Fix patched version for nokogiri (GHSA-2qc6-mcvw-92cw)

[GUI]

GHSA-2qc6-mcvw-92cw is reported to be fixed by 1.13.9+, not 1.13.19.

[alder-a]

Please merge this, as it is breaking our audit step in our build

[aldent95]

Can this please be merged soon? I'm sure we are not the only ones having issues with their CI/CD yelling at them about failing bundle audits because of this issue.

[GSmes]

Merge, please! 🙏🏻 Let this be a lesson in why you don't release shit immediately before signing off for the day 🤣

[carlwiedemann]

cc @reedloden @postmodern This is blocking CI for lots of people, it should be a trivial review/merge.

[JuanitoFatas]

Fyi: We could ignore this CVE to unblock CI until this gets merged

bundle-audit check --ignore GHSA-2qc6-mcvw-92cw

[aldent95]

Fyi: We could ignore this CVE to unblock CI until this gets merged

bundle-audit check --ignore GHSA-2qc6-mcvw-92cw

We have tried that. Not sure if it's an issue with our build system but it's not working.

[rsanheim]

Fyi: We could ignore this CVE to unblock CI until this gets merged

This worked for us on circleci FWIW:

bundle exec bundle-audit update && bundle exec bundle-audit check --ignore GHSA-2qc6-mcvw-92cw

[royalpeasantry]

Fyi: We could ignore this CVE to unblock CI until this gets merged

bundle-audit check --ignore GHSA-2qc6-mcvw-92cw

We have tried that. Not sure if it's an issue with our build system but it's not working.

It also did not work for me until I updated the bundler-audit gem

bin/bundle update bundler-audit
...
Fetching bundler-audit 0.9.1 (was 0.6.1)
Installing bundler-audit 0.9.1 (was 0.6.1)
...

[reedloden]

Apologies to all for my typo! Sorry to any extra work this may have caused folks.

[flavorjones]

@reedloden Would it be helpful in the future if I shipped a PR here for the inevitable next nokogiri/libxml2 GHSA? Happy to do it, I've got a release checklist.

[radar]

@reedloden It's okay :) We all make mistakes. Thank you for your diligence on maintaining this repo.

[reedloden]

@reedloden Would it be helpful in the future if I shipped a PR here for the inevitable next nokogiri/libxml2 GHSA? Happy to do it, I've got a release checklist.

Yes, please. That would be amazing!

[postmodern]

I bet we could add additional linter tests to check that every >= or ~> version actually exists on rubygems.org.