🚨 [security] [ruby] Update octokit: 4.21.0 → 4.25.1 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ octokit (indirect, 4.21.0 → 4.25.1) · Repo · Changelog

Security Advisories 🚨

🚨 Octokit gem published with world-writable files

Impact

Versions 4.23.0
and 4.24.0 of the octokit gem
were published containing world-writeable files.

Specifically, the gem was packed
with files having their permissions set to -rw-rw-rw- (i.e. 0666) instead of rw-r--r--
(i.e. 0644). This means everyone who is not the owner (Group and Public) with access
to the instance where this release had been installed could modify the world-writable
files from this gem.

Malicious code already present and running on your machine,
separate from this package, could modify the gem’s files and change its behavior
during runtime.

Patches

• octokit 4.25.0

Workarounds

Users can use the previous version of the gem v4.22.0.
Alternatively, users can modify the file permissions manually until they are able
to upgrade to the latest version.

Release Notes

4.25.1

• Stop configuring Faraday's retry middleware twice (@Edouard-chin)
• Fix various Ruby warnings (e.g. missing parentheses) (@coryf)

4.25.0

✅ NOTE: This remediates A security advisory was published on versions 4.23.0 and 4.24.0 of this gem. You can read more about this in the published security advisory. ✅

DX Improvements

• Rubocop improvements by @timrogers in #1441
• Require multi-factor authentication to push new releases to RubyGems by @timrogers in #1443

CI Improvements

Updates all build scripts to be more durable and adds details on how to run a manual file integrity check by @nickfloyd in #1446

Housekeeping

• Drop support for Ruby 1.9.2 in Octokit::Client::Contents#create_contents by @timrogers in #1442

Full Changelog: v4.24.0...v4.25.0

4.24.0

Known issues

Note: This release fixes the issue around autoloading modules causing some modules to not load before use #1428

---

Code improvements

• #1354, #1426 Enabling Ruby's immutable ("frozen") string literals i.e. --enable-frozen-string-literal via @timrogers and @olleolleolle

---

CI Improvements

• Adds Code QL analysis to octokit.rb via @nickfloyd

---

Bug fixes

• #1428 Fixes module loading issue with autoloading (this reverts #1351 ) - more information here via @collinsauve. @waiting-for-dev, @etiennebarrie, @timrogers, and @nickfloyd

---

Full Changelog: v4.23.0...v4.24.0

4.23.0

Code improvements

• #1382 Correctly raise Octokit::TooManyRequests when hitting secondary rate limit via @jasonopslevel
• #1411 Adds support for Faraday v2 usage via @skryukov

---

CI Improvements

• #1395 Adds Ruby 3.1 to CI via @petergoldstein

---

Performance improvements

• #1351 Make clients autoload via @gmcgibbon

---

Bug fixes

• #1297 Escape label names with URL characters via @Fryguy
• #1375 Escape ref in archive_link via @max611
• #1117 & #1419 Ensures that any nil parameters being passed in will initialize with Octokit's defaults instead of nil via @akerl, @nickfloyd
• #1321 & #1415 Fixed total_count calculation when paginating results for check runs and check suites via @a2ikm, @matiasalbarello
• #1121 Fixes service status methods via @vierarb

---

Documentation

• #1414 replace git.io link in source docs via @wonda-tea-coffee
• #1412 Document how and when the SDK raises exceptions via @timrogers
• #1356 Fixes grammar and style via @nikoandpiko

---

Full Changelog: v4.22.0...v4.23.0

4.22.0

Deprecation Fix

• #1359 Fix Faraday deprecation warning @ybiquitous

Code Improvements

• #1336 Update regex for create ref @thepwagner
• #1350 Support pagination in compare api @mrpinsky

CI and dependency updates

• #1353 Add Ruby 3.0 support for CI builds @olleolleolle
• #1387 Update pry-byebug requirement @ashishkeshan

Documentation

• #1376 Update example README code with token filtering @bencolon
• #1381 Update organization migration documentation links @rzhade3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ faraday (indirect, 1.5.0 → 2.3.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ faraday-net_http (indirect, 1.0.1 → 2.0.3) · Repo · Changelog

Release Notes

2.0.3

What's Changed

• Add Errno::EALREADY to list of Net::HTTP exceptions by @iMacTia in #21

Full Changelog: v2.0.2...v2.0.3

2.0.2

What's Changed

• Add Ruby 3.1 to CI by @petergoldstein in #15
• Anchor Encoding references to avoid faraday-encoding conflicts by @nbibler in #18

New Contributors

• @petergoldstein made their first contribution in #15
• @nbibler made their first contribution in #18

Full Changelog: v2.0.1...v2.0.2

2.0.1

Fixes

• Add back support for Faraday 1.0

2.0.0

What's Changed

• Test on Ruby 3 by @tricknotes in #3
• Update gem to be compatible with Faraday 2.0 by @iMacTia in #9
• chore: Move development deps to Gemfile by @olleolleolle in #10
• refactor: CI: Inline scripts, cache gems by @olleolleolle in #11
• fix: gemspec metadata for changelog notes by @olleolleolle in #12
• Honor Content-Type charset by @xkwd in #13

New Contributors

• @tricknotes made their first contribution in #3
• @xkwd made their first contribution in #13

Full Changelog: v1.0.1...v2.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 18 commits:

• Version bump to 2.0.3
• Add `Errno::EALREADY` to list of Net::HTTP exceptions
• Fix incorrect customization block in README
• Version bump to 2.0.2
• Anchor Encoding references to avoid faraday-encoding conflicts (#18)
• Add Ruby 3.1 to CI (#15)
• Version bump to 2.0.1
• Make faraday a development dependency again.
• Bump Faraday and gem version to 2.0.
• Move documentation from Faraday website to README
• Version bump to 2.0.0.alpha-2
• Honor Content-Type charset (#13)
• fix: gemspec metadata for changelog notes
• refactor: CI: Inline scripts, cache gems
• chore: Move development deps to Gemfile
• Version bump to 2.0.0.alpha-1
• Update gem to be compatible with Faraday 2.0 (#9)
• Improve CI and test against Ruby 3 (#3)

↗️ public_suffix (indirect, 4.0.6 → 4.0.7) · Repo · Changelog

Release Notes

4.0.7 (from changelog)

Fixes

• Fixed YARD rake task (GH-179)

Changed

• Updated definitions.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 18 commits:

• Release 4.0.7
• Update year
• Update definitions
• Update data list (#186)
• Fixed YARD rake task
• Add release workflow
• Add Ruby 3.1 to CI (#185)
• Delete .travis.yml
• Replace Travis with GitHub Actions
• Format
• CI: Remove EOL versions
• Test with Ruby 3
• Disable Coverage
• Use instance_of? instead of comparing classes
• Create Dependabot config file (#178)
• Disable Lint/ConstantDefinitionInBlock in Rakefile
• Disable Lint/ConstantDefinitionInBlock in specs
• Add definitions section to README.md (#176)

↗️ ruby2_keywords (indirect, 0.0.4 → 0.0.5) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ sawyer (indirect, 0.8.2 → 0.9.2) · Repo

Release Notes

0.9.1

What's Changed

• Specify correct minimal Faraday version by @skryukov in #73

New Contributors

• @skryukov made their first contribution in #73

Full Changelog: v0.9.0...v0.9.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

• Release 0.9.2
• Version bump to 0.9.2
• Add `dig` and `fetch` to `Sawyer::Resource` (#74)
• Version bump to 0.9.1
• Specify correct minimal Faraday version (#73)
• Version bump to 0.9.0
• Enhance Faraday Support (#72)
• Allow closing underlying connection. (#67)

🗑️ faraday-em_http (removed)

🗑️ faraday-em_synchrony (removed)

🗑️ faraday-excon (removed)

🗑️ faraday-httpclient (removed)

🗑️ faraday-net_http_persistent (removed)

🗑️ faraday-patron (removed)

🗑️ multipart-post (removed)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)