Created by: dependabot[bot]
Bumps nokogiri from 1.6.6.2 to 1.10.7.
Release notes
Sourced from nokogiri's releases.
1.10.7 / 2019-12-03
Bug
- [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. #1954
1.10.6 / 2019-12-03
Bug
1.10.5 / 2019-10-31
Dependencies
- [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
- [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34
1.10.4 / 2019-08-11
Security
- Address CVE-2019-5477 (#1915)
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
This CVE's public notice is sparklemotion/nokogiri#1915
1.10.3 / 2019-04-22
Security Notes
[MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.
1.10.2 / 2019-03-24
Security ... (truncated)
Changelog
Sourced from nokogiri's changelog.
1.10.7 / 2019-12-03
Bug
- [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. #1954
1.10.6 / 2019-12-03
Bug
1.10.5 / 2019-10-31
Security
[MRI] Vendored libxslt upgraded to v1.1.34 which addresses three CVEs for libxslt:
- CVE-2019-13117
- CVE-2019-13118
- CVE-2019-18197
More details are available at #1943.
Dependencies
- [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
- [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34
1.10.4 / 2019-08-11
Security
- Address CVE-2019-5477 (#1915)
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
This CVE's public notice is sparklemotion/nokogiri#1915
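The CVE-2019-5477 note above turns on one Ruby detail: Kernel.open treats a leading "|" in its argument as "run this command and open a pipe to it", so any file loader that hands untrusted input to Kernel.open is a command-injection sink, while File.open treats "|" as an ordinary filename character. The following is an added example, not Nokogiri's or Rexical's code, showing the two checks a defender would want: a file reader that never calls Kernel.open and confines names to an allow-listed directory, and a version predicate that flags an installed nokogiri older than the 1.10.4 fix named above (the function names, the base-directory rule and the constructed sample file are assumptions of this example).

```ruby
# Added example (not Nokogiri's or Rexical's code).
#
# 1. safe_read reads a file relative to base_dir using File.open only.
#    Kernel.open would interpret a leading "|" as a command to execute;
#    File.open never does. The loader also rejects names that escape the
#    base directory and names that are not regular files.
#
# 2. affected_version? compares an installed version string against the
#    first fixed release (1.10.4, per the release notes) using Gem::Version,
#    the comparison a Gemfile.lock audit script needs.

require "rubygems"
require "tmpdir"

FIXED_NOKOGIRI = Gem::Version.new("1.10.4") # first release shipping the Rexical 1.0.7 fix

# Returns true when +version+ (e.g. "1.6.6.2") predates the CVE-2019-5477 fix.
def affected_version?(version)
  Gem::Version.new(version) < FIXED_NOKOGIRI
end

# Reads +name+ relative to +base_dir+ without ever calling Kernel.open.
# Raises ArgumentError for pipe-style names, for names that resolve outside
# base_dir, and for anything that is not a regular file.
def safe_read(base_dir, name)
  raise ArgumentError, "refusing pipe-style name: #{name.inspect}" if name.start_with?("|")

  base = File.expand_path(base_dir)
  path = File.expand_path(name, base)
  unless path.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "path escapes base directory: #{name.inspect}"
  end
  raise ArgumentError, "not a regular file: #{name.inspect}" unless File.file?(path)

  File.open(path, "r") { |f| f.read } # File.open, never Kernel.open
end

# Self-check on a constructed CSS file so the example runs stand-alone.
# Returns a hash of outcomes rather than printing them.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "query.css"), "div > p") # constructed sample input
    results = {}
    results[:ok]     = safe_read(dir, "query.css")
    results[:pipe]   = (safe_read(dir, "|true") rescue $!.class)
    results[:escape] = (safe_read(dir, "../../etc/passwd") rescue $!.class)
    results[:old]    = affected_version?("1.6.6.2") # the version this PR bumps from
    results[:new]    = affected_version?("1.10.7")  # the version this PR bumps to
    results
  end
end

if __FILE__ == $PROGRAM_NAME
  p demo
end
```

The allow-list check compares canonicalised paths (File.expand_path) rather than looking for ".." substrings, so encoded or repeated traversal sequences are normalised before the comparison; the pipe check is kept separately because it guards against a different sink, not a filesystem escape.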
1.10.3 / 2019-04-22
Security Notes
... (truncated)
Commits
- e6b3229 version bump to v1.10.7
- 4f9d443 update CHANGELOG
- 80e67ef Fix the patch from #1953 to work with both git and patch
- 7cf1b85 Fix typo in generated metadata
- d76180d add gem metadata
- 13132fc version bump to v1.10.6
- 95e56fd update CHANGELOG
- 73c53ee Add a patch to fix libxml2.la's path
- 061d75d add security note to CHANGELOG
- 1bc2ff9 version bump to v1.10.5
- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
You can disable automated security fix PRs for this repo from the Security Alerts page.