From aa5736ddab4a9182d0c30ef5ba0efa9fd5c77b5d Mon Sep 17 00:00:00 2001 From: Dan Milne Date: Sun, 21 Jun 2026 13:51:23 +1000 Subject: [PATCH] Update gems and fix lint to clear CI failures Bumps dependencies (jwt 3.2.0, puma 8.0.2, net-imap 0.6.4.1 and others via bundle update) to resolve bundler-audit advisories, and applies standardrb autofixes so the lint job passes. Co-Authored-By: Claude Opus 4.8 (1M context) --- Gemfile.lock | 110 +++++++++--------- .../api/forward_auth_controller.rb | 4 +- app/controllers/concerns/authentication.rb | 2 +- app/helpers/application_helper.rb | 2 +- app/lib/private_address_check.rb | 2 +- app/mailers/totp_mailer.rb | 2 +- ...dd_oidc_authorization_code_id_to_tokens.rb | 4 +- .../admin/groups_controller_test.rb | 2 +- .../api/forward_auth_controller_test.rb | 4 +- test/test_helpers/session_test_helper.rb | 6 +- 10 files changed, 71 insertions(+), 67 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 9ee083d..702fd67 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,7 +1,7 @@ GEM remote: https://rubygems.org/ specs: - action_text-trix (2.1.18) + action_text-trix (2.1.19) railties actioncable (8.1.3) actionpack (= 8.1.3) @@ -85,9 +85,9 @@ GEM bigdecimal (4.1.2) bindata (2.5.1) bindex (0.8.1) - bootsnap (1.24.1) + bootsnap (1.24.6) msgpack (~> 1.2) - brakeman (8.0.4) + brakeman (8.0.5) racc builder (3.3.0) bundler-audit (0.9.3) @@ -102,11 +102,11 @@ GEM rack-test (>= 0.6.3) regexp_parser (>= 1.5, < 3.0) xpath (~> 3.2) - cbor (0.5.10.2) + cbor (0.5.10.3) childprocess (5.1.0) logger (~> 1.5) chunky_png (1.4.0) - concurrent-ruby (1.3.6) + concurrent-ruby (1.3.7) connection_pool (3.0.2) cose (1.3.1) cbor (~> 0.5.9) 
@@ -131,12 +131,12 @@ GEM ffi (1.17.4-arm64-darwin) ffi (1.17.4-x86_64-linux-gnu) ffi (1.17.4-x86_64-linux-musl) - fugit (1.12.1) + fugit (1.12.2) et-orbi (~> 1.4) raabro (~> 1.4) globalid (1.3.0) activesupport (>= 6.1) - i18n (1.14.8) + i18n (1.15.2) concurrent-ruby (~> 1.0) image_processing (1.14.0) mini_magick (>= 4.9.5, < 6) @@ -151,13 +151,13 @@ GEM prism (>= 1.3.0) rdoc (>= 4.0.0) reline (>= 0.4.2) - jbuilder (2.14.1) + jbuilder (2.15.1) actionview (>= 7.0.0) activesupport (>= 7.0.0) - json (2.19.4) - jwt (3.1.2) + json (2.19.9) + jwt (3.2.0) base64 - kamal (2.11.0) + kamal (2.12.0) activesupport (>= 7.0) base64 (~> 0.2) bcrypt_pbkdf (~> 1.0) @@ -186,14 +186,14 @@ GEM net-imap net-pop net-smtp - marcel (1.1.0) + marcel (1.2.1) matrix (0.4.3) mini_magick (5.3.1) logger mini_mime (1.1.5) minitest (5.27.0) - msgpack (1.8.0) - net-imap (0.6.4) + msgpack (1.8.3) + net-imap (0.6.4.1) date net-protocol net-pop (0.1.2) @@ -208,25 +208,25 @@ GEM net-protocol net-ssh (7.3.2) nio4r (2.7.5) - nokogiri (1.19.3-aarch64-linux-gnu) + nokogiri (1.19.4-aarch64-linux-gnu) racc (~> 1.4) - nokogiri (1.19.3-aarch64-linux-musl) + nokogiri (1.19.4-aarch64-linux-musl) racc (~> 1.4) - nokogiri (1.19.3-arm-linux-gnu) + nokogiri (1.19.4-arm-linux-gnu) racc (~> 1.4) - nokogiri (1.19.3-arm-linux-musl) + nokogiri (1.19.4-arm-linux-musl) racc (~> 1.4) - nokogiri (1.19.3-arm64-darwin) + nokogiri (1.19.4-arm64-darwin) racc (~> 1.4) - nokogiri (1.19.3-x86_64-linux-gnu) + nokogiri (1.19.4-x86_64-linux-gnu) racc (~> 1.4) - nokogiri (1.19.3-x86_64-linux-musl) + nokogiri (1.19.4-x86_64-linux-musl) racc (~> 1.4) - openssl (4.0.1) + openssl (4.0.2) openssl-signature_algorithm (1.3.0) openssl (> 2.0) ostruct (0.6.3) - parallel (1.28.0) + parallel (2.1.0) parser (3.3.11.1) ast (~> 2.4.1) racc 
@@ -238,11 +238,11 @@ GEM actionpack (>= 7.0.0) activesupport (>= 7.0.0) rack - psych (5.3.1) + psych (5.4.0) date stringio public_suffix (7.0.5) - puma (8.0.1) + puma (8.0.2) nio4r (~> 2.0) raabro (1.4.0) racc (1.8.1) @@ -299,11 +299,11 @@ GEM chunky_png (~> 1.0) rqrcode_core (~> 2.0) rqrcode_core (2.1.0) - rubocop (1.84.2) + rubocop (1.87.0) json (~> 2.3) language_server-protocol (~> 3.17.0.2) lint_roller (~> 1.1.0) - parallel (~> 1.10) + parallel (>= 1.10) parser (>= 3.3.0.2) rainbow (>= 2.2.2, < 4.0) regexp_parser (>= 2.9.3, < 3.0) @@ -321,20 +321,20 @@ GEM ruby-vips (2.3.0) ffi (~> 1.12) logger - rubyzip (3.2.2) + rubyzip (3.4.0) safety_net_attestation (0.5.0) jwt (>= 2.0, < 4.0) securerandom (0.4.1) - selenium-webdriver (4.43.0) + selenium-webdriver (4.45.0) base64 (~> 0.2) logger (~> 1.4) rexml (~> 3.2, >= 3.2.5) rubyzip (>= 1.2.2, < 4.0) websocket (~> 1.0) - sentry-rails (6.5.0) + sentry-rails (6.6.2) railties (>= 5.2.0) - sentry-ruby (~> 6.5.0) - sentry-ruby (6.5.0) + sentry-ruby (~> 6.6.2) + sentry-ruby (6.6.2) bigdecimal concurrent-ruby (~> 1.0, >= 1.0.2) logger @@ -344,7 +344,7 @@ GEM simplecov_json_formatter (~> 0.1) simplecov-html (0.13.2) simplecov_json_formatter (0.1.4) - solid_cable (3.0.12) + solid_cable (4.0.0) actioncable (>= 7.2) activejob (>= 7.2) activerecord (>= 7.2) @@ -360,13 +360,13 @@ GEM fugit (~> 1.11) railties (>= 7.1) thor (>= 1.3.1) - sqlite3 (2.9.3-aarch64-linux-gnu) - sqlite3 (2.9.3-aarch64-linux-musl) - sqlite3 (2.9.3-arm-linux-gnu) - sqlite3 (2.9.3-arm-linux-musl) - sqlite3 (2.9.3-arm64-darwin) - sqlite3 (2.9.3-x86_64-linux-gnu) - sqlite3 (2.9.3-x86_64-linux-musl) + sqlite3 (2.9.5-aarch64-linux-gnu) + sqlite3 (2.9.5-aarch64-linux-musl) + sqlite3 (2.9.5-arm-linux-gnu) + sqlite3 (2.9.5-arm-linux-musl) + sqlite3 (2.9.5-arm64-darwin) + sqlite3 (2.9.5-x86_64-linux-gnu) + sqlite3 (2.9.5-x86_64-linux-musl) sshkit (1.25.0) base64 logger 
@@ -374,10 +374,10 @@ GEM net-sftp (>= 2.1.2) net-ssh (>= 2.8.0) ostruct - standard (1.54.0) + standard (1.55.0) language_server-protocol (~> 3.17.0.2) lint_roller (~> 1.0) - rubocop (~> 1.84.0) + rubocop (~> 1.87.0) standard-custom (~> 1.0.0) standard-performance (~> 1.8) standard-custom (1.0.2) @@ -389,20 +389,20 @@ GEM stimulus-rails (1.3.4) railties (>= 6.0.0) stringio (3.2.0) - tailwindcss-rails (4.4.0) + tailwindcss-rails (4.6.0) railties (>= 7.0.0) tailwindcss-ruby (~> 4.0) - tailwindcss-ruby (4.2.4) - tailwindcss-ruby (4.2.4-aarch64-linux-gnu) - tailwindcss-ruby (4.2.4-aarch64-linux-musl) - tailwindcss-ruby (4.2.4-arm64-darwin) - tailwindcss-ruby (4.2.4-x86_64-linux-gnu) - tailwindcss-ruby (4.2.4-x86_64-linux-musl) + tailwindcss-ruby (4.3.1) + tailwindcss-ruby (4.3.1-aarch64-linux-gnu) + tailwindcss-ruby (4.3.1-aarch64-linux-musl) + tailwindcss-ruby (4.3.1-arm64-darwin) + tailwindcss-ruby (4.3.1-x86_64-linux-gnu) + tailwindcss-ruby (4.3.1-x86_64-linux-musl) thor (1.5.0) - thruster (0.1.20) - thruster (0.1.20-aarch64-linux) - thruster (0.1.20-arm64-darwin) - thruster (0.1.20-x86_64-linux) + thruster (0.1.21) + thruster (0.1.21-aarch64-linux) + thruster (0.1.21-arm64-darwin) + thruster (0.1.21-x86_64-linux) timeout (0.6.1) tpm-key_attestation (0.14.1) bindata (~> 2.4) @@ -432,13 +432,13 @@ GEM safety_net_attestation (~> 0.5.0) tpm-key_attestation (~> 0.14.0) websocket (1.2.11) - websocket-driver (0.8.0) + websocket-driver (0.8.1) base64 websocket-extensions (>= 0.1.0) websocket-extensions (0.1.5) xpath (3.2.0) nokogiri (~> 1.8) - zeitwerk (2.7.5) + zeitwerk (2.8.2) PLATFORMS aarch64-linux diff --git a/app/controllers/api/forward_auth_controller.rb b/app/controllers/api/forward_auth_controller.rb index 39b678a..c91e41d 100644 --- a/app/controllers/api/forward_auth_controller.rb +++ b/app/controllers/api/forward_auth_controller.rb 
@@ -156,7 +156,7 @@ module Api
 end
 def render_bearer_error(message)
- render json: { error: message }, status: :unauthorized
+ render json: {error: message}, status: :unauthorized
 end
 def check_forward_auth_token
@@ -207,7 +207,7 @@ module Api
 session[:return_to_after_authenticating] = original_url
- login_params = { rd: original_url, rm: request.method }
+ login_params = {rd: original_url, rm: request.method}
 login_url = "#{base_url}/signin?#{login_params.to_query}"
 redirect_to login_url, allow_other_host: true, status: :found
diff --git a/app/controllers/concerns/authentication.rb b/app/controllers/concerns/authentication.rb
index 7251893..46971cd 100644
--- a/app/controllers/concerns/authentication.rb
+++ b/app/controllers/concerns/authentication.rb
@@ -191,7 +191,7 @@ module Authentication
 token = SecureRandom.urlsafe_base64(32)
 Rails.cache.write(
 "forward_auth_token:#{token}",
- { session_id: session_obj.id, host: bound_host },
+ {session_id: session_obj.id, host: bound_host},
 expires_in: 60.seconds
 )
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 3cff4b7..7f94b4d 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -31,7 +31,7 @@ module ApplicationHelper
 end
 lines << "OIDC_DISCOVERY_URL=#{OidcJwtService.issuer_url}"
 lines << "OIDC_PROVIDER_NAME='Clinch'"
- lines << "OIDC_REQUIRE_PKCE=#{application.requires_pkce? ? 'true' : 'false'}"
+ lines << "OIDC_REQUIRE_PKCE=#{application.requires_pkce? ? "true" : "false"}"
 lines
 end
diff --git a/app/lib/private_address_check.rb b/app/lib/private_address_check.rb
index 8bfafa1..5470f0f 100644
--- a/app/lib/private_address_check.rb
+++ b/app/lib/private_address_check.rb
@@ -35,7 +35,7 @@ module PrivateAddressCheck
 return [ip] if ip
 Resolv.getaddresses(host.to_s).filter_map { |a| parse_ip(a) }
- rescue StandardError
+ rescue
 # Resolution failure: surface no addresses. Callers treat "can't resolve" as
 # not-provably-internal; the dial itself will then fail safely.
 []
diff --git a/app/mailers/totp_mailer.rb b/app/mailers/totp_mailer.rb
index 0514186..bdb0d26 100644
--- a/app/mailers/totp_mailer.rb
+++ b/app/mailers/totp_mailer.rb
@@ -2,6 +2,6 @@ class TotpMailer < ApplicationMailer
 def enabled(user)
 @user = user
 mail subject: "Two-factor authentication enabled on your account",
- to: user.email_address
+ to: user.email_address
 end
 end
diff --git a/db/migrate/20260420073319_add_oidc_authorization_code_id_to_tokens.rb b/db/migrate/20260420073319_add_oidc_authorization_code_id_to_tokens.rb
index 7232747..eca83d5 100644
--- a/db/migrate/20260420073319_add_oidc_authorization_code_id_to_tokens.rb
+++ b/db/migrate/20260420073319_add_oidc_authorization_code_id_to_tokens.rb
@@ -1,8 +1,8 @@
 class AddOidcAuthorizationCodeIdToTokens < ActiveRecord::Migration[8.1]
 def change
 add_reference :oidc_access_tokens, :oidc_authorization_code,
- null: true, foreign_key: true, index: true
+ null: true, foreign_key: true, index: true
 add_reference :oidc_refresh_tokens, :oidc_authorization_code,
- null: true, foreign_key: true, index: true
+ null: true, foreign_key: true, index: true
 end
 end
diff --git a/test/controllers/admin/groups_controller_test.rb b/test/controllers/admin/groups_controller_test.rb
index 57fd2c8..9fa6593 100644
--- a/test/controllers/admin/groups_controller_test.rb
+++ b/test/controllers/admin/groups_controller_test.rb
@@ -27,7 +27,7 @@ module Admin
 @group.applications = [applications(:kavita_app)]
 patch admin_group_path(@group), params: {
- group: { name: @group.name }
+ group: {name: @group.name}
 }
 assert_redirected_to admin_group_path(@group)
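Review bot: In app/lib/private_address_check.rb the bare `rescue` is equivalent to the `rescue StandardError` it replaces, so the lookup still turns every StandardError into `[]`, which the comment under it says callers read as not-provably-internal. That makes the check fail open on more than resolution failures: an unexpected error raised inside the `filter_map` block (from `parse_ip`, say) would look the same as an unresolvable host. Consider listing the resolver errors that are meant, e.g. `rescue Resolv::ResolvError, Resolv::ResolvTimeout`, and letting anything else propagate. The comment's assurance that the dial "will then fail safely" presumably assumes the dial resolves the name the same way this check does; if the client resolves again at connect time, that assumption deserves a sentence in the comment. The method starts above the hunk, so the `return [ip] if ip` path and the callers are not visible here.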
diff --git a/test/controllers/api/forward_auth_controller_test.rb b/test/controllers/api/forward_auth_controller_test.rb index 822b8aa..a7d614d 100644 --- a/test/controllers/api/forward_auth_controller_test.rb +++ b/test/controllers/api/forward_auth_controller_test.rb @@ -186,7 +186,7 @@ module Api # Under default-deny the user must be in at least one group to access the app. # This rewritten test verifies that when an app's headers_config disables the # groups header, no x-remote-groups is sent regardless of memberships. - app = grant_everyone_access Application.create!( + grant_everyone_access Application.create!( name: "Headers Hidden", slug: "headers-hidden", app_type: "forward_auth", domain_pattern: "hidden.example.com", active: true, @@ -559,7 +559,7 @@ module Api end test "should track failed attempts and eventually rate limit" do - cache = Rails.application.config.forward_auth_cache + Rails.application.config.forward_auth_cache # Make 50 failed requests (no session = unauthorized) 50.times do diff --git a/test/test_helpers/session_test_helper.rb b/test/test_helpers/session_test_helper.rb index 47463db..e1ff136 100644 --- a/test/test_helpers/session_test_helper.rb +++ b/test/test_helpers/session_test_helper.rb @@ -17,7 +17,11 @@ module SessionTestHelper # written under the old "empty allowed_groups = public" rule keep working. # New tests should attach groups explicitly to model real access intent. def grant_everyone_access(app) - everyone = (groups(:everyone) rescue Group.find_by(auto_assign: true)) + everyone = begin + groups(:everyone) + rescue + Group.find_by(auto_assign: true) + end app.allowed_groups << everyone unless app.allowed_groups.include?(everyone) app end
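Review bot: In the second hunk of test/controllers/api/forward_auth_controller_test.rb the autofix leaves `Rails.application.config.forward_auth_cache` as a bare expression whose value is discarded, so the line now reads as dead code in the rate-limit test. If the lookup has no side effect the test depends on, delete the line. If the test was meant to inspect the cache, keep the local and assert on it after the 50 failed requests, so the failed-attempt counter is checked directly rather than only through the response. The test body continues below the hunk, so what it asserts after the loop is not visible here.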
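Review bot: In `grant_everyone_access` (test/test_helpers/session_test_helper.rb) the expanded `begin`/`rescue` keeps the old catch-all, so any StandardError from `groups(:everyone)` falls through to `Group.find_by(auto_assign: true)`, which returns nil when no such group exists. The helper then passes nil to `app.allowed_groups << everyone` and fails away from the real cause, or a test quietly runs against a different group than the fixture it meant to use. Because this helper decides which group grants access in the authorization tests, I would make the fallback fail loudly with `Group.find_by!(auto_assign: true)` and add a one-line comment saying which fixture-lookup error the `rescue` is there for.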