Sourced from rack's changelog.

Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

Unreleased

Note: There are many unreleased changes in Rack (master is around 300 commits ahead of 2-0-stable), and below is not an exhaustive list. If you would like to help out and document some of the unreleased changes, PRs are welcome.

Added

Changed

• Use Time#httpdate format for Expires, as proposed by RFC 7231. (@​nanaya)
• Make Utils.status_code raise an error when the status symbol is invalid instead of 500.
• Rename Request::SCHEME_WHITELIST to Request::ALLOWED_SCHEMES.
• Make Multipart::Parser.get_filename accept files with + in their name.
• Add Falcon to the default handler fallbacks. (@​ioquatix)
• Update codebase to avoid string mutations in preparation for frozen_string_literals. (@​pat)
• Change MockRequest#env_for to rely on the input optionally responding to #size instead of #length. (@​janko)
• Rename Rack::File -> Rack::Files and add deprecation notice. (@​postmodern).

Removed

Documentation

• Update broken example in Session::Abstract::ID documentation. (tonytonyjan)
• Add Padrino to the list of frameworks implmenting Rack. (@​wikimatze)
• Remove Mongrel from the suggested server options in the help output. (@​tricknotes)
• Replace HISTORY.md and NEWS.md with CHANGELOG.md. (@​twitnithegirl)
• Backfill CHANGELOG.md from 2.0.1 to 2.0.7 releases. (@​drenmi)

[2.0.7] - 2019-04-02

Fixed

• Remove calls to #eof? on Rack input in Multipart::Parser, as this breaks the specification. (@​matthewd)
• Preserve forwarded IP addresses for trusted proxy chains. (@​SamSaffron)

[2.0.6] - 2018-11-05

Fixed

• [CVE-2018-16470] Reduce buffer size of Multipart::Parser to avoid pathological parsing. (@​tenderlove)
• Fix a call to a non-existing method #accepts_html in the ShowExceptions middleware. (@​tomelm)
• [CVE-2018-16471] Whitelist HTTP and HTTPS schemes in Request#scheme to prevent a possible XSS attack. (@​PatrickTulskie)

• e7ee459 Bumping version
• f1a79b2 Introduce a new base class to avoid breaking when upgrading
• 5b1cab6 Add a version prefix to the private id to make easier to migrate old values
• 1e96e0f Fallback to the public id when reading the session in the pool adapter
• 3ba123d Also drop the session with the public id when destroying sessions
• 6a04bbf Fallback to the legacy id when the new id is not found
• dc45a06 Add the private id
• 73a5f79 revert conditionals to master
• 4e32262 remove NullSession
• 1c7e3b2 remove || raise and get closer to master
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from redcarpet's releases.

Redcarpet v3.5.1

Fix a security vulnerability using :quote in combination with the :escape_html option.

Reported by Johan Smits.

v3.5.0

This release mostly ships with bug fixes and tiny improvements.

Improvements

• Avoid mutating the options hash passed to a render object (See #663).

• Automatically enable the fenced_code_blocks option passing a HTML_TOC object to the Markdown object's constructor since some languages rely on the sharp to comment code (See #451).

• Remove the rel and rev attributes from the output generated for footnotes as they don't pass the HTML 5 validation (See #536).

• Allow passing Range objects to the nesting_level option to have a higher level of customization for table of contents (See #519):

  Redcarpet::Render::HTML_TOC.new(nesting_level: 2..5)
  

Bug fixes

• Fix a segfault rendering quotes using StripDown and the :quote option.

• Fix SmartyPants single quotes right after a link. For example:

  [John](http://john.doe)'s cat
  

  Will now properly converts ' to a right single quote (i.e. ’).

Sourced from redcarpet's changelog.

Version 3.5.1 (Security)

• Fix a security vulnerability using :quote in combination with the :escape_html option.

  Reported by Johan Smits.

Version 3.5.0

• Avoid mutating the options hash passed to a render object.

  Refs #663.

  Max Schwenk

• Fix a segfault rendering quotes using StripDown and the :quote option.

  Fixes #639.

• Fix warning: instance variable @options not initialized when running under verbose mode (-w, $VERBOSE = true).

• Fix SmartyPants single quotes right after a link. For example:

  [John](http://john.doe)'s cat
  

  Will now properly converts ' to a right single quote (i.e. ’).

  Fixes #624.

• Remove the rel and rev attributes from the output generated for footnotes as they don't pass the HTML 5 validation.

  Fixes #536.

• Automatically enable the fenced_code_blocks option passing a HTML_TOC object to the Markdown object's constructor since some languages rely on the sharp to comment code.

  Fixes #451.

• Allow passing Range objects to the nesting_level option to have a higher level of customization for table of contents:

  Redcarpet::Render::HTML_TOC.new(nesting_level: 2..5)
  

... (truncated)

• a699c82 Fix a security issue using :quote with :escape_html
• 6270d6b Redcarpet v3.5.0
• 94f6e27 Tiny follow-up to #663
• 3100f65 Merge pull request #663 from maschwenk/dont-mutate-options
• fc52d9c Add regression test
• 03e7997 Don't mutated passed options
• 92a7b3a Fix a segfault with StripDown and the :quote option
• 7352162 Merge pull request #649 from rbalint/master
• e23383e Merge pull request #650 from kolen/fix-warning-options-not-initialized
• 6b86656 Fix "instance variable @options not initialized" warning
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from tzinfo's releases.

v1.2.10

• Fixed a relative path traversal bug that could cause arbitrary files to be loaded with require when used with RubyDataSource. Please refer to https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx for details. CVE-2022-31163.
• Ignore the SECURITY file from Arch Linux's tzdata package. #134.

TZInfo v1.2.10 on RubyGems.org

v1.2.9

• Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

TZInfo v1.2.9 on RubyGems.org

v1.2.8

• Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
• Rubinius is no longer supported.

TZInfo v1.2.8 on RubyGems.org

v1.2.7

• Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
• Fixed warnings when running on Ruby 2.8. #112.

TZInfo v1.2.7 on RubyGems.org

v1.2.6

• Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.
• Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
• Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.
• Fixed warnings when running on Ruby 2.7. #106 and #111.

TZInfo v1.2.6 on RubyGems.org

Sourced from tzinfo's changelog.

Version 1.2.10 - 19-Jul-2022

• Fixed a relative path traversal bug that could cause arbitrary files to be loaded with require when used with RubyDataSource. Please refer to https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx for details. CVE-2022-31163.
• Ignore the SECURITY file from Arch Linux's tzdata package. #134.

Version 1.2.9 - 16-Dec-2020

• Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

Version 1.2.8 - 8-Nov-2020

• Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
• Rubinius is no longer supported.

Version 1.2.7 - 2-Apr-2020

• Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
• Fixed warnings when running on Ruby 2.8. #112.

Version 1.2.6 - 24-Dec-2019

• Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.
• Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
• Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.
• Fixed warnings when running on Ruby 2.7. #106 and #111.

• 0814dcd Fix the release date.
• fd05e2a Preparing v1.2.10.
• b98c32e Merge branch 'fix-directory-traversal-1.2' into 1.2
• ac3ee68 Remove unnecessary escaping of + within regex character classes.
• 9d49bf9 Fix relative path loading tests.
• 394c381 Remove private_constant for consistency and compatibility.
• 5e9f990 Exclude Arch Linux's SECURITY file from the time zone index.
• 17fc9e1 Workaround for 'Permission denied - NUL' errors with JRuby on Windows.
• 6bd7a51 Update copyright years.
• 9905ca9 Fix directory traversal in Timezone.get when using Ruby data source
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from cocoapods-downloader's releases.

1.6.3

Enhancements

• None.

Bug Fixes

• None.

1.6.2

Enhancements

• None.

Bug Fixes

• None.

1.6.1

Enhancements

• None.

Bug Fixes

• None.

1.6.0

Enhancements

• None.

Bug Fixes

• Adds a check for command injections in the input for hg and git.
  orta #124

1.5.1

Enhancements

• None.

Bug Fixes

• Fix "can't modify frozen string" errors when pods are integrated using the branch option
  buju77 #10920

1.5.0

... (truncated)

Sourced from cocoapods-downloader's changelog.

1.6.3 (2022-04-01)

Enhancements

• None.

Bug Fixes

• None.

1.6.2 (2022-03-28)

Enhancements

• None.

Bug Fixes

• None.

1.6.1 (2022-03-23)

Enhancements

• None.

Bug Fixes

• None.

1.6.0 (2022-03-22)

Enhancements

• None.

Bug Fixes

• Adds a check for command injections in the input for hg and git.
  orta #124

1.5.1 (2021-09-07)

Enhancements

• None.

... (truncated)

• c03e2ed Release 1.6.3
• f75bccc Disable Bazaar tests due to macOS 12.3 not including python2
• 52a0d54 Merge pull request #128 from CocoaPods/validate_before_dl
• d27c983 Ensure that the git pre-processor doesn't accidentally bail also
• 3adfe1f [CHANGELOG] Add empty Master section
• 591167a Release 1.6.2
• d2564c3 Merge pull request #127 from CocoaPods/validate_before_dl
• 99fec61 Switches where we check for invalid input, to move it inside the download fun...
• 96679f2 [CHANGELOG] Add empty Master section
• 3a7c54b Release 1.6.1
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Sourced from rack's changelog.

Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

[3.0.0] - Unreleased

Changed

• BREAKING CHANGE: Require status to be an Integer. (#1662, @olleolleolle)
• Relax validations around Rack::Request#host and Rack::Request#hostname. (#1606, @pvande)
• Removed antiquated handlers: FCGI, LSWS, SCGI, Thin. (#1658, @ioquatix)
• Removed options from Rack::Builder.parse_file and Rack::Builder.load_file. (#1663, @ioquatix)

Fixed

• Fix using Rack::Session::Cookie with coder: Rack::Session::Cookie::Base64::{JSON,Zip}. (#1666, @jeremyevans)
• Avoid NoMethodError when accessing Rack::Session::Cookie without requiring delegate first. (#1610, @onigra)
• Handle cookies with values that end in '=' (#1645, @lukaso)

[2.2.2] - 2020-02-11

Fixed

• Fix incorrect Rack::Request#host value. (#1591, @ioquatix)
• Revert Rack::Handler::Thin implementation. (#1583, @jeremyevans)
• Double assignment is still needed to prevent an "unused variable" warning. (#1589, @kamipo)
• Fix to handle same_site option for session pool. (#1587, @kamipo)

[2.2.1] - 2020-02-09

Fixed

• Rework Rack::Request#ip to handle empty forwarded_for. (#1577, @ioquatix)

[2.2.0] - 2020-02-08

SPEC Changes

• rack.session request environment entry must respond to to_hash and return unfrozen Hash. (@jeremyevans)
• Request environment cannot be frozen. (@jeremyevans)
• CGI values in the request environment with non-ASCII characters must use ASCII-8BIT encoding. (@jeremyevans)
• Improve SPEC/lint relating to SERVER_NAME, SERVER_PORT and HTTP_HOST. (#1561, @ioquatix)

Added

• rackup supports multiple -r options and will require all arguments. (@jeremyevans)
• Server supports an array of paths to require for the :require option. (@khotta)
• Files supports multipart range requests. (@fatkodima)
• Multipart::UploadedFile supports an IO-like object instead of using the filesystem, using :filename and :io options. (@jeremyevans)
• Multipart::UploadedFile supports keyword arguments :path, :content_type, and :binary in addition to positional arguments. (@jeremyevans)

• 1741c58 bump version
• 5ccca47 When parsing cookies, only decode the values
• a5e80f0 Bump version.
• b0de37d Remove trailing whitespace.
• 1a784e5 Prepare CHANGELOG for next patch release.
• a0d57d4 Fix to handle same_site option for session pool
• a9b223b Ensure full match. Fixes #1590.
• f4c5645 Double assignment is still needed to prevent an "unused variable" warning
• 5c121dd Revert "Update Thin handler to better handle more options"
• 961d976 Prepare point release.
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.