GitLab

Bullet gem helps to detect N+1 problems for SQL queries. It mostly
recognized the simple cases, but even those are regularly encountered
in our code base.

In order to enable the gem, one should ENABLE_BULLET=1. Then bullet
notifications will appear in the js console. Unfortunately, js console
messages don't call to action.

What about putting the notifications in the Performance bar?

This adds support for the deflate encoding:
https://github.com/hsanson/asciidoctor-plantuml/pull/12

Currently this can only be changed by setting the `PLANTUML_ENCODING`
environment variable to `deflate`.

Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/216587

This removes deprecated influxdb libraries and gem.

This version also requires rack-attack 6.3.0 or else Rails won't boot.

We also remove patches that are no longer needed

This upgrades the `json` gem but by default maintains the old way
of handling parsing as this is relied upon in a few places. This
also adds support for a `legacy_mode` flag when parsing, which will
be added manually to areas that require this in future. Currently
the legacy_mode is the default.

Fixes: gitlab-org/gitlab#216567

Use gsub instead of the liquid gem to perform variable substitution in
the Prometheus proxy API, and remove the liquid gem.

To render ReStructuredText files, the gitlab-markup gem spawns a python3
process via `Popen.open3`. If the stdout buffer exceeded the maximum
size, the pipe would be filled, causing a 60-second timeout on the
backend.

This version bump brings in the change in
https://gitlab.com/gitlab-org/gitlab-markup/-/merge_requests/23

Closes https://gitlab.com/gitlab-org/gitlab/-/issues/13244

The latest re2 library released on Homebrew does not compile with this
gem: https://github.com/mudge/re2/issues/40. Update this gem to make
that work.

Currently there is a mismatch between the email addresses
that are accepted by the Devise email regular expression and
what is an actual valid email address according to RFC 3696 and
what will therefore be sent reliably by most SMTP servers.

This commit replaces the use of Devise's default regex with
the valid_email gem which is stricter.

Related Issue: https://gitlab.com/gitlab-org/gitlab/-/issues/215919

The stable version is now released

This reverts merge request !27276

This upgrade fixes a problem that caused a single listener to monopolize
a Unicorn worker. By default, GitLab Omnibus configures Unicorn to
listen both on a UNIX domain socket and a TCP socket. One of those
sockets can be starved if many requests are queued
(https://yhbt.net/unicorn-public/20200416092457.GA5000@dcvr/).

Full list of changes:
https://github.com/defunkt/unicorn/compare/v5.4.1...v5.5.5

Closes https://gitlab.com/gitlab-org/gitlab/-/issues/213257

This brings in Ruby 2.7 suport and a number of fixes:
https://github.com/ruby-grape/grape/blob/master/CHANGELOG.md

1. Move all inherited Grape::API -> Grape::API::Instance
2. Remove use of Virtus since this has been removed from Grape.
3. Extract Rack::Response from API error
4. Grape v1.2.3 pulled in a fix used in SafeFile:
https://github.com/ruby-grape/grape/pull/1844, so we no longer need
to maintain our custom type.
5. Adapt WorkhorseFile with the latest changes to make custom types work
with Grape and dry-types.
6. Ensure Array[String] is coerced properly.

The change from Virtus to dry-types now requires all strings to be
coerced to arrays. Before this was done within Virtus.

7. Coerce Array[Integer] types to arrays of integers

The change from Virtus to dry-types now requires all strings to be
coerced to arrays of integers. Before this was done within Virtus.

This was already done in Gitaly
(https://gitlab.com/gitlab-org/gitaly/-/merge_requests/2090), so keep
this in sync to minimize disk space and install time.

This allows us to use `RequestStore.store=` in specs. Which we can use
to isolate values for sidekiq jobs.

This is a follow-up to the Rack v2.0.9 update. These changes should not
affect GitLab because we use the redis-store gem for storing cookies
instead of the built-in options (e.g. CacheStore, MemCacheStore,
etc.). We also don't use rails/ujs yet. Full list of changes in Rails:

https://github.com/rails/rails/compare/v6.0.2..v6.0.2.2

This reverts merge request !27741

NOTE: The upgrade is backwards compatible with existing sessions, but
the upgrade of redis-rack v2.1.2 changed Redis keys from
`session:gitlab:<random hex value>` to `session:gitlab:2::<hash of hex
value>`. If a session does not have a key in the new schema, it will be
created transparently. The old session key will eventually be expired
automatically.

To upgrade to rack 2.0.9, we need to do the following:

1. Fix ActiveSession to use new Rack::Session::SessionId
2. Add a monkey patch for ActionController::TestSessionPatch

Controller tests were failing without the changes in
https://github.com/rails/rails/pull/38063, which is available on the
Rails `6-0-stable` branch but not in Rails 6.0.2.2.

3. Remove CGI escaping of ActiveSession keys. This was not needed
because CGI escaping was already being done by Rails.

4. Fix deletion of Rack session keys with ActiveSession

redis-rack v2.1.2 changed the session key from one based on the public
ID to the private ID. We need to adapt ActiveSession to delete both
versions of the key to clear out old data and to make it work with the
redis-rack key name changes.

We don't need our custom fork anymore since the PR has been
accepted upstream

This brings extended `Include` folders for Rails/FindBy cop.

We've removed all instances of `set` and have moved them all over to
use `let_it_be`

This includes the new related_class field.

To be used for encrypting terraform state files. See
https://gitlab.com/gitlab-org/gitlab/issues/207401.

This contains Ruby 2.7 support, some bug fixes, and upstream support
sufficient to replace our TotalTimeFlatPrinter.

This reverts merge request !20521

- Fix how we call include_graphql_fields
from described_class.new to described_class
- Fix require_graphql_authorizations matcher
- Update have_graphql_type and have_graphql_resolver
- Fix how we call require_graphql_authorizations
from described_class.new to described_class
- Fix how we call have_graphql_fields
from described_class.new to described_class
- Fix how we call have_graphql_field
from described_class.new to described_class
- Add `field_with_params` graphql helper
- Fix how `field_type` determines type
- Use `resolve_field` instead of `resolve`
so that `extras` metadata is properly processed
- Fix returned error message check

We need to manually require stdlib classes and classes from gems
that don't get required by default in the Gemfile

Gitaly v1.84.0 removes the branch parameter from the UserSquash RPC in
https://gitlab.com/gitlab-org/gitaly/merge_requests/1786 because the
target branch isn't actually relevant to squash. Only the start and end
SHA matter here because squash is concerned primarily about collapsing
commits from the source, not target, branch.

- https://gitlab.com/gitlab-org/gitlab-puma/-/compare/v4.3.1.gitlab.2...v4.3.3.gitlab.2
- Fixes CVE-2020-5247

A new `field` parameter was added to the resolver initializers,
requiring several changes