ComputerScienceHouse / blog

A public blog for CSH
MIT License
3 stars 53 forks source link

Bump nokogiri from 1.8.1 to 1.8.5 #85

Closed dependabot[bot] closed 5 years ago

dependabot[bot] commented 5 years ago

Bumps nokogiri from 1.8.1 to 1.8.5.

Changelog *Sourced from [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md).* > ## 1.8.5 / 2018-10-04 > > ### Security Notes > > [MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in [#1785](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1785). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2. > > > ### Bug fixes > > * [MRI] Fix regression in installation when building against system libraries, where some systems would not be able to find libxml2 or libxslt when present. (Regression introduced in v1.8.3.) [#1722](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1722) > * [JRuby] Fix node reparenting when the destination doc is empty. [#1773](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1773) > > > ## 1.8.4 / 2018-07-03 > > ### Bug fixes > > * [MRI] Fix memory leak when creating nodes with namespaces. (Introduced in v1.5.7) [#1771](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1771) > > > ## 1.8.3 / 2018-06-16 > > ### Security Notes > > [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here: > > > https://github.com/GNOME/libxml2/commit/960f0e2 > > and more information is available about this commit and its impact here: > > > [#144](https://github-redirect.dependabot.com/flavorjones/loofah/issues/144) > > This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities. > > If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here: > > > https://bugzilla.gnome.org/show_bug.cgi?id=769760 > > > ### Dependencies > > * [MRI] libxml2 is updated from 2.9.7 to 2.9.8 > > > ### Features > > * Node#classes, #add_class, #append_class, and #remove_class are added. > * NodeSet#append_class is added. > * NodeSet#remove_attribute is a new alias for NodeSet#remove_attr. > * NodeSet#each now returns an Enumerator when no block is passed (Thanks, [@​park53kr](https://github.com/park53kr)!) > ... (truncated)
Commits - [`e28fa4b`](https://github.com/sparklemotion/nokogiri/commit/e28fa4bb2ed6844c3c63f58062d034e7b99fc90c) version bump to v1.8.5 - [`712edef`](https://github.com/sparklemotion/nokogiri/commit/712edef8a8c7fa593e09517891d336758af42cba) update changelog - [`7feb4c1`](https://github.com/sparklemotion/nokogiri/commit/7feb4c167a9ae1ba4e87923597ba7e7b309b1713) Merge branch 'fix-1773' - [`7cc6cf6`](https://github.com/sparklemotion/nokogiri/commit/7cc6cf6a74bd718b46182f0e646b63ff0a00f728) Organize imports in XmlNode.java. - [`1697442`](https://github.com/sparklemotion/nokogiri/commit/169744261c5c023dff40de0811a826ad4d1fcc05) Allow reparenting nodes to be a child of an empty document. - [`7b8cd0f`](https://github.com/sparklemotion/nokogiri/commit/7b8cd0f5b15a926e92c869b450dd6f71cdd17b61) Merge pull request [#1786](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1786) from sparklemotion/1785-canonical-usns - [`5bff4bb`](https://github.com/sparklemotion/nokogiri/commit/5bff4bb3f1692069c617f4333b2ccc5570f0f414) pull in upstream libxml2 patches - [`c232226`](https://github.com/sparklemotion/nokogiri/commit/c232226448a44bb81220d3750a6453a0aef88fb1) changelog - [`862b88f`](https://github.com/sparklemotion/nokogiri/commit/862b88f39264b7b5e223a63e3d4d0eeade4db9ff) changelog - [`b3750eb`](https://github.com/sparklemotion/nokogiri/commit/b3750eb71e101287aa0e7a231232222c7213b3f3) remove `-Wextra` CFLAG - Additional commits viewable in [compare view](https://github.com/sparklemotion/nokogiri/compare/v1.8.1...v1.8.5)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
dependabot[bot] commented 5 years ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.