The Slack `files.upload` API endpoint is deprecated and will stop
functioning on March 11, 2025. In this PR, we have implemented the
changes for the [new file
upload](https://api.slack.com/messaging/files#uploading_files) method.
## Description
Hi! I've recently started helping maintain this gem as we use it heavily
in our app as well. It's been updated to work with newer versions of
nokogiri and has a few important fixes too.
## How Has This Been Tested?
Assuming you already have test coverage that would cover this.
## Checklist:
- [x] My code follows the style guidelines of this project
- [x] I have performed a self-review of my code
- [x] I have commented on my code, particularly in hard-to-understand
areas
- [x] I have made corresponding changes to the documentation
- [x] My changes generate no new warnings
- [x] I have added tests that prove my fix is effective or that my
feature works
- [x] New and existing unit tests pass locally with my changes
- [x] Any dependent changes have been merged and published in downstream
modules
Co-authored-by: Sojan Jose <sojan@pepalo.com>
Bumps [rack](https://github.com/rack/rack) from 2.2.10 to 2.2.11.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/rack/rack/blob/main/CHANGELOG.md">rack's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<p>All notable changes to this project will be documented in this file.
For info on how to format all future additions to this file please
reference <a href="https://keepachangelog.com/en/1.0.0/">Keep A
Changelog</a>.</p>
<h2>Unreleased</h2>
<h3>Added</h3>
<ul>
<li>Introduce <code>Rack::VERSION</code> constant. (<a
href="https://redirect.github.com/rack/rack/pull/2199">#2199</a>, [<a
href="https://github.com/ioquatix"><code>@ioquatix</code></a>])</li>
<li>ISO-2022-JP encoded parts within MIME Multipart sections of an HTTP
request body will now be converted to UTF-8. (<a
href="https://redirect.github.com/rack/rack/pull/2245">#2245</a>, [<a
href="https://github.com/nappa"><code>@nappa</code></a>])</li>
</ul>
<h3>Changed</h3>
<ul>
<li>Invalid cookie keys will now raise an error. (<a
href="https://redirect.github.com/rack/rack/pull/2193">#2193</a>, [<a
href="https://github.com/ioquatix"><code>@ioquatix</code></a>])</li>
<li><code>Rack::MediaType#params</code> now handles empty strings. (<a
href="https://redirect.github.com/rack/rack/pull/2229">#2229</a>, [<a
href="https://github.com/jeremyevans"><code>@jeremyevans</code></a>])</li>
</ul>
<h3>Deprecated</h3>
<ul>
<li><code>Rack::Auth::AbstractRequest#request</code> is deprecated
without replacement. (<a
href="https://redirect.github.com/rack/rack/pull/2229">#2229</a>, [<a
href="https://github.com/jeremyevans"><code>@jeremyevans</code></a>])</li>
<li><code>Rack::Request#parse_multipart</code> (private method designed
to be overridden in subclasses) is deprecated without replacement. (<a
href="https://redirect.github.com/rack/rack/pull/2229">#2229</a>, [<a
href="https://github.com/jeremyevans"><code>@jeremyevans</code></a>])</li>
</ul>
<h3>Removed</h3>
<ul>
<li><code>Rack::Request#values_at</code> is removed. (<a
href="https://redirect.github.com/rack/rack/pull/2200">#2200</a>, [<a
href="https://github.com/ioquatix"><code>@ioquatix</code></a>])</li>
<li><code>Rack::Logger</code> is removed with no replacement. (<a
href="https://redirect.github.com/rack/rack/pull/2196">#2196</a>, [<a
href="https://github.com/ioquatix"><code>@ioquatix</code></a>])</li>
<li>Automatic cache invalidation in
<code>Rack::Request#{GET,POST}</code> has been removed. (<a
href="https://redirect.github.com/rack/rack/pull/2230">#2230</a>, [<a
href="https://github.com/jeremyevans"><code>@jeremyevans</code></a>])</li>
</ul>
<h3>Fixed</h3>
<ul>
<li><code>Rack::RewindableInput::Middleware</code> no longer wraps a nil
input. (<a
href="https://redirect.github.com/rack/rack/pull/2259">#2259</a>, <a
href="https://github.com/tt"><code>@tt</code></a>)</li>
</ul>
<h2>[3.1.9] - 2025-01-31</h2>
<h3>Fixed</h3>
<ul>
<li><code>Rack::MediaType#params</code> now handles parameters without
values. (<a
href="https://redirect.github.com/rack/rack/pull/2263">#2263</a>, <a
href="https://github.com/AllyMarthaJ"><code>@AllyMarthaJ</code></a>)</li>
</ul>
<h2>[3.1.8] - 2024-10-14</h2>
<h3>Fixed</h3>
<ul>
<li>Resolve deprecation warnings about uri <code>DEFAULT_PARSER</code>.
(<a href="https://redirect.github.com/rack/rack/pull/2249">#2249</a>,
[<a
href="https://github.com/earlopain"><code>@earlopain</code></a>])</li>
</ul>
<h2>[3.1.7] - 2024-07-11</h2>
<h3>Fixed</h3>
<ul>
<li>Do not remove escaped opening/closing quotes for content-disposition
filenames. (<a
href="https://redirect.github.com/rack/rack/pull/2229">#2229</a>, [<a
href="https://github.com/jeremyevans"><code>@jeremyevans</code></a>])</li>
<li>Fix encoding setting for non-binary IO-like objects in
MockRequest#env_for. (<a
href="https://redirect.github.com/rack/rack/pull/2227">#2227</a>, [<a
href="https://github.com/jeremyevans"><code>@jeremyevans</code></a>])</li>
<li><code>Rack::Response</code> should not generate invalid
<code>content-length</code> header. (<a
href="https://redirect.github.com/rack/rack/pull/2219">#2219</a>, [<a
href="https://github.com/ioquatix"><code>@ioquatix</code></a>])</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="aa5a0f532a"><code>aa5a0f5</code></a>
Bump patch version.</li>
<li><a
href="f8b41c1dba"><code>f8b41c1</code></a>
Escape non-printable characters when logging.</li>
<li>See full diff in <a
href="https://github.com/rack/rack/compare/v2.2.10...v2.2.11">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/chatwoot/chatwoot/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [net-imap](https://github.com/ruby/net-imap) from 0.4.17 to
0.4.19.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/ruby/net-imap/releases">net-imap's
releases</a>.</em></p>
<blockquote>
<h2>v0.4.19</h2>
<h2>What's Changed</h2>
<h3>🔒 Security Fix</h3>
<p>Fixes CVE-2025-25186 (GHSA-7fc5-f82f-cx69): A malicious server can
exhaust client memory by sending <code>APPENDUID</code> or
<code>COPYUID</code> responses with very large <code>uid-set</code>
ranges. <code>Net::IMAP::UIDPlusData</code> expands these ranges into
arrays of integers.</p>
<h4>Fix with minor API changes</h4>
<p>Set <code>config.parser_use_deprecated_uidplus_data</code> to
<code>false</code> to replace <code>UIDPlusData</code> with
<code>AppendUIDData</code> and <code>CopyUIDData</code>. These classes
store their UIDs as <code>Net::IMAP::SequenceSet</code> objects
(<em>not</em> expanded into arrays of integers). Code that does not
handle <code>APPENDUID</code> or <code>COPYUID</code> responses should
not see any difference. Code that does handle these responses
<em>may</em> need to be updated.</p>
<p>For v0.3.8, this option is not available
For v0.4.19, the default value is <code>true</code>.
For v0.5.6, the default value is <code>:up_to_max_size</code>.
For v0.6.0, the only allowed value will be <code>false</code>
<em>(<code>UIDPlusData</code> will be removed from v0.6)</em>.</p>
<h4>Mitigate with backward compatible API</h4>
<p>Adjust <code>config.parser_max_deprecated_uidplus_data_size</code> to
limit the maximum <code>UIDPlusData</code> UID set size.
When <code>config.parser_use_deprecated_uidplus_data == true</code>,
larger sets will crash.
When <code>config.parser_use_deprecated_uidplus_data ==
:up_to_max_size</code>, larger sets will use <code>AppendUIDData</code>
or <code>CopyUIDData</code>.</p>
<p>For v0.3,8, this limit is <em>hard-coded</em> to 10,000.
For v0.4.19, this limit defaults to 1000.
For v0.5.6, this limit defaults to 100.
For v0.6.0, the only allowed value will be <code>0</code>
<em>(<code>UIDPlusData</code> will be removed from v0.6)</em>.</p>
<h4>Please Note: unhandled responses</h4>
<p>If the client does not add response handlers to prune unhandled
responses, a malicious server can still eventually exhaust all client
memory, by repeatedly sending malicious responses. However,
<code>net-imap</code> has always retained unhandled responses, and it
has always been necessary for long-lived connections to prune these
responses. This is not significantly different from connecting to a
trusted server with a long-lived connection. To limit the maximum number
of retained responses, a simple handler might look something like the
following:</p>
<pre lang="ruby"><code>limit = 1000
imap.add_response_handler do |resp|
next unless resp.respond_to?(:name) && resp.respond_to?(:data)
name = resp.name
code = resp.data.code&.name if
resp.data.in?(Net::IMAP::ResponseText)
imap.responses(name) { _1.slice!(0...-limit) }
imap.responses(code) { _1.slice!(0...-limit) }
end
</code></pre>
<h3>Added</h3>
<ul>
<li>🔧 ResponseParser config is mutable and non-global (backports <a
href="https://redirect.github.com/ruby/net-imap/issues/381">#381</a>) by
<a href="https://github.com/nevans"><code>@nevans</code></a> in <a
href="https://redirect.github.com/ruby/net-imap/pull/382">ruby/net-imap#382</a></li>
<li>✨ SequenceSet ordered entries methods (backports to v0.4-stable) by
<a href="https://github.com/nevans"><code>@nevans</code></a> in <a
href="https://redirect.github.com/ruby/net-imap/pull/402">ruby/net-imap#402</a>
Backports the following:
<ul>
<li>✨ Add SequenceSet methods for querying about duplicates by <a
href="https://github.com/nevans"><code>@nevans</code></a> in <a
href="https://redirect.github.com/ruby/net-imap/pull/384">ruby/net-imap#384</a></li>
<li>✨ Add <code>SequenceSet#each_ordered_number</code> by <a
href="https://github.com/nevans"><code>@nevans</code></a> in <a
href="https://redirect.github.com/ruby/net-imap/pull/386">ruby/net-imap#386</a></li>
<li>✨ Add <code>SequenceSet#find_ordered_index</code> by <a
href="https://github.com/nevans"><code>@nevans</code></a> in <a
href="https://redirect.github.com/ruby/net-imap/pull/396">ruby/net-imap#396</a></li>
<li>✨ Add <code>SequenceSet#ordered_at</code> by <a
href="https://github.com/nevans"><code>@nevans</code></a> in <a
href="https://redirect.github.com/ruby/net-imap/pull/397">ruby/net-imap#397</a></li>
</ul>
</li>
<li>✨ Backport UIDPlusData, AppendUIDData, CopyUIDData to v0.4 by <a
href="https://github.com/nevans"><code>@nevans</code></a> in <a
href="https://redirect.github.com/ruby/net-imap/pull/404">ruby/net-imap#404</a>
Backports the following:
<ul>
<li>✨ Add AppendUIDData and CopyUIDData classes by <a
href="https://github.com/nevans"><code>@nevans</code></a> in <a
href="https://redirect.github.com/ruby/net-imap/pull/400">ruby/net-imap#400</a></li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4c4ed09997"><code>4c4ed09</code></a>
🔖 Bump version to 0.4.19</li>
<li><a
href="c8c5a64373"><code>c8c5a64</code></a>
Merge commit from fork</li>
<li><a
href="abff00fd70"><code>abff00f</code></a>
🔧 Add <code>:up_to_max_size</code> config for UIDPlusData</li>
<li><a
href="34a1f27a45"><code>34a1f27</code></a>
🔧 Add config option for max UIDPlusData size</li>
<li><a
href="6613d57e8e"><code>6613d57</code></a>
🔒 Limit exponential memory usage to parse uid-set</li>
<li><a
href="e4d57b1e00"><code>e4d57b1</code></a>
🔀 Merge pull request <a
href="https://redirect.github.com/ruby/net-imap/issues/404">#404</a>
from ruby/backport-0.4-uidplus-deprecation</li>
<li><a
href="d32320a749"><code>d32320a</code></a>
🐛 Fix missing <code>Data.define</code> for new classes</li>
<li><a
href="3c592fc98c"><code>3c592fc</code></a>
🔧🗑️ Deprecate UIDPlusData, with config to upgrade</li>
<li><a
href="7e58ef35fa"><code>7e58ef3</code></a>
✨ Add CopyUIDData (to replace UIDPlusData)</li>
<li><a
href="4c601c3a84"><code>4c601c3</code></a>
✨ Add AppendUIDData (to replace UIDPlusData)</li>
<li>Additional commits viewable in <a
href="https://github.com/ruby/net-imap/compare/v0.4.17...v0.4.19">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/chatwoot/chatwoot/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Migration Guide: https://chwt.app/v4/migration
This PR imports all the work related to Captain into the EE codebase. Captain represents the AI-based features in Chatwoot and includes the following key components:
- Assistant: An assistant has a persona, the product it would be trained on. At the moment, the data at which it is trained is from websites. Future integrations on Notion documents, PDF etc. This PR enables connecting an assistant to an inbox. The assistant would run the conversation every time before transferring it to an agent.
- Copilot for Agents: When an agent is supporting a customer, we will be able to offer additional help to lookup some data or fetch information from integrations etc via copilot.
- Conversation FAQ generator: When a conversation is resolved, the Captain integration would identify questions which were not in the knowledge base.
- CRM memory: Learns from the conversations and identifies important information about the contact.
---------
Co-authored-by: Vishnu Narayanan <vishnu@chatwoot.com>
Co-authored-by: Sojan <sojan@pepalo.com>
Co-authored-by: iamsivin <iamsivin@gmail.com>
Co-authored-by: Sivin Varghese <64252451+iamsivin@users.noreply.github.com>
Bumps [actionpack](https://github.com/rails/rails) from 7.0.8.5 to
7.0.8.7.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/rails/rails/releases">actionpack's
releases</a>.</em></p>
<blockquote>
<h2>7.0.8.7</h2>
<h2>Active Support</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Active Model</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Active Record</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Action View</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Action Pack</h2>
<ul>
<li>
<p>Add validation to content security policies to disallow spaces and
semicolons.
Developers should use multiple arguments, and different directive
methods instead.</p>
<p>[CVE-2024-54133]</p>
<p><em>Gannon McGibbon</em></p>
</li>
</ul>
<h2>Active Job</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Action Mailer</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Action Cable</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Active Storage</h2>
<ul>
<li>No changes.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="778eab8265"><code>778eab8</code></a>
Preparing for 7.0.8.7 release</li>
<li><a
href="cb16a3bb51"><code>cb16a3b</code></a>
Add CSP directive validation</li>
<li><a
href="bc979c5cf4"><code>bc979c5</code></a>
Preparing for 7.0.8.6 release</li>
<li>See full diff in <a
href="https://github.com/rails/rails/compare/v7.0.8.5...v7.0.8.7">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/chatwoot/chatwoot/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps
[rails-html-sanitizer](https://github.com/rails/rails-html-sanitizer)
from 1.6.0 to 1.6.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/rails/rails-html-sanitizer/releases">rails-html-sanitizer's
releases</a>.</em></p>
<blockquote>
<h2>1.6.1 / 2024-12-02</h2>
<p>This is a performance and security release which addresses several
possible XSS vulnerabilities.</p>
<ul>
<li>
<p>The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.</p>
<p>This change addresses CVE-2024-53985 (<a
href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x">https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x</a>).</p>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>Disallowed tags will be pruned when they appear in foreign content
(i.e. SVG or MathML content),
regardless of the <code>prune:</code> option value. Previously,
disallowed tags were "stripped" unless the
gem was configured with the <code>prune: true</code> option.</p>
<p>The CVEs addressed by this change are:</p>
<ul>
<li>CVE-2024-53986 (<a
href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48">https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48</a>)</li>
<li>CVE-2024-53987 (<a
href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr">https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr</a>)</li>
</ul>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>The tags "noscript", "mglyph", and
"malignmark" will not be allowed, even if explicitly added to
the allowlist. If applications try to allow any of these tags, a warning
is emitted and the tags
are removed from the allow-list.</p>
<p>The CVEs addressed by this change are:</p>
<ul>
<li>CVE-2024-53988 (<a
href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5">https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5</a>)</li>
<li>CVE-2024-53989 (<a
href="https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rxv5-gxqc-xx8g">https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rxv5-gxqc-xx8g</a>)</li>
</ul>
<p>Please note that we <em>may</em> restore support for allowing
"noscript" in a future release. We do not
expect to ever allow "mglyph" or "malignmark",
though, especially since browser support is minimal
for these tags.</p>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>Improve performance by eliminating needless operations on attributes
that are being removed. <a
href="https://redirect.github.com/rails/rails-html-sanitizer/issues/188">#188</a></p>
<p><em>Mike Dalessio</em></p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/rails/rails-html-sanitizer/blob/main/CHANGELOG.md">rails-html-sanitizer's
changelog</a>.</em></p>
<blockquote>
<h2>1.6.1 / 2024-12-02</h2>
<p>This is a performance and security release which addresses several
possible XSS vulnerabilities.</p>
<ul>
<li>
<p>The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.</p>
<p>This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).</p>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>Disallowed tags will be pruned when they appear in foreign content
(i.e. SVG or MathML content),
regardless of the <code>prune:</code> option value. Previously,
disallowed tags were "stripped" unless the
gem was configured with the <code>prune: true</code> option.</p>
<p>The CVEs addressed by this change are:</p>
<ul>
<li>CVE-2024-53986 (GHSA-638j-pmjw-jq48)</li>
<li>CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)</li>
</ul>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>The tags "noscript", "mglyph", and
"malignmark" will not be allowed, even if explicitly added to
the allowlist. If applications try to allow any of these tags, a warning
is emitted and the tags
are removed from the allow-list.</p>
<p>The CVEs addressed by this change are:</p>
<ul>
<li>CVE-2024-53988 (GHSA-cfjx-w229-hgx5)</li>
<li>CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)</li>
</ul>
<p>Please note that we <em>may</em> restore support for allowing
"noscript" in a future release. We do not
expect to ever allow "mglyph" or "malignmark",
though, especially since browser support is minimal
for these tags.</p>
<p><em>Mike Dalessio</em></p>
</li>
<li>
<p>Improve performance by eliminating needless operations on attributes
that are being removed. <a
href="https://redirect.github.com/rails/rails-html-sanitizer/issues/188">#188</a></p>
<p><em>Mike Dalessio</em></p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="5e96b19bbb"><code>5e96b19</code></a>
version bump to v1.6.1</li>
<li><a
href="383cc7c17f"><code>383cc7c</code></a>
doc: update CHANGELOG with assigned CVEs</li>
<li><a
href="a7b0cfe103"><code>a7b0cfe</code></a>
Combine the noscript/mglyph prevention blocks</li>
<li><a
href="5658335ede"><code>5658335</code></a>
Merge branch 'h1-2509647-noscript' into
flavorjones-2024-security-fixes</li>
<li><a
href="65fb72f07e"><code>65fb72f</code></a>
Merge branch 'h1-2519936-mglyph-foster-parenting' into
flavorjones-2024-secur...</li>
<li><a
href="3fe22a8b89"><code>3fe22a8</code></a>
Merge branch 'h1-2519936-foreign-ns-confusion' into
flavorjones-2024-security...</li>
<li><a
href="d7a94c1252"><code>d7a94c1</code></a>
Merge branch 'h1-2503220-nokogiri-serialization' into
flavorjones-2024-securi...</li>
<li><a
href="3fd6e650f9"><code>3fd6e65</code></a>
doc: update CHANGELOG</li>
<li><a
href="16251735e3"><code>1625173</code></a>
fix: disallow 'noscript' from safe lists</li>
<li><a
href="a0a3e8b76b"><code>a0a3e8b</code></a>
fix: disallow 'mglyph' and 'malignmark' from safe lists</li>
<li>Additional commits viewable in <a
href="https://github.com/rails/rails-html-sanitizer/compare/v1.6.0...v1.6.1">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/chatwoot/chatwoot/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Pranav <pranav@chatwoot.com>
- add judoscaler gem to allow judoscale use in heroku environments
- This will allow auto scaling for both web and worker dynos across both
standard-1x/2x and performance dynos
- This will scaling in response to queue time rather than response
time(heroku default)
- This also allows you to scale multiple dynos in and out at once,
rather than scaling them one at a time, as is the default.
Ref
----
1. https://judoscale.com/
2. https://devcenter.heroku.com/articles/judoscale
Bumps [actionmailer](https://github.com/rails/rails) from 7.0.8.4 to
7.0.8.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/rails/rails/releases">actionmailer's
releases</a>.</em></p>
<blockquote>
<h2>7.0.8.5</h2>
<h2>Active Support</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Active Model</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Active Record</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Action View</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Action Pack</h2>
<ul>
<li>
<p>Avoid regex backtracking in HTTP Token authentication</p>
<p>[CVE-2024-47887]</p>
</li>
<li>
<p>Avoid regex backtracking in query parameter filtering</p>
<p>[CVE-2024-41128]</p>
</li>
</ul>
<h2>Active Job</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Action Mailer</h2>
<ul>
<li>
<p>Avoid regex backtracking in <code>block_format</code> helper</p>
<p>[CVE-2024-47889]</p>
</li>
</ul>
<h2>Action Cable</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Active Storage</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="f61f4ef957"><code>f61f4ef</code></a>
Preparing for 7.0.8.5 release</li>
<li><a
href="d666c965e3"><code>d666c96</code></a>
Update CHANGELOGs</li>
<li><a
href="30abd6bd71"><code>30abd6b</code></a>
Merge pull request <a
href="https://redirect.github.com/rails/rails/issues/52962">#52962</a>
from rails/rm-releser</li>
<li><a
href="0e5694f4d3"><code>0e5694f</code></a>
Avoid backtracking in ActionMailer block_format</li>
<li><a
href="40d8b920e3"><code>40d8b92</code></a>
Merge pull request <a
href="https://redirect.github.com/rails/rails/issues/51510">#51510</a>
from fatkodima/remove-ostruct</li>
<li>See full diff in <a
href="https://github.com/rails/rails/compare/v7.0.8.4...v7.0.8.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/chatwoot/chatwoot/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [actiontext](https://github.com/rails/rails) from 7.0.8.4 to
7.0.8.5.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/rails/rails/releases">actiontext's
releases</a>.</em></p>
<blockquote>
<h2>7.0.8.5</h2>
<h2>Active Support</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Active Model</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Active Record</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Action View</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Action Pack</h2>
<ul>
<li>
<p>Avoid regex backtracking in HTTP Token authentication</p>
<p>[CVE-2024-47887]</p>
</li>
<li>
<p>Avoid regex backtracking in query parameter filtering</p>
<p>[CVE-2024-41128]</p>
</li>
</ul>
<h2>Active Job</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Action Mailer</h2>
<ul>
<li>
<p>Avoid regex backtracking in <code>block_format</code> helper</p>
<p>[CVE-2024-47889]</p>
</li>
</ul>
<h2>Action Cable</h2>
<ul>
<li>No changes.</li>
</ul>
<h2>Active Storage</h2>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="f61f4ef957"><code>f61f4ef</code></a>
Preparing for 7.0.8.5 release</li>
<li><a
href="d666c965e3"><code>d666c96</code></a>
Update CHANGELOGs</li>
<li><a
href="30abd6bd71"><code>30abd6b</code></a>
Merge pull request <a
href="https://redirect.github.com/rails/rails/issues/52962">#52962</a>
from rails/rm-releser</li>
<li><a
href="727b0946c3"><code>727b094</code></a>
ActionText: Avoid backtracing in plain_text_for_blockquote_node</li>
<li>See full diff in <a
href="https://github.com/rails/rails/compare/v7.0.8.4...v7.0.8.5">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/chatwoot/chatwoot/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Fixes https://github.com/chatwoot/chatwoot/issues/9935
Fixes https://github.com/chatwoot/chatwoot/issues/8213
The articles were grouped by category, with locale being a derived
attribute from the category. If a category was deleted, the article
wouldn't appear on the dashboard. However, due to a bug, it would show
up in the uncategorized section on the public portal, leaving agents
unable to edit or update the article.
To address this issue, I've added a locale attribute directly to the
article. This attribute is automatically set from the category or the
portal's default locale if not supplied. The API parameters now use this
attribute to filter articles. As a result, the dashboard will display
articles even if they're not associated with a category, improving the
overall workflow.
**Main updates:**
- Add locale attribute to the Article model. Add db migration to back
fill the data based on the above logic.
- Add a new scope search_by_locale and use it instead of
search_by_category_locale.
- Update the ERB template to include the locale filter.
- Move from `joins` to `left_outer_joins` to include the articles with
no categories.
---------
Co-authored-by: Sojan <sojan@pepalo.com>
Bumps [puma](https://github.com/puma/puma) from 6.4.2 to 6.4.3.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/puma/puma/releases">puma's
releases</a>.</em></p>
<blockquote>
<h2>6.4.3</h2>
<ul>
<li>Security
<ul>
<li>Discards any headers using underscores if the non-underscore version
also exists. Without this, an attacker could overwrite values set by
intermediate proxies (e.g. X-Forwarded-For). (<a
href="https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4">CVE-2024-45614</a>/GHSA-9hf4-67fc-4vf4)</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/puma/puma/blob/master/History.md">puma's
changelog</a>.</em></p>
<blockquote>
<h2>6.4.3 / 2024-09-19</h2>
<ul>
<li>Security
<ul>
<li>Discards any headers using underscores if the non-underscore version
also exists. Without this, an attacker could overwrite values set by
intermediate proxies (e.g. X-Forwarded-For). (<a
href="https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4">CVE-2024-45614</a>/GHSA-9hf4-67fc-4vf4)</li>
</ul>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e867e53aa4"><code>e867e53</code></a>
6.4.3</li>
<li><a
href="63a27b5b5b"><code>63a27b5</code></a>
5.6.9 release note [ci skip]</li>
<li><a
href="cac3fd18cf"><code>cac3fd1</code></a>
Merge commit from fork</li>
<li>See full diff in <a
href="https://github.com/puma/puma/compare/v6.4.2...v6.4.3">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/chatwoot/chatwoot/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
### Snyk has created this PR to fix 1 vulnerabilities in the rubygems
dependencies of this project.
#### Snyk changed the following file(s):
- `Gemfile`
<details>
<summary>⚠️ <b>Warning</b></summary>
```
Failed to update the Gemfile.lock, please update manually before merging.
```
</details>
#### Vulnerabilities that will be fixed with an upgrade:
| | Issue | Score |
:-------------------------:|:-------------------------|:-------------------------
 | Web Cache Poisoning
<br/>[SNYK-RUBY-RACK-1061917](https://snyk.io/vuln/SNYK-RUBY-RACK-1061917)
| **616**
---
> [!IMPORTANT]
>
> - Check the changes in this PR to ensure they won't cause issues with
your project.
> - Max score is 1000. Note that the real score may have changed since
the PR was raised.
> - This PR was automatically created by Snyk using the credentials of a
real user.
---
**Note:** _You are seeing this because you or someone else with access
to this repository has authorized Snyk to open fix PRs._
For more information: <img
src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiJhMWE2MzkzZS03ODdhLTRmYWItOGY1MS0zZjdmN2YzNzVlZDYiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6ImExYTYzOTNlLTc4N2EtNGZhYi04ZjUxLTNmN2Y3ZjM3NWVkNiJ9fQ=="
width="0" height="0"/>
🧐 [View latest project
report](https://app.snyk.io/org/chatwoot/project/b7197bbd-6200-4f23-931d-c39928584360?utm_source=github&utm_medium=referral&page=fix-pr)
📜 [Customise PR
templates](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests/customize-pr-templates)
🛠 [Adjust project
settings](https://app.snyk.io/org/chatwoot/project/b7197bbd-6200-4f23-931d-c39928584360?utm_source=github&utm_medium=referral&page=fix-pr/settings)
📚 [Read about Snyk's upgrade
logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities)
---
**Learn how to fix vulnerabilities with free interactive lessons:**
🦉 [Learn about vulnerability in an interactive lesson of Snyk
Learn.](https://learn.snyk.io/?loc=fix-pr)
[//]: #
'snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"rspec-rails","from":"6.1.4","to":"6.1.5"}],"env":"prod","issuesToFix":[{"exploit_maturity":"Proof
of
Concept","id":"SNYK-RUBY-RACK-1061917","priority_score":616,"priority_score_factors":[{"type":"exploit","label":"Proof
of
Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.9","score":295},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Web
Cache Poisoning"},{"exploit_maturity":"Proof of
Concept","id":"SNYK-RUBY-RACK-1061917","priority_score":616,"priority_score_factors":[{"type":"exploit","label":"Proof
of
Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.9","score":295},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Web
Cache Poisoning"},{"exploit_maturity":"Proof of
Concept","id":"SNYK-RUBY-RACK-1061917","priority_score":616,"priority_score_factors":[{"type":"exploit","label":"Proof
of
Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.9","score":295},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Web
Cache Poisoning"},{"exploit_maturity":"Proof of
Concept","id":"SNYK-RUBY-RACK-1061917","priority_score":616,"priority_score_factors":[{"type":"exploit","label":"Proof
of
Concept","score":107},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.9","score":295},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Web
Cache
Poisoning"}],"prId":"a1a6393e-787a-4fab-8f51-3f7f7f375ed6","prPublicId":"a1a6393e-787a-4fab-8f51-3f7f7f375ed6","packageManager":"rubygems","priorityScoreList":[616],"projectPublicId":"b7197bbd-6200-4f23-931d-c39928584360","projectUrl":"https://app.snyk.io/org/chatwoot/project/b7197bbd-6200-4f23-931d-c39928584360?utm_source=github&utm_medium=referral&page=fix-pr","prType":"fix","templateFieldSources":{"branchName":"default","commitMessage":"default","description":"default","title":"default"},"templateVariants":["updated-fix-title","pr-warning-shown","priorityScore"],"type":"auto","upgrade":["SNYK-RUBY-RACK-1061917"],"vulns":["SNYK-RUBY-RACK-1061917"],"patch":[],"isBreakingChange":false,"remediationStrategy":"vuln"}'
---------
Co-authored-by: snyk-bot <snyk-bot@snyk.io>
Bumps [rexml](https://github.com/ruby/rexml) from 3.3.4 to 3.3.6.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/ruby/rexml/releases">rexml's
releases</a>.</em></p>
<blockquote>
<h2>REXML 3.3.6 - 2024-08-22</h2>
<h3>Improvements</h3>
<ul>
<li>
<p>Removed duplicated entity expansions for performance.</p>
<ul>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/194">GH-194</a></li>
<li>Patch by Viktor Ivarsson.</li>
</ul>
</li>
<li>
<p>Improved namespace conflicted attribute check performance. It was
too slow for deep elements.</p>
<ul>
<li>Reported by l33thaxor.</li>
</ul>
</li>
</ul>
<h3>Fixes</h3>
<ul>
<li>
<p>Fixed a bug that default entity expansions are counted for
security check. Default entity expansions should not be counted
because they don't have a security risk.</p>
<ul>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/198">GH-198</a></li>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/199">GH-199</a></li>
<li>Patch Viktor Ivarsson</li>
</ul>
</li>
<li>
<p>Fixed a parser bug that parameter entity references in internal
subsets are expanded. It's not allowed in the XML specification.</p>
<ul>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/191">GH-191</a></li>
<li>Patch by NAITOH Jun.</li>
</ul>
</li>
<li>
<p>Fixed a stream parser bug that user-defined entity references in
text aren't expanded.</p>
<ul>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/200">GH-200</a></li>
<li>Patch by NAITOH Jun.</li>
</ul>
</li>
</ul>
<h3>Thanks</h3>
<ul>
<li>
<p>Viktor Ivarsson</p>
</li>
<li>
<p>NAITOH Jun</p>
</li>
<li>
<p>l33thaxor</p>
</li>
</ul>
<h2>REXML 3.3.5 - 2024-08-12</h2>
<h3>Fixes</h3>
<ul>
<li>Fixed a bug that
<code>REXML::Security.entity_expansion_text_limit</code>
check has wrong text size calculation in SAX and pull parsers.
<ul>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/193">GH-193</a></li>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/195">GH-195</a></li>
<li>Reported by Viktor Ivarsson.</li>
<li>Patch by NAITOH Jun.</li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/ruby/rexml/blob/master/NEWS.md">rexml's
changelog</a>.</em></p>
<blockquote>
<h2>3.3.6 - 2024-08-22 {#version-3-3-6}</h2>
<h3>Improvements</h3>
<ul>
<li>
<p>Removed duplicated entity expansions for performance.</p>
<ul>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/194">GH-194</a></li>
<li>Patch by Viktor Ivarsson.</li>
</ul>
</li>
<li>
<p>Improved namespace conflicted attribute check performance. It was
too slow for deep elements.</p>
<ul>
<li>Reported by l33thaxor.</li>
</ul>
</li>
</ul>
<h3>Fixes</h3>
<ul>
<li>
<p>Fixed a bug that default entity expansions are counted for
security check. Default entity expansions should not be counted
because they don't have a security risk.</p>
<ul>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/198">GH-198</a></li>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/199">GH-199</a></li>
<li>Patch Viktor Ivarsson</li>
</ul>
</li>
<li>
<p>Fixed a parser bug that parameter entity references in internal
subsets are expanded. It's not allowed in the XML specification.</p>
<ul>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/191">GH-191</a></li>
<li>Patch by NAITOH Jun.</li>
</ul>
</li>
<li>
<p>Fixed a stream parser bug that user-defined entity references in
text aren't expanded.</p>
<ul>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/200">GH-200</a></li>
<li>Patch by NAITOH Jun.</li>
</ul>
</li>
</ul>
<h3>Thanks</h3>
<ul>
<li>
<p>Viktor Ivarsson</p>
</li>
<li>
<p>NAITOH Jun</p>
</li>
<li>
<p>l33thaxor</p>
</li>
</ul>
<h2>3.3.5 - 2024-08-12 {#version-3-3-5}</h2>
<h3>Fixes</h3>
<ul>
<li>Fixed a bug that
<code>REXML::Security.entity_expansion_text_limit</code>
check has wrong text size calculation in SAX and pull parsers.
<ul>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/193">GH-193</a></li>
<li><a
href="https://redirect.github.com/ruby/rexml/issues/195">GH-195</a></li>
<li>Reported by Viktor Ivarsson.</li>
<li>Patch by NAITOH Jun.</li>
</ul>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="95871f399e"><code>95871f3</code></a>
Add 3.3.6 entry</li>
<li><a
href="7cb5eaeb22"><code>7cb5eae</code></a>
parser tree: improve namespace conflicted attribute check
performance</li>
<li><a
href="6109e0183c"><code>6109e01</code></a>
Fix a bug that Stream parser doesn't expand the user-defined entity
reference...</li>
<li><a
href="cb158582f1"><code>cb15858</code></a>
parser: keep the current namespaces instead of stack of Set</li>
<li><a
href="2b47b161db"><code>2b47b16</code></a>
parser: move duplicated end tag check to BaseParser</li>
<li><a
href="35e1681a17"><code>35e1681</code></a>
test tree-parser: move common method to base class</li>
<li><a
href="6e00a14daf"><code>6e00a14</code></a>
test: fix indent</li>
<li><a
href="df3a0cc830"><code>df3a0cc</code></a>
test: fix indent</li>
<li><a
href="fdbffe744b"><code>fdbffe7</code></a>
Use loop instead of recursive call for Element#namespace</li>
<li><a
href="6422fa3449"><code>6422fa3</code></a>
Use loop instead of recursive call for Element#root</li>
<li>Additional commits viewable in <a
href="https://github.com/ruby/rexml/compare/v3.3.4...v3.3.6">compare
view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/chatwoot/chatwoot/network/alerts).
</details>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This PR would update the logos for the integrations (also add the dark mode variants to be used in the future) and updates the logic for enabled / active attributes in the apps.
The following error starting is shown on the console after the ruby
upgrade.
csv.rb was loaded from the standard library, but will no longer be part
of the default gems since Ruby 3.4.0. Add csv to your Gemfile or
gemspec. Also contact author of csv-safe-3.2.1 to add csv into its
gemspec.
Csv-safe has already added a patch via
https://github.com/zvory/csv-safe/pull/20.
This PR updates the version to the latest version of csv-safe (3.3.1)
<p>This PR was automatically created by Snyk using the credentials of a
real user.</p><br
/>
### Snyk has created this PR to fix 2 vulnerabilities in the rubygems
dependencies of this project.
#### Snyk changed the following file(s):
- `Gemfile`
- `Gemfile.lock`
#### Vulnerabilities that will be fixed with an upgrade:
| | Issue | Score |
:-------------------------:|:-------------------------|:-------------------------
 | Improper Input Validation
<br/>[SNYK-RUBY-ACTIONPACK-7210237](https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-7210237)
| **496**
 | Missing Cryptographic Step
<br/>[SNYK-RUBY-OPENSSL-6036190](https://snyk.io/vuln/SNYK-RUBY-OPENSSL-6036190)
| **479**
---
> [!IMPORTANT]
>
> - Check the changes in this PR to ensure they won't cause issues with
your project.
> - Max score is 1000. Note that the real score may have changed since
the PR was raised.
> - This PR was automatically created by Snyk using the credentials of a
real user.
---
**Note:** _You are seeing this because you or someone else with access
to this repository has authorized Snyk to open fix PRs._
For more information: <img
src="https://api.segment.io/v1/pixel/track?data=eyJ3cml0ZUtleSI6InJyWmxZcEdHY2RyTHZsb0lYd0dUcVg4WkFRTnNCOUEwIiwiYW5vbnltb3VzSWQiOiJmMDU0MzI0Yy1kZjU0LTQ2OTMtYTY1NC1kY2MyZGRmODU1MTIiLCJldmVudCI6IlBSIHZpZXdlZCIsInByb3BlcnRpZXMiOnsicHJJZCI6ImYwNTQzMjRjLWRmNTQtNDY5My1hNjU0LWRjYzJkZGY4NTUxMiJ9fQ=="
width="0" height="0"/>
🧐 [View latest project
report](https://app.snyk.io/org/chatwoot/project/b7197bbd-6200-4f23-931d-c39928584360?utm_source=github&utm_medium=referral&page=fix-pr)
📜 [Customise PR
templates](https://docs.snyk.io/scan-using-snyk/pull-requests/snyk-fix-pull-or-merge-requests/customize-pr-templates)
🛠 [Adjust project
settings](https://app.snyk.io/org/chatwoot/project/b7197bbd-6200-4f23-931d-c39928584360?utm_source=github&utm_medium=referral&page=fix-pr/settings)
📚 [Read about Snyk's upgrade
logic](https://support.snyk.io/hc/en-us/articles/360003891078-Snyk-patches-to-fix-vulnerabilities)
---
**Learn how to fix vulnerabilities with free interactive lessons:**
🦉 [Improper Input
Validation](https://learn.snyk.io/lesson/improper-input-validation/?loc=fix-pr)
[//]: #
'snyk:metadata:{"customTemplate":{"variablesUsed":[],"fieldsUsed":[]},"dependencies":[{"name":"dotenv-rails","from":"2.8.1","to":"3.0.0"},{"name":"rails","from":"7.0.8.3","to":"7.0.8.4"},{"name":"rspec-rails","from":"6.0.2","to":"6.0.3"},{"name":"web-push","from":"3.0.0","to":"3.0.1"}],"env":"prod","issuesToFix":[{"exploit_maturity":"No
Known
Exploit","id":"SNYK-RUBY-ACTIONPACK-7210237","priority_score":496,"priority_score_factors":[{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"4.2","score":210},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Improper
Input Validation"},{"exploit_maturity":"No Known
Exploit","id":"SNYK-RUBY-ACTIONPACK-7210237","priority_score":496,"priority_score_factors":[{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"4.2","score":210},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Improper
Input Validation"},{"exploit_maturity":"No Known
Exploit","id":"SNYK-RUBY-ACTIONPACK-7210237","priority_score":496,"priority_score_factors":[{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"4.2","score":210},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Improper
Input Validation"},{"exploit_maturity":"No Known
Exploit","id":"SNYK-RUBY-ACTIONPACK-7210237","priority_score":496,"priority_score_factors":[{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"4.2","score":210},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Improper
Input Validation"},{"exploit_maturity":"No Known
Exploit","id":"SNYK-RUBY-ACTIONPACK-7210237","priority_score":496,"priority_score_factors":[{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"4.2","score":210},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Improper
Input Validation"},{"exploit_maturity":"No Known
Exploit","id":"SNYK-RUBY-ACTIONPACK-7210237","priority_score":496,"priority_score_factors":[{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"4.2","score":210},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Improper
Input Validation"},{"exploit_maturity":"No Known
Exploit","id":"SNYK-RUBY-ACTIONPACK-7210237","priority_score":496,"priority_score_factors":[{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"4.2","score":210},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Improper
Input Validation"},{"exploit_maturity":"No Known
Exploit","id":"SNYK-RUBY-ACTIONPACK-7210237","priority_score":496,"priority_score_factors":[{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"4.2","score":210},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Improper
Input Validation"},{"exploit_maturity":"No Known
Exploit","id":"SNYK-RUBY-ACTIONPACK-7210237","priority_score":496,"priority_score_factors":[{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"4.2","score":210},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Improper
Input Validation"},{"exploit_maturity":"No Known
Exploit","id":"SNYK-RUBY-ACTIONPACK-7210237","priority_score":496,"priority_score_factors":[{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"4.2","score":210},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Improper
Input Validation"},{"exploit_maturity":"No Known
Exploit","id":"SNYK-RUBY-ACTIONPACK-7210237","priority_score":496,"priority_score_factors":[{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"4.2","score":210},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Improper
Input Validation"},{"exploit_maturity":"No Known
Exploit","id":"SNYK-RUBY-ACTIONPACK-7210237","priority_score":496,"priority_score_factors":[{"type":"freshness","label":true,"score":71},{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"4.2","score":210},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Improper
Input Validation"},{"exploit_maturity":"No Known
Exploit","id":"SNYK-RUBY-OPENSSL-6036190","priority_score":479,"priority_score_factors":[{"type":"fixability","label":true,"score":214},{"type":"cvssScore","label":"5.3","score":265},{"type":"scoreVersion","label":"v1","score":1}],"severity":"medium","title":"Missing
Cryptographic
Step"}],"prId":"f054324c-df54-4693-a654-dcc2ddf85512","prPublicId":"f054324c-df54-4693-a654-dcc2ddf85512","packageManager":"rubygems","priorityScoreList":[496,479],"projectPublicId":"b7197bbd-6200-4f23-931d-c39928584360","projectUrl":"https://app.snyk.io/org/chatwoot/project/b7197bbd-6200-4f23-931d-c39928584360?utm_source=github&utm_medium=referral&page=fix-pr","prType":"fix","templateFieldSources":{"branchName":"default","commitMessage":"default","description":"default","title":"default"},"templateVariants":["priorityScore"],"type":"auto","upgrade":["SNYK-RUBY-ACTIONPACK-7210237","SNYK-RUBY-OPENSSL-6036190"],"vulns":["SNYK-RUBY-ACTIONPACK-7210237","SNYK-RUBY-OPENSSL-6036190"],"patch":[],"isBreakingChange":true,"remediationStrategy":"vuln"}'
Co-authored-by: snyk-bot <snyk-bot@snyk.io>
