Skip to content

Update dependency sinatra to '~> 2.2.0' [SECURITY]#132

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/rubygems-sinatra-vulnerability
Open

Update dependency sinatra to '~> 2.2.0' [SECURITY]#132
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/rubygems-sinatra-vulnerability

Conversation

@renovate
Copy link

@renovate renovate bot commented May 15, 2022
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Update Change
sinatra minor '~> 2.1.0' -> '~> 2.2.0'

GitHub Vulnerability Alerts

CVE-2022-29970

Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.

CVE-2022-45442

Description

An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input.

References

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate
Copy link
Author

renovate bot commented May 15, 2022

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Gemfile.lock
Installing legacy tool bundler v1.16.6
Successfully installed bundler-1.16.6
1 gem installed
Bundler version 1.16.6
ruby 2.7.6p219 (2022-04-12 revision c9c2245c0a) [x86_64-linux]
Could not find gem 'undefined'.

@renovate renovate bot changed the title Update dependency sinatra to ~> 2.2.0 [SECURITY] Update dependency sinatra to '~> 2.2.0' [SECURITY] Sep 25, 2022
@renovate
Copy link
Author

renovate bot commented Mar 23, 2023
edited
Loading

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@renovate-bot