Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump nokogiri from 1.10.9 to 1.11.4 #3581

Merged
merged 4 commits into from
Aug 17, 2021
Merged

Bump nokogiri from 1.10.9 to 1.11.4 #3581

merged 4 commits into from
Aug 17, 2021

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 19, 2021

Bumps nokogiri from 1.10.9 to 1.11.4.

Release notes

Sourced from nokogiri's releases.

1.11.4 / 2021-05-14

Security

[CRuby] Vendored libxml2 upgraded to v2.9.12 which addresses:

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please see nokogiri/GHSA-7rrm-v45f-jp64 or #2233 for a more complete analysis of these CVEs and patches.

Dependencies

  • [CRuby] vendored libxml2 is updated from 2.9.10 to 2.9.12. (Note that 2.9.11 was skipped because it was superseded by 2.9.12 a few hours after its release.)

1.11.3 / 2021-04-07

Fixed

  • [CRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this likely segfaulted. [#1900]
  • [JRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this raised a TypeError exception.
  • [CRuby] arm64/aarch64 systems (like Apple's M1) can now compile libxml2 and libxslt from source (though we continue to strongly advise users to install the native gems for the best possible experience)

1.11.2 / 2021-03-11

Fixed

  • [CRuby] NodeSet may now safely contain Node objects from multiple documents. Previously the GC lifecycle of the parent Document objects could lead to nodes being GCed while still in scope. [#1952]
  • [CRuby] Patch libxml2 to avoid "huge input lookup" errors on large CDATA elements. (See upstream GNOME/libxml2#200 and GNOME/libxml2!100.) [#2132].
  • [CRuby+Windows] Enable Nokogumbo (and other downstream gems) to compile and link against nokogiri.so by including LDFLAGS in Nokogiri::VERSION_INFO. [#2167]
  • [CRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was invoked twice on each object.
  • [JRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was not called, which was a problem for subclassing such as done by Loofah.

Improved

  • Reduce the number of object allocations needed when parsing an HTML::DocumentFragment. [#2087] (Thanks, @​ashmaroli!)
  • [JRuby] Update the algorithm used to calculate Node#line to be wrong less-often. The underlying parser, Xerces, does not track line numbers, and so we've always used a hacky solution for this method. [#1223, #2177]
  • Introduce --enable-system-libraries and --disable-system-libraries flags to extconf.rb. These flags provide the same functionality as --use-system-libraries and the NOKOGIRI_USE_SYSTEM_LIBRARIES environment variable, but are more idiomatic. [#2193] (Thanks, @​eregon!)
  • [TruffleRuby] --disable-static is now the default on TruffleRuby when the packaged libraries are used. This is more flexible and compiles faster. (Note, though, that the default on TR is still to use system libraries.) [#2191, #2193] (Thanks, @​eregon!)

... (truncated)

Changelog

Sourced from nokogiri's changelog.

1.11.4 / 2021-05-14

Security

[CRuby] Vendored libxml2 upgraded to v2.9.12 which addresses:

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please see nokogiri/GHSA-7rrm-v45f-jp64 or #2233 for a more complete analysis of these CVEs and patches.

Dependencies

  • [CRuby] vendored libxml2 is updated from 2.9.10 to 2.9.12. (Note that 2.9.11 was skipped because it was superseded by 2.9.12 a few hours after its release.)

1.11.3 / 2021-04-07

Fixed

  • [CRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this likely segfaulted. [#1900]
  • [JRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this raised a TypeError exception.
  • [CRuby] arm64/aarch64 systems (like Apple's M1) can now compile libxml2 and libxslt from source (though we continue to strongly advise users to install the native gems for the best possible experience)

1.11.2 / 2021-03-11

Fixed

  • [CRuby] NodeSet may now safely contain Node objects from multiple documents. Previously the GC lifecycle of the parent Document objects could lead to nodes being GCed while still in scope. [#1952]
  • [CRuby] Patch libxml2 to avoid "huge input lookup" errors on large CDATA elements. (See upstream GNOME/libxml2#200 and GNOME/libxml2!100.) [#2132].
  • [CRuby+Windows] Enable Nokogumbo (and other downstream gems) to compile and link against nokogiri.so by including LDFLAGS in Nokogiri::VERSION_INFO. [#2167]
  • [CRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was invoked twice on each object.
  • [JRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was not called, which was a problem for subclassing such as done by Loofah.

Improved

  • Reduce the number of object allocations needed when parsing an HTML::DocumentFragment. [#2087] (Thanks, @​ashmaroli!)
  • [JRuby] Update the algorithm used to calculate Node#line to be wrong less-often. The underlying parser, Xerces, does not track line numbers, and so we've always used a hacky solution for this method. [#1223, #2177]
  • Introduce --enable-system-libraries and --disable-system-libraries flags to extconf.rb. These flags provide the same functionality as --use-system-libraries and the NOKOGIRI_USE_SYSTEM_LIBRARIES environment variable, but are more idiomatic. [#2193] (Thanks, @​eregon!)
  • [TruffleRuby] --disable-static is now the default on TruffleRuby when the packaged libraries are used. This is more flexible and compiles faster. (Note, though, that the default on TR is still to use system libraries.) [#2191, #2193] (Thanks, @​eregon!)

... (truncated)

Commits
  • 9d69b44 version bump to v1.11.4
  • 058e87f update CHANGELOG with complete CVE information
  • 9285251 Merge pull request #2234 from sparklemotion/2233-upgrade-to-libxml-2-9-12
  • 5436f61 update CHANGELOG
  • 761d320 patch: renumber libxml2 patches
  • 889ee2a test: update behavior of namespaces in HTML
  • 9751d85 test: remove low-value HTML::SAX::PushParser encoding test
  • 9fcb7d2 test: adjust xpath gc test to libxml2's max recursion depth
  • 1c99019 patch: backport libxslt configure.ac change for libxml2 config
  • 82a253f patch: fix isnan/isinf patch to apply cleanly to libxml 2.9.12
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label May 19, 2021
@alita-moore
Copy link
Contributor

Hi! I'm a bot, and I wanted to automerge your PR, but couldn't because of the following issue(s):

 - Filename Gemfile.lock is not in EIP format 'EIPS/eip-####.md'

lightclient
lightclient approved these changes May 19, 2021
View reviewed changes
Copy link
Member

@lightclient lightclient left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me, I think we merge and make sure the EIPs site builds -- rewinding if not?

@lightclient
Copy link
Member

@aliatiia seems like the eip-bot is incorrectly failing on this.

@alita-moore
Copy link
Contributor

no, it will only pass on eip files so in this case it needs to be merged manually I suppose. I can build in certain exception though, if that'd be useful

@MicahZoltu
Copy link
Contributor

I don't think we should automatically merge things like this. I do want a way to make it so PRs like this can be merged without needing to use admin override, without being auto-merged.

@MicahZoltu
Copy link
Contributor

Maybe we do auto-merge after an editor does a PR approval review?

@alita-moore
Copy link
Contributor

I have enabled the auto-merge feature so that may work but honestly github is such a pita, lol. Regardless, if there's just a way to give merge authority to commits with passing checks would be great

@lightclient lightclient enabled auto-merge (squash) June 18, 2021 18:41
auto-merge was automatically disabled June 18, 2021 18:41

Pull request was closed

@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Jun 18, 2021

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@lightclient lightclient reopened this Jun 18, 2021
@eth-bot eth-bot enabled auto-merge (squash) June 18, 2021 18:42
@lightclient lightclient mentioned this pull request Jun 18, 2021
Closed
@github-actions
Copy link

There has been no activity on this pull request for two months. It will be closed in a week if no further activity occurs. If you would like to move this EIP forward, please respond to any outstanding feedback or add a comment indicating that you have addressed all required feedback and are ready for a review.

@github-actions github-actions bot added the stale label Aug 17, 2021
@MicahZoltu MicahZoltu disabled auto-merge August 17, 2021 23:02
@MicahZoltu MicahZoltu merged commit 0205ff8 into master Aug 17, 2021
@MicahZoltu MicahZoltu deleted the dependabot/bundler/nokogiri-1.11.4 branch August 17, 2021 23:02
@eth-bot eth-bot added ambiguous and removed dependencies Pull requests that update a dependency file stale labels Dec 29, 2021
@eth-bot
Copy link
Collaborator

eth-bot commented Dec 29, 2021

All tests passed; auto-merging...

(pass) Gemfile.lock

classification
ambiguous
  • file Gemfile.lock is not a valid filename, but this error has been ignored due to editor approvals

1 similar comment
@eth-bot
Copy link
Collaborator

eth-bot commented Dec 29, 2021

All tests passed; auto-merging...

(pass) Gemfile.lock

classification
ambiguous
  • file Gemfile.lock is not a valid filename, but this error has been ignored due to editor approvals

PhABC pushed a commit to PhABC/EIPs that referenced this pull request Jan 25, 2022
@dependabot @lightclient
@alita-moore @PhABC
Bump nokogiri from 1.10.9 to 1.11.4 (ethereum#3581)
41b33fa 
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.10.9 to 1.11.4.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.10.9...v1.11.4)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: lightclient <14004106+lightclient@users.noreply.github.com>
Co-authored-by: Alita Moore <alita.moore805@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lightclient lightclient lightclient approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@alita-moore @lightclient @MicahZoltu @eth-bot