🚨 [security] [ruby] Update net-imap 0.5.9 → 0.5.15 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ net-imap (indirect, 0.5.9 → 0.5.15) · Repo · Changelog

Security Advisories 🚨

🚨 Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument

Several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals.

Details

Raw data arguments support embedded literal values, both synchronizing and non-synchronizing. Non-synchronizing literals can only be safely sent when the server advertises any of the LITERAL+, LITERAL-, or IMAP4rev2 capabilities. But raw data arguments do not verify server support for non-synchronizing literals prior to sending.

Servers without support for non-synchronizing literals could handle them in several different ways: If a server sees a "}\r\n" byte sequence but can't parse the literal bytesize, it may cautiously decide to close the connection, blocking any command injection attacks. However, a server without support for non-synchronizing literals may instead interpret the "+}\r\n" as the end of a malformed command line and respond with a tagged BAD. In that case, the contents of the literal will be interpreted as one or more new pipelined commands, allowing a CRLF command injection attack to succeed.

This affects the following commands' string arguments:

• criteria for #search and #uid_search
• search_keys for #sort, #thread, #uid_sort, and #uid_thread
• attr for #fetch and #uid_fetch

Prior to net-imap v0.6.4, v0.5.14, and v0.4.24, raw data arguments were not validated in any way, so they were also vulnerable to this attack. See CVE-2026-42257 (GHSA-hm49-wcqc-g2xg).

Impact

Fortunately, LITERAL- is supported by most modern IMAP servers. Even without support for non-synchronizing literals, cautious servers may handle invalid literal bytesize by closing the connection . However, servers which handle a non-synchronizing literal just like any other malformed command will enable this vulnerability.

If a developer passes an unvalidated user-controlled input for one of these method arguments, an attacker can append CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not directly enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system's attributes, e.g.: shared mail folders or the application's installed response handlers.

Mitigation

Update to a version of net-imap which validates server support for non-synchronizing literals before sending them.

If upgrading net-imap is not possible:

• Explicitly validate user-controlled inputs to prevent embedded non-synchronizing literals unless the server supports them.
• For a simpler, more cautious approach: all embedded literals can be unconditionally prohibited, by checking that string inputs do not contain any CR or LF bytes.
• Verify that the server advertises any of the LITERAL+, LITERAL-, or IMAP4rev2 capabilities before using untrusted string inputs for the affected "raw data" arguments.

🚨 Net::IMAP: Denial of Service via incomplete raw argument validation

Summary

Several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will cause the first command to eventually fail, but also prevents it from returning until another command is sent (from another thread). That other command will not return until the connection is closed.

Details

Net::IMAP::RawData was hardened in v0.6.4, v0.5.14, and v0.4.24 to reject string arguments that would smuggle an invalid literal-continuation marker onto the wire (CVE-2026-42257, GHSA-hm49-wcqc-g2xg). But the trailing-marker check uses an incorrect regex which does not match {0} or {0+}, so an attacker-controlled seach criteria or fetch attr string ending in {0} or {0+} passes validation and is sent verbatim. Since these arguments are sent as the last argument in the command, they will be followed by CRLF. Although the CRLF was intended to end the command, the server will interpret it as part of a literal prefix. This consumes the next command the client puts on the socket as additional arguments to the current command.

This affects the following command's arguments:

• criteria for #search and #uid_search
• search_keys for #sort, #thread, #uid_sort, and #uid_thread
• attr for #fetch and #uid_fetch

The command which contained the attacker's raw data will not be able to complete until the next command is issued. If commands are only sent from single thread, the first command will hang until the connection times out (most likely by the server closing the connection).

If a second command is sent (from another thread), this would allow the server to respond to the first command. This combined command will be invalid:

• The {0}\r\n literal prohibits other arguments (such as a quoted string) from spanning both commands
• It will be sent without the space delimiter which is required between arguments.
• The second command's tag will not be a valid argument to any of the vulnerable commands.

So the server should respond to the first command with a BAD response, which will raise a BadResponseError.

But, since the server never saw a second command, the second command will never receive a tagged response and the thread that sent it will hang until the connection is closed.

Impact

This will result in unexpected crashes and timeouts, which could be used to create a simple denial of service attack. This attack will present very similarly to common network issues or server issues which also result in commands hanging or unexpectedly raising exceptions. By itself, this does not allow command injection. But the confusion caused by these errors could lead to other downstream issues, especially in a multi-threaded environment.

Mitigation

Update to a patched version of net-imap which validates that RawData arguments may not end with literal continuation markers.
If net-imap cannot be upgraded:

• Validate that user input to the affected command arguments does not end with "}".
• Use of Timeout or other standard strategies for slow connections and misbehaving servers will also mitigate the effects of this.

Extra caution is required when issuing commands from multiple threads. While net-imap does have rudimentary support for issuing commands from multiple threads, the user is responsible for synchronizing that commands are issued in a logically coherent order, and for ensuring that commands are only pipelined when it is safe to do so. Practically, this means that many commands cannot be safely pipelined together, and user code will often need to wait for state changing commands to successfully complete before issuing commands that rely on that state change.

🚨 Net::IMAP: Command Injection via ID command argument

Summary

Two Net::IMAP commands, #id and #enable, do not validate their arguments. Arguments to either command could be used by an attacker to inject arbitrary IMAP commands.

Please note that passing untrusted inputs to these commands is usually inappropriate and expected to be uncommon.

Details

When Net::IMAP#id is called with a hash argument, although the ID field value strings are correctly quoted (escaping quoted specials), they were not validated to prohibit CRLF sequences.

While Net::IMAP#enable does process its arguments for aliases, it does not validate them as valid atoms (or as a list of valid atoms). The #to_s value is sent verbatim.

Impact

This is expected to impact very few users: use of untrusted user input for either command is expected to be very uncommon.

The documentation for #enable explicitly warns that using any arguments that are not in the explicitly supported list may result in undocumented behavior. Using arbitrary untrusted user input for #enable will always be inappropriate.

Although client ID field values will most commonly be static and hardcoded, dynamic input sources may be used. For example, client ID fields may be set by configuration or version numbers. Using untrusted user inputs for client ID fields is expected to be uncommon. But any untrusted inputs to client ID can trivially exploit this vulnerability.

Untrusted inputs to either command may include a CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not directly enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system's attributes, e.g.: shared mail folders or the application's installed response handlers.

Mitigation

Update to a version of net-imap which validates #id and #enable arguments.

Untrusted inputs should never be used for #enable arguments.

If net-imap cannot be upgraded:

• do not use untrusted inputs for client ID field values
• or add validation that client ID field values must not contain any CR or LF bytes.

🚨 net-imap vulnerable to command Injection via unvalidated Symbol inputs

Summary

Symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via Symbol arguments passed to IMAP commands.

Details

Symbol arguments represent IMAP "system flags", which are formatted as "atoms" (with no quoting) with a "\" prefix. Vulnerable versions of Net::IMAP sends the symbol name directly to the socket, with no validation.

Because the Symbol input is unvalidated, it could contain invalid flag characters, including SP and CRLF, which could be used to finish the current command and inject new commands.

Although IMAP flag arguments are only valid input for a few IMAP commands, most Net::IMAP commands use generic argument handling, and will allow Symbol (flag) inputs.

Note also that the list of valid symbol inputs should be restricted to an enumerated set of standard RFC defined flag types, which have each been given specific defined semantics. Any user-provided values outside of that list of standard "system flags" needs to use the IMAP keyword syntax, which are sent as atoms, i.e: string inputs. Under no circumstances should #to_sym ever be called on unvetted user-provided input: that will always be a bug in the calling code for the simple reason that user_input_atom is as \user_input_atom.

For forward compatibility with future IMAP extentions, Net::IMAP, does not restrict flag inputs to an enumerated list. That is the responsibility of the calling application code, which knows which flag semantics are valid for its context.

Impact

If a developer passes user-controlled input as a Symbol to most Net::IMAP commands, an attacker can append CRLF sequence followed by a new IMAP command (like DELETE mailbox).

Mitigation

• Upgrade to a version of Net::IMAP that validates Symbols are valid as an IMAP flag.

• User-provided input should never be able to control calling #to_sym on string arguments.

  For example, do not unsafely serialize and deserialize command arguments (e.g. with YAML or Marshal) in a way that could create unvetted Symbol arguments.

• For the few IMAP commands which do allow flag arguments, it may be appropriate to hard-code Symbol arguments or restrict them to an enumerated list which is valid for the calling application.

🚨 net-imap vulnerable to STARTTLS stripping via invalid response timing

Summary

A man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.

Details

When using Net::IMAP#starttls to upgrade a plaintext connection to use TLS, a man-in-the-middle attacker can inject a tagged OK response with an easily predictable tag. By sending the response before the client finishes sending the command, the command completes "successfully" before the response handler is registered. This allows #starttls to return without error, but the response handler is never invoked, the TLS connection is never established, and the socket remains unencrypted.

This allows man-in-the-middle attackers to perform a STARTTLS stripping attack, unless the client code explicitly checks Net::IMAP#tls_verified?.

Impact

TLS bypass, leading to cleartext transmission of sensitive information.

Mitigation

• Upgrade to a patched version of net-imap that raises an exception whenever #starttls does not establish TLS.
• Connect to an implicit TLS port, rather than use STARTTLS with a cleartext port.
  This is strongly recommended anyway:
  • RFC 8314: Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access
  • NO STARTTLS: Why TLS is better without STARTTLS, A Security Analysis of STARTTLS in the Email Context
• Explicitly verify Net::IMAP#tls_verified? is true, before using the connection after #starttls.

🚨 net-imap vulnerable to command Injection via "raw" arguments to multiple commands

Summary

Several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands.

Details

Net::IMAP's generic argument handling, used by most command arguments, interprets string arguments as an IMAP astring. Depending on the string contents and the connection's UTF-8 support, this encodes strings as either a atom, quoted, or literal. These are safe from command or argument injection.

But the following commands transform specific String arguments to Net::IMAP::RawData, which bypasses normal argument validation and encoding and prints the string directly to the socket:

• #uid_search, #search
  • when criteria is a String, it is sent raw
• #uid_fetch, #fetch
  • when attr is a String, it is sent raw
  • when attr is an Array, each String in attr is sent raw
• #uid_store, #store
  • when attr is a String, it is sent raw
• #setquota:
  • limit is interpolated with #to_s and that string is sent raw

Because these string arguments are sent without any neutralization, they serve as a direct vector for command splitting. Any user controlled data interpolated into these strings can be used to break out of the intended command context.

Using "raw data" arguments for #uid_store, #store, and #setquota I both inappropriate and unnecessary. Net::IMAP's generic argument handling is sufficient to safely validate and encode their arguments. Users of the library probably do not expect arguments to these commands to be sent raw and might not be wary of passing unvalidated input.

The API for search criteria and fetch attributes is intentionally low-level and "close to the wire". It allows developers to use some IMAP extensions without requiring explicit support from the library and allows developers to use complex IMAP grammar without complex argument translation. Even so, basic validation is appropriate and could neutralize command injection.

Although this was explicitly documented for search criteria, it was insufficiently documented for fetch attr. So developers may not have realized that the attr argument to #fetch and #uid_fetch is sent as "raw data".

Impact

If a developer passes an unvalidated user-controlled input for one of these method arguments, an attacker can append CRLF sequence followed by a new IMAP command (like DELETE mailbox). Although this does not directly enable data exfiltration, it could be combined with other attack vectors or knowledge of the target system's attributes, e.g.: shared mail folders or the application's installed response handlers.

The SEARCH, STORE, and FETCH commands, and their UID variants are some of the most commonly used features of the library. Applications that build search queries or fetch attributes dynamically based on user input (e.g., mail clients or archival tools) may be at significant risk.

Expected use of Net::IMAP#setquota is much more limited: SETQUOTA is often only usable by users with special administrative privileges. Depending on the server, quota administration might be managed through server configuration rather than via the IMAP protocol SETQUOTA command. It is expected to be uncommonly used in system administration scripts or in interactive sessions, it should be completely controlled by trusted users, and should only use trusted inputs. Calling #setquota with untrusted user input is expected to be a very uncommon use case. Please note however this might be combined with other attacks, for example CSRF, which provide unauthorized access to trusted inputs, and may specifically target users or scripts with administrator privileges.

Mitigation

• Update to a patched version of net-imap which:
  • validates that Net::IMAP::RawData is composed of well-formed IMAP text, literal, and literal8 values, with no unescaped NULL, CR, or LF bytes.
  • does not use Net::IMAP::RawData for #store, #uid_store, or #setquota.
• Prefer to send search criteria as an array of key value pairs. Avoid sending it as an interpolated string.
• If an immediate upgrade is not possible:
  • String inputs to search criteria and fetch attributes can be validated against command injection by checking for \r and \n characters.
  • Hard-coding the store attr argument is often appropriate. Alternatively, user controlled inputs can be restricted to a small enumerated list which is valid for the calling application.
  • Use Kernel#Integer to coerce and validate user controlled inputs to #setquota limit.

🚨 net-imap has quadratic complexity when reading response literals

Summary

Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack.

Details

For each literal in a response, ResponseReader rescans the entire growing response buffer. The regular expression that is used to scan the response buffer runs in linear time. With many literals, this becomes O(n²) total work. The regular expression should run in constant time: it is anchored to the end and only the last 23 bytes of the buffer are relevant.

Because the algorithmic complexity is super-linear, this bypasses protection from max_response_size: a response can stay well below the default size limit while still causing very large CPU cost.

Net::IMAP::ResponseReader runs continuously in the receiver thread until the connection closes.

Impact

This consumes disproportionate CPU time in the client's receiver thread. A hostile server could use this to exhaust the client's CPU for a denial of service attack.

For a response near the default max_response_size, each individual regexp scan could take between 100 to 200ms on common modern hardware, and this may be repeated 200k times per megabyte of response. While the regexp is scanning, it retains the Global VM lock, preventing other threads from running.

Although other threads should not be completely blocked, their run time will be significantly impacted.

Mitigation

• Upgrade to a patched version of net-imap that reads responses more efficiently.
• Do not connect to untrusted IMAP servers.
• When connecting to untrusted servers, a much smaller max_response_size (for example: 8KiB) will limit the impact. Although this is too small for fetching unpaginated message bodies, it should be enough for most other operations.

🚨 net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication

Summary

When authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value.

Details

A hostile IMAP server can send an arbitrarily large PBKDF2 iteration count in the SCRAM server-first-message, causing the client to perform an expensive OpenSSL::KDF.pbkdf2_hmac call. Because the PBKDF2 function is a blocking C extension and holds onto Ruby’s Global VM Lock, it can freeze the entire Ruby VM for the duration of the computation.

OpenSSL enforces an effective maximum by using a 32-bit signed integer for the iteration count, Depending on hardware capabilities and OpenSSL version, this iteration count may be sufficient for to block all Ruby threads in the process for over seven minutes.

This is listed as one of the "Security Considerations", in RFC 7804:

A hostile server can perform a computational denial-of-service attack on clients by sending a big iteration count value. In order to defend against that, a client implementation can pick a maximum iteration count that it is willing to use and reject any values that exceed that threshold (in such cases, the client, of course, has to fail the authentication).

Impact

During SCRAM authentication to a hostile server, the entire Ruby VM will be locked for the duration of the computation. Depending on hardware capabilities and OpenSSL version, this may take many minutes.

OpenSSL::KDF.pbkdf2_hmac is a blocking C function, so Timeout cannot be used to guard against this. And it retains the Global VM lock, so other ruby threads will also be unable to run.

Mitigation

• Upgrade to a patched version of net-imap that adds the max_iterations option to the SASL-* authenticators, and call Net::IMAP#authenticate with a max_iterations keyword argument.

  NOTE: The default max_iterations is 2³¹ - 1, the maximum signed 32 bit integer, the maximum allowed by OpenSSL.
  To prevent a denial of service attack, this must be set to a safe value, depending on hardware and version of OpenSSL.
  It is the user's responsibility to enforce minimum and maximum iteration counts that are appropriate for their security context.

• Alternatively, avoid SCRAM-* mechanisms when authenticating to untrusted servers.

Release Notes

0.5.12

What's Changed

TruffleRuby is not (yet) "officially supported" but it seems to work (with a few small caveats). Several tests are still marked as pending, but the rest all pass. #528 protects us from merging PRs that break TruffleRuby and (in some cases) JRuby.

Fixed

• 🐛 Fix loading of net/imap for JRuby/TruffleRuby by @nevans in #530

Miscellaneous

• ✅ Test overriding inherited ::Data methods by @nevans in #531
• ✅ Add TruffleRuby to CI by @nevans in #528

Full Changelog: v0.5.11...v0.5.12

0.5.11

What's Changed

Added

• ✨ Add ESearchResult#to_sequence_set by @nevans in #511
• ✨ Add ESearchResult#each by @nevans in #513
• ✨ Add VanishedData#each, delegated to #uids.each_number by @nevans in #522
• support new Ractor.shareable_proc by @ko1 in #525

Fixed

• 🐛 Fix SearchResult#== for LHS with no modseq by @nevans in #514

Other Changes

• ✨ Allow obj.to_sequence_set => nil in try_convert by @nevans in #512
• ♻️ Allow VanishedData#uids to be SequenceSet.empty by @nevans in #517
• 🥅 Raise ArgumentError for #fetch with partial by @nevans in #521

Documentation

• 📚 Fix rdoc call-seq for uid_expunge by @nevans in #516
• 📚 Add QRESYNC to #enable (docs only) by @nevans in #518

Miscellaneous

• ✅ Organize test files by @nevans in #515
• ✅ Fix flaky tests with FakeServer#Connection#close mutex by @nevans in #520
• Bump step-security/harden-runner from 2.13.0 to 2.13.1 by @dependabot[bot] in #524

New Contributors

• @ko1 made their first contribution in #525

Full Changelog: v0.5.10...v0.5.11

0.5.10

What's Changed

Added

• 🔎 Update SequenceSet#inspect format to Net::IMAP::SequenceSet(#{string}) by @nevans in #501
• ⚡🔎 Abridge SequenceSet#inspect output for more than 512 entries by @nevans in #502

Fixed

• 🐛 Fix spelling of \Remote mailbox attr constant by @voxik in #509

Documentation

• 📚🐛 Fix mistake in SequenceSet#string= rdoc by @nevans in #497
• 📚🐛 Fix SequenceSet creation rdoc example output by @nevans in #499

Other Changes

• 🥅 Improve ArgumentError in SequenceSet#string= by @nevans in #498
• ♻️ Refactor SequenceSet#dup, #clone, and #replace by @nevans in #505

Miscellaneous

• ⬆️ Bump step-security/harden-runner from 2.12.1 to 2.12.2 by @dependabot[bot] in #496
• ⬆️ Bump step-security/harden-runner from 2.12.2 to 2.13.0 by @dependabot[bot] in #500
• 📉 Add SequenceSet benchmarks by @nevans in #485
• 📉 Fix benchmark data for SequenceSet#normalize by @nevans in #503
• ⚡ Add vernier profiler for SequenceSet tests and benchmarks by @nevans in #504
• ⬆️ Bump actions/upload-pages-artifact from 3 to 4 by @dependabot[bot] in #507
• ⬆️ Bump actions/checkout from 4 to 5 by @dependabot[bot] in #506

Full Changelog: v0.5.9...v0.5.10

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ bundler-audit (0.9.2 → 0.9.3) · Repo · Changelog

Release Notes

0.9.3

• Officially support Ruby 3.4, 3.5, and 4.0.
• Added support for Bundler 4.x.
• Fixed typos in API documentation.

CLI

• Ensure that the bundler-audit check command honors the BUNDLER_AUDIT_DB environment variable.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ date (indirect, 3.4.1 → 3.5.1) · Repo · Changelog

Release Notes

3.5.1

What's Changed

• Remove archaic conditions by @nobu in #144
• [DOC] Remove the name from same file references by @nobu in #147
• Call rb_gc_register_mark_object after object allocation by @peterzhu2118 in #149

New Contributors

• @peterzhu2118 made their first contribution in #149

Full Changelog: v3.5.0...v3.5.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ timeout (indirect, 0.4.3 → 0.6.1) · Repo · Changelog

Release Notes

0.6.1

What's Changed

• add test case for string argument by @t-mangoe in #90
• Improve Timeout.timeout documentation formatting and typos by @ybiquitous in #92
• [DOC] document the private instance method by @nobu in #94
• Compatibility with Fiber scheduler. by @ioquatix in #97
• Remove warnings by @etiennebarrie in #99

New Contributors

• @t-mangoe made their first contribution in #90
• @ybiquitous made their first contribution in #92
• @ioquatix made their first contribution in #97
• @etiennebarrie made their first contribution in #99

Full Changelog: v0.6.0...v0.6.1

0.6.0

What's Changed

• Suppress warnings in two tests by @olleolleolle in #71
• Revert "Suppress warnings in two tests" by @nobu in #74
• Only the timeout method should be public on the Timeout module by @eregon in #76
• support Ractor by @ko1 in #75
• Test that Timeout does not expose extra constants by @eregon in #77
• Revert "Exclude constantly-failing test on x86_64-darwin" by @ko1 in #79
• Reset the interrupt mask when creating the Timeout thread by @eregon in #80
• Make Timeout.timeout work in a trap handler on CRuby by @eregon in #81
• Skip signal test on windows by @byroot in #82
• Add windows to CI matrix by @byroot in #83
• Fix failing timeout test by @luke-gruber in #85
• Restore original signal handler in test_timeout_in_trap_handler by @eregon in #87
• Run on Windows for all versions and remove old excludes by @eregon in #84

New Contributors

• @ko1 made their first contribution in #75
• @byroot made their first contribution in #82
• @luke-gruber made their first contribution in #85

Full Changelog: v0.4.4...v0.6.0

0.5.0

What's Changed

• Suppress warnings in two tests by @olleolleolle in #71
• Revert "Suppress warnings in two tests" by @nobu in #74
• Only the timeout method should be public on the Timeout module by @eregon in #76
• support Ractor by @ko1 in #75
• Test that Timeout does not expose extra constants by @eregon in #77

New Contributors

• @ko1 made their first contribution in #75

Full Changelog: v0.4.4...v0.5.0

0.4.4

What's Changed

• Gracefully handle a call to ensure_timeout_thread_created in a signal handler by @eregon in #64
• Add a workflow to sync commits to ruby/ruby by @k0kubun in #69

Full Changelog: v0.4.3...v0.4.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)