Created by: gracewashere
Problem:
Running bundler-audit reveals a security vulnerability in Nokogiri, which can be traced back to a libxml2 vulnerability.
$ bundle-audit
Name: nokogiri
Version: 1.6.6.2
Advisory: CVE-2015-1819
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4
Vulnerabilities found!
Solution:
Update nokogiri to ~> 1.6.6.4, as suggested.
Nokogiri is a dependency of capybara, which is a dependency of poltergeist.
We only need to specify the nokogiri version for the test bundler group, which already depends on it.
References:
https://github.com/rubysec/bundler-audit
https://github.com/sparklemotion/nokogiri/issues/1374
http://www.ubuntu.com/usn/usn-2812-1/
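
An added example, not part of the pull request: a Ruby check of a locked nokogiri version against the patched ranges from the "Solution:" line above, useful for confirming that the pin actually took effect in Gemfile.lock. It treats the two comma-separated ranges as alternatives (an assumption, since no version can satisfy both), and the helper names and sample lockfile are constructed for illustration.

```ruby
require "rubygems"

# Patched ranges copied from the "Solution:" line of the bundle-audit output.
# Assumption: the entries are alternatives. No version can satisfy both
# "~> 1.6.6.4" (>= 1.6.6.4, < 1.6.7) and ">= 1.6.7.rc4" at the same time.
PATCHED = ["~> 1.6.6.4", ">= 1.6.7.rc4"].map { |r| Gem::Requirement.new(r) }

# True when the version falls inside at least one patched range.
def patched?(version)
  v = Gem::Version.new(version)
  PATCHED.any? { |req| req.satisfied_by?(v) }
end

# Extract the resolved nokogiri version from Gemfile.lock text.
# Resolved specs are indented four spaces; the six-space lines are
# dependency constraints of other gems and must not match.
def locked_nokogiri(lockfile_text)
  m = lockfile_text.match(/^    nokogiri \(([^)]+)\)$/)
  # Drop a platform suffix such as "-x86-mingw32" if one is present.
  m && m[1].split("-").first
end

# Constructed sample lockfile (versions other than nokogiri's are made up).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      capybara (2.5.0)
        nokogiri (>= 1.3.3)
      nokogiri (1.6.6.2)
        mini_portile (~> 0.6.0)
      poltergeist (1.8.1)
        capybara (~> 2.1)
LOCK

if __FILE__ == $0
  locked = locked_nokogiri(SAMPLE_LOCK)
  puts "locked nokogiri #{locked}: #{patched?(locked) ? 'patched' : 'VULNERABLE'}"
  # Edge case: a prerelease just below the fixed rc is still unpatched.
  %w[1.6.6.4 1.6.7.rc3 1.6.7.rc4 1.6.7].each do |v|
    puts "#{v}: #{patched?(v) ? 'patched' : 'VULNERABLE'}"
  end
end
```

Pointing `locked_nokogiri` at the real `Gemfile.lock` contents after `bundle update nokogiri` shows whether the transitive dependency through capybara resolved to a fixed release.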