Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump nokogiri from 1.10.7 to 1.11.7 #8

Closed
wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github Jun 11, 2021

Bumps nokogiri from 1.10.7 to 1.11.7.

Release notes

Sourced from nokogiri's releases.

1.11.7 / 2021-06-02

  • [CRuby] Backporting an upstream fix to XPath recursion depth limits which impacted some users of complex XPath queries. This issue is present in libxml 2.9.11 and 2.9.12. [#2257]

Checksums

SHA256:

4976a9c9e796527d51dc6c311b9bd93a0233f6a7962a0f569aa5c782461836ef  nokogiri-1.11.7.gem
9d69f57f6c024d86e358a8aef7a273f574721e48a6b2e1426cca007827325413  nokogiri-1.11.7-java.gem
6017dee25feb80292b04554cc1bf8a0a2ede3b6c3daeac811902157bbc6a3bdc  nokogiri-1.11.7-x64-mingw32.gem
38892350c1e695eab9bd77483300d681c32a22714d0e2d04d10a4c343b424bdd  nokogiri-1.11.7-x86-mingw32.gem
1d15603cd878fa2b710a3ba3028a99d9dd0c14b75711faebf9fb6ff40bac3880  nokogiri-1.11.7-x86-linux.gem
7ad9741e7a2fee1ffb4a4b2e20b00e87992c9efd969f557ca3b83fb2653b9bfc  nokogiri-1.11.7-x86_64-linux.gem
c93d66d9413ea7c37d30f95e2c54606fec638e556d454e08124d9a33b7fa82c8  nokogiri-1.11.7-arm64-darwin.gem
8761d9c7baacb26546869ed56dbc78d3eb3cabf49b85d91b1cd827cd6e94fb25  nokogiri-1.11.7-x86_64-darwin.gem

1.11.6 / 2021-05-26

Fixed

  • [CRuby] DocumentFragment#path now does proper error-checking to handle behavior introduced in libxml > 2.9.10. In v1.11.4 and v1.11.5, calling DocumentFragment#path could result in a segfault.

1.11.5 / 2021-05-19

Fixed

[Windows CRuby] Work around segfault at process exit on Windows when using libxml2 system DLLs.

libxml 2.9.12 introduced new behavior to avoid memory leaks when unloading libxml2 shared libraries (see libxml/!66). Early testing caught this segfault on non-Windows platforms (see #2059 and libxml@956534e) but it was incompletely fixed and is still an issue on Windows platforms that are using system DLLs.

We work around this by configuring libxml2 in this situation to use its default memory management functions. Note that if Nokogiri is not on Windows, or is not using shared system libraries, it will will continue to configure libxml2 to use Ruby's memory management functions. Nokogiri::VERSION_INFO["libxml"]["memory_management"] will allow you to verify when the default memory management functions are being used. [#2241]

Added

Nokogiri::VERSION_INFO["libxml"] now contains the key "memory_management" to declare whether libxml2 is using its default memory management functions, or whether it uses the memory management functions from ruby. See above for more details.

1.11.4 / 2021-05-14

Security

[CRuby] Vendored libxml2 upgraded to v2.9.12 which addresses:

... (truncated)

Changelog

Sourced from nokogiri's changelog.

1.11.7 / 2021-06-02

  • [CRuby] Backporting an upstream fix to XPath recursion depth limits which impacted some users of complex XPath queries. This issue is present in libxml 2.9.11 and 2.9.12. [#2257]

1.11.6 / 2021-05-26

Fixed

  • [CRuby] DocumentFragment#path now does proper error-checking to handle behavior introduced in libxml > 2.9.10. In v1.11.4 and v1.11.5, calling DocumentFragment#path could result in a segfault.

1.11.5 / 2021-05-19

Fixed

[Windows CRuby] Work around segfault at process exit on Windows when using libxml2 system DLLs.

libxml 2.9.12 introduced new behavior to avoid memory leaks when unloading libxml2 shared libraries (see libxml/!66). Early testing caught this segfault on non-Windows platforms (see #2059 and libxml@956534e) but it was incompletely fixed and is still an issue on Windows platforms that are using system DLLs.

We work around this by configuring libxml2 in this situation to use its default memory management functions. Note that if Nokogiri is not on Windows, or is not using shared system libraries, it will will continue to configure libxml2 to use Ruby's memory management functions. Nokogiri::VERSION_INFO["libxml"]["memory_management"] will allow you to verify when the default memory management functions are being used. [#2241]

Added

Nokogiri::VERSION_INFO["libxml"] now contains the key "memory_management" to declare whether libxml2 is using its default memory management functions, or whether it uses the memory management functions from ruby. See above for more details.

1.11.4 / 2021-05-14

Security

[CRuby] Vendored libxml2 upgraded to v2.9.12 which addresses:

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please see nokogiri/GHSA-7rrm-v45f-jp64 or #2233 for a more complete analysis of these CVEs and patches.

Dependencies

  • [CRuby] vendored libxml2 is updated from 2.9.10 to 2.9.12. (Note that 2.9.11 was skipped because it was superseded by 2.9.12 a few hours after its release.)

... (truncated)

Commits
  • 0a6681e version bump to v1.11.7
  • de0844c test: add coverage for xpath recursion depth fix
  • ed38fea Merge pull request #2258 from sparklemotion/2257-libxml2-xpath-recursion-limi...
  • 1f6c661 fix: upstream libxml2 bug in calculating xpath query recursion depth
  • a48c305 version bump to v1.11.6
  • d7b58c3 Merge pull request #2252 from sparklemotion/2250-doc-frag-path-v1_11_x
  • a1b0e6b update CHANGELOG
  • d0f14d1 fix: DocumentFragment#path checks for error case in libxml 2.9.11+
  • e43f521 version bump to v1.11.5
  • 42354e4 Merge pull request #2243 from sparklemotion/flavorjones-v1_11_x-update-tests-...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.10.7 to 1.11.7.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.10.7...v1.11.7)

---
updated-dependencies:
- dependency-name: nokogiri
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jun 11, 2021
@dependabot @github
Copy link
Author

dependabot bot commented on behalf of github Sep 28, 2021

Superseded by #10.

@dependabot dependabot bot closed this Sep 28, 2021
@dependabot dependabot bot deleted the dependabot/bundler/nokogiri-1.11.7 branch September 28, 2021 00:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants