Bump Nokogiri

[luisramos0]

What? Why?

I think I just fixed our only critical severity security issue 🎉
https://github.com/openfoodfoundation/openfoodnetwork/network/alert/Gemfile.lock/nokogiri/closed

We can remove deface from spree_core now that we dont use spree_backend and spree_i18n and better_spree_paypal dont use deface. This is done in openfoodfoundation/spree#42 for current spree 2-0-4 and in openfoodfoundation/spree#42 for the next spree 2-1-0.

After removing deface from spree we can just remove nokogiri from our concerns and let it upgrade through the other gems that depend on it 🎉

The paperclip requirement in spree_core changed but our version 3.4.2 is good for it, no paper_clip upgrade in this PR.

What should we test?

Maybe a sanity check? I think this is a fundamental piece of software so we would see problem in the build if there were any.

Release notes

Changelog Category: Fixed
Fixed long standing critical security issue in OFN related to a dependency with security problems 🎉

[luisramos0]

This can only go after the spree PRs are merged.

[luisramos0]

ready for review.

[luisramos0]

if you have reviewed this PR you can probably quickly review this one #5194 that updates the spree revision on the 3-0-stable version.

[sauloperez]

This is very good news! 💪

We should watch out with Paperclip upgrades. Upgrading it in the past proved to be tricky because it had backward-incompatible changes. I'd double-check their release notes.

[luisramos0]

It's just my mistake!!! the require in spree_core changed but our version remains the same 🙈
No paper_clip change here.

[filipefurtad0]

Hi @luisramos0,

I performed a basic sanity check:

• Creating hub/customer
• Setting a product/OC/payment and delivery method
• Making a cash-purchase
• Getting all the right emails during the process.

All good - moving to ready to go.