build(deps): bump the bundler group across 1 directory with 5 updates

[dependabot]

Bumps the bundler group with 4 updates in the /src/email directory: puma, sinatra, google-protobuf and net-imap.

Updates puma from 6.4.0 to 6.4.3

Release notes

Sourced from puma's releases.

6.4.3

• Security
  • Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). (CVE-2024-45614/GHSA-9hf4-67fc-4vf4)

6.4.2

• Security
  • Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. (GHSA-c2f4-cvqm-65w2)

6.4.1

• Bugfixes

  • DSL#warn_if_in_single_mode - fixup when workers set via CLI (#3256)
  • Fix idle-timeout not working in cluster mode (#3235, #3228, #3282, #3283)
  • Fix worker 0 timing out during phased restart (#3225, #2786)
  • context_builder.rb - require openssl if verify_mode != 'none' (#3179)
  • Make puma cluster process suitable as PID 1 (#3255)
  • Improve Puma::NullIO consistency with real IO (#3276)
  • extconf.rb - fixup to detect openssl info in Ruby build (#3271, #3266)
  • MiniSSL.java - set serialVersionUID, fix RaiseException deprecation (#3270)
  • dsl.rb - fix warn_if_in_single_mode when WEB_CONCURRENCY is set (#3265, #3264)

• Maintenance

  • LOTS of test refactoring to make tests more stable and easier to write - thanks to @​MSP-Greg!
  • Fix bug in tests re: TestPuma::HOST4 (#3254)
  • Dockerfile for minimal repros: use Ruby 3.2, expect bundler installed (#3245)
  • fix define_method calls, use Symbol parameter instead of String (#3293)

• Docs

  • README.md - add the puma-acme plugin (#3301)
  • Remove --keep-file-descriptors flag from systemd docs (#3248)
  • Note symlink mechanism in restart documentation for hot restart (#3298)

Changelog

Sourced from puma's changelog.

6.4.3 / 2024-09-19

• Security
  • Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). (CVE-2024-45614/GHSA-9hf4-67fc-4vf4)

6.4.2 / 2024-01-08

• Security
  • Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. (GHSA-c2f4-cvqm-65w2)

6.4.1 / 2024-01-03

• Bugfixes

  • DSL#warn_if_in_single_mode - fixup when workers set via CLI (#3256)
  • Fix idle-timeout not working in cluster mode (#3235, #3228, #3282, #3283)
  • Fix worker 0 timing out during phased restart (#3225, #2786)
  • context_builder.rb - require openssl if verify_mode != 'none' (#3179)
  • Make puma cluster process suitable as PID 1 (#3255)
  • Improve Puma::NullIO consistency with real IO (#3276)
  • extconf.rb - fixup to detect openssl info in Ruby build (#3271, #3266)
  • MiniSSL.java - set serialVersionUID, fix RaiseException deprecation (#3270)
  • dsl.rb - fix warn_if_in_single_mode when WEB_CONCURRENCY is set (#3265, #3264)

• Maintenance

  • LOTS of test refactoring to make tests more stable and easier to write - thanks to @​MSP-Greg!
  • Fix bug in tests re: TestPuma::HOST4 (#3254)
  • Dockerfile for minimal repros: use Ruby 3.2, expect bundler installed (#3245)
  • fix define_method calls, use Symbol parameter instead of String (#3293)

• Docs

  • README.md - add the puma-acme plugin (#3301)
  • Remove --keep-file-descriptors flag from systemd docs (#3248)
  • Note symlink mechanism in restart documentation for hot restart (#3298)

Commits

• e867e53 6.4.3
• 63a27b5 5.6.9 release note [ci skip]
• cac3fd1 Merge commit from fork
• 5fc43d7 5.6.8 and 6.4.2
• dfbba22 6.4.2
• 60d5ee3 Merge pull request from GHSA-c2f4-cvqm-65w2
• a287025 6.4.1 version tick!
• 32a629d 6.4.1
• 7e17826 [Fix #3282] idle-timeout not waiting on all workers in cluster mode (#3283)
• 437142e README.md - add the puma-acme plugin (#3301)
• Additional commits viewable in compare view

Updates sinatra from 3.1.0 to 4.1.0

Changelog

Sourced from sinatra's changelog.

4.1.0 / 2024-11-18

• New: Add host_authorization setting (#2053)
  • Defaults to .localhost, .test and any IP address in development mode.
  • Security: addresses CVE-2024-21510.
• Fix: Return an instance of Sinatra::IndifferentHash when calling #except (#2044)
• Fix: Address warning from URI for Ruby 3.4 (#2060)
• Fix: rackup no longer depends on WEBrick, recommend Puma instead (4a558503)
• Fix: Zeitwerk 2.7.0+ compatibility (#2050)
• Fix: Address warning about Hash construction for Ruby 3.4 (#2028)
• Fix: Declare missing dependencies for Ruby 3.5 (#2032)
• Fix: Compatibility with --enable-frozen-string-literal (#2033)
• Fix: Rack 3.1 compatibility (#2035)
  • Don't depend on Rack::Logger
  • Don't delete content-length header when Rack::Files is used

4.0.0. / 2024-01-19

• New: Add support for Rack 3 (#1857)

  • Note: you may want to read the [Rack 3 Upgrade Guide]

• Require Ruby 2.7.8 as minimum Ruby version (#1993)

• Breaking change: Drop support for Rack 2 (#1857)

  • Note: when using Sinatra to start the web server, you now need the rackup gem installed

• Breaking change: Remove the IndifferentHash initializer (#1982)

• Breaking change: Disable session_hijacking protection by default (#1984)

• Breaking change: Remove Rack::Protection::EncryptedCookie (#1989)

  • Note: cookies are still encrypted (by [Rack::Session::Cookie])

#1857: sinatra/sinatra#1857 #1993: sinatra/sinatra#1993 #1982: sinatra/sinatra#1982 #1984: sinatra/sinatra#1984 #1989: sinatra/sinatra#1989 [Rack::Session::Cookie]: https://github.com/rack/rack-session [Rack 3 Upgrade Guide]: https://github.com/rack/rack/blob/main/UPGRADE-GUIDE.md

3.2.0 / 2023-12-29

• New: Add #except method to Sinatra::IndifferentHash (#1940)

• New: Use Exception#detailed_message to show backtrace (#1952)

• New: Add Sinatra::HamlHelpers to sinatra-contrib (#1960)

• Fix: Add base64 to rack-protection runtime dependencies (#1946)

... (truncated)

Commits

• 73f3291 4.1.0 release (#2063)
• cd3e00d Add HostAuthorization rack-protection middleware (#2053)
• 8c4cd0b Return an instance of Sinatra::IndifferentHash when calling #except (#2044)
• 3c888f7 Address URI depreciation (#2060)
• 0d33ef8 CI: don't test falcon on Ruby 2.7
• 4a55850 Remove WEBrick
• 955682e CI: unset RUBYOPT for JRuby jobs
• 2d0b347 Support Zeitwerk 2.7.0+ (#2050)
• 6569ff8 Revert "CI: document the console gem issue"
• 77df658 CI: document the console gem issue
• Additional commits viewable in compare view

Updates google-protobuf from 3.25.0 to 3.25.5

Commits

• 70e85ae Updating version.json and repo version numbers to: 25.5-dev
• 489aba5 Merge pull request #15984 from mkruskal-google/staleness-fix-25
• 367c7be Regen stale files
• bbbd2de Updating version.json and repo version numbers to: 25.4-dev
• fc222b9 Updating version.json and repo version numbers to: 25.3-dev
• 6ac0447 Updating version.json and repo version numbers to: 25.2-dev
• 7f94235 Updating version.json and repo version numbers to: 25.1
• e4b00c7 Add support for extensions in CRuby, JRuby, and FFI Ruby (#14703) (#14756)
• 2495d4f Add support for options in CRuby, JRuby and FFI (#14594) (#14739)
• See full diff in compare view

Updates net-imap from 0.3.6 to 0.3.8

Release notes

Sourced from net-imap's releases.

v0.3.8

What's Changed

🔒 Security Fix

Mitigates CVE-2025-25186 (GHSA-7fc5-f82f-cx69): A malicious server can exhaust client memory by sending APPENDUID or COPYUID responses with very large uid-set ranges. Net::IMAP::UIDPlusData expands these ranges into arrays of integers.

Fix with minor API changes

For v0.3.8, this option is not available. Upgrade to v0.4.19, v0.5.6, or higher to replace UIDPlusData with AppendUIDData and CopyUIDData. These classes store their UIDs as Net::IMAP::SequenceSet objects (not expanded into arrays of integers).

Mitigate with backward compatible API

This release mitigates the attack by crashing if a server tries to send a uid-set that represents more than 10,000 numbers. This should be larger than almost all legitimate COPYUID or APPENDUID responses and would limit the array to only 80KB (on a 64 bit system).

For v0.3.8, this option is not configurable. Upgrade to v0.4.19, v0.5.6, or higher to configure this limit.

Please Note: unhandled responses

If the client does not add response handlers to prune unhandled responses, a malicious server can still eventually exhaust all client memory, by repeatedly sending malicious responses. However, net-imap has always retained unhandled responses, and it has always been necessary for long-lived connections to prune these responses. This is not significantly different from connecting to a trusted server with a long-lived connection. To limit the maximum number of retained responses, a simple handler might look something like the following:

limit = 1000
imap.add_response_handler do |resp|
  name = resp.name
  code = resp.data.code&.name if resp.data.in?(Net::IMAP::ResponseText)
  # before 0.4.0:
  imap.responses[name].slice!(0...-limit)
  imap.responses[code].slice!(0...-limit)
  # since 0.4.0:
  imap.responses(name) { _1.slice!(0...-limit) }
  imap.responses(code) { _1.slice!(0...-limit) }
end

Miscellaneous

• ✅ Renew test certificates for CI by @​sorah in ruby/net-imap#259

Full Changelog: ruby/net-imap@v0.3.7...v0.3.8

v0.3.7

What's Changed

• 🔒️ Backport: Fix for Digest MD5 bad challenges by @​nobu in ruby/net-imap#160
  • PR for backport is ruby/net-imap#161

Full Changelog: ruby/net-imap@v0.3.6...v0.3.7

Commits

• 38ce681 🔖 Bump version to 0.3.8
• cb92191 Merge commit from fork
• 524f2a8 Renew test certificates
• 0dbb8eb 🔒 Prevent runaway memory use when parsing uid-set
• 4681194 🏷️ Bump version to 0.3.7
• 8159e82 🔀 Merge pull request #161 from ruby/backport-digest_md5-bad-challenge
• bd68174 ✅ Mark assert_linear_performance test as pending
• c92ed92 Remove nested quantifier
• 2a85ac1 Fix NoMethodError when "qop" is not present
• 63ebe2f Add test for bad challenge
• See full diff in compare view

Updates rack from 2.2.8 to 3.1.9

Release notes

Sourced from rack's releases.

v3.0.9.1

What's Changed

• Fixed ReDoS in Accept header parsing [CVE-2024-26146]
• Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
• Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: rack/rack@v3.0.9...v3.0.9.1

v3.0.9

What's Changed

• Fix content-length calcuation in Rack:Response#write #2150

Full Changelog: rack/rack@v3.0.8...v3.0.9

v3.0.8

What's Changed

• Backport "Fix some unused variable verbose warnings" by @​skipkayhil in rack/rack#2084

New Contributors

• @​skipkayhil made their first contribution in rack/rack#2084

Full Changelog: rack/rack@v3.0.7...v3.0.8

v3.0.7

What's Changed

• Backport "Make query parameters without = have nil values". by @​jeremyevans in rack/rack#2060

Full Changelog: rack/rack@v3.0.6.1...v3.0.7

v3.0.6.1

No release notes provided.

v3.0.4.1

Full Changelog: rack/rack@v3.0.4...v3.0.4.1

v3.0.4

Full Changelog: rack/rack@v3.0.3...v3.0.4

v3.0.3

What's Changed

• Release v3.0.3 by @​ioquatix in rack/rack#2000

Full Changelog: rack/rack@v3.0.2...v3.0.3

v3.0.2

Full Changelog: rack/rack@v3.0.1...v3.0.2

... (truncated)

Changelog

Sourced from rack's changelog.

[3.1.9] - 2025-01-31

Fixed

• Rack::MediaType#params now handles parameters without values. (#2263, @​AllyMarthaJ)

[3.1.8] - 2024-10-14

Fixed

• Resolve deprecation warnings about uri DEFAULT_PARSER. (#2249, [@​earlopain])

[3.1.7] - 2024-07-11

Fixed

• Do not remove escaped opening/closing quotes for content-disposition filenames. (#2229, [@​jeremyevans])
• Fix encoding setting for non-binary IO-like objects in MockRequest#env_for. (#2227, [@​jeremyevans])
• Rack::Response should not generate invalid content-length header. (#2219, [@​ioquatix])
• Allow empty PATH_INFO. (#2214, [@​ioquatix])

[3.1.6] - 2024-07-03

Fixed

• Fix several edge cases in Rack::Request#parse_http_accept_header's implementation. (#2226, [@​ioquatix])

[3.1.5] - 2024-07-02

Security

• Fix potential ReDoS attack in Rack::Request#parse_http_accept_header. (GHSA-cj83-2ww7-mvq7, @​dwisiswant0)

[3.1.4] - 2024-06-22

Fixed

• Fix Rack::Lint matching some paths incorrectly as authority form. (#2220, [@​ioquatix])

[3.1.3] - 2024-06-12

Fixed

• Fix passing non-strings to Rack::Utils.escape_html. (#2202, [@​earlopain])
• Rack::MockResponse gracefully handles empty cookies (#2203 [@​wynksaiddestroy])

[3.1.2] - 2024-06-11

• Rack::Response will take in to consideration chunked encoding responses (#2204, [@​tenderlove])

... (truncated)

Commits

• e217a39 Bump patch version.
• 3383cf2 Update changelog.
• edb0869 fix: malformed charset param (#2263) (#2277)
• 09de82f Update test versions.
• 890db46 Fix permissions for external tests. (#2244)
• b2aebc7 Fix title level.
• b441049 Add Fixed section.
• 0eabeb7 Bump patch version.
• f4f7103 Resolve deprecation warnings about uri DEFAULT_PARSER (#2242) (#2249)
• 4bb2f72 Bump patch version.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.