🚨 [security] Update github-pages: 219 → 220 (major)

[depfu[bot]]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ github-pages (219 → 220) · Repo

Release Notes

220

• Bump pages-health-check to 1.17.9 #790

Does any of this look wrong? Please let us know.

Sorry, we couldn't find anything useful about this release.

↗️ faraday (indirect, 1.7.0 → 1.8.0) · Repo · Changelog

Release Notes

1.8.0

Features

• Backport authorization procs (#1322, @jarl-dk)

1.7.2

Fixes

• Fix deprecation warning when providing basic auth in url (#1323, @iMacTia)

1.7.1

Fixes

• Respect the params_encoder in Faraday::Adapter::Test (#1316, @yykamei)

Deprecations

• Deprecate Authorization helpers in Faraday::Connection (#1306, @iMacTia)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

• Version bump to 1.8.0
• Proc auth value backport cleanup (#1326)
• Backport authorization procs to 1.x branch (#1322)
• Version bump to 1.7.2
• Fix deprecation warning (#1323)
• Version bump to 1.7.1
• Respect the `params_encoder` in `Faraday::Adapter::Test` (#1316)
• [1.x] Deprecate Authorization helpers in Faraday::Connection (#1306)

↗️ ffi (indirect, 1.15.3 → 1.15.4) · Repo · Changelog

Release Notes

1.15.4 (from changelog)

Fixed:

• Fix build for uClibc. #913
• Correct module lookup when including ffi-module gem. #912

Changed:

• Use ruby code of the ffi gem in JRuby-9.2.20+. #915

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

• Bump VERSION to 1.15.4 and add CHANGELOG entry
• Merge pull request #913 from xtkoba/uclibc
• Fix build for uClibc
• Correct module lookup when including ffi-module
• Allow prerelease FFI::VERSION
• Remove unused rubygems-tasks development dependency
• Bump VERSION to 1.15.4.pre1
• Lower the JRuby version guard to 9.2.20
• CI: Install libffi which matches running arch (#905)

↗️ github-pages-health-check (indirect, 1.17.7 → 1.17.9) · Repo

Release Notes

1.17.9

What's Changed

• Fix IPv6 support (AAAA records validation) in #140

Full Changelog: v1.17.8...v1.17.9

1.17.8

What's Changed

• Require bundler in script/check to avoid needing to run bundle exec. by @jriggins in #137
• Remove Travis builds by @jriggins in #138
• Add AAAA Support by @jriggins in #136
• Bump version to 1.17.8 by @jriggins in #139

Full Changelog: v1.17.7...v1.17.8

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 8 commits:

• Merge pull request #140 from github/ipv6-fix
• Bump version
• Add test
• Better ipv6 handling (need tests)
• Bump version to 1.17.8 (#139)
• Add AAAA Support
• Remove Travis builds (#138)
• Require bundler in script/check to avoid needing to run `bundle exec`. (#137)

↗️ nokogiri (indirect, 1.12.3 → 1.12.5) · Repo · Changelog

Security Advisories 🚨

🚨 Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.0) for JRuby users. (This security advisory does not apply to CRuby users.)

Impact

In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default.

Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected:

• Nokogiri::XML::SAX::Parser
• Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser
• Nokogiri::XML::SAX::PushParser
• Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser

Mitigation

JRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier.

CRuby users are not affected.

Release Notes

1.12.5

1.12.5 / 2021-09-27

Security

[JRuby] Address CVE-2021-41098 (GHSA-2rr5-8q37-2w7h).

In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parsers resolve external entities (XXE) by default. This fix turns off entity-resolution-by-default in the JRuby SAX parsers to match the CRuby SAX parsers' behavior.

CRuby users are not affected by this CVE.

Fixed

• [CRuby] Document#to_xhtml properly serializes self-closing tags in libxml > 2.9.10. A behavior change introduced in libxml 2.9.11 resulted in emitting start and and tags (e.g., <br></br>) instead of a self-closing tag (e.g., <br/>) in previous Nokogiri versions. [#2324]

---

SHA256 checksums:

36bfa3a07aced069b3f3c9b39d9fb62cb0728d284d02b079404cd55780beaeff  nokogiri-1.12.5-arm64-darwin.gem
16b1a9ddbb70a9c998462912a5972097cbc79c3e01eb373906886ef8a469f589  nokogiri-1.12.5-java.gem
218dcc6edd1b49cc6244b5f88afb978739bb2f3f166c271557fe5f51e4bc713c  nokogiri-1.12.5-x64-mingw32.gem
e33bb919d64c16d931a5f26dc880969e587d225cfa97e6b56e790fb52179f527  nokogiri-1.12.5-x86-linux.gem
e13c2ed011b8346fbd589e96fe3542d763158bc2c7ad0f4f55f6d801afd1d9ff  nokogiri-1.12.5-x86-mingw32.gem
1ed64f7db7c1414b87fce28029f2a10128611d2037e0871ba298d00f9a00edd6  nokogiri-1.12.5-x86_64-darwin.gem
0868c8d0a147904d4dedaaa05af5f06656f2d3c67e4432601718559bf69d6cea  nokogiri-1.12.5-x86_64-linux.gem
2b20905942acc580697c8c496d0d1672ab617facb9d30d156b3c7676e67902ec  nokogiri-1.12.5.gem

1.12.4

1.12.4 / 2021-08-29

Notable fix: Namespace inheritance

Namespace behavior when reparenting nodes has historically been poorly specified and the behavior diverged between CRuby and JRuby. As a result, making this behavior consistent in v1.12.0 introduced a breaking change.

This patch release reverts the Builder behavior present in v1.12.0..v1.12.3 but keeps the Document behavior. This release also introduces a Document attribute to allow affected users to easily change this behavior for their legacy code without invasive changes.

Compensating Feature in XML::Document

This release of Nokogiri introduces a new Document boolean attribute, namespace_inheritance, which controls whether children should inherit a namespace when they are reparented. Nokogiri::XML:Document defaults this attribute to false meaning "do not inherit," thereby making explicit the behavior change introduced in v1.12.0.

CRuby users who desire the pre-v1.12.0 behavior may set document.namespace_inheritance = true before reparenting nodes.

See https://nokogiri.org/rdoc/Nokogiri/XML/Document.html#namespace_inheritance-instance_method for example usage.

Fix for XML::Builder

However, recognizing that we want Builder-created children to inherit namespaces, Builder now will set namespace_inheritance=true on the underlying document for both JRuby and CRuby. This means that, on CRuby, the pre-v1.12.0 behavior is restored.

Users who want to turn this behavior off may pass a keyword argument to the Builder constructor like so:

Nokogiri::XML::Builder.new(namespace_inheritance: false)

See https://nokogiri.org/rdoc/Nokogiri/XML/Builder.html#label-Namespace+inheritance for example usage.

Downstream gem maintainers

Note that any downstream gems may want to specifically omit Nokogiri v1.12.0--v1.12.3 from their dependency specification if they rely on child namespace inheritance:

Gem::Specification.new do |gem|
  # ...
  gem.add_runtime_dependency 'nokogiri', '!=1.12.3', '!=1.12.2', '!=1.12.1', '!=1.12.0'
  # ...
end

Fixed

• [JRuby] Fix NPE in Schema parsing when an imported resource doesn't have a systemId. [#2296] (Thanks, @pepijnve!)

---

SHA256 checksums:

892808245fad3dea1bd4405461ba45d8f2261a6e23af91b8fc4b136e37cd3475  nokogiri-1.12.4-arm64-darwin.gem
1179f2c8fc13f4cb349b4e9219fbe7c1e7b885e24aceb2c8a0e06d1c3fe3ec2a  nokogiri-1.12.4-java.gem
44e728900a919ca9d8c6a3f545c2ff4903f4f45c47255904548386ad9f9869d6  nokogiri-1.12.4-x64-mingw32.gem
1116dac823e27f5255024c3154f0db3d2c9008cfdcaf11bbd66bde7770dca12d  nokogiri-1.12.4-x86-linux.gem
129b372c37dc817b588c623e6899ad32fe166498320789611ae3de0c361166ed  nokogiri-1.12.4-x86-mingw32.gem
f6f606dbdedd94e85e2fdc5e5829833441962115c3b62a2eab0a51f8ba938c3a  nokogiri-1.12.4-x86_64-darwin.gem
d706df7ed9382c749382e5b3bd9bfa4986935c0c5e36856d75fd9008d80f4da0  nokogiri-1.12.4-x86_64-linux.gem
7fec161ee1c7b2329e05fed019bfc7b1f910a39e6b30ae95825e75dda2094de9  nokogiri-1.12.4.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 14 commits:

• version bump to v1.12.5
• update CHANGELOG
• Merge pull request #2329 from sparklemotion/flavorjones-GHSA-2rr5-8q37-2w7h_1.12.x
• fix(jruby): SAX parser uses an entity resolver
• refactor(jruby): handle errors more consistently
• format: test files
• Merge pull request #2327 from sparklemotion/2324-xhtml-self-closing-tags_v1.12.x
• fix: HTML4::Document.to_xhtml self-closing tags
• release v1.12.4
• backport #2320
• update CHANGELOG for #2296
• Resolve potential NPE in SchemaResourceResolver
• test: repro for #2296
• test: move the test from 3c95d44 to be within a test class

↗️ unf_ext (indirect, 0.0.7.7 → 0.0.8) · Repo · Changelog

Release Notes

0.0.8 (from changelog)

• No functional change in the library code.
• Include Windows binaries for Ruby 3.0.
• Drop support for Ruby 2.1 and earlier.
• Replace Travis CI with Github Actions.
• Fix cross-build after upgrading rake-compiler/rake-compiler-dock to 1.1.1/1.1.0.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

• Bump the VERSION to 0.0.8
• Build a source gem as well
• Upgrade rake-compiler/rake-compiler-dock to 1.1.1/1.1.0
• Merge pull request #64 from tablecheck/github-actions
• Add Github Actions CI support.
• Add GitHub Actions, trim jobs from Travis

↗️ unicode-display_width (indirect, 1.7.0 → 1.8.0) · Repo · Changelog

Release Notes

1.8.0 (from changelog)

• Unicode 14.0 (last release of 1.x)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• Release v1.8.0
• Update CHANGELOG
• Update Unicode version number
• Unicode 14.0

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)