Skip to content
GitLab

[Security] Bump rexml from 3.2.4 to 3.2.5

Merged Administrator requested to merge dependabot/bundler/rexml-3.2.5 into main

Created by: dependabot-preview[bot]

Bumps rexml from 3.2.4 to 3.2.5. This update includes a security fix.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

XML round-trip vulnerability in REXML When parsing and serializing a crafted XML document, REXML gem (including the one bundled with Ruby) can create a wrong XML document whose structure is different from the original one.

Patched versions: >= 3.2.5 Unaffected versions: none

Changelog

Sourced from rexml's changelog.

3.2.5 - 2021-04-05 {#version-3-2-5}

Improvements

  • Add more validations to XPath parser.

  • require "rexml/docuemnt" by default. [GitHub#36][Patch by Koichi ITO]

  • Don't add #dcloe method to core classes globally. [GitHub#37][Patch by Akira Matsuda]

  • Add more documentations. [Patch by Burdette Lamar]

  • Added REXML::Elements#parent. [GitHub#52][Patch by Burdette Lamar]

Fixes

Thanks

  • Koichi ITO

  • Akira Matsuda

  • Burdette Lamar

  • Juho Nurminen

Commits
  • a622645 Add 3.2.5 entry
  • 3c137eb Fix a parser bug that some data may be ignored before DOCTYPE
  • 9b311e5 Fix a bug that invalid document declaration may be accepted
  • f9d88e4 Fix a bug that invalid document declaration may be generated
  • f7bab89 Fix a bug that invalid element end may be accepted
  • 6a250d2 Fix a bug that invalid element start may be accepted
  • 2fe62e2 Fix a bug that invalid notation declaration may be accepted
  • a659c63 Fix a bug that invalid notation declaration may be generated
  • 790dd11 Use ruby/setup-ruby (#66)
  • eda1b20 Clean up and enhance high-level RDoc (#65)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

  • Update frequency (including time of day and day of week)
  • Pull request limits (per update run and/or open at any time)
  • Automerge options (never/patch/minor, and dev/runtime dependencies)
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)