licensed 4.5.0 → 5.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d7d2ea0e055fe77e271036b11cc0494a3258e4a7f912bea4b135da327f7c6b16
-  data.tar.gz: eba319d54b8bc1865e25c325113b85fe3e151f5dfe52fe17059400bfbff4d6ea
+  metadata.gz: a22bd24126e9a99d7a60f24fa920d02064d5c004c84324da503b6042f638b92d
+  data.tar.gz: e7842f4ae50ad4ef0b597121b11b9275818ad6ce70015ddce7bde900ce9024ee
 SHA512:
-  metadata.gz: cb1676bd29d609faf6bab6b32a8c54599ab7a3b508e0ade9c59ca6f6538923420540b78ac2074af343bc3dc8eceb611a74f4f3dc921ea0fef95eefc596f77395
-  data.tar.gz: 26ca34201fe2c44c1dfe2bf2168720b885b051aca5e143225348febfc34d24d5e3b17845224fb543e5187aea370bcbf2c446f5e37e3d5c8028054f3cc3e061c3
+  metadata.gz: c2564fe6cd8182d85c735621fb92aa449f4465cbffc23fe7ed00760b07437f8b3a6d32720277472906926d8b579152f0a3b6fe6be62b99ae61b87dabb81c68fb
+  data.tar.gz: '038682180f0bffbe7582ef0fbaaf5d7847173fd8af06d5354e4adbc6916f5702116fb1483b645ca2956b85908140340b27fb39371d371d4b553804fcba67d1d8'

data/CHANGELOG.md

@@ -6,6 +6,28 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+
+## 5.0.1
+
+- Updated dependencies as needed for security fixes
+
+## 5.0.0
+
+### Breaking change
+
+- Only supports Ruby 3.0+ due to nokogiri upgrade
+
+### Changed
+
+- Ensure homepage string is not too long in cabal.rb to avoid DOS attack
+- Update dependencies
+
+## 4.5.0
+
+### Changed
+
+- Bumped a number of dependencies for security fixes
+
 ## 4.4.0
 
 ### Added
@@ -132,7 +154,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ### Fixed
 
 - Comparing dependency license contents now finds matching contents regardless of the order of the licenses (https://github.com/github/licensed/pull/516)
-- Fixed typo in a link in README.md (https://github.com/github/licensed/pull/514) 
+- Fixed typo in a link in README.md (https://github.com/github/licensed/pull/514)
 
 ### Changed
 

data/Gemfile.lock

@@ -1,12 +1,12 @@
 PATH
   remote: .
   specs:
-    licensed (4.5.0)
+    licensed (5.0.1)
       json (~> 2.6)
       licensee (~> 9.16)
       parallel (~> 1.22)
       pathname-common_prefix (~> 0.0.1)
-      reverse_markdown (~> 2.1)
+      reverse_markdown (>= 2.1, < 4.0)
       ruby-xxHash (~> 0.4.0)
       thor (~> 1.2)
       tomlrb (~> 2.0)
@@ -24,56 +24,60 @@ GEM
       minitest (>= 5.1)
       mutex_m
       tzinfo (~> 2.0)
-    addressable (2.8.1)
-      public_suffix (>= 2.0.2, < 6.0)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
     ast (2.4.2)
     base64 (0.2.0)
     bigdecimal (3.1.7)
     byebug (11.1.3)
     concurrent-ruby (1.2.3)
     connection_pool (2.4.1)
-    dotenv (2.8.1)
+    dotenv (3.1.4)
     drb (2.2.1)
-    faraday (2.7.4)
-      faraday-net_http (>= 2.0, < 3.1)
-      ruby2_keywords (>= 0.0.4)
-    faraday-net_http (3.0.2)
+    faraday (2.12.1)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
+    faraday-net_http (3.4.0)
+      net-http (>= 0.5.0)
     i18n (1.14.4)
       concurrent-ruby (~> 1.0)
-    json (2.7.2)
-    licensee (9.16.0)
-      dotenv (~> 2.0)
-      octokit (>= 4.20, < 7.0)
-      reverse_markdown (>= 1, < 3)
+    json (2.8.2)
+    licensee (9.18.0)
+      dotenv (>= 2, < 4)
+      octokit (>= 4.20, < 10.0)
+      reverse_markdown (>= 1, < 4)
       rugged (>= 0.24, < 2.0)
       thor (>= 0.19, < 2.0)
-    mini_portile2 (2.8.1)
-    minitest (5.24.1)
-    minitest-hooks (1.5.1)
+    logger (1.6.1)
+    mini_portile2 (2.8.8)
+    minitest (5.25.1)
+    minitest-hooks (1.5.2)
       minitest (> 5.3)
-    mocha (2.4.5)
+    mocha (2.6.1)
       ruby2_keywords (>= 0.0.5)
     mutex_m (0.2.0)
-    nokogiri (1.15.6)
-      mini_portile2 (~> 2.8.0)
+    net-http (0.5.0)
+      uri
+    nokogiri (1.16.7)
+      mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
-    octokit (6.1.0)
+    octokit (9.2.0)
       faraday (>= 1, < 3)
       sawyer (~> 0.9)
-    parallel (1.25.1)
+    parallel (1.26.3)
     parser (3.2.0.0)
       ast (~> 2.4.1)
     pathname-common_prefix (0.0.2)
-    public_suffix (5.0.1)
-    racc (1.6.2)
+    public_suffix (6.0.1)
+    racc (1.8.1)
     rack (3.0.9.1)
     rainbow (3.1.1)
     rake (13.2.1)
     regexp_parser (2.6.2)
-    reverse_markdown (2.1.1)
+    reverse_markdown (3.0.0)
       nokogiri
-    rexml (3.3.3)
-      strscan
+    rexml (3.3.9)
     rubocop (1.45.1)
       json (~> 2.3)
       parallel (~> 1.10)
@@ -100,16 +104,16 @@ GEM
     ruby-progressbar (1.11.0)
     ruby-xxHash (0.4.0.2)
     ruby2_keywords (0.0.5)
-    rugged (1.5.1)
+    rugged (1.7.2)
     sawyer (0.9.2)
       addressable (>= 2.3.5)
       faraday (>= 0.17.3, < 3)
-    strscan (3.1.0)
-    thor (1.3.1)
+    thor (1.3.2)
     tomlrb (2.0.3)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.4.2)
+    uri (1.0.2)
 
 PLATFORMS
   ruby

data/README.md

@@ -21,7 +21,7 @@ Licensed v3 includes a breaking change if both of the following are true:
 1. a project uses bundler to manage ruby dependencies
 2. a project uses the self-contained executable build of licensed
 
-All other usages of licensed should not encounter any major changes migrating from the latest 2.x build to 3.0.  
+All other usages of licensed should not encounter any major changes migrating from the latest 2.x build to 3.0.
 
 See [CHANGELOG.md](./CHANGELOG.md) for more details on what's changed.
 See the [v3 migration documentation](./docs/migrations/v3.md) for more info on migrating to v3.
@@ -94,7 +94,7 @@ To get started after checking out the repo, run
 
 You can also run `script/console` for an interactive prompt that will allow you to experiment.
 
-To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then create a release on GitHub.
 
 ### Adding a new source
 

data/lib/licensed/sources/cabal.rb

@@ -71,6 +71,12 @@ module Licensed
       # Returns a homepage url that enforces https and removes url fragments
       def safe_homepage(homepage)
         return unless homepage
+        # Ensure there's no denial of service issue with a long homepage
+        # 1000 characters is likely enough for any real project homepage
+        # See https://github.com/github/licensed/security/code-scanning/1
+        if homepage.length > 1000
+          raise ArgumentError, "Input too long"
+        end
         # use https and remove url fragment
         homepage.gsub(/http:/, "https:")
                 .gsub(/#[^?]*\z/, "")

data/lib/licensed/version.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 module Licensed
-  VERSION = "4.5.0".freeze
+  VERSION = "5.0.1".freeze
 
   def self.previous_major_versions
     major_version = Gem::Version.new(Licensed::VERSION).segments.first

data/licensed.gemspec

@@ -21,7 +21,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.required_ruby_version = ">= 2.7.0"
+  spec.required_ruby_version = ">= 3.0.0"
 
   spec.add_dependency "licensee", "~> 9.16"
   spec.add_dependency "thor", "~> 1.2"
@@ -29,7 +29,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "tomlrb", "~> 2.0"
   spec.add_dependency "ruby-xxHash", "~> 0.4.0"
   spec.add_dependency "parallel", "~> 1.22"
-  spec.add_dependency "reverse_markdown", "~> 2.1"
+  spec.add_dependency "reverse_markdown", ">= 2.1", "< 4.0"
   spec.add_dependency "json", "~> 2.6"
 
   spec.add_development_dependency "rake", "~> 13.0"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: licensed
 version: !ruby/object:Gem::Version
-  version: 4.5.0
+  version: 5.0.1
 platform: ruby
 authors:
 - GitHub
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2024-08-06 00:00:00.000000000 Z
+date: 2024-12-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: licensee
@@ -98,16 +98,22 @@ dependencies:
   name: reverse_markdown
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
         version: '2.1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '4.0'
 - !ruby/object:Gem::Dependency
   name: json
   requirement: !ruby/object:Gem::Requirement
@@ -335,14 +341,14 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 2.7.0
+      version: 3.0.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.19
+rubygems_version: 3.3.26
 signing_key: 
 specification_version: 4
 summary: Extract and validate the licenses of dependencies.