thetallgrassnet / pokesite

Your one-stop Pokémon fan community and database
https://thetallgrass.net
GNU Affero General Public License v3.0

🚨 [security] Update nokogiri: 1.8.1 → 1.8.4 (patch) #315

Closed depfu[bot] closed 5 years ago

depfu[bot] commented 6 years ago

🚨 Your version of nokogiri has known security vulnerabilities 🚨

Advisory: CVE-2018-8048
Disclosed: March 29, 2018
URL: https://github.com/sparklemotion/nokogiri/pull/1746

Revert libxml2 behavior in Nokogiri gem that could cause XSS

[MRI] Behavior in libxml2 has been reverted which caused
CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and
CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is
here:

GNOME/libxml2@960f0e2

and more information is available about this commit and its impact
here:

flavorjones/loofah#144

This release simply reverts the libxml2 commit in question to protect
users of Nokogiri's vendored libraries from similar vulnerabilities.

If you're offended by what happened here, I'd kindly ask that you
comment on the upstream bug report here:

https://bugzilla.gnome.org/show_bug.cgi?id=769760


🚨 We recommend to merge and deploy this update as soon as possible! 🚨


We've updated a dependency and all tests pass. \o/

name      version specification   old version   new version
nokogiri  >= 1.7.1                1.8.1         1.8.4

You should probably take a good look at this before merging this pull request, of course.

What changed?

✳️ nokogiri (1.8.1 → 1.8.4) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.


Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

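An added pre-merge check, written for this page and not Depfu's or the pokesite project's own code: it parses a Gemfile.lock the way Bundler writes one, reports whether the locked nokogiri is still below the 1.8.4 this PR moves to, and confirms that the Gemfile's ">= 1.7.1" specification from the dependency table admits the patched release (so no Gemfile edit is needed alongside the lockfile bump). The lockfile excerpt is constructed for the example; the version numbers are the ones the PR states.

```ruby
# Added example (not Depfu's or Nokogiri's code): audit a Gemfile.lock for the
# nokogiri version and check a Gemfile requirement against the patched release.
require "rubygems"

# Release this PR bumps to; the lockfile it replaces pinned 1.8.1.
PATCHED_NOKOGIRI = Gem::Version.new("1.8.4")
# Version specification from the PR's dependency table.
NOKOGIRI_SPEC = Gem::Requirement.new(">= 1.7.1")

# Constructed Gemfile.lock excerpt in Bundler's layout: resolved specs are
# indented four spaces under `specs:`, and each spec's own dependencies
# (which carry requirements, not pinned versions) are indented six.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.2.0)
        nokogiri (>= 1.5.9)
      mini_portile2 (2.3.0)
      nokogiri (1.8.1)
        mini_portile2 (~> 2.3.0)
      rails-html-sanitizer (1.0.3)
        loofah (~> 2.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri (>= 1.7.1)
LOCK

# Map gem name => Gem::Version for every resolved spec in the GEM/specs block.
# Only four-space-indented lines are specs; deeper lines are dependency
# requirements and are skipped. A platform suffix such as "-x86_64-linux" is
# dropped so Gem::Version does not read it as a prerelease tag.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
      next
    end
    # A blank line or a non-indented section header ends the specs block.
    in_specs = false if in_specs && (line.strip.empty? || line !~ /\A /)
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \((\d[^)]*)\)\s*\z/))
      versions[m[1]] = Gem::Version.new(m[2].sub(/-.*\z/, ""))
    end
  end
  versions
end

# Classify the locked nokogiri against the patched release:
# :missing (not in the lockfile), :vulnerable (older), or :patched.
def nokogiri_status(lockfile_text)
  version = locked_versions(lockfile_text)["nokogiri"]
  return :missing unless version
  version >= PATCHED_NOKOGIRI ? :patched : :vulnerable
end

# True when a Gemfile requirement (comma-separated, as Bundler accepts it)
# admits the patched release. ">= 1.7.1" and "~> 1.8.1" do; an exact pin
# "= 1.8.1" or an upper bound "< 1.8.3" would block the update.
def requirement_allows_patch?(spec_string)
  reqs = spec_string.split(",").map(&:strip)
  Gem::Requirement.new(*reqs).satisfied_by?(PATCHED_NOKOGIRI)
end

if __FILE__ == $PROGRAM_NAME
  puts "nokogiri in lockfile: #{nokogiri_status(SAMPLE_LOCKFILE)} (patched release: #{PATCHED_NOKOGIRI})"
  puts "Gemfile spec #{NOKOGIRI_SPEC} admits #{PATCHED_NOKOGIRI}: #{NOKOGIRI_SPEC.satisfied_by?(PATCHED_NOKOGIRI)}"
end
```

Two caveats a reviewer should keep in mind. The lockfile only tells you which gem is resolved, not which libxml2 the running process is linked against: the release notes above say the fix reverts a commit in Nokogiri's vendored libxml2, so an install built against a system libxml2 instead of the vendored copy is not changed by this gem bump; inspect `Nokogiri::VERSION_INFO` at runtime to see which libxml2 is actually loaded. And the version comparison here is only a floor check against 1.8.4, the target of this PR; it does not claim that 1.8.4 is the last release carrying the reverted commit.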

depfu[bot] commented 5 years ago

Closed in favor of #333.


Automated by Depfu.