search

openware / barong

Barong auth server
https://www.openware.com
Apache License 2.0
139 stars 262 forks source link

Bump nokogiri from 1.12.5 to 1.13.6 #1360

Closed dependabot[bot] closed 2 years ago

dependabot[bot] commented 2 years ago

Bumps nokogiri from 1.12.5 to 1.13.6.

Release notes

Sourced from nokogiri's releases.

1.13.6 / 2022-05-08

Security

  • [CRuby] Address CVE-2022-29181, improper handling of unexpected data types, related to untrusted inputs to the SAX parsers. See GHSA-xh29-r2w5-wx8m for more information.

Improvements

  • {HTML4,XML}::SAX::{Parser,ParserContext} constructor methods now raise TypeError instead of segfaulting when an incorrect type is passed.

sha256:

58417c7c10f78cd1c0e1984f81538300d4ea98962cfd3f46f725efee48f9757a  nokogiri-1.13.6-aarch64-linux.gem
a2b04ec3b1b73ecc6fac619b41e9fdc70808b7a653b96ec97d04b7a23f158dbc  nokogiri-1.13.6-arm64-darwin.gem
4437f2d03bc7da8854f4aaae89e24a98cf5c8b0212ae2bc003af7e65c7ee8e27  nokogiri-1.13.6-java.gem
99d3e212bbd5e80aa602a1f52d583e4f6e917ec594e6aa580f6aacc253eff984  nokogiri-1.13.6-x64-mingw-ucrt.gem
a04f6154a75b6ed4fe2d0d0ff3ac02f094b54e150b50330448f834fa5726fbba  nokogiri-1.13.6-x64-mingw32.gem
a13f30c2863ef9e5e11240dd6d69ef114229d471018b44f2ff60bab28327de4d  nokogiri-1.13.6-x86-linux.gem
63a2ca2f7a4f6bd9126e1695037f66c8eb72ed1e1740ef162b4480c57cc17dc6  nokogiri-1.13.6-x86-mingw32.gem
2b266e0eb18030763277b30dc3d64337f440191e2bd157027441ac56a59d9dfe  nokogiri-1.13.6-x86_64-darwin.gem
3fa37b0c3b5744af45f9da3e4ae9cbd89480b35e12ae36b5e87a0452e0b38335  nokogiri-1.13.6-x86_64-linux.gem
b1512fdc0aba446e1ee30de3e0671518eb363e75fab53486e99e8891d44b8587  nokogiri-1.13.6.gem

1.13.5 / 2022-05-04

Security

Dependencies

  • [CRuby] Vendored libxml2 is updated from v2.9.13 to v2.9.14.

Improvements

  • [CRuby] The libxml2 HTML4 parser no longer exhibits quadratic behavior when recovering some broken markup related to start-of-tag and bare < characters.

Changed

  • [CRuby] The libxml2 HTML4 parser in v2.9.14 recovers from some broken markup differently. Notably, the XML CDATA escape sequence <![CDATA[ and incorrectly-opened comments will result in HTML text nodes starting with &lt;! instead of skipping the invalid tag. This behavior is a direct result of the quadratic-behavior fix noted above. The behavior of downstream sanitizers relying on this behavior will also change. Some tests describing the changed behavior are in test/html4/test_comments.rb.

... (truncated)

Changelog

Sourced from nokogiri's changelog.

1.13.6 / 2022-05-08

Security

  • [CRuby] Address CVE-2022-29181, improper handling of unexpected data types, related to untrusted inputs to the SAX parsers. See GHSA-xh29-r2w5-wx8m for more information.

Improvements

  • {HTML4,XML}::SAX::{Parser,ParserContext} constructor methods now raise TypeError instead of segfaulting when an incorrect type is passed.

1.13.5 / 2022-05-04

Security

Dependencies

  • [CRuby] Vendored libxml2 is updated from v2.9.13 to v2.9.14.

Improvements

  • [CRuby] The libxml2 HTML parser no longer exhibits quadratic behavior when recovering some broken markup related to start-of-tag and bare < characters.

Changed

  • [CRuby] The libxml2 HTML parser in v2.9.14 recovers from some broken markup differently. Notably, the XML CDATA escape sequence <![CDATA[ and incorrectly-opened comments will result in HTML text nodes starting with &lt;! instead of skipping the invalid tag. This behavior is a direct result of the quadratic-behavior fix noted above. The behavior of downstream sanitizers relying on this behavior will also change. Some tests describing the changed behavior are in test/html4/test_comments.rb.

1.13.4 / 2022-04-11

Security

Dependencies

  • [CRuby] Vendored zlib is updated from 1.2.11 to 1.2.12. (See LICENSE-DEPENDENCIES.md for details on which packages redistribute this library.)
  • [JRuby] Vendored Xerces-J (xerces:xercesImpl) is updated from 2.12.0 to 2.12.2.
  • [JRuby] Vendored nekohtml (org.cyberneko.html) is updated from a fork of 1.9.21 to 1.9.22.noko2. This fork is now publicly developed at https://github.com/sparklemotion/nekohtml

... (truncated)

Commits
  • b7817b6 version bump to v1.13.6
  • 61b1a39 Merge pull request #2530 from sparklemotion/flavorjones-check-parse-memory-ty...
  • 83cc451 fix: {HTML4,XML}::SAX::{Parser,ParserContext} check arg types
  • 22c9e5b version bump to v1.13.5
  • 6155881 doc: update CHANGELOG for v1.13.5
  • c519a47 Merge pull request #2527 from sparklemotion/2525-update-libxml-2_9_14-v1_13_x
  • 66c2886 dep: update libxml2 to v2.9.14
  • b7c4cc3 test: unpend the LIBXML_LOADED_VERSION test on freebsd
  • eac7934 dev: require yaml
  • f3521ba style(rubocop): pend Style/FetchEnvVar for now
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/openware/barong/network/alerts).
sonarcloud[bot] commented 2 years ago

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

guardrails[bot] commented 2 years ago

:warning: We detected 8 security issues in this pull request:

Vulnerable Libraries (8)
Severity | Details ----- | -------- Informational | [activerecord@5.2.6](https://github.com/openware/barong/blob/cb4dc1ce9bf69f994228852803a37d9bbe8eb1b4/Gemfile.lock#L40) - **no patch available** High | [actionpack@5.2.6](https://github.com/openware/barong/blob/cb4dc1ce9bf69f994228852803a37d9bbe8eb1b4/Gemfile.lock#L13) - **no patch available** Medium | [rails@5.2.6](https://github.com/openware/barong/blob/cb4dc1ce9bf69f994228852803a37d9bbe8eb1b4/Gemfile.lock#L2) - **no patch available** N/A | [actionview@5.2.6](https://github.com/openware/barong/blob/cb4dc1ce9bf69f994228852803a37d9bbe8eb1b4/Gemfile.lock#L18) upgrade to: *~> 5.2.7, >= 5.2.7.1, ~> 6.0.4, >= 6.0.4.8, ~> 6.1.5, >= 6.1.5.1, >= 7.0.2.4* N/A | [activestorage@5.2.6](https://github.com/openware/barong/blob/cb4dc1ce9bf69f994228852803a37d9bbe8eb1b4/Gemfile.lock#L44) upgrade to: *~> 5.2.7, >= 5.2.7.1, ~> 6.0.4, >= 6.0.4.8, ~> 6.1.5, >= 6.1.5.1, >= 7.0.2.4* N/A | [image_processing@5.2.6](https://github.com/openware/barong/blob/cb4dc1ce9bf69f994228852803a37d9bbe8eb1b4/Gemfile.lock#L95) upgrade to: *~> 5.2.7, >= 5.2.7.1, ~> 6.0.4, >= 6.0.4.8, ~> 6.1.5, >= 6.1.5.1, >= 7.0.2.4* N/A | [puma@5.2.6](https://github.com/openware/barong/blob/cb4dc1ce9bf69f994228852803a37d9bbe8eb1b4/Gemfile.lock#L318) upgrade to: *~> 5.2.7, >= 5.2.7.1, ~> 6.0.4, >= 6.0.4.8, ~> 6.1.5, >= 6.1.5.1, >= 7.0.2.4* N/A | [sidekiq@5.2.6](https://github.com/openware/barong/blob/cb4dc1ce9bf69f994228852803a37d9bbe8eb1b4/Gemfile.lock#L401) upgrade to: *~> 5.2.7, >= 5.2.7.1, ~> 6.0.4, >= 6.0.4.8, ~> 6.1.5, >= 6.1.5.1, >= 7.0.2.4* More info on how to fix Vulnerable Libraries in [General](https://docs.guardrails.io/docs/en/vulnerabilities/general/using_vulnerable_libraries.html?utm_source=ghpr) and [Ruby](https://docs.guardrails.io/docs/en/vulnerabilities/ruby/using_vulnerable_libraries.html?utm_source=ghpr).

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

dependabot[bot] commented 2 years ago

Superseded by #1366.