Created by: dependabot-preview[bot]
Bumps nokogiri from 1.10.7 to 1.10.8. This update includes a security fix.
Vulnerabilities fixed
Sourced from The GitHub Security Advisory Database.
Moderate severity vulnerability that affects nokogiri xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. The Nokogiri RubyGem has patched it's vendored copy of libxml2 in order to prevent this issue from affecting nokogiri.
Affected versions: < 1.10.8
Release notes
Sourced from nokogiri's releases.
1.10.8 / 2020-02-10
Security
[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.
Changelog
Sourced from nokogiri's changelog.
Nokogiri (1.10.7)
--- warnings: [] nokogiri: 1.10.7 ruby: version: 2.7.0 platform: x86_64-linux description: ruby 2.7.0p0 (2019-12-25 revision 647ee6f091) [x86_64-linux] engine: ruby libxml: binding: extension source: packaged libxml2_path: "/home/flavorjones/.rvm/gems/ruby-2.7.0/gems/nokogiri-1.10.7/ports/x86_64-pc-linux-gnu/libxml2/2.9.10" libxslt_path: "/home/flavorjones/.rvm/gems/ruby-2.7.0/gems/nokogiri-1.10.7/ports/x86_64-pc-linux-gnu/libxslt/1.1.34" libxml2_patches: - 0001-Revert-Do-not-URI-escape-in-server-side-includes.patch - 0002-Remove-script-macro-support.patch - 0003-Update-entities-to-remove-handling-of-ssi.patch - 0004-libxml2.la-is-in-top_builddir.patch libxslt_patches: [] compiled: 2.9.10 loaded: 2.9.10
but now looks like:
Nokogiri (1.11.0)
... (truncated)--- warnings: [] nokogiri: 1.11.0 ruby: version: 2.7.0 platform: x86_64-linux description: ruby 2.7.0p0 (2019-12-25 revision 647ee6f091) [x86_64-linux] engine: ruby libxml: source: packaged patches: - 0001-Revert-Do-not-URI-escape-in-server-side-includes.patch - 0002-Remove-script-macro-support.patch - 0003-Update-entities-to-remove-handling-of-ssi.patch - 0004-libxml2.la-is-in-top_builddir.patch compiled: 2.9.10 loaded: 2.9.10 libxslt: source: packaged patches: [] compiled: 1.1.34 loaded: 1.1.34
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase
.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
-
@dependabot rebase
will rebase this PR -
@dependabot recreate
will recreate this PR, overwriting any edits that have been made to it -
@dependabot merge
will merge this PR after your CI passes on it -
@dependabot squash and merge
will squash and merge this PR after your CI passes on it -
@dependabot cancel merge
will cancel a previously requested merge and block automerging -
@dependabot reopen
will reopen this PR if it is closed -
@dependabot close
will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually -
@dependabot ignore this major version
will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this minor version
will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) -
@dependabot ignore this dependency
will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) -
@dependabot use these labels
will set the current labels as the default for future PRs for this repo and language -
@dependabot use these reviewers
will set the current reviewers as the default for future PRs for this repo and language -
@dependabot use these assignees
will set the current assignees as the default for future PRs for this repo and language -
@dependabot use this milestone
will set the current milestone as the default for future PRs for this repo and language -
@dependabot badge me
will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot dashboard:
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)