🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Nokogiri < v1.13.4 contains an inefficient regular expression that is
susceptible to excessive backtracking when attempting to detect encoding
in HTML documents.
Nokogiri v1.13.4 updates the vendored org.cyberneko.html library to 1.9.22.noko2 which addresses CVE-2022-24839.
That CVE is rated 7.5 (High Severity).
Description: The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup.
Nokogiri v1.13.4 updates the vendored zlib from 1.2.11
to 1.2.12, which addresses CVE-2018-25032.
That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.
Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.4, and only if the packaged version of zlib is being used.
Please see this document
for a complete description of which platform gems vendor zlib. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's zlib
release announcements.
Nokogiri v1.13.4 updates the vendored xerces:xercesImpl from 2.12.0 to
2.12.2, which addresses CVE-2022-23437.
That CVE is scored as CVSS 6.5 "Medium" on the NVD record.
Please note that this advisory only applies to the JRuby implementation
of Nokogiri < 1.13.4.
Type: CWE-91 XML Injection (aka Blind XPath Injection)
Description: There's a vulnerability within the Apache Xerces Java
(XercesJ) XML parser when handling specially crafted XML document payloads.
This causes, the XercesJ XML parser to wait in an infinite loop, which may
sometimes consume system resources for prolonged duration. This vulnerability
is present within XercesJ version 2.12.1 and the previous versions.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗️ nokogiri (indirect, 1.13.3 → 1.13.4) · Repo · Changelog
Security Advisories 🚨
🚨 Inefficient Regular Expression Complexity in Nokogiri
🚨 Denial of Service (DoS) in Nokogiri on JRuby
🚨 Out-of-bounds Write in zlib affects Nokogiri
🚨 XML Injection in Xerces Java affects Nokogiri
Commits
See the full diff on Github. The new version differs by 17 commits:
version bump to v1.13.4Merge pull request #2510 from sparklemotion/flavorjones-encoding-reader-performance-v1.13.xMerge pull request #2509 from sparklemotion/flavorjones-parse-processing-instructions-v1.13.xtest: pend the LIBXML_LOADED_VERSION test on freebsdfix(perf): HTML4::EncodingReader detectionstyle(rubocop): allow intentional use of empty initializerfix(dep): HTML parsing of processing instructionstest: recent nekohtml versions do not consider 'a' to be inlinestyle(rubocop): allow intentional use of empty initializerMerge pull request #2499 from sparklemotion/2441-xerces-2.12.2-backport-v1.13.xdep: bump xerces version to 2.12.2Merge pull request #2497 from sparklemotion/flavorjones-update-zlib-backport-to-v1.13.xdep: update zlib to v1.2.12style(rubocop): Minitest/AssertPredicate, newline after guard clauseci: upstream pipeline runs only as a cron jobdoc: {Node,HTML4::Document}#serialize link to serialization sectiondoc: create link to SaveOptionsDepfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands