chore(deps): update dependency jekyll to v3.6.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
jekyll (source, changelog)	"3.4.3" → "3.6.3"

---

Jekyll allows attackers to access arbitrary files by specifying a symlink

CVE-2018-17567 / GHSA-4xjh-m3qx-49wc

More information

Details

Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the include key in the _config.yml file.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://nvd.nist.gov/vuln/detail/CVE-2018-17567
• https://github.com/jekyll/jekyll/pull/7224
• https://github.com/jekyll/jekyll
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jekyll/CVE-2018-17567.yml
• https://jekyllrb.com/news/2018/09/19/security-fixes-for-3-6-3-7-3-8
• https://lists.apache.org/thread.html/71da391f584b2fb301d2df0e491b279d87287e2fb4b11309f04ad984@​%3Ccommits.accumulo.apache.org%3E

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

jekyll/jekyll (jekyll)

v3.6.3

Compare Source

Bug Fixes

• 3.6.x: security: fix include bypass of EntryFilter#filter symlink check (#​7229)

v3.6.2

Compare Source

Development Fixes

• Update Rubocop to 0.51.0 (#​6444)
• Add test for layout as string (#​6445)

Bug Fixes

• Problematic UTF+bom files (#​6322)
• Always treat data.layout as a string (#​6442)

v3.6.1

Compare Source

Documentation

• Doc y_day in docs/permalinks (#​6244)
• Update frontmatter.md (#​6371)
• Elaborate on excluding items from processing (#​6136)
• Style lists in tables (#​6379)
• Remove duplicate "available" (#​6380)

Development Fixes

• Bump rubocop to use v0.50.x (#​6368)

v3.6.0

Compare Source

Minor Enhancements

• Ignore final newline in folded YAML string (#​6054)
• Add URL checks to Doctor (#​5760)
• Fix serving files that clash with directories (#​6222) (#​6231)
• Bump supported Ruby version to >= 2.1.0 (#​6220)
• set LiquidError#template_name for errors in included file (#​6206)
• Access custom config array throughout session (#​6200)
• Add support for Rouge 2, in addition to Rouge 1 (#​5919)
• Allow yield to logger methods & bail early on no-op messages (#​6315)
• Update mime-types. (#​6336)
• Use a Schwartzian transform with custom sorting (#​6342)
• Alias Drop#invoke_drop to Drop#[] (#​6338)

Bug Fixes

• Deprecator: fix typo for --serve command (#​6229)
• Reader#read_directories: guard against an entry not being a directory (#​6226)
• kramdown: symbolize keys in-place (#​6247)
• Call to_s on site.url before attempting to concatenate strings (#​6253)
• Enforce Style/FrozenStringLiteralComment (#​6265)
• Update theme-template README to note 'assets' directory (#​6257)
• Memoize the return value of Document#url (#​6266)
• delegate StaticFile#to_json to StaticFile#to_liquid (#​6273)
• Fix Drop#key? so it can handle a nil argument (#​6281)
• Guard against type error in absolute url (#​6280)
• Mutable drops should fallback to their own methods when a mutation isn't present (#​6350)
• Skip adding binary files as posts (#​6344)
• Don't break if bundler is not installed (#​6377)

Documentation

• Fix a typo in custom-404-page.md (#​6218)
• Docs: fix links to issues in History.markdown (#​6255)
• Update deprecated gems key to plugins. (#​6262)
• Fixes minor typo in post text (#​6283)
• Execute build command using bundle. (#​6274)
• name unification - buddy details (#​6317)
• name unification - application index (#​6318)
• trim and relocate plugin info across docs (#​6311)
• update Jekyll's README (#​6321)
• add SUPPORT file for GitHub (#​6324)
• Rename CODE_OF_CONDUCT to show in banner (#​6325)
• Docs : illustrate page.id for a collection's document (#​6329)
• Docs: post's date can be overridden in front matter (#​6334)
• Docs: site.url behavior on development and production environments (#​6270)
• Fix typo in site.url section of variables.md :-[ (#​6337)
• Docs: updates (#​6343)
• Fix precedence docs (#​6346)
• add note to contributing docs about script/console (#​6349)
• Docs: Fix permalink example (#​6375)

Site Enhancements

• Adding DevKit helpers (#​6225)
• Customizing url in collection elements clarified (#​6264)
• Plugins is the new gems (#​6326)

Development Fixes

• Strip unnecessary leading whitespace in template (#​6228)
• Users should be installing patch versions. (#​6198)
• Fix tests (#​6240)
• Define path with __dir__ (#​6087)
• exit site.process sooner (#​6239)
• make flakey test more robust (#​6277)
• Add a quick test for DataReader (#​6284)
• script/backport-pr: commit message no longer includes the # (#​6289)
• Add CODEOWNERS file to help automate reviews. (#​6320)
• Fix builds on codeclimate (#​6333)
• Bump rubies on Travis (#​6366)

v3.5.2

Compare Source

Bug Fixes

• Backport #​6281 for v3.5.x: Fix Drop#key? so it can handle a nil argument (#​6288)
• Backport #​6280 for v3.5.x: Guard against type error in absolute_url (#​6287)
• Backport #​6266 for v3.5.x: Memoize the return value of Document#url (#​6301)
• Backport #​6273 for v3.5.x: delegate StaticFile#to_json to StaticFile#to_liquid (#​6302)
• Backport #​6226 for v3.5.x: Reader#read_directories: guard against an entry not being a directory (#​6304)
• Backport #​6247 for v3.5.x: kramdown: symbolize keys in-place (#​6303)

v3.5.1

Compare Source

Minor Enhancements

• Use Warn for deprecation messages (#​6192)
• site template: Use plugins key instead of gems (#​6045)

Bug Fixes

• Backward compatibilize URLFilters module (#​6163)
• Static files contain front matter default keys when to_liquid'd (#​6162)
• Always normalize the result of the relative_url filter (#​6185)

Documentation

• Update reference to trouble with OS X/macOS (#​6139)
• added BibSonomy plugin (#​6143)
• add plugins for multiple page pagination (#​6055)
• Update minimum Ruby version in installation.md (#​6164)
• Add information about finding a collection in site.collections (#​6165)
• Add {% raw %} to Liquid example on site (#​6179)
• Added improved Pug plugin - removed 404 Jade plugin (#​6174)
• Linking the link (#​6210)
• Small correction in documentation for includes (#​6193)
• Fix docs site page margin (#​6214)

Development Fixes

• Add jekyll doctor to GitHub Issue Template (#​6169)
• Test with Ruby 2.4.1-1 on AppVeyor (#​6176)
• set minimum requirement for jekyll-feed (#​6184)

v3.5.0

Compare Source

Minor Enhancements

• Upgrade to Liquid v4 (#​4362)
• Convert StaticFile liquid representation to a Drop & add front matter defaults support to StaticFiles (#​5871)
• Add support for Tab-Separated Values data files (*.tsv) (#​5985)
• Specify version constraint in subcommand error message. (#​5974)
• Add a template for custom 404 page (#​5945)
• Require runtime_dependencies of a Gem-based theme from its .gemspec file (#​5914)
• Don't raise an error if URL contains a colon (#​5889)
• Date filters should never raise an exception (#​5722)
• add plugins config key as replacement for gems (#​5130)
• create configuration from options only once in the boot process (#​5487)
• Add option to fail a build with front matter syntax errors (#​5832)
• Disable default layouts for documents with a layout: none declaration (#​5933)
• In jekyll new, make copied site template user-writable (#​6072)
• Add top-level layout liquid variable to Documents (#​6073)
• Address reading non-binary static files in themes (#​5918)
• Allow filters to sort & select based on subvalues (#​5622)
• Add strip_index filter (#​6075)

Documentation

• Install troubleshooting on Ubuntu (#​5817)
• Add Termux section on troubleshooting (#​5837)
• fix ial css classes in theme doc (#​5876)
• Update installation.md (#​5880)
• Update Aerobatic docs (#​5883)
• Add note to collections doc on hard-coded collections. (#​5882)
• Makes uri_escape template docs more specific. (#​5887)
• Remove duplicate footnote_nr from default config (#​5891)
• Fixed tutorial for publishing gem to include repo. (#​5900)
• update broken links (#​5905)
• Fix typo in contribution information (#​5910)
• update plugin repo URL to reflect repo move (#​5916)
• Update exclude array in configuration.md (#​5947)
• Fixed path in "Improve this page" link in Tutorials section (#​5951)
• Corrected permalink (#​5949)
• Included more details about adding defaults to static files (#​5971)
• Create buddyworks (#​5962)
• added (buddyworks) to ci list (#​5965)
• Add a tutorial on serving custom Error 404 page (#​5946)
• add custom 404 to tutorial navigation (#​5978)
• Add link to order of interpretation tutorial in Tutorials nav (#​5952)
• Document Jekyll's Philosophy (#​5792)
• Require Ruby > 2.1.0 (#​5983)
• Fix broken link (#​5994)
• Default options for script/proof (#​5995)
• Mention Bash on Ubuntu on Windows (#​5960)
• Document --unpublished flag introduced in 91e9ecf (#​5959)
• Update upgrading.md to mention usage of bundle update (#​5604)
• Fix missing quotation mark (#​6002)
• New tutorial: Convert an HTML site to Jekyll (#​5881)
• Revamp Permalink section (#​5912)
• Fixup tutorial on creating theme from existing HTML templates (#​6006)
• Standardise on "URLs" without apostrophe in docs (#​6018)
• Added txtpen in tutorial (#​6021)
• fix typo using past participle (#​6026)
• changed formatting to fit the style of the documentation (#​6027)
• doc fix typo word usage (#​6028)
• corrected reference to layout in index.md (#​6032)
• (Minor) Update MathJax CDN (#​6013)
• Add MvvmCross to samples (#​6035)
• Update travis-ci.md to correct procedure (#​6043)
• fix sentence in documentation (#​6048)
• rephrase a sentence in posts.md to be more direct (#​6049)
• Compress Website Sass output (#​6009)
• doc correct spelling error (#​6050)
• adjusted date-format in sitemap (#​6053)
• Typo fix (welcomed change -> welcome change). (#​6070)
• Fixed documentation inconsistency (#​6068)
• Add own plugin -> Jekyll Brand Social Wall (#​6064)
• Added plugin jekyll-analytics (#​6042)
• Use more precise language when explaining links (#​6078)
• Update plugins.md (#​6088)
• windows 10 tutorial (#​6100)
• Explain how to override theme styles (#​6107)
• updated Bash on Ubuntu on Windows link in tutorial (#​6111)
• Fix wording in _docs/templates.md links section (#​6114)
• Update windows.md (#​6115)
• Added windows to docs.yml (#​6109)
• Be more specific on what to upload (#​6119)
• Remove Blank Newlines from "Jekyll on Windows" Page (#​6126)
• Link the troubleshooting page in the quickstart page (#​6134)
• add documentation about the "pinned" label (#​6147)
• docs(JekyllOnWindows): Add a new Installation way (#​6141)
• corrected windows.md (#​6149)
• Refine documentation for Windows (#​6153)

Development Fixes

• Rubocop: add missing comma (#​5835)
• Appease classifier-reborn (#​5934)
• Allow releases & development on *-stable branches (#​5926)
• Add script/backport-pr (#​5925)
• Prefer .yaml over .toml (#​5966)
• Fix Appveyor with DST-aware cucumber steps (#​5961)
• Use Rubocop v0.47.1 till we're ready for v0.48 (#​5989)
• Test against Ruby 2.4.0 (#​5687)
• rubocop: lib/jekyll/renderer.rb complexity fixes (#​5052)
• Use yajl-ruby 1.2.2 (now with 2.4 support) (#​6007)
• Bump Rubocop to v0.48 (#​5997)
• doc use example.com (#​6031)
• fix typo (#​6040)
• Fix CI (#​6044)
• Remove ruby RUBY_VERSION from generated Gemfile (#​5803)
• Test if hidden collections output a document with a future date (#​6103)
• Add test for uri_escape on reserved characters (#​6086)
• Allow you to specify the rouge version via an environment variable for testing (#​6138)
• Bump Rubocop to 0.49.1 (#​6093)
• Lock nokogiri to 1.7.x for Ruby 2.1 (#​6140)

Site Enhancements

• Corrected date for version 3.4.0 (#​5842)
• Add the correct year to the 3.4.0 release date (#​5858)
• Add documentation about order of interpretation (#​5834)
• Documentation on how to build navigation (#​5698)
• Navigation has been moved out from docs (#​5927)
• Make links in sidebar for current page more prominent (#​5820)
• Update normalize.css to v6.0.0 (#​6008)
• Docs: rename gems to plugins (#​6082)
• plugins -> gems (#​6110)
• Document difference between cgi_escape and uri_escape #​5970 (#​6081)

Bug Fixes

• Exclude Gemfile by default (#​5860)
• Convertible#validate_permalink!: ensure the return value of data["permalink"] is a string before asking if it is empty (#​5878)
• Allow abbreviated post dates (#​5920)
• Remove dependency on include from default about.md (#​5903)
• Allow colons in uri_escape filter (#​5957)
• Re-surface missing public methods in Jekyll::Document (#​5975)
• absolute_url should not mangle URL if called more than once (#​5789)
• patch URLFilters to prevent // (#​6058)
• add test to ensure variables work in where_exp condition (#​5315)
• Read explicitly included dot-files in collections. (#​6092)
• Default baseurl to nil instead of empty string (#​6137)
• Filters#time helper: Duplicate time before calling #localtime. (#​5996)

v3.4.5

Compare Source

• Backport #​6185 for v3.4.x: Always normalize the result of the relative_url filter (#​6186)

v3.4.4

Compare Source

• Backport #​6137 for v3.4.x: Default baseurl to nil instead of empty string (#​6146)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: docs/Gemfile.lock

Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/2.4.3/ruby-2.4.3-jammy-x86_64.tar.xz
Download failed, retrying
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/2.4.3/ruby-2.4.3-jammy-x86_64.tar.xz
Download failed, retrying
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/2.4.3/ruby-2.4.3-jammy-x86_64.tar.xz
Download failed: https://github.com/containerbase/ruby-prebuild/releases/download/2.4.3/ruby-2.4.3-jammy-x86_64.tar.xz
{"level":50,"time":1770107793402,"pid":1017,"hostname":"jr-microvm","msg":"Request failed with status code 404 (Not Found): GET https://github.com/containerbase/ruby-prebuild/releases/download/2.4.3/ruby-2.4.3-jammy-x86_64.tar.xz"}
{"level":60,"time":1770107793403,"pid":1017,"hostname":"jr-microvm","msg":"Download failed in 77ms."}
{"level":50,"time":1770107793466,"pid":946,"hostname":"jr-microvm","msg":"Command failed with exit code 1: bash /usr/local/containerbase/bin/v2-install-tool.sh install ruby 2.4.3"}
{"level":60,"time":1770107793467,"pid":946,"hostname":"jr-microvm","msg":"Install tool ruby failed in 2.1s."}