Thanks for submitting a pull request! Below are a few things you can do to help us more quickly review your changes.
Checklist
I have…
[x] run the application locally (./scripts/serve) and verified that my changes behave as expected.
[x] run the build process locally (./scripts/build) and made sure it builds correctly.
[x] run the test suite (./scripts/test) and verified that all tests pass.
[x] summarized below my changes and noted which issues (if any) this pull request fixes or addresses.
[ ] thoroughly outlined below the steps necessary to test my changes.
[ ] attached screenshots illustrating relevant behavior before and after my changes.
[x] read, understand, and agree to the terms described in CONTRIBUTING.md.
[ ] added my name, email address, and copyright date to CONTRIBUTORS.md.
Summary of Changes
This pull request updates the nokogiri and kramdown gems in response to dependabot alerts about those two dependencies.
kramdown to 2.3.0
Vulnerable versions: < 2.3.0
Patched version: 2.3.0
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
nokogiri to 1.11.1
In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.
This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.
Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity".
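As an added illustration (not part of this pull request or of either gem's own code), the following stdlib-only Ruby script audits a Gemfile.lock against the two version ranges quoted in the advisories above. It uses RubyGems' Gem::Version, which orders prerelease tags correctly (so 1.11.0.rc3 sorts below 1.11.0), and it is run here against two constructed lockfile fragments that stand in for the state before and after this update.

```ruby
# Added example (not part of this pull request): a stdlib-only audit that reads a
# Gemfile.lock and flags gems whose versions fall inside the advisory ranges quoted
# above. Gem::Version (RubyGems) handles prerelease ordering, so 1.11.0.rc3 < 1.11.0.
require "rubygems"

# Vulnerable ranges and patched versions as stated in the advisories above.
ADVISORIES = {
  "kramdown" => { patched: "2.3.0",
                  vulnerable: ->(v) { v < Gem::Version.new("2.3.0") } },       # < 2.3.0
  "nokogiri" => { patched: "1.11.1",
                  vulnerable: ->(v) { v <= Gem::Version.new("1.11.0.rc3") } }, # <= 1.11.0.rc3
}.freeze

# True when version_string of gem_name is inside a known-vulnerable range.
def vulnerable?(gem_name, version_string)
  advisory = ADVISORIES[gem_name]
  return false unless advisory
  advisory[:vulnerable].call(Gem::Version.new(version_string))
end

# Parse the "specs:" section of a Gemfile.lock into { gem name => Gem::Version }.
# Direct spec entries are indented exactly four spaces ("    name (version)");
# deeper-indented lines are a spec's dependencies and are ignored. A platform
# suffix such as "1.11.1-x86_64-linux" is stripped before the version is parsed.
def parse_lockfile_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    in_specs = false if line =~ /\A\S/          # a column-0 heading ends the section
    in_specs = true  if line.strip == "specs:"
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)\s]+)\)/))
      version = m[2].split("-", 2).first
      specs[m[1]] = Gem::Version.new(version)
    end
  end
  specs
end

# Return one finding per vulnerable gem present in the lockfile text.
def audit_lockfile(lock_text)
  parse_lockfile_specs(lock_text).each_with_object([]) do |(name, version), findings|
    next unless vulnerable?(name, version.to_s)
    findings << { gem: name, installed: version.to_s, patched: ADVISORIES[name][:patched] }
  end
end

# Constructed lockfile fragments: roughly the state this PR moves from and to.
LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      kramdown (2.2.1)
        rexml
      nokogiri (1.10.10)
        mini_portile2 (~> 2.4.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    kramdown
    nokogiri
LOCK

LOCK_AFTER = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      kramdown (2.3.0)
        rexml
      nokogiri (1.11.1)
        mini_portile2 (~> 2.5.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    kramdown
    nokogiri
LOCK

if $PROGRAM_NAME == __FILE__
  { "before" => LOCK_BEFORE, "after" => LOCK_AFTER }.each do |label, lock|
    findings = audit_lockfile(lock)
    puts "#{label}: #{findings.empty? ? 'no vulnerable gems' : findings.inspect}"
  end
end
```

The ranges are hard-coded from the two advisories quoted in this PR, so the script is only a check that the lockfile actually landed on the patched versions; it is not a substitute for dependabot or bundler-audit, which track the full advisory database.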