Bump actionpack from 7.0.8.5 to 7.0.8.7 (#1078)

* Bump actionpack from 7.0.8.5 to 7.0.8.7 Bumps [actionpack](https://github.com/rails/rails) from 7.0.8.5 to 7.0.8.7. - [Release notes](https://github.com/rails/rails/releases) - [Changelog](https://github.com/rails/rails/blob/v8.0.1/actionpack/CHANGELOG.md) - [Commits](rails/rails@v7.0.8.5...v7.0.8.7) --- updated-dependencies: - dependency-name: actionpack dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> * pin concurrent ruby and update syntax for csp --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: K8Sewell <kait@notch8.com>
yalelibrary · Jan 29, 2025 · b4676f3 · b4676f3
1 parent b1da001
commit b4676f3
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 64 deletions.
diff --git a/Gemfile b/Gemfile
@@ -18,6 +18,8 @@ gem 'blacklight_range_limit'
 gem 'bootsnap', '>= 1.4.2', require: false
 gem 'bootstrap', '~> 4.6'
 gem 'citeproc-ruby'
+# pinned due to https://github.com/rails/rails/pull/54264
+gem 'concurrent-ruby', '< 1.3.5'
 gem 'csl-styles'
 gem 'devise'
 gem 'devise-guests', '~> 0.6'
@@ -26,6 +28,7 @@ gem 'honeybadger', '~> 4.0'
 gem 'iso-639'
 gem 'jbuilder', '~> 2.7'
 gem 'jquery-rails'
+gem 'logger'
 gem 'omniauth', '~> 2.1.0'
 gem 'omniauth_openid_connect'
 # This addresses CVE-2015-9284 https://github.com/advisories/GHSA-ww4x-rwq6-qpgf

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -20,69 +20,69 @@ GIT
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (7.0.8.5)
-      actionpack (= 7.0.8.5)
-      activesupport (= 7.0.8.5)
+    actioncable (7.0.8.7)
+      actionpack (= 7.0.8.7)
+      activesupport (= 7.0.8.7)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (7.0.8.5)
-      actionpack (= 7.0.8.5)
-      activejob (= 7.0.8.5)
-      activerecord (= 7.0.8.5)
-      activestorage (= 7.0.8.5)
-      activesupport (= 7.0.8.5)
+    actionmailbox (7.0.8.7)
+      actionpack (= 7.0.8.7)
+      activejob (= 7.0.8.7)
+      activerecord (= 7.0.8.7)
+      activestorage (= 7.0.8.7)
+      activesupport (= 7.0.8.7)
       mail (>= 2.7.1)
       net-imap
       net-pop
       net-smtp
-    actionmailer (7.0.8.5)
-      actionpack (= 7.0.8.5)
-      actionview (= 7.0.8.5)
-      activejob (= 7.0.8.5)
-      activesupport (= 7.0.8.5)
+    actionmailer (7.0.8.7)
+      actionpack (= 7.0.8.7)
+      actionview (= 7.0.8.7)
+      activejob (= 7.0.8.7)
+      activesupport (= 7.0.8.7)
       mail (~> 2.5, >= 2.5.4)
       net-imap
       net-pop
       net-smtp
       rails-dom-testing (~> 2.0)
-    actionpack (7.0.8.5)
-      actionview (= 7.0.8.5)
-      activesupport (= 7.0.8.5)
+    actionpack (7.0.8.7)
+      actionview (= 7.0.8.7)
+      activesupport (= 7.0.8.7)
       rack (~> 2.0, >= 2.2.4)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (7.0.8.5)
-      actionpack (= 7.0.8.5)
-      activerecord (= 7.0.8.5)
-      activestorage (= 7.0.8.5)
-      activesupport (= 7.0.8.5)
+    actiontext (7.0.8.7)
+      actionpack (= 7.0.8.7)
+      activerecord (= 7.0.8.7)
+      activestorage (= 7.0.8.7)
+      activesupport (= 7.0.8.7)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.0.8.5)
-      activesupport (= 7.0.8.5)
+    actionview (7.0.8.7)
+      activesupport (= 7.0.8.7)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (7.0.8.5)
-      activesupport (= 7.0.8.5)
+    activejob (7.0.8.7)
+      activesupport (= 7.0.8.7)
       globalid (>= 0.3.6)
-    activemodel (7.0.8.5)
-      activesupport (= 7.0.8.5)
-    activerecord (7.0.8.5)
-      activemodel (= 7.0.8.5)
-      activesupport (= 7.0.8.5)
+    activemodel (7.0.8.7)
+      activesupport (= 7.0.8.7)
+    activerecord (7.0.8.7)
+      activemodel (= 7.0.8.7)
+      activesupport (= 7.0.8.7)
     activerecord-nulldb-adapter (1.0.1)
       activerecord (>= 5.2.0, < 7.2)
-    activestorage (7.0.8.5)
-      actionpack (= 7.0.8.5)
-      activejob (= 7.0.8.5)
-      activerecord (= 7.0.8.5)
-      activesupport (= 7.0.8.5)
+    activestorage (7.0.8.7)
+      actionpack (= 7.0.8.7)
+      activejob (= 7.0.8.7)
+      activerecord (= 7.0.8.7)
+      activesupport (= 7.0.8.7)
       marcel (~> 1.0)
       mini_mime (>= 1.1.0)
-    activesupport (7.0.8.5)
+    activesupport (7.0.8.7)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
@@ -188,7 +188,7 @@ GEM
       csl (~> 2.0)
     coercible (1.0.0)
       descendants_tracker (~> 0.0.1)
-    concurrent-ruby (1.3.4)
+    concurrent-ruby (1.3.3)
     coveralls_reborn (0.28.0)
       simplecov (~> 0.22.0)
       term-ansicolor (~> 1.7)
@@ -226,7 +226,7 @@ GEM
       railties (>= 3.2)
     dumb_delegator (0.8.1)
     equalizer (0.0.11)
-    erubi (1.13.0)
+    erubi (1.13.1)
     execjs (2.9.1)
     factory_bot (6.4.5)
       activesupport (>= 5.0.0)
@@ -261,7 +261,7 @@ GEM
       domain_name (~> 0.5)
     http-form_data (2.3.0)
     httpclient (2.8.3)
-    i18n (1.14.6)
+    i18n (1.14.7)
       concurrent-ruby (~> 1.0)
     ice_nine (0.11.2)
     iiif-presentation (1.3.0)
@@ -325,7 +325,7 @@ GEM
     method_source (1.1.0)
     mini_mime (1.1.5)
     minitar (0.9)
-    minitest (5.25.1)
+    minitest (5.25.4)
     msgpack (1.7.2)
     namae (1.2.0)
       racc (~> 1.7)
@@ -402,22 +402,22 @@ GEM
       rack (~> 2.2, >= 2.2.4)
     rack-proxy (0.7.7)
       rack
-    rack-test (2.1.0)
+    rack-test (2.2.0)
       rack (>= 1.3)
-    rails (7.0.8.5)
-      actioncable (= 7.0.8.5)
-      actionmailbox (= 7.0.8.5)
-      actionmailer (= 7.0.8.5)
-      actionpack (= 7.0.8.5)
-      actiontext (= 7.0.8.5)
-      actionview (= 7.0.8.5)
-      activejob (= 7.0.8.5)
-      activemodel (= 7.0.8.5)
-      activerecord (= 7.0.8.5)
-      activestorage (= 7.0.8.5)
-      activesupport (= 7.0.8.5)
+    rails (7.0.8.7)
+      actioncable (= 7.0.8.7)
+      actionmailbox (= 7.0.8.7)
+      actionmailer (= 7.0.8.7)
+      actionpack (= 7.0.8.7)
+      actiontext (= 7.0.8.7)
+      actionview (= 7.0.8.7)
+      activejob (= 7.0.8.7)
+      activemodel (= 7.0.8.7)
+      activerecord (= 7.0.8.7)
+      activestorage (= 7.0.8.7)
+      activesupport (= 7.0.8.7)
       bundler (>= 1.15.0)
-      railties (= 7.0.8.5)
+      railties (= 7.0.8.7)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
       actionview (>= 5.0.1.rc1)
@@ -426,16 +426,16 @@ GEM
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.1)
+    rails-html-sanitizer (1.6.2)
       loofah (~> 2.21)
       nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
     rails_semantic_logger (4.14.0)
       rack
       railties (>= 5.1)
       semantic_logger (~> 4.13)
-    railties (7.0.8.5)
-      actionpack (= 7.0.8.5)
-      activesupport (= 7.0.8.5)
+    railties (7.0.8.7)
+      actionpack (= 7.0.8.7)
+      activesupport (= 7.0.8.7)
       method_source
       rake (>= 12.2)
       thor (~> 1.0)
@@ -649,6 +649,7 @@ DEPENDENCIES
   byebug
   capybara (>= 2.15)
   citeproc-ruby
+  concurrent-ruby (< 1.3.5)
   coveralls_reborn
   csl-styles
   devise
@@ -661,6 +662,7 @@ DEPENDENCIES
   jbuilder (~> 2.7)
   jquery-rails
   listen (~> 3.2)
+  logger
   omniauth (~> 2.1.0)
   omniauth-rails_csrf_protection (~> 1.0)
   omniauth_openid_connect

diff --git a/app/controllers/mirador_controller.rb b/app/controllers/mirador_controller.rb
@@ -4,8 +4,8 @@ class MiradorController < ApplicationController
 
   # Allows Mirador to use inline JS to open viewer in new tab
   content_security_policy(only: :show) do |policy|
-    policy.script_src_attr  :self, :unsafe_inline, 'siteimproveanalytics.com www.googletagmanager.com'
-    policy.script_src_elem  :self, :unsafe_inline, 'siteimproveanalytics.com www.googletagmanager.com'    # policy.style_src :self, :unsafe_inline
+    policy.script_src_attr  :self, :unsafe_inline, 'siteimproveanalytics.com', 'www.googletagmanager.com'
+    policy.script_src_elem  :self, :unsafe_inline, 'siteimproveanalytics.com', 'www.googletagmanager.com'    # policy.style_src :self, :unsafe_inline
     policy.style_src_attr :self, :unsafe_inline
     policy.style_src_elem :self, :unsafe_inline
   end

diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
@@ -11,13 +11,13 @@
       policy.font_src    :self, 'static.library.yale.edu'
       policy.img_src     :self, :https, :data, "#{ENV['IIIF_IMAGE_BASE_URL']}/"
       policy.object_src  :none
-      policy.script_src  :self, 'siteimproveanalytics.com www.googletagmanager.com'
+      policy.script_src  :self, 'siteimproveanalytics.com', 'www.googletagmanager.com'
       policy.script_src_attr  :self, :unsafe_inline, 'www.googletagmanager.com'
-      policy.script_src_elem  :self, :unsafe_inline, 'siteimproveanalytics.com www.googletagmanager.com'
+      policy.script_src_elem  :self, :unsafe_inline, 'siteimproveanalytics.com', 'www.googletagmanager.com'
       policy.style_src :self, :unsafe_inline
       policy.style_src_attr :self, :unsafe_inline
       policy.style_src_elem :self, :unsafe_inline, "#{ENV['IIIF_IMAGE_BASE_URL']}/"
-      policy.connect_src :self, "banner.library.yale.edu www.google-analytics.com region1.google-analytics.com #{ENV['IIIF_IMAGE_BASE_URL']}/"
+      policy.connect_src :self, "banner.library.yale.edu", 'www.google-analytics.com', 'region1.google-analytics.com', "#{ENV['IIIF_IMAGE_BASE_URL']}/"
 
       # Specify URI for violation reports
       unless ENV['CLUSTER_NAME'] == 'local'