Bump puma from 5.1.1 to 6.0.0

[dependabot[bot]]

Bumps puma from 5.1.1 to 6.0.0.

Release notes

Sourced from puma's releases.

5.6.5 / 2022-08-23

• Bugfixes
  • NullIO#closed should return false (#2883)
  • Puma::ControlCLI - allow refork command to be sent as a request (#2868, #2866)
  • [jruby] Fix TLS verification hang (#2890, #2729)
  • extconf.rb - don't use pkg_config('openssl') if '--with-openssl-dir' is used (#2885, #2839)
  • MiniSSL - detect SSL_CTX_set_dh_auto (#2864, #2863)
  • Fix rack.after_reply exceptions breaking connections (#2861, #2856)
  • Escape SSL cert and filenames (#2855)
  • Fail hard if SSL certs or keys are invalid (#2848)
  • Fail hard if SSL certs or keys cannot be read by user (#2847)
  • Fix build with Opaque DH in LibreSSL 3.5. (#2838)
  • Pre-existing socket file removed when TERM is issued after USR2 (if puma is running in cluster mode) (#2817)
  • Fix Puma::StateFile#load incompatibility (#2810)

5.6.4

• Security
  • Close several HTTP Request Smuggling exploits (CVE-2022-24790)

The 5.6.3 release was a mistake (released the wrong branch), 5.6.4 is correct.

5.6.2 / 2022-02-11

• Bugfix/Security
  • Response body will always be closed. (GHSA-rmj8-8hhh-gv5h, related to #2809)

5.6.1

Bugfixes

• Reverted a commit which appeared to be causing occasional blank header values (see issue #2808) (#2809)

Full Changelog: https://github.com/puma/puma/compare/v5.6.0...v5.6.1

5.6.0 - Birdie's Version

Maintainer @​nateberkopec had a daughter, nicknamed Birdie:

5.6.0 / 2022-01-25

• Features

  • Support localhost integration in ssl_bind (#2764, #2708)
  • Allow backlog parameter to be set with ssl_bind DSL (#2780)
  • Remove yaml (psych) requirement in StateFile (#2784)
  • Allow culling of oldest workers, previously was only youngest (#2773, #2794)
  • Add worker_check_interval configuration option (#2759)
  • Always send lowlevel_error response to client (#2731, #2341)
  • Support for cert_pem and key_pem with ssl_bind DSL (#2728)

• Bugfixes

... (truncated)

Changelog

Sourced from puma's changelog.

6.0.0 / 2022-10-XX

• Breaking Changes

  • Dropping Ruby 2.2 and 2.3 support (now 2.4+) (#2919)
  • Remote_addr functionality has changed (#2652, #2653)
  • No longer supporting Java 1.7 or below (JRuby 9.1 was the last release to support this) (#2849)
  • Remove nakayoshi GC (#2933, #2925)
  • wait_for_less_busy_worker is now default on (#2940)
  • Prefix all environment variables with PUMA_ (#2924, #2853)
  • Removed some constants (#2957, #2958, #2959, #2960)
  • The following classes are now part of Puma's private API: Client, Cluster::Worker, Cluster::Worker, HandleRequest. (#2988)

• Features

  • Increase throughput on large (100kb+) response bodies by 3-10x (#2896, #2892)
  • Increase throughput on file responses (#2923)
  • Add support for streaming bodies in Rack. (#2740)
  • Allow OpenSSL session reuse via a 'reuse' ssl_bind method or bind string query parameter (#2845)
  • Allow run_hooks to pass a hash to blocks for use later (#2917, #2915)
  • Allow using preload_app! with fork_worker (#2907)
  • Support request_body_wait metric with higher precision (#2953)
  • Allow header values to be arrays (Rack 3) (#2936, #2931)
  • Export Puma/Ruby versions in /stats (#2875)
  • Allow configuring request uri max length & request path max length (#2840)
  • Add a couple of public accessors (#2774)
  • Log entire backtrace when worker start fails (#2891)
  • [jruby] Enable TLSv1.3 support (#2886)
  • [jruby] support setting TLS protocols + rename ssl_cipher_list (#2899)
  • [jruby] Support a truststore option (#2849, #2904, #2884)

• Bugfixes

  • Load the configuration before passing it to the binder (#2897)
  • Do not raise error raised on HTTP methods we don't recognize or support, like CONNECT (#2932, #1441)
  • Fixed a memory leak when creating a new SSL listener (#2956)

• Refactor

  • log_writer.rb - add internal_write method (#2888)
  • [WIP] Refactor: Split out LogWriter from Events (no logic change) (#2798)
  • Extract prune_bundler code into it's own class. (#2797)
  • Refactor Launcher#run to increase readability (no logic change) (#2795)
  • Ruby 3.2 will have native IO#wait_* methods, don't require io/wait (#2903)
  • Various internal API refactorings (#2942, #2921, #2922, #2955)

5.6.5 / 2022-08-23

• Feature

  • Puma::ControlCLI - allow refork command to be sent as a request (#2868, #2866)

• Bugfixes

  • NullIO#closed should return false (#2883)
  • [jruby] Fix TLS verification hang (#2890, #2729)

... (truncated)

Commits

• 32d9997 6.0.0 (#2918)
• 8159aa4 Use :nodoc: to limit public API (#2988)
• 2719585 Rework low level error tests (#2980)
• ebeb8b4 require securerandom for all tests (#2982)
• dd2fb5a CONTRIBUTING: spell out how to change ulimit (#2983)
• 5d5bcb1 [CI] test files - use unlink in ensure when appropriate (#2984)
• 838c136 [CI] misc updates to test files (#2979)
• 9770678 [CI] PR #2976 - Fix RuboCop mistake - test/test_integration_cluster.rb (#2978)
• fa65cf7 103 RuboCop fixes (#2976)
• 673a9e7 [CI] fixup test_plugin.rb, change IO.select to IO#wait_* (#2975)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)