[Security] Bump actionview from 5.2.3 to 6.0.3

[dependabot-preview]

Bumps actionview from 5.2.3 to 6.0.3. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Possible XSS vulnerability in ActionView There is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the j or escape_javascript methods may be susceptible to XSS attacks.

Versions Affected: All. Not affected: None. Fixed Versions: 6.0.2.2, 5.2.4.2

Impact

There is a possible XSS vulnerability in the j and escape_javascript methods in ActionView. These methods are used for escaping JavaScript string literals. Impacted code will look something like this:

<script>let a = `<%= j unknown_input %>`</script>

or

... (truncated)

Patched versions: ~> 5.2.4, >= 5.2.4.2; >= 6.0.2.2 Unaffected versions: none

Release notes

Sourced from actionview's releases.

6.0.3

Active Support

• Array#to_sentence no longer returns a frozen string.

  Before:

  ['one', 'two'].to_sentence.frozen?
  # => true
  

  After:

  ['one', 'two'].to_sentence.frozen?
  # => false
  

  Nicolas Dular

• Update ActiveSupport::Messages::Metadata#fresh? to work for cookies with expiry set when ActiveSupport.parse_json_times = true.

  Christian Gregg

Active Model

• No changes.

Active Record

• Recommend applications don't use the database kwarg in connected_to

  The database kwarg in connected_to was meant to be used for one-off scripts but is often used in requests. This is really dangerous because it re-establishes a connection every time. It's deprecated in 6.1 and will be removed in 6.2 without replacement. This change soft deprecates it in 6.0 by removing documentation.

  Eileen M. Uchitelle

• Fix support for PostgreSQL 11+ partitioned indexes.

  Sebastián Palma

• Add support for beginless ranges, introduced in Ruby 2.7.

  Josh Goodall

• Fix insert_all with enum values

  Fixes #38716.

... (truncated)

Changelog

Sourced from actionview's changelog.

Rails 6.0.3 (May 06, 2020)

• annotated_source_code returns an empty array so TemplateErrors without a template in the backtrace are surfaced properly by DebugExceptions.

  Guilherme Mansur, Kasper Timm Hansen

• Add autoload for SyntaxErrorInTemplate so syntax errors are correctly raised by DebugExceptions.

  Guilherme Mansur, Gannon McGibbon

Rails 6.0.2.2 (March 19, 2020)

• Fix possible XSS vector in escape_javascript helper

  CVE-2020-5267

  Aaron Patterson

Rails 6.0.2.1 (December 18, 2019)

• No changes.

Rails 6.0.2 (December 13, 2019)

• No changes.

Rails 6.0.1 (November 5, 2019)

• UJS avoids Element.closest() for IE 9 compatibility.

  George Claghorn

Rails 6.0.0 (August 16, 2019)

• ActionView::Helpers::SanitizeHelper: support rails-html-sanitizer 1.1.0.

  Juanito Fatas

Rails 6.0.0.rc2 (July 22, 2019)

• Fix select_tag so that it doesn't change options when include_blank is present.

  Younes SERRAJ

... (truncated)

Commits

• b738f19 Preparing for 6.0.3 release
• 509b9da Preparing for 6.0.3.rc1 release
• b60571e Merge pull request #38864 from abhaynikam/replace-mailing-list-url
• 639e646 Add CHANGELOG entry to 6.0.2.2
• 4e3fd92 Merge pull request #37119 from jonathanhefner/fix-escaping-in-view-path-resolver
• ff380b5 Merge branch '6-2-sec' into 6-0-stable
• 157920a Preparing for 6.0.2.2 release
• 1251d88 Fix possible XSS vector in JS escape helper
• d2d4f8c Fix helper_method in ActionView::TestCase to allow keyword arguments
• 2691d41 Make localize helper takes keyword arguments the same with I18n.localize
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Dependabot tried to add @ervalhous as a reviewer to this PR, but received the following error from GitHub:

POST https://api.github.com/repos/autoforce/APIcasso/pulls/122/requested_reviewers: 422 - Reviews may only be requested from collaborators. One or more of the users or teams you specified is not a collaborator of the autoforce/APIcasso repository. // See: https://developer.github.com/v3/pulls/review_requests/#create-a-review-request

[codecov-io]

Codecov Report

Merging #122 into master will decrease coverage by 85.59%.
The diff coverage is n/a.

@@             Coverage Diff             @@
##           master     #122       +/-   ##
===========================================
- Coverage   96.99%   11.40%   -85.60%     
===========================================
  Files          24       15        -9     
  Lines         931      614      -317     
===========================================
- Hits          903       70      -833     
- Misses         28      544      +516     

Impacted Files	Coverage Δ
spec/requests/singularized/requests_spec.rb	1.87% <0.00%> (-97.50%)	⬇️
...equests/plurarized/requests_with_plurarize_spec.rb	1.87% <0.00%> (-97.50%)	⬇️
spec/token/token_spec.rb	4.23% <0.00%> (-95.77%)	⬇️
spec/requests/batch_spec.rb	6.12% <0.00%> (-93.88%)	⬇️
spec/requests/singularized/bad_requests_spec.rb	12.50% <0.00%> (-87.50%)	⬇️
...sts/plurarized/bad_requests_with_plurarize_spec.rb	12.50% <0.00%> (-87.50%)	⬇️
spec/models/used_model_spec.rb	41.17% <0.00%> (-58.83%)	⬇️
app/models/apicasso/key.rb	63.63% <0.00%> (-36.37%)	⬇️
spec/apicasso_spec.rb	66.66% <0.00%> (-33.34%)	⬇️
spec/dummy/app/models/used_model.rb	46.15% <0.00%> (-15.39%)	⬇️
... and 9 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a95b5fc...274f3b7. Read the comment docs.

[dependabot-preview]

Superseded by #128.