Force update gem nokogiri to '1.11.0.rc4' #1532
Merged
This counters CVE-2020-26247,
"XML::Schema input is now 'untrusted' by default".
For more information, see:
GHSA-vr8q-g5c7-m54m
This is debatable. We are almost certainly not vulnerable, because we
never use Nokogiri's XML Schema system. In addition, this recommended
fix uses a release candidate version of a library, instead of a final
release, and we generally avoid doing that. However, it's hard to be
certain that there's no exploit, and this release candidate
appears to be very solid for our purposes. I think there
are good arguments to use this nokogiri release candidate, and that there
are also good reasons not to use it. Sadly I must make some decision;
no decision is a decision. I've made a judgement call to
use the release candidate version with the security update.
I think the risk is smallest if we upgrade now for this specific case.
Signed-off-by: David A. Wheeler dwheeler@dwheeler.com
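The commit message's tension is that the fixed version is a release candidate, and prerelease versions are exactly where naive version checks go wrong. The following is an added example, not code from this pull request or from the project: a small Ruby check that reads a Gemfile.lock (a constructed sample is embedded) and decides whether the locked nokogiri is at or above the fixed version using Gem::Version, which orders 1.11.0.rc4 below 1.11.0 but above 1.10.10. The constant name and the lock-parsing helper are assumptions of this example.

```ruby
# Added example (not part of the pull request): check a Gemfile.lock for the
# nokogiri version and decide whether it carries the CVE-2020-26247 fix.
# Gem::Version orders prereleases correctly: 1.11.0.rc4 sorts below 1.11.0
# but above 1.10.10, which a plain string comparison would get wrong.
require "rubygems"

# Hypothetical threshold constant; the version itself is the one the PR title
# moves to.
FIXED_NOKOGIRI = Gem::Version.new("1.11.0.rc4")

# Return the locked version of gem_name from Gemfile.lock text, or nil.
# Spec lines look like "    nokogiri (1.10.10)"; dependency lines such as
# "(~> 2.4.0)" or "(>= 1.10)" contain a space inside the parentheses and
# are deliberately not matched.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    if (m = line.match(/^\s+#{Regexp.escape(gem_name)} \(([^)\s]+)\)/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# True only when nokogiri is locked and its version is >= the fixed one.
def nokogiri_fixed?(lockfile_text)
  v = locked_version(lockfile_text, "nokogiri")
  !v.nil? && v >= FIXED_NOKOGIRI
end

# Constructed sample lockfile fragments (not from the project's real lock).
OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.4.0)
      nokogiri (1.10.10)
        mini_portile2 (~> 2.4.0)
LOCK

NEW_LOCK = OLD_LOCK.sub("nokogiri (1.10.10)", "nokogiri (1.11.0.rc4)")

if __FILE__ == $PROGRAM_NAME
  [["old", OLD_LOCK], ["new", NEW_LOCK]].each do |label, lock|
    puts "#{label}: nokogiri #{locked_version(lock, 'nokogiri')} fixed=#{nokogiri_fixed?(lock)}"
  end
end
```
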