🚨 [security] Update loofah: 2.14.0 → 2.19.1 (minor)

[depfu[bot]]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ loofah (indirect, 2.14.0 → 2.19.1) · Repo · Changelog

Security Advisories 🚨

🚨 Inefficient Regular Expression Complexity in Loofah

Summary

Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Severity

The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

• CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)
• https://hackerone.com/reports/1684163

Credit

This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).

🚨 Improper neutralization of data URIs may allow XSS in Loofah

Summary

Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs.

Mitigation

Upgrade to Loofah >= 2.19.1.

Severity

The Loofah maintainers have evaluated this as Medium Severity 6.1.

References

• CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
• SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg
• https://hackerone.com/reports/1694173
• #101

Credit

This vulnerability was responsibly reported by Maciej Piechota (@haqpl).

🚨 Uncontrolled Recursion in Loofah

Summary

Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

Severity

The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

• CWE - CWE-674: Uncontrolled Recursion (4.9)

Release Notes

2.19.0

2.19.0 / 2022-09-14

Features

• Allow SVG 1.0 color keyword names in CSS attributes. These colors are part of the CSS Color Module Level 3 recommendation released 2022-01-18. [#243]

2.18.0

2.18.0 / 2022-05-11

Features

• Allow CSS property aspect-ratio. [#236] (Thanks, @louim!)

2.17.0

2.17.0 / 2022-04-28

Features

• Allow ARIA attributes. [#232, #233] (Thanks, @nick-desteffen!)

2.16.0

2.16.0 / 2022-04-01

Features

• Allow MathML elements menclose and ms, and MathML attributes dir, href, lquote, mathsize, notation, and rquote. [#231] (Thanks, @nick-desteffen!)

2.15.0

2.15.0 / 2022-03-14

Features

• Expand set of allowed protocols to include sms:. [#228] (Thanks, @brendon!)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.13.3 → 1.13.10) · Repo · Changelog

Security Advisories 🚨

🚨 Unchecked return value from xmlTextReaderExpand

Summary

Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.

For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

Mitigation

Upgrade to Nokogiri >= 1.13.10.

Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

• CWE - CWE-252: Unchecked Return Value (4.9)
• CWE - CWE-476: NULL Pointer Dereference (4.9)

Credit

This vulnerability was responsibly reported by @davidwilemski.

🚨 Improper Handling of Unexpected Data Type in Nokogiri

Summary

Nokogiri < v1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers.
For CRuby users, this may allow specially crafted untrusted inputs to cause illegal
memory access errors (segfault) or reads from unrelated memory.

Severity

The Nokogiri maintainers have evaluated this as High 8.2 (CVSS3.1).

Mitigation

CRuby users should upgrade to Nokogiri >= 1.13.6.

JRuby users are not affected.

Workarounds

To avoid this vulnerability in affected applications, ensure the untrusted input is a
String by calling #to_s or equivalent.

🚨 Integer Overflow or Wraparound in libxml2 affects Nokogiri

Summary

Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from
v2.9.13 to v2.9.14.

libxml2 v2.9.14 addresses CVE-2022-29824.
This version also includes several security-related bug fixes for which CVEs were not created,
including a potential double-free, potential memory leaks, and integer-overflow.

Please note that this advisory only applies to the CRuby implementation of Nokogiri
< 1.13.5, and only if the packaged libraries are being used. If you've overridden
defaults at installation time to use system libraries instead of packaged libraries,
you should instead pay attention to your distro's libxml2 and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.5.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation:
compile and link Nokogiri against external libraries libxml2 >= 2.9.14 which will also
address these same issues.

Impact

libxml2 CVE-2022-29824

• CVSS3 score:
  • Unspecified upstream
  • Nokogiri maintainers evaluate at 8.6 (High) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H). Note that this is different from the CVSS assessed by NVD.
• Type: Denial of service, information disclosure
• Description: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
• Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a24

All versions of libml2 prior to v2.9.14 are affected.

Applications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service.

References

• libxml2 v2.9.14 release notes
• CVE-2022-29824
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

🚨 Inefficient Regular Expression Complexity in Nokogiri

Summary

Nokogiri < v1.13.4 contains an inefficient regular expression that is
susceptible to excessive backtracking when attempting to detect encoding
in HTML documents.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

🚨 XML Injection in Xerces Java affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored xerces:xercesImpl from 2.12.0 to
2.12.2, which addresses CVE-2022-23437.
That CVE is scored as CVSS 6.5 "Medium" on the NVD record.

Please note that this advisory only applies to the JRuby implementation
of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2022-23437 in xerces-J

• Severity: Medium
• Type: CWE-91 XML Injection (aka Blind XPath Injection)
• Description: There's a vulnerability within the Apache Xerces Java
  (XercesJ) XML parser when handling specially crafted XML document payloads.
  This causes, the XercesJ XML parser to wait in an infinite loop, which may
  sometimes consume system resources for prolonged duration. This vulnerability
  is present within XercesJ version 2.12.1 and the previous versions.
• See also: GHSA-h65f-jvqw-m9fj

🚨 Denial of Service (DoS) in Nokogiri on JRuby

Summary

Nokogiri v1.13.4 updates the vendored org.cyberneko.html library to
1.9.22.noko2 which addresses CVE-2022-24839.
That CVE is rated 7.5 (High Severity).

See GHSA-9849-p7jc-9rmv
for more information.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Impact

CVE-2022-24839 in nekohtml

• Severity: High 7.5
• Type: CWE-400 Uncontrolled Resource Consumption
• Description: The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a
  java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup.
• See also: GHSA-9849-p7jc-9rmv

🚨 Out-of-bounds Write in zlib affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored zlib from 1.2.11
to 1.2.12, which addresses CVE-2018-25032.
That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.

Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.4, and only if the packaged version of zlib is being used.
Please see this document
for a complete description of which platform gems vendor zlib. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's zlib
release announcements.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2018-25032 in zlib

• Severity: High
• Type: CWE-787
  Out of bounds write
• Description: zlib before 1.2.12 allows memory corruption when
  deflating (i.e., when compressing) if the input has many distant matches.

Release Notes

1.13.10

1.13.10 / 2022-12-07

Security

• [CRuby] Address CVE-2022-23476, unchecked return value from xmlTextReaderExpand. See GHSA-qv4q-mr5r-qprj for more information.

Improvements

• [CRuby] XML::Reader#attribute_hash now returns nil on parse errors. This restores the behavior of #attributes from v1.13.7 and earlier. [#2715]

---

sha256 checksums:

777ce2e80f64772e91459b943e531dfef387e768f2255f9bc7a1655f254bbaa1  nokogiri-1.13.10-aarch64-linux.gem
b432ff47c51386e07f7e275374fe031c1349e37eaef2216759063bc5fa5624aa  nokogiri-1.13.10-arm64-darwin.gem
73ac581ddcb680a912e92da928ffdbac7b36afd3368418f2cee861b96e8c830b  nokogiri-1.13.10-java.gem
916aa17e624611dddbf2976ecce1b4a80633c6378f8465cff0efab022ebc2900  nokogiri-1.13.10-x64-mingw-ucrt.gem
0f85a1ad8c2b02c166a6637237133505b71a05f1bb41b91447005449769bced0  nokogiri-1.13.10-x64-mingw32.gem
91fa3a8724a1ce20fccbd718dafd9acbde099258183ac486992a61b00bb17020  nokogiri-1.13.10-x86-linux.gem
d6663f5900ccd8f72d43660d7f082565b7ffcaade0b9a59a74b3ef8791034168  nokogiri-1.13.10-x86-mingw32.gem
81755fc4b8130ef9678c76a2e5af3db7a0a6664b3cba7d9fe8ef75e7d979e91b  nokogiri-1.13.10-x86_64-darwin.gem
51d5246705dedad0a09b374d09cc193e7383a5dd32136a690a3cd56e95adf0a3  nokogiri-1.13.10-x86_64-linux.gem
d3ee00f26c151763da1691c7fc6871ddd03e532f74f85101f5acedc2d099e958  nokogiri-1.13.10.gem

1.13.9

1.13.9 / 2022-10-18

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2022-2309, CVE-2022-40304, and CVE-2022-40303. See GHSA-2qc6-mcvw-92cw for more information.
• [CRuby] Vendored zlib is updated to address CVE-2022-37434. Nokogiri was not affected by this vulnerability, but this version of zlib was being flagged up by some vulnerability scanners, see #2626 for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.10.3 from v2.9.14.
• [CRuby] Vendored libxslt is updated to v1.1.37 from v1.1.35.
• [CRuby] Vendored zlib is updated from 1.2.12 to 1.2.13. (See LICENSE-DEPENDENCIES.md for details on which packages redistribute this library.)

Fixed

• [CRuby] Nokogiri::XML::Namespace objects, when compacted, update their internal struct's reference to the Ruby object wrapper. Previously, with GC compaction enabled, a segmentation fault was possible after compaction was triggered. [#2658] (Thanks, @eightbitraptor and @peterzhu2118!)
• [CRuby] Document#remove_namespaces! now defers freeing the underlying xmlNs struct until the Document is GCed. Previously, maintaining a reference to a Namespace object that was removed in this way could lead to a segfault. [#2658]

---

sha256 checksums:

9b69829561d30c4461ea803baeaf3460e8b145cff7a26ce397119577a4083a02  nokogiri-1.13.9-aarch64-linux.gem
e76ebb4b7b2e02c72b2d1541289f8b0679fb5984867cf199d89b8ef485764956  nokogiri-1.13.9-arm64-darwin.gem
15bae7d08bddeaa898d8e3f558723300137c26a2dc2632a1f89c8574c4467165  nokogiri-1.13.9-java.gem
f6a1dbc7229184357f3129503530af73cc59ceba4932c700a458a561edbe04b9  nokogiri-1.13.9-x64-mingw-ucrt.gem
36d935d799baa4dc488024f71881ff0bc8b172cecdfc54781169c40ec02cbdb3  nokogiri-1.13.9-x64-mingw32.gem
ebaf82aa9a11b8fafb67873d19ee48efb565040f04c898cdce8ca0cd53ff1a12  nokogiri-1.13.9-x86-linux.gem
11789a2a11b28bc028ee111f23311461104d8c4468d5b901ab7536b282504154  nokogiri-1.13.9-x86-mingw32.gem
01830e1646803ff91c0fe94bc768ff40082c6de8cfa563dafd01b3f7d5f9d795  nokogiri-1.13.9-x86_64-darwin.gem
8e93b8adec22958013799c8690d81c2cdf8a90b6f6e8150ab22e11895844d781  nokogiri-1.13.9-x86_64-linux.gem
96f37c1baf0234d3ae54c2c89aef7220d4a8a1b03d2675ff7723565b0a095531  nokogiri-1.13.9.gem

1.13.8

1.13.8 / 2022-07-23

Deprecated

• XML::Reader#attribute_nodes is deprecated due to incompatibility between libxml2's xmlReader memory semantics and Ruby's garbage collector. Although this method continues to exist for backwards compatibility, it is unsafe to call and may segfault. This method will be removed in a future version of Nokogiri, and callers should use #attribute_hash instead. [#2598]

Improvements

• XML::Reader#attribute_hash is a new method to safely retrieve the attributes of a node from XML::Reader. [#2598, #2599]

Fixed

• [CRuby] Calling XML::Reader#attributes is now safe to call. In Nokogiri <= 1.13.7 this method may segfault. [#2598, #2599]

---

sha256 checksums:

d6b2c45a57738f12fe27783939fe1394e7049246288c7770d3b1fee7f49432a6  nokogiri-1.13.8-aarch64-linux.gem
00217e48a6995e81dd83014325c0ea0b015023a8922c7bdb2ef1416aa87c1f43  nokogiri-1.13.8-arm64-darwin.gem
9d04c616900e2b5118e501436ebb9bc48520d08f3695d012a314006e28082f72  nokogiri-1.13.8-java.gem
98f7dac7583f07a84ec3fcc01dc03a66fce10f412cd363fce7de749acdb2a42d  nokogiri-1.13.8-x64-mingw-ucrt.gem
117a71b37f2e1d774a9f031d393e72d5d04b92af8036e0c1a8dd509c247b2013  nokogiri-1.13.8-x64-mingw32.gem
6d04342456edfb8fbc041d0c2cf5a59baaa7aacdda414b2333100b02f85d441d  nokogiri-1.13.8-x86-linux.gem
0529d558b4280a55bc7af500d3d4d590b7c059c814a0cea52e4e18cb30c25d15  nokogiri-1.13.8-x86-mingw32.gem
8966d79e687b271df87a4b240456597c43cd98584e3f783fc35de4f066486421  nokogiri-1.13.8-x86_64-darwin.gem
344f1bc66feac787e5b2053c6e9095d1f33605083e58ddf2b8d4eef257bccc5f  nokogiri-1.13.8-x86_64-linux.gem
79c279298b2f22fd4e760f49990c7930436bac1b1cfeff7bacff192f30edea3c  nokogiri-1.13.8.gem

1.13.7

1.13.7 / 2022-07-12

Fixed

XML::Node objects, when compacted, update their internal struct's reference to the Ruby object wrapper. Previously, with GC compaction enabled, a segmentation fault was possible after compaction was triggered. [#2578] (Thanks, @eightbitraptor!)

---

sha256 checksums:

16facd06367325b75bba1575ee87ee4c695e017ab7d447106ed2c00d6211db43  nokogiri-1.13.7-aarch64-linux.gem
69a1705a1f2be838bd0a778c1ff04ea58f847a41c3b5159de012617abba53f86  nokogiri-1.13.7-arm64-darwin.gem
6f26c7ed388406541ddc10cf7ea670cebe8f08a37e69be60503687374f835e1a  nokogiri-1.13.7-java.gem
3952cb78db8d107942ec7f3096d417f4d5d77bf44ae812c488bc49269d1dde6a  nokogiri-1.13.7-x64-mingw-ucrt.gem
e836c387eae9c6c93d4870db0d50e4d9505edd28100eef80c38a70d4481c09ed  nokogiri-1.13.7-x64-mingw32.gem
194484866cd0d100ee6e207a69611a63ece9e0cf305e42d449f244526e102f63  nokogiri-1.13.7-x86-linux.gem
f75903e7a1fbb896b8bd6e4ed895a0fc1760e7334b9c7faf2593f491907a9e26  nokogiri-1.13.7-x86-mingw32.gem
d41b8c9f609b3eecb129da52b9605bc833e464b9b9132c29a0c2115e5ea0ab57  nokogiri-1.13.7-x86_64-darwin.gem
dcb36fd4e75782e7b1b3315f464a0942b230497cd21d296a24d90b0d3620a9d0  nokogiri-1.13.7-x86_64-linux.gem
6ca1d753334418e749beb9bb69515a906451c9abfb9a5b060a36650419b61052  nokogiri-1.13.7.gem

1.13.6

1.13.6 / 2022-05-08

Security

• [CRuby] Address CVE-2022-29181, improper handling of unexpected data types, related to untrusted inputs to the SAX parsers. See GHSA-xh29-r2w5-wx8m for more information.

Improvements

• {HTML4,XML}::SAX::{Parser,ParserContext} constructor methods now raise TypeError instead of segfaulting when an incorrect type is passed.

---

sha256:

58417c7c10f78cd1c0e1984f81538300d4ea98962cfd3f46f725efee48f9757a  nokogiri-1.13.6-aarch64-linux.gem
a2b04ec3b1b73ecc6fac619b41e9fdc70808b7a653b96ec97d04b7a23f158dbc  nokogiri-1.13.6-arm64-darwin.gem
4437f2d03bc7da8854f4aaae89e24a98cf5c8b0212ae2bc003af7e65c7ee8e27  nokogiri-1.13.6-java.gem
99d3e212bbd5e80aa602a1f52d583e4f6e917ec594e6aa580f6aacc253eff984  nokogiri-1.13.6-x64-mingw-ucrt.gem
a04f6154a75b6ed4fe2d0d0ff3ac02f094b54e150b50330448f834fa5726fbba  nokogiri-1.13.6-x64-mingw32.gem
a13f30c2863ef9e5e11240dd6d69ef114229d471018b44f2ff60bab28327de4d  nokogiri-1.13.6-x86-linux.gem
63a2ca2f7a4f6bd9126e1695037f66c8eb72ed1e1740ef162b4480c57cc17dc6  nokogiri-1.13.6-x86-mingw32.gem
2b266e0eb18030763277b30dc3d64337f440191e2bd157027441ac56a59d9dfe  nokogiri-1.13.6-x86_64-darwin.gem
3fa37b0c3b5744af45f9da3e4ae9cbd89480b35e12ae36b5e87a0452e0b38335  nokogiri-1.13.6-x86_64-linux.gem
b1512fdc0aba446e1ee30de3e0671518eb363e75fab53486e99e8891d44b8587  nokogiri-1.13.6.gem

1.13.5

1.13.5 / 2022-05-04

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2022-29824. See GHSA-cgx6-hpwq-fhv5 for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated from v2.9.13 to v2.9.14.

Improvements

• [CRuby] The libxml2 HTML4 parser no longer exhibits quadratic behavior when recovering some broken markup related to start-of-tag and bare < characters.

Changed

• [CRuby] The libxml2 HTML4 parser in v2.9.14 recovers from some broken markup differently. Notably, the XML CDATA escape sequence <![CDATA[ and incorrectly-opened comments will result in HTML text nodes starting with <! instead of skipping the invalid tag. This behavior is a direct result of the quadratic-behavior fix noted above. The behavior of downstream sanitizers relying on this behavior will also change. Some tests describing the changed behavior are in test/html4/test_comments.rb.

---

sha256sum:

aa1bfd0fd0b33110729d4a063b7b02de9419c559eb48a1f8940b74fc638d60ea  nokogiri-1.13.5-aarch64-linux.gem
d0b872786d6c2b44c10a389e585a77c07274a2b5e7211a470f76909c0711f218  nokogiri-1.13.5-arm64-darwin.gem
3f1434c198f0daf46d24c4696a53504beb69b8c15efe0548a7aa17a8378be21d  nokogiri-1.13.5-java.gem
0e60dc107c7e289dd3817acff14a12c9f4447a994a2411f772d6dd1220a35ae6  nokogiri-1.13.5-x64-mingw-ucrt.gem
c9897dd7236738d260b66ac99ea93950fd3a6375f11a9927bf345eec4ec1fde6  nokogiri-1.13.5-x64-mingw32.gem
a81586845f99a16a85586717b0051ce1508a68722a56486582ab09b3255d3b17  nokogiri-1.13.5-x86-linux.gem
e2abaef3af396adee3b0995693d5e690eb826782f7ecddf8b1b6a5a706075cff  nokogiri-1.13.5-x86-mingw32.gem
19360ba28f31562691926d1c542c783fc0ed5f2a145f1329206f8c09e46a85ea  nokogiri-1.13.5-x86_64-darwin.gem
a598598163233ee907472808c0bc7ae4354999e77409e1711b61406066a7afb4  nokogiri-1.13.5-x86_64-linux.gem
e15570ec6d46921a3de5f5b057b027cc0c4f32775353c00e8c8dfbe443741e78  nokogiri-1.13.5.gem

1.13.4

1.13.4 / 2022-04-11

Security

• Address CVE-2022-24836, a regular expression denial-of-service vulnerability. See GHSA-crjr-9rc5-ghw8 for more information.
• [CRuby] Vendored zlib is updated to address CVE-2018-25032. See GHSA-v6gp-9mmm-c6p5 for more information.
• [JRuby] Vendored Xerces-J (xerces:xercesImpl) is updated to address CVE-2022-23437. See GHSA-xxx9-3xcr-gjj3 for more information.
• [JRuby] Vendored nekohtml (org.cyberneko.html) is updated to address CVE-2022-24839. See GHSA-gx8x-g87m-h5q6 for more information.

Dependencies

• [CRuby] Vendored zlib is updated from 1.2.11 to 1.2.12. (See LICENSE-DEPENDENCIES.md for details on which packages redistribute this library.)
• [JRuby] Vendored Xerces-J (xerces:xercesImpl) is updated from 2.12.0 to 2.12.2.
• [JRuby] Vendored nekohtml (org.cyberneko.html) is updated from a fork of 1.9.21 to 1.9.22.noko2. This fork is now publicly developed at https://github.com/sparklemotion/nekohtml

---

sha256sum:

095ff1995ed3dda3ea98a5f08bdc54bef02be1ce4e7c81034c4812e5e7c6e7e3  nokogiri-1.13.4-aarch64-linux.gem
7ebfc7415c819bcd4e849627e879cef2fb328bec90e802e50d74ccd13a60ec75  nokogiri-1.13.4-arm64-darwin.gem
41efd87c121991de26ef0393ac713d687e539813c3b79e454a2e3ffeecd107ea  nokogiri-1.13.4-java.gem
ab547504692ada0cec9d2e4e15afab659677c3f4c1ac3ea639bf5212b65246a1  nokogiri-1.13.4-x64-mingw-ucrt.gem
fa5c64cfdb71642ed647428e4d0d75ee0f4d189cfb63560c66fd8bdf99eb146b  nokogiri-1.13.4-x64-mingw32.gem
d6f07cbcbc28b75e8ac5d6e729ffba3602dffa0ad16ffac2322c9b4eb9b971fc  nokogiri-1.13.4-x86-linux.gem
0f7a4fd13e25abe3f98663fef0d115d58fdeff62cf23fef12d368e42adad2ce6  nokogiri-1.13.4-x86-mingw32.gem
3eef282f00ad360304fbcd5d72eb1710ff41138efda9513bb49eec832db5fa3e  nokogiri-1.13.4-x86_64-darwin.gem
3978610354ec67b59c128d23259c87b18374ee1f61cb9ed99de7143a88e70204  nokogiri-1.13.4-x86_64-linux.gem
0d46044eb39271e3360dae95ed6061ce17bc0028d475651dc48db393488c83bc  nokogiri-1.13.4.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ racc (indirect, 1.6.0 → 1.6.1) · Repo · Changelog

Release Notes

1.6.1

What's Changed

• CI: Add JRuby 9.3, use bundler-cache by @olleolleolle in #173
• Fix names by @nobu in #178
• Update README.rdoc by @jwillemsen in #179
• s/RubyVM::JIT/RubyVM::MJIT/g by @k0kubun in #180
• ci: update to cover Ruby 3.1 by @flavorjones in #181
• Fix typo in sample/calc.y. by @simi in #184
• Added dependabot.yml for actions by @hsbt in #186
• Bump actions/checkout from 2 to 3 by @dependabot in #187
• [DOC] Remove stale Object::ParseError documentation by @nobu in #188
• Strip trailing spaces by @nobu in #189
• Fix flag to Regexp.new by @nobu in #191
• Fix documentation directory name in README by @okuramasafumi in #193
• Make racc test more flexible (for JRuby). by @enebo in #194
• Update racc.en.rhtml by @jwillemsen in #195
• Update README.rdoc by @jwillemsen in #196
• Update racc.gemspec by @jwillemsen in #197
• ci: update jruby versions and add truffleruby by @flavorjones in #198

New Contributors

• @jwillemsen made their first contribution in #179
• @k0kubun made their first contribution in #180
• @simi made their first contribution in #184
• @dependabot made their first contribution in #187
• @okuramasafumi made their first contribution in #193

Full Changelog: v1.6.0...v1.6.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu[bot]]

Closing because this update has already been applied