🚨 [security] Update sinatra 4.0.0 → 4.1.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ sinatra (4.0.0 → 4.1.0) · Repo · Changelog

Security Advisories 🚨

🚨 Sinatra vulnerable to Reliance on Untrusted Inputs in a Security Decision

Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.

Commits

See the full diff on Github. The new version differs by 26 commits:

• 4.1.0 release (#2063)
• Add `HostAuthorization` rack-protection middleware (#2053)
• Return an instance of `Sinatra::IndifferentHash` when calling `#except` (#2044)
• Address `URI` depreciation (#2060)
• CI: don't test falcon on Ruby 2.7
• Remove WEBrick
• CI: unset `RUBYOPT` for JRuby jobs
• Support Zeitwerk 2.7.0+ (#2050)
• Revert "CI: document the `console` gem issue"
• CI: document the `console` gem issue
• CI: run tests on the old rackup for now
• CI: use latest (available) rubygems for 3.1
• Fix `Sinatra::HamlHelpers` docs (#2046)
• CI: Avoid Zeitwerk 2.7.0+ for testes, for now (#2048)
• Fix compatibility with `--enable-frozen-string-literal` (#2033)
• Declare missing dependencies for Ruby 3.5 (#2032)
• Fix warning about Hash construction. (#2028)
• CI: use Rack 3.1 (stable) for most jobs
• Don't delete `content-length` header when `Rack::Files` is used
• Don't depend on `Rack::Logger`
• Adjust `CookieTossing` spec for Rack 3.1+
• CI: allow JRuby to fail, can be flaky
• CI: run against both Rack 3.0 and Rack 3.1
• Fix typos in changelog, readme and code comments (#2006)
• README: the minimal example needs `rackup` (#2009)
• CI: allow `truffleruby` to fail (#2008)

↗️ mustermann (indirect, 3.0.0 → 3.0.3) · Repo

Commits

See the full diff on Github. The new version differs by 24 commits:

• Prepare for v3.0.3
• Add benchmark for parser object
• Fix performance issue for Mustermann::AST::Translator#escape (#142)
• CI: remove Coveralls
• Fix release date in README
• Prepare for v3.0.2
• CI: tweak job name
• CI: use the correct ENV 🤦‍♀️
• CI: install gems
• CI: avoid caching gems
• CI: sinatra 4.x require Ruby >= 2.7
• Test against prev, current and next Sinatra release
• Use rfc2396 parser (#139)
• No need to build gems twice in the release workflow
• Need to use `bundle exec` in release workflow
• Prepare for v3.0.1
• Add description to rake tasks
• CI: use `actions/checkout@v4`
• README: Mustermann does not depend on tool
• Merge pull request #138 from hsbt/fix-uri-default-parser-change
• Use URI::RFC2396_Parser#regex explicitly.
• CI: add Ruby 3.3 and JRuby 9.4
• Merge pull request #136 from petergoldstein/feature/add_ruby_3_2_to_ci
• Adds Ruby 3.2 to the CI matrix.

↗️ rack-protection (indirect, 4.0.0 → 4.1.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 26 commits:

• 4.1.0 release (#2063)
• Add `HostAuthorization` rack-protection middleware (#2053)
• Return an instance of `Sinatra::IndifferentHash` when calling `#except` (#2044)
• Address `URI` depreciation (#2060)
• CI: don't test falcon on Ruby 2.7
• Remove WEBrick
• CI: unset `RUBYOPT` for JRuby jobs
• Support Zeitwerk 2.7.0+ (#2050)
• Revert "CI: document the `console` gem issue"
• CI: document the `console` gem issue
• CI: run tests on the old rackup for now
• CI: use latest (available) rubygems for 3.1
• Fix `Sinatra::HamlHelpers` docs (#2046)
• CI: Avoid Zeitwerk 2.7.0+ for testes, for now (#2048)
• Fix compatibility with `--enable-frozen-string-literal` (#2033)
• Declare missing dependencies for Ruby 3.5 (#2032)
• Fix warning about Hash construction. (#2028)
• CI: use Rack 3.1 (stable) for most jobs
• Don't delete `content-length` header when `Rack::Files` is used
• Don't depend on `Rack::Logger`
• Adjust `CookieTossing` spec for Rack 3.1+
• CI: allow JRuby to fail, can be flaky
• CI: run against both Rack 3.0 and Rack 3.1
• Fix typos in changelog, readme and code comments (#2006)
• README: the minimal example needs `rackup` (#2009)
• CI: allow `truffleruby` to fail (#2008)

↗️ tilt (indirect, 2.3.0 → 2.4.0) · Repo · Changelog

Release Notes

2.4.0 (from changelog)

• Support commonmarker 1.0+ API (unasuke) (#10)
• Make etanni template work with frozen string literals (jeremyevans)
• Deprecate erubis, wikicloth, and maruku templates as they require modifying frozen string literals (jeremyevans)
• Make SassTemplate ignore unsupported options when using sass-embedded (jeremyevans)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 15 commits:

• Bump version to 2.4.0
• Add nocov markings around old commonmarker template
• Adjust CI gemfile to fix issues
• Fix ScssTemplate#sass_options when using sass-embedded
• Make SassTemplate ignore unsupported options when using sass-embedded
• Don't test Maruku in CI on JRuby 9.2
• Simplify prawn test checking now that checked_describe can take multiple arguments
• Remove modification of string literals in tests
• Deprecate erubis, wikicloth, and maruku templates as they require modifying string literals
• Make etanni template work with frozen string literals
• Update CHANGELOG
• Support Commonmarker v1 api
• Limit markaby version to < 0.9.1 in CI on Ruby <2.7
• Limit commonmarker in CI to < 1
• Add Ruby 3.3 to CI and bump actions/checkout to v4

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)