🚨 [security] Upgrade jekyll: 3.4.1 → 3.6.3 (minor)

[depfu]

---

🚨 Your version of jekyll has known security vulnerabilities 🚨

Advisory: CVE-2018-17567
Disclosed: September 28, 2018
URL: https://jekyllrb.com/news/2018/09/19/security-fixes-for-3-6-3-7-3-8/

Jekyll _config.yml privilege escalation

Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the "include" key in the "_config.yml" file.

🚨 We recommend to merge and deploy this update as soon as possible! 🚨

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ jekyll (3.4.1 → 3.6.3) · Repo · Changelog

Release Notes

3.6.0

Minor Enhancements

• Ignore final newline in folded YAML string (#6054)
• Add URL checks to Doctor (#5760)
• Fix serving files that clash with directories (#6222) (#6231)
• Bump supported Ruby version to >= 2.1.0 (#6220)
• set LiquidError#template_name for errors in included file (#6206)
• Access custom config array throughout session (#6200)
• Add support for Rouge 2, in addition to Rouge 1 (#5919)
• Allow yield to logger methods & bail early on no-op messages (#6315)
• Update mime-types. (#6336)
• Use a Schwartzian transform with custom sorting (#6342)
• Alias Drop#invoke_drop to Drop#[] (#6338)

Bug Fixes

• Deprecator: fix typo for --serve command (#6229)
• Reader#read_directories: guard against an entry not being a directory (#6226)
• kramdown: symbolize keys in-place (#6247)
• Call to_s on site.url before attempting to concatenate strings (#6253)
• Enforce Style/FrozenStringLiteralComment (#6265)
• Update theme-template README to note 'assets' directory (#6257)
• Memoize the return value of Document#url (#6266)
• delegate StaticFile#to_json to StaticFile#to_liquid (#6273)
• Fix Drop#key? so it can handle a nil argument (#6281)
• Guard against type error in absolute url (#6280)
• Mutable drops should fallback to their own methods when a mutation isn't present (#6350)
• Skip adding binary files as posts (#6344)
• Don't break if bundler is not installed (#6377)

Documentation

• Fix a typo in custom-404-page.md (#6218)
• Docs: fix links to issues in History.markdown (#6255)
• Update deprecated gems key to plugins. (#6262)
• Fixes minor typo in post text (#6283)
• Execute build command using bundle. (#6274)
• name unification - buddy details (#6317)
• name unification - application index (#6318)
• trim and relocate plugin info across docs (#6311)
• update Jekyll's README (#6321)
• add SUPPORT file for GitHub (#6324)
• Rename CODE_OF_CONDUCT to show in banner (#6325)
• Docs : illustrate page.id for a collection's document (#6329)
• Docs: post's date can be overriden in YAML front matter (#6334)
• Docs: site.url behavior on development and production environments (#6270)
• Fix typo in site.url section of variables.md :-[ (#6337)
• Docs: updates (#6343)
• Fix precedence docs (#6346)
• add note to contributing docs about script/console (#6349)
• Docs: Fix permalink example (#6375)

Site Enhancements

• Adding DevKit helpers (#6225)
• Customizing url in collection elements clarified (#6264)
• Plugins is the new gems (#6326)

Development Fixes

• Strip unnecessary leading whitespace in template (#6228)
• Users should be installing patch versions. (#6198)
• Fix tests (#6240)
• Define path with __dir__ (#6087)
• exit site.process sooner (#6239)
• make flakey test more robust (#6277)
• Add a quick test for DataReader (#6284)
• script/backport-pr: commit message no longer includes the # (#6289)
• Add Add CODEOWNERS file to help automate reviews. (#6320)
• Fix builds on codeclimate (#6333)
• Bump rubies on Travis (#6366)

3.5.1

Minor Enhancements

• Use Warn for deprecation messages (#6192)
• site template: Use plugins key instead of gems (#6045)

Bug Fixes

• Backward compatiblize URLFilters module (#6163)
• Static files contain front matter default keys when to_liquid'd (#6162)
• Always normalize the result of the relative_url filter (#6185)

Documentation

• Update reference to trouble with OS X/macOS (#6139)
• added BibSonomy plugin (#6143)
• add plugins for multiple page pagination (#6055)
• Update minimum Ruby version in installation.md (#6164)
• [docs] Add information about finding a collection in site.collections (#6165)
• Add {%raw%} to Liquid example on site (#6179)
• Added improved Pug plugin - removed 404 Jade plugin (#6174)
• Linking the link (#6210)
• Small correction in documentation for includes (#6193)
• Fix docs site page margin (#6214)

Development Fixes

• Add jekyll doctor to GitHub Issue Template (#6169)
• Test with Ruby 2.4.1-1 on AppVeyor (#6176)
• set minimum requirement for jekyll-feed (#6184)

3.5.0

Minor Enhancements

• Upgrade to Liquid v4 (#4362)
• Convert StaticFile liquid representation to a Drop & add front matter defaults support to StaticFiles (#5871)
• Add support for Tab-Separated Values data files (*.tsv) (#5985)
• Specify version constraint in subcommand error message. (#5974)
• Add a template for custom 404 page (#5945)
• Require runtime_dependencies of a Gem-based theme from its .gemspec file (#5914)
• Don't raise an error if URL contains a colon (#5889)
• Date filters should never raise an exception (#5722)
• add plugins config key as replacement for gems (#5130)
• create configuration from options only once in the boot process (#5487)
• Add option to fail a build with front matter syntax errors (#5832)
• Disable default layouts for documents with a layout: none declaration (#5933)
• In jekyll new, make copied site template user-writable (#6072)
• Add top-level layout liquid variable to Documents (#6073)
• Address reading non-binary static files in themes (#5918)
• Allow filters to sort & select based on subvalues (#5622)
• Add strip_index filter (#6075)

Documentation

• Install troubleshooting on Ubuntu (#5817)
• Add Termux section on troubleshooting (#5837)
• fix ial css classes in theme doc (#5876)
• Update installation.md (#5880)
• Update Aerobatic docs (#5883)
• Add note to collections doc on hard-coded collections. (#5882)
• Makes uri_escape template docs more specific. (#5887)
• Remove duplicate footnote_nr from default config (#5891)
• Fixed tutorial for publishing gem to include repo. (#5900)
• update broken links (#5905)
• Fix typo in contribution information (#5910)
• update plugin repo URL to reflect repo move (#5916)
• Update exclude array in configuration.md (#5947)
• Fixed path in "Improve this page" link in Tutorials section (#5951)
• Corrected permalink (#5949)
• Included more details about adding defaults to static files (#5971)
• Create buddyworks (#5962)
• added (buddyworks) to ci list (#5965)
• Add a tutorial on serving custom Error 404 page (#5946)
• add custom 404 to tutorial navigation (#5978)
• Add link to order of interpretation tutorial in Tutorials nav (#5952)
• Document Jekyll's Philosophy (#5792)
• Require Ruby > 2.1.0 (#5983)
• Fix broken link (#5994)
• Default options for script/proof (#5995)
• Mention Bash on Ubuntu on Windows (#5960)
• Document --unpublished flag introduced in 91e9ecf (#5959)
• Update upgrading.md to mention usage of bundle update (#5604)
• Fix missing quotation mark (#6002)
• New tutorial: Convert an HTML site to Jekyll (#5881)
• Revamp Permalink section (#5912)
• Fixup tutorial on creating theme from existing HTML templates (#6006)
• Standardise on "URLs" without apostrophe in docs (#6018)
• Added txtpen in tutorial (#6021)
• fix typo using past participle (#6026)
• changed formatting to fit the style of the documentation (#6027)
• doc fix typo word usage (#6028)
• corrected reference to layout in index.md (#6032)
• (Minor) Update MathJax CDN (#6013)
• Add MvvmCross to samples (#6035)
• Update travis-ci.md to correct procedure (#6043)
• fix sentence in documentation (#6048)
• rephrase a sentence in posts.md to be more direct (#6049)
• Compress Website Sass output (#6009)
• doc correct spelling error (#6050)
• adjusted date-format in sitemap (#6053)
• Typo fix (welcomed change -> welcome change). (#6070)
• Fixed documentation inconsistency (#6068)
• Add own plugin -> Jekyll Brand Social Wall (#6064)
• Added plugin jekyll-analytics (#6042)
• Use more precise language when explaining links (#6078)
• Update plugins.md (#6088)
• windows 10 tutorial (#6100)
• Explain how to override theme styles (#6107)
• updated Bash on Ubuntu on Windows link in tutorial (#6111)
• Fix wording in _docs/templates.md links section (#6114)
• Update windows.md (#6115)
• Added windows to docs.yml (#6109)
• Be more specific on what to upload (#6119)
• Remove Blank Newlines from "Jekyll on Windows" Page (#6126)
• Link the troubleshooting page in the quickstart page (#6134)
• add documentation about the "pinned" label (#6147)
• docs(JekyllOnWindows): Add a new Installation way (#6141)
• corrected windows.md (#6149)
• Refine documentation for Windows (#6153)

Development Fixes

• [Rubocop] add missing comma (#5835)
• Appease classifier-reborn (#5934)
• Allow releases & development on *-stable branches (#5926)
• Add script/backport-pr (#5925)
• Prefer .yaml over .toml (#5966)
• Fix Appveyor with DST-aware cucumber steps (#5961)
• Use Rubocop v0.47.1 till we're ready for v0.48 (#5989)
• Test against Ruby 2.4.0 (#5687)
• rubocop: lib/jekyll/renderer.rb complexity fixes (#5052)
• Use yajl-ruby 1.2.2 (now with 2.4 support) (#6007)
• Bump Rubocop to v0.48 (#5997)
• doc use example.com (#6031)
• fix typo (#6040)
• Fix CI (#6044)
• Remove ruby RUBY_VERSION from generated Gemfile (#5803)
• Test if hidden collections output a document with a future date (#6103)
• Add test for uri_escape on reserved characters (#6086)
• Allow you to specify the rouge version via an environment variable for testing (#6138)
• Bump Rubocop to 0.49.1 (#6093)
• Lock nokogiri to 1.7.x for Ruby 2.1 (#6140)

Site Enhancements

• Corrected date for version 3.4.0 (#5842)
• Add the correct year to the 3.4.0 release date (#5858)
• Add documentation about order of interpretation (#5834)
• Documentation on how to build navigation (#5698)
• Navigation has been moved out from docs (#5927)
• Make links in sidebar for current page more prominent (#5820)
• Update normalize.css to v6.0.0 (#6008)
• Docs: rename gems to plugins (#6082)
• plugins -> gems (#6110)
• Document difference between cgi_escape and uri_escape #5970 (#6081)

Bug Fixes

• Exclude Gemfile by default (#5860)
• Convertible#validate_permalink!: ensure the return value of data["permalink"] is a string before asking if it is empty (#5878)
• Allow abbreviated post dates (#5920)
• Remove dependency on include from default about.md (#5903)
• Allow colons in uri_escape filter (#5957)
• Re-surface missing public methods in Jekyll::Document (#5975)
• absolute_url should not mangle URL if called more than once (#5789)
• patch URLFilters to prevent // (#6058)
• add test to ensure variables work in where_exp condition (#5315)
• Read explicitly included dot-files in collections. (#6092)
• Default baseurl to nil instead of empty string (#6137)
• Filters#time helper: Duplicate time before calling #localtime. (#5996)

3.4.5

• Backport #6185 for v3.4.x: Always normalize the result of the relative_url filter (#6186)

3.4.4

Backport #6137 for v3.4.x: Default baseurl to nil. (#6146)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ addressable (indirect, 2.5.2 → 2.6.0) · Repo · Changelog

Release Notes

2.6.0 (from changelog)

• added tld= method to allow assignment to the public suffix
• most heuristic_parse patterns are now case-insensitive
• heuristic_parse handles more file:// URI variations
• fixes bug in heuristic_parse when uri starts with digit
• fixes bug in request_uri= with query strings
• fixes template issues with nil and ? operator
• frozen_string_literal pragmas added
• minor performance improvements in regexps
• fixes to eliminate warnings

Does any of this look wrong? Please let us know.

↗️ ffi (indirect, 1.9.23 → 1.11.1) · Repo · Changelog

Release Notes

1.11.1 (from changelog)

Changed:

• Raise required ruby version to >=2.0. #699, #700
• Fix a possible linker error on ruby < 2.3 on Linux.

1.11.0 (from changelog)

Added:

• Add ability to disable or force use of system libffi. #669 Use like gem inst ffi -- --enable-system-libffi .
• Add ability to call FFI callbacks from outside of FFI call frame. #584
• Add proper documentation to FFI::Generator and ::Task
• Add gemspec metadata. #696, #698

Changed:

• Fix stdcall on Win32. #649, #669
• Fix load paths for FFI::Generator::Task
• Fix FFI::Pointer#read_string(0) to return a binary String. #692
• Fix benchmark suite so that it runs on ruby-2.x
• Move FFI::Platform::CPU from C to Ruby. #663
• Move FFI::StructByReference to Ruby. #681
• Move FFI::DataConverter to Ruby (#661)
• Various cleanups and improvements of specs and benchmarks

Removed:

• Remove ruby-1.8 and 1.9 compatibility code. #683
• Remove unused spec files. #684

1.10.0 (from changelog)

Added:

• Add /opt/local/lib/ to ffi's fallback library search path. #638
• Add binary gem support for ruby-2.6 on Windows
• Add FreeBSD on AArch64 and ARM support. #644
• Add FFI::LastError.winapi_error on Windows native or Cygwin. #633

Changed:

• Update to rake-compiler-dock-0.7.0
• Use 64-bit inodes on FreeBSD >= 12. #644
• Switch time_t and suseconds_t types to long on FreeBSD. #627
• Make register_t long_long on 64-bit FreeBSD. #644
• Fix Pointer#write_array_of_type #637

Removed:

• Drop binary gem support for ruby-2.0 and 2.1 on Windows

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-sass-converter (indirect, 1.5.0 → 1.5.2) · Repo · Changelog

Release Notes

1.5.2

Development Fixes

• Test against Ruby 2.5 (#68)

1.5.1

• Security: Bump Rubocop to 0.51
• Style: Define path with __dir__ (#60)
• Style: Inherit Jekyll's rubocop config for consistency (#61)
• Dev: Update Travis config (#62) - Drop support for Jekyll 2.x and Ruby 2.0
• Dev: Fix script/release

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 18 commits:

• Release :gem: v1.5.2
• Cleanup
• Move example to docs
• Run CI before releasing
• Update history to reflect merge of #68 [ci skip]
• Test against Ruby 2.5 (#68)
• Update LICENSE.txt
• Update Copyright notice
• Update History.markdown
• Fix script/release
• Release :gem: 1.5.1
• Security: Bump Rubocop
• Update history to reflect merge of #60 [ci skip]
• Define path with __dir__ (#60)
• Update history to reflect merge of #61 [ci skip]
• Inherit Jekyll's rubocop config for consistency (#61)
• Update history to reflect merge of #62 [ci skip]
• Modernize Travis config (#62)

↗️ jekyll-watch (indirect, 1.5.0 → 1.5.1) · Repo · Changelog

Release Notes

1.5.1

• Remove version lock for listen dependency #50
• Inherit Jekyll's Rubocop configuration #51
• Drop support for Jekyll 2.x and Ruby 2.0 #55
• Ouput fil path to terminal #57

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 18 commits:

• Release :gem: 1.5.1
• Add script/release
• Move version to its own file for easier bumping
• Security: Bump Rubocop
• Stick to Ruby 2.1
• Update history to reflect merge of #55 [ci skip]
• Drop support for old Ruby and old Jekyll (#55)
• Update history to reflect merge of #53 [ci skip]
• Update jekyll-watch (#53)
• Update history to reflect merge of #51 [ci skip]
• Inherit Jekyll's rubocop config for consistency (#51)
• Update history to reflect merge of #50 [ci skip]
• Remove version lock for dependency listen (#50)
• Update history to reflect merge of #48 [ci skip]
• Define path with __dir__ (#48)
• Update history to reflect merge of #43 [ci skip]
• Merge pull request #43 from ashmaroli/fix-travis
• update versions for Travis

↗️ kramdown (indirect, 1.14.0 → 1.17.0) · Repo · Changelog

↗️ liquid (indirect, 3.0.6 → 4.0.3) · Repo · Changelog

Release Notes

4.0.3 (from changelog)

Fixed

• Fix break and continue tags inside included templates in loops (#1072) [Justin Li]

4.0.2 (from changelog)

Changed

• Add where filter (#1026) [Samuel Doiron]
• Add ParseTreeVisitor to iterate the Liquid AST (#1025) [Stephen Paul Weber]
• Improve strip_html performance (#1032) [printercu]

Fixed

• Add error checking for invalid combinations of inputs to sort, sort_natural, where, uniq, map, compact filters (#1059) [Garland Zhang]
• Validate the character encoding in url_decode (#1070) [Clayton Smith]

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ listen (indirect, 3.0.8 → 3.1.5) · Repo · Changelog

Release Notes

3.1.5

Bugfixes

• #394 prevent crashes when Listen is stopped too soon (e.g. before being started or initialized)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ pathutil (indirect, 0.14.0 → 0.16.2) · Repo

Commits

See the full diff on Github. The new version differs by 18 commits:

• :package: v0.16.2
• Bring back Ruby 2.5 compatibility.
• Fix Benchmarking.
• Update .travis.yml
• Add Pathname.
• Sync development files.
• Fix deprecation with RubyGems.
• Update the Gitignore.
• :package: v0.16.1
• Add Pathutil#[], so we are compatible with RSpec.
• :package: v0.16.0
• Reorganize some stuff.
• Pathutil added `#empty?` in 2.4.
• Update Copyright year.
• Do a little cleanup.
• Fix #3: Remove `luna-rubocop-formatters`.
• Drop CodeClimate.
• Fix the homepage URL in the gemspec. (#2)

↗️ public_suffix (indirect, 3.0.2 → 3.1.1) · Repo · Changelog

Release Notes

3.1.1 (from changelog)

• CHANGED: Updated definitions.
• CHANGED: Rolled back support for Ruby 2.3 (GH-161, GH-162)

IMPORTANT: 3.x is the latest version compatible with Ruby 2.1 and Ruby 2.2.

3.1.0 (from changelog)

• CHANGED: Updated definitions.
• CHANGED: Minimum Ruby version is 2.3
• CHANGED: Upgraded to Bundler 2.x

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 20 commits:

• Release 3.1.1
• Reinstate support to Ruby 2.1 and 2.2
• Update PSL
• Fix version in README
• Release 3.1.0
• Update definitions list (#160)
• Upgrade to Rubocop 0.70
• Fix version mismatch
• Minimum Ruby version is 2.3
• Upgrade Bundler
• Make Travis happy
• Fix typo in comment (#159)
• Fix offenses
• Switch to CodeCov
• Update .travis.yml
• Release 3.0.3
• Update definitions (#154)
• Fix Rubocop new warnings
• Update .rubocop_defaults.yml (#153)
• Update docblock

↗️ rb-fsevent (indirect, 0.10.2 → 0.10.3) · Repo

Release Notes

0.10.3

• Fix abnormal termination fails silently + burns cpu (#81)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

• version bump
• Merge pull request #81 from saluzafa/master
• Merge branch 'master' of github.com:saluzafa/rb-fsevent
• remove useless part rescue EOFError since it's being catched at line 82 (EOFError is a child class of IOError)
• remove useless part rescue EOFError since it's being catched at line 82 (EOFError is a child class of IOError)
• abnormal termination fails silently + burns cpu
• update information about HFS+ corruption bug
• RubyCocoa hasn't been a thing for many years now. It's no longer worth mentioning.

↗️ rb-inotify (indirect, 0.9.10 → 0.10.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rouge (indirect, 1.11.1 → 2.2.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ safe_yaml (indirect, 1.0.4 → 1.0.5) · Repo · Changelog

Release Notes

1.0.5 (from changelog)

• fixed #80: uninitialized constant DateTime

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

• Exclude built *.gem files from version control
• Bump version to 1.0.5
• Merge pull request #90 from elifoster/fix-80
• Fix uninitialized constant DateTime
• removed store.yaml from repo
• updated tests for SafeYAML::Store
• Merge pull request #68 from blackwinter/add-safe_yaml-store
• Add SafeYAML::Store, a YAML::Store variant that uses SafeYAML.load instead of YAML.load.

↗️ sass (indirect, 3.5.1 → 3.7.4) · Repo

Sorry, we couldn't find anything useful about this release.

🆕 ruby_dep (added, 1.5.0)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)