Bump addressable from 2.5.2 to 2.8.0 in /jekyll

[dependabot]

Bumps addressable from 2.5.2 to 2.8.0.

Changelog

Sourced from addressable's changelog.

Addressable 2.8.0

• fixes ReDoS vulnerability in Addressable::Template#match
• no longer replaces + with spaces in queries for non-http(s) schemes
• fixed encoding ipv6 literals
• the :compacted flag for normalized_query now dedupes parameters
• fix broken escape_component alias
• dropping support for Ruby 2.0 and 2.1
• adding Ruby 3.0 compatibility for development tasks
• drop support for rack-mount and remove Addressable::Template#generate
• performance improvements
• switch CI/CD to GitHub Actions

Addressable 2.7.0

• added :compacted flag to normalized_query
• heuristic_parse handles mailto: more intuitively
• dropped explicit support for JRuby 9.0.5.0
• compatibility w/ public_suffix 4.x
• performance improvements

Addressable 2.6.0

• added tld= method to allow assignment to the public suffix
• most heuristic_parse patterns are now case-insensitive
• heuristic_parse handles more file:// URI variations
• fixes bug in heuristic_parse when uri starts with digit
• fixes bug in request_uri= with query strings
• fixes template issues with nil and ? operator
• frozen_string_literal pragmas added
• minor performance improvements in regexps
• fixes to eliminate warnings

Commits

• 6469a23 Updating gemspec again
• 2433638 Merge branch 'main' of github.com:sporkmonger/addressable into main
• e9c76b8 Merge pull request #378 from ashmaroli/flat-map
• 56c5cf7 Update the gemspec
• c1fed1c Require a non-vulnerable rake
• 0d8a312 Adding note about ReDoS vulnerability
• 89c7613 Merge branch 'template-regexp' into main
• cf8884f Note about alias fix
• bb03f71 Merge pull request #371 from charleystran/add_missing_encode_component_doc_entry
• 6d1d809 Adding note about :compacted normalization
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

[MadLittleMods]

Can we remove the whole jekyll directory? Seems like it's all in gatsby now

[afranke]

Can we remove the whole jekyll directory? Seems like it's all in gatsby now

I was wondering the same thing half an hour ago and just found your comment. I’ll open an issue to discuss this because it looks slightly more complicated than that.

[afranke]

Filed #1047

[richvdh]

we may as well merge this though, right?

[afranke]

we may as well merge this though, right?

I’m slightly worried about that “Compatibility: unkown” from dependabot. More specifically, I see dropping support for Ruby 2.0 and 2.1 in the changelog, and I have no clue which version of Ruby we rely on. Considering this is the (most) legacy part of the codebase, this is worth checking I guess? I am not familiar enough with that ecosystem to know how much possible breakage we’re dealing with here.

Why are there 0 checks for this PR by the way?

[richvdh]

@dependabot rebase

[richvdh]

Why are there 0 checks for this PR by the way?

because we didn't have GHA set up back in July

[richvdh]

ah, I think we might just have found out why you want your netlify upload in a separate pipeline to the main build: it doesn't get run correctly for this sort of PR.

Anyway the jekyll step stems to have run correctly.

I have no clue which version of Ruby we rely on.

The jekyll step of the build pipeline runs in a docker container based on debian stretch, which has ruby 2.3.3.

[afranke]

because we didn't have GHA set up back in July

Right, but we did have Buildkite (and e.g. #825 still shows the BK results).

ah, I think we might just have found out why you want your netlify upload in a separate pipeline to the main build: it doesn't get run correctly for this sort of PR.

I don’t understand what that 403 comes from.

The jekyll step of the build pipeline runs in a docker container based on debian stretch, which has ruby 2.3.3.

Fair enough. I guess we can indeed merge then.

[richvdh]

because we didn't have GHA set up back in July

Right, but we did have Buildkite (and e.g. #825 still shows the BK results).

yes, but the BK pipeline was not set up to run on "contributor" PRs (ie, those made from outside the team), due to the risk of abuse.

I don’t understand what that 403 comes from.

Nor do I really, though again I think it's probably something to do with the PR being opened by dependabot. But the real problem is that the Netlify secrets aren't getting passed to the build (which is a good thing, since otherwise contributors could exfiltrate our netlify creds), hence:

Netlify credentials not provided, not deployable

[afranke]

But the real problem is that the Netlify secrets aren't getting passed to the build

This should only be the case for forks. Dependabot pushes to a branch in the upstream repository as far as I can tell. Weird that it fails like this.