Bump nokogiri from 1.11.7 to 1.13.7

[dependabot[bot]]

Bumps nokogiri from 1.11.7 to 1.13.7.

Release notes

Sourced from nokogiri's releases.

1.13.7 / 2022-07-12

Fixed

XML::Node objects, when compacted, update their internal struct's reference to the Ruby object wrapper. Previously, with GC compaction enabled, a segmentation fault was possible after compaction was triggered. [#2578] (Thanks, @​eightbitraptor!)

---

sha256 checksums:

16facd06367325b75bba1575ee87ee4c695e017ab7d447106ed2c00d6211db43  nokogiri-1.13.7-aarch64-linux.gem
69a1705a1f2be838bd0a778c1ff04ea58f847a41c3b5159de012617abba53f86  nokogiri-1.13.7-arm64-darwin.gem
6f26c7ed388406541ddc10cf7ea670cebe8f08a37e69be60503687374f835e1a  nokogiri-1.13.7-java.gem
3952cb78db8d107942ec7f3096d417f4d5d77bf44ae812c488bc49269d1dde6a  nokogiri-1.13.7-x64-mingw-ucrt.gem
e836c387eae9c6c93d4870db0d50e4d9505edd28100eef80c38a70d4481c09ed  nokogiri-1.13.7-x64-mingw32.gem
194484866cd0d100ee6e207a69611a63ece9e0cf305e42d449f244526e102f63  nokogiri-1.13.7-x86-linux.gem
f75903e7a1fbb896b8bd6e4ed895a0fc1760e7334b9c7faf2593f491907a9e26  nokogiri-1.13.7-x86-mingw32.gem
d41b8c9f609b3eecb129da52b9605bc833e464b9b9132c29a0c2115e5ea0ab57  nokogiri-1.13.7-x86_64-darwin.gem
dcb36fd4e75782e7b1b3315f464a0942b230497cd21d296a24d90b0d3620a9d0  nokogiri-1.13.7-x86_64-linux.gem
6ca1d753334418e749beb9bb69515a906451c9abfb9a5b060a36650419b61052  nokogiri-1.13.7.gem

1.13.6 / 2022-05-08

Security

• [CRuby] Address CVE-2022-29181, improper handling of unexpected data types, related to untrusted inputs to the SAX parsers. See GHSA-xh29-r2w5-wx8m for more information.

Improvements

• {HTML4,XML}::SAX::{Parser,ParserContext} constructor methods now raise TypeError instead of segfaulting when an incorrect type is passed.

---

sha256:

58417c7c10f78cd1c0e1984f81538300d4ea98962cfd3f46f725efee48f9757a  nokogiri-1.13.6-aarch64-linux.gem
a2b04ec3b1b73ecc6fac619b41e9fdc70808b7a653b96ec97d04b7a23f158dbc  nokogiri-1.13.6-arm64-darwin.gem
4437f2d03bc7da8854f4aaae89e24a98cf5c8b0212ae2bc003af7e65c7ee8e27  nokogiri-1.13.6-java.gem
99d3e212bbd5e80aa602a1f52d583e4f6e917ec594e6aa580f6aacc253eff984  nokogiri-1.13.6-x64-mingw-ucrt.gem
a04f6154a75b6ed4fe2d0d0ff3ac02f094b54e150b50330448f834fa5726fbba  nokogiri-1.13.6-x64-mingw32.gem
a13f30c2863ef9e5e11240dd6d69ef114229d471018b44f2ff60bab28327de4d  nokogiri-1.13.6-x86-linux.gem
63a2ca2f7a4f6bd9126e1695037f66c8eb72ed1e1740ef162b4480c57cc17dc6  nokogiri-1.13.6-x86-mingw32.gem
2b266e0eb18030763277b30dc3d64337f440191e2bd157027441ac56a59d9dfe  nokogiri-1.13.6-x86_64-darwin.gem
3fa37b0c3b5744af45f9da3e4ae9cbd89480b35e12ae36b5e87a0452e0b38335  nokogiri-1.13.6-x86_64-linux.gem
b1512fdc0aba446e1ee30de3e0671518eb363e75fab53486e99e8891d44b8587  nokogiri-1.13.6.gem
</tr></table> 

... (truncated)

Changelog

Sourced from nokogiri's changelog.

1.13.7 / 2022-07-12

Fixed

XML::Node objects, when compacted, update their internal struct's reference to the Ruby object wrapper. Previously, with GC compaction enabled, a segmentation fault was possible after compaction was triggered. [#2578] (Thanks, @​eightbitraptor!)

1.13.6 / 2022-05-08

Security

• [CRuby] Address CVE-2022-29181, improper handling of unexpected data types, related to untrusted inputs to the SAX parsers. See GHSA-xh29-r2w5-wx8m for more information.

Improvements

• {HTML4,XML}::SAX::{Parser,ParserContext} constructor methods now raise TypeError instead of segfaulting when an incorrect type is passed.

1.13.5 / 2022-05-04

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2022-29824. See GHSA-cgx6-hpwq-fhv5 for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated from v2.9.13 to v2.9.14.

Improvements

• [CRuby] The libxml2 HTML parser no longer exhibits quadratic behavior when recovering some broken markup related to start-of-tag and bare < characters.

Changed

• [CRuby] The libxml2 HTML parser in v2.9.14 recovers from some broken markup differently. Notably, the XML CDATA escape sequence <![CDATA[ and incorrectly-opened comments will result in HTML text nodes starting with <! instead of skipping the invalid tag. This behavior is a direct result of the quadratic-behavior fix noted above. The behavior of downstream sanitizers relying on this behavior will also change. Some tests describing the changed behavior are in test/html4/test_comments.rb.

1.13.4 / 2022-04-11

Security

• Address CVE-2022-24836, a regular expression denial-of-service vulnerability. See GHSA-crjr-9rc5-ghw8 for more information.
• [CRuby] Vendored zlib is updated to address CVE-2018-25032. See GHSA-v6gp-9mmm-c6p5 for more information.
• [JRuby] Vendored Xerces-J (xerces:xercesImpl) is updated to address CVE-2022-23437. See GHSA-xxx9-3xcr-gjj3 for more information.
• [JRuby] Vendored nekohtml (org.cyberneko.html) is updated to address CVE-2022-24839. See GHSA-gx8x-g87m-h5q6 for more information.

... (truncated)

Commits

• 88b4730 version bump to v1.13.7
• 25fb3c8 doc: update CHANGELOG
• e7f3eea dep: lock rubocop and rubocop-shopify
• a13241e Merge pull request #2588 from sparklemotion/fix-compaction-on-nodes_backport-...
• d15d1f4 dep: lock rake-compiler-dock to 1.2.2
• 5f63c8b test: add memcheck suppressions
• ffe2669 Only add compaction callback on Rubies that support it
• ab306bb Only check compaction on platforms that support it
• 2b82282 Add compaction callback to nodes
• 720d6f4 Add a "node unwrap" macro and use it
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[vercel[bot]]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated
middleman-template	✅ Ready (Inspect)	Visit Preview	Jul 12, 2022 at 8:05PM (UTC)

[dependabot[bot]]

Superseded by #62.