techworkersco / twc-site-berlin

Berlin Chapter Page
https://TechWorkersBerlin.com

🚨 [security] Update html-proofer: 3.19.3 → 5.0.4 (major) #224

Closed depfu[bot] closed 1 year ago

depfu[bot] commented 1 year ago

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ html-proofer (3.19.3 → 5.0.4) · Repo · Changelog

Release Notes

5.0.4

What's Changed

Full Changelog: v5.0.3...v5.0.4

5.0.3

What's Changed

Full Changelog: v5.0.1...v5.0.3

5.0.2

What's Changed

Full Changelog: v5.0.1...v5.0.2

4.4.3 (from changelog)

Full Changelog

Merged pull requests:

4.4.2 (from changelog)

Full Changelog

Closed issues:

  • erstiebegrüßung.html causing problems on macOS #771
  • HTMLProofer times out #768

Merged pull requests:

4.1.0 (from changelog)

Full Changelog

Closed issues:

  • Set enforce_https to false on the CLI #727
  • hash ref's on the same page aren't found #725
  • srcset width/pixel density descriptors cause missing image error #724
  • Example cache config not working #723
  • Removal of --check-html #722
  • CHANGELOG.md says Unreleased but 4.0 is out #721
  • Make --checks options case insensitive #720

Merged pull requests:

4.0.1 (from changelog)

Full Changelog

Closed issues:

  • Linking to directories without a trailing slash in 4.0.0 #718

Merged pull requests:

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ethon (indirect, 0.15.0 → 0.16.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 10 commits:

↗️ mini_portile2 (indirect, 2.8.0 → 2.8.1) · Repo · Changelog

Release Notes

2.8.1

2.8.1 / 2022-12-24

Fixed

  • Support applying patches via git apply even when the working directory resembles a git directory. [#119] (Thanks, @h0tw1r3!)


Commits

See the full diff on Github. The new version differs by 7 commits:

↗️ nokogiri (indirect, 1.13.9 → 1.14.0) · Repo · Changelog

Security Advisories 🚨

🚨 Unchecked return value from xmlTextReaderExpand

Summary

Nokogiri 1.13.8 and 1.13.9 fail to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.

For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

Mitigation

Upgrade to Nokogiri >= 1.13.10.

Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

Credit

This vulnerability was responsibly reported by @davidwilemski.

Release Notes

1.14.0

1.14.0 / 2023-01-12

Notable Changes

Ruby

This release introduces native gem support for Ruby 3.2. (Also see "Technical note" under "Changed" below.)

This release ends support for:

Faster, more reliable installation: Native Gem for aarch64-linux (aka linux/arm64/v8)

This version of Nokogiri ships official native gem support for the aarch64-linux platform, which should support AWS Graviton and other ARM64 Linux platforms. Please note that glibc >= 2.29 is required for aarch64-linux systems, see Supported Platforms for more information.

Faster, more reliable installation: Native Gem for arm-linux (aka linux/arm/v7)

This version of Nokogiri ships experimental native gem support for the arm-linux platform. Please note that glibc >= 2.29 is required for arm-linux systems, see Supported Platforms for more information.

Pattern matching

This version introduces an experimental pattern matching API for XML::Attr, XML::Document, XML::DocumentFragment, XML::Namespace, XML::Node, and XML::NodeSet (and their subclasses).

Some documentation on what can be matched:

We welcome feedback on this API at #2360.

Dependencies

CRuby

  • Vendored libiconv is updated to v1.17

JRuby

  • This version of Nokogiri uses jar-dependencies to manage most of the vendored Java dependencies. nokogiri -v now outputs maven metadata for all Java dependencies, and Nokogiri::VERSION_INFO also contains this metadata. [#2432]
  • HTML parsing is now provided by net.sourceforge.htmlunit:neko-htmlunit:2.61.0 (previously Nokogiri used a fork of org.cyberneko.html:nekohtml)
  • Vendored Jing is updated from com.thaiopensource:jing:20091111 to nu.validator:jing:20200702VNU.
  • New dependency on net.sf.saxon:Saxon-HE:9.6.0-4 (via nu.validator:jing:20200702VNU).

Added

  • Node#wrap and NodeSet#wrap now also accept a Node type argument, which will be duped for each wrapper. For cases where many nodes are being wrapped, creating a Node once using Document#create_element and passing that Node multiple times is significantly faster than re-parsing markup on each call. [#2657]
  • [CRuby] Invocation of custom XPath or CSS handler functions may now use the nokogiri namespace prefix. Historically, the JRuby implementation required this namespace but the CRuby implementation did not support it. It's recommended that all XPath and CSS queries use the nokogiri namespace going forward. Invocation without the namespace is planned for deprecation in v1.15.0 and removal in a future release. [#2147]
  • HTML5::Document#quirks_mode and HTML5::DocumentFragment#quirks_mode expose the quirks mode used by the parser.

Improved

Functional

Performance

  • Serialization of HTML5 documents and fragments has been re-implemented and is ~10x faster than previous versions. [#2596, #2569]
  • Parsing of HTML5 documents is ~90% faster thanks to additional compiler optimizations being applied. [#2639]
  • Compare Encoding objects rather than compare their names. This is a slight performance improvement and is future-proof. [#2454] (Thanks, @casperisfine!)

Error handling

  • Document#canonicalize now raises an exception if inclusive_namespaces is non-nil and the mode is inclusive, i.e. XML_C14N_1_0 or XML_C14N_1_1. inclusive_namespaces can only be passed with exclusive modes, and previously this silently failed.
  • Empty CSS selectors now raise a clearer Nokogiri::CSS::SyntaxError message, "empty CSS selector". Previously the exception raised from the bowels of racc was "unexpected '$' after ''". [#2700]
  • [CRuby] XML::Reader parsing errors encountered during Reader#attribute_hash and Reader#namespaces now raise an XML::SyntaxError. Previously these methods would return nil and users would generally experience NoMethodErrors from elsewhere in the code.
  • Prefer ruby_xmalloc to malloc within the C extension. [#2480] (Thanks, @Garfield96!)

Installation

  • Avoid compile-time conflict with system-installed gumbo.h on OpenBSD. [#2464]
  • Remove calls to vasprintf in favor of platform-independent rb_vsprintf
  • Installation from source on systems missing libiconv will once again generate a helpful error message (broken since v1.11.0). [#2505]
  • [CRuby+OSX] Compiling from source on MacOS will use the clang option -Wno-unknown-warning-option to avoid errors when Ruby injects options that clang doesn't know about. [#2689]

Fixed

  • SAX::Parser's encoding attribute will not be clobbered when an alternative encoding is passed into SAX::Parser#parse_io. [#1942] (Thanks, @kp666!)
  • Serialized HTML4::DocumentFragment will now be properly encoded. Previously this empty string was encoded as US-ASCII. [#2649]
  • Node#wrap now uses the parent as the context node for parsing wrapper markup, falling back to the document for unparented nodes. Previously the document was always used.
  • [CRuby] UTF-16-encoded documents longer than ~4000 code points now serialize properly. Previously the serialized document was corrupted when it exceeded the length of libxml2's internal string buffer. [#752]
  • [CRuby] The HTML5 parser now correctly handles text at the end of form elements.
  • [CRuby] HTML5::Document#fragment now always uses body as the parsing context. Previously, fragments were parsed in the context of the associated document's root node, which allowed for inconsistent parsing. [#2553]
  • [CRuby] Nokogiri::HTML5::Document#url now correctly returns the URL passed to the constructor method. Previously it always returned nil. [#2583]
  • [CRuby] HTML5 encoding detection is now case-insensitive with respect to meta tag charset declaration. [#2693]
  • [CRuby] HTML5 fragment parsing in context of an annotation-xml node now works. Previously this rarely-used path invoked rb_funcall with incorrect parameters, resulting in an exception, a fatal error, or potentially a segfault. [#2692]
  • [CRuby] HTML5 quirks mode during fragment parsing more closely matches document parsing. [#2646]
  • [JRuby] Fixed a bug with adding the same namespace to multiple nodes via #add_namespace_definition. [#1247]
  • [JRuby] NodeSet#[] now raises a TypeError if passed an invalid parameter type. [#2211]

Deprecated

  • Nokogiri.install_default_aliases is deprecated in favor of Nokogiri::EncodingHandler.install_default_aliases. This is part of a private API and is probably not called by anybody, but we'll go through a deprecation cycle before removal anyway. [#2643, #2446]

Changed

  • [CRuby+OSX] Technical note: On MacOS Ruby 3.2, the symbols from libxml2 and libxslt are no longer exported. Ruby 3.2 adopted new features from the Darwin toolchain that make it challenging to continue to support this rarely-used binary API. A future minor release of Nokogiri may remove these symbols (and others) entirely. Feedback from downstream gem maintainers is welcome at #2746, where you'll also be able to read deeper context on this decision.

Thank you!

The following people and organizations were kind enough to sponsor @flavorjones or the Nokogiri project during the development of v1.14.0:


sha256 checksums:


1.13.10

1.13.10 / 2022-12-07

Security

Improvements

  • [CRuby] XML::Reader#attribute_hash now returns nil on parse errors. This restores the behavior of #attributes from v1.13.7 and earlier. [#2715]

sha256 checksums:



Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ public_suffix (indirect, 5.0.0 → 5.0.1) · Repo · Changelog

Release Notes

5.0.1 (from changelog)

Changed

  • Updated definitions.


Commits

See the full diff on Github. The new version differs by 28 commits:

↗️ racc (indirect, 1.6.0 → 1.6.2) · Repo · Changelog

Release Notes

1.6.2

What's Changed

Full Changelog: v1.6.1...v1.6.2

1.6.1

What's Changed

New Contributors

Full Changelog: v1.6.0...v1.6.1


Commits

See the full diff on Github. The new version differs by 50 commits:

↗️ rainbow (indirect, 3.0.0 → 3.1.1) · Repo · Changelog

Release Notes

3.1.1 (from changelog)

  • fix: Ensure files directive in gemspec adds all files

3.1.0 (from changelog)

  • Bad release: superseded by 3.1.1.
  • added cross_out aka strike
  • hexadecimal color names supported better, see #83
  • gemspec: list files using a Ruby expression, avoiding git

(2020-08-26 was the planned release date, but the real release date is reflected in the heading.)


Commits

See the full diff on Github. The new version differs by 29 commits:

🆕 Ascii85 (added, 1.1.0)

🆕 afm (added, 0.2.2)

🆕 async (added, 2.3.1)

🆕 console (added, 1.16.2)

🆕 fiber-local (added, 1.0.0)

🆕 hashery (added, 2.1.2)

🆕 io-event (added, 1.1.6)

🆕 pdf-reader (added, 2.11.0)

🆕 ruby-rc4 (added, 0.1.5)

🆕 timers (added, 4.3.5)

🆕 ttfunk (added, 1.7.0)

🆕 zeitwerk (added, 2.6.6)

🗑️ parallel (removed)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands:

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)

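A defensive check for the Nokogiri xmlTextReaderExpand advisory quoted above (an added example, not code from the depfu PR or from Nokogiri itself): it reads a Gemfile.lock for the resolved nokogiri version, compares it against the 1.13.10 fix the mitigation names, and lists the `attribute_hash` / `attributes` call sites the advisory suggests searching for. The lockfile excerpt and source snippet are constructed sample input, and the grep is deliberately coarse (it also catches `Node#attributes`), so hits need manual review.

```ruby
# Added example, not part of the depfu PR or the Nokogiri project.
# Audits a project for the advisory "Unchecked return value from
# xmlTextReaderExpand": affected Nokogiri versions are 1.13.8 and 1.13.9,
# fixed in 1.13.10. Pure stdlib (Gem::Version) so it runs without nokogiri.
require "rubygems"

FIXED_NOKOGIRI    = Gem::Version.new("1.13.10")
FIRST_VULNERABLE  = Gem::Version.new("1.13.8")
# Method calls the advisory says to search for; coarse on purpose.
READER_CALLS      = /\.(?:attribute_hash|attributes)\b/

# Picks the resolved "nokogiri (1.13.9)" / "(1.13.9-x86_64-linux)" spec line
# out of a Gemfile.lock; dependency lines like "nokogiri (~> 1.13)" are skipped.
def locked_nokogiri_version(lockfile_text)
  m = lockfile_text.match(/^\s+nokogiri \((\d+(?:\.\d+)+)(?:-[\w.-]+)?\)/)
  m && Gem::Version.new(m[1])
end

def nokogiri_vulnerable?(version)
  return false if version.nil?
  version >= FIRST_VULNERABLE && version < FIXED_NOKOGIRI
end

# Returns [[line_number, stripped_line], ...] for each candidate call site.
def reader_call_sites(source)
  source.each_line.with_index(1)
        .select { |line, _| line =~ READER_CALLS }
        .map { |line, no| [no, line.strip] }
end

def audit(lockfile_text, source)
  version = locked_nokogiri_version(lockfile_text)
  { nokogiri_version: version&.to_s,
    vulnerable: nokogiri_vulnerable?(version),
    call_sites: reader_call_sites(source) }
end

# Constructed sample input: a lockfile pinning the vulnerable 1.13.9 and a
# snippet with one real XML::Reader call and one Node#attributes false positive.
SAMPLE_LOCKFILE = "GEM\n  specs:\n    html-proofer (3.19.3)\n" \
                  "      nokogiri (~> 1.13)\n    nokogiri (1.13.9-x86_64-linux)\n"
SAMPLE_SOURCE = <<~'RUBY'
  reader = Nokogiri::XML::Reader(File.read(path))
  reader.each do |node|
    attrs = node.attribute_hash
    puts attrs.inspect
  end
  doc.root.attributes.keys  # Node#attributes, not the Reader API
RUBY

puts audit(SAMPLE_LOCKFILE, SAMPLE_SOURCE).inspect if __FILE__ == $0
```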
depfu[bot] commented 1 year ago

Closed in favor of #227.