uoft-tapp / tapp-cp

TA assignment and matching application (TAPP) & Contract Presentment helper (CP) at the Department of Computer Science, University of Toronto

[Security] Bump nokogiri from 1.8.2 to 1.10.1 #192

Open dependabot-preview[bot] opened 5 years ago

dependabot-preview[bot] commented 5 years ago

Bumps nokogiri from 1.8.2 to 1.10.1. This update includes security fixes.

Vulnerabilities fixed

*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-14404.yml).*

> **Nokogiri gem, via libxml2, is affected by multiple vulnerabilities**
> Nokogiri 1.8.5 has been released.
>
> This is a security and bugfix release. It addresses two CVEs in upstream libxml2 rated as "medium" by Red Hat, for which details are below.
>
> If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may want to check with your distro whether they've patched this (Canonical has patched Ubuntu packages). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.
>
> Full details about the security update are available in Github Issue #1785.
> [#1785]: https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1785
>
> -----
>
> [MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in #1785. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.
>
> ... (truncated)
>
> Patched versions: >= 1.8.5
> Unaffected versions: none

*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-8048.yml).*

> **Revert libxml2 behavior in Nokogiri gem that could cause XSS**
> [MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here:
>
> https://github.com/GNOME/libxml2/commit/960f0e2
>
> and more information is available about this commit and its impact here:
>
> https://github-redirect.dependabot.com/flavorjones/loofah/issues/144
>
> This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities.
>
> If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here:
>
> https://bugzilla.gnome.org/show_bug.cgi?id=769760
>
> Patched versions: >= 1.8.3
> Unaffected versions: none
Release notes

*Sourced from [nokogiri's releases](https://github.com/sparklemotion/nokogiri/releases).*

> ## 1.10.1 / 2019-01-13
>
> ### Features
>
> * [MRI] During installation, handle Xcode 10's new library path. [#1801, [#1851](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1851)] (Thanks, [**mlj**](https://github.com/mlj) and [**deepj**](https://github.com/deepj)!)
> * Avoid unnecessary creation of `Proc`s in many methods. [#1776] (Thanks, [**chopraanmol1**](https://github.com/chopraanmol1)!)
>
> ### Bug fixes
>
> * CSS selector `:has()` now correctly matches against any descendant. Previously this selector matched against only direct children. [#350] (Thanks, [**Phrogz**](https://github.com/Phrogz)!)
> * `NodeSet#attr` now returns `nil` if it's empty. Previously this raised a NoMethodError.
> * [MRI] XPath errors are no longer suppressed during `XSLT::Stylesheet#transform`. Previously these errors were suppressed which led to silent failures and a subsequent segfault. [#1802]
>
> ## 1.10.0 / 2019-01-04
>
> ### Features
>
> * [MRI] Cross-built Windows gems now support Ruby 2.6 [#1842, [#1850](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1850)]
>
> ### Backwards incompatibilities
>
> This release ends support for:
>
> * Ruby 2.2, for which [official support ended on 2018-03-31](https://www.ruby-lang.org/en/news/2018/06/20/support-of-ruby-2-2-has-ended/) [#1841]
> * JRuby 1.7, for which [official support ended on 2017-11-21](https://github-redirect.dependabot.com/jruby/jruby/issues/4112) [#1741]
>
> ### Dependencies
>
> * [MRI] libxml2 is updated from 2.9.8 to 2.9.9
> * [MRI] libxslt is updated from 1.1.32 to 1.1.33
>
> # 1.9.1 / 2018-12-17
>
> ## Bug fixes
>
> * Fix a bug introduced in v1.9.0 where `XML::DocumentFragment#dup` no longer returned an instance of the callee's class, instead always returning an `XML::DocumentFragment`. This notably broke any subclass of `XML::DocumentFragment` including `HTML::DocumentFragment` as well as the Loofah gem's `Loofah::HTML::DocumentFragment`. [#1846]
>
> # 1.9.0 / 2018-12-17
>
> ## Security Notes
>
> ... (truncated)
Changelog

*Sourced from [nokogiri's changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md).*

> ## 1.10.1 / 2019-01-13
>
> ### Features
>
> * [MRI] During installation, handle Xcode 10's new library path. [#1801, [#1851](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1851)] (Thanks, [**mlj**](https://github.com/mlj) and [**deepj**](https://github.com/deepj)!)
> * Avoid unnecessary creation of `Proc`s in many methods. [#1776] (Thanks, [**chopraanmol1**](https://github.com/chopraanmol1)!)
>
> ### Bug fixes
>
> * CSS selector `:has()` now correctly matches against any descendant. Previously this selector matched against only direct children. [#350] (Thanks, [**Phrogz**](https://github.com/Phrogz)!)
> * `NodeSet#attr` now returns `nil` if it's empty. Previously this raised a NoMethodError.
> * [MRI] XPath errors are no longer suppressed during `XSLT::Stylesheet#transform`. Previously these errors were suppressed which led to silent failures and a subsequent segfault. [#1802]
>
> ## 1.10.0 / 2019-01-04
>
> ### Features
>
> * [MRI] Cross-built Windows gems now support Ruby 2.6 [#1842, [#1850](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1850)]
>
> ### Backwards incompatibilities
>
> This release ends support for:
>
> * Ruby 2.2, for which [official support ended on 2018-03-31](https://www.ruby-lang.org/en/news/2018/06/20/support-of-ruby-2-2-has-ended/) [#1841]
> * JRuby 1.7, for which [official support ended on 2017-11-21](https://github-redirect.dependabot.com/jruby/jruby/issues/4112) [#1741]
>
> ### Dependencies
>
> * [MRI] libxml2 is updated from 2.9.8 to 2.9.9
> * [MRI] libxslt is updated from 1.1.32 to 1.1.33
>
> ## 1.9.1 / 2018-12-17
>
> ### Bug fixes
>
> * Fix a bug introduced in v1.9.0 where `XML::DocumentFragment#dup` no longer returned an instance of the callee's class, instead always returning an `XML::DocumentFragment`. This notably broke any subclass of `XML::DocumentFragment` including `HTML::DocumentFragment` as well as the Loofah gem's `Loofah::HTML::DocumentFragment`. [#1846]
>
> ## 1.9.0 / 2018-12-17
>
> ### Security Notes
>
> * [JRuby] Upgrade Xerces dependency from 2.11.0 to 2.12.0 to address upstream vulnerability CVE-2012-0881 [#1831] (Thanks [**grajagandev**](https://github.com/grajagandev) for reporting.)
>
> ... (truncated)
Commits

- [`320aadc`](https://github.com/sparklemotion/nokogiri/commit/320aadc771b52cbc3f7bec1deeb2200e5c6e243d) version bump to v1.10.1
- [`e515c15`](https://github.com/sparklemotion/nokogiri/commit/e515c1584bf531a359f05d78f07868ce1be71237) update CHANGELOG for v1.10.1
- [`a1b3c20`](https://github.com/sparklemotion/nokogiri/commit/a1b3c20674c647b1483cb7b91fa1f518a96106e8) update CHANGELOG
- [`c594d1d`](https://github.com/sparklemotion/nokogiri/commit/c594d1de8cb14d0cb95f713613b8258df29fbfe3) concourse: ignore changes to CHANGELOG when triggering
- [`75e9f2a`](https://github.com/sparklemotion/nokogiri/commit/75e9f2a505756d855c1b561f6e5b72e1f34f3648) Merge pull request [#1860](https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1860) from sparklemotion/1802-xpath2-causes-segfault-in-tr...
- [`a8c032c`](https://github.com/sparklemotion/nokogiri/commit/a8c032c3b2b48fb0e4b9f94970311d04fe7447c8) add an to the PR template
- [`3ab0c9d`](https://github.com/sparklemotion/nokogiri/commit/3ab0c9df69917e2948e1341fa640f39b49a47db5) ensure we trap XML errors while applying XSLT stylesheet
- [`df1bfa0`](https://github.com/sparklemotion/nokogiri/commit/df1bfa02e6469f4acf7626646d04b5827e7df8fe) issue template: note how to report security vulnerabilities
- [`9833526`](https://github.com/sparklemotion/nokogiri/commit/9833526981c1045e91a53c971618111671fe1b45) update README and CONTRIBUTING with link to CoC file
- [`053b209`](https://github.com/sparklemotion/nokogiri/commit/053b209f970492e565ebd0884f65311fe2035b21) remove unneeded bug report template
- Additional commits viewable in [compare view](https://github.com/sparklemotion/nokogiri/compare/v1.8.2...v1.10.1)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
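The advisories quoted above give concrete patched-version floors (`>= 1.8.5` for the libxml2 CVEs, `>= 1.8.3` for the XSS-related revert). A reviewer merging this bump would want to confirm that the locked `nokogiri` version actually clears those floors rather than trusting the PR title. The script below is an added example, not code from the tapp-cp repository or from Dependabot: it reads the `GEM`/`specs:` section of a `Gemfile.lock`, pulls out top-level gem versions, and compares the locked `nokogiri` version against the advisory ranges using RubyGems' own `Gem::Requirement`. The lockfile excerpt is constructed for the example; the CVE-to-range mapping is taken from the advisory text in this PR.

```ruby
require "rubygems"

# Constructed Gemfile.lock excerpt for the example (not the tapp-cp lockfile).
# nokogiri is pinned at 1.8.2, the version this PR bumps away from.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.2.2)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      mini_portile2 (2.3.0)
      nokogiri (1.8.2)
        mini_portile2 (~> 2.3.0)
      rails-html-sanitizer (1.0.4)
        loofah (~> 2.2, >= 2.2.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
LOCK

# Patched-version floors as stated in the advisories quoted in this PR.
ADVISORIES = {
  "CVE-2018-14404" => Gem::Requirement.new(">= 1.8.5"),
  "CVE-2018-14567" => Gem::Requirement.new(">= 1.8.5"),
  "CVE-2018-8048"  => Gem::Requirement.new(">= 1.8.3"),
}.freeze

# Return { gem_name => Gem::Version } for the top-level entries of the
# GEM/specs: section. In Gemfile.lock, "specs:" is indented two spaces,
# resolved gems four, and each gem's own dependencies six; the regex only
# accepts the four-space lines, so dependency constraints like
# "nokogiri (>= 1.5.9)" are never mistaken for a resolved version.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.start_with?("  specs:")
      in_specs = true
      next
    end
    in_specs = false if in_specs && line.strip.empty?
    next unless in_specs
    m = line.match(/\A {4}(\S+) \((\S+)\)\s*\z/)
    next unless m
    # Platform-specific gems lock as e.g. "1.8.2-x86_64-linux"; keep only
    # the version part for comparison.
    versions[m[1]] = Gem::Version.new(m[2].split("-").first)
  end
  versions
end

# List the advisory ids whose patched range the locked version does NOT
# satisfy. An empty array means the lockfile clears every floor;
# a gem that is absent from the lockfile is reported as not affected.
def unpatched_advisories(lockfile_text, gem_name = "nokogiri", advisories = ADVISORIES)
  version = locked_versions(lockfile_text)[gem_name]
  return [] if version.nil?
  advisories.reject { |_, req| req.satisfied_by?(version) }.keys
end

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  locked = locked_versions(text)["nokogiri"]
  missing = unpatched_advisories(text)
  puts "nokogiri locked at #{locked || 'not present'}"
  puts(missing.empty? ? "all advisory floors satisfied" : "unpatched: #{missing.join(', ')}")
end
```

Run it against a real lockfile with `ruby check_nokogiri.rb Gemfile.lock`. The advisory's caveat still applies after the check passes: the libxml2 fixes only matter for builds that use Nokogiri's vendored libxml2, and `nokogiri -v` prints the gem's version info, including which libxml2 it was built against, so that is the second thing to verify before deciding whether the bump is urgent.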