🚨 [security] Update rubocop-rails 2.24.1 → 2.34.2 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ rubocop-rails (2.24.1 → 2.34.2) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ rubocop-performance (1.23.1 → 1.25.0) · Repo · Changelog

Release Notes

1.25.0

New features

• #496: Support it block parameter in Performance cops. (@koic)

Bug fixes

• #494: Fix Performance/FixedSize false positive when count is called with a numblock. (@dvandersluis)
• #492: Fix false positives for Performance/StringIdentifierArgument when using interpolated string argument. (@koic)

Changes

• #482: Change Performance/CollectionLiteralInLoop to not register offenses for Array#include? that are optimized directly in Ruby. (@earlopain)

1.24.0

New features

• #490: Pluginfy RuboCop Performance. (@koic)
• #462: Add new Performance/ZipWithoutBlock cop that checks patterns like .map { |id| [id] } or .map { [_1] } and can replace them with .zip. (@corsonknowles)

Bug fixes

• #484: Fix Performance/CaseWhenSplat cop error on when node without body. (@viralpraxis)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ standard (1.45.0 → 1.52.0) · Repo · Changelog

Release Notes

1.52.0 (from changelog)

• Updates rubocop to 1.81.7

1.51.1 (from changelog)

• Fixes Layout/EmptyLineAfterGuardClause back to false after #750

1.51.0 (from changelog)

• Updates rubocop to 1.81.2

1.50.0 (from changelog)

• Updates rubocop to 1.75.5

1.49.0 (from changelog)

• Updates standard performance to 1.8.0

1.48.0 (from changelog)

• Updates rubocop to 1.75.2

1.47.0 (from changelog)

• Updates standard performance to 1.7.0

1.46.0 (from changelog)

• Updates rubocop to 1.73.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ast (indirect, 2.4.2 → 2.4.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ benchmark (indirect, 0.4.1 → 0.5.0) · Repo

Release Notes

0.5.0

What's Changed

• Add Benchmark.ms method and enhance realtime with unit parameter by @nvasilevski in #38

New Contributors

• @nvasilevski made their first contribution in #38

Full Changelog: v0.4.1...v0.5.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ bigdecimal (indirect, 3.2.2 → 3.3.1) · Repo · Changelog

Release Notes

3.3.1

What's Changed

• Fix modulo/remainder of negative zero by @tompng in #441
• Unify all precision validation to be consistent with BigDecimal#add by @tompng in #442
• Bump version to 3.3.1 by @tompng in #443

Full Changelog: v3.3.0...v3.3.1

3.3.0

What's Changed

• Allow calling Rational#to_d without arguments by @fsateler in #421
• Fix test_no_memory_leak failure by @tompng in #424
• Change BigMath.sin and cos to always calculate in relative precision. by @tompng in #422
• Faster exp calculation by @tompng in #399
• Rename assert_relative_precision to assert_converge_in_precision by @tompng in #425
• Add support for tangent function by @rhannequin in #231
• Make bigdecimal.rb work in JRuby by @tompng in #420
• BigMath methods common interface: coerce x, validate prec, check nan error by @tompng in #415
• Round result of sqrt and BigMath methods by @tompng in #427
• Update example calculation result in BigMath document by @tompng in #428
• BigMath.log(0,n)==-Infinity just like Math.log(0) by @tompng in #430
• Fix divmod and modulo by infinity to match Float#divmod and Float#modulo by @tompng in #429
• Bump step-security/harden-runner from 2.13.0 to 2.13.1 by @dependabot[bot] in #431
• Make internal BigMath method a private method by @tompng in #432
• Improve performance of x**y when y is a huge value by @tompng in #438
• Fix precision of x.power(y, prec) when the result is nearly infinity by @tompng in #439
• Bump version to 3.3.0 by @tompng in #437

New Contributors

• @fsateler made their first contribution in #421

Full Changelog: v3.2.3...v3.3.0

3.2.3

What's Changed

• Fix sign of bigdecimal**bigint by @tompng in #341
• Fix BigMath.atan precision safe margin by @tompng in #320
• Fix typo in BigDecimal#scale comment by @timcraft in #348
• Allow BigDecimal accept Float without precision by @mrzasa in #314
• Fix edgecase segfault of BigDecimal#remainder by @tompng in #349
• Fix precision of BigMath.sin(x,prec) and BigMath.cos(x,prec) for large x by @tompng in #346
• Fix wrong converge check in VpSqrt by @tompng in #353
• Bump step-security/harden-runner from 2.12.0 to 2.12.1 by @dependabot[bot] in #356
• Ensure BigMath.sin and BigMath.cos to be within -1..1 by @tompng in #317
• Remove BigDecimal_divremain(which has a bug) and use BigDecimal_DoDivmod instead by @tompng in #351
• Bump step-security/harden-runner from 2.12.1 to 2.12.2 by @dependabot[bot] in #359
• Remove back pointer from Real to VALUE by @tompng in #344
• Update docs for #to_d core extensions by @dduugg in #360
• Fix compiling issue (when BIGDECIMAL_DEBUG is 1) by @tompng in #363
• Use a correct term: engineering notation -> scientific notation by @mame in #365
• Fix to_f underflow check when DECDIG is uint16_t by @tompng in #364
• Fix VpNumOfChars calculation for the longest case by @tompng in #366
• Fix a bug that exponent overflow is ignored in add, sub, mult and div operation by @tompng in #367
• Fix dump/load bigdecimal with few or large precs by @tompng in #362
• Refactor AddExponent overflow/underflow check by @tompng in #368
• Strict BigDecimal("0.1e#{exponent}") exponent overflow/underflow check by @tompng in #369
• Add DECDIG=16bit CI workflow by @tompng in #370
• Fix wrong multiplying BASE_FIG in precision calculation by @tompng in #372
• Remove debug print by @tompng in #375
• Remove unused #define macros by @tompng in #376
• VpDivd bugfix by @tompng in #374
• Fix VpDivd to fully use quotient array by @tompng in #377
• Add RB_GC_GUARD to test-only methods by @tompng in #378
• Use minimum necessary division precision in BigDecimal_DoDivmod by @tompng in #371
• Remove dead code and ineffective optimization path form VpDivd by @tompng in #379
• Implement exp, log, power and ** in ruby by @tompng in #347
• Remove unused "# define" macros by @tompng in #382
• Bump step-security/harden-runner from 2.12.2 to 2.13.0 by @dependabot[bot] in #383
• VpFormatSt O(n^2) to O(n) by @tompng in #384
• Ignore ndigits passed to BigDecimal(string, ndigits) by @tompng in #385
• Better error message for negative**intinite and zero-converge case fix by @tompng in #386
• Refactor truncate floor and ceil duplicated part by @tompng in #387
• Fix exp log power to raise "Computation results in Infinity/NaN" in EXCEPTION_INFINITY/EXCEPTION_NaN mode by @tompng in #389
• Reduce guard obj by @tompng in #390
• Remove ENTER and GUARD_OBJ macro by @tompng in #391
• Coerce to bigdecimal refactor by @tompng in #392
• Coerce rational with the given prec in exp, log and power calculation by @tompng in #393
• Unify coerce prec calculation by @tompng in #394
• Use bool instead of Qtrue/Qfalse for normal c boolish value by @tompng in #395
• Fix adjusting x to 0.3..3 in log calculation by @tompng in #397
• missing.h cleanup by @tompng in #396
• Hide internal method of BigMath into BigDecimal::Internal by @tompng in #400
• Remove gc_compaction test by @tompng in #401
• Bump actions/checkout from 4 to 5 by @dependabot[bot] in #402
• Fix VpMult result size calculation by @tompng in #403
• Fix GetAddSubPrec calculation by @tompng in #406
• Fix PrecLimit not restored on exception by @tompng in #405
• Fix div,modulo,remainder and divmod precision when prec limit is specified by @tompng in #408
• Fix x.fix and x.frac affected by prec limit, Stop -x and x.abs round with prec limit by @tompng in #409
• Don't use ZeroWrapLimited. Use unlimited version instead. by @tompng in #410
• Fix x / y precision when prec limit is huge by @tompng in #412
• Calculate exp, log, pow with the given prec even if prec limit is set by @tompng in #411
• Simplify to_i logic by @tompng in #413
• Add BigMath::E and BigMath::PI precision test by @tompng in #414
• Rewrite BigDecimal#sqrt in ruby with improved Newton's method by @tompng in #381
• Update bigdecimal version used in benchmark from 3.0.0 to 3.1.1 by @tompng in #416
• Implement BigDecimal#_decimal_shift for internal use by @tompng in #324
• In JRuby, don't add sqrt, exp, log, power implemented in ruby by @tompng in #417
• Add JRuby minimum ci by @tompng in #418
• Bump version to 3.2.3 by @tompng in #419

New Contributors

• @timcraft made their first contribution in #348
• @dduugg made their first contribution in #360

Full Changelog: v3.2.2...v3.2.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ connection_pool (indirect, 2.5.3 → 2.5.5) · Repo · Changelog

Release Notes

2.5.5 (from changelog)

• Support ConnectionPool::TimedStack#pop(exception: false) [#207] to avoid using exceptions as control flow.

2.5.4 (from changelog)

• Add ability to remove a broken connection from the pool [#204, womblep]

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ json (indirect, 2.10.2 → 2.16.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ language_server-protocol (indirect, 3.17.0.4 → 3.17.0.5) · Repo · Changelog

Release Notes

3.17.0.5 (from changelog)

• Use JSON.generate() instead to improve performance (#115)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.25.5 → 5.26.2) · Repo · Changelog

Release Notes

5.26.2 (from changelog)

• 5 bug fixes:

  • Bumped minimum ruby to 3.1.

  • Alias Spec#name to #inspect for cleaner output in repls.

  • Fix pathing for Hoe::Minitest initialization to be more generic.

  • Fixed refute_in_epsilon to use min of abs values. (wtn)

  • Improved options processing and usage output to be more clear.

5.26.1 (from changelog)

The Ocean Shores, Slightly Less Tipsy Edition!

• 3 bug fixes:

  • Add links to API doco in README.

  • Add missing require thread.

  • Bumped ruby version to include 4.0 (trunk). (hsbt) (see also 5.14.2)

5.26.0 (from changelog)

The Seattle.rb Nerd Party, Slightly Tipsy Edition!

• 2 minor enhancements:

  • Added extra documentation to Minitest::TestTask options.

  • Make parallelize_me! a no-op when n_threads=1.

• 9 bug fixes:

  • Bypass parallel_executor entirely when n_threads=1.

  • Don’t require rubygems in Rakefile… it is 2025.

  • Ensure that minitest exits non-zero on Interrupt. (tavianator)

  • Fix Minitest.run sequence rdoc to include loop vars and read consistently.

  • Fix call to parallel_executor.shutdown when it isn’t defined.

  • Removed some 1.8/1.9-based code from the assertions and expectations.

  • Still fighting with rdoc? Yup. Still fighting with rdoc…

  • Switched assert_equal’s diff from Tempfile.open to Tempfile.create.

  • Use Regexp.escape for BASE_RE in case pwd has special chars. (astra_1993)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ parallel (indirect, 1.26.3 → 1.27.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ parser (indirect, 3.3.7.1 → 3.3.10.0) · Repo · Changelog

Release Notes

3.3.10.0 (from changelog)

API modifications:

• Bump maintenance branches to 3.3.10 (#1083) (Koichi ITO)

3.3.9.0 (from changelog)

API modifications:

• Bump maintenance branches to 3.3.9 (#1080) (Koichi ITO)
• Bump maintenance branches to 3.2.9 (#1079) (Koichi ITO)

3.3.8.0 (from changelog)

API modifications:

• Bump maintenance branches to 3.3.8 (#1077) (Koichi ITO)
• YARD docs for Parser::CurrentRuby and Parser::Base#version (#1076) (Vince Broz)

3.3.7.4 (from changelog)

Bugs fixed:

• lexer-strings.rb: Avoid an exception on utf8 surrogate pair codepoints (#1051) (Earlopain)
• builder.rb: emit kwargs node for indexasgn when opted in (#1053) (Earlopain)
• builder.rb: correctly handle ... forwarding to super with explicit block (#1049) (Earlopain)
• numbered parameters are valid for pattern matching pinning (#1060) (Earlopain)

3.3.7.3 (from changelog)

API modifications:

• Bump maintenance branches to 3.2.8 and 3.1.7 (#1074) (Koichi ITO)

3.3.7.2 (from changelog)

Features implemented:

• add prism-specific node types (#1071) (Earlopain)

Bugs fixed:

• builder.rb: fix hash value omission considering some local vars as constants (#1064) (Earlopain)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rack (indirect, 3.2.0 → 3.2.4) · Repo · Changelog

Security Advisories 🚨

🚨 Rack has a Possible Information Disclosure Vulnerability

Summary

A possible information disclosure vulnerability existed in Rack::Sendfile when running behind a proxy that supports x-sendfile headers (such as Nginx). Specially crafted headers could cause Rack::Sendfile to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.

Details

When Rack::Sendfile received untrusted x-sendfile-type or x-accel-mapping headers from a client, it would interpret them as proxy configuration directives. This could cause the middleware to send a "redirect" response to the proxy, prompting it to reissue a new internal request that was not subject to the proxy's access controls.

An attacker could exploit this by:

1. Setting a crafted x-sendfile-type: x-accel-redirect header.
2. Setting a crafted x-accel-mapping header.
3. Requesting a path that qualifies for proxy-based acceleration.

Impact

Attackers could bypass proxy-enforced restrictions and access internal endpoints intended to be protected (such as administrative pages). The vulnerability did not allow arbitrary file reads but could expose sensitive application routes.

This issue only affected systems meeting all of the following conditions:

• The application used Rack::Sendfile with a proxy that supports x-accel-redirect (e.g., Nginx).
• The proxy did not always set or remove the x-sendfile-type and x-accel-mapping headers.
• The application exposed an endpoint that returned a body responding to .to_path.

Mitigation

• Upgrade to a fixed version of Rack which requires explicit configuration to enable x-accel-redirect:

  use Rack::Sendfile, "x-accel-redirect"

• Alternatively, configure the proxy to always set or strip the headers (you should be doing this!):

  proxy_set_header x-sendfile-type x-accel-redirect;
  proxy_set_header x-accel-mapping /var/www/=/files/;

• Or in Rails applications, disable sendfile completely:

  config.action_dispatch.x_sendfile_header = nil

🚨 Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing

Summary

Rack::Request#POST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.read(nil) without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.

Details

When handling non-multipart form submissions, Rack’s request parser performs:

form_vars = get_header(RACK_INPUT).read

Since read is called with no argument, the entire request body is loaded into a Ruby String. This occurs before query parameter parsing or enforcement of any params_limit. As a result, Rack applications without an upstream body-size limit can experience unbounded memory allocation proportional to request size.

Impact

Attackers can send large application/x-www-form-urlencoded bodies to consume process memory, causing slowdowns or termination by the operating system (OOM). The effect scales linearly with request size and concurrency. Even with parsing limits configured, the issue occurs before those limits are enforced.

Mitigation

• Update to a patched version of Rack that enforces form parameter limits using query_parser.bytesize_limit, preventing unbounded reads of application/x-www-form-urlencoded bodies.
• Enforce strict maximum body size at the proxy or web server layer (e.g., Nginx client_max_body_size, Apache LimitRequestBody).

🚨 Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)

Summary

Rack::Multipart::Parser buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.

Details

While searching for the first boundary, the parser appends incoming data into a shared buffer (@sbuf.concat(content)) and scans for the boundary pattern:

@sbuf.scan_until(@body_regex)

If the boundary is not yet found, the parser continues buffering data indefinitely. There is no trimming or size cap on the preamble, allowing attackers to send arbitrary amounts of data before the first boundary.

Impact

Remote attackers can trigger large transient memory spikes by including a long preamble in multipart/form-data requests. The impact scales with allowed request sizes and concurrency, potentially causing worker crashes or severe slowdown due to garbage collection.

Mitigation

• Upgrade: Use a patched version of Rack that enforces a preamble size limit (e.g., 16 KiB) or discards preamble data entirely per RFC 2046 § 5.1.1.
• Workarounds:
  • Limit total request body size at the proxy or web server level.
  • Monitor memory and set per-process limits to prevent OOM conditions.

🚨 Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)

Summary

Rack::Multipart::Parser stores non-file form fields (parts without a filename) entirely in memory as Ruby String objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).

Details

During multipart parsing, file parts are streamed to temporary files, but non-file parts are buffered into memory:

body = String.new  # non-file → in-RAM buffer
@mime_parts[mime_index].body << content

There is no size limit on these in-memory buffers. As a result, any large text field—while technically valid—will be loaded fully into process memory before being added to params.

Impact

Attackers can send large non-file fields to trigger excessive memory usage. Impact scales with request size and concurrency, potentially leading to worker crashes or severe garbage-collection overhead. All Rack applications processing multipart form submissions are affected.

Mitigation

• Upgrade: Use a patched version of Rack that enforces a reasonable size cap for non-file fields (e.g., 2 MiB).
• Workarounds:
  • Restrict maximum request body size at the web-server or proxy layer (e.g., Nginx client_max_body_size).
  • Validate and reject unusually large form fields at the application level.

🚨 Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)

Summary

Rack::Multipart::Parser can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (CRLFCRLF). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).

Details

While reading multipart headers, the parser waits for CRLFCRLF using:

@sbuf.scan_until(/(.*?\r\n)\r\n/m)

If the terminator never appears, it continues appending data (@sbuf.concat(content)) indefinitely. There is no limit on accumulated header bytes, so a single malformed part can consume memory proportional to the request body size.

Impact

Attackers can send incomplete multipart headers to trigger high memory use, leading to process termination (OOM) or severe slowdown. The effect scales with request size limits and concurrency. All applications handling multipart uploads may be affected.

Mitigation

• Upgrade to a patched Rack version that caps per-part header size (e.g., 64 KiB).
• Until then, restrict maximum request sizes at the proxy or web server layer (e.g., Nginx client_max_body_size).

Release Notes

3.2.4 (from changelog)

Fixed

• Multipart parser: limit MIME header size check to the unread buffer region to avoid false multipart mime part header too large errors when previously read data accumulates in the scan buffer. (#2392, @alpaca-tc, @willnet, @krororo)

3.2.2 (from changelog)

Security

• CVE-2025-61772 Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
• CVE-2025-61771 Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
• CVE-2025-61770 Unbounded multipart preamble buffering enables DoS (memory exhaustion)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ regexp_parser (indirect, 2.10.0 → 2.11.3) · Repo · Changelog

Release Notes

2.11.3 (from changelog)

Fixed

• correctly emit backslash-escaped UTF8 characters in character classes as one token (#104)
  • thanks to Earlopain for the report and fix

2.11.2 (from changelog)

Added

• enable frozen string literals (#98)
  • thanks to Geremia Taglialatela

Fixed

• scan with correct encoding when passing regopt individually (#102)
  • thanks to Earlopain for the report

2.11.1 (from changelog)

Fixed

• restored compatibility with Ruby < 2.6, broken in regexp_parser v2.11.0
  • thanks to DanielFinkWoven for the report

2.11.0 (from changelog)

Added

• a new token :escape, :utf8_hex and expression EscapeSequence::UTF8Hex
  • used for UTF-8 hex escapes, e.g. \xE2\x82\xAC representing U+20AC "€"

Fixed

• detection of numeric backrefs > 9, e.g. ((((((((((foo))))))))))\10
  • these are only backrefs in Ruby if sufficient groups have been opened
  • they were previously always scanned as octal or literal escapes

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rubocop (indirect, 1.71.2 → 1.81.7) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rubocop-ast (indirect, 1.38.1 → 1.48.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ standard-performance (indirect, 1.6.0 → 1.8.0) · Repo · Changelog

Release Notes

1.8.0 (from changelog)

• Updates rubocop-performance from 1.24.0 to 1.25.0

1.7.0 (from changelog)

• Updates rubocop-performance from 1.23.0 to 1.24.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ unicode-display_width (indirect, 3.1.4 → 3.2.0) · Repo · Changelog

Release Notes

3.2.0 (from changelog)

• Unicode 17.0

3.1.5 (from changelog)

• Cache Emoji support level for performance reasons #30, patch by @Earlopain:

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ unicode-emoji (indirect, 4.0.4 → 4.1.0) · Repo · Changelog

Release Notes

4.1.0 (from changelog)

• Unicode 17
• Update valid subdivisions to CLDR 47 (no changes)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 prism (added, 1.6.0)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

Go to the Depfu Dashboard to see the state of your dependencies and to customize how Depfu works.

[depfu]

Closed in favor of #854.