uoft-tapp / tapp-cp

TA assignment and matching application (TAPP) & Contract Presentment helper (CP) at the Department of Computer Science, University of Toronto

[Security] Bump nokogiri from 1.8.2 to 1.10.0 #191

Closed dependabot-preview[bot] closed 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps nokogiri from 1.8.2 to 1.10.0. This update includes security fixes.

Vulnerabilities fixed

*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-14404.yml).*

> **Nokogiri gem, via libxml2, is affected by multiple vulnerabilities**
> Nokogiri 1.8.5 has been released.
>
> This is a security and bugfix release. It addresses two CVEs in upstream
> libxml2 rated as "medium" by Red Hat, for which details are below.
>
> If you're using your distro's system libraries, rather than Nokogiri's
> vendored libraries, there's no security need to upgrade at this time,
> though you may want to check with your distro whether they've patched this
> (Canonical has patched Ubuntu packages). Note that these patches are not
> yet (as of 2018-10-04) in an upstream release of libxml2.
>
> Full details about the security update are available in Github Issue #1785.
> [#1785]: https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1785
>
> -----
>
> [MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404
> and CVE-2018-14567. Full details are available in #1785. Note that these
> patches are not yet (as of 2018-10-04) in an upstream release of libxml2.
>
> ... (truncated)
>
> Patched versions: >= 1.8.5
> Unaffected versions: none

*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-8048.yml).*

> **Revert libxml2 behavior in Nokogiri gem that could cause XSS**
> [MRI] Behavior in libxml2 has been reverted which caused
> CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and
> CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is
> here:
>
> https://github.com/GNOME/libxml2/commit/960f0e2
>
> and more information is available about this commit and its impact
> here:
>
> https://github-redirect.dependabot.com/flavorjones/loofah/issues/144
>
> This release simply reverts the libxml2 commit in question to protect
> users of Nokogiri's vendored libraries from similar vulnerabilities.
>
> If you're offended by what happened here, I'd kindly ask that you
> comment on the upstream bug report here:
>
> https://bugzilla.gnome.org/show_bug.cgi?id=769760
>
> Patched versions: >= 1.8.3
> Unaffected versions: none
Release notes

*Sourced from [nokogiri's releases](https://github.com/sparklemotion/nokogiri/releases).*

> ## 1.10.0 / 2019-01-04
>
> ### Features
>
> * [MRI] Cross-built Windows gems now support Ruby 2.6 [#1842, [#1850](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1850)]
>
> ### Backwards incompatibilities
>
> This release ends support for:
>
> * Ruby 2.2, for which [official support ended on 2018-03-31](https://www.ruby-lang.org/en/news/2018/06/20/support-of-ruby-2-2-has-ended/) [#1841]
> * JRuby 1.7, for which [official support ended on 2017-11-21](https://github-redirect.dependabot.com/jruby/jruby/issues/4112) [#1741]
>
> ### Dependencies
>
> * [MRI] libxml2 is updated from 2.9.8 to 2.9.9
> * [MRI] libxslt is updated from 1.1.32 to 1.1.33
>
> # 1.9.1 / 2018-12-17
>
> ## Bug fixes
>
> * Fix a bug introduced in v1.9.0 where `XML::DocumentFragment#dup` no longer returned an instance of the callee's class, instead always returning an `XML::DocumentFragment`. This notably broke any subclass of `XML::DocumentFragment` including `HTML::DocumentFragment` as well as the Loofah gem's `Loofah::HTML::DocumentFragment`. [#1846]
>
> # 1.9.0 / 2018-12-17
>
> ## Security Notes
>
> * [JRuby] Upgrade Xerces dependency from 2.11.0 to 2.12.0 to address upstream vulnerability CVE-2012-0881 [#1831] (Thanks [**grajagandev**](https://github.com/grajagandev) for reporting.)
>
> ## Notable non-functional changes
>
> * Decrease installation size by removing many unneeded files (e.g., `/test`) from the packaged gems. [#1719] (Thanks, [**stevecrozz**](https://github.com/stevecrozz)!)
>
> ## Features
>
> * `XML::Attr#value=` allows HTML node attribute values to be set to either a blank string or an empty boolean attribute. [#1800]
> * Introduce `XML::Node#wrap` which does what `XML::NodeSet#wrap` has always done, but for a single node. [#1531] (Thanks, [**ethirajsrinivasan**](https://github.com/ethirajsrinivasan)!)
> * [MRI] Improve installation experience on macOS High Sierra (Darwin). [#1812, [#1813](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1813)] (Thanks, [**gpakosz**](https://github.com/gpakosz) and [**nurse**](https://github.com/nurse)!)
> * [MRI] Node#dup supports copying a node directly to a new document. See the method documentation for details.
> * [MRI] DocumentFragment#dup is now more memory-efficient, avoiding making unnecessary copies. [#1063]
> * [JRuby] NodeSet has been rewritten to improve performance! [#1795]
>
> ... (truncated)
Changelog

*Sourced from [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md).*

> ## 1.10.0 / 2019-01-04
>
> ### Features
>
> * [MRI] Cross-built Windows gems now support Ruby 2.6 [#1842, [#1850](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1850)]
>
> ### Backwards incompatibilities
>
> This release ends support for:
>
> * Ruby 2.2, for which [official support ended on 2018-03-31](https://www.ruby-lang.org/en/news/2018/06/20/support-of-ruby-2-2-has-ended/) [#1841]
> * JRuby 1.7, for which [official support ended on 2017-11-21](https://github-redirect.dependabot.com/jruby/jruby/issues/4112) [#1741]
>
> ### Dependencies
>
> * [MRI] libxml2 is updated from 2.9.8 to 2.9.9
> * [MRI] libxslt is updated from 1.1.32 to 1.1.33
>
> ## 1.9.1 / 2018-12-17
>
> ### Bug fixes
>
> * Fix a bug introduced in v1.9.0 where `XML::DocumentFragment#dup` no longer returned an instance of the callee's class, instead always returning an `XML::DocumentFragment`. This notably broke any subclass of `XML::DocumentFragment` including `HTML::DocumentFragment` as well as the Loofah gem's `Loofah::HTML::DocumentFragment`. [#1846]
>
> ## 1.9.0 / 2018-12-17
>
> ### Security Notes
>
> * [JRuby] Upgrade Xerces dependency from 2.11.0 to 2.12.0 to address upstream vulnerability CVE-2012-0881 [#1831] (Thanks [**grajagandev**](https://github.com/grajagandev) for reporting.)
>
> ### Notable non-functional changes
>
> * Decrease installation size by removing many unneeded files (e.g., `/test`) from the packaged gems. [#1719] (Thanks, [**stevecrozz**](https://github.com/stevecrozz)!)
>
> ### Features
>
> * `XML::Attr#value=` allows HTML node attribute values to be set to either a blank string or an empty boolean attribute. [#1800]
> * Introduce `XML::Node#wrap` which does what `XML::NodeSet#wrap` has always done, but for a single node. [#1531] (Thanks, [**ethirajsrinivasan**](https://github.com/ethirajsrinivasan)!)
> * [MRI] Improve installation experience on macOS High Sierra (Darwin). [#1812, [#1813](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1813)] (Thanks, [**gpakosz**](https://github.com/gpakosz) and [**nurse**](https://github.com/nurse)!)
> * [MRI] Node#dup supports copying a node directly to a new document. See the method documentation for details.
> * [MRI] DocumentFragment#dup is now more memory-efficient, avoiding making unnecessary copies. [#1063]
> * [JRuby] NodeSet has been rewritten to improve performance! [#1795]
>
> ... (truncated)
Commits

- [`4a448d1`](https://github.com/sparklemotion/nokogiri/commit/4a448d1924d99f32982be17c2a6256fd42afa330) version bump to v1.10.0
- [`104ccc9`](https://github.com/sparklemotion/nokogiri/commit/104ccc9be84b85fb644943ee1b67b82c7f3aeef9) ensure hoe ignores .yardoc
- [`0935b22`](https://github.com/sparklemotion/nokogiri/commit/0935b22459a850e6b8a733ee263bdaf95fe18b15) update concourse TODO
- [`d48820a`](https://github.com/sparklemotion/nokogiri/commit/d48820a7a7ddcb77b491f40303ea06298c01b207) Merge branch 'flavorjones-try-libxml-2.9.9'
- [`c5d661f`](https://github.com/sparklemotion/nokogiri/commit/c5d661fa5ef8f59665215ddb5251de1864b5f0bf) update CHANGELOG with libxml2/libxslt updates
- [`f78f50a`](https://github.com/sparklemotion/nokogiri/commit/f78f50a42ada365511f896ea8cb09db1eb1bae45) update libxml to 2.9.9 final, libxslt to 1.1.33 final
- [`90d5807`](https://github.com/sparklemotion/nokogiri/commit/90d58076c52712bc987a11f3ca035b28a7a386f5) update to libxslt 1.1.33-rc2
- [`18d2b07`](https://github.com/sparklemotion/nokogiri/commit/18d2b070e750ee7bb4b3bbd0fd5b0e5b39fda6b8) libxml2: remove patches present in 2.9.9
- [`ecc1fc7`](https://github.com/sparklemotion/nokogiri/commit/ecc1fc7fe73b07084db9bb0ddb6128808464156d) update to libxml 2.9.9-rc2
- [`416651c`](https://github.com/sparklemotion/nokogiri/commit/416651c519152a40fd93177628bfe4e13fb4bd53) version bump to v1.10.0.rc1
- Additional commits viewable in [compare view](https://github.com/sparklemotion/nokogiri/compare/v1.8.2...v1.10.0)



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
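The advisories quoted in the PR body hinge on one question a maintainer has to answer before deciding how urgent this bump is: is Nokogiri using its vendored libxml2 (where the 1.8.3 and 1.8.5 fixes apply) or the distro's system libxml2 (where the gem version says nothing and the distro's patch level is what matters)? The Ruby script below is an added example, not code from this PR, from Nokogiri, or from the tapp-cp project. It encodes that decision over a hash shaped like `Nokogiri::VERSION_INFO`. Assumptions to verify against your own install: the `"nokogiri"` entry holds the gem version (a string in the 1.8 to 1.10 line; later releases nest it under a `"version"` key), and MRI builds carry a `"libxml"` entry whose `"source"` reads `"packaged"` for the vendored library or `"system"` for the distro's, alongside a `"loaded"` runtime version. The sample hashes are constructed for the example; `assess` and `ADVISORIES` are names chosen here.

```ruby
require "rubygems" # Gem::Version; already loaded by a normal Ruby process

# Advisories quoted in the PR body, with the first Nokogiri release that carries
# each fix. All three concern the libxml2 that Nokogiri vendors on MRI.
ADVISORIES = {
  "CVE-2018-14404" => "1.8.5", # upstream libxml2 patch pulled into 1.8.5
  "CVE-2018-14567" => "1.8.5", # upstream libxml2 patch pulled into 1.8.5
  "CVE-2018-8048"  => "1.8.3", # libxml2 commit 960f0e2 reverted in 1.8.3
}.freeze

# Gem version from a VERSION_INFO-shaped hash. Assumption: "nokogiri" is a plain
# version string in the 1.8-1.10 line and a hash with a "version" key later on.
def gem_version_of(info)
  v = info.fetch("nokogiri")
  v = v.fetch("version") if v.is_a?(Hash)
  Gem::Version.new(v)
end

# Classify a build and list the advisories that still apply to it.
# Returns { status: :vendored | :system | :no_libxml, cves: [...], libxml2: String or nil }.
def assess(info)
  libxml = info["libxml"]
  # No libxml2 at all (JRuby builds use Xerces): none of these three advisories apply.
  return { status: :no_libxml, cves: [], libxml2: nil } if libxml.nil? || libxml.empty?

  loaded = libxml["loaded"]
  if libxml["source"] == "system"
    # The gem version says nothing about a distro-supplied libxml2; the advisory
    # defers to the distro, so surface the runtime libxml2 version for that check.
    return { status: :system, cves: [], libxml2: loaded }
  end

  version = gem_version_of(info)
  cves = ADVISORIES.select { |_cve, patched| version < Gem::Version.new(patched) }.keys
  { status: :vendored, cves: cves, libxml2: loaded }
end

# Constructed sample hashes for this example (shape assumed, see the lead-in).
SAMPLE_VENDORED_1_8_2 = {
  "nokogiri" => "1.8.2",
  "libxml"   => { "source" => "packaged", "compiled" => "2.9.7", "loaded" => "2.9.7" },
}.freeze
SAMPLE_SYSTEM_1_8_2 = {
  "nokogiri" => "1.8.2",
  "libxml"   => { "source" => "system", "compiled" => "2.9.4", "loaded" => "2.9.4" },
}.freeze
SAMPLE_VENDORED_1_10_0 = {
  "nokogiri" => "1.10.0",
  "libxml"   => { "source" => "packaged", "compiled" => "2.9.9", "loaded" => "2.9.9" },
}.freeze
SAMPLE_JRUBY_1_8_2 = { "nokogiri" => "1.8.2", "xerces" => "2.11.0" }.freeze # constructed, no "libxml" key

# Run against the Nokogiri actually loaded in this process; nil when the gem is
# not installed, so the sample-driven part above still runs offline.
def assess_loaded_nokogiri
  require "nokogiri"
  assess(Nokogiri::VERSION_INFO)
rescue LoadError
  nil
end

if $PROGRAM_NAME == __FILE__
  [SAMPLE_VENDORED_1_8_2, SAMPLE_SYSTEM_1_8_2, SAMPLE_VENDORED_1_10_0, SAMPLE_JRUBY_1_8_2].each do |s|
    puts "#{gem_version_of(s)}: #{assess(s).inspect}"
  end
  live = assess_loaded_nokogiri
  puts "loaded nokogiri: #{live.inspect}" if live
end
```

In the application this PR targets, `bundle exec ruby -e 'require "nokogiri"; p Nokogiri::VERSION_INFO'` prints the real hash to feed into `assess`. A `:system` result does not mean "safe": it means the libxml2 version shown has to be checked against the distro's own advisories, exactly as the quoted release note says. A `:vendored` result with an empty `cves` list is the state this bump (1.8.2 to 1.10.0, which ships libxml2 2.9.9) leaves the Gemfile.lock in.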
dependabot-preview[bot] commented 5 years ago

Superseded by #192.