🚨 [security] Update thor 0.20.3 → 1.4.0 (major) #249

Open · wants to merge 1 commit into master

Conversation

depfu[bot] (Contributor) commented Jul 21, 2025


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ thor (indirect, 0.20.3 → 1.4.0) · Repo · Changelog

Security Advisories 🚨

🚨 Thor can construct an unsafe shell command from library input.

Thor before 1.4.0 can construct an unsafe shell command from library input.

Release Notes

1.4.0

What's Changed

New Contributors

Full Changelog: v1.3.2...v1.4.0

1.3.2

What's Changed

New Contributors

Full Changelog: v1.3.1...v1.3.2

1.3.1

What's Changed

New Contributors

Full Changelog: v1.3.0...v1.3.1

1.3.0

What's Changed

  • use the correct class for shared namespaces by @Gerst20051 in #754
  • Allow to Override Order of Commands in Help by @alessio-signorini in #642
  • Add support for providing http headers to get by @dnlgrv in #801
  • Don't document negative boolean option named no_* by @BrentWheeldon in #797
  • CreateFile#identical? fixed for files containing multi-byte UTF-8 codepoints by @tomclose in #786
  • Drop support to Ruby 2.6 by @rafaelfranca in #821
  • Fix dashless option usage info by @sambostock in #800
  • Support Range in enum option by @phene in #775
  • Check if type: array values are in enum by @movermeyer in #784
  • Fix inject into file warning by @nicolas-brousse in #709
  • Support Thor::CoreExt::HashWithIndifferentAccess#slice method by @shuuuuun in #812
  • 🌧️ long_desc: new option to disable wrapping by @igneus in #739
  • Print default in help when option type is :boolean and default is false by @nevesenin in #849
  • Silence encoding warnings in specs by @p8 in #857
  • Validate arguments for method_option and class_option by @p8 in #856
  • Fix help for file_collision method without block by @shuuuuun in #858
  • Extract print methods to separate classes by @p8 in #854
  • Add support for printing tables with borders by @p8 in #855
  • Fix printing tables with borders and indentation by @p8 in #861

New Contributors

Full Changelog: v1.2.2...v1.3.0

1.2.2

What's Changed

New Contributors

Full Changelog: v1.2.1...v1.2.2

1.2.1

What's Changed

  • Fix regressions with insert_into_file

Full Changelog: v1.2.0...v1.2.1

1.2.0

What's Changed

New Contributors

Full Changelog: v1.1.0...v1.2.0

1.1.0 (from changelog)

  • Don't use ANSI colors when terminal is dumb.
  • Ensure default option/argument is not erroneously aliased.
  • Fixes a bug in the calculation of the print_wrapped method.
  • Obey :mute and options[:quiet] in Shell#say.
  • Support Ruby 3.0.
  • Add force option to the gsub_file action.

1.0.1 (from changelog)

  • Fix thor when thor/base and thor/group are required without thor.rb.
  • Handle relative source path in create_link.

1.0.0 (from changelog)

  • Drop support to Ruby 1.8 and 1.9.

  • Deprecate relying on default exit_on_failure?. In preparation to make Thor commands exit when there is a failure, we are deprecating defining a command without defining what behavior is expected when there is a failure. To fix the deprecation you need to define a class method called exit_on_failure? returning false if you want the current behavior or true if you want the new behavior.

  • Deprecate defining an option with the default value using a different type as defined in the option.

  • Allow options to be repeatable. See #674.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu cancel merge: Cancels automatic merging of this PR
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu bot added the depfu label Jul 21, 2025