Update dependency rails to v6.1.7.3 (main) - autoclosed

[mend-for-github-com]

This PR contains the following updates:

Package	Update	Change
rails (source, changelog)	patch	6.1.3.2 -> 6.1.7.3

By merging this PR, the issue #124 will be automatically resolved and closed:

Severity	CVSS Score	Vulnerability	Reachability
Medium	6.3	CVE-2023-23913

---

Release Notes

rails/rails (rails)

v6.1.7.3

Compare Source

Active Support

• Implement SafeBuffer#bytesplice

  [CVE-2023-28120]

Active Model

• No changes.

Active Record

• No changes.

Action View

• Ignore certain data-* attributes in rails-ujs when element is contenteditable

  [CVE-2023-23913]

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.7.2

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix domain: :all for two letter TLD

  This fixes a compatibility issue introduced in our previous security
  release when using domain: :all with a two letter but single level top
  level domain domain (like .ca, rather than .co.uk).

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.7.1

Compare Source

Active Support

• Avoid regex backtracking in Inflector.underscore

  [CVE-2023-22796]

Active Model

• No changes.

Active Record

• Make sanitize_as_sql_comment more strict

  Though this method was likely never meant to take user input, it was
  attempting sanitization. That sanitization could be bypassed with
  carefully crafted input.

  This commit makes the sanitization more robust by replacing any
  occurrances of "/" or "/" with "/ " or " /". It also performs a
  first pass to remove one surrounding comment to avoid compatibility
  issues for users relying on the existing removal.

  This also clarifies in the documentation of annotate that it should not
  be provided user input.

  [CVE-2023-22794]

• Added integer width check to PostgreSQL::Quoting

  Given a value outside the range for a 64bit signed integer type
  PostgreSQL will treat the column type as numeric. Comparing
  integer values against numeric values can result in a slow
  sequential scan.

  This behavior is configurable via
  ActiveRecord::Base.raise_int_wider_than_64bit which defaults to true.

  [CVE-2022-44566]

Action View

• No changes.

Action Pack

• Avoid regex backtracking on If-None-Match header

  [CVE-2023-22795]

• Use string#split instead of regex for domain parts

  [CVE-2023-22792]

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.7

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• Symbol is allowed by default for YAML columns

  Étienne Barrié

• Fix ActiveRecord::Store to serialize as a regular Hash

  Previously it would serialize as an ActiveSupport::HashWithIndifferentAccess
  which is wasteful and cause problem with YAML safe_load.

  Jean Boussier

• Fix PG.connect keyword arguments deprecation warning on ruby 2.7

  Fixes #​44307.

  Nikita Vasilevsky

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• Respect Active Record's primary_key_type in Active Storage migrations. Backported from 7.0.

  fatkodima

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.6.1: 6.1.6.1

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• Change ActiveRecord::Coders::YAMLColumn default to safe_load

  This adds two new configuration options The configuration options are as
  follows:

  • config.active_storage.use_yaml_unsafe_load

  When set to true, this configuration option tells Rails to use the old
  "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
  the possible escalation vulnerability in place. Setting this option to true
  is not recommended, but can aid in upgrading.

  • config.active_record.yaml_column_permitted_classes

  The "safe YAML" loading method does not allow all classes to be deserialized
  by default. This option allows you to specify classes deemed "safe" in your
  application. For example, if your application uses Symbol and Time in
  serialized data, you can add Symbol and Time to the allowed list as follows:

  config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
  

  [CVE-2022-32224]

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.6: 6.1.6

Compare Source

Active Support

• Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

  Add the method ERB::Util.xml_name_escape to escape dangerous characters
  in names of tags and names of attributes, following the specification of XML.

  Álvaro Martín Fraguas

Active Model

• No changes.

Active Record

• No changes.

Action View

• Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

  Escape dangerous characters in names of tags and names of attributes in the
  tag helpers, following the XML specification. Rename the option
  :escape_attributes to :escape, to simplify by applying the option to the
  whole tag.

  Álvaro Martín Fraguas

Action Pack

• Allow Content Security Policy DSL to generate for API responses.

  Tim Wade

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.5.1: 6.1.5.1

Compare Source

Active Support

• Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

  Add the method ERB::Util.xml_name_escape to escape dangerous characters
  in names of tags and names of attributes, following the specification of XML.

  Álvaro Martín Fraguas

Active Model

• No changes.

Active Record

• No changes.

Action View

• Fix and add protections for XSS in ActionView::Helpers and ERB::Util.

  Escape dangerous characters in names of tags and names of attributes in the
  tag helpers, following the XML specification. Rename the option
  :escape_attributes to :escape, to simplify by applying the option to the
  whole tag.

  Álvaro Martín Fraguas

Action Pack

• Allow Content Security Policy DSL to generate for API responses.

  Tim Wade

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Railties

• No changes.

v6.1.5: 6.1.5

Compare Source

Active Support

• Fix ActiveSupport::Duration.build to support negative values.

  The algorithm to collect the parts of the ActiveSupport::Duration
  ignored the sign of the value and accumulated incorrect part values. This
  impacted ActiveSupport::Duration#sum (which is dependent on parts) but
  not ActiveSupport::Duration#eql? (which is dependent on value).

  Caleb Buxton, Braden Staudacher

• Time#change and methods that call it (eg. Time#advance) will now
  return a Time with the timezone argument provided, if the caller was
  initialized with a timezone argument.

  Fixes #​42467.

  Alex Ghiculescu

• Clone to keep extended Logger methods for tagged logger.

  Orhan Toy

• assert_changes works on including ActiveSupport::Assertions module.

  Pedro Medeiros

Active Model

• Clear secure password cache if password is set to nil

  Before:

  user.password = 'something'
  user.password = nil

  user.password # => 'something'

  Now:

  user.password = 'something'
  user.password = nil

  user.password # => nil

  Markus Doits

• Fix delegation in ActiveModel::Type::Registry#lookup and ActiveModel::Type.lookup

  Passing a last positional argument {} would be incorrectly considered as keyword argument.

  Benoit Daloze

• Fix to_json after changes_applied for ActiveModel::Dirty object.

  Ryuta Kamizono

Active Record

• Fix ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate for Ruby 2.6.

  Ruby 2.6 and 2.7 have slightly different implementations of the String#@​- method.
  In Ruby 2.6, the receiver of the String#@​- method is modified under certain circumstances.
  This was later identified as a bug (https://bugs.ruby-lang.org/issues/15926) and only
  fixed in Ruby 2.7.

  Before the changes in this commit, the
  ActiveRecord::ConnectionAdapters::SchemaCache#deep_deduplicate method, which internally
  calls the String#@​- method, could also modify an input string argument in Ruby 2.6 --
  changing a tainted, unfrozen string into a tainted, frozen string.

  Fixes #​43056

  Eric O'Hanlon

• Fix migration compatibility to create SQLite references/belongs_to column as integer when
  migration version is 6.0.

  reference/belongs_to in migrations with version 6.0 were creating columns as
  bigint instead of integer for the SQLite Adapter.

  Marcelo Lauxen

• Fix dbconsole for 3-tier config.

  Eileen M. Uchitelle

• Better handle SQL queries with invalid encoding.

  Post.create(name: "broken \xC8 UTF-8")

  Would cause all adapters to fail in a non controlled way in the code
  responsible to detect write queries.

  The query is now properly passed to the database connection, which might or might
  not be able to handle it, but will either succeed or failed in a more correct way.

  Jean Boussier

• Ignore persisted in-memory records when merging target lists.

  Kevin Sjöberg

• Fix regression bug that caused ignoring additional conditions for preloading
  has_many through relations.

  Fixes #​43132

  Alexander Pauly

• Fix ActiveRecord::InternalMetadata to not be broken by
  config.active_record.record_timestamps = false

  Since the model always create the timestamp columns, it has to set them, otherwise it breaks
  various DB management tasks.

  Fixes #​42983

  Jean Boussier

• Fix duplicate active record objects on inverse_of.

  Justin Carvalho

• Fix duplicate objects stored in has many association after save.

  Fixes #​42549.

  Alex Ghiculescu

• Fix performance regression in CollectionAssocation#build.

  Alex Ghiculescu

• Fix retrieving default value for text column for MariaDB.

  fatkodima

Action View

• preload_link_tag properly inserts as attributes for files with image MIME
  types, such as JPG or SVG.

  Nate Berkopec

• Add autocomplete="off" to all generated hidden fields.

  Fixes #​42610.

  Ryan Baumann

• Fix current_page? when URL has trailing slash.

  This fixes the current_page? helper when the given URL has a trailing slash,
  and is an absolute URL or also has query params.

  Fixes #​33956.

  Jonathan Hefner

Action Pack

• Fix content_security_policy returning invalid directives.

  Directives such as self, unsafe-eval and few others were not
  single quoted when the directive was the result of calling a lambda
  returning an array.

  content_security_policy do |policy|
    policy.frame_ancestors lambda { [:self, "https://example.com"] }
  end

  With this fix the policy generated from above will now be valid.

  Edouard Chin

• Update HostAuthorization middleware to render debug info only
  when config.consider_all_requests_local is set to true.

  Also, blocked host info is always logged with level error.

  Fixes #​42813.

  Nikita Vyrko

• Dup arrays that get "converted".

  Fixes #​43681.

  Aaron Patterson

• Don't show deprecation warning for equal paths.

  Anton Rieder

• Fix crash in ActionController::Instrumentation with invalid HTTP formats.

  Fixes #​43094.

  Alex Ghiculescu

• Add fallback host for SystemTestCase driven by RackTest.

  Fixes #​42780.

  Petrik de Heus

• Add more detail about what hosts are allowed.

  Alex Ghiculescu

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• The Action Cable client now ensures successful channel subscriptions:

  • The client maintains a set of pending subscriptions until either
    the server confirms the subscription or the channel is torn down.
  • Rectifies the race condition where an unsubscribe is rapidly followed
    by a subscribe (on the same channel identifier) and the requests are
    handled out of order by the ActionCable server, thereby ignoring the
    subscribe command.

  Daniel Spinosa

• Truncate broadcast logging messages.

  J Smith

Active Storage

• Attachments can be deleted after their association is no longer defined.

  Fixes #​42514

  Don Sisco

Action Mailbox

• Add attachments to the list of permitted parameters for inbound emails conductor.

  When using the conductor to test inbound emails with attachments, this prevents an
  unpermitted parameter warning in default configurations, and prevents errors for
  applications that set:

  config.action_controller.action_on_unpermitted_parameters = :raise

  David Jones, Dana Henke

Action Text

• Fix Action Text extra trix content wrapper.

  Alexandre Ruban

Railties

• In zeitwerk mode, setup the once autoloader first, and the main autoloader after it.
  This order plays better with shared namespaces.

  Xavier Noria

• Handle paths with spaces when editing credentials.

  Alex Ghiculescu

• Support Psych 4 when loading secrets.

  Nat Morcos

v6.1.4.7: 6.1.4.7

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• Added image transformation validation via configurable allow-list.

  Variant now offers a configurable allow-list for
  transformation methods in addition to a configurable deny-list for arguments.

  [CVE-2022-21831]

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.4.6: 6.1.4.6

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix Reloader method signature to work with the new Executor signature

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.4.5: 6.1.4.5

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Under certain circumstances, the middleware isn't informed that the
  response body has been fully closed which result in request state not
  being fully reset before the next request

  [CVE-2022-23633]

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.4.4: 6.1.4.4

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix issue with host protection not allowing host with port in development.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.4.3: 6.1.4.3

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• Allow localhost with a port by default in development

  [Fixes: #​43864]

v6.1.4.2: 6.1.4.2

Compare Source

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Fix X_FORWARDED_HOST protection. [CVE-2021-44528]

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Action Mailbox

• No changes.

Action Text

• No changes.

Railties

• No changes.

v6.1.4.1

Compare Source

v6.1.4: 6.1.4

Compare Source

Active Support

• MemCacheStore: convert any underlying value (including false) to an Entry.

  See #​42559.

  Alex Ghiculescu

• Fix bug in number_with_precision when using large BigDecimal values.

  Fixes #​42302.

  Federico Aldunate, Zachary Scott

• Check byte size instead of length on secure_compare.

  Tietew

• Fix Time.at to not lose :in option.

  Ryuta Kamizono

• Require a path for config.cache_store = :file_store.

  Alex Ghiculescu

• Avoid having to store complex object in the default translation file.

  Rafael Mendonça França

Active Model

• Fix to_json for ActiveModel::Dirty object.

  Exclude +mutations_from_database+ attribute from json as it lead to recursion.

  Anil Maurya

Active Record

• Do not try to rollback transactions that failed due to a ActiveRecord::TransactionRollbackError.

  Jamie McCarthy

• Raise an error if pool_config is nil in set_pool_config.

  Eileen M. Uchitelle

• Fix compatibility with psych >= 4.

  Starting in Psych 4.0.0 YAML.load behaves like YAML.safe_load. To preserve compatibility
  Active Record's schema cache loader and YAMLColumn now uses YAML.unsafe_load if available.

  Jean Boussier

• Support using replicas when using rails dbconsole.

  Christopher Thornton

• Restore connection pools after transactional tests.

  Eugene Kenny

• Change upsert_all to fails cleanly for MySQL when :unique_by is used.

  Bastian Bartmann

• Fix user-defined self.default_scope to respect table alias.

  Ryuta Kamizono

• Clear @cache_keys cache after update_all, delete_all, destroy_all.

  Ryuta Kamizono

• Changed Arel predications contains and overlaps to use
  quoted_node so that PostgreSQL arrays are quoted properly.

  Bradley Priest

• Fix merge when the where clauses have string contents.

  Ryuta Kamizono

• Fix rollback of parent destruction with nested dependent: :destroy.

  Jacopo Beschi

• Fix binds logging for "WHERE ... IN ..." statements.

  Ricardo Díaz

• Handle false in relation strict loading checks.

  Previously when a model had strict loading set to true and then had a
  relation set strict_loading to false the false wasn't considered when
  deciding whether to raise/warn about strict loading.

  class Dog < ActiveRecord::Base
    self.strict_loading_by_default = true
  
    has_many :treats, strict_loading: false
  end
  

  In the example, dog.treats would still raise even though
  strict_loading was set to false. This is a bug effecting more than
  Active Storage which is why I made this PR superceeding #​41461. We need
  to fix this for all applications since the behavior is a little
  surprising. I took the test from ##​41461 and the code suggestion from #​41453
  with some additions.

  Eileen M. Uchitelle, Radamés Roriz

• Fix numericality validator without precision.

  Ryuta Kamizono

• Fix aggregate attribute on Enum types.

  Ryuta Kamizono

• Fix CREATE INDEX statement generation for PostgreSQL.

  eltongo

• Fix where clause on enum attribute when providing array of strings.

  Ryuta Kamizono

• Fix unprepared_statement to work it when nesting.

  Ryuta Kamizono

Action View

• The translate helper now passes default values that aren't
  translation keys through I18n.translate for interpolation.

  Jonathan Hefner

• Don't attach UJS form submission handlers to Turbo forms.

  David Heinemeier Hansson

• Allow both current_page?(url_hash) and current_page?(**url_hash) on Ruby 2.7.

  Ryuta Kamizono

Action Pack

• Ignore file fixtures on db:fixtures:load

  Kevin Sjöberg

• Fix ActionController::Live controller test deadlocks by removing the body buffer size limit for tests.

  Dylan Thacker-Smith

• Correctly place optional path parameter booleans.

  Previously, if you specify a url parameter that is part of the path as false it would include that part
  of the path as parameter for example:

  get "(/optional/:optional_id)/things" => "foo#foo", as: :things
  things_path(optional_id: false) # => /things?optional_id=false
  

  After this change, true and false will be treated the same when used as optional path parameters. Meaning now:

  get '(this/:my_bool)/that' as: :that
  
  that_path(my_bool: true) # => `/this/true/that`
  that_path(my_bool: false) # => `/this/false/that`
  

  Adam Hess

• Add support for 'private, no-store' Cache-Control headers.

  Previously, 'no-store' was exclusive; no other directives could be specified.

  Alex Smith

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• Fix ArgumentError with ruby 3.0 on RemoteConnection#disconnect.

  Vladislav

Active Storage

• The parameters sent to ffmpeg for generating a video preview image are now
  configurable under config.active_storage.video_preview_arguments.

  Brendon Muir

• Fix Active Storage update task when running in an engine.

  Justin Malčić*

• Don't raise an error if the mime type is not recognized.

  Fixes #​41777.

  Alex Ghiculescu

• ActiveStorage::PreviewError is raised when a previewer is unable to generate a preview image.

  Alex Robbin

• respond with 404 given invalid variation key when asking for representations.

  George Claghorn

• Blob creation shouldn't crash if no service selected.

  Alex Ghiculescu

Action Mailbox

• No changes.

Action Text

• Always render attachment partials as HTML with :html format inside trix editor.

  James Brooks

Railties

• Fix compatibility with psych >= 4.

  Starting in Psych 4.0.0 YAML.load behaves like YAML.safe_load. To preserve compatibility
  Rails.application.config_for now uses YAML.unsafe_load if available.

  Jean Boussier

• Ensure Rails.application.config_for always cast hashes to ActiveSupport::OrderedOptions.

  Jean Boussier

• Fix create migration generator with --pretend option.

  euxx

---

• If you want to rebase/retry this PR, check this box

[mend-for-github-com]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock

/opt/containerbase/tools/bundler/2.1.4/3.4.5/gems/bundler-2.1.4/lib/bundler/vendor/thor/lib/thor/error.rb:105:in '<class:Thor>': uninitialized constant DidYouMean::SPELL_CHECKERS (NameError)

    DidYouMean::SPELL_CHECKERS.merge!(
              ^^^^^^^^^^^^^^^^
Did you mean?  DidYouMean::SpellChecker
	from /opt/containerbase/tools/bundler/2.1.4/3.4.5/gems/bundler-2.1.4/lib/bundler/vendor/thor/lib/thor/error.rb:1:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.1.4/3.4.5/gems/bundler-2.1.4/lib/bundler/vendor/thor/lib/thor/base.rb:3:in 'Kernel#require_relative'
	from /opt/containerbase/tools/bundler/2.1.4/3.4.5/gems/bundler-2.1.4/lib/bundler/vendor/thor/lib/thor/base.rb:3:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.1.4/3.4.5/gems/bundler-2.1.4/lib/bundler/vendor/thor/lib/thor.rb:2:in 'Kernel#require_relative'
	from /opt/containerbase/tools/bundler/2.1.4/3.4.5/gems/bundler-2.1.4/lib/bundler/vendor/thor/lib/thor.rb:2:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.1.4/3.4.5/gems/bundler-2.1.4/lib/bundler/vendored_thor.rb:8:in 'Kernel#require_relative'
	from /opt/containerbase/tools/bundler/2.1.4/3.4.5/gems/bundler-2.1.4/lib/bundler/vendored_thor.rb:8:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.1.4/3.4.5/gems/bundler-2.1.4/lib/bundler/friendly_errors.rb:3:in 'Kernel#require_relative'
	from /opt/containerbase/tools/bundler/2.1.4/3.4.5/gems/bundler-2.1.4/lib/bundler/friendly_errors.rb:3:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.1.4/3.4.5/gems/bundler-2.1.4/exe/bundle:29:in 'Kernel#require_relative'
	from /opt/containerbase/tools/bundler/2.1.4/3.4.5/gems/bundler-2.1.4/exe/bundle:29:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.1.4/3.4.5/gems/bundler-2.1.4/exe/bundler:4:in 'Kernel#load'
	from /opt/containerbase/tools/bundler/2.1.4/3.4.5/gems/bundler-2.1.4/exe/bundler:4:in '<top (required)>'
	from /opt/containerbase/tools/bundler/2.1.4/3.4.5/bin/bundler:25:in 'Kernel#load'
	from /opt/containerbase/tools/bundler/2.1.4/3.4.5/bin/bundler:25:in '<main>'