Bumps nokogiri from 1.8.2 to 1.8.4. This update includes security fixes.
Vulnerabilities fixed
*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-8048.yml).*
> **Revert libxml2 behavior in Nokogiri gem that could cause XSS**
> [MRI] Behavior in libxml2 has been reverted which caused
> CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and
> CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is
> here:
>
> https://github.com/GNOME/libxml2/commit/960f0e2
>
> and more information is available about this commit and its impact
> here:
>
> https://github-redirect.dependabot.com/flavorjones/loofah/issues/144
>
> This release simply reverts the libxml2 commit in question to protect
> users of Nokogiri's vendored libraries from similar vulnerabilities.
>
> If you're offended by what happened here, I'd kindly ask that you
> comment on the upstream bug report here:
>
> https://bugzilla.gnome.org/show_bug.cgi?id=769760
>
> Patched versions: >= 1.8.3
> Unaffected versions: none
Changelog
*Sourced from [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md).*
> # 1.8.4 / 2018-07-03
>
> ## Bug fixes
>
> * [MRI] Fix memory leak when creating nodes with namespaces. (Introduced in v1.5.7) [#1771]
>
>
> # 1.8.3 / 2018-06-16
>
> ## Security Notes
>
> [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here:
>
> > https://github.com/GNOME/libxml2/commit/960f0e2
>
> and more information is available about this commit and its impact here:
>
> > https://github-redirect.dependabot.com/flavorjones/loofah/issues/144
>
> This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities.
>
> If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here:
>
> > https://bugzilla.gnome.org/show_bug.cgi?id=769760
>
>
> ## Dependencies
>
> * [MRI] libxml2 is updated from 2.9.7 to 2.9.8
>
>
> ## Features
>
> * Node#classes, #add_class, #append_class, and #remove_class are added.
> * NodeSet#append_class is added.
> * NodeSet#remove_attribute is a new alias for NodeSet#remove_attr.
> * NodeSet#each now returns an Enumerator when no block is passed (Thanks, [**park53kr**](https://github.com/park53kr)!)
> * [JRuby] General improvements in JRuby implementation (Thanks, [**kares**](https://github.com/kares)!)
>
>
> ## Bug fixes
>
> * CSS attribute selectors now gracefully handle queries using integers. [#711]
> * Handle ASCII-8BIT encoding on fragment input [#553]
> * Handle non-string return values within `Reader` [#898]
> * [JRuby] Allow Node#replace to insert Comment and CDATA nodes. [#1666]
> * [JRuby] Stability and speed improvements to `Node`, `Sax::PushParser`, and the JRuby implementation [#1708, [#1710](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1710), #1501]
Commits
- [`254f341`](https://github.com/sparklemotion/nokogiri/commit/254f3414811b6d2fff8b0630efe4ce8d29778fb6) version bump to v1.8.4
- [`056f66d`](https://github.com/sparklemotion/nokogiri/commit/056f66df44fb274de3c950df586a71a9a74c05ae) enforcing formatting in xml_node.c
- [`ca4f9b2`](https://github.com/sparklemotion/nokogiri/commit/ca4f9b262ba4cbf7e6c47e55a8a5d5024665fd93) Merge branch '1771-memory-leak'
- [`0d26561`](https://github.com/sparklemotion/nokogiri/commit/0d26561bd7821dfe1c02b8dd0c82e8a1f510cc49) fix memory leak with creating nodes with a namespace
- [`117ca2e`](https://github.com/sparklemotion/nokogiri/commit/117ca2e067dbbf054bef9078c79387c8170d2156) README format
- [`20e11c3`](https://github.com/sparklemotion/nokogiri/commit/20e11c3f976395ee94982fcc893950d66490222f) version bump to 1.8.3
- [`be8a240`](https://github.com/sparklemotion/nokogiri/commit/be8a2405ba1667fbed0a841a4580d89ef1b52bda) update CHANGELOG
- [`06ac6ba`](https://github.com/sparklemotion/nokogiri/commit/06ac6bac8c4beb615aafd05180742d68efcd83d4) Merge branch '1765-enumerator'
- [`00bafb7`](https://github.com/sparklemotion/nokogiri/commit/00bafb76a82e03ce7f5042833d836f3742842e78) add test coverage for NodeSet#each enum
- [`75517e0`](https://github.com/sparklemotion/nokogiri/commit/75517e03aab9171a03527d315f64c258f1f0ef5d) '#each' returns enumerator when no block given
- Additional commits viewable in [compare view](https://github.com/sparklemotion/nokogiri/compare/v1.8.2...v1.8.4)
(This is an example of the kind of PRs Dependabot creates, so you can see it in action alongside #438. It won't automatically rebase or any of the clever stuff Dependabot normally does because I've manually copied it across, though.)
Coverage remained the same at 92.221% when pulling 2983f20a6a5e609766cdaa58e45d11b745bc7fd0 on greysteil:dependabot/bundler/nokogiri-1.8.4 into 1b9adfd4a350f2b64cd60500a17406328ebd46f9 on ivaldi:master.
Bumps nokogiri from 1.8.2 to 1.8.4. This update includes security fixes.
Vulnerabilities fixed
*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-8048.yml).* > **Revert libxml2 behavior in Nokogiri gem that could cause XSS** > [MRI] Behavior in libxml2 has been reverted which caused > CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and > CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is > here: > > https://github.com/GNOME/libxml2/commit/960f0e2 > > and more information is available about this commit and its impact > here: > > https://github-redirect.dependabot.com/flavorjones/loofah/issues/144 > > This release simply reverts the libxml2 commit in question to protect > users of Nokogiri's vendored libraries from similar vulnerabilities. > > If you're offended by what happened here, I'd kindly ask that you > comment on the upstream bug report here: > > https://bugzilla.gnome.org/show_bug.cgi?id=769760 > > Patched versions: >= 1.8.3 > Unaffected versions: noneChangelog
*Sourced from [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md).* > # 1.8.4 / 2018-07-03 > > ## Bug fixes > > * [MRI] Fix memory leak when creating nodes with namespaces. (Introduced in v1.5.7) [#1771] > > > # 1.8.3 / 2018-06-16 > > ## Security Notes > > [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here: > > > https://github.com/GNOME/libxml2/commit/960f0e2 > > and more information is available about this commit and its impact here: > > > https://github-redirect.dependabot.com/flavorjones/loofah/issues/144 > > This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities. > > If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here: > > > https://bugzilla.gnome.org/show_bug.cgi?id=769760 > > > ## Dependencies > > * [MRI] libxml2 is updated from 2.9.7 to 2.9.8 > > > ## Features > > * Node#classes, #add_class, #append_class, and #remove_class are added. > * NodeSet#append_class is added. > * NodeSet#remove_attribute is a new alias for NodeSet#remove_attr. > * NodeSet#each now returns an Enumerator when no block is passed (Thanks, [**park53kr**](https://github.com/park53kr)!) > * [JRuby] General improvements in JRuby implementation (Thanks, [**kares**](https://github.com/kares)!) > > > ## Bug fixes > > * CSS attribute selectors now gracefully handle queries using integers. [#711] > * Handle ASCII-8BIT encoding on fragment input [#553] > * Handle non-string return values within `Reader` [#898] > * [JRuby] Allow Node#replace to insert Comment and CDATA nodes. [#1666] > * [JRuby] Stability and speed improvements to `Node`, `Sax::PushParser`, and the JRuby implementation [#1708, [#1710](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1710), #1501]Commits
- [`254f341`](https://github.com/sparklemotion/nokogiri/commit/254f3414811b6d2fff8b0630efe4ce8d29778fb6) version bump to v1.8.4 - [`056f66d`](https://github.com/sparklemotion/nokogiri/commit/056f66df44fb274de3c950df586a71a9a74c05ae) enforcing formatting in xml_node.c - [`ca4f9b2`](https://github.com/sparklemotion/nokogiri/commit/ca4f9b262ba4cbf7e6c47e55a8a5d5024665fd93) Merge branch '1771-memory-leak' - [`0d26561`](https://github.com/sparklemotion/nokogiri/commit/0d26561bd7821dfe1c02b8dd0c82e8a1f510cc49) fix memory leak with creating nodes with a namespace - [`117ca2e`](https://github.com/sparklemotion/nokogiri/commit/117ca2e067dbbf054bef9078c79387c8170d2156) README format - [`20e11c3`](https://github.com/sparklemotion/nokogiri/commit/20e11c3f976395ee94982fcc893950d66490222f) version bump to 1.8.3 - [`be8a240`](https://github.com/sparklemotion/nokogiri/commit/be8a2405ba1667fbed0a841a4580d89ef1b52bda) update CHANGELOG - [`06ac6ba`](https://github.com/sparklemotion/nokogiri/commit/06ac6bac8c4beb615aafd05180742d68efcd83d4) Merge branch '1765-enumerator' - [`00bafb7`](https://github.com/sparklemotion/nokogiri/commit/00bafb76a82e03ce7f5042833d836f3742842e78) add test coverage for NodeSet#each enum - [`75517e0`](https://github.com/sparklemotion/nokogiri/commit/75517e03aab9171a03527d315f64c258f1f0ef5d) '#each' returns enumerator when no block given - Additional commits viewable in [compare view](https://github.com/sparklemotion/nokogiri/compare/v1.8.2...v1.8.4)(This is an example of the kind of PRs Dependabot creates, so you can see it in action alongside #438. It won't automatically rebase or any of the clever stuff Dependabot normally does because I've manually copied it across, though.)