u003ccode\u003e80fb608\u003c/code\u003e\u003c/a\u003e version bump to v1.16.3\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/710bd96d70f39baadd0405cf0f3c0c42805019af\"\u003e\u003ccode\u003e710bd96\u003c/code\u003e\u003c/a\u003e dep: update libxml 2.12.6 (branch v1.16.x) (\u003ca href=\"https://redirect.github.com/sparklemotion/nokogiri/issues/3151\"\u003e#3151\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/461a96ea163b144ea2898d088efe65fce311d5be\"\u003e\u003ccode\u003e461a96e\u003c/code\u003e\u003c/a\u003e fix: Reader#read sets \u003ca href=\"https://github.com/encoding\"\u003e\u003ccode\u003e@​encoding\u003c/code\u003e\u003c/a\u003e if it is unset\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/sparklemotion/nokogiri/compare/v1.14.2...v1.16.5\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `omniauth` from 1.9.2 to 2.0.0\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/omniauth/omniauth/releases\"\u003eomniauth's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev2.0.0\u003c/h2\u003e\n\u003cp\u003eVersion 2.0 of OmniAuth includes some changes that may be breaking depending on how you use OmniAuth in your app.\u003c/p\u003e\n\u003cp\u003eMany thanks to the folks who contributed in code and discussion for these changes.\u003c/p\u003e\n\u003ch2\u003e\u003cstrong\u003eOmniAuth now defaults to only POST as the allowed request_phase method.\u003c/strong\u003e\u003c/h2\u003e\n\u003cp\u003eHopefully, you were already doing this as a result of the warnings due to \u003ca href=\"https://nvd.nist.gov/vuln/detail/CVE-2015-9284\"\u003eCVE-2015-9284\u003c/a\u003e.\u003cbr /\u003e\nFor detailed context, see:\u003cbr /\u003e\n\u003ca href=\"https://redirect.github.com/omniauth/omniauth/issues/960\"\u003e#960\u003c/a\u003e\u003cbr /\u003e\n\u003ca href=\"https://redirect.github.com/omniauth/omniauth/pull/809\"\u003e#809\u003c/a\u003e\u003cbr /\u003e\n\u003ca href=\"https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284\"\u003eResolving CVE-2015-9284\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThis change also includes an additional configurable phase: \u003ccode\u003erequest_validation_phase\u003c/code\u003e.\u003c/p\u003e\n\u003ch3\u003eRack/Sinatra\u003c/h3\u003e\n\u003cp\u003eBy default, this uses rack-protection's \u003ca href=\"https://github.com/sinatra/sinatra/tree/master/rack-protection\"\u003eAuthenticityToken\u003c/a\u003e class to validate authenticity tokens. If you are using a rack based framework like sinatra, you can find an example of how to add authenticity tokens to your view \u003ca href=\"https://github.com/BobbyMcWho/omniauth_2_examples/blob/main/sinatra_app.ru#L18-L21\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003ch3\u003eRails\u003c/h3\u003e\n\u003cp\u003eBecause Rails handles its CSRF protection in its \u003ca href=\"https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html\"\u003eRequestForgeryProtection\u003c/a\u003e class, and stores tokens in a non-vanilla-rack friendly way, you must pass a rails-friendly validator in instead, similar to what \u003ca href=\"https://github.com/cookpad/omniauth-rails_csrf_protection/blob/master/lib/omniauth/rails_csrf_protection/token_verifier.rb\"\u003eomniauth-rails_csrf_protection\u003c/a\u003e does.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eUpdate:\u003c/strong\u003e omniauth-rails_csrf_protection has released \u003ca href=\"https://redirect.github.com/cookpad/omniauth-rails_csrf_protection/pull/9\"\u003ev1.0.0\u003c/a\u003e, which means if you're using this library already, you should be able to upgrade omniauth to the 2.0 series as long as omniauth-rails_csrf_protection is also upgraded \u003ccode\u003e'~\u0026gt; 1.0'\u003c/code\u003e\u003c/p\u003e\n\u003cp\u003eAn example of creating your own non-dependency implementation is below, though I would recommend using the gem.\u003c/p\u003e\n\u003cpre lang=\"ruby\"\u003e\u003ccode\u003e# Derived from https://github.com/cookpad/omniauth-rails_csrf_protection/blob/master/lib/omniauth/rails_csrf_protection/token_verifier.rb\n# This specific implementation has been pared down and should not be taken as the most correct way to do this.\nclass TokenVerifier\n  include ActiveSupport::Configurable\n  include ActionController::RequestForgeryProtection\n\u003cp\u003edef call(env)\n\u003ca href=\"https://github.com/request\"\u003e\u003ccode\u003e@​request\u003c/code\u003e\u003c/a\u003e = ActionDispatch::Request.new(env.dup)\nraise OmniAuth::AuthenticityError unless verified_request?\nend\u003c/p\u003e\n\u003cp\u003eprivate\nattr_reader :request\ndelegate :params, :session, to: :request\nend\u003c/p\u003e\n\u003ch1\u003ein an initializer\u003c/h1\u003e\n\u003cp\u003eOmniAuth.config.request_validation_phase = TokenVerifier.new\n\u003c/code\u003e\u003c/pre\u003e\u003c/p\u003e\n\u003cp\u003e\u003ca href=\"https://github.com/BobbyMcWho/omniauth_2_examples/blob/main/rails_app.ru#L14-L28\"\u003eExample Rails App\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eIf you're using Rails' \u003ca href=\"https://api.rubyonrails.org/classes/ActionView/Helpers/FormHelper.html#method-i-form_for\"\u003eform helpers\u003c/a\u003e, they automatically include an authenticity token.\u003c/p\u003e\n\u003cp\u003eIf you are using hyperlinks or buttons styled to redirect to your login route, you should update these to be a submit input or a submit type button wrapped in a form.\u003c/p\u003e\n\u003cpre lang=\"diff\"\u003e\u003ccode\u003e- \u0026lt;a href='/auth/developer'\u0026gt;Login with Developer\u0026lt;/a\u0026gt;\n\u0026lt;/tr\u0026gt;\u0026lt;/table\u0026gt; \n\u003c/code\u003e\u003c/pre\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/29c8216e0de59097074224ebb92daf696a1326fa\"\u003e\u003ccode\u003e29c8216\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/omniauth/omniauth/issues/1021\"\u003e#1021\u003c/a\u003e from omniauth/2_0-indev\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/fe26931f2e7934e0800dd3fe646bef4a1ad2e192\"\u003e\u003ccode\u003efe26931\u003c/code\u003e\u003c/a\u003e Release 2.0.0\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/8a6b7a6f9e1b95dd98eb6ac22eeb8e7fb0df77a6\"\u003e\u003ccode\u003e8a6b7a6\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/omniauth/omniauth/issues/1016\"\u003e#1016\u003c/a\u003e from BobbyMcWho/add-to-readme\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/19b3d347a41d8a55c706edba1a991d55cac577db\"\u003e\u003ccode\u003e19b3d34\u003c/code\u003e\u003c/a\u003e Add v2.0.0 text\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/97714aa6a5da8e3b7e76e52cccd82110ab204adf\"\u003e\u003ccode\u003e97714aa\u003c/code\u003e\u003c/a\u003e Tag version\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/1956a95e6466f0bcefbe2cd4e444a14dad60a7b4\"\u003e\u003ccode\u003e1956a95\u003c/code\u003e\u003c/a\u003e Fix deprecation warnings\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/1b784ffa5f128bea1a22d7d26477f73bb6b3cd08\"\u003e\u003ccode\u003e1b784ff\u003c/code\u003e\u003c/a\u003e Wrap mock_call in rescue\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/49ca57789a26eae3fc516615a32f16e46e9e786f\"\u003e\u003ccode\u003e49ca577\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/omniauth/omniauth/issues/1015\"\u003e#1015\u003c/a\u003e from omniauth/make-sure-strategy-passes-rack-freeze\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/e405613685394932bba0d1ffa8bb8fc484e4279c\"\u003e\u003ccode\u003ee405613\u003c/code\u003e\u003c/a\u003e Freeze omniauth in test to verify thread safety\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/d4c1ff0ffb0586f99490a1c3a427cfb40657cec9\"\u003e\u003ccode\u003ed4c1ff0\u003c/code\u003e\u003c/a\u003e Dup options when a strategy is dup'd or cloned\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/omniauth/omniauth/compare/v1.9.2...v2.0.0\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `sidekiq` from 6.5.8 to 6.5.10\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/sidekiq/sidekiq/blob/main/Changes.md\"\u003esidekiq's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch1\u003eSidekiq Changes\u003c/h1\u003e\n\u003cp\u003e\u003ca href=\"https://github.com/sidekiq/sidekiq/blob/main/Changes.md\"\u003eSidekiq Changes\u003c/a\u003e | \u003ca href=\"https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md\"\u003eSidekiq Pro Changes\u003c/a\u003e | \u003ca href=\"https://github.com/sidekiq/sidekiq/blob/main/Ent-Changes.md\"\u003eSidekiq Enterprise Changes\u003c/a\u003e\u003c/p\u003e\n\u003ch2\u003e7.2.4\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFix XSS in metrics filtering introduced in 7.2.0, CVE-2024-32887\nThanks to \u003ca href=\"https://github.com/UmerAdeemCheema\"\u003e\u003ccode\u003e@​UmerAdeemCheema\u003c/code\u003e\u003c/a\u003e for the security report.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e7.2.3\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://www.mikeperham.com/2024/02/01/supporting-dragonfly/\"\u003eSupport Dragonfly.io\u003c/a\u003e as an alternative Redis implementation\u003c/li\u003e\n\u003cli\u003eFix error unpacking some compressed error backtraces \u003ca href=\"https://redirect.github.com/sidekiq/sidekiq/issues/6241\"\u003e#6241\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eFix potential heartbeat data leak \u003ca href=\"https://redirect.github.com/sidekiq/sidekiq/issues/6227\"\u003e#6227\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAdd ability to find a currently running work by jid [#6212, fatkodima]\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e7.2.2\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAdd \u003ccode\u003eProcess.warmup\u003c/code\u003e call in Ruby 3.3+\u003c/li\u003e\n\u003cli\u003eBatch jobs now skip transactional push \u003ca href=\"https://redirect.github.com/sidekiq/sidekiq/issues/6160\"\u003e#6160\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e7.2.1\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAdd \u003ccode\u003eSidekiq::Work\u003c/code\u003e type which replaces the raw Hash as the third parameter in\n\u003ccode\u003eSidekiq::WorkSet#each { |pid, tid, hash| ... }\u003c/code\u003e \u003ca href=\"https://redirect.github.com/sidekiq/sidekiq/issues/6145\"\u003e#6145\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDEPRECATED\u003c/strong\u003e: direct access to the attributes within the \u003ccode\u003ehash\u003c/code\u003e block parameter above.\nThe \u003ccode\u003eSidekiq::Work\u003c/code\u003e instance contains accessor methods to get at the same data, e.g.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cpre lang=\"ruby\"\u003e\u003ccode\u003ework[\u0026quot;queue\u0026quot;] # Old\nwork.queue # New\n\u003c/code\u003e\u003c/pre\u003e\n\u003cul\u003e\n\u003cli\u003eFix Ruby 3.3 warnings around \u003ccode\u003ebase64\u003c/code\u003e gem [#6151, earlopain]\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e7.2.0\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003esidekiq_retries_exhausted\u003c/code\u003e can return \u003ccode\u003e:discard\u003c/code\u003e to avoid the deadset\nand all death handlers \u003ca href=\"https://redirect.github.com/sidekiq/sidekiq/issues/6091\"\u003e#6091\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eMetrics filtering by job class in Web UI \u003ca href=\"https://redirect.github.com/sidekiq/sidekiq/issues/5974\"\u003e#5974\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eBetter readability and formatting for numbers within the Web UI \u003ca href=\"https://redirect.github.com/sidekiq/sidekiq/issues/6080\"\u003e#6080\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAdd explicit error if user code tries to nest test modes \u003ca href=\"https://redirect.github.com/sidekiq/sidekiq/issues/6078\"\u003e#6078\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cpre lang=\"ruby\"\u003e\u003ccode\u003eSidekiq::Testing.inline! # global setting\nSidekiq::Testing.fake! do # override within block\n  # ok\n  Sidekiq::Testing.inline! do # can't override the override\n\u0026lt;/tr\u0026gt;\u0026lt;/table\u0026gt; \n\u003c/code\u003e\u003c/pre\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sidekiq/sidekiq/commit/f67a7abccffc9337f144e7be96bb1ed4b0fee49a\"\u003e\u003ccode\u003ef67a7ab\u003c/code\u003e\u003c/a\u003e Cherry pick:\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sidekiq/sidekiq/commit/101435c5a73095ca62b610d5d6456e7e5dc7f81a\"\u003e\u003ccode\u003e101435c\u003c/code\u003e\u003c/a\u003e Merge 62c90d7\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sidekiq/sidekiq/commit/022c059c7b417d24cf1f892fa71f8e98d19ca93f\"\u003e\u003ccode\u003e022c059\u003c/code\u003e\u003c/a\u003e bump, prep\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sidekiq/sidekiq/commit/fa6723e20131f6d8ca990fc44ca056a351376f2e\"\u003e\u003ccode\u003efa6723e\u003c/code\u003e\u003c/a\u003e formatting, ensure environment is updated in Sidekiq.options\u003c/li\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/sidekiq/sidekiq/compare/v6.5.8...v6.5.10\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `rack` from 2.2.6.4 to 2.2.8.1\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rack/rack/releases\"\u003erack's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev2.2.8.1\u003c/h2\u003e\n\u003ch2\u003eWhat's Changed\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFixed ReDoS in Accept header parsing [CVE-2024-26146]\u003c/li\u003e\n\u003cli\u003eFixed ReDoS in Content Type header parsing [CVE-2024-25126]\u003c/li\u003e\n\u003cli\u003eReject Range headers which are too large [CVE-2024-26141]\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eFull Changelog\u003c/strong\u003e: \u003ca href=\"https://github.com/rack/rack/compare/v2.2.8...v2.2.8.1\"\u003ehttps://github.com/rack/rack/compare/v2.2.8...v2.2.8.1\u003c/a\u003e\u003c/p\u003e\n\u003ch2\u003ev2.2.8\u003c/h2\u003e\n\u003ch2\u003eWhat's Changed\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eLimit file extension length of multipart tempfiles (2.2 backport) by \u003ca href=\"https://github.com/dentarg\"\u003e\u003ccode\u003e@​dentarg\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2075\"\u003erack/rack#2075\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eCHANGELOG: Add missing 2.2.7 by \u003ca href=\"https://github.com/tisba\"\u003e\u003ccode\u003e@​tisba\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2081\"\u003erack/rack#2081\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eUpdate cookie.rb by \u003ca href=\"https://github.com/dchandekstark\"\u003e\u003ccode\u003e@​dchandekstark\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2092\"\u003erack/rack#2092\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePrefer ubuntu-latest for testing. by \u003ca href=\"https://github.com/ioquatix\"\u003e\u003ccode\u003e@​ioquatix\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2095\"\u003erack/rack#2095\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eFix inefficient assert pattern in Rack::Lint [2-2-stable] by \u003ca href=\"https://github.com/skipkayhil\"\u003e\u003ccode\u003e@​skipkayhil\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2101\"\u003erack/rack#2101\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eRegenerate SPEC [2-2-stable] by \u003ca href=\"https://github.com/skipkayhil\"\u003e\u003ccode\u003e@​skipkayhil\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2102\"\u003erack/rack#2102\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eNew Contributors\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/tisba\"\u003e\u003ccode\u003e@​tisba\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2081\"\u003erack/rack#2081\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/dchandekstark\"\u003e\u003ccode\u003e@​dchandekstark\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2092\"\u003erack/rack#2092\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eFull Changelog\u003c/strong\u003e: \u003ca href=\"https://github.com/rack/rack/compare/v2.2.7...v2.2.8\"\u003ehttps://github.com/rack/rack/compare/v2.2.7...v2.2.8\u003c/a\u003e\u003c/p\u003e\n\u003ch2\u003ev2.2.7\u003c/h2\u003e\n\u003ch2\u003eWhat's Changed\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eCorrect the year number in the changelog by \u003ca href=\"https://github.com/kimulab\"\u003e\u003ccode\u003e@​kimulab\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2015\"\u003erack/rack#2015\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eSupport underscore in host names for Rack 2.2 (Fixes \u003ca href=\"https://redirect.github.com/rack/rack/issues/2070\"\u003e#2070\u003c/a\u003e) by \u003ca href=\"https://github.com/jeremyevans\"\u003e\u003ccode\u003e@​jeremyevans\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2071\"\u003erack/rack#2071\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eNew Contributors\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/kimulab\"\u003e\u003ccode\u003e@​kimulab\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2015\"\u003erack/rack#2015\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eFull Changelog\u003c/strong\u003e: \u003ca href=\"https://github.com/rack/rack/compare/v2.2.6.4...v2.2.7\"\u003ehttps://github.com/rack/rack/compare/v2.2.6.4...v2.2.7\u003c/a\u003e\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/e83001100ad9dd24e1744b13669dcb2736a13ebd\"\u003e\u003ccode\u003ee830011\u003c/code\u003e\u003c/a\u003e bump version\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49\"\u003e\u003ccode\u003ed9c163a\u003c/code\u003e\u003c/a\u003e Avoid 2nd degree polynomial regexp in MediaType\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b\"\u003e\u003ccode\u003e6245768\u003c/code\u003e\u003c/a\u003e Return an empty array when ranges are too large\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd\"\u003e\u003ccode\u003ee4c1177\u003c/code\u003e\u003c/a\u003e Fixing ReDoS in header parsing\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/f169ff75b0a0b84c031960ffc5fcd0414eb64a2e\"\u003e\u003ccode\u003ef169ff7\u003c/code\u003e\u003c/a\u003e Bump patch version.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/0a4648773ecab7437c52d04de071b5bf65b63058\"\u003e\u003ccode\u003e0a46487\u003c/code\u003e\u003c/a\u003e Regenerate SPEC (\u003ca href=\"https://redirect.github.com/rack/rack/issues/2102\"\u003e#2102\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/cee73b3a0e7b195dd3304f6c2e4c1cf9e4a4ad9e\"\u003e\u003ccode\u003ecee73b3\u003c/code\u003e\u003c/a\u003e Fix inefficient assert pattern in Rack::Lint (\u003ca href=\"https://redirect.github.com/rack/rack/issues/2101\"\u003e#2101\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/1fdcf1fcfa08a64c9916281f2ff0996e6d50e0b3\"\u003e\u003ccode\u003e1fdcf1f\u003c/code\u003e\u003c/a\u003e Prefer ubuntu-latest for testing. (\u003ca href=\"https://redirect.github.com/rack/rack/issues/2095\"\u003e#2095\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/287fe435720b4612d4908c3216cfe2b82ad666da\"\u003e\u003ccode\u003e287fe43\u003c/code\u003e\u003c/a\u003e Update cookie.rb (\u003ca href=\"https://redirect.github.com/rack/rack/issues/2092\"\u003e#2092\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/e7f486987d25be2c726576309951053ec1fe1738\"\u003e\u003ccode\u003ee7f4869\u003c/code\u003e\u003c/a\u003e adds missing 2.2.7 to CHANGELOG.md (\u003ca href=\"https://redirect.github.com/rack/rack/issues/2081\"\u003e#2081\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rack/rack/compare/v2.2.6.4...v2.2.8.1\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `yard` from 0.9.28 to 0.9.36\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/lsegal/yard/releases\"\u003eyard's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003eRelease v0.9.36\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFurther XSS fixes for generated frameset pages (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1538\"\u003e#1538\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eImprove tests for Ruby 3.3 compatibility (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1519\"\u003e#1519\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1531\"\u003e#1531\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eDocumentation improvements (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1524\"\u003e#1524\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eRelease v0.9.35\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFix possible XSS on generated YARD frameset pages (thanks to \u003ca href=\"https://github.com/RedYetiDev\"\u003e\u003ccode\u003e@​RedYetiDev\u003c/code\u003e\u003c/a\u003e for finding and patching) (2069e2b).\u003c/li\u003e\n\u003cli\u003eFix errors when using \u003ccode\u003e@option\u003c/code\u003e on non-method objects (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1508\"\u003e#1508\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eSupport Ruby 3.3 changes in Ripper parser (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1510\"\u003e#1510\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eRelease v0.9.34\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAdd changelog to yard.gemspec\u003c/li\u003e\n\u003cli\u003eFix fork behavior in \u003ccode\u003eyard server --fork\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eRelease v0.9.33\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure .yardopts is present in gem package (internal YARD documentation change)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eRelease v0.9.32\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFix issue with custom Rack::Request attributes in \u003ccode\u003eyard server\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eRelease v0.9.31\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRemove dependency on webrick in YARD::Server::Commands::StaticFileHelpers\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eRelease v0.9.30\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eHot release fix to correct issue with gem packaging missing templates (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1490\"\u003e#1490\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eRelease v0.9.29\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable table support for CommonMarker (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1443\"\u003e#1443\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eParser performance improvements (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1452\"\u003e#1452\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1453\"\u003e#1453\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1454\"\u003e#1454\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1455\"\u003e#1455\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix autoload of RipperParser (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1460\"\u003e#1460\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eRemove dependency on webrick for better Ruby 3.1+ support\u003c/li\u003e\n\u003cli\u003eImprovements for mixin resolution (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1467\"\u003e#1467\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1468\"\u003e#1468\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/lsegal/yard/blob/main/CHANGELOG.md\"\u003eyard's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch1\u003e\u003ca href=\"https://github.com/lsegal/yard/compare/v0.9.35...v0.9.36\"\u003e0.9.36\u003c/a\u003e - February 29th, 2024\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003eFurther XSS fixes for generated frameset pages (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1538\"\u003e#1538\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eImprove tests for Ruby 3.3 compatibility (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1519\"\u003e#1519\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1531\"\u003e#1531\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eDocumentation improvements (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1524\"\u003e#1524\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e\u003ca href=\"https://github.com/lsegal/yard/compare/v0.9.34...v0.9.35\"\u003e0.9.35\u003c/a\u003e - February 28th, 2024\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003eFix possible XSS on generated YARD frameset pages (thanks to \u003ca href=\"https://github.com/RedYetiDev\"\u003e\u003ccode\u003e@​RedYetiDev\u003c/code\u003e\u003c/a\u003e for finding and patching) (2069e2b).\u003c/li\u003e\n\u003cli\u003eFix errors when using \u003ccode\u003e@option\u003c/code\u003e on non-method objects (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1508\"\u003e#1508\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eSupport Ruby 3.3 changes in Ripper parser (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1510\"\u003e#1510\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e\u003ca href=\"https://github.com/lsegal/yard/compare/v0.9.33...v0.9.34\"\u003e0.9.34\u003c/a\u003e - April 12nd, 2023\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003eAdd changelog to yard.gemspec\u003c/li\u003e\n\u003cli\u003eFix fork behavior in \u003ccode\u003eyard server --fork\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e\u003ca href=\"https://github.com/lsegal/yard/compare/v0.9.32...v0.9.33\"\u003e0.9.33\u003c/a\u003e - April 11st, 2023\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure .yardopts is present in gem package (internal YARD documentation change)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e0.9.32 - April 9th, 2023\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003eFix issue with custom Rack::Request attributes in \u003ccode\u003eyard server\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e\u003ca href=\"https://github.com/lsegal/yard/compare/v0.9.30...v0.9.31\"\u003e0.9.31\u003c/a\u003e - April 9th, 2023\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003eRemove dependency on webrick in YARD::Server::Commands::StaticFileHelpers\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e\u003ca href=\"https://github.com/lsegal/yard/compare/v0.9.29...v0.9.30\"\u003e0.9.30\u003c/a\u003e - April 9th, 2023\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003eHot release fix to correct issue with gem packaging missing templates (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1490\"\u003e#1490\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e\u003ca href=\"https://github.com/lsegal/yard/compare/v0.9.28...v0.9.29\"\u003e0.9.29\u003c/a\u003e - April 8th, 2023\u003c/h1\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/e833aac7a01510245dd4ae1d1d18b046c8293c2d\"\u003e\u003ccode\u003ee833aac\u003c/code\u003e\u003c/a\u003e Tag release v0.9.36\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/1fcb2d8b316caf8779cfdcf910715e9ab583f0aa\"\u003e\u003ccode\u003e1fcb2d8\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1538\"\u003e#1538\u003c/a\u003e from RedYetiDev/patch-2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/a831a596b2a7cabdd2e17855dd179af2ebf3d559\"\u003e\u003ccode\u003ea831a59\u003c/code\u003e\u003c/a\u003e Fix semicolon\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/2a0b9990b64ceeeb0456177c593e36e204a06df1\"\u003e\u003ccode\u003e2a0b999\u003c/code\u003e\u003c/a\u003e assign url_for_main to a variable\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/305901723e75bb8027a656aef8888557c1d1488b\"\u003e\u003ccode\u003e3059017\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1519\"\u003e#1519\u003c/a\u003e from mtasaka/ruby33_test_fix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/c88406e4b78f8dd4ba38c79eea0bcec716dbbef8\"\u003e\u003ccode\u003ec88406e\u003c/code\u003e\u003c/a\u003e Update frames.erb\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/7cb3fc5b3e1c71dcc368f4a25a5acd0674e44b48\"\u003e\u003ccode\u003e7cb3fc5\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1524\"\u003e#1524\u003c/a\u003e from frsantos/fix_tuple_docs\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/04e4c9a2fa770768a7eb724030cc6e434fdbd0ce\"\u003e\u003ccode\u003e04e4c9a\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1531\"\u003e#1531\u003c/a\u003e from rafaelfranca/rm-ruby-3.3\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/ebf5005e282475d51732eca16e9a2d9f1e769941\"\u003e\u003ccode\u003eebf5005\u003c/code\u003e\u003c/a\u003e Tag release v0.9.35\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/62e18b472beb0c7245ed52fee2993ab7477c49ab\"\u003e\u003ccode\u003e62e18b4\u003c/code\u003e\u003c/a\u003e Prepare changelog\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/lsegal/yard/compare/v0.9.28...v0.9.36\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `puma` from 6.2.1 to 6.4.2\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/puma/puma/releases\"\u003epuma's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.4.1\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eBugfixes\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDSL#warn_if_in_single_mode - fixup when workers set via CLI (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3256\"\u003e#3256\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix \u003ccode\u003eidle-timeout\u003c/code\u003e not working in cluster mode (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3235\"\u003e#3235\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3228\"\u003e#3228\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3282\"\u003e#3282\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3283\"\u003e#3283\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix worker 0 timing out during phased restart (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3225\"\u003e#3225\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/2786\"\u003e#2786\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003econtext_builder.rb - require openssl if verify_mode != 'none' (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3179\"\u003e#3179\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eMake puma cluster process suitable as PID 1 (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3255\"\u003e#3255\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eImprove Puma::NullIO consistency with real IO (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3276\"\u003e#3276\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eextconf.rb - fixup to detect openssl info in Ruby build (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3271\"\u003e#3271\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3266\"\u003e#3266\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eMiniSSL.java - set serialVersionUID, fix RaiseException deprecation (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3270\"\u003e#3270\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003edsl.rb - fix warn_if_in_single_mode when WEB_CONCURRENCY is set (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3265\"\u003e#3265\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3264\"\u003e#3264\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eMaintenance\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eLOTS of test refactoring to make tests more stable and easier to write - thanks to \u003ca href=\"https://github.com/MSP-Greg\"\u003e\u003ccode\u003e@​MSP-Greg\u003c/code\u003e\u003c/a\u003e!\u003c/li\u003e\n\u003cli\u003eFix bug in tests re: TestPuma::HOST4 (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3254\"\u003e#3254\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eDockerfile for minimal repros: use Ruby 3.2, expect bundler installed (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3245\"\u003e#3245\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix define_method calls, use Symbol parameter instead of String (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3293\"\u003e#3293\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eDocs\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eREADME.md - add the puma-acme plugin (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3301\"\u003e#3301\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eRemove \u003ccode\u003e--keep-file-descriptors\u003c/code\u003e flag from systemd docs (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3248\"\u003e#3248\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eNote symlink mechanism in restart documentation for hot restart (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3298\"\u003e#3298\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.4.0 - The Eagle of Durango\u003c/h2\u003e\n\u003cp\u003e\u003cimg src=\"https://github.com/puma/puma/assets/845662/8702eb06-b397-4c6b-a3a4-251186fe4513\" alt=\"image\" /\u003e\u003c/p\u003e\n\u003cp\u003eAmerica is \u003ca href=\"https://redirect.github.com/puma/puma/issues/1\"\u003e#1\u003c/a\u003e in professional cycling, baby!\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eFeatures\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eon_thread_exit hook (\u003ca href=\"https://redirect.github.com/puma/puma/issues/2920\"\u003e#2920\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eon_thread_start_hook (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3195\"\u003e#3195\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eShutdown on idle (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3209\"\u003e#3209\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/2580\"\u003e#2580\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eNew error message when control server port taken (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3204\"\u003e#3204\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eRefactor\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eRemove \u003ccode\u003eForwardable\u003c/code\u003e dependency (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3191\"\u003e#3191\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3190\"\u003e#3190\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eUpdate URLMap Regexp usage for Ruby v3.3 (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3165\"\u003e#3165\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eBugfixes\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eBring the cert_pem: parameter into parity with the cert: parameter to ssl_bind. (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3174\"\u003e#3174\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix using control server with IPv6 host (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3181\"\u003e#3181\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003econtrol_cli.rb - add require_relative 'log_writer' (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3187\"\u003e#3187\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix cases where fallback Rack response wasn't sent to the client (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3094\"\u003e#3094\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.3.1\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSecurity\n\u003cul\u003e\n\u003cli\u003eAddress HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields (\u003ca href=\"https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8\"\u003eGHSA-68xg-gqqm-vgj8\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.3.0 - Mugi No Toki Itaru\u003c/h2\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/puma/puma/blob/master/History.md\"\u003epuma's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.4.2 / 2024-01-08\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSecurity\n\u003cul\u003e\n\u003cli\u003eLimit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. (\u003ca href=\"https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2\"\u003eGHSA-c2f4-cvqm-65w2\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.4.1 / 2024-01-03\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eBugfixes\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDSL#warn_if_in_single_mode - fixup when workers set via CLI (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3256\"\u003e#3256\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix \u003ccode\u003eidle-timeout\u003c/code\u003e not working in cluster mode (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3235\"\u003e#3235\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3228\"\u003e#3228\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3282\"\u003e#3282\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3283\"\u003e#3283\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix worker 0 timing out during phased restart (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3225\"\u003e#3225\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/2786\"\u003e#2786\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003econtext_builder.rb - require openssl if verify_mode != 'none' (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3179\"\u003e#3179\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eMake puma cluster process suitable as PID 1 (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3255\"\u003e#3255\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eImprove Puma::NullIO consistency with real IO (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3276\"\u003e#3276\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eextconf.rb - fixup to detect openssl info in Ruby build (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3271\"\u003e#3271\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3266\"\u003e#3266\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eMiniSSL.java - set serialVersionUID, fix RaiseException deprecation (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3270\"\u003e#3270\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003edsl.rb - fix warn_if_in_single_mode when WEB_CONCURRENCY is set (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3265\"\u003e#3265\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3264\"\u003e#3264\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eMaintenance\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eLOTS of test refactoring to make tests more stable and easier to write - thanks to \u003ca href=\"https://github.com/MSP-Greg\"\u003e\u003ccode\u003e@​MSP-Greg\u003c/code\u003e\u003c/a\u003e!\u003c/li\u003e\n\u003cli\u003eFix bug in tests re: TestPuma::HOST4 (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3254\"\u003e#3254\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eDockerfile for minimal repros: use Ruby 3.2, expect bundler installed (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3245\"\u003e#3245\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix define_method calls, use Symbol parameter instead of String (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3293\"\u003e#3293\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eDocs\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eREADME.md - add the puma-acme plugin (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3301\"\u003e#3301\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eRemove \u003ccode\u003e--keep-file-descriptors\u003c/code\u003e flag from systemd docs (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3248\"\u003e#3248\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eNote symlink mechanism in restart documentation for hot restart (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3298\"\u003e#3298\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.4.0 / 2023-09-21\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eFeatures\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eon_thread_exit hook (\u003ca href=\"https://redirect.github.com/puma/puma/issues/2920\"\u003e#2920\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eon_thread_start_hook (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3195\"\u003e#3195\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eShutdown on idle (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3209\"\u003e#3209\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/2580\"\u003e#2580\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eNew error message when control server port taken (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3204\"\u003e#3204\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eRefactor\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eRemove \u003ccode\u003eForwardable\u003c/code\u003e dependency (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3191\"\u003e#3191\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3190\"\u003e#3190\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eUpdate URLMap Regexp usage for Ruby v3.3 (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3165\"\u003e#3165\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eBugfixes\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eBring the cert_pem: parameter into parity with the cert: parameter to ssl_bind. (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3174\"\u003e#3174\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix using control server with IPv6 host (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3181\"\u003e#3181\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003econtrol_cli.rb - add require_relative 'log_writer' (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3187\"\u003e#3187\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix cases where fallback Rack response wasn't sent to the client (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3094\"\u003e#3094\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.3.1 / 2023-08-18\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSecurity\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93\"\u003e\u003ccode\u003e5fc43d7\u003c/code\u003e\u003c/a\u003e 5.6.8 and 6.4.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/dfbba22216f34a60bb55e1e007b1ad5951934cb8\"\u003e\u003ccode\u003edfbba22\u003c/code\u003e\u003c/a\u003e 6.4.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7\"\u003e\u003ccode\u003e60d5ee3\u003c/code\u003e\u003c/a\u003e Merge pull request from GHSA-c2f4-cvqm-65w2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/a2870252e3c525f6529358807faee1169f28270e\"\u003e\u003ccode\u003ea287025\u003c/code\u003e\u003c/a\u003e 6.4.1 version tick!\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/32a629dc3cffb2b3299df12d86f0ade98099dc4e\"\u003e\u003ccode\u003e32a629d\u003c/code\u003e\u003c/a\u003e 6.4.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/7e17826da540019940a8e1a95fabe00883332d1a\"\u003e\u003ccode\u003e7e17826\u003c/code\u003e\u003c/a\u003e [Fix \u003ca href=\"https://redirect.github.com/puma/puma/issues/3282\"\u003e#3282\u003c/a\u003e] \u003ccode\u003eidle-timeout\u003c/code\u003e not waiting on all workers in cluster mode (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3283\"\u003e#3283\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/437142e01d60531a86708dd446873ac9e0f3a03c\"\u003e\u003ccode\u003e437142e\u003c/code\u003e\u003c/a\u003e README.md - add the puma-acme plugin (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3301\"\u003e#3301\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/e9125faa5633362b69cde3170b6002aaf7ac618f\"\u003e\u003ccode\u003ee9125fa\u003c/code\u003e\u003c/a\u003e [CI] Change all workflow file extensions to '.yml' (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3300\"\u003e#3300\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/d49dec941ea603e68cdcba6f88d030cc9254c2ed\"\u003e\u003ccode\u003ed49dec9\u003c/code\u003e\u003c/a\u003e [CI] Add Ruby 3.3, use 'rubygems: latest' in tests.yaml MRI (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3299\"\u003e#3299\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/2d27225e44e3b2110d39e7832f33c8314ae22bd9\"\u003e\u003ccode\u003e2d27225\u003c/code\u003e\u003c/a\u003e Note symlink mechanism in restart documentation for hot restart (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3298\"\u003e#3298\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/puma/puma/compare/v6.2.1...v6.4.2\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `rotp` from 6.2.2 to 6.3.0\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/mdp/rotp/releases\"\u003erotp's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.3.0\u003c/h2\u003e\n\u003ch2\u003e\u003ca href=\"https://github.com/mdp/rotp/compare/v6.2.2...v6.3.0\"\u003e6.3.0\u003c/a\u003e (2023-08-30)\u003c/h2\u003e\n\u003ch3\u003eFeatures\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eAllow for non-standard provisioning URI params, eg. image/icon (\u003ca href=\"https://redirect.github.com/mdp/rotp/issues/91\"\u003e#91\u003c/a\u003e) (\u003ca href=\"https://github.com/mdp/rotp/commit/45d8aac8356424897faf3a0dbda59f88b22df775\"\u003e45d8aac\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/mdp/rotp/blob/main/CHANGELOG.md\"\u003erotp's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e\u003ca href=\"https://github.com/mdp/rotp/compare/v6.2.2...v6.3.0\"\u003e6.3.0\u003c/a\u003e (2023-08-30)\u003c/h2\u003e\n\u003ch3\u003eFeatures\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eAllow for non-standard provisioning URI params, eg. image/icon (\u003ca href=\"https://redirect.github.com/mdp/rotp/issues/91\"\u003e#91\u003c/a\u003e) (\u003ca href=\"https://github.com/mdp/rotp/commit/45d8aac8356424897faf3a0dbda59f88b22df775\"\u003e45d8aac\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/131d2c325ba5f94887b27eefe24a214bdbcd0a5c\"\u003e\u003ccode\u003e131d2c3\u003c/code\u003e\u003c/a\u003e chore(main): release 6.3.0 (\u003ca href=\"https://redirect.github.com/mdp/rotp/issues/132\"\u003e#132\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/45d8aac8356424897faf3a0dbda59f88b22df775\"\u003e\u003ccode\u003e45d8aac\u003c/code\u003e\u003c/a\u003e feat: Allow for non-standard provisioning URI params, eg. image/icon (\u003ca href=\"https://redirect.github.com/mdp/rotp/issues/91\"\u003e#91\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/3908511dee95f52e7d7d56255709f7683bcd2d47\"\u003e\u003ccode\u003e3908511\u003c/code\u003e\u003c/a\u003e chore: bootstrap releases for path: . (\u003ca href=\"https://redirect.github.com/mdp/rotp/issues/131\"\u003e#131\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/06581e7f09354d9eea82497e5642ec25a1d05915\"\u003e\u003ccode\u003e06581e7\u003c/code\u003e\u003c/a\u003e Chore: run CI on all pull requests (\u003ca href=\"https://redirect.github.com/mdp/rotp/issues/130\"\u003e#130\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/9a48b390fb972d7ed9e0abdc7d527fa8f9cbe9b1\"\u003e\u003ccode\u003e9a48b39\u003c/code\u003e\u003c/a\u003e chore: docker-compose.yml: Use ruby-3.0 (\u003ca href=\"https://redirect.github.com/mdp/rotp/issues/128\"\u003e#128\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/b38a738eb53c06b67ba0bab0730092d34abbf260\"\u003e\u003ccode\u003eb38a738\u003c/code\u003e\u003c/a\u003e Chore: CI Update for please release and Devcontainer addition of \u003ccode\u003eact\u003c/code\u003e (\u003ca href=\"https://redirect.github.com/mdp/rotp/issues/127\"\u003e#127\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/242591141a7bac910d93b0d30ad5b118500417f1\"\u003e\u003ccode\u003e2425911\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/mdp/rotp/issues/126\"\u003e#126\u003c/a\u003e from mdp/mdp/pr_rollup\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/9b5390ea4aadf093bcb39bea716bf4da9b74d858\"\u003e\u003ccode\u003e9b5390e\u003c/code\u003e\u003c/a\u003e Merge branch 'main' into mdp/pr_rollup\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/be137f1af7d7d2e5cbc57c8d15dba4a3ff11e65e\"\u003e\u003ccode\u003ebe137f1\u003c/code\u003e\u003c/a\u003e Add Ruby 3.2 to CI.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/5b609123d344c30a350c85628be29acaaff70fa6\"\u003e\u003ccode\u003e5b60912\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/mdp/rotp/issues/116\"\u003e#116\u003c/a\u003e from gogainda/patch-1\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/mdp/rotp/compare/v6.2.2...v6.3.0\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `sanitize` from 6.0.1 to 6.0.2\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.0.2\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eCVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS (cross-site scripting). This issue affects Sanitize versions 3.0.0 through 6.0.1.\u003c/p\u003e\n\u003cp\u003eWhen using Sanitize's relaxed config or a custom config that allows \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e elements and one or more CSS at-rules, carefully crafted input could be used to sneak arbitrary HTML through Sanitize.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7\"\u003eGHSA-f5ww-cq3m-q3g7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to \u003ca href=\"https://github.com/cure53\"\u003e\u003ccode\u003e@​cure53\u003c/code\u003e\u003c/a\u003e for finding this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/HISTORY.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.0.2 (2023-07-06)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eCVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS\n(cross-site scripting). This issue affects Sanitize versions 3.0.0 through\n6.0.1.\u003c/p\u003e\n\u003cp\u003eWhen using Sanitize's relaxed config or a custom config that allows \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e\nelements and one or more CSS at-rules, carefully crafted input could be used\nto sneak arbitrary HTML through Sanitize.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details:\n\u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7\"\u003eGHSA-f5ww-cq3m-q3g7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to \u003ca href=\"https://github.com/cure53\"\u003e\u003ccode\u003e@​cure53\u003c/code\u003e\u003c/a\u003e for finding this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220\"\u003e\u003ccode\u003e76ed46e\u003c/code\u003e\u003c/a\u003e Merge pull request from GHSA-f5ww-cq3m-q3g7\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/3481ac3f1255c6584c67fad2f9e44d809273125d\"\u003e\u003ccode\u003e3481ac3\u003c/code\u003e\u003c/a\u003e Release 6.0.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/773d927bc457f5cae21edc059654abc98101413c\"\u003e\u003ccode\u003e773d927\u003c/code\u003e\u003c/a\u003e Update history\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/041c068cec516474d61862faf3910b26c7e10073\"\u003e\u003ccode\u003e041c068\u003c/code\u003e\u003c/a\u003e Escape \u003ccode\u003e\u0026lt;/\u003c/code\u003e to prevent a style element from being closed prematurely\u003c/li\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.0.1...v6.0.2\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `rexml` from 3.2.5 to 3.2.8\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/ruby/rexml/releases\"\u003erexml's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003eREXML 3.2.8 - 2024-05-16\u003c/h2\u003e\n\u003ch3\u003eFixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eSuppressed a warning\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eREXML 3.2.7 - 2024-05-16\u003c/h2\u003e\n\u003ch3\u003eImprovements\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eImprove parse performance by using \u003ccode\u003eStringScanner\u003c/code\u003e.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/106\"\u003eGH-106\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/107\"\u003eGH-107\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/108\"\u003eGH-108\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/109\"\u003eGH-109\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/112\"\u003eGH-112\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/113\"\u003eGH-113\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/114\"\u003eGH-114\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/115\"\u003eGH-115\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/116\"\u003eGH-116\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/117\"\u003eGH-117\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/118\"\u003eGH-118\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/119\"\u003eGH-119\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/121\"\u003eGH-121\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePatch by NAITOH Jun.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eImproved parse performance when an attribute has many \u003ccode\u003e\u0026lt;\u003c/code\u003es.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/124\"\u003eGH-124\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eFixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eXPath: Fixed a bug of \u003ccode\u003enormalize_space(array)\u003c/code\u003e.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/110\"\u003eGH-110\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/111\"\u003eGH-111\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePatch by flatisland.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eXPath: Fixed a bug that wrong position is used with nested path.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/110\"\u003eGH-110\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/122\"\u003eGH-122\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eReported by jcavalieri.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePatch by NAITOH Jun.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed a bug that an exception message can't be generated for\ninvalid encoding XML.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/ruby/rexml/blob/master/NEWS.md\"\u003erexml's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e3.2.8 - 2024-05-16 {#version-3-2-8}\u003c/h2\u003e\n\u003ch3\u003eFixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eSuppressed a warning\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e3.2.7 - 2024-05-16 {#version-3-2-7}\u003c/h2\u003e\n\u003ch3\u003eImprovements\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eImprove parse performance by using \u003ccode\u003eStringScanner\u003c/code\u003e.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/106\"\u003eGH-106\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/107\"\u003eGH-107\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/108\"\u003eGH-108\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/109\"\u003eGH-109\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/112\"\u003eGH-112\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/113\"\u003eGH-113\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/114\"\u003eGH-114\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/115\"\u003eGH-115\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/116\"\u003eGH-116\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/117\"\u003eGH-117\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/118\"\u003eGH-118\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/119\"\u003eGH-119\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/121\"\u003eGH-121\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePatch by NAITOH Jun.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eImproved parse performance when an attribute has many \u003ccode\u003e\u0026lt;\u003c/code\u003es.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/124\"\u003eGH-124\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eFixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eXPath: Fixed a bug of \u003ccode\u003enormalize_space(array)\u003c/code\u003e.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/110\"\u003eGH-110\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/111\"\u003eGH-111\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePatch by flatisland.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eXPath: Fixed a bug that wrong position is used with nested path.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/110\"\u003eGH-110\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/122\"\u003eGH-122\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eReported by jcavalieri.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePatch by NAITOH Jun.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed a bug that an exception message can't be generated for\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/1cf37bab79d61d6183bbda8bf525ed587012b718\"\u003e\u003ccode\u003e1cf37ba\u003c/code\u003e\u003c/a\u003e Add 3.2.8 entry\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/b67081caa807fad48d31983137b7ed8711e7f0df\"\u003e\u003ccode\u003eb67081c\u003c/code\u003e\u003c/a\u003e Remove an unused variable (\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/128\"\u003e#128\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/94e180e939baff8f7e328a287bb96ebbd99db6eb\"\u003e\u003ccode\u003e94e180e\u003c/code\u003e\u003c/a\u003e Suppress a warning\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/d574ba5fe1c40adbafbf16e47533f4eb32b43e60\"\u003e\u003ccode\u003ed574ba5\u003c/code\u003e\u003c/a\u003e ci: install only gems required for running tests (\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/129\"\u003e#129\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/4670f8fc187c89d0504d027ea997959287143453\"\u003e\u003ccode\u003e4670f8f\u003c/code\u003e\u003c/a\u003e Add missing Thanks section\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/9ba35f9f032c07c39b8c86536ac13a9cb313bef2\"\u003e\u003ccode\u003e9ba35f9\u003c/code\u003e\u003c/a\u003e Bump version\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/085def07425561862d8329001168d8bc9c75ae8f\"\u003e\u003ccode\u003e085def0\u003c/code\u003e\u003c/a\u003e Add 3.2.7 entry\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb\"\u003e\u003ccode\u003e4325835\u003c/code\u003e\u003c/a\u003e Read quoted attributes in chunks (\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/126\"\u003e#126\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/e77365e2d1c9cdb822c7e09b05fc5a4903d92c23\"\u003e\u003ccode\u003ee77365e\u003c/code\u003e\u003c/a\u003e Exclude older than 2.6 on macos-14\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/bf2c8edb5facb206c25a62952aa37218793283e6\"\u003e\u003ccode\u003ebf2c8ed\u003c/code\u003e\u003c/a\u003e Move development dependencies to Gemfile (\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/124\"\u003e#124\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/ruby/rexml/compare/v3.2.5...v3.2.8\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `uri` from 0.12.1 to 0.13.0\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/ruby/uri/releases\"\u003euri's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev0.13.0\u003c/h2\u003e\n\u003ch2\u003eWhat's Changed\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e[DOC] Enhanced RDoc for common methods by \u003ca href=\"https://github.com/BurdetteLamar\"\u003e\u003ccode\u003e@​BurdetteLamar\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/48\"\u003eruby/uri#48\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e[DOC] Common methods rdoc by \u003ca href=\"https://github.com/BurdetteLamar\"\u003e\u003ccode\u003e@​BurdetteLamar\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/49\"\u003eruby/uri#49\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e[DOC] Enhanced RDoc for common methods by \u003ca href=\"https://github.com/BurdetteLamar\"\u003e\u003ccode\u003e@​BurdetteLamar\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/50\"\u003eruby/uri#50\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAdd Ruby 3.2 to CI matrix by \u003ca href=\"https://github.com/tricknotes\"\u003e\u003ccode\u003e@​tricknotes\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/51\"\u003eruby/uri#51\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e[DOC] Common rdoc by \u003ca href=\"https://github.com/BurdetteLamar\"\u003e\u003ccode\u003e@​BurdetteLamar\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/52\"\u003eruby/uri#52\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e[DOC] Enhanced RDoc for URI.decode_www_form by \u003ca href=\"https://github.com/BurdetteLamar\"\u003e\u003ccode\u003e@​BurdetteLamar\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/53\"\u003eruby/uri#53\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e[DOC] Enhanced RDoc for URI by \u003ca href=\"https://github.com/BurdetteLamar\"\u003e\u003ccode\u003e@​BurdetteLamar\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/55\"\u003eruby/uri#55\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eGenerate rdoc document by GitHub Pages Action by \u003ca href=\"https://github.com/hsbt\"\u003e\u003ccode\u003e@​hsbt\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/59\"\u003eruby/uri#59\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAdd documentation links by \u003ca href=\"https://github.com/AlexWayfer\"\u003e\u003ccode\u003e@​AlexWayfer\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/58\"\u003eruby/uri#58\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eUpdate test libraries from ruby/ruby 2023-03-24 by \u003ca href=\"https://github.com/hsbt\"\u003e\u003ccode\u003e@​hsbt\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/65\"\u003eruby/uri#65\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eSwitch to use callable workflow for Actions by \u003ca href=\"https://github.com/hsbt\"\u003e\u003ccode\u003e@​hsbt\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/67\"\u003eruby/uri#67\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eRefine tests by \u003ca href=\"https://github.com/nobu\"\u003e\u003ccode\u003e@​nobu\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/71\"\u003eruby/uri#71\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eDrop support for 2.4 by \u003ca href=\"https://github.com/nobu\"\u003e\u003ccode\u003e@​nobu\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/77\"\u003eruby/uri#77\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eUpdate test libraries from ruby/ruby 2023-06-02 by \u003ca href=\"https://github.com/nobu\"\u003e\u003ccode\u003e@​nobu\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/78\"\u003eruby/uri#78\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eUse released version of test-unit-ruby-core by \u003ca href=\"https://github.com/hsbt\"\u003e\u003ccode\u003e@​hsbt\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/79\"\u003eruby/uri#79\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eRefactor RFC3986 regexps to make more readable by \u003ca href=\"https://github.com/nobu\"\u003e\u003ccode\u003e@​nobu\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/46\"\u003eruby/uri#46\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eFix RFC3986 regexps by \u003ca href=\"https://github.com/nobu\"\u003e\u003ccode\u003e@​nobu\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/81\"\u003eruby/uri#81\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eFix host part in relative referece by \u003ca href=\"https://github.com/nobu\"\u003e\u003ccode\u003e@​nobu\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/84\"\u003eruby/uri#84\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eString literals are frozen now by \u003ca href=\"https://github.com/nobu\"\u003e\u003ccode\u003e@​nobu\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/85\"\u003eruby/uri#85\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eNew Contributors\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/BurdetteLamar\"\u003e\u003ccode\u003e@​BurdetteLamar\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/48\"\u003eruby/uri#48\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/AlexWayfer\"\u003e\u003ccode\u003e@​AlexWayfer\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/58\"\u003eruby/uri#58\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eFull Changelog\u003c/strong\u003e: \u003ca href=\"https://github.com/ruby/uri/compare/v0.12.0...v0.13.0\"\u003ehttps://github.com/ruby/uri/compare/v0.12.0...v0.13.0\u003c/a\u003e\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/b50d37f7a193991c56bda7f94e8dd6fec0bb3f7f\"\u003e\u003ccode\u003eb50d37f\u003c/code\u003e\u003c/a\u003e Bump up 0.13.0\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/5c17cd20930c2ac5c288c6aaeb470c7dc7547d8c\"\u003e\u003ccode\u003e5c17cd2\u003c/code\u003e\u003c/a\u003e add #to_str to URI::Generic\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/f4999b61daa40f2c99fdc7159e2c85c036b22c67\"\u003e\u003ccode\u003ef4999b6\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/ruby/uri/issues/88\"\u003e#88\u003c/a\u003e from ruby/dependabot/github_actions/actions/checkout-4\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/b0b029ce34465766f351b511693fc573ea0a509c\"\u003e\u003ccode\u003eb0b029c\u003c/code\u003e\u003c/a\u003e Bump actions/checkout from 3 to 4\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/bec5ef95cf6e378560f55fd6b0e9f1c139626670\"\u003e\u003ccode\u003ebec5ef9\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/ruby/uri/issues/86\"\u003e#86\u003c/a\u003e from ruby/dependabot/github_actions/actions/upload-pag...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/5a626d6a2f9a702ebd8de4d630c408616a346412\"\u003e\u003ccode\u003e5a626d6\u003c/code\u003e\u003c/a\u003e Bump actions/upload-pages-artifact from 1 to 2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/e18e657ea8eedb851e8ba187229c7d0b0bcef20c\"\u003e\u003ccode\u003ee18e657\u003c/code\u003e\u003c/a\u003e Bump up v0.12.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/9d7bcef1e6ad23c9c6e4932f297fb737888144c8\"\u003e\u003ccode\u003e9d7bcef\u003c/code\u003e\u003c/a\u003e Fix quadratic backtracking on invalid port number\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/9010ee2536adda10a0555ae1ed6fe2f5808e6bf1\"\u003e\u003ccode\u003e9010ee2\u003c/code\u003e\u003c/a\u003e Fix quadratic backtracking on invalid relative URI\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/fd2146558b4e9882613b320705ca82e8fc777383\"\u003e\u003ccode\u003efd21465\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/ruby/uri/issues/85\"\u003e#85\u003c/a\u003e from nobu/frozen-literals\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/ruby/uri/compare/v0.12.1...v0.13.0\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore \u003cdependency name\u003e major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e` will close this group update PR and ...\n\n_Description has been truncated_","html_url":"https://github.com/MNDL-27/discourse/pull/8","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/MNDL-27%2Fdiscourse/issues/8","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/8/packages"},{"uuid":"1900796776","node_id":"PR_kwDOHFui2c5aj91s","number":845,"state":"closed","title":"Bump sanitize from 6.0.0 to 6.1.0","user":"dependabot[bot]","labels":["dependencies","ruby"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-09-03T18:22:35.000Z","author_association":"NONE","state_reason":null,"created_at":"2023-09-18T12:09:06.000Z","updated_at":"2025-09-03T18:22:36.000Z","time_to_close":61884809,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.0.0","new_version":"6.1.0","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.0.0 to 6.1.0.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.1.0\u003c/h2\u003e\n\u003ch3\u003eFeatures\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eAdded the \u003ccode\u003etext-decoration-skip-ink\u003c/code\u003e and \u003ccode\u003etext-decoration-thickness\u003c/code\u003e CSS properties to the relaxed config. [\u003ca href=\"https://github.com/martineriksson\"\u003e\u003ccode\u003e@​martineriksson\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/228\"\u003e#228\u003c/a\u003e]\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/228\"\u003e228\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.0.2\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eCVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS (cross-site scripting). This issue affects Sanitize versions 3.0.0 through 6.0.1.\u003c/p\u003e\n\u003cp\u003eWhen using Sanitize's relaxed config or a custom config that allows \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e elements and one or more CSS at-rules, carefully crafted input could be used to sneak arbitrary HTML through Sanitize.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7\"\u003eGHSA-f5ww-cq3m-q3g7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to \u003ca href=\"https://github.com/cure53\"\u003e\u003ccode\u003e@​cure53\u003c/code\u003e\u003c/a\u003e for finding this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.0.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even when \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed by a custom allowlist. In this scenario, carefully crafted input could sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not vulnerable. This issue only affects users who are using a custom config that adds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled in the user agent. Nokogiri doesn't support scripting so it follows the \u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will follow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably make the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled browsers, so the safest thing to do is to remove the element and its contents entirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such as \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was allowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in the readme and create a custom config that allowlisted all the elements involved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or if you heeded the warnings about MathML and SVG not being supported, you're not affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or SVG content and does not support this use case. The default configs don't allow MathML or SVG elements, and allowlisting MathML or SVG elements in a custom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing warnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/HISTORY.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.1.0 (2023-09-14)\u003c/h2\u003e\n\u003ch3\u003eFeatures\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eAdded the \u003ccode\u003etext-decoration-skip-ink\u003c/code\u003e and \u003ccode\u003etext-decoration-thickness\u003c/code\u003e CSS properties to the relaxed config. [\u003ca href=\"https://github.com/martineriksson\"\u003e\u003ccode\u003e@​martineriksson\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/228\"\u003e#228\u003c/a\u003e]\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/228\"\u003e228\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.0.2 (2023-07-06)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eCVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS\n(cross-site scripting). This issue affects Sanitize versions 3.0.0 through\n6.0.1.\u003c/p\u003e\n\u003cp\u003eWhen using Sanitize's relaxed config or a custom config that allows \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e\nelements and one or more CSS at-rules, carefully crafted input could be used\nto sneak arbitrary HTML through Sanitize.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details:\n\u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7\"\u003eGHSA-f5ww-cq3m-q3g7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to \u003ca href=\"https://github.com/cure53\"\u003e\u003ccode\u003e@​cure53\u003c/code\u003e\u003c/a\u003e for finding this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.0.1 (2023-01-27)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even\nwhen \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed\nby a custom allowlist. In this scenario, carefully crafted input could sneak\narbitrary HTML through Sanitize, potentially enabling an XSS (cross-site\nscripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not\nvulnerable. This issue only affects users who are using a custom config that\nadds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of\na \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled\nin the user agent. Nokogiri doesn't support scripting so it follows the\n\u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will\nfollow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably\nmake the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled\nbrowsers, so the safest thing to do is to remove the element and its contents\nentirely.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7194dca84a1238fa3294c2eb08a6062b9f60e7f8\"\u003e\u003ccode\u003e7194dca\u003c/code\u003e\u003c/a\u003e Release 6.1.0\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/1bba64eae268d34eb6616f637755668af727ad17\"\u003e\u003ccode\u003e1bba64e\u003c/code\u003e\u003c/a\u003e Add a couple of CSS properties to relaxed config\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/d76c8aa8f91d259751fd57da2faeabad82d8334c\"\u003e\u003ccode\u003ed76c8aa\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/225\"\u003e#225\u003c/a\u003e from igor-drozdov/igor-drozdov-patch-1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/cf84bfe24e1a984929f5aa59a2b86fbc3a4d4051\"\u003e\u003ccode\u003ecf84bfe\u003c/code\u003e\u003c/a\u003e Add 3.2 to the list of Ruby CI versions\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220\"\u003e\u003ccode\u003e76ed46e\u003c/code\u003e\u003c/a\u003e Merge pull request from GHSA-f5ww-cq3m-q3g7\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/3481ac3f1255c6584c67fad2f9e44d809273125d\"\u003e\u003ccode\u003e3481ac3\u003c/code\u003e\u003c/a\u003e Release 6.0.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/773d927bc457f5cae21edc059654abc98101413c\"\u003e\u003ccode\u003e773d927\u003c/code\u003e\u003c/a\u003e Update history\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/041c068cec516474d61862faf3910b26c7e10073\"\u003e\u003ccode\u003e041c068\u003c/code\u003e\u003c/a\u003e Escape \u003ccode\u003e\u0026lt;/\u003c/code\u003e to prevent a style element from being closed prematurely\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a92f21cd223a32a1737262d68e56a4fb8b9470f9\"\u003e\u003ccode\u003ea92f21c\u003c/code\u003e\u003c/a\u003e Release 6.0.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7ac1dfb413f85bc15130435d64326576a345fe8a\"\u003e\u003ccode\u003e7ac1dfb\u003c/code\u003e\u003c/a\u003e Update links\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.0.0...v6.1.0\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.0.0\u0026new-version=6.1.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/Izorkin/mastodon/pull/845","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/Izorkin%2Fmastodon/issues/845","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/845/packages"},{"uuid":"1563314910","node_id":"PR_kwDOBWzxzs5I3I2h","number":781,"state":"closed","title":"Bump sanitize from 6.0.0 to 6.0.1","user":"dependabot[bot]","labels":["dependencies","ruby","rebase needed :construction:"],"assignees":[],"locked":false,"comments_count":2,"pull_request":true,"closed_at":"2026-01-24T06:44:56.000Z","author_association":null,"state_reason":null,"created_at":"2023-01-30T22:31:48.000Z","updated_at":"2026-01-24T06:45:04.000Z","time_to_close":94119188,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.0.0","new_version":"6.0.1","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.0.0 to 6.0.1.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.0.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even when \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed by a custom allowlist. In this scenario, carefully crafted input could sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not vulnerable. This issue only affects users who are using a custom config that adds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled in the user agent. Nokogiri doesn't support scripting so it follows the \u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will follow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably make the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled browsers, so the safest thing to do is to remove the element and its contents entirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such as \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was allowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in the readme and create a custom config that allowlisted all the elements involved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or if you heeded the warnings about MathML and SVG not being supported, you're not affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or SVG content and does not support this use case. The default configs don't allow MathML or SVG elements, and allowlisting MathML or SVG elements in a custom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing warnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/HISTORY.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.0.1 (2023-01-27)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even\nwhen \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed\nby a custom allowlist. In this scenario, carefully crafted input could sneak\narbitrary HTML through Sanitize, potentially enabling an XSS (cross-site\nscripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not\nvulnerable. This issue only affects users who are using a custom config that\nadds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of\na \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled\nin the user agent. Nokogiri doesn't support scripting so it follows the\n\u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will\nfollow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably\nmake the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled\nbrowsers, so the safest thing to do is to remove the element and its contents\nentirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details:\n\u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\n(\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such\nas \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was\nallowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in\nthe readme and create a custom config that allowlisted all the elements\ninvolved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or\nif you heeded the warnings about MathML and SVG not being supported, you're\nnot affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or\nSVG content and does not support this use case. The default configs don't\nallow MathML or SVG elements, and allowlisting MathML or SVG elements in a\ncustom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing\nwarnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a92f21cd223a32a1737262d68e56a4fb8b9470f9\"\u003e\u003ccode\u003ea92f21c\u003c/code\u003e\u003c/a\u003e Release 6.0.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7ac1dfb413f85bc15130435d64326576a345fe8a\"\u003e\u003ccode\u003e7ac1dfb\u003c/code\u003e\u003c/a\u003e Update links\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/784e78915a8fa9decbc67a06b85664432a3d14ab\"\u003e\u003ccode\u003e784e789\u003c/code\u003e\u003c/a\u003e Remove outdated comparison\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22\"\u003e\u003ccode\u003eec14265\u003c/code\u003e\u003c/a\u003e Always remove \u003ccode\u003e\\\u0026lt;noscript\u0026gt;\u003c/code\u003e elements\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/b4ee521df0d0616340c9648444be488381c238b1\"\u003e\u003ccode\u003eb4ee521\u003c/code\u003e\u003c/a\u003e Forcibly escape content in \u0026quot;unescaped text\u0026quot; elements inside math or svg names...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/94d5c220cd5f22f3865ed448b44215733a6976dc\"\u003e\u003ccode\u003e94d5c22\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/55f766e7a7857efeead30792f4646d10c693e819\"\u003e\u003ccode\u003e55f766e\u003c/code\u003e\u003c/a\u003e Simplify the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/69b4597a6e08600459bb925ebb4fabb166573784\"\u003e\u003ccode\u003e69b4597\u003c/code\u003e\u003c/a\u003e Use actions/checkout@v3\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/2924038559e7ea3ce52c0d968bda8022fcb58149\"\u003e\u003ccode\u003e2924038\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ce1af491a9b36eed4cdc38e8ea3c85743b804129\"\u003e\u003ccode\u003ece1af49\u003c/code\u003e\u003c/a\u003e Update the online demo link\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.0.0...v6.0.1\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.0.0\u0026new-version=6.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/koba-lab/mastodon/pull/781","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/koba-lab%2Fmastodon/issues/781","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/781/packages"},{"uuid":"1562324235","node_id":"PR_kwDOB6Ga_s5IzxMA","number":1509,"state":"closed","title":"Bump sanitize from 6.0.0 to 6.0.1","user":"dependabot[bot]","labels":["dependencies","ruby","rebase needed :construction:"],"assignees":[],"locked":false,"comments_count":2,"pull_request":true,"closed_at":"2026-03-01T05:11:29.000Z","author_association":null,"state_reason":null,"created_at":"2023-01-30T12:10:14.000Z","updated_at":"2026-03-01T06:24:02.000Z","time_to_close":97261275,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.0.0","new_version":"6.0.1","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.0.0 to 6.0.1.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.0.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even when \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed by a custom allowlist. In this scenario, carefully crafted input could sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not vulnerable. This issue only affects users who are using a custom config that adds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled in the user agent. Nokogiri doesn't support scripting so it follows the \u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will follow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably make the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled browsers, so the safest thing to do is to remove the element and its contents entirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such as \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was allowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in the readme and create a custom config that allowlisted all the elements involved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or if you heeded the warnings about MathML and SVG not being supported, you're not affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or SVG content and does not support this use case. The default configs don't allow MathML or SVG elements, and allowlisting MathML or SVG elements in a custom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing warnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/HISTORY.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.0.1 (2023-01-27)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even\nwhen \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed\nby a custom allowlist. In this scenario, carefully crafted input could sneak\narbitrary HTML through Sanitize, potentially enabling an XSS (cross-site\nscripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not\nvulnerable. This issue only affects users who are using a custom config that\nadds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of\na \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled\nin the user agent. Nokogiri doesn't support scripting so it follows the\n\u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will\nfollow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably\nmake the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled\nbrowsers, so the safest thing to do is to remove the element and its contents\nentirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details:\n\u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\n(\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such\nas \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was\nallowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in\nthe readme and create a custom config that allowlisted all the elements\ninvolved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or\nif you heeded the warnings about MathML and SVG not being supported, you're\nnot affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or\nSVG content and does not support this use case. The default configs don't\nallow MathML or SVG elements, and allowlisting MathML or SVG elements in a\ncustom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing\nwarnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a92f21cd223a32a1737262d68e56a4fb8b9470f9\"\u003e\u003ccode\u003ea92f21c\u003c/code\u003e\u003c/a\u003e Release 6.0.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7ac1dfb413f85bc15130435d64326576a345fe8a\"\u003e\u003ccode\u003e7ac1dfb\u003c/code\u003e\u003c/a\u003e Update links\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/784e78915a8fa9decbc67a06b85664432a3d14ab\"\u003e\u003ccode\u003e784e789\u003c/code\u003e\u003c/a\u003e Remove outdated comparison\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22\"\u003e\u003ccode\u003eec14265\u003c/code\u003e\u003c/a\u003e Always remove \u003ccode\u003e\\\u0026lt;noscript\u0026gt;\u003c/code\u003e elements\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/b4ee521df0d0616340c9648444be488381c238b1\"\u003e\u003ccode\u003eb4ee521\u003c/code\u003e\u003c/a\u003e Forcibly escape content in \u0026quot;unescaped text\u0026quot; elements inside math or svg names...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/94d5c220cd5f22f3865ed448b44215733a6976dc\"\u003e\u003ccode\u003e94d5c22\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/55f766e7a7857efeead30792f4646d10c693e819\"\u003e\u003ccode\u003e55f766e\u003c/code\u003e\u003c/a\u003e Simplify the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/69b4597a6e08600459bb925ebb4fabb166573784\"\u003e\u003ccode\u003e69b4597\u003c/code\u003e\u003c/a\u003e Use actions/checkout@v3\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/2924038559e7ea3ce52c0d968bda8022fcb58149\"\u003e\u003ccode\u003e2924038\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ce1af491a9b36eed4cdc38e8ea3c85743b804129\"\u003e\u003ccode\u003ece1af49\u003c/code\u003e\u003c/a\u003e Update the online demo link\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.0.0...v6.0.1\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.0.0\u0026new-version=6.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/wd-shiroma/mastodon/pull/1509","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/wd-shiroma%2Fmastodon/issues/1509","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/1509/packages"},{"uuid":"1220084913","node_id":"PR_kwDOAEW1wM5IuQSx","number":87,"state":"closed","title":"Bump sanitize from 6.0.0 to 6.0.1","user":"dependabot[bot]","labels":["dependencies"],"assignees":[],"locked":false,"comments_count":2,"pull_request":true,"closed_at":"2025-09-28T06:19:04.000Z","author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2023-01-28T01:20:57.000Z","updated_at":"2025-09-28T06:19:04.000Z","time_to_close":84171487,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.0.0","new_version":"6.0.1","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.0.0 to 6.0.1.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.0.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even when \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed by a custom allowlist. In this scenario, carefully crafted input could sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not vulnerable. This issue only affects users who are using a custom config that adds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled in the user agent. Nokogiri doesn't support scripting so it follows the \u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will follow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably make the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled browsers, so the safest thing to do is to remove the element and its contents entirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such as \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was allowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in the readme and create a custom config that allowlisted all the elements involved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or if you heeded the warnings about MathML and SVG not being supported, you're not affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or SVG content and does not support this use case. The default configs don't allow MathML or SVG elements, and allowlisting MathML or SVG elements in a custom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing warnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/HISTORY.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.0.1 (2023-01-27)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even\nwhen \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed\nby a custom allowlist. In this scenario, carefully crafted input could sneak\narbitrary HTML through Sanitize, potentially enabling an XSS (cross-site\nscripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not\nvulnerable. This issue only affects users who are using a custom config that\nadds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of\na \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled\nin the user agent. Nokogiri doesn't support scripting so it follows the\n\u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will\nfollow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably\nmake the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled\nbrowsers, so the safest thing to do is to remove the element and its contents\nentirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details:\n\u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\n(\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such\nas \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was\nallowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in\nthe readme and create a custom config that allowlisted all the elements\ninvolved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or\nif you heeded the warnings about MathML and SVG not being supported, you're\nnot affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or\nSVG content and does not support this use case. The default configs don't\nallow MathML or SVG elements, and allowlisting MathML or SVG elements in a\ncustom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing\nwarnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a92f21cd223a32a1737262d68e56a4fb8b9470f9\"\u003e\u003ccode\u003ea92f21c\u003c/code\u003e\u003c/a\u003e Release 6.0.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7ac1dfb413f85bc15130435d64326576a345fe8a\"\u003e\u003ccode\u003e7ac1dfb\u003c/code\u003e\u003c/a\u003e Update links\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/784e78915a8fa9decbc67a06b85664432a3d14ab\"\u003e\u003ccode\u003e784e789\u003c/code\u003e\u003c/a\u003e Remove outdated comparison\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22\"\u003e\u003ccode\u003eec14265\u003c/code\u003e\u003c/a\u003e Always remove \u003ccode\u003e\\\u0026lt;noscript\u0026gt;\u003c/code\u003e elements\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/b4ee521df0d0616340c9648444be488381c238b1\"\u003e\u003ccode\u003eb4ee521\u003c/code\u003e\u003c/a\u003e Forcibly escape content in \u0026quot;unescaped text\u0026quot; elements inside math or svg names...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/94d5c220cd5f22f3865ed448b44215733a6976dc\"\u003e\u003ccode\u003e94d5c22\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/55f766e7a7857efeead30792f4646d10c693e819\"\u003e\u003ccode\u003e55f766e\u003c/code\u003e\u003c/a\u003e Simplify the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/69b4597a6e08600459bb925ebb4fabb166573784\"\u003e\u003ccode\u003e69b4597\u003c/code\u003e\u003c/a\u003e Use actions/checkout@v3\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/2924038559e7ea3ce52c0d968bda8022fcb58149\"\u003e\u003ccode\u003e2924038\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ce1af491a9b36eed4cdc38e8ea3c85743b804129\"\u003e\u003ccode\u003ece1af49\u003c/code\u003e\u003c/a\u003e Update the online demo link\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.0.0...v6.0.1\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.0.0\u0026new-version=6.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language\n- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language\n- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language\n- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language\n\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/TechnoDann/PPC-board-2.0/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/TechnoDann/PPC-board-2.0/pull/87","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/TechnoDann%2FPPC-board-2.0/issues/87","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/87/packages"},{"uuid":"1560619941","node_id":"PR_kwDOABcwys5IuQJ2","number":1286,"state":"closed","title":"Bump sanitize from 5.2.1 to 6.0.1","user":"dependabot[bot]","labels":["dependencies","ruby"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-05-20T14:36:22.000Z","author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2023-01-28T01:19:27.000Z","updated_at":"2025-05-20T14:36:31.000Z","time_to_close":72883015,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"5.2.1","new_version":"6.0.1","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 5.2.1 to 6.0.1.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.0.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even when \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed by a custom allowlist. In this scenario, carefully crafted input could sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not vulnerable. This issue only affects users who are using a custom config that adds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled in the user agent. Nokogiri doesn't support scripting so it follows the \u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will follow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably make the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled browsers, so the safest thing to do is to remove the element and its contents entirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such as \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was allowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in the readme and create a custom config that allowlisted all the elements involved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or if you heeded the warnings about MathML and SVG not being supported, you're not affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or SVG content and does not support this use case. The default configs don't allow MathML or SVG elements, and allowlisting MathML or SVG elements in a custom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing warnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.0.0\u003c/h2\u003e\n\u003ch3\u003ePotentially Breaking Changes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 2.5.0 is now the oldest officially supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.12.0 or higher, which includes Nokogumbo. The separate dependency on Nokogumbo has been removed. [\u003ca href=\"https://github.com/lis2\"\u003e\u003ccode\u003e@​lis2\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/211\"\u003e#211\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/211\"\u003e211\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev5.2.3\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure protocol sanitization is applied to data attributes. [\u003ca href=\"https://github.com/ccutrer\"\u003e\u003ccode\u003e@​ccutrer\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/207\"\u003e#207\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/207\"\u003e207\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev5.2.2\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eFixed a deprecation warning in Ruby 2.7+ when using keyword arguments in a custom transformer. [\u003ca href=\"https://github.com/mscrivo\"\u003e\u003ccode\u003e@​mscrivo\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/206\"\u003e#206\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/206\"\u003e206\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/HISTORY.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.0.1 (2023-01-27)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even\nwhen \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed\nby a custom allowlist. In this scenario, carefully crafted input could sneak\narbitrary HTML through Sanitize, potentially enabling an XSS (cross-site\nscripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not\nvulnerable. This issue only affects users who are using a custom config that\nadds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of\na \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled\nin the user agent. Nokogiri doesn't support scripting so it follows the\n\u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will\nfollow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably\nmake the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled\nbrowsers, so the safest thing to do is to remove the element and its contents\nentirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details:\n\u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\n(\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such\nas \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was\nallowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in\nthe readme and create a custom config that allowlisted all the elements\ninvolved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or\nif you heeded the warnings about MathML and SVG not being supported, you're\nnot affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or\nSVG content and does not support this use case. The default configs don't\nallow MathML or SVG elements, and allowlisting MathML or SVG elements in a\ncustom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing\nwarnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a92f21cd223a32a1737262d68e56a4fb8b9470f9\"\u003e\u003ccode\u003ea92f21c\u003c/code\u003e\u003c/a\u003e Release 6.0.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7ac1dfb413f85bc15130435d64326576a345fe8a\"\u003e\u003ccode\u003e7ac1dfb\u003c/code\u003e\u003c/a\u003e Update links\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/784e78915a8fa9decbc67a06b85664432a3d14ab\"\u003e\u003ccode\u003e784e789\u003c/code\u003e\u003c/a\u003e Remove outdated comparison\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22\"\u003e\u003ccode\u003eec14265\u003c/code\u003e\u003c/a\u003e Always remove \u003ccode\u003e\\\u0026lt;noscript\u0026gt;\u003c/code\u003e elements\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/b4ee521df0d0616340c9648444be488381c238b1\"\u003e\u003ccode\u003eb4ee521\u003c/code\u003e\u003c/a\u003e Forcibly escape content in \u0026quot;unescaped text\u0026quot; elements inside math or svg names...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/94d5c220cd5f22f3865ed448b44215733a6976dc\"\u003e\u003ccode\u003e94d5c22\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/55f766e7a7857efeead30792f4646d10c693e819\"\u003e\u003ccode\u003e55f766e\u003c/code\u003e\u003c/a\u003e Simplify the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/69b4597a6e08600459bb925ebb4fabb166573784\"\u003e\u003ccode\u003e69b4597\u003c/code\u003e\u003c/a\u003e Use actions/checkout@v3\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/2924038559e7ea3ce52c0d968bda8022fcb58149\"\u003e\u003ccode\u003e2924038\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ce1af491a9b36eed4cdc38e8ea3c85743b804129\"\u003e\u003ccode\u003ece1af49\u003c/code\u003e\u003c/a\u003e Update the online demo link\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v5.2.1...v6.0.1\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=5.2.1\u0026new-version=6.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/railsbridge/bridge_troll/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/railsbridge/bridge_troll/pull/1286","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/railsbridge%2Fbridge_troll/issues/1286","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/1286/packages"},{"uuid":"569535143","node_id":"MDExOlB1bGxSZXF1ZXN0NTY5NTM1MTQz","number":1,"state":"closed","title":"Bump sanitize from 5.0.0 to 5.2.3","user":"dependabot[bot]","labels":["dependencies"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-07-29T12:37:29.000Z","author_association":"NONE","state_reason":null,"created_at":"2021-02-08T14:58:23.000Z","updated_at":"2025-07-29T12:37:29.000Z","time_to_close":140996346,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"5.0.0","new_version":"5.2.3","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 5.0.0 to 5.2.3.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev5.2.3\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure protocol sanitization is applied to data attributes. [\u003ca href=\"https://github.com/ccutrer\"\u003e\u003ccode\u003e@ccutrer\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/207\"\u003e#207\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/207\"\u003e207\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev5.2.2\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eFixed a deprecation warning in Ruby 2.7+ when using keyword arguments in a custom transformer. [\u003ca href=\"https://github.com/mscrivo\"\u003e\u003ccode\u003e@mscrivo\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/206\"\u003e#206\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/206\"\u003e206\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev5.2.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an HTML sanitization bypass that could allow XSS. This issue affects Sanitize versions 3.0.0 through 5.2.0.\u003c/p\u003e\n\u003cp\u003eWhen HTML was sanitized using the \u0026quot;relaxed\u0026quot; config or a custom config that allows certain elements, some content in a \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element may not have beeen sanitized correctly even if \u003ccode\u003emath\u003c/code\u003e and \u003ccode\u003esvg\u003c/code\u003e were not in the allowlist. This could allow carefully crafted input to sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eYou are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML elements:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eiframe\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emath\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoembed\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoframes\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoscript\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eplaintext\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003escript\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003estyle\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esvg\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003exmp\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eSee the security advisory for more details, including a workaround if you're not able to upgrade: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m\"\u003eGHSA-p4x4-rw2p-8j8m\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eMany thanks to Michał Bentkowski of Securitum for reporting this issue and helping to verify the fix.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev5.2.0\u003c/h2\u003e\n\u003ch3\u003eChanges\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eThe term \u0026quot;whitelist\u0026quot; has been replaced with \u0026quot;allowlist\u0026quot; throughout Sanitize's source and documentation.\u003c/p\u003e\n\u003cp\u003eWhile the etymology of \u0026quot;whitelist\u0026quot; may not be explicitly racist in origin or intent, there are inherent racial connotations in the implication that white is good and black (as in \u0026quot;blacklist\u0026quot;) is not.\u003c/p\u003e\n\u003cp\u003eThis is a change I should have made long ago, and I apologize for not making it sooner.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eIn transformer input, the \u003ccode\u003e:is_whitelisted\u003c/code\u003e and \u003ccode\u003e:node_whitelist\u003c/code\u003e keys are now deprecated. New \u003ccode\u003e:is_allowlisted\u003c/code\u003e and \u003ccode\u003e:node_allowlist\u003c/code\u003e keys have been added. The old keys will continue to work in order to avoid breaking existing code, but they are no longer documented and may be removed in a future semver major release.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/HISTORY.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e5.2.3 (2021-01-11)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure protocol sanitization is applied to data attributes.\n[\u003ca href=\"https://github.com/ccutrer\"\u003e\u003ccode\u003e@ccutrer\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/207\"\u003e#207\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/207\"\u003e207\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e5.2.2 (2021-01-06)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eFixed a deprecation warning in Ruby 2.7+ when using keyword arguments in a\ncustom transformer. [\u003ca href=\"https://github.com/mscrivo\"\u003e\u003ccode\u003e@mscrivo\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/206\"\u003e#206\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/206\"\u003e206\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e5.2.1 (2020-06-16)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an HTML sanitization bypass that could allow XSS. This issue affects\nSanitize versions 3.0.0 through 5.2.0.\u003c/p\u003e\n\u003cp\u003eWhen HTML was sanitized using the \u0026quot;relaxed\u0026quot; config or a custom config that\nallows certain elements, some content in a \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element may not\nhave beeen sanitized correctly even if \u003ccode\u003emath\u003c/code\u003e and \u003ccode\u003esvg\u003c/code\u003e were not in the\nallowlist. This could allow carefully crafted input to sneak arbitrary HTML\nthrough Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eYou are likely to be vulnerable to this issue if you use Sanitize's relaxed\nconfig or a custom config that allows one or more of the following HTML\nelements:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eiframe\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emath\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoembed\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoframes\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoscript\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eplaintext\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003escript\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003estyle\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esvg\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003exmp\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eSee the security advisory for more details, including a workaround if you're\nnot able to upgrade: [GHSA-p4x4-rw2p-8j8m]\u003c/p\u003e\n\u003cp\u003eMany thanks to Michał Bentkowski of Securitum for reporting this issue and\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/9b8b55b6b90895a232f4243eaf5a4e6454136e20\"\u003e\u003ccode\u003e9b8b55b\u003c/code\u003e\u003c/a\u003e Release 5.2.3\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/eaaaa9d1dd3714c8467b9169edf2ecd1e2a3e277\"\u003e\u003ccode\u003eeaaaa9d\u003c/code\u003e\u003c/a\u003e Clarify comments\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/fac1a2ea3750630d5cb482b9c19fdac703356580\"\u003e\u003ccode\u003efac1a2e\u003c/code\u003e\u003c/a\u003e ensure protocol processing happens on data attributes\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/4f6858ff9f6e3e7ed6d0fba85a2a8fd1d37594df\"\u003e\u003ccode\u003e4f6858f\u003c/code\u003e\u003c/a\u003e Link the Tests badge to the workflow page\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/1c661dc15ad5872f07988e5aced68c68a328c099\"\u003e\u003ccode\u003e1c661dc\u003c/code\u003e\u003c/a\u003e Remove Travis\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/cd68389b041405e47bc5c400ea5c0c63cd5786da\"\u003e\u003ccode\u003ecd68389\u003c/code\u003e\u003c/a\u003e Add GitHub Actions workflow\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/4ea3d8ec48563f19c0927153ae1217fd9aa3d962\"\u003e\u003ccode\u003e4ea3d8e\u003c/code\u003e\u003c/a\u003e Release 5.2.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7a7dd3ed42145de137cee2c987d1667ce428837f\"\u003e\u003ccode\u003e7a7dd3e\u003c/code\u003e\u003c/a\u003e Add Ruby 3.0 to the Travis matrix.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/361cc0515aea77de9905140f6fc2546812b5dc05\"\u003e\u003ccode\u003e361cc05\u003c/code\u003e\u003c/a\u003e Fix warning in Ruby 2.7+\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/b032474dbc5a567e41c12d8481e8d4265b51588e\"\u003e\u003ccode\u003eb032474\u003c/code\u003e\u003c/a\u003e Merge branch 'ajmalmsali-patch-1'\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v5.0.0...v5.2.3\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=5.0.0\u0026new-version=5.2.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language\n- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language\n- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language\n- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language\n\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/uklibraries/jester/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/uklibraries/jester/pull/1","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/uklibraries%2Fjester/issues/1","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/1/packages"},{"uuid":"791516882","node_id":"MDExOlB1bGxSZXF1ZXN0NTU5NTYyNTA3","number":33,"state":"closed","title":"Bump sanitize from 5.0.0 to 5.2.3","user":"dependabot[bot]","labels":["dependencies"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2026-04-01T21:28:07.000Z","author_association":null,"state_reason":null,"created_at":"2021-01-21T21:46:37.000Z","updated_at":"2026-04-01T21:28:10.000Z","time_to_close":163813290,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"5.0.0","new_version":"5.2.3","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 5.0.0 to 5.2.3.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev5.2.3\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure protocol sanitization is applied to data attributes. [\u003ca href=\"https://github.com/ccutrer\"\u003e\u003ccode\u003e@ccutrer\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/207\"\u003e#207\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/207\"\u003e207\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev5.2.2\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eFixed a deprecation warning in Ruby 2.7+ when using keyword arguments in a custom transformer. [\u003ca href=\"https://github.com/mscrivo\"\u003e\u003ccode\u003e@mscrivo\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/206\"\u003e#206\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/206\"\u003e206\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev5.2.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an HTML sanitization bypass that could allow XSS. This issue affects Sanitize versions 3.0.0 through 5.2.0.\u003c/p\u003e\n\u003cp\u003eWhen HTML was sanitized using the \u0026quot;relaxed\u0026quot; config or a custom config that allows certain elements, some content in a \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element may not have beeen sanitized correctly even if \u003ccode\u003emath\u003c/code\u003e and \u003ccode\u003esvg\u003c/code\u003e were not in the allowlist. This could allow carefully crafted input to sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eYou are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML elements:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eiframe\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emath\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoembed\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoframes\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoscript\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eplaintext\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003escript\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003estyle\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esvg\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003exmp\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eSee the security advisory for more details, including a workaround if you're not able to upgrade: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m\"\u003eGHSA-p4x4-rw2p-8j8m\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eMany thanks to Michał Bentkowski of Securitum for reporting this issue and helping to verify the fix.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev5.2.0\u003c/h2\u003e\n\u003ch3\u003eChanges\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eThe term \u0026quot;whitelist\u0026quot; has been replaced with \u0026quot;allowlist\u0026quot; throughout Sanitize's source and documentation.\u003c/p\u003e\n\u003cp\u003eWhile the etymology of \u0026quot;whitelist\u0026quot; may not be explicitly racist in origin or intent, there are inherent racial connotations in the implication that white is good and black (as in \u0026quot;blacklist\u0026quot;) is not.\u003c/p\u003e\n\u003cp\u003eThis is a change I should have made long ago, and I apologize for not making it sooner.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eIn transformer input, the \u003ccode\u003e:is_whitelisted\u003c/code\u003e and \u003ccode\u003e:node_whitelist\u003c/code\u003e keys are now deprecated. New \u003ccode\u003e:is_allowlisted\u003c/code\u003e and \u003ccode\u003e:node_allowlist\u003c/code\u003e keys have been added. The old keys will continue to work in order to avoid breaking existing code, but they are no longer documented and may be removed in a future semver major release.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/HISTORY.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e5.2.3 (2021-01-11)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure protocol sanitization is applied to data attributes.\n[\u003ca href=\"https://github.com/ccutrer\"\u003e\u003ccode\u003e@ccutrer\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/207\"\u003e#207\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/207\"\u003e207\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e5.2.2 (2021-01-06)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eFixed a deprecation warning in Ruby 2.7+ when using keyword arguments in a\ncustom transformer. [\u003ca href=\"https://github.com/mscrivo\"\u003e\u003ccode\u003e@mscrivo\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/206\"\u003e#206\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/206\"\u003e206\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e5.2.1 (2020-06-16)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an HTML sanitization bypass that could allow XSS. This issue affects\nSanitize versions 3.0.0 through 5.2.0.\u003c/p\u003e\n\u003cp\u003eWhen HTML was sanitized using the \u0026quot;relaxed\u0026quot; config or a custom config that\nallows certain elements, some content in a \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element may not\nhave beeen sanitized correctly even if \u003ccode\u003emath\u003c/code\u003e and \u003ccode\u003esvg\u003c/code\u003e were not in the\nallowlist. This could allow carefully crafted input to sneak arbitrary HTML\nthrough Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eYou are likely to be vulnerable to this issue if you use Sanitize's relaxed\nconfig or a custom config that allows one or more of the following HTML\nelements:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eiframe\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emath\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoembed\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoframes\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoscript\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eplaintext\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003escript\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003estyle\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esvg\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003exmp\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eSee the security advisory for more details, including a workaround if you're\nnot able to upgrade: [GHSA-p4x4-rw2p-8j8m]\u003c/p\u003e\n\u003cp\u003eMany thanks to Michał Bentkowski of Securitum for reporting this issue and\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/9b8b55b6b90895a232f4243eaf5a4e6454136e20\"\u003e\u003ccode\u003e9b8b55b\u003c/code\u003e\u003c/a\u003e Release 5.2.3\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/eaaaa9d1dd3714c8467b9169edf2ecd1e2a3e277\"\u003e\u003ccode\u003eeaaaa9d\u003c/code\u003e\u003c/a\u003e Clarify comments\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/fac1a2ea3750630d5cb482b9c19fdac703356580\"\u003e\u003ccode\u003efac1a2e\u003c/code\u003e\u003c/a\u003e ensure protocol processing happens on data attributes\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/4f6858ff9f6e3e7ed6d0fba85a2a8fd1d37594df\"\u003e\u003ccode\u003e4f6858f\u003c/code\u003e\u003c/a\u003e Link the Tests badge to the workflow page\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/1c661dc15ad5872f07988e5aced68c68a328c099\"\u003e\u003ccode\u003e1c661dc\u003c/code\u003e\u003c/a\u003e Remove Travis\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/cd68389b041405e47bc5c400ea5c0c63cd5786da\"\u003e\u003ccode\u003ecd68389\u003c/code\u003e\u003c/a\u003e Add GitHub Actions workflow\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/4ea3d8ec48563f19c0927153ae1217fd9aa3d962\"\u003e\u003ccode\u003e4ea3d8e\u003c/code\u003e\u003c/a\u003e Release 5.2.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7a7dd3ed42145de137cee2c987d1667ce428837f\"\u003e\u003ccode\u003e7a7dd3e\u003c/code\u003e\u003c/a\u003e Add Ruby 3.0 to the Travis matrix.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/361cc0515aea77de9905140f6fc2546812b5dc05\"\u003e\u003ccode\u003e361cc05\u003c/code\u003e\u003c/a\u003e Fix warning in Ruby 2.7+\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/b032474dbc5a567e41c12d8481e8d4265b51588e\"\u003e\u003ccode\u003eb032474\u003c/code\u003e\u003c/a\u003e Merge branch 'ajmalmsali-patch-1'\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v5.0.0...v5.2.3\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=5.0.0\u0026new-version=5.2.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language\n- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language\n- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language\n- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language\n\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/upenn-libraries/sdbmss/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/upenn-libraries/sdbmss/pull/33","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/upenn-libraries%2Fsdbmss/issues/33","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/33/packages"}],"issue_packages":[{"old_version":"6.0.0","new_version":"6.0.2","update_type":"patch","path":null,"pr_created_at":"2025-09-12T09:39:49.000Z","version_change":"6.0.0 → 6.0.2","issue":{"uuid":"2822017856","node_id":"PR_kwDOATht286oNJNA","number":144,"state":"closed","title":"Bump sanitize from 6.0.0 to 6.0.2","user":"dependabot[bot]","labels":["dependencies","ruby"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-09-12T09:46:36.000Z","author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-09-12T09:39:49.000Z","updated_at":"2025-09-12T09:46:36.000Z","time_to_close":407,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.0.0","new_version":"6.0.2","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.0.0 to 6.0.2.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.0.2\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eCVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS (cross-site scripting). This issue affects Sanitize versions 3.0.0 through 6.0.1.\u003c/p\u003e\n\u003cp\u003eWhen using Sanitize's relaxed config or a custom config that allows \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e elements and one or more CSS at-rules, carefully crafted input could be used to sneak arbitrary HTML through Sanitize.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7\"\u003eGHSA-f5ww-cq3m-q3g7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to \u003ca href=\"https://github.com/cure53\"\u003e\u003ccode\u003e@​cure53\u003c/code\u003e\u003c/a\u003e for finding this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.0.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even when \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed by a custom allowlist. In this scenario, carefully crafted input could sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not vulnerable. This issue only affects users who are using a custom config that adds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled in the user agent. Nokogiri doesn't support scripting so it follows the \u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will follow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably make the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled browsers, so the safest thing to do is to remove the element and its contents entirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such as \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was allowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in the readme and create a custom config that allowlisted all the elements involved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or if you heeded the warnings about MathML and SVG not being supported, you're not affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or SVG content and does not support this use case. The default configs don't allow MathML or SVG elements, and allowlisting MathML or SVG elements in a custom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing warnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/CHANGELOG.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.0.2 (2023-07-06)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eCVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS\n(cross-site scripting). This issue affects Sanitize versions 3.0.0 through\n6.0.1.\u003c/p\u003e\n\u003cp\u003eWhen using Sanitize's relaxed config or a custom config that allows \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e\nelements and one or more CSS at-rules, carefully crafted input could be used\nto sneak arbitrary HTML through Sanitize.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details:\n\u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7\"\u003eGHSA-f5ww-cq3m-q3g7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to \u003ca href=\"https://github.com/cure53\"\u003e\u003ccode\u003e@​cure53\u003c/code\u003e\u003c/a\u003e for finding this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.0.1 (2023-01-27)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even\nwhen \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed\nby a custom allowlist. In this scenario, carefully crafted input could sneak\narbitrary HTML through Sanitize, potentially enabling an XSS (cross-site\nscripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not\nvulnerable. This issue only affects users who are using a custom config that\nadds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of\na \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled\nin the user agent. Nokogiri doesn't support scripting so it follows the\n\u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will\nfollow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably\nmake the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled\nbrowsers, so the safest thing to do is to remove the element and its contents\nentirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details:\n\u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\n(\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such\nas \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220\"\u003e\u003ccode\u003e76ed46e\u003c/code\u003e\u003c/a\u003e Merge pull request from GHSA-f5ww-cq3m-q3g7\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/3481ac3f1255c6584c67fad2f9e44d809273125d\"\u003e\u003ccode\u003e3481ac3\u003c/code\u003e\u003c/a\u003e Release 6.0.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/773d927bc457f5cae21edc059654abc98101413c\"\u003e\u003ccode\u003e773d927\u003c/code\u003e\u003c/a\u003e Update history\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/041c068cec516474d61862faf3910b26c7e10073\"\u003e\u003ccode\u003e041c068\u003c/code\u003e\u003c/a\u003e Escape \u003ccode\u003e\u0026lt;/\u003c/code\u003e to prevent a style element from being closed prematurely\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a92f21cd223a32a1737262d68e56a4fb8b9470f9\"\u003e\u003ccode\u003ea92f21c\u003c/code\u003e\u003c/a\u003e Release 6.0.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7ac1dfb413f85bc15130435d64326576a345fe8a\"\u003e\u003ccode\u003e7ac1dfb\u003c/code\u003e\u003c/a\u003e Update links\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/784e78915a8fa9decbc67a06b85664432a3d14ab\"\u003e\u003ccode\u003e784e789\u003c/code\u003e\u003c/a\u003e Remove outdated comparison\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22\"\u003e\u003ccode\u003eec14265\u003c/code\u003e\u003c/a\u003e Always remove \u003ccode\u003e\\\u0026lt;noscript\u0026gt;\u003c/code\u003e elements\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/b4ee521df0d0616340c9648444be488381c238b1\"\u003e\u003ccode\u003eb4ee521\u003c/code\u003e\u003c/a\u003e Forcibly escape content in \u0026quot;unescaped text\u0026quot; elements inside math or svg names...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/94d5c220cd5f22f3865ed448b44215733a6976dc\"\u003e\u003ccode\u003e94d5c22\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.0.0...v6.0.2\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.0.0\u0026new-version=6.0.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/shireeshj/blog/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/shireeshj/blog/pull/144","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/shireeshj%2Fblog/issues/144","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/144/packages"}},{"old_version":"6.1.3","new_version":"7.0.0","update_type":"major","path":null,"pr_created_at":"2025-09-11T08:08:01.000Z","version_change":"6.1.3 → 7.0.0","issue":{"uuid":"2818097460","node_id":"PR_kwDOPrrxLM6n-ME0","number":61,"state":"open","title":"Bump sanitize from 6.1.3 to 7.0.0","user":"dependabot[bot]","labels":["dependencies","ruby"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"NONE","state_reason":null,"created_at":"2025-09-11T08:08:01.000Z","updated_at":"2025-09-11T08:08:02.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.1.3","new_version":"7.0.0","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.1.3 to 7.0.0.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev7.0.0\u003c/h2\u003e\n\u003cp\u003eSanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!\u003c/p\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eAdded over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of \u0026quot;Working Draft\u0026quot; or better in the latest \u003ca href=\"https://www.w3.org/Style/CSS/all-properties.en.html\"\u003eW3C \u0026quot;All Properties\u0026quot; list\u003c/a\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e-webkit-text-fill-color\u003c/code\u003e CSS property to the relaxed config. [\u003ca href=\"https://github.com/radar\"\u003e\u003ccode\u003e@​radar\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/244\"\u003e#244\u003c/a\u003e](\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/244\"\u003ergrove/sanitize#244\u003c/a\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 3.1.0 is now the oldest supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.16.8 or higher.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/CHANGELOG.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e7.0.0 (2024-12-29)\u003c/h2\u003e\n\u003cp\u003eSanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!\u003c/p\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eAdded over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of \u0026quot;Working Draft\u0026quot; or better in the latest \u003ca href=\"https://www.w3.org/Style/CSS/all-properties.en.html\"\u003eW3C \u0026quot;All Properties\u0026quot; list\u003c/a\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e-webkit-text-fill-color\u003c/code\u003e CSS property to the relaxed config. [\u003ca href=\"https://github.com/radar\"\u003e\u003ccode\u003e@​radar\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/244\"\u003e#244\u003c/a\u003e](\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/244\"\u003ergrove/sanitize#244\u003c/a\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 3.1.0 is now the oldest supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.16.8 or higher.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/19ee751d1b1c1e9d0335c0438fdb6b389544c45c\"\u003e\u003ccode\u003e19ee751\u003c/code\u003e\u003c/a\u003e Release 7.0.0\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/859c3aa11fdd71829a2424d98346fb8d8d14e522\"\u003e\u003ccode\u003e859c3aa\u003c/code\u003e\u003c/a\u003e Add contribution guidelines\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/45dbeac426189fca4772bf7221744be86cdd969f\"\u003e\u003ccode\u003e45dbeac\u003c/code\u003e\u003c/a\u003e Add \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/010e4e2a6e2423290876db4c5e7bbfa6845d1c3e\"\u003e\u003ccode\u003e010e4e2\u003c/code\u003e\u003c/a\u003e Add new CSS properties\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/c8ce4edcc228d02cae718ea5d71fbb7948938c64\"\u003e\u003ccode\u003ec8ce4ed\u003c/code\u003e\u003c/a\u003e Require MFA\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/0aece5eca67d7a3edefd301af3c90d5ecae0342d\"\u003e\u003ccode\u003e0aece5e\u003c/code\u003e\u003c/a\u003e Remove rubocop_todo.yml\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/99d67ab63cb25d2efb7c4f027c6cd21df1159264\"\u003e\u003ccode\u003e99d67ab\u003c/code\u003e\u003c/a\u003e Remove redundant Ruby 3.4 from the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/1127a0760302e796f8b76016fa7d78364d54721d\"\u003e\u003ccode\u003e1127a07\u003c/code\u003e\u003c/a\u003e Loosen Bundler dependency\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a41c5f609af9fb64d83945949e332042d621d94e\"\u003e\u003ccode\u003ea41c5f6\u003c/code\u003e\u003c/a\u003e Adopt Standard Ruby style\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/fa8d5e66b724928f16f8d05e27a958407350b3aa\"\u003e\u003ccode\u003efa8d5e6\u003c/code\u003e\u003c/a\u003e Move development dependencies to Gemfile\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.1.3...v7.0.0\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.1.3\u0026new-version=7.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/thinh20011111/test_backend/pull/61","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/thinh20011111%2Ftest_backend/issues/61","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/61/packages"}},{"old_version":"6.1.3","new_version":"7.0.0","update_type":"major","path":null,"pr_created_at":"2025-06-29T11:59:26.000Z","version_change":"6.1.3 → 7.0.0","issue":{"uuid":"2626910278","node_id":"PR_kwDOAB9lK86ck3hG","number":3122,"state":"closed","title":"Bump sanitize from 6.1.3 to 7.0.0","user":"dependabot[bot]","labels":["dependencies","ruby"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":"2025-06-29T12:37:12.000Z","author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-06-29T11:59:26.000Z","updated_at":"2025-06-29T12:37:12.000Z","time_to_close":2266,"merged_at":"2025-06-29T12:37:12.000Z","merged_by":"ZeiP","closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.1.3","new_version":"7.0.0","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.1.3 to 7.0.0.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev7.0.0\u003c/h2\u003e\n\u003cp\u003eSanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!\u003c/p\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eAdded over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of \u0026quot;Working Draft\u0026quot; or better in the latest \u003ca href=\"https://www.w3.org/Style/CSS/all-properties.en.html\"\u003eW3C \u0026quot;All Properties\u0026quot; list\u003c/a\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e-webkit-text-fill-color\u003c/code\u003e CSS property to the relaxed config. [\u003ca href=\"https://github.com/radar\"\u003e\u003ccode\u003e@​radar\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/244\"\u003e#244\u003c/a\u003e](\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/244\"\u003ergrove/sanitize#244\u003c/a\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 3.1.0 is now the oldest supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.16.8 or higher.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/CHANGELOG.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e7.0.0 (2024-12-29)\u003c/h2\u003e\n\u003cp\u003eSanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!\u003c/p\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eAdded over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of \u0026quot;Working Draft\u0026quot; or better in the latest \u003ca href=\"https://www.w3.org/Style/CSS/all-properties.en.html\"\u003eW3C \u0026quot;All Properties\u0026quot; list\u003c/a\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e-webkit-text-fill-color\u003c/code\u003e CSS property to the relaxed config. [\u003ca href=\"https://github.com/radar\"\u003e\u003ccode\u003e@​radar\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/244\"\u003e#244\u003c/a\u003e](\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/244\"\u003ergrove/sanitize#244\u003c/a\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 3.1.0 is now the oldest supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.16.8 or higher.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/19ee751d1b1c1e9d0335c0438fdb6b389544c45c\"\u003e\u003ccode\u003e19ee751\u003c/code\u003e\u003c/a\u003e Release 7.0.0\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/859c3aa11fdd71829a2424d98346fb8d8d14e522\"\u003e\u003ccode\u003e859c3aa\u003c/code\u003e\u003c/a\u003e Add contribution guidelines\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/45dbeac426189fca4772bf7221744be86cdd969f\"\u003e\u003ccode\u003e45dbeac\u003c/code\u003e\u003c/a\u003e Add \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/010e4e2a6e2423290876db4c5e7bbfa6845d1c3e\"\u003e\u003ccode\u003e010e4e2\u003c/code\u003e\u003c/a\u003e Add new CSS properties\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/c8ce4edcc228d02cae718ea5d71fbb7948938c64\"\u003e\u003ccode\u003ec8ce4ed\u003c/code\u003e\u003c/a\u003e Require MFA\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/0aece5eca67d7a3edefd301af3c90d5ecae0342d\"\u003e\u003ccode\u003e0aece5e\u003c/code\u003e\u003c/a\u003e Remove rubocop_todo.yml\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/99d67ab63cb25d2efb7c4f027c6cd21df1159264\"\u003e\u003ccode\u003e99d67ab\u003c/code\u003e\u003c/a\u003e Remove redundant Ruby 3.4 from the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/1127a0760302e796f8b76016fa7d78364d54721d\"\u003e\u003ccode\u003e1127a07\u003c/code\u003e\u003c/a\u003e Loosen Bundler dependency\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a41c5f609af9fb64d83945949e332042d621d94e\"\u003e\u003ccode\u003ea41c5f6\u003c/code\u003e\u003c/a\u003e Adopt Standard Ruby style\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/fa8d5e66b724928f16f8d05e27a958407350b3aa\"\u003e\u003ccode\u003efa8d5e6\u003c/code\u003e\u003c/a\u003e Move development dependencies to Gemfile\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.1.3...v7.0.0\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.1.3\u0026new-version=7.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/TracksApp/tracks/pull/3122","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/TracksApp%2Ftracks/issues/3122","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/3122/packages"}},{"old_version":"6.0.1","new_version":"7.0.0","update_type":"major","path":null,"pr_created_at":"2025-06-27T17:05:01.000Z","version_change":"6.0.1 → 7.0.0","issue":{"uuid":"2624965995","node_id":"PR_kwDOPC91Ss6cdc1r","number":172,"state":"open","title":"Bump sanitize from 6.0.1 to 7.0.0","user":"dependabot[bot]","labels":["dependencies","ruby"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":null,"author_association":"NONE","state_reason":null,"created_at":"2025-06-27T17:05:01.000Z","updated_at":"2025-06-27T17:05:02.000Z","time_to_close":null,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.0.1","new_version":"7.0.0","repository_url":null}],"path":null,"ecosystem":"rubygems"},"body":"\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.0.1\u0026new-version=7.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/dbortz/mastodon/pull/172","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/dbortz%2Fmastodon/issues/172","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/172/packages"}},{"old_version":"6.1.3","new_version":"7.0.0","update_type":"major","path":null,"pr_created_at":"2025-04-07T11:23:57.000Z","version_change":"6.1.3 → 7.0.0","issue":{"uuid":"2976531235","node_id":"PR_kwDOAAVuNc6RnYH8","number":1949,"state":"closed","title":"chore(deps): bump sanitize from 6.1.3 to 7.0.0","user":"dependabot[bot]","labels":["ruby","Stale","dependencies"],"assignees":[],"locked":false,"comments_count":2,"pull_request":true,"closed_at":"2025-08-26T12:12:30.000Z","author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-04-07T11:23:57.000Z","updated_at":"2025-08-26T12:12:32.000Z","time_to_close":12185313,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"chore(deps)","packages":[{"name":"sanitize","old_version":"6.1.3","new_version":"7.0.0","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.1.3 to 7.0.0.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev7.0.0\u003c/h2\u003e\n\u003cp\u003eSanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!\u003c/p\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eAdded over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of \u0026quot;Working Draft\u0026quot; or better in the latest \u003ca href=\"https://www.w3.org/Style/CSS/all-properties.en.html\"\u003eW3C \u0026quot;All Properties\u0026quot; list\u003c/a\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e-webkit-text-fill-color\u003c/code\u003e CSS property to the relaxed config. [\u003ca href=\"https://github.com/radar\"\u003e\u003ccode\u003e@​radar\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/244\"\u003e#244\u003c/a\u003e](\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/244\"\u003ergrove/sanitize#244\u003c/a\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 3.1.0 is now the oldest supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.16.8 or higher.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/CHANGELOG.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e7.0.0 (2024-12-29)\u003c/h2\u003e\n\u003cp\u003eSanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!\u003c/p\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eAdded over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of \u0026quot;Working Draft\u0026quot; or better in the latest \u003ca href=\"https://www.w3.org/Style/CSS/all-properties.en.html\"\u003eW3C \u0026quot;All Properties\u0026quot; list\u003c/a\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e-webkit-text-fill-color\u003c/code\u003e CSS property to the relaxed config. [\u003ca href=\"https://github.com/radar\"\u003e\u003ccode\u003e@​radar\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/244\"\u003e#244\u003c/a\u003e](\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/244\"\u003ergrove/sanitize#244\u003c/a\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 3.1.0 is now the oldest supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.16.8 or higher.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/19ee751d1b1c1e9d0335c0438fdb6b389544c45c\"\u003e\u003ccode\u003e19ee751\u003c/code\u003e\u003c/a\u003e Release 7.0.0\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/859c3aa11fdd71829a2424d98346fb8d8d14e522\"\u003e\u003ccode\u003e859c3aa\u003c/code\u003e\u003c/a\u003e Add contribution guidelines\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/45dbeac426189fca4772bf7221744be86cdd969f\"\u003e\u003ccode\u003e45dbeac\u003c/code\u003e\u003c/a\u003e Add \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/010e4e2a6e2423290876db4c5e7bbfa6845d1c3e\"\u003e\u003ccode\u003e010e4e2\u003c/code\u003e\u003c/a\u003e Add new CSS properties\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/c8ce4edcc228d02cae718ea5d71fbb7948938c64\"\u003e\u003ccode\u003ec8ce4ed\u003c/code\u003e\u003c/a\u003e Require MFA\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/0aece5eca67d7a3edefd301af3c90d5ecae0342d\"\u003e\u003ccode\u003e0aece5e\u003c/code\u003e\u003c/a\u003e Remove rubocop_todo.yml\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/99d67ab63cb25d2efb7c4f027c6cd21df1159264\"\u003e\u003ccode\u003e99d67ab\u003c/code\u003e\u003c/a\u003e Remove redundant Ruby 3.4 from the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/1127a0760302e796f8b76016fa7d78364d54721d\"\u003e\u003ccode\u003e1127a07\u003c/code\u003e\u003c/a\u003e Loosen Bundler dependency\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a41c5f609af9fb64d83945949e332042d621d94e\"\u003e\u003ccode\u003ea41c5f6\u003c/code\u003e\u003c/a\u003e Adopt Standard Ruby style\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/fa8d5e66b724928f16f8d05e27a958407350b3aa\"\u003e\u003ccode\u003efa8d5e6\u003c/code\u003e\u003c/a\u003e Move development dependencies to Gemfile\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.1.3...v7.0.0\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.1.3\u0026new-version=7.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nYou can trigger a rebase of this PR by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e\n\n\u003e **Note**\n\u003e Automatic rebases have been disabled on this pull request as it has been open for over 30 days.\n","html_url":"https://github.com/github/markup/pull/1949","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/github%2Fmarkup/issues/1949","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/1949/packages"}},{"old_version":"6.1.0","new_version":"7.0.0","update_type":"major","path":null,"pr_created_at":"2025-01-20T08:13:26.000Z","version_change":"6.1.0 → 7.0.0","issue":{"uuid":"2798523570","node_id":"PR_kwDOAT6yh86IUKyf","number":1043,"state":"closed","title":"Bump sanitize from 6.1.0 to 7.0.0","user":"dependabot[bot]","labels":["dependencies","ruby"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-09-30T13:51:58.000Z","author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2025-01-20T08:13:26.000Z","updated_at":"2025-09-30T13:52:00.000Z","time_to_close":21879512,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.1.0","new_version":"7.0.0","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.1.0 to 7.0.0.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev7.0.0\u003c/h2\u003e\n\u003cp\u003eSanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!\u003c/p\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eAdded over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of \u0026quot;Working Draft\u0026quot; or better in the latest \u003ca href=\"https://www.w3.org/Style/CSS/all-properties.en.html\"\u003eW3C \u0026quot;All Properties\u0026quot; list\u003c/a\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e-webkit-text-fill-color\u003c/code\u003e CSS property to the relaxed config. [\u003ca href=\"https://github.com/radar\"\u003e\u003ccode\u003e@​radar\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/244\"\u003e#244\u003c/a\u003e](\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/244\"\u003ergrove/sanitize#244\u003c/a\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 3.1.0 is now the oldest supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.16.8 or higher.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.1.3\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eThe CSS URL protocol allowlist is now enforced on the nonstandard \u003ccode\u003e-webkit-image-set\u003c/code\u003e CSS function. [\u003ca href=\"https://github.com/ltk\"\u003e\u003ccode\u003e@​ltk\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/242\"\u003e#242\u003c/a\u003e]\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/242\"\u003e242\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.1.2\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eThe CSS URL protocol allowlist is now properly enforced in \u003ca href=\"https://drafts.csswg.org/css-images-4/\"\u003eCSS Images Module Level 4\u003c/a\u003e \u003ccode\u003eimage\u003c/code\u003e and \u003ccode\u003eimage-set\u003c/code\u003e functions. [\u003ca href=\"https://github.com/ltk\"\u003e\u003ccode\u003e@​ltk\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/240\"\u003e#240\u003c/a\u003e]\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/240\"\u003e240\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.1.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eProactively fixed a compatibility issue with libxml \u0026gt;= 2.13.0 (which will be used in an upcoming version of Nokogiri) that caused HTML doctype sanitization to fail. [\u003ca href=\"https://github.com/flavorjones\"\u003e\u003ccode\u003e@​flavorjones\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/238\"\u003e#238\u003c/a\u003e]\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/238\"\u003e238\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/CHANGELOG.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e7.0.0 (2024-12-29)\u003c/h2\u003e\n\u003cp\u003eSanitize has no breaking API changes in this release, but the major version number has been incremented because we've dropped support for end-of-life versions of Ruby. As long as you're using Ruby 3.1.0 or later, this should be a painless upgrade!\u003c/p\u003e\n\u003ch3\u003eAdded\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eAdded over 100 new CSS properties to the relaxed config, representing all properties that are listed with a status of \u0026quot;Working Draft\u0026quot; or better in the latest \u003ca href=\"https://www.w3.org/Style/CSS/all-properties.en.html\"\u003eW3C \u0026quot;All Properties\u0026quot; list\u003c/a\u003e.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eAdded the \u003ccode\u003e-webkit-text-fill-color\u003c/code\u003e CSS property to the relaxed config. [\u003ca href=\"https://github.com/radar\"\u003e\u003ccode\u003e@​radar\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/244\"\u003e#244\u003c/a\u003e](\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/244\"\u003ergrove/sanitize#244\u003c/a\u003e)\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 3.1.0 is now the oldest supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.16.8 or higher.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.1.3 (2024-08-14)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eThe CSS URL protocol allowlist is now enforced on the nonstandard \u003ccode\u003e-webkit-image-set\u003c/code\u003e CSS function. [\u003ca href=\"https://github.com/ltk\"\u003e\u003ccode\u003e@​ltk\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/242\"\u003e#242\u003c/a\u003e]\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/242\"\u003e242\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.1.2 (2024-07-27)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eThe CSS URL protocol allowlist is now properly enforced in \u003ca href=\"https://drafts.csswg.org/css-images-4/\"\u003eCSS Images Module Level 4\u003c/a\u003e \u003ccode\u003eimage\u003c/code\u003e and \u003ccode\u003eimage-set\u003c/code\u003e functions. [\u003ca href=\"https://github.com/ltk\"\u003e\u003ccode\u003e@​ltk\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/240\"\u003e#240\u003c/a\u003e]\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/240\"\u003e240\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.1.1 (2024-06-12)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eProactively fixed a compatibility issue with libxml \u0026gt;= 2.13.0 (which will be used in an upcoming version of Nokogiri) that caused HTML doctype sanitization to fail. [\u003ca href=\"https://github.com/flavorjones\"\u003e\u003ccode\u003e@​flavorjones\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/238\"\u003e#238\u003c/a\u003e]\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/238\"\u003e238\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/19ee751d1b1c1e9d0335c0438fdb6b389544c45c\"\u003e\u003ccode\u003e19ee751\u003c/code\u003e\u003c/a\u003e Release 7.0.0\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/859c3aa11fdd71829a2424d98346fb8d8d14e522\"\u003e\u003ccode\u003e859c3aa\u003c/code\u003e\u003c/a\u003e Add contribution guidelines\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/45dbeac426189fca4772bf7221744be86cdd969f\"\u003e\u003ccode\u003e45dbeac\u003c/code\u003e\u003c/a\u003e Add \u003ccode\u003e@container\u003c/code\u003e CSS at-rule to the relaxed config\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/010e4e2a6e2423290876db4c5e7bbfa6845d1c3e\"\u003e\u003ccode\u003e010e4e2\u003c/code\u003e\u003c/a\u003e Add new CSS properties\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/c8ce4edcc228d02cae718ea5d71fbb7948938c64\"\u003e\u003ccode\u003ec8ce4ed\u003c/code\u003e\u003c/a\u003e Require MFA\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/0aece5eca67d7a3edefd301af3c90d5ecae0342d\"\u003e\u003ccode\u003e0aece5e\u003c/code\u003e\u003c/a\u003e Remove rubocop_todo.yml\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/99d67ab63cb25d2efb7c4f027c6cd21df1159264\"\u003e\u003ccode\u003e99d67ab\u003c/code\u003e\u003c/a\u003e Remove redundant Ruby 3.4 from the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/1127a0760302e796f8b76016fa7d78364d54721d\"\u003e\u003ccode\u003e1127a07\u003c/code\u003e\u003c/a\u003e Loosen Bundler dependency\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a41c5f609af9fb64d83945949e332042d621d94e\"\u003e\u003ccode\u003ea41c5f6\u003c/code\u003e\u003c/a\u003e Adopt Standard Ruby style\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/fa8d5e66b724928f16f8d05e27a958407350b3aa\"\u003e\u003ccode\u003efa8d5e6\u003c/code\u003e\u003c/a\u003e Move development dependencies to Gemfile\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.1.0...v7.0.0\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.1.0\u0026new-version=7.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nYou can trigger a rebase of this PR by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e\n\n\u003e **Note**\n\u003e Automatic rebases have been disabled on this pull request as it has been open for over 30 days.\n","html_url":"https://github.com/ministryofjustice/peoplefinder/pull/1043","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/ministryofjustice%2Fpeoplefinder/issues/1043","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/1043/packages"}},{"old_version":"6.0.1","new_version":"6.0.2","update_type":"patch","path":null,"pr_created_at":"2024-05-16T21:12:59.000Z","version_change":"6.0.1 → 6.0.2","issue":{"uuid":"1874319525","node_id":"PR_kwDOJTNuTc5vt9il","number":8,"state":"closed","title":"Build(deps): Bump the bundler group across 1 directory with 10 updates","user":"dependabot[bot]","labels":["dependencies","ruby"],"assignees":[],"locked":false,"comments_count":0,"pull_request":true,"closed_at":"2025-06-14T09:59:32.000Z","author_association":"NONE","state_reason":null,"created_at":"2024-05-16T21:12:59.000Z","updated_at":"2025-06-14T09:59:32.000Z","time_to_close":34001193,"merged_at":"2025-06-14T09:59:32.000Z","merged_by":"MNDL-27","closed_by":null,"dependency_metadata":{"prefix":"Build(deps): Bump","group_name":"bundler","update_count":10,"packages":[{"name":"nokogiri","old_version":"1.14.2","new_version":"1.16.5","repository_url":"https://github.com/sparklemotion/nokogiri"},{"name":"omniauth","old_version":"1.9.2","new_version":"2.0.0","repository_url":"https://github.com/omniauth/omniauth"},{"name":"sidekiq","old_version":"6.5.8","new_version":"6.5.10","repository_url":"https://github.com/sidekiq/sidekiq"},{"name":"rack","old_version":"2.2.6.4","new_version":"2.2.8.1","repository_url":"https://github.com/rack/rack"},{"name":"yard","old_version":"0.9.28","new_version":"0.9.36","repository_url":"https://github.com/lsegal/yard"},{"name":"puma","old_version":"6.2.1","new_version":"6.4.2","repository_url":"https://github.com/puma/puma"},{"name":"rotp","old_version":"6.2.2","new_version":"6.3.0","repository_url":"https://github.com/mdp/rotp"},{"name":"sanitize","old_version":"6.0.1","new_version":"6.0.2","repository_url":"https://github.com/rgrove/sanitize"},{"name":"rexml","old_version":"3.2.5","new_version":"3.2.8","repository_url":"https://github.com/ruby/rexml"},{"name":"uri","old_version":"0.12.1","new_version":"0.13.0","repository_url":"https://github.com/ruby/uri"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps the bundler group with 10 updates in the / directory:\n\n| Package | From | To |\n| --- | --- | --- |\n| [nokogiri](https://github.com/sparklemotion/nokogiri) | `1.14.2` | `1.16.5` |\n| [omniauth](https://github.com/omniauth/omniauth) | `1.9.2` | `2.0.0` |\n| [sidekiq](https://github.com/sidekiq/sidekiq) | `6.5.8` | `6.5.10` |\n| [rack](https://github.com/rack/rack) | `2.2.6.4` | `2.2.8.1` |\n| [yard](https://github.com/lsegal/yard) | `0.9.28` | `0.9.36` |\n| [puma](https://github.com/puma/puma) | `6.2.1` | `6.4.2` |\n| [rotp](https://github.com/mdp/rotp) | `6.2.2` | `6.3.0` |\n| [sanitize](https://github.com/rgrove/sanitize) | `6.0.1` | `6.0.2` |\n| [rexml](https://github.com/ruby/rexml) | `3.2.5` | `3.2.8` |\n| [uri](https://github.com/ruby/uri) | `0.12.1` | `0.13.0` |\n\n\nUpdates `nokogiri` from 1.14.2 to 1.16.5\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/sparklemotion/nokogiri/releases\"\u003enokogiri's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev1.16.5 / 2024-05-13\u003c/h2\u003e\n\u003ch3\u003eSecurity\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored libxml2 is updated to address CVE-2024-34459. See \u003ca href=\"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7\"\u003eGHSA-r95h-9x8f-r3f7\u003c/a\u003e for more information.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eDependencies\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored libxml2 is updated to \u003ca href=\"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7\"\u003ev2.12.7\u003c/a\u003e from v2.12.6. (\u003ca href=\"https://github.com/flavorjones\"\u003e\u003ccode\u003e@​flavorjones\u003c/code\u003e\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr /\u003e\n\u003cp\u003esha256 checksums:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003eaf0f44fa3e664dfb2aa10de8b551447d720c1e8d1f0aa3f35783dcc43e40a874  nokogiri-1.16.5-aarch64-linux.gem\n23dc2357b26409a5c33b7e32a82902f0e9995305420f16d1a03ab3ea1a482fec  nokogiri-1.16.5-arm-linux.gem\n950d037530edb49f75ad35de0b8038b970a7dda57e2b6326895b0e49fadf6214  nokogiri-1.16.5-arm64-darwin.gem\nb7aefc94370c62476b8528e8d8abb6160203abd84a1f4eceda8f1aa8974d9989  nokogiri-1.16.5-java.gem\nec2167160df8fec3137bf95d574ed80ebc1d002bb3b281546b60b4aa9002466e  nokogiri-1.16.5-x64-mingw-ucrt.gem\n6984200491fac69974005ecfa2de129d61843d345eafa5d6f58e8b908d1cf107  nokogiri-1.16.5-x64-mingw32.gem\nabdc389ab1ec6604492da16bd9d06ad746fdb6bd6a1bd274c400d61ffcadb3c4  nokogiri-1.16.5-x86-linux.gem\n63d24981345856f2baf7f4089870a62d3042fb8d3021b280fb04fc052532e3c4  nokogiri-1.16.5-x86-mingw32.gem\n71b5f54e378c433d13df67c3b71acc4716129da62402d8181f310c4216a63279  nokogiri-1.16.5-x86_64-darwin.gem\n0ca238da870066bed2f7837af6f35791bb9b76c4c5638999c46aac44818a6a97  nokogiri-1.16.5-x86_64-linux.gem\nec36162c68984fa0a90a5c4ae7ab7759460639e716cc1ce75f34c3cb54158ad2  nokogiri-1.16.5.gem\n\u003c/code\u003e\u003c/pre\u003e\n\u003ch2\u003ev1.16.4 / 2024-04-10\u003c/h2\u003e\n\u003ch3\u003eDependencies\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored zlib in the precompiled native gems is updated to \u003ca href=\"https://zlib.net/ChangeLog.txt\"\u003ev1.3.1\u003c/a\u003e from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see \u003ca href=\"https://github.com/sparklemotion/nokogiri/discussions/3168\"\u003ethis discussion\u003c/a\u003e about removing the compression libraries altogether in a future version of Nokogiri.\u003c/li\u003e\n\u003c/ul\u003e\n\u003chr /\u003e\n\u003cp\u003esha256 checksums:\u003c/p\u003e\n\u003cpre\u003e\u003ccode\u003ebdb1dc4378ebcf3ade8f440c7df68f6d76946a1a96c4823a2b4c53c01a320cd5  nokogiri-1.16.4-aarch64-linux.gem\n0c994b9996d5576eddcc3201a94ef2bff6fc3627c4ae4d2708b0ec9b9743ec6a  nokogiri-1.16.4-arm-linux.gem\n8e86abb64c93c06d3c588042a0e757279e8f1dc88b5210a00be892a9a7a27196  nokogiri-1.16.4-arm64-darwin.gem\nbf84fa28be4943692bd64772186e0832fb1061f80714ccb93e111e9d72b1cadc  nokogiri-1.16.4-java.gem\na46808467c1f63a2031e1ca0715cd5336bb4ec759e9c0e2f4c951c1cc30994ae  nokogiri-1.16.4-x64-mingw-ucrt.gem\n4cdf64bc5e9443ec3e0b595347ecc8affe21968d9ae934c0825d26630ef96468  nokogiri-1.16.4-x64-mingw32.gem\nd86d21bae47dd9f6f5223055e45d33fae08b0b89aad94cbc0ece4f4274fa7af5  nokogiri-1.16.4-x86-linux.gem\nd488b872884844686780fda7cf5da44ee884d32faa713a55aeb4736d76718168  nokogiri-1.16.4-x86-mingw32.gem\na896e52a56951ffb0e6a9279afbf485d683e357a053d27f4cfcb2a73b0824628  nokogiri-1.16.4-x86_64-darwin.gem\n92ff4f09910255fec84b3bc4c4b182e94cada3ed12b9f7a6ea058e0af186fb31  nokogiri-1.16.4-x86_64-linux.gem\n\u0026lt;/tr\u0026gt;\u0026lt;/table\u0026gt; \n\u003c/code\u003e\u003c/pre\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md\"\u003enokogiri's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev1.16.5\u003c/h2\u003e\n\u003ch3\u003eSecurity\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored libxml2 is updated to address CVE-2024-34459. See \u003ca href=\"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7\"\u003eGHSA-r95h-9x8f-r3f7\u003c/a\u003e for more information.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eDependencies\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored libxml2 is updated to \u003ca href=\"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.7\"\u003ev2.12.7\u003c/a\u003e from v2.12.6. (\u003ca href=\"https://github.com/flavorjones\"\u003e\u003ccode\u003e@​flavorjones\u003c/code\u003e\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev1.16.4 / 2024-04-10\u003c/h2\u003e\n\u003ch3\u003eDependencies\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored zlib in the precompiled native gems is updated to \u003ca href=\"https://zlib.net/ChangeLog.txt\"\u003ev1.3.1\u003c/a\u003e from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see \u003ca href=\"https://github.com/sparklemotion/nokogiri/discussions/3168\"\u003ethis discussion\u003c/a\u003e about removing the compression libraries altogether in a future version of Nokogiri.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev1.16.3 / 2024-03-15\u003c/h2\u003e\n\u003ch3\u003eDependencies\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored libxml2 is updated to \u003ca href=\"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.6\"\u003ev2.12.6\u003c/a\u003e from v2.12.5. (\u003ca href=\"https://github.com/flavorjones\"\u003e\u003ccode\u003e@​flavorjones\u003c/code\u003e\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eChanged\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] \u003ccode\u003eXML::Reader\u003c/code\u003e sets the \u003ccode\u003e@encoding\u003c/code\u003e instance variable during reading if it is not passed into the initializer. Previously, it would remain \u003ccode\u003enil\u003c/code\u003e. The behavior of \u003ccode\u003eReader#encoding\u003c/code\u003e has not changed. This works around changes to how libxml2 reports the encoding used in v2.12.6.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev1.16.2 / 2024-02-04\u003c/h2\u003e\n\u003ch3\u003eSecurity\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See \u003ca href=\"https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j\"\u003eGHSA-xc9x-jj77-9p9j\u003c/a\u003e for more information.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eDependencies\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored libxml2 is updated to \u003ca href=\"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5\"\u003ev2.12.5\u003c/a\u003e from v2.12.4. (\u003ca href=\"https://github.com/flavorjones\"\u003e\u003ccode\u003e@​flavorjones\u003c/code\u003e\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev1.16.1 / 2024-02-03\u003c/h2\u003e\n\u003ch3\u003eDependencies\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e[CRuby] Vendored libxml2 is updated to \u003ca href=\"https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.4\"\u003ev2.12.4\u003c/a\u003e from v2.12.3. (\u003ca href=\"https://github.com/flavorjones\"\u003e\u003ccode\u003e@​flavorjones\u003c/code\u003e\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/cd70bd3dc9e0dc15b04b42d67b639eb5804e77d5\"\u003e\u003ccode\u003ecd70bd3\u003c/code\u003e\u003c/a\u003e version bump to v1.16.5\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/afc36de553085b6b397b23a0c09a2449655a3a47\"\u003e\u003ccode\u003eafc36de\u003c/code\u003e\u003c/a\u003e dep: update vendored libxml2 to v2.12.7 (\u003ca href=\"https://redirect.github.com/sparklemotion/nokogiri/issues/3191\"\u003e#3191\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/41b4f0846d2c264b48ef93ecd034dd230ab8125a\"\u003e\u003ccode\u003e41b4f08\u003c/code\u003e\u003c/a\u003e ci: add arm64-darwin coverage using macos-14\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/67b9e863a67164ae6ffbe5ed4cc482267db7c436\"\u003e\u003ccode\u003e67b9e86\u003c/code\u003e\u003c/a\u003e dep: update libxml2 to v2.12.7\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/17c0362082341208bf9aadb61939e4de74005b44\"\u003e\u003ccode\u003e17c0362\u003c/code\u003e\u003c/a\u003e version bump to v1.16.4\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/1c329e9c09148155624b52ffe630cc1b01d6787f\"\u003e\u003ccode\u003e1c329e9\u003c/code\u003e\u003c/a\u003e dep: update to zlib 1.3.1 (v1.16.x) (\u003ca href=\"https://redirect.github.com/sparklemotion/nokogiri/issues/3175\"\u003e#3175\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/edeac07bb21b3f00c2a6aaf27806ce9d0871a08d\"\u003e\u003ccode\u003eedeac07\u003c/code\u003e\u003c/a\u003e dep: update to zlib 1.3.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/80fb6085c069e053457ed6f6325ac032f2b029fe\"\u003e\u003ccode\u003e80fb608\u003c/code\u003e\u003c/a\u003e version bump to v1.16.3\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/710bd96d70f39baadd0405cf0f3c0c42805019af\"\u003e\u003ccode\u003e710bd96\u003c/code\u003e\u003c/a\u003e dep: update libxml 2.12.6 (branch v1.16.x) (\u003ca href=\"https://redirect.github.com/sparklemotion/nokogiri/issues/3151\"\u003e#3151\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sparklemotion/nokogiri/commit/461a96ea163b144ea2898d088efe65fce311d5be\"\u003e\u003ccode\u003e461a96e\u003c/code\u003e\u003c/a\u003e fix: Reader#read sets \u003ca href=\"https://github.com/encoding\"\u003e\u003ccode\u003e@​encoding\u003c/code\u003e\u003c/a\u003e if it is unset\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/sparklemotion/nokogiri/compare/v1.14.2...v1.16.5\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `omniauth` from 1.9.2 to 2.0.0\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/omniauth/omniauth/releases\"\u003eomniauth's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev2.0.0\u003c/h2\u003e\n\u003cp\u003eVersion 2.0 of OmniAuth includes some changes that may be breaking depending on how you use OmniAuth in your app.\u003c/p\u003e\n\u003cp\u003eMany thanks to the folks who contributed in code and discussion for these changes.\u003c/p\u003e\n\u003ch2\u003e\u003cstrong\u003eOmniAuth now defaults to only POST as the allowed request_phase method.\u003c/strong\u003e\u003c/h2\u003e\n\u003cp\u003eHopefully, you were already doing this as a result of the warnings due to \u003ca href=\"https://nvd.nist.gov/vuln/detail/CVE-2015-9284\"\u003eCVE-2015-9284\u003c/a\u003e.\u003cbr /\u003e\nFor detailed context, see:\u003cbr /\u003e\n\u003ca href=\"https://redirect.github.com/omniauth/omniauth/issues/960\"\u003e#960\u003c/a\u003e\u003cbr /\u003e\n\u003ca href=\"https://redirect.github.com/omniauth/omniauth/pull/809\"\u003e#809\u003c/a\u003e\u003cbr /\u003e\n\u003ca href=\"https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284\"\u003eResolving CVE-2015-9284\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThis change also includes an additional configurable phase: \u003ccode\u003erequest_validation_phase\u003c/code\u003e.\u003c/p\u003e\n\u003ch3\u003eRack/Sinatra\u003c/h3\u003e\n\u003cp\u003eBy default, this uses rack-protection's \u003ca href=\"https://github.com/sinatra/sinatra/tree/master/rack-protection\"\u003eAuthenticityToken\u003c/a\u003e class to validate authenticity tokens. If you are using a rack based framework like sinatra, you can find an example of how to add authenticity tokens to your view \u003ca href=\"https://github.com/BobbyMcWho/omniauth_2_examples/blob/main/sinatra_app.ru#L18-L21\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003ch3\u003eRails\u003c/h3\u003e\n\u003cp\u003eBecause Rails handles its CSRF protection in its \u003ca href=\"https://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection.html\"\u003eRequestForgeryProtection\u003c/a\u003e class, and stores tokens in a non-vanilla-rack friendly way, you must pass a rails-friendly validator in instead, similar to what \u003ca href=\"https://github.com/cookpad/omniauth-rails_csrf_protection/blob/master/lib/omniauth/rails_csrf_protection/token_verifier.rb\"\u003eomniauth-rails_csrf_protection\u003c/a\u003e does.\u003c/p\u003e\n\u003cp\u003e\u003cstrong\u003eUpdate:\u003c/strong\u003e omniauth-rails_csrf_protection has released \u003ca href=\"https://redirect.github.com/cookpad/omniauth-rails_csrf_protection/pull/9\"\u003ev1.0.0\u003c/a\u003e, which means if you're using this library already, you should be able to upgrade omniauth to the 2.0 series as long as omniauth-rails_csrf_protection is also upgraded \u003ccode\u003e'~\u0026gt; 1.0'\u003c/code\u003e\u003c/p\u003e\n\u003cp\u003eAn example of creating your own non-dependency implementation is below, though I would recommend using the gem.\u003c/p\u003e\n\u003cpre lang=\"ruby\"\u003e\u003ccode\u003e# Derived from https://github.com/cookpad/omniauth-rails_csrf_protection/blob/master/lib/omniauth/rails_csrf_protection/token_verifier.rb\n# This specific implementation has been pared down and should not be taken as the most correct way to do this.\nclass TokenVerifier\n  include ActiveSupport::Configurable\n  include ActionController::RequestForgeryProtection\n\u003cp\u003edef call(env)\n\u003ca href=\"https://github.com/request\"\u003e\u003ccode\u003e@​request\u003c/code\u003e\u003c/a\u003e = ActionDispatch::Request.new(env.dup)\nraise OmniAuth::AuthenticityError unless verified_request?\nend\u003c/p\u003e\n\u003cp\u003eprivate\nattr_reader :request\ndelegate :params, :session, to: :request\nend\u003c/p\u003e\n\u003ch1\u003ein an initializer\u003c/h1\u003e\n\u003cp\u003eOmniAuth.config.request_validation_phase = TokenVerifier.new\n\u003c/code\u003e\u003c/pre\u003e\u003c/p\u003e\n\u003cp\u003e\u003ca href=\"https://github.com/BobbyMcWho/omniauth_2_examples/blob/main/rails_app.ru#L14-L28\"\u003eExample Rails App\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eIf you're using Rails' \u003ca href=\"https://api.rubyonrails.org/classes/ActionView/Helpers/FormHelper.html#method-i-form_for\"\u003eform helpers\u003c/a\u003e, they automatically include an authenticity token.\u003c/p\u003e\n\u003cp\u003eIf you are using hyperlinks or buttons styled to redirect to your login route, you should update these to be a submit input or a submit type button wrapped in a form.\u003c/p\u003e\n\u003cpre lang=\"diff\"\u003e\u003ccode\u003e- \u0026lt;a href='/auth/developer'\u0026gt;Login with Developer\u0026lt;/a\u0026gt;\n\u0026lt;/tr\u0026gt;\u0026lt;/table\u0026gt; \n\u003c/code\u003e\u003c/pre\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/29c8216e0de59097074224ebb92daf696a1326fa\"\u003e\u003ccode\u003e29c8216\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/omniauth/omniauth/issues/1021\"\u003e#1021\u003c/a\u003e from omniauth/2_0-indev\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/fe26931f2e7934e0800dd3fe646bef4a1ad2e192\"\u003e\u003ccode\u003efe26931\u003c/code\u003e\u003c/a\u003e Release 2.0.0\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/8a6b7a6f9e1b95dd98eb6ac22eeb8e7fb0df77a6\"\u003e\u003ccode\u003e8a6b7a6\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/omniauth/omniauth/issues/1016\"\u003e#1016\u003c/a\u003e from BobbyMcWho/add-to-readme\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/19b3d347a41d8a55c706edba1a991d55cac577db\"\u003e\u003ccode\u003e19b3d34\u003c/code\u003e\u003c/a\u003e Add v2.0.0 text\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/97714aa6a5da8e3b7e76e52cccd82110ab204adf\"\u003e\u003ccode\u003e97714aa\u003c/code\u003e\u003c/a\u003e Tag version\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/1956a95e6466f0bcefbe2cd4e444a14dad60a7b4\"\u003e\u003ccode\u003e1956a95\u003c/code\u003e\u003c/a\u003e Fix deprecation warnings\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/1b784ffa5f128bea1a22d7d26477f73bb6b3cd08\"\u003e\u003ccode\u003e1b784ff\u003c/code\u003e\u003c/a\u003e Wrap mock_call in rescue\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/49ca57789a26eae3fc516615a32f16e46e9e786f\"\u003e\u003ccode\u003e49ca577\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/omniauth/omniauth/issues/1015\"\u003e#1015\u003c/a\u003e from omniauth/make-sure-strategy-passes-rack-freeze\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/e405613685394932bba0d1ffa8bb8fc484e4279c\"\u003e\u003ccode\u003ee405613\u003c/code\u003e\u003c/a\u003e Freeze omniauth in test to verify thread safety\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/omniauth/omniauth/commit/d4c1ff0ffb0586f99490a1c3a427cfb40657cec9\"\u003e\u003ccode\u003ed4c1ff0\u003c/code\u003e\u003c/a\u003e Dup options when a strategy is dup'd or cloned\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/omniauth/omniauth/compare/v1.9.2...v2.0.0\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `sidekiq` from 6.5.8 to 6.5.10\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/sidekiq/sidekiq/blob/main/Changes.md\"\u003esidekiq's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch1\u003eSidekiq Changes\u003c/h1\u003e\n\u003cp\u003e\u003ca href=\"https://github.com/sidekiq/sidekiq/blob/main/Changes.md\"\u003eSidekiq Changes\u003c/a\u003e | \u003ca href=\"https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md\"\u003eSidekiq Pro Changes\u003c/a\u003e | \u003ca href=\"https://github.com/sidekiq/sidekiq/blob/main/Ent-Changes.md\"\u003eSidekiq Enterprise Changes\u003c/a\u003e\u003c/p\u003e\n\u003ch2\u003e7.2.4\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFix XSS in metrics filtering introduced in 7.2.0, CVE-2024-32887\nThanks to \u003ca href=\"https://github.com/UmerAdeemCheema\"\u003e\u003ccode\u003e@​UmerAdeemCheema\u003c/code\u003e\u003c/a\u003e for the security report.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e7.2.3\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://www.mikeperham.com/2024/02/01/supporting-dragonfly/\"\u003eSupport Dragonfly.io\u003c/a\u003e as an alternative Redis implementation\u003c/li\u003e\n\u003cli\u003eFix error unpacking some compressed error backtraces \u003ca href=\"https://redirect.github.com/sidekiq/sidekiq/issues/6241\"\u003e#6241\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eFix potential heartbeat data leak \u003ca href=\"https://redirect.github.com/sidekiq/sidekiq/issues/6227\"\u003e#6227\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAdd ability to find a currently running work by jid [#6212, fatkodima]\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e7.2.2\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAdd \u003ccode\u003eProcess.warmup\u003c/code\u003e call in Ruby 3.3+\u003c/li\u003e\n\u003cli\u003eBatch jobs now skip transactional push \u003ca href=\"https://redirect.github.com/sidekiq/sidekiq/issues/6160\"\u003e#6160\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e7.2.1\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAdd \u003ccode\u003eSidekiq::Work\u003c/code\u003e type which replaces the raw Hash as the third parameter in\n\u003ccode\u003eSidekiq::WorkSet#each { |pid, tid, hash| ... }\u003c/code\u003e \u003ca href=\"https://redirect.github.com/sidekiq/sidekiq/issues/6145\"\u003e#6145\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDEPRECATED\u003c/strong\u003e: direct access to the attributes within the \u003ccode\u003ehash\u003c/code\u003e block parameter above.\nThe \u003ccode\u003eSidekiq::Work\u003c/code\u003e instance contains accessor methods to get at the same data, e.g.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cpre lang=\"ruby\"\u003e\u003ccode\u003ework[\u0026quot;queue\u0026quot;] # Old\nwork.queue # New\n\u003c/code\u003e\u003c/pre\u003e\n\u003cul\u003e\n\u003cli\u003eFix Ruby 3.3 warnings around \u003ccode\u003ebase64\u003c/code\u003e gem [#6151, earlopain]\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e7.2.0\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003esidekiq_retries_exhausted\u003c/code\u003e can return \u003ccode\u003e:discard\u003c/code\u003e to avoid the deadset\nand all death handlers \u003ca href=\"https://redirect.github.com/sidekiq/sidekiq/issues/6091\"\u003e#6091\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eMetrics filtering by job class in Web UI \u003ca href=\"https://redirect.github.com/sidekiq/sidekiq/issues/5974\"\u003e#5974\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eBetter readability and formatting for numbers within the Web UI \u003ca href=\"https://redirect.github.com/sidekiq/sidekiq/issues/6080\"\u003e#6080\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAdd explicit error if user code tries to nest test modes \u003ca href=\"https://redirect.github.com/sidekiq/sidekiq/issues/6078\"\u003e#6078\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cpre lang=\"ruby\"\u003e\u003ccode\u003eSidekiq::Testing.inline! # global setting\nSidekiq::Testing.fake! do # override within block\n  # ok\n  Sidekiq::Testing.inline! do # can't override the override\n\u0026lt;/tr\u0026gt;\u0026lt;/table\u0026gt; \n\u003c/code\u003e\u003c/pre\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sidekiq/sidekiq/commit/f67a7abccffc9337f144e7be96bb1ed4b0fee49a\"\u003e\u003ccode\u003ef67a7ab\u003c/code\u003e\u003c/a\u003e Cherry pick:\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sidekiq/sidekiq/commit/101435c5a73095ca62b610d5d6456e7e5dc7f81a\"\u003e\u003ccode\u003e101435c\u003c/code\u003e\u003c/a\u003e Merge 62c90d7\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sidekiq/sidekiq/commit/022c059c7b417d24cf1f892fa71f8e98d19ca93f\"\u003e\u003ccode\u003e022c059\u003c/code\u003e\u003c/a\u003e bump, prep\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/sidekiq/sidekiq/commit/fa6723e20131f6d8ca990fc44ca056a351376f2e\"\u003e\u003ccode\u003efa6723e\u003c/code\u003e\u003c/a\u003e formatting, ensure environment is updated in Sidekiq.options\u003c/li\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/sidekiq/sidekiq/compare/v6.5.8...v6.5.10\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `rack` from 2.2.6.4 to 2.2.8.1\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rack/rack/releases\"\u003erack's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev2.2.8.1\u003c/h2\u003e\n\u003ch2\u003eWhat's Changed\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFixed ReDoS in Accept header parsing [CVE-2024-26146]\u003c/li\u003e\n\u003cli\u003eFixed ReDoS in Content Type header parsing [CVE-2024-25126]\u003c/li\u003e\n\u003cli\u003eReject Range headers which are too large [CVE-2024-26141]\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eFull Changelog\u003c/strong\u003e: \u003ca href=\"https://github.com/rack/rack/compare/v2.2.8...v2.2.8.1\"\u003ehttps://github.com/rack/rack/compare/v2.2.8...v2.2.8.1\u003c/a\u003e\u003c/p\u003e\n\u003ch2\u003ev2.2.8\u003c/h2\u003e\n\u003ch2\u003eWhat's Changed\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eLimit file extension length of multipart tempfiles (2.2 backport) by \u003ca href=\"https://github.com/dentarg\"\u003e\u003ccode\u003e@​dentarg\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2075\"\u003erack/rack#2075\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eCHANGELOG: Add missing 2.2.7 by \u003ca href=\"https://github.com/tisba\"\u003e\u003ccode\u003e@​tisba\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2081\"\u003erack/rack#2081\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eUpdate cookie.rb by \u003ca href=\"https://github.com/dchandekstark\"\u003e\u003ccode\u003e@​dchandekstark\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2092\"\u003erack/rack#2092\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003ePrefer ubuntu-latest for testing. by \u003ca href=\"https://github.com/ioquatix\"\u003e\u003ccode\u003e@​ioquatix\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2095\"\u003erack/rack#2095\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eFix inefficient assert pattern in Rack::Lint [2-2-stable] by \u003ca href=\"https://github.com/skipkayhil\"\u003e\u003ccode\u003e@​skipkayhil\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2101\"\u003erack/rack#2101\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eRegenerate SPEC [2-2-stable] by \u003ca href=\"https://github.com/skipkayhil\"\u003e\u003ccode\u003e@​skipkayhil\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2102\"\u003erack/rack#2102\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eNew Contributors\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/tisba\"\u003e\u003ccode\u003e@​tisba\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2081\"\u003erack/rack#2081\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/dchandekstark\"\u003e\u003ccode\u003e@​dchandekstark\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2092\"\u003erack/rack#2092\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eFull Changelog\u003c/strong\u003e: \u003ca href=\"https://github.com/rack/rack/compare/v2.2.7...v2.2.8\"\u003ehttps://github.com/rack/rack/compare/v2.2.7...v2.2.8\u003c/a\u003e\u003c/p\u003e\n\u003ch2\u003ev2.2.7\u003c/h2\u003e\n\u003ch2\u003eWhat's Changed\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eCorrect the year number in the changelog by \u003ca href=\"https://github.com/kimulab\"\u003e\u003ccode\u003e@​kimulab\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2015\"\u003erack/rack#2015\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eSupport underscore in host names for Rack 2.2 (Fixes \u003ca href=\"https://redirect.github.com/rack/rack/issues/2070\"\u003e#2070\u003c/a\u003e) by \u003ca href=\"https://github.com/jeremyevans\"\u003e\u003ccode\u003e@​jeremyevans\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2071\"\u003erack/rack#2071\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eNew Contributors\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/kimulab\"\u003e\u003ccode\u003e@​kimulab\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href=\"https://redirect.github.com/rack/rack/pull/2015\"\u003erack/rack#2015\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eFull Changelog\u003c/strong\u003e: \u003ca href=\"https://github.com/rack/rack/compare/v2.2.6.4...v2.2.7\"\u003ehttps://github.com/rack/rack/compare/v2.2.6.4...v2.2.7\u003c/a\u003e\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/e83001100ad9dd24e1744b13669dcb2736a13ebd\"\u003e\u003ccode\u003ee830011\u003c/code\u003e\u003c/a\u003e bump version\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49\"\u003e\u003ccode\u003ed9c163a\u003c/code\u003e\u003c/a\u003e Avoid 2nd degree polynomial regexp in MediaType\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b\"\u003e\u003ccode\u003e6245768\u003c/code\u003e\u003c/a\u003e Return an empty array when ranges are too large\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd\"\u003e\u003ccode\u003ee4c1177\u003c/code\u003e\u003c/a\u003e Fixing ReDoS in header parsing\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/f169ff75b0a0b84c031960ffc5fcd0414eb64a2e\"\u003e\u003ccode\u003ef169ff7\u003c/code\u003e\u003c/a\u003e Bump patch version.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/0a4648773ecab7437c52d04de071b5bf65b63058\"\u003e\u003ccode\u003e0a46487\u003c/code\u003e\u003c/a\u003e Regenerate SPEC (\u003ca href=\"https://redirect.github.com/rack/rack/issues/2102\"\u003e#2102\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/cee73b3a0e7b195dd3304f6c2e4c1cf9e4a4ad9e\"\u003e\u003ccode\u003ecee73b3\u003c/code\u003e\u003c/a\u003e Fix inefficient assert pattern in Rack::Lint (\u003ca href=\"https://redirect.github.com/rack/rack/issues/2101\"\u003e#2101\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/1fdcf1fcfa08a64c9916281f2ff0996e6d50e0b3\"\u003e\u003ccode\u003e1fdcf1f\u003c/code\u003e\u003c/a\u003e Prefer ubuntu-latest for testing. (\u003ca href=\"https://redirect.github.com/rack/rack/issues/2095\"\u003e#2095\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/287fe435720b4612d4908c3216cfe2b82ad666da\"\u003e\u003ccode\u003e287fe43\u003c/code\u003e\u003c/a\u003e Update cookie.rb (\u003ca href=\"https://redirect.github.com/rack/rack/issues/2092\"\u003e#2092\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rack/rack/commit/e7f486987d25be2c726576309951053ec1fe1738\"\u003e\u003ccode\u003ee7f4869\u003c/code\u003e\u003c/a\u003e adds missing 2.2.7 to CHANGELOG.md (\u003ca href=\"https://redirect.github.com/rack/rack/issues/2081\"\u003e#2081\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rack/rack/compare/v2.2.6.4...v2.2.8.1\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `yard` from 0.9.28 to 0.9.36\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/lsegal/yard/releases\"\u003eyard's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003eRelease v0.9.36\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFurther XSS fixes for generated frameset pages (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1538\"\u003e#1538\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eImprove tests for Ruby 3.3 compatibility (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1519\"\u003e#1519\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1531\"\u003e#1531\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eDocumentation improvements (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1524\"\u003e#1524\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eRelease v0.9.35\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFix possible XSS on generated YARD frameset pages (thanks to \u003ca href=\"https://github.com/RedYetiDev\"\u003e\u003ccode\u003e@​RedYetiDev\u003c/code\u003e\u003c/a\u003e for finding and patching) (2069e2b).\u003c/li\u003e\n\u003cli\u003eFix errors when using \u003ccode\u003e@option\u003c/code\u003e on non-method objects (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1508\"\u003e#1508\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eSupport Ruby 3.3 changes in Ripper parser (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1510\"\u003e#1510\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eRelease v0.9.34\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eAdd changelog to yard.gemspec\u003c/li\u003e\n\u003cli\u003eFix fork behavior in \u003ccode\u003eyard server --fork\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eRelease v0.9.33\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure .yardopts is present in gem package (internal YARD documentation change)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eRelease v0.9.32\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eFix issue with custom Rack::Request attributes in \u003ccode\u003eyard server\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eRelease v0.9.31\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eRemove dependency on webrick in YARD::Server::Commands::StaticFileHelpers\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eRelease v0.9.30\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eHot release fix to correct issue with gem packaging missing templates (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1490\"\u003e#1490\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eRelease v0.9.29\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable table support for CommonMarker (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1443\"\u003e#1443\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eParser performance improvements (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1452\"\u003e#1452\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1453\"\u003e#1453\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1454\"\u003e#1454\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1455\"\u003e#1455\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix autoload of RipperParser (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1460\"\u003e#1460\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eRemove dependency on webrick for better Ruby 3.1+ support\u003c/li\u003e\n\u003cli\u003eImprovements for mixin resolution (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1467\"\u003e#1467\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1468\"\u003e#1468\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/lsegal/yard/blob/main/CHANGELOG.md\"\u003eyard's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch1\u003e\u003ca href=\"https://github.com/lsegal/yard/compare/v0.9.35...v0.9.36\"\u003e0.9.36\u003c/a\u003e - February 29th, 2024\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003eFurther XSS fixes for generated frameset pages (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1538\"\u003e#1538\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eImprove tests for Ruby 3.3 compatibility (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1519\"\u003e#1519\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1531\"\u003e#1531\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eDocumentation improvements (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1524\"\u003e#1524\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e\u003ca href=\"https://github.com/lsegal/yard/compare/v0.9.34...v0.9.35\"\u003e0.9.35\u003c/a\u003e - February 28th, 2024\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003eFix possible XSS on generated YARD frameset pages (thanks to \u003ca href=\"https://github.com/RedYetiDev\"\u003e\u003ccode\u003e@​RedYetiDev\u003c/code\u003e\u003c/a\u003e for finding and patching) (2069e2b).\u003c/li\u003e\n\u003cli\u003eFix errors when using \u003ccode\u003e@option\u003c/code\u003e on non-method objects (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1508\"\u003e#1508\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eSupport Ruby 3.3 changes in Ripper parser (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1510\"\u003e#1510\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e\u003ca href=\"https://github.com/lsegal/yard/compare/v0.9.33...v0.9.34\"\u003e0.9.34\u003c/a\u003e - April 12nd, 2023\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003eAdd changelog to yard.gemspec\u003c/li\u003e\n\u003cli\u003eFix fork behavior in \u003ccode\u003eyard server --fork\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e\u003ca href=\"https://github.com/lsegal/yard/compare/v0.9.32...v0.9.33\"\u003e0.9.33\u003c/a\u003e - April 11st, 2023\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure .yardopts is present in gem package (internal YARD documentation change)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e0.9.32 - April 9th, 2023\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003eFix issue with custom Rack::Request attributes in \u003ccode\u003eyard server\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e\u003ca href=\"https://github.com/lsegal/yard/compare/v0.9.30...v0.9.31\"\u003e0.9.31\u003c/a\u003e - April 9th, 2023\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003eRemove dependency on webrick in YARD::Server::Commands::StaticFileHelpers\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e\u003ca href=\"https://github.com/lsegal/yard/compare/v0.9.29...v0.9.30\"\u003e0.9.30\u003c/a\u003e - April 9th, 2023\u003c/h1\u003e\n\u003cul\u003e\n\u003cli\u003eHot release fix to correct issue with gem packaging missing templates (\u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1490\"\u003e#1490\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch1\u003e\u003ca href=\"https://github.com/lsegal/yard/compare/v0.9.28...v0.9.29\"\u003e0.9.29\u003c/a\u003e - April 8th, 2023\u003c/h1\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/e833aac7a01510245dd4ae1d1d18b046c8293c2d\"\u003e\u003ccode\u003ee833aac\u003c/code\u003e\u003c/a\u003e Tag release v0.9.36\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/1fcb2d8b316caf8779cfdcf910715e9ab583f0aa\"\u003e\u003ccode\u003e1fcb2d8\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1538\"\u003e#1538\u003c/a\u003e from RedYetiDev/patch-2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/a831a596b2a7cabdd2e17855dd179af2ebf3d559\"\u003e\u003ccode\u003ea831a59\u003c/code\u003e\u003c/a\u003e Fix semicolon\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/2a0b9990b64ceeeb0456177c593e36e204a06df1\"\u003e\u003ccode\u003e2a0b999\u003c/code\u003e\u003c/a\u003e assign url_for_main to a variable\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/305901723e75bb8027a656aef8888557c1d1488b\"\u003e\u003ccode\u003e3059017\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1519\"\u003e#1519\u003c/a\u003e from mtasaka/ruby33_test_fix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/c88406e4b78f8dd4ba38c79eea0bcec716dbbef8\"\u003e\u003ccode\u003ec88406e\u003c/code\u003e\u003c/a\u003e Update frames.erb\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/7cb3fc5b3e1c71dcc368f4a25a5acd0674e44b48\"\u003e\u003ccode\u003e7cb3fc5\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1524\"\u003e#1524\u003c/a\u003e from frsantos/fix_tuple_docs\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/04e4c9a2fa770768a7eb724030cc6e434fdbd0ce\"\u003e\u003ccode\u003e04e4c9a\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/lsegal/yard/issues/1531\"\u003e#1531\u003c/a\u003e from rafaelfranca/rm-ruby-3.3\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/ebf5005e282475d51732eca16e9a2d9f1e769941\"\u003e\u003ccode\u003eebf5005\u003c/code\u003e\u003c/a\u003e Tag release v0.9.35\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/lsegal/yard/commit/62e18b472beb0c7245ed52fee2993ab7477c49ab\"\u003e\u003ccode\u003e62e18b4\u003c/code\u003e\u003c/a\u003e Prepare changelog\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/lsegal/yard/compare/v0.9.28...v0.9.36\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `puma` from 6.2.1 to 6.4.2\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/puma/puma/releases\"\u003epuma's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.4.1\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eBugfixes\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDSL#warn_if_in_single_mode - fixup when workers set via CLI (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3256\"\u003e#3256\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix \u003ccode\u003eidle-timeout\u003c/code\u003e not working in cluster mode (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3235\"\u003e#3235\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3228\"\u003e#3228\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3282\"\u003e#3282\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3283\"\u003e#3283\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix worker 0 timing out during phased restart (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3225\"\u003e#3225\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/2786\"\u003e#2786\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003econtext_builder.rb - require openssl if verify_mode != 'none' (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3179\"\u003e#3179\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eMake puma cluster process suitable as PID 1 (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3255\"\u003e#3255\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eImprove Puma::NullIO consistency with real IO (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3276\"\u003e#3276\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eextconf.rb - fixup to detect openssl info in Ruby build (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3271\"\u003e#3271\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3266\"\u003e#3266\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eMiniSSL.java - set serialVersionUID, fix RaiseException deprecation (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3270\"\u003e#3270\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003edsl.rb - fix warn_if_in_single_mode when WEB_CONCURRENCY is set (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3265\"\u003e#3265\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3264\"\u003e#3264\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eMaintenance\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eLOTS of test refactoring to make tests more stable and easier to write - thanks to \u003ca href=\"https://github.com/MSP-Greg\"\u003e\u003ccode\u003e@​MSP-Greg\u003c/code\u003e\u003c/a\u003e!\u003c/li\u003e\n\u003cli\u003eFix bug in tests re: TestPuma::HOST4 (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3254\"\u003e#3254\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eDockerfile for minimal repros: use Ruby 3.2, expect bundler installed (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3245\"\u003e#3245\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix define_method calls, use Symbol parameter instead of String (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3293\"\u003e#3293\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eDocs\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eREADME.md - add the puma-acme plugin (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3301\"\u003e#3301\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eRemove \u003ccode\u003e--keep-file-descriptors\u003c/code\u003e flag from systemd docs (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3248\"\u003e#3248\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eNote symlink mechanism in restart documentation for hot restart (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3298\"\u003e#3298\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.4.0 - The Eagle of Durango\u003c/h2\u003e\n\u003cp\u003e\u003cimg src=\"https://github.com/puma/puma/assets/845662/8702eb06-b397-4c6b-a3a4-251186fe4513\" alt=\"image\" /\u003e\u003c/p\u003e\n\u003cp\u003eAmerica is \u003ca href=\"https://redirect.github.com/puma/puma/issues/1\"\u003e#1\u003c/a\u003e in professional cycling, baby!\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eFeatures\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eon_thread_exit hook (\u003ca href=\"https://redirect.github.com/puma/puma/issues/2920\"\u003e#2920\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eon_thread_start_hook (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3195\"\u003e#3195\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eShutdown on idle (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3209\"\u003e#3209\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/2580\"\u003e#2580\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eNew error message when control server port taken (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3204\"\u003e#3204\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eRefactor\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eRemove \u003ccode\u003eForwardable\u003c/code\u003e dependency (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3191\"\u003e#3191\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3190\"\u003e#3190\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eUpdate URLMap Regexp usage for Ruby v3.3 (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3165\"\u003e#3165\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eBugfixes\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eBring the cert_pem: parameter into parity with the cert: parameter to ssl_bind. (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3174\"\u003e#3174\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix using control server with IPv6 host (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3181\"\u003e#3181\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003econtrol_cli.rb - add require_relative 'log_writer' (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3187\"\u003e#3187\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix cases where fallback Rack response wasn't sent to the client (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3094\"\u003e#3094\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.3.1\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSecurity\n\u003cul\u003e\n\u003cli\u003eAddress HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields (\u003ca href=\"https://github.com/puma/puma/security/advisories/GHSA-68xg-gqqm-vgj8\"\u003eGHSA-68xg-gqqm-vgj8\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.3.0 - Mugi No Toki Itaru\u003c/h2\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/puma/puma/blob/master/History.md\"\u003epuma's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.4.2 / 2024-01-08\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSecurity\n\u003cul\u003e\n\u003cli\u003eLimit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. (\u003ca href=\"https://github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2\"\u003eGHSA-c2f4-cvqm-65w2\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.4.1 / 2024-01-03\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eBugfixes\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eDSL#warn_if_in_single_mode - fixup when workers set via CLI (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3256\"\u003e#3256\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix \u003ccode\u003eidle-timeout\u003c/code\u003e not working in cluster mode (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3235\"\u003e#3235\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3228\"\u003e#3228\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3282\"\u003e#3282\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3283\"\u003e#3283\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix worker 0 timing out during phased restart (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3225\"\u003e#3225\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/2786\"\u003e#2786\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003econtext_builder.rb - require openssl if verify_mode != 'none' (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3179\"\u003e#3179\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eMake puma cluster process suitable as PID 1 (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3255\"\u003e#3255\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eImprove Puma::NullIO consistency with real IO (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3276\"\u003e#3276\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eextconf.rb - fixup to detect openssl info in Ruby build (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3271\"\u003e#3271\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3266\"\u003e#3266\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eMiniSSL.java - set serialVersionUID, fix RaiseException deprecation (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3270\"\u003e#3270\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003edsl.rb - fix warn_if_in_single_mode when WEB_CONCURRENCY is set (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3265\"\u003e#3265\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3264\"\u003e#3264\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eMaintenance\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eLOTS of test refactoring to make tests more stable and easier to write - thanks to \u003ca href=\"https://github.com/MSP-Greg\"\u003e\u003ccode\u003e@​MSP-Greg\u003c/code\u003e\u003c/a\u003e!\u003c/li\u003e\n\u003cli\u003eFix bug in tests re: TestPuma::HOST4 (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3254\"\u003e#3254\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eDockerfile for minimal repros: use Ruby 3.2, expect bundler installed (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3245\"\u003e#3245\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003efix define_method calls, use Symbol parameter instead of String (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3293\"\u003e#3293\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eDocs\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eREADME.md - add the puma-acme plugin (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3301\"\u003e#3301\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eRemove \u003ccode\u003e--keep-file-descriptors\u003c/code\u003e flag from systemd docs (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3248\"\u003e#3248\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eNote symlink mechanism in restart documentation for hot restart (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3298\"\u003e#3298\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.4.0 / 2023-09-21\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eFeatures\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eon_thread_exit hook (\u003ca href=\"https://redirect.github.com/puma/puma/issues/2920\"\u003e#2920\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eon_thread_start_hook (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3195\"\u003e#3195\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eShutdown on idle (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3209\"\u003e#3209\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/2580\"\u003e#2580\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eNew error message when control server port taken (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3204\"\u003e#3204\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eRefactor\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eRemove \u003ccode\u003eForwardable\u003c/code\u003e dependency (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3191\"\u003e#3191\u003c/a\u003e, \u003ca href=\"https://redirect.github.com/puma/puma/issues/3190\"\u003e#3190\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eUpdate URLMap Regexp usage for Ruby v3.3 (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3165\"\u003e#3165\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eBugfixes\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eBring the cert_pem: parameter into parity with the cert: parameter to ssl_bind. (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3174\"\u003e#3174\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix using control server with IPv6 host (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3181\"\u003e#3181\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003econtrol_cli.rb - add require_relative 'log_writer' (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3187\"\u003e#3187\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eFix cases where fallback Rack response wasn't sent to the client (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3094\"\u003e#3094\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.3.1 / 2023-08-18\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSecurity\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93\"\u003e\u003ccode\u003e5fc43d7\u003c/code\u003e\u003c/a\u003e 5.6.8 and 6.4.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/dfbba22216f34a60bb55e1e007b1ad5951934cb8\"\u003e\u003ccode\u003edfbba22\u003c/code\u003e\u003c/a\u003e 6.4.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7\"\u003e\u003ccode\u003e60d5ee3\u003c/code\u003e\u003c/a\u003e Merge pull request from GHSA-c2f4-cvqm-65w2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/a2870252e3c525f6529358807faee1169f28270e\"\u003e\u003ccode\u003ea287025\u003c/code\u003e\u003c/a\u003e 6.4.1 version tick!\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/32a629dc3cffb2b3299df12d86f0ade98099dc4e\"\u003e\u003ccode\u003e32a629d\u003c/code\u003e\u003c/a\u003e 6.4.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/7e17826da540019940a8e1a95fabe00883332d1a\"\u003e\u003ccode\u003e7e17826\u003c/code\u003e\u003c/a\u003e [Fix \u003ca href=\"https://redirect.github.com/puma/puma/issues/3282\"\u003e#3282\u003c/a\u003e] \u003ccode\u003eidle-timeout\u003c/code\u003e not waiting on all workers in cluster mode (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3283\"\u003e#3283\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/437142e01d60531a86708dd446873ac9e0f3a03c\"\u003e\u003ccode\u003e437142e\u003c/code\u003e\u003c/a\u003e README.md - add the puma-acme plugin (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3301\"\u003e#3301\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/e9125faa5633362b69cde3170b6002aaf7ac618f\"\u003e\u003ccode\u003ee9125fa\u003c/code\u003e\u003c/a\u003e [CI] Change all workflow file extensions to '.yml' (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3300\"\u003e#3300\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/d49dec941ea603e68cdcba6f88d030cc9254c2ed\"\u003e\u003ccode\u003ed49dec9\u003c/code\u003e\u003c/a\u003e [CI] Add Ruby 3.3, use 'rubygems: latest' in tests.yaml MRI (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3299\"\u003e#3299\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/puma/puma/commit/2d27225e44e3b2110d39e7832f33c8314ae22bd9\"\u003e\u003ccode\u003e2d27225\u003c/code\u003e\u003c/a\u003e Note symlink mechanism in restart documentation for hot restart (\u003ca href=\"https://redirect.github.com/puma/puma/issues/3298\"\u003e#3298\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/puma/puma/compare/v6.2.1...v6.4.2\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `rotp` from 6.2.2 to 6.3.0\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/mdp/rotp/releases\"\u003erotp's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.3.0\u003c/h2\u003e\n\u003ch2\u003e\u003ca href=\"https://github.com/mdp/rotp/compare/v6.2.2...v6.3.0\"\u003e6.3.0\u003c/a\u003e (2023-08-30)\u003c/h2\u003e\n\u003ch3\u003eFeatures\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eAllow for non-standard provisioning URI params, eg. image/icon (\u003ca href=\"https://redirect.github.com/mdp/rotp/issues/91\"\u003e#91\u003c/a\u003e) (\u003ca href=\"https://github.com/mdp/rotp/commit/45d8aac8356424897faf3a0dbda59f88b22df775\"\u003e45d8aac\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/mdp/rotp/blob/main/CHANGELOG.md\"\u003erotp's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e\u003ca href=\"https://github.com/mdp/rotp/compare/v6.2.2...v6.3.0\"\u003e6.3.0\u003c/a\u003e (2023-08-30)\u003c/h2\u003e\n\u003ch3\u003eFeatures\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eAllow for non-standard provisioning URI params, eg. image/icon (\u003ca href=\"https://redirect.github.com/mdp/rotp/issues/91\"\u003e#91\u003c/a\u003e) (\u003ca href=\"https://github.com/mdp/rotp/commit/45d8aac8356424897faf3a0dbda59f88b22df775\"\u003e45d8aac\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/131d2c325ba5f94887b27eefe24a214bdbcd0a5c\"\u003e\u003ccode\u003e131d2c3\u003c/code\u003e\u003c/a\u003e chore(main): release 6.3.0 (\u003ca href=\"https://redirect.github.com/mdp/rotp/issues/132\"\u003e#132\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/45d8aac8356424897faf3a0dbda59f88b22df775\"\u003e\u003ccode\u003e45d8aac\u003c/code\u003e\u003c/a\u003e feat: Allow for non-standard provisioning URI params, eg. image/icon (\u003ca href=\"https://redirect.github.com/mdp/rotp/issues/91\"\u003e#91\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/3908511dee95f52e7d7d56255709f7683bcd2d47\"\u003e\u003ccode\u003e3908511\u003c/code\u003e\u003c/a\u003e chore: bootstrap releases for path: . (\u003ca href=\"https://redirect.github.com/mdp/rotp/issues/131\"\u003e#131\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/06581e7f09354d9eea82497e5642ec25a1d05915\"\u003e\u003ccode\u003e06581e7\u003c/code\u003e\u003c/a\u003e Chore: run CI on all pull requests (\u003ca href=\"https://redirect.github.com/mdp/rotp/issues/130\"\u003e#130\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/9a48b390fb972d7ed9e0abdc7d527fa8f9cbe9b1\"\u003e\u003ccode\u003e9a48b39\u003c/code\u003e\u003c/a\u003e chore: docker-compose.yml: Use ruby-3.0 (\u003ca href=\"https://redirect.github.com/mdp/rotp/issues/128\"\u003e#128\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/b38a738eb53c06b67ba0bab0730092d34abbf260\"\u003e\u003ccode\u003eb38a738\u003c/code\u003e\u003c/a\u003e Chore: CI Update for please release and Devcontainer addition of \u003ccode\u003eact\u003c/code\u003e (\u003ca href=\"https://redirect.github.com/mdp/rotp/issues/127\"\u003e#127\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/242591141a7bac910d93b0d30ad5b118500417f1\"\u003e\u003ccode\u003e2425911\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/mdp/rotp/issues/126\"\u003e#126\u003c/a\u003e from mdp/mdp/pr_rollup\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/9b5390ea4aadf093bcb39bea716bf4da9b74d858\"\u003e\u003ccode\u003e9b5390e\u003c/code\u003e\u003c/a\u003e Merge branch 'main' into mdp/pr_rollup\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/be137f1af7d7d2e5cbc57c8d15dba4a3ff11e65e\"\u003e\u003ccode\u003ebe137f1\u003c/code\u003e\u003c/a\u003e Add Ruby 3.2 to CI.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/mdp/rotp/commit/5b609123d344c30a350c85628be29acaaff70fa6\"\u003e\u003ccode\u003e5b60912\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/mdp/rotp/issues/116\"\u003e#116\u003c/a\u003e from gogainda/patch-1\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/mdp/rotp/compare/v6.2.2...v6.3.0\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `sanitize` from 6.0.1 to 6.0.2\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.0.2\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eCVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS (cross-site scripting). This issue affects Sanitize versions 3.0.0 through 6.0.1.\u003c/p\u003e\n\u003cp\u003eWhen using Sanitize's relaxed config or a custom config that allows \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e elements and one or more CSS at-rules, carefully crafted input could be used to sneak arbitrary HTML through Sanitize.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7\"\u003eGHSA-f5ww-cq3m-q3g7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to \u003ca href=\"https://github.com/cure53\"\u003e\u003ccode\u003e@​cure53\u003c/code\u003e\u003c/a\u003e for finding this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/HISTORY.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.0.2 (2023-07-06)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eCVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS\n(cross-site scripting). This issue affects Sanitize versions 3.0.0 through\n6.0.1.\u003c/p\u003e\n\u003cp\u003eWhen using Sanitize's relaxed config or a custom config that allows \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e\nelements and one or more CSS at-rules, carefully crafted input could be used\nto sneak arbitrary HTML through Sanitize.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details:\n\u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7\"\u003eGHSA-f5ww-cq3m-q3g7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to \u003ca href=\"https://github.com/cure53\"\u003e\u003ccode\u003e@​cure53\u003c/code\u003e\u003c/a\u003e for finding this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220\"\u003e\u003ccode\u003e76ed46e\u003c/code\u003e\u003c/a\u003e Merge pull request from GHSA-f5ww-cq3m-q3g7\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/3481ac3f1255c6584c67fad2f9e44d809273125d\"\u003e\u003ccode\u003e3481ac3\u003c/code\u003e\u003c/a\u003e Release 6.0.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/773d927bc457f5cae21edc059654abc98101413c\"\u003e\u003ccode\u003e773d927\u003c/code\u003e\u003c/a\u003e Update history\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/041c068cec516474d61862faf3910b26c7e10073\"\u003e\u003ccode\u003e041c068\u003c/code\u003e\u003c/a\u003e Escape \u003ccode\u003e\u0026lt;/\u003c/code\u003e to prevent a style element from being closed prematurely\u003c/li\u003e\n\u003cli\u003eSee full diff in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.0.1...v6.0.2\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `rexml` from 3.2.5 to 3.2.8\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/ruby/rexml/releases\"\u003erexml's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003eREXML 3.2.8 - 2024-05-16\u003c/h2\u003e\n\u003ch3\u003eFixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eSuppressed a warning\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eREXML 3.2.7 - 2024-05-16\u003c/h2\u003e\n\u003ch3\u003eImprovements\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eImprove parse performance by using \u003ccode\u003eStringScanner\u003c/code\u003e.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/106\"\u003eGH-106\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/107\"\u003eGH-107\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/108\"\u003eGH-108\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/109\"\u003eGH-109\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/112\"\u003eGH-112\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/113\"\u003eGH-113\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/114\"\u003eGH-114\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/115\"\u003eGH-115\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/116\"\u003eGH-116\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/117\"\u003eGH-117\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/118\"\u003eGH-118\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/119\"\u003eGH-119\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/121\"\u003eGH-121\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePatch by NAITOH Jun.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eImproved parse performance when an attribute has many \u003ccode\u003e\u0026lt;\u003c/code\u003es.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/124\"\u003eGH-124\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eFixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eXPath: Fixed a bug of \u003ccode\u003enormalize_space(array)\u003c/code\u003e.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/110\"\u003eGH-110\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/111\"\u003eGH-111\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePatch by flatisland.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eXPath: Fixed a bug that wrong position is used with nested path.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/110\"\u003eGH-110\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/122\"\u003eGH-122\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eReported by jcavalieri.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePatch by NAITOH Jun.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed a bug that an exception message can't be generated for\ninvalid encoding XML.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/ruby/rexml/blob/master/NEWS.md\"\u003erexml's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e3.2.8 - 2024-05-16 {#version-3-2-8}\u003c/h2\u003e\n\u003ch3\u003eFixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eSuppressed a warning\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e3.2.7 - 2024-05-16 {#version-3-2-7}\u003c/h2\u003e\n\u003ch3\u003eImprovements\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eImprove parse performance by using \u003ccode\u003eStringScanner\u003c/code\u003e.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/106\"\u003eGH-106\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/107\"\u003eGH-107\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/108\"\u003eGH-108\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/109\"\u003eGH-109\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/112\"\u003eGH-112\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/113\"\u003eGH-113\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/114\"\u003eGH-114\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/115\"\u003eGH-115\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/116\"\u003eGH-116\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/117\"\u003eGH-117\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/118\"\u003eGH-118\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/119\"\u003eGH-119\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/121\"\u003eGH-121\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePatch by NAITOH Jun.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eImproved parse performance when an attribute has many \u003ccode\u003e\u0026lt;\u003c/code\u003es.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/124\"\u003eGH-124\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch3\u003eFixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eXPath: Fixed a bug of \u003ccode\u003enormalize_space(array)\u003c/code\u003e.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/110\"\u003eGH-110\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/111\"\u003eGH-111\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePatch by flatisland.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eXPath: Fixed a bug that wrong position is used with nested path.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/110\"\u003eGH-110\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003e\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/122\"\u003eGH-122\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eReported by jcavalieri.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003ePatch by NAITOH Jun.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed a bug that an exception message can't be generated for\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/1cf37bab79d61d6183bbda8bf525ed587012b718\"\u003e\u003ccode\u003e1cf37ba\u003c/code\u003e\u003c/a\u003e Add 3.2.8 entry\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/b67081caa807fad48d31983137b7ed8711e7f0df\"\u003e\u003ccode\u003eb67081c\u003c/code\u003e\u003c/a\u003e Remove an unused variable (\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/128\"\u003e#128\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/94e180e939baff8f7e328a287bb96ebbd99db6eb\"\u003e\u003ccode\u003e94e180e\u003c/code\u003e\u003c/a\u003e Suppress a warning\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/d574ba5fe1c40adbafbf16e47533f4eb32b43e60\"\u003e\u003ccode\u003ed574ba5\u003c/code\u003e\u003c/a\u003e ci: install only gems required for running tests (\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/129\"\u003e#129\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/4670f8fc187c89d0504d027ea997959287143453\"\u003e\u003ccode\u003e4670f8f\u003c/code\u003e\u003c/a\u003e Add missing Thanks section\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/9ba35f9f032c07c39b8c86536ac13a9cb313bef2\"\u003e\u003ccode\u003e9ba35f9\u003c/code\u003e\u003c/a\u003e Bump version\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/085def07425561862d8329001168d8bc9c75ae8f\"\u003e\u003ccode\u003e085def0\u003c/code\u003e\u003c/a\u003e Add 3.2.7 entry\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/4325835f92f3f142ebd91a3fdba4e1f1ab7f1cfb\"\u003e\u003ccode\u003e4325835\u003c/code\u003e\u003c/a\u003e Read quoted attributes in chunks (\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/126\"\u003e#126\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/e77365e2d1c9cdb822c7e09b05fc5a4903d92c23\"\u003e\u003ccode\u003ee77365e\u003c/code\u003e\u003c/a\u003e Exclude older than 2.6 on macos-14\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/rexml/commit/bf2c8edb5facb206c25a62952aa37218793283e6\"\u003e\u003ccode\u003ebf2c8ed\u003c/code\u003e\u003c/a\u003e Move development dependencies to Gemfile (\u003ca href=\"https://redirect.github.com/ruby/rexml/issues/124\"\u003e#124\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/ruby/rexml/compare/v3.2.5...v3.2.8\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\nUpdates `uri` from 0.12.1 to 0.13.0\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/ruby/uri/releases\"\u003euri's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev0.13.0\u003c/h2\u003e\n\u003ch2\u003eWhat's Changed\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e[DOC] Enhanced RDoc for common methods by \u003ca href=\"https://github.com/BurdetteLamar\"\u003e\u003ccode\u003e@​BurdetteLamar\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/48\"\u003eruby/uri#48\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e[DOC] Common methods rdoc by \u003ca href=\"https://github.com/BurdetteLamar\"\u003e\u003ccode\u003e@​BurdetteLamar\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/49\"\u003eruby/uri#49\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e[DOC] Enhanced RDoc for common methods by \u003ca href=\"https://github.com/BurdetteLamar\"\u003e\u003ccode\u003e@​BurdetteLamar\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/50\"\u003eruby/uri#50\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAdd Ruby 3.2 to CI matrix by \u003ca href=\"https://github.com/tricknotes\"\u003e\u003ccode\u003e@​tricknotes\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/51\"\u003eruby/uri#51\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e[DOC] Common rdoc by \u003ca href=\"https://github.com/BurdetteLamar\"\u003e\u003ccode\u003e@​BurdetteLamar\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/52\"\u003eruby/uri#52\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e[DOC] Enhanced RDoc for URI.decode_www_form by \u003ca href=\"https://github.com/BurdetteLamar\"\u003e\u003ccode\u003e@​BurdetteLamar\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/53\"\u003eruby/uri#53\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e[DOC] Enhanced RDoc for URI by \u003ca href=\"https://github.com/BurdetteLamar\"\u003e\u003ccode\u003e@​BurdetteLamar\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/55\"\u003eruby/uri#55\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eGenerate rdoc document by GitHub Pages Action by \u003ca href=\"https://github.com/hsbt\"\u003e\u003ccode\u003e@​hsbt\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/59\"\u003eruby/uri#59\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eAdd documentation links by \u003ca href=\"https://github.com/AlexWayfer\"\u003e\u003ccode\u003e@​AlexWayfer\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/58\"\u003eruby/uri#58\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eUpdate test libraries from ruby/ruby 2023-03-24 by \u003ca href=\"https://github.com/hsbt\"\u003e\u003ccode\u003e@​hsbt\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/65\"\u003eruby/uri#65\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eSwitch to use callable workflow for Actions by \u003ca href=\"https://github.com/hsbt\"\u003e\u003ccode\u003e@​hsbt\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/67\"\u003eruby/uri#67\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eRefine tests by \u003ca href=\"https://github.com/nobu\"\u003e\u003ccode\u003e@​nobu\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/71\"\u003eruby/uri#71\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eDrop support for 2.4 by \u003ca href=\"https://github.com/nobu\"\u003e\u003ccode\u003e@​nobu\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/77\"\u003eruby/uri#77\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eUpdate test libraries from ruby/ruby 2023-06-02 by \u003ca href=\"https://github.com/nobu\"\u003e\u003ccode\u003e@​nobu\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/78\"\u003eruby/uri#78\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eUse released version of test-unit-ruby-core by \u003ca href=\"https://github.com/hsbt\"\u003e\u003ccode\u003e@​hsbt\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/79\"\u003eruby/uri#79\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eRefactor RFC3986 regexps to make more readable by \u003ca href=\"https://github.com/nobu\"\u003e\u003ccode\u003e@​nobu\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/46\"\u003eruby/uri#46\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eFix RFC3986 regexps by \u003ca href=\"https://github.com/nobu\"\u003e\u003ccode\u003e@​nobu\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/81\"\u003eruby/uri#81\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eFix host part in relative referece by \u003ca href=\"https://github.com/nobu\"\u003e\u003ccode\u003e@​nobu\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/84\"\u003eruby/uri#84\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eString literals are frozen now by \u003ca href=\"https://github.com/nobu\"\u003e\u003ccode\u003e@​nobu\u003c/code\u003e\u003c/a\u003e in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/85\"\u003eruby/uri#85\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003eNew Contributors\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/BurdetteLamar\"\u003e\u003ccode\u003e@​BurdetteLamar\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/48\"\u003eruby/uri#48\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/AlexWayfer\"\u003e\u003ccode\u003e@​AlexWayfer\u003c/code\u003e\u003c/a\u003e made their first contribution in \u003ca href=\"https://redirect.github.com/ruby/uri/pull/58\"\u003eruby/uri#58\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003e\u003cstrong\u003eFull Changelog\u003c/strong\u003e: \u003ca href=\"https://github.com/ruby/uri/compare/v0.12.0...v0.13.0\"\u003ehttps://github.com/ruby/uri/compare/v0.12.0...v0.13.0\u003c/a\u003e\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/b50d37f7a193991c56bda7f94e8dd6fec0bb3f7f\"\u003e\u003ccode\u003eb50d37f\u003c/code\u003e\u003c/a\u003e Bump up 0.13.0\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/5c17cd20930c2ac5c288c6aaeb470c7dc7547d8c\"\u003e\u003ccode\u003e5c17cd2\u003c/code\u003e\u003c/a\u003e add #to_str to URI::Generic\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/f4999b61daa40f2c99fdc7159e2c85c036b22c67\"\u003e\u003ccode\u003ef4999b6\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/ruby/uri/issues/88\"\u003e#88\u003c/a\u003e from ruby/dependabot/github_actions/actions/checkout-4\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/b0b029ce34465766f351b511693fc573ea0a509c\"\u003e\u003ccode\u003eb0b029c\u003c/code\u003e\u003c/a\u003e Bump actions/checkout from 3 to 4\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/bec5ef95cf6e378560f55fd6b0e9f1c139626670\"\u003e\u003ccode\u003ebec5ef9\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/ruby/uri/issues/86\"\u003e#86\u003c/a\u003e from ruby/dependabot/github_actions/actions/upload-pag...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/5a626d6a2f9a702ebd8de4d630c408616a346412\"\u003e\u003ccode\u003e5a626d6\u003c/code\u003e\u003c/a\u003e Bump actions/upload-pages-artifact from 1 to 2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/e18e657ea8eedb851e8ba187229c7d0b0bcef20c\"\u003e\u003ccode\u003ee18e657\u003c/code\u003e\u003c/a\u003e Bump up v0.12.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/9d7bcef1e6ad23c9c6e4932f297fb737888144c8\"\u003e\u003ccode\u003e9d7bcef\u003c/code\u003e\u003c/a\u003e Fix quadratic backtracking on invalid port number\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/9010ee2536adda10a0555ae1ed6fe2f5808e6bf1\"\u003e\u003ccode\u003e9010ee2\u003c/code\u003e\u003c/a\u003e Fix quadratic backtracking on invalid relative URI\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/ruby/uri/commit/fd2146558b4e9882613b320705ca82e8fc777383\"\u003e\u003ccode\u003efd21465\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/ruby/uri/issues/85\"\u003e#85\u003c/a\u003e from nobu/frozen-literals\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/ruby/uri/compare/v0.12.1...v0.13.0\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore \u003cdependency name\u003e major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)\n- `@dependabot ignore \u003cdependency name\u003e` will close this group update PR and ...\n\n_Description has been truncated_","html_url":"https://github.com/MNDL-27/discourse/pull/8","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/MNDL-27%2Fdiscourse/issues/8","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/8/packages"}},{"old_version":"6.0.0","new_version":"6.1.0","update_type":"minor","path":null,"pr_created_at":"2023-09-18T12:09:06.000Z","version_change":"6.0.0 → 6.1.0","issue":{"uuid":"1900796776","node_id":"PR_kwDOHFui2c5aj91s","number":845,"state":"closed","title":"Bump sanitize from 6.0.0 to 6.1.0","user":"dependabot[bot]","labels":["dependencies","ruby"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-09-03T18:22:35.000Z","author_association":"NONE","state_reason":null,"created_at":"2023-09-18T12:09:06.000Z","updated_at":"2025-09-03T18:22:36.000Z","time_to_close":61884809,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.0.0","new_version":"6.1.0","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.0.0 to 6.1.0.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.1.0\u003c/h2\u003e\n\u003ch3\u003eFeatures\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eAdded the \u003ccode\u003etext-decoration-skip-ink\u003c/code\u003e and \u003ccode\u003etext-decoration-thickness\u003c/code\u003e CSS properties to the relaxed config. [\u003ca href=\"https://github.com/martineriksson\"\u003e\u003ccode\u003e@​martineriksson\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/228\"\u003e#228\u003c/a\u003e]\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/228\"\u003e228\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.0.2\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eCVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS (cross-site scripting). This issue affects Sanitize versions 3.0.0 through 6.0.1.\u003c/p\u003e\n\u003cp\u003eWhen using Sanitize's relaxed config or a custom config that allows \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e elements and one or more CSS at-rules, carefully crafted input could be used to sneak arbitrary HTML through Sanitize.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7\"\u003eGHSA-f5ww-cq3m-q3g7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to \u003ca href=\"https://github.com/cure53\"\u003e\u003ccode\u003e@​cure53\u003c/code\u003e\u003c/a\u003e for finding this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.0.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even when \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed by a custom allowlist. In this scenario, carefully crafted input could sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not vulnerable. This issue only affects users who are using a custom config that adds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled in the user agent. Nokogiri doesn't support scripting so it follows the \u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will follow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably make the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled browsers, so the safest thing to do is to remove the element and its contents entirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such as \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was allowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in the readme and create a custom config that allowlisted all the elements involved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or if you heeded the warnings about MathML and SVG not being supported, you're not affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or SVG content and does not support this use case. The default configs don't allow MathML or SVG elements, and allowlisting MathML or SVG elements in a custom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing warnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/HISTORY.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.1.0 (2023-09-14)\u003c/h2\u003e\n\u003ch3\u003eFeatures\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eAdded the \u003ccode\u003etext-decoration-skip-ink\u003c/code\u003e and \u003ccode\u003etext-decoration-thickness\u003c/code\u003e CSS properties to the relaxed config. [\u003ca href=\"https://github.com/martineriksson\"\u003e\u003ccode\u003e@​martineriksson\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/228\"\u003e#228\u003c/a\u003e]\u003ca href=\"https://redirect.github.com/rgrove/sanitize/pull/228\"\u003e228\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.0.2 (2023-07-06)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eCVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS\n(cross-site scripting). This issue affects Sanitize versions 3.0.0 through\n6.0.1.\u003c/p\u003e\n\u003cp\u003eWhen using Sanitize's relaxed config or a custom config that allows \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e\nelements and one or more CSS at-rules, carefully crafted input could be used\nto sneak arbitrary HTML through Sanitize.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details:\n\u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-f5ww-cq3m-q3g7\"\u003eGHSA-f5ww-cq3m-q3g7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to \u003ca href=\"https://github.com/cure53\"\u003e\u003ccode\u003e@​cure53\u003c/code\u003e\u003c/a\u003e for finding this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e6.0.1 (2023-01-27)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even\nwhen \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed\nby a custom allowlist. In this scenario, carefully crafted input could sneak\narbitrary HTML through Sanitize, potentially enabling an XSS (cross-site\nscripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not\nvulnerable. This issue only affects users who are using a custom config that\nadds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of\na \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled\nin the user agent. Nokogiri doesn't support scripting so it follows the\n\u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will\nfollow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably\nmake the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled\nbrowsers, so the safest thing to do is to remove the element and its contents\nentirely.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7194dca84a1238fa3294c2eb08a6062b9f60e7f8\"\u003e\u003ccode\u003e7194dca\u003c/code\u003e\u003c/a\u003e Release 6.1.0\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/1bba64eae268d34eb6616f637755668af727ad17\"\u003e\u003ccode\u003e1bba64e\u003c/code\u003e\u003c/a\u003e Add a couple of CSS properties to relaxed config\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/d76c8aa8f91d259751fd57da2faeabad82d8334c\"\u003e\u003ccode\u003ed76c8aa\u003c/code\u003e\u003c/a\u003e Merge pull request \u003ca href=\"https://redirect.github.com/rgrove/sanitize/issues/225\"\u003e#225\u003c/a\u003e from igor-drozdov/igor-drozdov-patch-1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/cf84bfe24e1a984929f5aa59a2b86fbc3a4d4051\"\u003e\u003ccode\u003ecf84bfe\u003c/code\u003e\u003c/a\u003e Add 3.2 to the list of Ruby CI versions\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/76ed46e6dc70820f38efe27de8dabd54dddb5220\"\u003e\u003ccode\u003e76ed46e\u003c/code\u003e\u003c/a\u003e Merge pull request from GHSA-f5ww-cq3m-q3g7\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/3481ac3f1255c6584c67fad2f9e44d809273125d\"\u003e\u003ccode\u003e3481ac3\u003c/code\u003e\u003c/a\u003e Release 6.0.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/773d927bc457f5cae21edc059654abc98101413c\"\u003e\u003ccode\u003e773d927\u003c/code\u003e\u003c/a\u003e Update history\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/041c068cec516474d61862faf3910b26c7e10073\"\u003e\u003ccode\u003e041c068\u003c/code\u003e\u003c/a\u003e Escape \u003ccode\u003e\u0026lt;/\u003c/code\u003e to prevent a style element from being closed prematurely\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a92f21cd223a32a1737262d68e56a4fb8b9470f9\"\u003e\u003ccode\u003ea92f21c\u003c/code\u003e\u003c/a\u003e Release 6.0.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7ac1dfb413f85bc15130435d64326576a345fe8a\"\u003e\u003ccode\u003e7ac1dfb\u003c/code\u003e\u003c/a\u003e Update links\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.0.0...v6.1.0\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.0.0\u0026new-version=6.1.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot show \u003cdependency name\u003e ignore conditions` will show all of the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/Izorkin/mastodon/pull/845","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/Izorkin%2Fmastodon/issues/845","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/845/packages"}},{"old_version":"6.0.0","new_version":"6.0.1","update_type":"patch","path":null,"pr_created_at":"2023-01-30T22:31:48.000Z","version_change":"6.0.0 → 6.0.1","issue":{"uuid":"1563314910","node_id":"PR_kwDOBWzxzs5I3I2h","number":781,"state":"closed","title":"Bump sanitize from 6.0.0 to 6.0.1","user":"dependabot[bot]","labels":["dependencies","ruby","rebase needed :construction:"],"assignees":[],"locked":false,"comments_count":2,"pull_request":true,"closed_at":"2026-01-24T06:44:56.000Z","author_association":null,"state_reason":null,"created_at":"2023-01-30T22:31:48.000Z","updated_at":"2026-01-24T06:45:04.000Z","time_to_close":94119188,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.0.0","new_version":"6.0.1","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.0.0 to 6.0.1.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.0.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even when \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed by a custom allowlist. In this scenario, carefully crafted input could sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not vulnerable. This issue only affects users who are using a custom config that adds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled in the user agent. Nokogiri doesn't support scripting so it follows the \u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will follow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably make the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled browsers, so the safest thing to do is to remove the element and its contents entirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such as \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was allowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in the readme and create a custom config that allowlisted all the elements involved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or if you heeded the warnings about MathML and SVG not being supported, you're not affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or SVG content and does not support this use case. The default configs don't allow MathML or SVG elements, and allowlisting MathML or SVG elements in a custom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing warnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/HISTORY.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.0.1 (2023-01-27)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even\nwhen \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed\nby a custom allowlist. In this scenario, carefully crafted input could sneak\narbitrary HTML through Sanitize, potentially enabling an XSS (cross-site\nscripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not\nvulnerable. This issue only affects users who are using a custom config that\nadds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of\na \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled\nin the user agent. Nokogiri doesn't support scripting so it follows the\n\u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will\nfollow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably\nmake the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled\nbrowsers, so the safest thing to do is to remove the element and its contents\nentirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details:\n\u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\n(\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such\nas \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was\nallowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in\nthe readme and create a custom config that allowlisted all the elements\ninvolved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or\nif you heeded the warnings about MathML and SVG not being supported, you're\nnot affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or\nSVG content and does not support this use case. The default configs don't\nallow MathML or SVG elements, and allowlisting MathML or SVG elements in a\ncustom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing\nwarnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a92f21cd223a32a1737262d68e56a4fb8b9470f9\"\u003e\u003ccode\u003ea92f21c\u003c/code\u003e\u003c/a\u003e Release 6.0.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7ac1dfb413f85bc15130435d64326576a345fe8a\"\u003e\u003ccode\u003e7ac1dfb\u003c/code\u003e\u003c/a\u003e Update links\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/784e78915a8fa9decbc67a06b85664432a3d14ab\"\u003e\u003ccode\u003e784e789\u003c/code\u003e\u003c/a\u003e Remove outdated comparison\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22\"\u003e\u003ccode\u003eec14265\u003c/code\u003e\u003c/a\u003e Always remove \u003ccode\u003e\\\u0026lt;noscript\u0026gt;\u003c/code\u003e elements\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/b4ee521df0d0616340c9648444be488381c238b1\"\u003e\u003ccode\u003eb4ee521\u003c/code\u003e\u003c/a\u003e Forcibly escape content in \u0026quot;unescaped text\u0026quot; elements inside math or svg names...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/94d5c220cd5f22f3865ed448b44215733a6976dc\"\u003e\u003ccode\u003e94d5c22\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/55f766e7a7857efeead30792f4646d10c693e819\"\u003e\u003ccode\u003e55f766e\u003c/code\u003e\u003c/a\u003e Simplify the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/69b4597a6e08600459bb925ebb4fabb166573784\"\u003e\u003ccode\u003e69b4597\u003c/code\u003e\u003c/a\u003e Use actions/checkout@v3\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/2924038559e7ea3ce52c0d968bda8022fcb58149\"\u003e\u003ccode\u003e2924038\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ce1af491a9b36eed4cdc38e8ea3c85743b804129\"\u003e\u003ccode\u003ece1af49\u003c/code\u003e\u003c/a\u003e Update the online demo link\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.0.0...v6.0.1\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.0.0\u0026new-version=6.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/koba-lab/mastodon/pull/781","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/koba-lab%2Fmastodon/issues/781","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/781/packages"}},{"old_version":"6.0.0","new_version":"6.0.1","update_type":"patch","path":null,"pr_created_at":"2023-01-30T12:10:14.000Z","version_change":"6.0.0 → 6.0.1","issue":{"uuid":"1562324235","node_id":"PR_kwDOB6Ga_s5IzxMA","number":1509,"state":"closed","title":"Bump sanitize from 6.0.0 to 6.0.1","user":"dependabot[bot]","labels":["dependencies","ruby","rebase needed :construction:"],"assignees":[],"locked":false,"comments_count":2,"pull_request":true,"closed_at":"2026-03-01T05:11:29.000Z","author_association":null,"state_reason":null,"created_at":"2023-01-30T12:10:14.000Z","updated_at":"2026-03-01T06:24:02.000Z","time_to_close":97261275,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.0.0","new_version":"6.0.1","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.0.0 to 6.0.1.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.0.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even when \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed by a custom allowlist. In this scenario, carefully crafted input could sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not vulnerable. This issue only affects users who are using a custom config that adds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled in the user agent. Nokogiri doesn't support scripting so it follows the \u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will follow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably make the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled browsers, so the safest thing to do is to remove the element and its contents entirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such as \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was allowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in the readme and create a custom config that allowlisted all the elements involved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or if you heeded the warnings about MathML and SVG not being supported, you're not affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or SVG content and does not support this use case. The default configs don't allow MathML or SVG elements, and allowlisting MathML or SVG elements in a custom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing warnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/HISTORY.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.0.1 (2023-01-27)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even\nwhen \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed\nby a custom allowlist. In this scenario, carefully crafted input could sneak\narbitrary HTML through Sanitize, potentially enabling an XSS (cross-site\nscripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not\nvulnerable. This issue only affects users who are using a custom config that\nadds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of\na \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled\nin the user agent. Nokogiri doesn't support scripting so it follows the\n\u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will\nfollow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably\nmake the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled\nbrowsers, so the safest thing to do is to remove the element and its contents\nentirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details:\n\u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\n(\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such\nas \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was\nallowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in\nthe readme and create a custom config that allowlisted all the elements\ninvolved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or\nif you heeded the warnings about MathML and SVG not being supported, you're\nnot affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or\nSVG content and does not support this use case. The default configs don't\nallow MathML or SVG elements, and allowlisting MathML or SVG elements in a\ncustom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing\nwarnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a92f21cd223a32a1737262d68e56a4fb8b9470f9\"\u003e\u003ccode\u003ea92f21c\u003c/code\u003e\u003c/a\u003e Release 6.0.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7ac1dfb413f85bc15130435d64326576a345fe8a\"\u003e\u003ccode\u003e7ac1dfb\u003c/code\u003e\u003c/a\u003e Update links\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/784e78915a8fa9decbc67a06b85664432a3d14ab\"\u003e\u003ccode\u003e784e789\u003c/code\u003e\u003c/a\u003e Remove outdated comparison\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22\"\u003e\u003ccode\u003eec14265\u003c/code\u003e\u003c/a\u003e Always remove \u003ccode\u003e\\\u0026lt;noscript\u0026gt;\u003c/code\u003e elements\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/b4ee521df0d0616340c9648444be488381c238b1\"\u003e\u003ccode\u003eb4ee521\u003c/code\u003e\u003c/a\u003e Forcibly escape content in \u0026quot;unescaped text\u0026quot; elements inside math or svg names...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/94d5c220cd5f22f3865ed448b44215733a6976dc\"\u003e\u003ccode\u003e94d5c22\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/55f766e7a7857efeead30792f4646d10c693e819\"\u003e\u003ccode\u003e55f766e\u003c/code\u003e\u003c/a\u003e Simplify the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/69b4597a6e08600459bb925ebb4fabb166573784\"\u003e\u003ccode\u003e69b4597\u003c/code\u003e\u003c/a\u003e Use actions/checkout@v3\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/2924038559e7ea3ce52c0d968bda8022fcb58149\"\u003e\u003ccode\u003e2924038\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ce1af491a9b36eed4cdc38e8ea3c85743b804129\"\u003e\u003ccode\u003ece1af49\u003c/code\u003e\u003c/a\u003e Update the online demo link\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.0.0...v6.0.1\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.0.0\u0026new-version=6.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n\n\n\u003c/details\u003e","html_url":"https://github.com/wd-shiroma/mastodon/pull/1509","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/wd-shiroma%2Fmastodon/issues/1509","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/1509/packages"}},{"old_version":"6.0.0","new_version":"6.0.1","update_type":"patch","path":null,"pr_created_at":"2023-01-28T01:20:57.000Z","version_change":"6.0.0 → 6.0.1","issue":{"uuid":"1220084913","node_id":"PR_kwDOAEW1wM5IuQSx","number":87,"state":"closed","title":"Bump sanitize from 6.0.0 to 6.0.1","user":"dependabot[bot]","labels":["dependencies"],"assignees":[],"locked":false,"comments_count":2,"pull_request":true,"closed_at":"2025-09-28T06:19:04.000Z","author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2023-01-28T01:20:57.000Z","updated_at":"2025-09-28T06:19:04.000Z","time_to_close":84171487,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"6.0.0","new_version":"6.0.1","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 6.0.0 to 6.0.1.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.0.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even when \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed by a custom allowlist. In this scenario, carefully crafted input could sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not vulnerable. This issue only affects users who are using a custom config that adds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled in the user agent. Nokogiri doesn't support scripting so it follows the \u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will follow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably make the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled browsers, so the safest thing to do is to remove the element and its contents entirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such as \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was allowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in the readme and create a custom config that allowlisted all the elements involved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or if you heeded the warnings about MathML and SVG not being supported, you're not affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or SVG content and does not support this use case. The default configs don't allow MathML or SVG elements, and allowlisting MathML or SVG elements in a custom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing warnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/HISTORY.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.0.1 (2023-01-27)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even\nwhen \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed\nby a custom allowlist. In this scenario, carefully crafted input could sneak\narbitrary HTML through Sanitize, potentially enabling an XSS (cross-site\nscripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not\nvulnerable. This issue only affects users who are using a custom config that\nadds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of\na \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled\nin the user agent. Nokogiri doesn't support scripting so it follows the\n\u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will\nfollow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably\nmake the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled\nbrowsers, so the safest thing to do is to remove the element and its contents\nentirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details:\n\u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\n(\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such\nas \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was\nallowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in\nthe readme and create a custom config that allowlisted all the elements\ninvolved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or\nif you heeded the warnings about MathML and SVG not being supported, you're\nnot affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or\nSVG content and does not support this use case. The default configs don't\nallow MathML or SVG elements, and allowlisting MathML or SVG elements in a\ncustom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing\nwarnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a92f21cd223a32a1737262d68e56a4fb8b9470f9\"\u003e\u003ccode\u003ea92f21c\u003c/code\u003e\u003c/a\u003e Release 6.0.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7ac1dfb413f85bc15130435d64326576a345fe8a\"\u003e\u003ccode\u003e7ac1dfb\u003c/code\u003e\u003c/a\u003e Update links\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/784e78915a8fa9decbc67a06b85664432a3d14ab\"\u003e\u003ccode\u003e784e789\u003c/code\u003e\u003c/a\u003e Remove outdated comparison\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22\"\u003e\u003ccode\u003eec14265\u003c/code\u003e\u003c/a\u003e Always remove \u003ccode\u003e\\\u0026lt;noscript\u0026gt;\u003c/code\u003e elements\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/b4ee521df0d0616340c9648444be488381c238b1\"\u003e\u003ccode\u003eb4ee521\u003c/code\u003e\u003c/a\u003e Forcibly escape content in \u0026quot;unescaped text\u0026quot; elements inside math or svg names...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/94d5c220cd5f22f3865ed448b44215733a6976dc\"\u003e\u003ccode\u003e94d5c22\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/55f766e7a7857efeead30792f4646d10c693e819\"\u003e\u003ccode\u003e55f766e\u003c/code\u003e\u003c/a\u003e Simplify the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/69b4597a6e08600459bb925ebb4fabb166573784\"\u003e\u003ccode\u003e69b4597\u003c/code\u003e\u003c/a\u003e Use actions/checkout@v3\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/2924038559e7ea3ce52c0d968bda8022fcb58149\"\u003e\u003ccode\u003e2924038\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ce1af491a9b36eed4cdc38e8ea3c85743b804129\"\u003e\u003ccode\u003ece1af49\u003c/code\u003e\u003c/a\u003e Update the online demo link\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v6.0.0...v6.0.1\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=6.0.0\u0026new-version=6.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language\n- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language\n- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language\n- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language\n\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/TechnoDann/PPC-board-2.0/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/TechnoDann/PPC-board-2.0/pull/87","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/TechnoDann%2FPPC-board-2.0/issues/87","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/87/packages"}},{"old_version":"5.2.1","new_version":"6.0.1","update_type":"major","path":null,"pr_created_at":"2023-01-28T01:19:27.000Z","version_change":"5.2.1 → 6.0.1","issue":{"uuid":"1560619941","node_id":"PR_kwDOABcwys5IuQJ2","number":1286,"state":"closed","title":"Bump sanitize from 5.2.1 to 6.0.1","user":"dependabot[bot]","labels":["dependencies","ruby"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-05-20T14:36:22.000Z","author_association":"CONTRIBUTOR","state_reason":null,"created_at":"2023-01-28T01:19:27.000Z","updated_at":"2025-05-20T14:36:31.000Z","time_to_close":72883015,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"5.2.1","new_version":"6.0.1","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 5.2.1 to 6.0.1.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev6.0.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even when \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed by a custom allowlist. In this scenario, carefully crafted input could sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not vulnerable. This issue only affects users who are using a custom config that adds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled in the user agent. Nokogiri doesn't support scripting so it follows the \u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will follow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably make the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled browsers, so the safest thing to do is to remove the element and its contents entirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such as \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was allowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in the readme and create a custom config that allowlisted all the elements involved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or if you heeded the warnings about MathML and SVG not being supported, you're not affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or SVG content and does not support this use case. The default configs don't allow MathML or SVG elements, and allowlisting MathML or SVG elements in a custom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing warnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e (\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev6.0.0\u003c/h2\u003e\n\u003ch3\u003ePotentially Breaking Changes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eRuby 2.5.0 is now the oldest officially supported Ruby version.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now requires Nokogiri 1.12.0 or higher, which includes Nokogumbo. The separate dependency on Nokogumbo has been removed. [\u003ca href=\"https://github.com/lis2\"\u003e\u003ccode\u003e@​lis2\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/211\"\u003e#211\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/211\"\u003e211\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev5.2.3\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure protocol sanitization is applied to data attributes. [\u003ca href=\"https://github.com/ccutrer\"\u003e\u003ccode\u003e@​ccutrer\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/207\"\u003e#207\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/207\"\u003e207\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev5.2.2\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eFixed a deprecation warning in Ruby 2.7+ when using keyword arguments in a custom transformer. [\u003ca href=\"https://github.com/mscrivo\"\u003e\u003ccode\u003e@​mscrivo\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/206\"\u003e#206\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/206\"\u003e206\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/blockquote\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/HISTORY.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e6.0.1 (2023-01-27)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eSanitize now always removes \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and their contents, even\nwhen \u003ccode\u003enoscript\u003c/code\u003e is in the allowlist.\u003c/p\u003e\n\u003cp\u003eThis fixes a sanitization bypass that could occur when \u003ccode\u003enoscript\u003c/code\u003e was allowed\nby a custom allowlist. In this scenario, carefully crafted input could sneak\narbitrary HTML through Sanitize, potentially enabling an XSS (cross-site\nscripting) attack.\u003c/p\u003e\n\u003cp\u003eSanitize's default configs don't allow \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e elements and are not\nvulnerable. This issue only affects users who are using a custom config that\nadds \u003ccode\u003enoscript\u003c/code\u003e to the element allowlist.\u003c/p\u003e\n\u003cp\u003eThe root cause of this issue is that HTML parsing rules treat the contents of\na \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element differently depending on whether scripting is enabled\nin the user agent. Nokogiri doesn't support scripting so it follows the\n\u0026quot;scripting disabled\u0026quot; rules, but a web browser with scripting enabled will\nfollow the \u0026quot;scripting enabled\u0026quot; rules. This means that Sanitize can't reliably\nmake the contents of a \u003ccode\u003e\u0026lt;noscript\u0026gt;\u003c/code\u003e element safe for scripting enabled\nbrowsers, so the safest thing to do is to remove the element and its contents\nentirely.\u003c/p\u003e\n\u003cp\u003eSee the following security advisory for additional details:\n\u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7\"\u003eGHSA-fw3g-2h3j-qmm7\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\n(\u003ca href=\"https://github.com/leeN\"\u003e\u003ccode\u003e@​leeN\u003c/code\u003e\u003c/a\u003e) for reporting this issue.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an edge case in which the contents of an \u0026quot;unescaped text\u0026quot; element (such\nas \u003ccode\u003e\u0026lt;noembed\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;xmp\u0026gt;\u003c/code\u003e) were not properly escaped if that element was\nallowlisted and was also inside an allowlisted \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element.\u003c/p\u003e\n\u003cp\u003eThe only way to encounter this situation was to ignore multiple warnings in\nthe readme and create a custom config that allowlisted all the elements\ninvolved, including \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e. If you're using a default config or\nif you heeded the warnings about MathML and SVG not being supported, you're\nnot affected by this issue.\u003c/p\u003e\n\u003cp\u003ePlease let this be a reminder that Sanitize cannot safely sanitize MathML or\nSVG content and does not support this use case. The default configs don't\nallow MathML or SVG elements, and allowlisting MathML or SVG elements in a\ncustom config may create a security vulnerability in your application.\u003c/p\u003e\n\u003cp\u003eDocumentation has been updated to add more warnings and to make the existing\nwarnings about this more prominent.\u003c/p\u003e\n\u003cp\u003eThanks to David Klein from \u003ca href=\"https://www.tu-braunschweig.de/en/ias\"\u003eTU Braunschweig\u003c/a\u003e\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/a92f21cd223a32a1737262d68e56a4fb8b9470f9\"\u003e\u003ccode\u003ea92f21c\u003c/code\u003e\u003c/a\u003e Release 6.0.1\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7ac1dfb413f85bc15130435d64326576a345fe8a\"\u003e\u003ccode\u003e7ac1dfb\u003c/code\u003e\u003c/a\u003e Update links\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/784e78915a8fa9decbc67a06b85664432a3d14ab\"\u003e\u003ccode\u003e784e789\u003c/code\u003e\u003c/a\u003e Remove outdated comparison\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22\"\u003e\u003ccode\u003eec14265\u003c/code\u003e\u003c/a\u003e Always remove \u003ccode\u003e\\\u0026lt;noscript\u0026gt;\u003c/code\u003e elements\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/b4ee521df0d0616340c9648444be488381c238b1\"\u003e\u003ccode\u003eb4ee521\u003c/code\u003e\u003c/a\u003e Forcibly escape content in \u0026quot;unescaped text\u0026quot; elements inside math or svg names...\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/94d5c220cd5f22f3865ed448b44215733a6976dc\"\u003e\u003ccode\u003e94d5c22\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/55f766e7a7857efeead30792f4646d10c693e819\"\u003e\u003ccode\u003e55f766e\u003c/code\u003e\u003c/a\u003e Simplify the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/69b4597a6e08600459bb925ebb4fabb166573784\"\u003e\u003ccode\u003e69b4597\u003c/code\u003e\u003c/a\u003e Use actions/checkout@v3\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/2924038559e7ea3ce52c0d968bda8022fcb58149\"\u003e\u003ccode\u003e2924038\u003c/code\u003e\u003c/a\u003e Add Ruby 3.1 to the test matrix\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/ce1af491a9b36eed4cdc38e8ea3c85743b804129\"\u003e\u003ccode\u003ece1af49\u003c/code\u003e\u003c/a\u003e Update the online demo link\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v5.2.1...v6.0.1\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=5.2.1\u0026new-version=6.0.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/railsbridge/bridge_troll/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/railsbridge/bridge_troll/pull/1286","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/railsbridge%2Fbridge_troll/issues/1286","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/1286/packages"}},{"old_version":"5.0.0","new_version":"5.2.3","update_type":"minor","path":null,"pr_created_at":"2021-02-08T14:58:23.000Z","version_change":"5.0.0 → 5.2.3","issue":{"uuid":"569535143","node_id":"MDExOlB1bGxSZXF1ZXN0NTY5NTM1MTQz","number":1,"state":"closed","title":"Bump sanitize from 5.0.0 to 5.2.3","user":"dependabot[bot]","labels":["dependencies"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2025-07-29T12:37:29.000Z","author_association":"NONE","state_reason":null,"created_at":"2021-02-08T14:58:23.000Z","updated_at":"2025-07-29T12:37:29.000Z","time_to_close":140996346,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"5.0.0","new_version":"5.2.3","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 5.0.0 to 5.2.3.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev5.2.3\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure protocol sanitization is applied to data attributes. [\u003ca href=\"https://github.com/ccutrer\"\u003e\u003ccode\u003e@ccutrer\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/207\"\u003e#207\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/207\"\u003e207\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev5.2.2\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eFixed a deprecation warning in Ruby 2.7+ when using keyword arguments in a custom transformer. [\u003ca href=\"https://github.com/mscrivo\"\u003e\u003ccode\u003e@mscrivo\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/206\"\u003e#206\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/206\"\u003e206\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev5.2.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an HTML sanitization bypass that could allow XSS. This issue affects Sanitize versions 3.0.0 through 5.2.0.\u003c/p\u003e\n\u003cp\u003eWhen HTML was sanitized using the \u0026quot;relaxed\u0026quot; config or a custom config that allows certain elements, some content in a \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element may not have beeen sanitized correctly even if \u003ccode\u003emath\u003c/code\u003e and \u003ccode\u003esvg\u003c/code\u003e were not in the allowlist. This could allow carefully crafted input to sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eYou are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML elements:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eiframe\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emath\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoembed\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoframes\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoscript\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eplaintext\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003escript\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003estyle\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esvg\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003exmp\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eSee the security advisory for more details, including a workaround if you're not able to upgrade: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m\"\u003eGHSA-p4x4-rw2p-8j8m\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eMany thanks to Michał Bentkowski of Securitum for reporting this issue and helping to verify the fix.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev5.2.0\u003c/h2\u003e\n\u003ch3\u003eChanges\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eThe term \u0026quot;whitelist\u0026quot; has been replaced with \u0026quot;allowlist\u0026quot; throughout Sanitize's source and documentation.\u003c/p\u003e\n\u003cp\u003eWhile the etymology of \u0026quot;whitelist\u0026quot; may not be explicitly racist in origin or intent, there are inherent racial connotations in the implication that white is good and black (as in \u0026quot;blacklist\u0026quot;) is not.\u003c/p\u003e\n\u003cp\u003eThis is a change I should have made long ago, and I apologize for not making it sooner.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eIn transformer input, the \u003ccode\u003e:is_whitelisted\u003c/code\u003e and \u003ccode\u003e:node_whitelist\u003c/code\u003e keys are now deprecated. New \u003ccode\u003e:is_allowlisted\u003c/code\u003e and \u003ccode\u003e:node_allowlist\u003c/code\u003e keys have been added. The old keys will continue to work in order to avoid breaking existing code, but they are no longer documented and may be removed in a future semver major release.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/HISTORY.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e5.2.3 (2021-01-11)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure protocol sanitization is applied to data attributes.\n[\u003ca href=\"https://github.com/ccutrer\"\u003e\u003ccode\u003e@ccutrer\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/207\"\u003e#207\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/207\"\u003e207\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e5.2.2 (2021-01-06)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eFixed a deprecation warning in Ruby 2.7+ when using keyword arguments in a\ncustom transformer. [\u003ca href=\"https://github.com/mscrivo\"\u003e\u003ccode\u003e@mscrivo\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/206\"\u003e#206\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/206\"\u003e206\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e5.2.1 (2020-06-16)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an HTML sanitization bypass that could allow XSS. This issue affects\nSanitize versions 3.0.0 through 5.2.0.\u003c/p\u003e\n\u003cp\u003eWhen HTML was sanitized using the \u0026quot;relaxed\u0026quot; config or a custom config that\nallows certain elements, some content in a \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element may not\nhave beeen sanitized correctly even if \u003ccode\u003emath\u003c/code\u003e and \u003ccode\u003esvg\u003c/code\u003e were not in the\nallowlist. This could allow carefully crafted input to sneak arbitrary HTML\nthrough Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eYou are likely to be vulnerable to this issue if you use Sanitize's relaxed\nconfig or a custom config that allows one or more of the following HTML\nelements:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eiframe\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emath\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoembed\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoframes\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoscript\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eplaintext\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003escript\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003estyle\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esvg\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003exmp\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eSee the security advisory for more details, including a workaround if you're\nnot able to upgrade: [GHSA-p4x4-rw2p-8j8m]\u003c/p\u003e\n\u003cp\u003eMany thanks to Michał Bentkowski of Securitum for reporting this issue and\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/9b8b55b6b90895a232f4243eaf5a4e6454136e20\"\u003e\u003ccode\u003e9b8b55b\u003c/code\u003e\u003c/a\u003e Release 5.2.3\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/eaaaa9d1dd3714c8467b9169edf2ecd1e2a3e277\"\u003e\u003ccode\u003eeaaaa9d\u003c/code\u003e\u003c/a\u003e Clarify comments\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/fac1a2ea3750630d5cb482b9c19fdac703356580\"\u003e\u003ccode\u003efac1a2e\u003c/code\u003e\u003c/a\u003e ensure protocol processing happens on data attributes\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/4f6858ff9f6e3e7ed6d0fba85a2a8fd1d37594df\"\u003e\u003ccode\u003e4f6858f\u003c/code\u003e\u003c/a\u003e Link the Tests badge to the workflow page\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/1c661dc15ad5872f07988e5aced68c68a328c099\"\u003e\u003ccode\u003e1c661dc\u003c/code\u003e\u003c/a\u003e Remove Travis\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/cd68389b041405e47bc5c400ea5c0c63cd5786da\"\u003e\u003ccode\u003ecd68389\u003c/code\u003e\u003c/a\u003e Add GitHub Actions workflow\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/4ea3d8ec48563f19c0927153ae1217fd9aa3d962\"\u003e\u003ccode\u003e4ea3d8e\u003c/code\u003e\u003c/a\u003e Release 5.2.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7a7dd3ed42145de137cee2c987d1667ce428837f\"\u003e\u003ccode\u003e7a7dd3e\u003c/code\u003e\u003c/a\u003e Add Ruby 3.0 to the Travis matrix.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/361cc0515aea77de9905140f6fc2546812b5dc05\"\u003e\u003ccode\u003e361cc05\u003c/code\u003e\u003c/a\u003e Fix warning in Ruby 2.7+\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/b032474dbc5a567e41c12d8481e8d4265b51588e\"\u003e\u003ccode\u003eb032474\u003c/code\u003e\u003c/a\u003e Merge branch 'ajmalmsali-patch-1'\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v5.0.0...v5.2.3\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=5.0.0\u0026new-version=5.2.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language\n- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language\n- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language\n- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language\n\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/uklibraries/jester/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/uklibraries/jester/pull/1","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/uklibraries%2Fjester/issues/1","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/1/packages"}},{"old_version":"5.0.0","new_version":"5.2.3","update_type":"minor","path":null,"pr_created_at":"2021-01-21T21:46:37.000Z","version_change":"5.0.0 → 5.2.3","issue":{"uuid":"791516882","node_id":"MDExOlB1bGxSZXF1ZXN0NTU5NTYyNTA3","number":33,"state":"closed","title":"Bump sanitize from 5.0.0 to 5.2.3","user":"dependabot[bot]","labels":["dependencies"],"assignees":[],"locked":false,"comments_count":1,"pull_request":true,"closed_at":"2026-04-01T21:28:07.000Z","author_association":null,"state_reason":null,"created_at":"2021-01-21T21:46:37.000Z","updated_at":"2026-04-01T21:28:10.000Z","time_to_close":163813290,"merged_at":null,"merged_by":null,"closed_by":null,"dependency_metadata":{"prefix":"Bump","packages":[{"name":"sanitize","old_version":"5.0.0","new_version":"5.2.3","repository_url":"https://github.com/rgrove/sanitize"}],"path":null,"ecosystem":"rubygems"},"body":"Bumps [sanitize](https://github.com/rgrove/sanitize) from 5.0.0 to 5.2.3.\n\u003cdetails\u003e\n\u003csummary\u003eRelease notes\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/releases\"\u003esanitize's releases\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003ev5.2.3\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure protocol sanitization is applied to data attributes. [\u003ca href=\"https://github.com/ccutrer\"\u003e\u003ccode\u003e@ccutrer\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/207\"\u003e#207\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/207\"\u003e207\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev5.2.2\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eFixed a deprecation warning in Ruby 2.7+ when using keyword arguments in a custom transformer. [\u003ca href=\"https://github.com/mscrivo\"\u003e\u003ccode\u003e@mscrivo\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/206\"\u003e#206\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/206\"\u003e206\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev5.2.1\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an HTML sanitization bypass that could allow XSS. This issue affects Sanitize versions 3.0.0 through 5.2.0.\u003c/p\u003e\n\u003cp\u003eWhen HTML was sanitized using the \u0026quot;relaxed\u0026quot; config or a custom config that allows certain elements, some content in a \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element may not have beeen sanitized correctly even if \u003ccode\u003emath\u003c/code\u003e and \u003ccode\u003esvg\u003c/code\u003e were not in the allowlist. This could allow carefully crafted input to sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eYou are likely to be vulnerable to this issue if you use Sanitize's relaxed config or a custom config that allows one or more of the following HTML elements:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eiframe\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emath\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoembed\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoframes\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoscript\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eplaintext\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003escript\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003estyle\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esvg\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003exmp\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eSee the security advisory for more details, including a workaround if you're not able to upgrade: \u003ca href=\"https://github.com/rgrove/sanitize/security/advisories/GHSA-p4x4-rw2p-8j8m\"\u003eGHSA-p4x4-rw2p-8j8m\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eMany thanks to Michał Bentkowski of Securitum for reporting this issue and helping to verify the fix.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003ev5.2.0\u003c/h2\u003e\n\u003ch3\u003eChanges\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eThe term \u0026quot;whitelist\u0026quot; has been replaced with \u0026quot;allowlist\u0026quot; throughout Sanitize's source and documentation.\u003c/p\u003e\n\u003cp\u003eWhile the etymology of \u0026quot;whitelist\u0026quot; may not be explicitly racist in origin or intent, there are inherent racial connotations in the implication that white is good and black (as in \u0026quot;blacklist\u0026quot;) is not.\u003c/p\u003e\n\u003cp\u003eThis is a change I should have made long ago, and I apologize for not making it sooner.\u003c/p\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp\u003eIn transformer input, the \u003ccode\u003e:is_whitelisted\u003c/code\u003e and \u003ccode\u003e:node_whitelist\u003c/code\u003e keys are now deprecated. New \u003ccode\u003e:is_allowlisted\u003c/code\u003e and \u003ccode\u003e:node_allowlist\u003c/code\u003e keys have been added. The old keys will continue to work in order to avoid breaking existing code, but they are no longer documented and may be removed in a future semver major release.\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eChangelog\u003c/summary\u003e\n\u003cp\u003e\u003cem\u003eSourced from \u003ca href=\"https://github.com/rgrove/sanitize/blob/main/HISTORY.md\"\u003esanitize's changelog\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cblockquote\u003e\n\u003ch2\u003e5.2.3 (2021-01-11)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eEnsure protocol sanitization is applied to data attributes.\n[\u003ca href=\"https://github.com/ccutrer\"\u003e\u003ccode\u003e@ccutrer\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/207\"\u003e#207\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/207\"\u003e207\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e5.2.2 (2021-01-06)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003eFixed a deprecation warning in Ruby 2.7+ when using keyword arguments in a\ncustom transformer. [\u003ca href=\"https://github.com/mscrivo\"\u003e\u003ccode\u003e@mscrivo\u003c/code\u003e\u003c/a\u003e - \u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/issues/206\"\u003e#206\u003c/a\u003e]\u003ca href=\"https://github-redirect.dependabot.com/rgrove/sanitize/pull/206\"\u003e206\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2\u003e5.2.1 (2020-06-16)\u003c/h2\u003e\n\u003ch3\u003eBug Fixes\u003c/h3\u003e\n\u003cul\u003e\n\u003cli\u003e\n\u003cp\u003eFixed an HTML sanitization bypass that could allow XSS. This issue affects\nSanitize versions 3.0.0 through 5.2.0.\u003c/p\u003e\n\u003cp\u003eWhen HTML was sanitized using the \u0026quot;relaxed\u0026quot; config or a custom config that\nallows certain elements, some content in a \u003ccode\u003e\u0026lt;math\u0026gt;\u003c/code\u003e or \u003ccode\u003e\u0026lt;svg\u0026gt;\u003c/code\u003e element may not\nhave beeen sanitized correctly even if \u003ccode\u003emath\u003c/code\u003e and \u003ccode\u003esvg\u003c/code\u003e were not in the\nallowlist. This could allow carefully crafted input to sneak arbitrary HTML\nthrough Sanitize, potentially enabling an XSS (cross-site scripting) attack.\u003c/p\u003e\n\u003cp\u003eYou are likely to be vulnerable to this issue if you use Sanitize's relaxed\nconfig or a custom config that allows one or more of the following HTML\nelements:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ccode\u003eiframe\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emath\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoembed\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoframes\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003enoscript\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eplaintext\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003escript\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003estyle\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003esvg\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003exmp\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eSee the security advisory for more details, including a workaround if you're\nnot able to upgrade: [GHSA-p4x4-rw2p-8j8m]\u003c/p\u003e\n\u003cp\u003eMany thanks to Michał Bentkowski of Securitum for reporting this issue and\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c!-- raw HTML omitted --\u003e\n\u003c/blockquote\u003e\n\u003cp\u003e... (truncated)\u003c/p\u003e\n\u003c/details\u003e\n\u003cdetails\u003e\n\u003csummary\u003eCommits\u003c/summary\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/9b8b55b6b90895a232f4243eaf5a4e6454136e20\"\u003e\u003ccode\u003e9b8b55b\u003c/code\u003e\u003c/a\u003e Release 5.2.3\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/eaaaa9d1dd3714c8467b9169edf2ecd1e2a3e277\"\u003e\u003ccode\u003eeaaaa9d\u003c/code\u003e\u003c/a\u003e Clarify comments\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/fac1a2ea3750630d5cb482b9c19fdac703356580\"\u003e\u003ccode\u003efac1a2e\u003c/code\u003e\u003c/a\u003e ensure protocol processing happens on data attributes\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/4f6858ff9f6e3e7ed6d0fba85a2a8fd1d37594df\"\u003e\u003ccode\u003e4f6858f\u003c/code\u003e\u003c/a\u003e Link the Tests badge to the workflow page\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/1c661dc15ad5872f07988e5aced68c68a328c099\"\u003e\u003ccode\u003e1c661dc\u003c/code\u003e\u003c/a\u003e Remove Travis\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/cd68389b041405e47bc5c400ea5c0c63cd5786da\"\u003e\u003ccode\u003ecd68389\u003c/code\u003e\u003c/a\u003e Add GitHub Actions workflow\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/4ea3d8ec48563f19c0927153ae1217fd9aa3d962\"\u003e\u003ccode\u003e4ea3d8e\u003c/code\u003e\u003c/a\u003e Release 5.2.2\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/7a7dd3ed42145de137cee2c987d1667ce428837f\"\u003e\u003ccode\u003e7a7dd3e\u003c/code\u003e\u003c/a\u003e Add Ruby 3.0 to the Travis matrix.\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/361cc0515aea77de9905140f6fc2546812b5dc05\"\u003e\u003ccode\u003e361cc05\u003c/code\u003e\u003c/a\u003e Fix warning in Ruby 2.7+\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/rgrove/sanitize/commit/b032474dbc5a567e41c12d8481e8d4265b51588e\"\u003e\u003ccode\u003eb032474\u003c/code\u003e\u003c/a\u003e Merge branch 'ajmalmsali-patch-1'\u003c/li\u003e\n\u003cli\u003eAdditional commits viewable in \u003ca href=\"https://github.com/rgrove/sanitize/compare/v5.0.0...v5.2.3\"\u003ecompare view\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/details\u003e\n\u003cbr /\u003e\n\n\n[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=sanitize\u0026package-manager=bundler\u0026previous-version=5.0.0\u0026new-version=5.2.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n\u003cdetails\u003e\n\u003csummary\u003eDependabot commands and options\u003c/summary\u003e\n\u003cbr /\u003e\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge and block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually\n- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)\n- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language\n- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language\n- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language\n- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language\n\nYou can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/upenn-libraries/sdbmss/network/alerts).\n\n\u003c/details\u003e","html_url":"https://github.com/upenn-libraries/sdbmss/pull/33","url":"https://dependabot.ecosyste.ms/api/v1/hosts/GitHub/repositories/upenn-libraries%2Fsdbmss/issues/33","packages_url":"https://dependabot.ecosyste.ms/api/v1/issues/33/packages"}}]}