Merge pull request #339 from cyberark/bump-deps

CONJSE-1833: Upgrade Puma to 6.4.2

CHANGELOG.md

@@ -6,6 +6,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+## [1.2.11] - 2024-02-09
+### Security
+- Upgrade Puma to 6.4.2
+  [cyberark/conjur-service-broker#339](https://github.com/cyberark/conjur-service-broker/pull/339)
+
 ## [1.2.10] - 2023-06-21
 ### Security
 - Upgrade ruby to 3.2, Go image to 1.20-alpine, and golang.org/x/sys to v0.8.0

CONTRIBUTING.md

@@ -11,11 +11,9 @@ environment.
 
 1. [git][get-git] to manage source code
 2. [Docker][get-docker] to manage dependencies and runtime environments
-3. [Docker Compose][get-docker-compose] to orchestrate Docker environments
 
 [get-docker]: https://docs.docker.com/engine/installation
 [get-git]: https://git-scm.com/downloads
-[get-docker-compose]: https://docs.docker.com/compose/install
 
 To test the usage of the Conjur Service Broker within a CF deployment, you can
 follow the demo scripts in the [Cloud Foundry demo repo](https://github.com/conjurinc/cloudfoundry-conjur-demo).
@@ -101,7 +99,7 @@ Then, run the tests with the following command:
 _Note: The integration tests rely on having built `conjur-service-broker`
 and `conjur-service-broker-test`. If you make changes to your local repository
 and would like to see those changes reflected in the test containers, either
-re-run `./dev/build` or run `docker-compose build <service_name>` to rebuild
+re-run `./dev/build` or run `docker compose build <service_name>` to rebuild
 the source image(s) before running the tests._
 
 ### End-to-End (E2E) Integration Testing
@@ -138,7 +136,7 @@ To detect if there are any known security vulnerabilities in gem
 dependencies, run the following:
 
    ```
-   docker-compose run tests bundle audit
+   docker compose run tests bundle audit
    ```
 
 If any known security vulnerabilities are discovered, you will see
@@ -167,35 +165,35 @@ Some examples, ranging from least conservative to most conservative:
 1. To update the vulnerable gem and all of its dependencies.
 
    ```
-   docker-compose run tests bundle update <vulnerable-gem>
+   docker compose run tests bundle update <vulnerable-gem>
    ```
 
 1. To update only the vulnerable gem (i.e. not its dependencies):
 
    ```
-   docker-compose run tests bundle update --conservative <vulnerable-gem>
+   docker compose run tests bundle update --conservative <vulnerable-gem>
    ```
 
 1. To update only the vulnerable gem's patch version:
 
    ```
-   docker-compose run tests bundle update --patch --conservative <vulnerable-gem>
+   docker compose run tests bundle update --patch --conservative <vulnerable-gem>
    ```
 
 After running any of the above commands, you will want to test
 Service Broker functionality as described in the
 [Testing Functionality After Dependency Version Changes](#testing-functionality-after-dependency-version-changes)
 section below.
 
-### Updating One Dependency at a Time
+### Updating All Dependencies at Once
 
 If you are feeling especially lucky, you might be tempted to update
 all dependencies (direct and indirect), and then build and test to
 verify that Service Broker functionality has not been broken.
 This would be done as follows:
 
    ```
-   docker-compose run tests bundle update
+   docker compose run tests bundle update
    ```
 
 However, the chances that such a sweeping change will not break
@@ -224,13 +222,13 @@ Service Broker functionality using this method may be high.
 For example, to update `development` dependencies for the Service Broker:
 
    ```
-   docker-compose run tests bundle update --group development
+   docker compose run tests bundle update --group development
    ```
 
 Or, to update `test` and `development` dependencies:
 
    ```
-   docker-compose run tests bundle update --group test development
+   docker compose run tests bundle update --group test development
    ```
 
 After any gem versions have been updated, you will want to test

Gemfile

@@ -16,7 +16,7 @@ gem 'json-schema', '2.8.0'
 gem 'listen', '>= 3.0.5', '< 3.2'
 
 # Use Puma as the app server
-gem 'puma', '5.6.4'
+gem 'puma', '6.4.2'
 
 # Use Rack CORS for handling Cross-Origin Resource Sharing (CORS), making cross-origin AJAX possible
 # gem 'rack-cors'

Gemfile.lock

@@ -1,26 +1,26 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actionpack (6.1.7.3)
-      actionview (= 6.1.7.3)
-      activesupport (= 6.1.7.3)
+    actionpack (6.1.7.6)
+      actionview (= 6.1.7.6)
+      activesupport (= 6.1.7.6)
       rack (~> 2.0, >= 2.0.9)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actionview (6.1.7.3)
-      activesupport (= 6.1.7.3)
+    actionview (6.1.7.6)
+      activesupport (= 6.1.7.6)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activesupport (6.1.7.3)
+    activesupport (6.1.7.6)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
       tzinfo (~> 2.0)
       zeitwerk (~> 2.3)
-    addressable (2.8.1)
+    addressable (2.8.6)
       public_suffix (>= 2.0.2, < 6.0)
     aruba (2.1.0)
       bundler (>= 1.17, < 3.0)
@@ -42,7 +42,7 @@ GEM
       ci_reporter (~> 2.0)
       rspec (>= 2.14, < 4)
     coderay (1.1.3)
-    concurrent-ruby (1.2.2)
+    concurrent-ruby (1.2.3)
     conjur-api (5.3.7)
       activesupport (>= 4.2)
       addressable (~> 2.0)
@@ -79,15 +79,14 @@ GEM
     cucumber-wire (6.2.1)
       cucumber-core (~> 10.1, >= 10.1.0)
       cucumber-cucumber-expressions (~> 14.0, >= 14.0.0)
-    diff-lcs (1.5.0)
-    domain_name (0.5.20190701)
-      unf (>= 0.0.5, < 1.0.0)
+    diff-lcs (1.5.1)
+    domain_name (0.6.20240107)
     erubi (1.12.0)
-    ffi (1.15.5)
+    ffi (1.16.3)
     http-accept (1.7.0)
     http-cookie (1.0.5)
       domain_name (~> 0.5)
-    i18n (1.12.0)
+    i18n (1.14.1)
       concurrent-ruby (~> 1.0)
     json-schema (2.8.0)
       addressable (>= 2.4)
@@ -104,47 +103,47 @@ GEM
     listen (3.0.8)
       rb-fsevent (~> 0.9, >= 0.9.4)
       rb-inotify (~> 0.9, >= 0.9.7)
-    loofah (2.19.1)
+    loofah (2.22.0)
       crass (~> 1.0.2)
-      nokogiri (>= 1.5.9)
+      nokogiri (>= 1.12.0)
     method_source (1.0.0)
-    mime-types (3.4.1)
+    mime-types (3.5.2)
       mime-types-data (~> 3.2015)
-    mime-types-data (3.2023.0218.1)
-    mini_portile2 (2.8.1)
-    minitest (5.18.0)
+    mime-types-data (3.2024.0206)
+    minitest (5.22.2)
     multi_json (1.15.0)
     multi_test (0.1.2)
     netrc (0.11.0)
-    nio4r (2.5.8)
-    nokogiri (1.14.3)
-      mini_portile2 (~> 2.8.0)
+    nio4r (2.7.0)
+    nokogiri (1.16.2-x86_64-linux)
       racc (~> 1.4)
     pry (0.14.2)
       coderay (~> 1.1)
       method_source (~> 1.0)
     pry-byebug (3.10.1)
       byebug (~> 11.0)
       pry (>= 0.13, < 0.15)
-    public_suffix (5.0.1)
-    puma (5.6.4)
+    public_suffix (5.0.4)
+    puma (6.4.2)
       nio4r (~> 2.0)
-    racc (1.6.2)
-    rack (2.2.6.4)
-    rack-test (2.0.2)
+    racc (1.7.3)
+    rack (2.2.8)
+    rack-test (2.1.0)
       rack (>= 1.3)
-    rails-dom-testing (2.0.3)
-      activesupport (>= 4.2.0)
+    rails-dom-testing (2.2.0)
+      activesupport (>= 5.0.0)
+      minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.5.0)
-      loofah (~> 2.19, >= 2.19.1)
-    railties (6.1.7.3)
-      actionpack (= 6.1.7.3)
-      activesupport (= 6.1.7.3)
+    rails-html-sanitizer (1.6.0)
+      loofah (~> 2.21)
+      nokogiri (~> 1.14)
+    railties (6.1.7.6)
+      actionpack (= 6.1.7.6)
+      activesupport (= 6.1.7.6)
       method_source
       rake (>= 12.2)
       thor (~> 1.0)
-    rake (13.0.6)
+    rake (13.1.0)
     rb-fsevent (0.11.2)
     rb-inotify (0.10.1)
       ffi (~> 1.0)
@@ -153,51 +152,48 @@ GEM
       http-cookie (>= 1.0.2, < 2.0)
       mime-types (>= 1.16, < 4.0)
       netrc (~> 0.8)
-    rexml (3.2.5)
-    rspec (3.12.0)
-      rspec-core (~> 3.12.0)
-      rspec-expectations (~> 3.12.0)
-      rspec-mocks (~> 3.12.0)
-    rspec-core (3.12.1)
-      rspec-support (~> 3.12.0)
-    rspec-expectations (3.12.2)
+    rexml (3.2.6)
+    rspec (3.13.0)
+      rspec-core (~> 3.13.0)
+      rspec-expectations (~> 3.13.0)
+      rspec-mocks (~> 3.13.0)
+    rspec-core (3.13.0)
+      rspec-support (~> 3.13.0)
+    rspec-expectations (3.13.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-mocks (3.12.3)
+      rspec-support (~> 3.13.0)
+    rspec-mocks (3.13.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.12.0)
-    rspec-rails (6.0.1)
+      rspec-support (~> 3.13.0)
+    rspec-rails (6.1.1)
       actionpack (>= 6.1)
       activesupport (>= 6.1)
       railties (>= 6.1)
-      rspec-core (~> 3.11)
-      rspec-expectations (~> 3.11)
-      rspec-mocks (~> 3.11)
-      rspec-support (~> 3.11)
-    rspec-support (3.12.0)
+      rspec-core (~> 3.12)
+      rspec-expectations (~> 3.12)
+      rspec-mocks (~> 3.12)
+      rspec-support (~> 3.12)
+    rspec-support (3.13.0)
     rspec_junit_formatter (0.6.0)
       rspec-core (>= 2, < 4, != 2.12.0)
     rubyzip (2.3.2)
     spring (2.1.1)
     spring-watcher-listen (2.0.1)
       listen (>= 2.7, < 4.0)
       spring (>= 1.2, < 3.0)
-    sys-uname (1.2.2)
+    sys-uname (1.2.3)
       ffi (~> 1.1)
-    thor (1.2.1)
+    thor (1.3.0)
     tomlrb (2.0.3)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unf (0.1.4)
-      unf_ext
-    unf_ext (0.0.8.2)
     with_env (1.1.0)
     xml-simple (1.1.9)
       rexml
-    zeitwerk (2.6.7)
+    zeitwerk (2.6.13)
 
 PLATFORMS
-  ruby
+  x86_64-linux
 
 DEPENDENCIES
   actionview (~> 6.1)
@@ -213,7 +209,7 @@ DEPENDENCIES
   license_finder
   listen (>= 3.0.5, < 3.2)
   pry-byebug
-  puma (= 5.6.4)
+  puma (= 6.4.2)
   rack (~> 2.2.6)
   railties (~> 6.1)
   rest-client
@@ -224,7 +220,7 @@ DEPENDENCIES
   spring-watcher-listen (~> 2.0.0)
 
 RUBY VERSION
-   ruby 3.1.3p185
+   ruby 3.2.3p157
 
 BUNDLED WITH
-   2.4.6
+   2.5.6

Jenkinsfile

@@ -67,9 +67,9 @@ pipeline {
     }
 
     // The End-to-End test needs to be run separately from the integration
-    // tests because both use the default docker-compose network, and
+    // tests because both use the default docker compose network, and
     // both cause this network to be deleted when they clean up with
-    // 'docker-compose down ...'.
+    // 'docker compose down ...'.
     stage('End-to-End Testing') {
       steps {
         allocateTas('isv_ci_tas_srt_5_0')

NOTICES.txt

@@ -12,7 +12,7 @@ SECTION 1: Apache-2.0
 
 SECTION 2: BSD-3-Clause
 
->>> https://rubygems.org/gems/puma/versions/5.6.4
+>>> https://rubygems.org/gems/puma/versions/6.4.2
 
 SECTION 3: MIT
 
@@ -56,7 +56,7 @@ limitations under the License.
 
 BSD-3-Clause License is applicable to the following component(s).
 
->>> https://rubygems.org/gems/puma/versions/5.6.4
+>>> https://rubygems.org/gems/puma/versions/6.4.2
 
 Copyright (c) 2019, Evan Phoenix. Some code by Zed Shaw, (c) 2005.
 All rights reserved.

VERSION

@@ -1 +1 @@
-1.2.10
+1.2.11

dev/build

@@ -8,13 +8,13 @@ cd "$(dirname "$0")/.." || (echo "Could not cd to parent dir"; exit 1)
 TAG="$(< VERSION)-$(git rev-parse --short HEAD)"
 
 announce "Getting updated images (this may take a few minutes)..."
-docker-compose pull -q conjur_5
+docker compose pull -q conjur_5
 echo "Done!"
 
 announce "Building Buildpack Health Check executable"
 rm -rf bin/buildpack-health-check
-docker-compose -f buildpack-health-check/docker-compose.yml build
-docker-compose -f buildpack-health-check/docker-compose.yml \
+docker compose -f buildpack-health-check/docker-compose.yml build
+docker compose -f buildpack-health-check/docker-compose.yml \
   run --rm buildpack-health-check-builder
 echo "Done!"