Bumps nokogiri from 1.10.4 to 1.10.5. This update includes a security fix.
Vulnerabilities fixed
*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-13117.yml).*
> **Nokogiri gem, via libxslt, is affected by multiple vulnerabilities**
> Nokogiri v1.10.5 has been released.
>
> This is a security release. It addresses three CVEs in upstream libxml2,
> for which details are below.
>
> If you're using your distro's system libraries, rather than Nokogiri's
> vendored libraries, there's no security need to upgrade at this time,
> though you may want to check with your distro whether they've patched this
> (Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses
> these vulnerabilities.
>
> Full details about the security update are available in Github Issue
> [#1943] https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1943.
>
> ---
>
> CVE-2019-13117
>
> https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html
>
> ... (truncated)
>
> Patched versions: >= 1.10.5
> Unaffected versions: none
Release notes
*Sourced from [nokogiri's releases](https://github.com/sparklemotion/nokogiri/releases).*
> ## 1.10.5 / 2019-10-31
>
> ### Dependencies
>
> * [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
> * [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34
>
>
Changelog
*Sourced from [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md).*
> ## 1.10.5 / 2019-10-31
>
> ### Security
>
> [MRI] Vendored libxslt upgraded to v1.1.34 which addresses three CVEs for libxslt:
>
> * CVE-2019-13117
> * CVE-2019-13118
> * CVE-2019-18197
>
> More details are available at [#1943](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1943).
>
>
> ### Dependencies
>
> * [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
> * [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34
Commits
- [`1bc2ff9`](https://github.com/sparklemotion/nokogiri/commit/1bc2ff9f6218e1f814b18040e5bbb49b7b7bf60b) version bump to v1.10.5
- [`383c1f8`](https://github.com/sparklemotion/nokogiri/commit/383c1f8ee833cb63ca93fe3ecfe8d93755a993b6) update CHANGELOG
- [`43a1753`](https://github.com/sparklemotion/nokogiri/commit/43a175339b47b8c604508813fc75b83f13cd173e) dependency: update libxslt to 1.1.34 final
- [`99d8a6b`](https://github.com/sparklemotion/nokogiri/commit/99d8a6b6ec83077652a06a333571e4705120f022) dependency: update libxml to 2.9.10 final
- [`2a86496`](https://github.com/sparklemotion/nokogiri/commit/2a86496ca565aa283c4fd9cd247d21c6026d7b61) add suppressions for ruby 2.7
- [`dca794a`](https://github.com/sparklemotion/nokogiri/commit/dca794a716fb285e2b19f8e028e61e4e3613ed14) update CHANGELOG with correct release date for v1.10.4
- [`077e010`](https://github.com/sparklemotion/nokogiri/commit/077e010613cfb41f8cc03383c3e3b901a3985a49) update rake-compiler commands to install bundler
- See full diff in [compare view](https://github.com/sparklemotion/nokogiri/compare/v1.10.4...v1.10.5)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Bumps nokogiri from 1.10.4 to 1.10.5. This update includes a security fix.
Vulnerabilities fixed
*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2019-13117.yml).* > **Nokogiri gem, via libxslt, is affected by multiple vulnerabilities** > Nokogiri v1.10.5 has been released. > > This is a security release. It addresses three CVEs in upstream libxml2, > for which details are below. > > If you're using your distro's system libraries, rather than Nokogiri's > vendored libraries, there's no security need to upgrade at this time, > though you may want to check with your distro whether they've patched this > (Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses > these vulnerabilities. > > Full details about the security update are available in Github Issue > [#1943] https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1943. > > --- > > CVE-2019-13117 > > https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html > > ... (truncated) > > Patched versions: >= 1.10.5 > Unaffected versions: noneRelease notes
*Sourced from [nokogiri's releases](https://github.com/sparklemotion/nokogiri/releases).* > ## 1.10.5 / 2019-10-31 > > ### Dependencies > > * [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10 > * [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34 > >Changelog
*Sourced from [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md).* > ## 1.10.5 / 2019-10-31 > > ### Security > > [MRI] Vendored libxslt upgraded to v1.1.34 which addresses three CVEs for libxslt: > > * CVE-2019-13117 > * CVE-2019-13118 > * CVE-2019-18197 > > More details are available at [#1943](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1943). > > > ### Dependencies > > * [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10 > * [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34Commits
- [`1bc2ff9`](https://github.com/sparklemotion/nokogiri/commit/1bc2ff9f6218e1f814b18040e5bbb49b7b7bf60b) version bump to v1.10.5 - [`383c1f8`](https://github.com/sparklemotion/nokogiri/commit/383c1f8ee833cb63ca93fe3ecfe8d93755a993b6) update CHANGELOG - [`43a1753`](https://github.com/sparklemotion/nokogiri/commit/43a175339b47b8c604508813fc75b83f13cd173e) dependency: update libxslt to 1.1.34 final - [`99d8a6b`](https://github.com/sparklemotion/nokogiri/commit/99d8a6b6ec83077652a06a333571e4705120f022) dependency: update libxml to 2.9.10 final - [`2a86496`](https://github.com/sparklemotion/nokogiri/commit/2a86496ca565aa283c4fd9cd247d21c6026d7b61) add suppressions for ruby 2.7 - [`dca794a`](https://github.com/sparklemotion/nokogiri/commit/dca794a716fb285e2b19f8e028e61e4e3613ed14) update CHANGELOG with correct release date for v1.10.4 - [`077e010`](https://github.com/sparklemotion/nokogiri/commit/077e010613cfb41f8cc03383c3e3b901a3985a49) update rake-compiler commands to install bundler - See full diff in [compare view](https://github.com/sparklemotion/nokogiri/compare/v1.10.4...v1.10.5)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired)