uoft-tapp / tapp-cp

TA assignment and matching application (TAPP) & Contract Presentment helper (CP) at the Department of Computer Science, University of Toronto

[Security] Bump nokogiri from 1.8.2 to 1.9.1 #187

Closed dependabot-preview[bot] closed 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps nokogiri from 1.8.2 to 1.9.1. This update includes security fixes.

Vulnerabilities fixed

*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-14404.yml).*

> **Nokogiri gem, via libxml2, is affected by multiple vulnerabilities**
> Nokogiri 1.8.5 has been released.
>
> This is a security and bugfix release. It addresses two CVEs in upstream
> libxml2 rated as "medium" by Red Hat, for which details are below.
>
> If you're using your distro's system libraries, rather than Nokogiri's
> vendored libraries, there's no security need to upgrade at this time,
> though you may want to check with your distro whether they've patched this
> (Canonical has patched Ubuntu packages). Note that these patches are not
> yet (as of 2018-10-04) in an upstream release of libxml2.
>
> Full details about the security update are available in Github Issue #1785.
> [#1785]: https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1785
>
> -----
>
> [MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404
> and CVE-2018-14567. Full details are available in #1785. Note that these
> patches are not yet (as of 2018-10-04) in an upstream release of libxml2.
>
> ... (truncated)
>
> Patched versions: >= 1.8.5
> Unaffected versions: none

*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-8048.yml).*

> **Revert libxml2 behavior in Nokogiri gem that could cause XSS**
> [MRI] Behavior in libxml2 has been reverted which caused
> CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and
> CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is
> here:
>
> https://github.com/GNOME/libxml2/commit/960f0e2
>
> and more information is available about this commit and its impact
> here:
>
> https://github-redirect.dependabot.com/flavorjones/loofah/issues/144
>
> This release simply reverts the libxml2 commit in question to protect
> users of Nokogiri's vendored libraries from similar vulnerabilities.
>
> If you're offended by what happened here, I'd kindly ask that you
> comment on the upstream bug report here:
>
> https://bugzilla.gnome.org/show_bug.cgi?id=769760
>
> Patched versions: >= 1.8.3
> Unaffected versions: none
Release notes

*Sourced from [nokogiri's releases](https://github.com/sparklemotion/nokogiri/releases).*

> # 1.9.1 / 2018-12-17
>
> ## Bug fixes
>
> * Fix a bug introduced in v1.9.0 where `XML::DocumentFragment#dup` no longer returned an instance of the callee's class, instead always returning an `XML::DocumentFragment`. This notably broke any subclass of `XML::DocumentFragment` including `HTML::DocumentFragment` as well as the Loofah gem's `Loofah::HTML::DocumentFragment`. [#1846]
>
> # 1.9.0 / 2018-12-17
>
> ## Security Notes
>
> * [JRuby] Upgrade Xerces dependency from 2.11.0 to 2.12.0 to address upstream vulnerability CVE-2012-0881 [#1831] (Thanks [**grajagandev**](https://github.com/grajagandev) for reporting.)
>
> ## Notable non-functional changes
>
> * Decrease installation size by removing many unneeded files (e.g., `/test`) from the packaged gems. [#1719] (Thanks, [**stevecrozz**](https://github.com/stevecrozz)!)
>
> ## Features
>
> * `XML::Attr#value=` allows HTML node attribute values to be set to either a blank string or an empty boolean attribute. [#1800]
> * Introduce `XML::Node#wrap` which does what `XML::NodeSet#wrap` has always done, but for a single node. [#1531] (Thanks, [**ethirajsrinivasan**](https://github.com/ethirajsrinivasan)!)
> * [MRI] Improve installation experience on macOS High Sierra (Darwin). [#1812, #1813] (Thanks, [**gpakosz**](https://github.com/gpakosz) and [**nurse**](https://github.com/nurse)!)
> * [MRI] Node#dup supports copying a node directly to a new document. See the method documentation for details.
> * [MRI] DocumentFragment#dup is now more memory-efficient, avoiding making unnecessary copies. [#1063]
> * [JRuby] NodeSet has been rewritten to improve performance! [#1795]
>
> ## Bug fixes
>
> * `NodeSet#each` now returns `self` instead of zero. [#1822] (Thanks, [**olehif**](https://github.com/olehif)!)
> * [MRI] Address a memory leak when using XML::Builder to create nodes with namespaces. [#1810]
> * [MRI] Address a memory leak when unparenting a DTD. [#1784] (Thanks, [**stevecheckoway**](https://github.com/stevecheckoway)!)
> * [MRI] Use RbConfig::CONFIG instead of ::MAKEFILE_CONFIG to fix installations that use Makefile macros. [#1820] (Thanks, [**nobu**](https://github.com/nobu)!)
> * [JRuby] Decrease large memory usage when making nested XPath queries. [#1749]
> * [JRuby] Fix failing tests on JRuby 9.2.x
> * [JRuby] Fix default namespaces in nodes reparented into a different document [#1774]
> * [JRuby] Fix support for Java 9. [#1759] (Thanks, [**Taywee**](https://github.com/Taywee)!)
>
> ## Dependencies
>
> * [MRI] Upgrade mini_portile2 dependency from `~> 2.3.0` to `~> 2.4.0`
>
> # 1.9.0.rc1 / 2018-12-10
>
> ... (truncated)
Changelog

*Sourced from [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md).*

> # 1.9.1 / 2018-12-17
>
> ## Bug fixes
>
> * Fix a bug introduced in v1.9.0 where `XML::DocumentFragment#dup` no longer returned an instance of the callee's class, instead always returning an `XML::DocumentFragment`. This notably broke any subclass of `XML::DocumentFragment` including `HTML::DocumentFragment` as well as the Loofah gem's `Loofah::HTML::DocumentFragment`. [#1846]
>
> # 1.9.0 / 2018-12-17
>
> ## Security Notes
>
> * [JRuby] Upgrade Xerces dependency from 2.11.0 to 2.12.0 to address upstream vulnerability CVE-2012-0881 [#1831] (Thanks [**grajagandev**](https://github.com/grajagandev) for reporting.)
>
> ## Notable non-functional changes
>
> * Decrease installation size by removing many unneeded files (e.g., `/test`) from the packaged gems. [#1719] (Thanks, [**stevecrozz**](https://github.com/stevecrozz)!)
>
> ## Features
>
> * `XML::Attr#value=` allows HTML node attribute values to be set to either a blank string or an empty boolean attribute. [#1800]
> * Introduce `XML::Node#wrap` which does what `XML::NodeSet#wrap` has always done, but for a single node. [#1531] (Thanks, [**ethirajsrinivasan**](https://github.com/ethirajsrinivasan)!)
> * [MRI] Improve installation experience on macOS High Sierra (Darwin). [#1812, #1813] (Thanks, [**gpakosz**](https://github.com/gpakosz) and [**nurse**](https://github.com/nurse)!)
> * [MRI] Node#dup supports copying a node directly to a new document. See the method documentation for details.
> * [MRI] DocumentFragment#dup is now more memory-efficient, avoiding making unnecessary copies. [#1063]
> * [JRuby] NodeSet has been rewritten to improve performance! [#1795]
>
> ## Bug fixes
>
> * `NodeSet#each` now returns `self` instead of zero. [#1822] (Thanks, [**olehif**](https://github.com/olehif)!)
> * [MRI] Address a memory leak when using XML::Builder to create nodes with namespaces. [#1810]
> * [MRI] Address a memory leak when unparenting a DTD. [#1784] (Thanks, [**stevecheckoway**](https://github.com/stevecheckoway)!)
> * [MRI] Use RbConfig::CONFIG instead of ::MAKEFILE_CONFIG to fix installations that use Makefile macros. [#1820] (Thanks, [**nobu**](https://github.com/nobu)!)
> * [JRuby] Decrease large memory usage when making nested XPath queries. [#1749]
> * [JRuby] Fix failing tests on JRuby 9.2.x
> * [JRuby] Fix default namespaces in nodes reparented into a different document [#1774]
> * [JRuby] Fix support for Java 9. [#1759] (Thanks, [**Taywee**](https://github.com/Taywee)!)
>
> ## Dependencies
>
> * [MRI] Upgrade mini_portile2 dependency from `~> 2.3.0` to `~> 2.4.0`
>
> # 1.8.5 / 2018-10-04
>
> ## Security Notes
>
> ... (truncated)
Commits

- [`db26a04`](https://github.com/sparklemotion/nokogiri/commit/db26a04e3d8f2b30456ae203d6c023b299a8e0f9) limit test of libxml-specific DocumentFragment#dup behavior
- [`2e15c88`](https://github.com/sparklemotion/nokogiri/commit/2e15c885de3e0669f35dca1f5a1dd047c92e1c7d) version bump to v1.9.1
- [`e9ac292`](https://github.com/sparklemotion/nokogiri/commit/e9ac29275afde6f670a4db64d609a7a07c828ea6) Fix XML::DocumentFragment to return an instance of callee's class
- [`ab40787`](https://github.com/sparklemotion/nokogiri/commit/ab40787f49fc71d566cd5a2c3a16c21edffd9d2b) correct CHANGELOG
- [`fff550c`](https://github.com/sparklemotion/nokogiri/commit/fff550cbfbfbc7da0ab6f5f16da37fb576afb4c2) version bump to v1.9.0
- [`8d9a65b`](https://github.com/sparklemotion/nokogiri/commit/8d9a65b34d51cf9e5c3ebf5756521126d9dbd959) Merge branch '1719-stevecrozz-decrease-gem-size'
- [`dd19ddd`](https://github.com/sparklemotion/nokogiri/commit/dd19ddd5ab9ca6c2d7044274eae11e98b645d57e) update CHANGELOG
- [`985b9fc`](https://github.com/sparklemotion/nokogiri/commit/985b9fc229792a658c631ba78b6fbd1010a01fec) add .hoerc containing excludes
- [`b61b34c`](https://github.com/sparklemotion/nokogiri/commit/b61b34c1815d7e05b4bfb5a16c6570073f393ccd) Make builds minimal
- [`9bb0226`](https://github.com/sparklemotion/nokogiri/commit/9bb0226b680ef0d248504379be0584ae6f64a49d) remove hacks preventing jruby from using racc and rexical
- Additional commits viewable in [compare view](https://github.com/sparklemotion/nokogiri/compare/v1.8.2...v1.9.1)



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
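The advisories quoted in the PR body state two things a reviewer of this bump needs to check: the patched version thresholds (>= 1.8.5 for CVE-2018-14404/CVE-2018-14567, >= 1.8.3 for CVE-2018-8048) and the caveat that the gem upgrade only fixes Nokogiri's vendored libxml2, not a distro-supplied one. The Ruby script below is an added example for this page, not code from uoft-tapp/tapp-cp, nokogiri or Dependabot. It assumes the `    name (version)` line format Bundler writes under `specs:` in Gemfile.lock and the shape of `Nokogiri::VERSION_INFO` on nokogiri 1.8.x MRI builds (`"libxml" => {"source" => "packaged" | "system", ...}`); the lockfile fragments are constructed, not this repository's real lockfile, and only Ruby's bundled `rubygems` is required.

```ruby
# Added example (not part of uoft-tapp/tapp-cp or nokogiri): check a Gemfile.lock
# against the patched versions quoted in the advisories, and apply the
# "vendored vs. system libxml2" caveat to a running process.
require "rubygems" # Gem::Version ships with Ruby; nokogiri itself is not needed

# Patched-version thresholds exactly as stated in the quoted advisories.
NOKOGIRI_ADVISORIES = {
  "CVE-2018-14404" => Gem::Version.new("1.8.5"), # libxml2 patches pulled into 1.8.5
  "CVE-2018-14567" => Gem::Version.new("1.8.5"), # same release
  "CVE-2018-8048"  => Gem::Version.new("1.8.3"), # libxml2 serialization revert
}.freeze

# Bundler lists resolved gems under "  specs:" as "    name (version)" (assumed
# format). Only the version part is captured, so a platform suffix such as
# "-x86_64-linux" after the version is ignored.
def locked_nokogiri_version(lockfile_text)
  m = lockfile_text.match(/^ {4}nokogiri \(([0-9][0-9A-Za-z.]*)/)
  m && Gem::Version.new(m[1])
end

# CVEs from the table above whose patched version is newer than the locked one.
# Returns nil when nokogiri is not in the lockfile at all.
def unpatched_cves(lockfile_text)
  locked = locked_nokogiri_version(lockfile_text)
  return nil if locked.nil?
  NOKOGIRI_ADVISORIES.select { |_cve, fixed_in| locked < fixed_in }.keys
end

# Apply the advisory's caveat to a running process. The hash shape is an
# assumption about Nokogiri::VERSION_INFO on nokogiri 1.8.x MRI builds:
#   {"libxml" => {"source" => "packaged" | "system", "loaded" => "2.9.8", ...}}
# Only the vendored ("packaged") libxml2 is fixed by the gem upgrade; a system
# libxml2 has to be patched by the distro, as the advisory says.
def libxml_fix_path(version_info)
  case (version_info["libxml"] || {})["source"]
  when "packaged" then :upgrade_gem   # the gem bump carries the libxml2 patches
  when "system"   then :patch_distro  # check the distro's libxml2 package instead
  else                 :not_libxml    # e.g. JRuby builds, which use Xerces rather than libxml2
  end
end

# Constructed lockfile fragments (not this repository's real Gemfile.lock):
# the state before this PR and the state it proposes.
LOCKFILE_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.3.0)
      nokogiri (1.8.2)
        mini_portile2 (~> 2.3.0)
LOCK

LOCKFILE_AFTER = LOCKFILE_BEFORE.sub("nokogiri (1.8.2)", "nokogiri (1.9.1)")
                                .sub("mini_portile2 (2.3.0)", "mini_portile2 (2.4.0)")
                                .sub("~> 2.3.0", "~> 2.4.0")

if __FILE__ == $PROGRAM_NAME
  [LOCKFILE_BEFORE, LOCKFILE_AFTER].each do |lock|
    puts "nokogiri #{locked_nokogiri_version(lock)}: unpatched #{unpatched_cves(lock).inspect}"
  end
  # In a real process you would pass Nokogiri::VERSION_INFO here.
  puts libxml_fix_path("libxml" => { "source" => "packaged", "loaded" => "2.9.8" })
end
```

Run it against a real lockfile with `unpatched_cves(File.read("Gemfile.lock"))`; an empty array means the locked version meets every threshold in the table. The `libxml_fix_path` result is what decides whether merging this PR closes the finding or whether the distro's libxml2 package is the thing to track instead.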
dependabot-preview[bot] commented 5 years ago

Superseded by #191.