Skip to content

๐Ÿšจ [security] Update html-proofer: 3.14.1 โ†’ 5.0.7 (major)#81

Closed
depfu[bot] wants to merge 1 commit intomasterfrom
depfu/update/html-proofer-5.0.7
Closed

๐Ÿšจ [security] Update html-proofer: 3.14.1 โ†’ 5.0.7 (major)#81
depfu[bot] wants to merge 1 commit intomasterfrom
depfu/update/html-proofer-5.0.7

Conversation

@depfu
Copy link
Copy Markdown

@depfu depfu bot commented Apr 25, 2023

Welcome to Depfu ๐Ÿ‘‹

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

๐Ÿšจ Your current dependencies have known security vulnerabilities ๐Ÿšจ

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

โœณ๏ธ html-proofer (3.14.1 โ†’ 5.0.7) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ addressable (indirect, 2.7.0 โ†’ 2.8.4) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ Regular Expression Denial of Service in Addressable templates

Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption,
leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input,
but nonetheless, no previous security advisory for Addressable has cautioned against doing this.
Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.

Release Notes

2.8.4 (from changelog)

  • Restore Addressable::IDNA.unicode_normalize_kc as a deprecated method (#504)

2.8.3 (from changelog)

  • Fix template expand level 2 hash support for non-string objects (#499, #498)

2.8.2 (from changelog)

  • Improve cache hits and JIT friendliness (#486)
  • Improve code style and test coverage (#482)
  • Ensure reset of deferred validation (#481)
  • Resolve normalization differences between IDNA::Native and IDNA::Pure (#408, #492)
  • Remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438) (accidentally reverted by #449 merge but added back in #492)

2.8.1 (from changelog)

  • refactor Addressable::URI.normalize_path to address linter offenses (#430)
  • remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438)
  • update gemspec to reflect supported Ruby versions (#466, #464, #463)
  • compatibility w/ public_suffix 5.x (#466, #465, #460)
  • fixes "invalid byte sequence in UTF-8" exception when unencoding URLs containing non UTF-8 characters (#459)
  • Ractor compatibility (#449)
  • use the whole string instead of a single line for template match (#431)
  • force UTF-8 encoding only if needed (#341)

2.8.0 (from changelog)

  • fixes ReDoS vulnerability in Addressable::Template#match
  • no longer replaces + with spaces in queries for non-http(s) schemes
  • fixed encoding ipv6 literals
  • the :compacted flag for normalized_query now dedupes parameters
  • fix broken escape_component alias
  • dropping support for Ruby 2.0 and 2.1
  • adding Ruby 3.0 compatibility for development tasks
  • drop support for rack-mount and remove Addressable::Template#generate
  • performance improvements
  • switch CI/CD to GitHub Actions

Does any of this look wrong? Please let us know.

โ†—๏ธ ethon (indirect, 0.12.0 โ†’ 0.16.0) ยท Repo ยท Changelog

Release Notes

0.15.0 (from changelog)

Full Changelog

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ ffi (indirect, 1.11.2 โ†’ 1.15.5) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ mini_portile2 (indirect, 2.4.0 โ†’ 2.8.1) ยท Repo ยท Changelog

Release Notes

2.8.1

2.8.1 / 2022-12-24

Fixed

  • Support applying patches via git apply even when the working directory resembles a git directory. [#119] (Thanks, @h0tw1r3!)

2.8.0

2.8.0 / 2022-02-20

Added

  • Support xz-compressed archives (recognized by an .xz file extension).
  • When downloading a source archive, default open_timeout and read_timeout to 10 seconds, but allow configuration via open_timeout and read_timeout config parameters.

2.7.1

2.7.1 / 2021-10-20

Packaging

A test artifact that has been included in the gem was being flagged by some users' security scanners because it wasn't a real tarball. That artifact has been updated to be a real tarball. [#108]

2.7.0

2.7.0 / 2021-08-31

Added

The commands used for "make", "compile", and "cmake" are configurable via keyword arguments. [#107] (Thanks, @cosmo0920!)

2.6.1

2.6.1 / 2021-05-31

Dependencies

Make net-ftp an optional dependency, since requiring it as a hard dependency in v2.5.2 caused warnings to be emitted by Ruby 2.7 and earlier. A warning message is emitted if FTP functionality is called and net-ftp isn't available; this should only happen in Ruby 3.1 and later.

2.6.0

2.6.0 / 2021-05-31

Added

Recipes may build against a local directory by specifying source_directory instead of files. In
particular, this may be useful for debugging problems with the upstream dependency (e.g., use git bisect in a local clone) or for continuous integration with upstream HEAD.

2.5.3

2.5.3 / 2021-05-31

Make net-ftp an optional dependency, since requiring it as a hard dependency in v2.5.2 caused warnings to be emitted by Ruby 2.7 and earlier. A warning message is emitted if FTP functionality is called and net-ftp isn't available; this should only happen in Ruby 3.1 and later.

2.5.2

2.5.2 / 2021-05-28

Dependencies

Add net-ftp as an explicit dependency to accommodate the upcoming Ruby 3.1 changes that move this and other gems out of the "default" gem set and into the "bundled" gem set. See https://bugs.ruby-lang.org/issues/17873 [#101]

2.5.1

2.5.1 / 2021-04-28

Dependencies

This release ends support for ruby < 2.3.0. If you're on 2.2.x or earlier, we strongly suggest that you find the time to upgrade, because official support for Ruby 2.2 ended on 2018-03-31.

Enhancements

  • MiniPortile.execute now takes an optional :env hash, which is merged into the environment variables for the subprocess. Likely this is only useful for specialized use cases. [#99]
  • Experimental support for cmake-based projects extended to Windows. (Thanks, @larskanis!)

2.5.0

2.5.0 / 2020-02-24

Enhancements

  • When verifying GPG signatures, remove all imported pubkeys from keyring [#90] (Thanks, @hanazuki!)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ nokogiri (indirect, 1.10.5 โ†’ 1.14.3) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ Update packaged libxml2 to v2.10.4 to resolve multiple CVEs

Summary

Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to
v2.10.4 from v2.10.3.

libxml2 v2.10.4 addresses the following known vulnerabilities:

  • CVE-2023-29469: Hashing of
    empty dict strings isn't deterministic
  • CVE-2023-28484: Fix null deref
    in xmlSchemaFixupComplexType
  • Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3,
and only if the packaged libraries are being used. If you've overridden defaults at installation
time to use system libraries instead of packaged libraries, you should instead pay attention to
your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.14.3.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against external libraries libxml2 >= 2.10.4 which will also address these
same issues.

Impact

No public information has yet been published about the security-related issues other than the
upstream commits. Examination of those changesets indicate that the more serious issues relate to
libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.

The commits can be examined at:

๐Ÿšจ Unchecked return value from xmlTextReaderExpand

Summary

Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.

For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

Mitigation

Upgrade to Nokogiri >= 1.13.10.

Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

Credit

This vulnerability was responsibly reported by @davidwilemski.

๐Ÿšจ Nokogiri contains libxml Out-of-bounds Write vulnerability

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

Nokogiri prior to version 1.11.4 used a vulnerable version of libxml2. Nokogiri 1.11.4 updated libxml2 to version 2.9.11 to address this and other vulnerabilities in libxml2.

๐Ÿšจ Improper Handling of Unexpected Data Type in Nokogiri

Summary

Nokogiri < v1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers.
For CRuby users, this may allow specially crafted untrusted inputs to cause illegal
memory access errors (segfault) or reads from unrelated memory.

Severity

The Nokogiri maintainers have evaluated this as High 8.2 (CVSS3.1).

Mitigation

CRuby users should upgrade to Nokogiri >= 1.13.6.

JRuby users are not affected.

Workarounds

To avoid this vulnerability in affected applications, ensure the untrusted input is a
String by calling #to_s or equivalent.

๐Ÿšจ Integer Overflow or Wraparound in libxml2 affects Nokogiri

Summary

Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from
v2.9.13 to v2.9.14.

libxml2 v2.9.14 addresses CVE-2022-29824.
This version also includes several security-related bug fixes for which CVEs were not created,
including a potential double-free, potential memory leaks, and integer-overflow.

Please note that this advisory only applies to the CRuby implementation of Nokogiri
< 1.13.5, and only if the packaged libraries are being used. If you've overridden
defaults at installation time to use system libraries instead of packaged libraries,
you should instead pay attention to your distro's libxml2 and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.5.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation:
compile and link Nokogiri against external libraries libxml2 >= 2.9.14 which will also
address these same issues.

Impact

libxml2 CVE-2022-29824

  • CVSS3 score:
  • Type: Denial of service, information disclosure
  • Description: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
  • Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a24

All versions of libml2 prior to v2.9.14 are affected.

Applications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service.

References

๐Ÿšจ Denial of Service (DoS) in Nokogiri on JRuby

Summary

Nokogiri v1.13.4 updates the vendored org.cyberneko.html library to
1.9.22.noko2 which addresses CVE-2022-24839.
That CVE is rated 7.5 (High Severity).

See GHSA-9849-p7jc-9rmv
for more information.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Impact

CVE-2022-24839 in nekohtml

  • Severity: High 7.5
  • Type: CWE-400 Uncontrolled Resource Consumption
  • Description: The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a
    java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup.
  • See also: GHSA-9849-p7jc-9rmv

๐Ÿšจ Inefficient Regular Expression Complexity in Nokogiri

Summary

Nokogiri < v1.13.4 contains an inefficient regular expression that is
susceptible to excessive backtracking when attempting to detect encoding
in HTML documents.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

๐Ÿšจ Out-of-bounds Write in zlib affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored zlib from 1.2.11
to 1.2.12, which addresses CVE-2018-25032.
That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.

Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.4, and only if the packaged version of zlib is being used.
Please see this document
for a complete description of which platform gems vendor zlib. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's zlib
release announcements.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2018-25032 in zlib

  • Severity: High
  • Type: CWE-787
    Out of bounds write
  • Description: zlib before 1.2.12 allows memory corruption when
    deflating (i.e., when compressing) if the input has many distant matches.

๐Ÿšจ XML Injection in Xerces Java affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored xerces:xercesImpl from 2.12.0 to
2.12.2, which addresses CVE-2022-23437.
That CVE is scored as CVSS 6.5 "Medium" on the NVD record.

Please note that this advisory only applies to the JRuby implementation
of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2022-23437 in xerces-J

  • Severity: Medium
  • Type: CWE-91 XML Injection (aka Blind XPath Injection)
  • Description: There's a vulnerability within the Apache Xerces Java
    (XercesJ) XML parser when handling specially crafted XML document payloads.
    This causes, the XercesJ XML parser to wait in an infinite loop, which may
    sometimes consume system resources for prolonged duration. This vulnerability
    is present within XercesJ version 2.12.1 and the previous versions.
  • See also: GHSA-h65f-jvqw-m9fj

๐Ÿšจ Update packaged libxml2 (2.9.12 โ†’ 2.9.13) and libxslt (1.1.34 โ†’ 1.1.35)

Summary

Nokogiri v1.13.2 upgrades two of its packaged dependencies:

  • vendored libxml2 from v2.9.12 to v2.9.13
  • vendored libxslt from v1.1.34 to v1.1.35

Those library versions address the following upstream CVEs:

Those library versions also address numerous other issues including performance
improvements, regression fixes, and bug fixes, as well as memory leaks and other
use-after-free issues that were not assigned CVEs.

Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's libxml2
and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated
mitigation: compile and link an older version Nokogiri against external libraries
libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.

Impact

Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c

All versions of libxslt prior to v1.1.35 are affected.

Applications using untrusted XSL stylesheets to transform XML are vulnerable to
a denial-of-service attack and should be upgraded immediately.

libxml2 CVE-2022-23308

The upstream commit and the explanation linked above indicate that an application
may be vulnerable to a denial of service, memory disclosure, or code execution if
it parses an untrusted document with parse options DTDVALID set to true, and NOENT
set to false.

An analysis of these parse options:

  • While NOENT is off by default for Document, DocumentFragment, Reader, and
    Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri
    v1.12.0 and later.
  • DTDVALID is an option that Nokogiri does not set for any operations, and so
    this CVE applies only to applications setting this option explicitly.

It seems reasonable to assume that any application explicitly setting the parse
option DTDVALID when parsing untrusted documents is vulnerable and should be
upgraded immediately.

๐Ÿšจ Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.0) for JRuby users. (This security advisory does not apply to CRuby users.)

Impact

In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default.

Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected:

  • Nokogiri::XML::SAX::Parser
  • Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser
  • Nokogiri::XML::SAX::PushParser
  • Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser

Mitigation

JRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier.

CRuby users are not affected.

๐Ÿšจ Update packaged dependency libxml2 from 2.9.10 to 2.9.12

Summary

Nokogiri v1.11.4 updates the vendored libxml2 from v2.9.10 to v2.9.12 which addresses:

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.11.4, and only if the packaged version of libxml2 is being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.11.4.

Impact

I've done a brief analysis of the published CVEs that are addressed in this upstream release. The libxml2 maintainers have not released a canonical set of CVEs, and so this list is pieced together from secondary sources and may be incomplete.

All information below is sourced from security.archlinux.org, which appears to have the most up-to-date information as of this analysis.

CVE-2019-20388

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2020-7595

This has been patched in Nokogiri since v1.10.8 (see #1992).

CVE-2020-24977

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3516

Verified that the fix commit first appears in v2.9.11. This vector does not exist within Nokogiri, which does not ship xmllint.

CVE-2021-3517

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3518

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3537

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3541

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4, however Nokogiri's default parse options prevent the attack from succeeding (it is necessary to opt into DTDLOAD which is off by default).

For more details supporting this analysis of this CVE, please visit #2233.

๐Ÿšจ Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability

Description

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema
are trusted by default, allowing external resources to be accessed over the
network, potentially enabling XXE or SSRF attacks.

This behavior is counter to
the security policy followed by Nokogiri maintainers, which is to treat all input
as untrusted by default whenever possible.

Please note that this security
fix was pushed into a new minor version, 1.11.x, rather than a patch release to
the 1.10.x branch, because it is a breaking change for some schemas and the risk
was assessed to be "Low Severity".

Affected Versions

Nokogiri <= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3

Mitigation

There are no known workarounds for affected versions. Upgrade to Nokogiri
1.11.0.rc4 or later.

If, after upgrading to 1.11.0.rc4 or later, you wish
to re-enable network access for resolution of external resources (i.e., return to
the previous behavior):

  1. Ensure the input is trusted. Do not enable this option
    for untrusted input.
  2. When invoking the Nokogiri::XML::Schema constructor,
    pass as the second parameter an instance of Nokogiri::XML::ParseOptions with the
    NONET flag turned off.

So if your previous code was:

# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network
# but in v1.11.0.rc4 and later, this call will disallow network access for external resources
schema = Nokogiri::XML::Schema.new(schema)

# in v1.11.0.rc4 and later, the following is equivalent to the code above

# (the second parameter is optional, and this demonstrates its default value)

schema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)

Then you can add the second parameter to indicate that the input is trusted by changing it to:

# in v1.11.0.rc3 and earlier, this would raise an ArgumentError
# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network
schema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)

๐Ÿšจ xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ rainbow (indirect, 3.0.0 โ†’ 3.1.1) ยท Repo ยท Changelog

Release Notes

3.1.1 (from changelog)

  • fix: Ensure files directive in gemspec adds all files

3.1.0 (from changelog)

  • Bad release: superseded by 3.1.1.
  • added cross_out aka strike
  • hexadecimal color names supported better, see #83
  • gemspec: list files using a Ruby expression, avoiding git

(2020-08-26 was the planned release date, but the real release date is reflected in the heading.)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 29 commits:

โ†—๏ธ typhoeus (indirect, 1.3.1 โ†’ 1.4.0) ยท Repo ยท Changelog

Release Notes

1.4.0 (from changelog)

Full Changelog

1 feature

  • Faraday adapter exceptions namespace compatibility with Faraday v1 (@iMacTia in #616)

3 Others

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 26 commits:

โ†—๏ธ yell (indirect, 2.2.0 โ†’ 2.2.2) ยท Repo

Sorry, we couldn't find anything useful about this release.

๐Ÿ†• Ascii85 (added, 1.1.0)

๐Ÿ†• afm (added, 0.2.2)

๐Ÿ†• async (added, 2.5.0)

๐Ÿ†• console (added, 1.16.2)

๐Ÿ†• fiber-local (added, 1.0.0)

๐Ÿ†• hashery (added, 2.1.2)

๐Ÿ†• io-event (added, 1.1.7)

๐Ÿ†• pdf-reader (added, 2.11.0)

๐Ÿ†• racc (added, 1.6.2)

๐Ÿ†• ruby-rc4 (added, 0.1.5)

๐Ÿ†• timers (added, 4.3.5)

๐Ÿ†• ttfunk (added, 1.7.0)

๐Ÿ†• zeitwerk (added, 2.6.7)

๐Ÿ—‘๏ธ parallel (removed)

๐Ÿ‘‰ No CI detected

You don't seem to have any Continuous Integration service set up!

Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.

This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:

* [Circle CI](https://circleci.com), [Semaphore ](https://semaphoreci.com) and [Github Actions](https://docs.github.com/actions) are all excellent options. * If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github. * If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you donโ€™t want it to run on every branch, you can whitelist branches starting with `depfu/`.

Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@โ€‹depfu rebase
Rebases against your default branch and redoes this update
@โ€‹depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@โ€‹depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@โ€‹depfu close
Closes this PR and deletes the branch
@โ€‹depfu reopen
Restores the branch and reopens this PR (if it's closed)
@โ€‹depfu pause
Ignores all future updates for this dependency and closes this PR
@โ€‹depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@โ€‹depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Apr 25, 2023
@depfu depfu bot requested a review from AnjaPrivat April 25, 2023 18:45
@depfu depfu bot mentioned this pull request Apr 25, 2023
Closed
@depfu
Copy link
Copy Markdown
Author

depfu bot commented Aug 13, 2023

Closed in favor of #85.

@depfu depfu bot closed this Aug 13, 2023
@depfu depfu bot deleted the depfu/update/html-proofer-5.0.7 branch August 13, 2023 23:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@AnjaPrivat AnjaPrivat Awaiting requested review from AnjaPrivat

Assignees

@AnjaPrivat AnjaPrivat

Labels

depfu

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@AnjaPrivat