Update dependency rack to v3
This MR contains the following updates:
Package | Update | Change |
---|---|---|
rack (changelog) | major | `'~> 2.2.9'` -> `'~> 3.1.0'` |
MR created with the help of gitlab-org/frontend/renovate-gitlab-bot
Release Notes
rack/rack (rack)
v3.1.8
Fixed
- Resolve deprecation warnings about `URI::DEFAULT_PARSER`. (#2249, @earlopain)
v3.1.7
Fixed
- Do not remove escaped opening/closing quotes for content-disposition filenames. (#2229, @jeremyevans)
- Fix encoding setting for non-binary IO-like objects in `MockRequest#env_for`. (#2227, @jeremyevans)
- `Rack::Response` should not generate an invalid `content-length` header. (#2219, @ioquatix)
- Allow empty `PATH_INFO`. (#2214, @ioquatix)
v3.1.6
Fixed
- Fix several edge cases in `Rack::Request#parse_http_accept_header`'s implementation. (#2226, @ioquatix)
v3.1.5
Security
- Fix potential ReDoS attack in `Rack::Request#parse_http_accept_header`. (GHSA-cj83-2ww7-mvq7, @dwisiswant0)
v3.1.4
Fixed
- Fix `Rack::Lint` matching some paths incorrectly as authority form. (#2220, @ioquatix)
v3.1.3
Fixed
- Fix passing non-strings to `Rack::Utils.escape_html`. (#2202, @earlopain)
- `Rack::MockResponse` gracefully handles empty cookies. (#2203, @wynksaiddestroy)
v3.1.2
- `Rack::Response` will take into consideration chunked encoding responses. (#2204, @tenderlove)
v3.1.1
- Oops! I shouldn't have shipped that
v3.1.0
Rack v3.1 is primarily a maintenance release that removes features deprecated in Rack v3.0. Alongside these removals, there are several improvements to the Rack SPEC, mainly focused on enhancing input and output handling. These changes aim to make Rack more efficient and align better with the requirements of server implementations and relevant HTTP specifications.
SPEC Changes
- `rack.input` is now optional. (#1997, #2018, @ioquatix)
- `PATH_INFO` is now validated according to the HTTP/1.1 specification. (#2117, #2181, @ioquatix)
- `OPTIONS *` is now accepted. (#2114, @doriantaylor)
- Introduce optional `rack.protocol` request and response header for handling connection upgrades. (#1954, @ioquatix)
Added
- Introduce `Rack::Multipart::MissingInputError` for improved handling of missing input in `#parse_multipart`. (#2018, @ioquatix)
- Introduce `module Rack::BadRequest`, which is included in multipart and query parser errors. (#2019, @ioquatix)
- Add `.mjs` MIME type. (#2057, @axilleas)
- `set_cookie_header` utility now supports the `partitioned` cookie attribute. This is required by Chrome in some embedded contexts. (#2131, @flavio-b)
- Introduce `rack.early_hints` for sending `103 Early Hints` informational responses. (#1831, @casperisfine, @jeremyevans)
Changed
- MIME type for JavaScript files (`.js`) changed from `application/javascript` to `text/javascript`. (1bd0f15, @ioquatix)
- Update MIME types associated to `.ttf`, `.woff`, `.woff2` and `.otf` extensions to use modern `font/*` types. (#2065, @davidstosik)
- `Rack::Utils.escape_html` is now delegated to `CGI.escapeHTML`. `'` is escaped to `&#39;` instead of `&#x27;` (decimal vs hexadecimal). (#2099, @JunichiIto)
- Clarify use of `@buffered` and only update `content-length` when `Rack::Response#finish` is invoked. (#2149, @ioquatix)
Deprecated
- Deprecate automatic cache invalidation in `Request#{GET,POST}`. (#2073, @jeremyevans)
- Only cookie keys that are not valid according to the HTTP specifications are escaped. We are planning to deprecate this behaviour, so now a deprecation message will be emitted in this case. In the future, invalid cookie keys may not be accepted. (#2191, @ioquatix)
- `Rack::Logger` is deprecated. (#2197, @ioquatix)
- Add fallback lookup and deprecation warning for obsolete status symbols. (#2137, @wtn)
- Deprecate `Rack::Request#values_at`, use `request.params.values_at` instead. (#2183, @ioquatix)
Removed
- Remove deprecated `Rack::Auth::Digest` with no replacement. (#1966, @ioquatix)
- Remove deprecated `Rack::Cascade::NotFound` with no replacement. (#1966, @ioquatix)
- Remove deprecated `Rack::Chunked` with no replacement. (#1966, @ioquatix)
- Remove deprecated `Rack::File`, use `Rack::Files` instead. (#1966, @ioquatix)
- Remove deprecated `Rack::QueryParser` `key_space_limit` parameter with no replacement. (#1966, @ioquatix)
- Remove deprecated `Rack::Response#header`, use `Rack::Response#headers` instead. (#1966, @ioquatix)
- Remove deprecated cookie methods from `Rack::Utils`: `add_cookie_to_header`, `make_delete_cookie_header`, `add_remove_cookie_to_header`. (#1966, @ioquatix)
- Remove deprecated `Rack::Utils::HeaderHash`. (#1966, @ioquatix)
- Remove deprecated `Rack::VERSION`, `Rack::VERSION_STRING`, `Rack.version`, use `Rack.release` instead. (#1966, @ioquatix)
- Remove non-standard status codes 306, 509, & 510 and update descriptions for 413, 422, & 451. (#2137, @wtn)
- Remove any dependency on `transfer-encoding: chunked`. (#2195, @ioquatix)
- Remove deprecated `Rack::Request#[]`, use `request.params[key]` instead. (#2183, @ioquatix)
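Because this MR bumps rack across a major version, a reviewer will want to confirm the application no longer references the APIs the v3.1.0 notes list as removed or deprecated. The Ruby script below is an added example, not code from the Rack project or this MR; it scans constructed sample source lines for those identifiers and reports the replacement the changelog names. The identifier table and the receiver names in the regexes (`response`, `request`) are assumptions about how such call sites typically look.

```ruby
# Added example, not Rack's own code: audit source for APIs the Rack 3.1
# changelog lists as removed. Identifier table and regexes are assumptions
# about how such call sites typically look in an application.
RACK_31_REMOVALS = { # identifier => replacement named in the changelog (nil = none)
  "Rack::Auth::Digest"          => nil,
  "Rack::Cascade::NotFound"     => nil,
  "Rack::Chunked"               => nil,
  "Rack::File"                  => "Rack::Files",
  "Rack::Utils::HeaderHash"     => nil,
  "Rack::VERSION_STRING"        => "Rack.release",
  "Rack::VERSION"               => "Rack.release",
  "Rack.version"                => "Rack.release",
  "add_cookie_to_header"        => nil,
  "make_delete_cookie_header"   => nil,
  "add_remove_cookie_to_header" => nil,
  "key_space_limit"             => nil,
}.freeze
RACK_31_PATTERNS = { # method-style removals; receiver variable names are assumed
  /\bresponse\.header\b(?!s)/ => "Rack::Response#header, use #headers",
  /\brequest\[[^\]]+\]/       => "Rack::Request#[], use request.params[key]",
  /\brequest\.values_at\b/    => "Rack::Request#values_at, use request.params.values_at",
}.freeze

# Scan source lines; returns [[line_no, finding, replacement_or_nil], ...].
def audit_rack_31(lines)
  findings = []
  lines.each_with_index do |line, i|
    RACK_31_REMOVALS.each do |name, replacement|
      # Negative lookahead so Rack::File does not also flag Rack::Files.
      next unless line.match?(/#{Regexp.escape(name)}(?![A-Za-z0-9_])/)
      findings << [i + 1, name, replacement]
    end
    RACK_31_PATTERNS.each { |re, note| findings << [i + 1, note, nil] if line.match?(re) }
  end
  findings
end

# Constructed sample source: lines 2, 4, 5 and 6 should be flagged.
SAMPLE_SOURCE = [
  'use Rack::Files, "public"',
  'use Rack::File, "public"',
  'response.headers["x-id"] = "1"',
  'response.header["x-id"] = "1"',
  'name = request["name"]',
  'h = Rack::Utils::HeaderHash.new',
].freeze

def sample_findings
  audit_rack_31(SAMPLE_SOURCE)
end
```

Run it against `File.readlines` of each Ruby file in the app instead of `SAMPLE_SOURCE` to get a per-file list before merging this MR.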
Fixed
v3.0.11
- Backport #2062 to 3-0-stable: Do not allow `BodyProxy` to respond to `to_str`, make `to_ary` call `close`. (#2062, @jeremyevans)
v3.0.10
- Backport #2104 to 3-0-stable: Return empty when parsing a multi-part POST with only one end delimiter. (#2164, @JoeDupuis)
v3.0.9.1
Security
- CVE-2024-26146 Fixed ReDoS in Accept header parsing
- CVE-2024-25126 Fixed ReDoS in Content Type header parsing
- CVE-2024-26141 Reject Range headers which are too large
v3.0.9
Security
- CVE-2024-26146 Fixed ReDoS in Accept header parsing
- CVE-2024-25126 Fixed ReDoS in Content Type header parsing
- CVE-2024-26141 Reject Range headers which are too large
v3.0.8
- Fix some unused variable verbose warnings. (#2084, @jeremyevans, @skipkayhil)
v3.0.7
- Make query parameters without `=` have `nil` values. (#2059, @jeremyevans)
v3.0.6.1
Security
- [CVE-2023-27539] Avoid ReDoS in header parsing
v3.0.6
Security
- [CVE-2023-27539] Avoid ReDoS in header parsing
v3.0.5
- Split form/query parsing into two steps. (#2038, @matthewd)
v3.0.4.2
Security
- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
v3.0.4.1
Security
- [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
- [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
- [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)
v3.0.4
Security
- [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts
v3.0.3
Fixed
- `Rack::URLMap` uses non-deprecated form of `Regexp.new`. (#1998, @weizheheng)
v3.0.2
Fixed
- `Utils.build_nested_query` URL-encodes nested field names including the square brackets.
- Allow `Rack::Response` to pass through streaming bodies. (#1993, @ioquatix)
v3.0.1
- Backport #2062 to 3-0-stable: Do not allow `BodyProxy` to respond to `to_str`, make `to_ary` call `close`. (#2062, @jeremyevans)
v3.0.0
- No changes
Configuration
- [ ] If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.