🚨 [security] Update nokogiri: 1.8.5 → 1.10.4 (minor)

[depfu]

---

🚨 Your version of nokogiri has known security vulnerabilities 🚨

Advisory: CVE-2019-5477
Disclosed: August 11, 2019
URL: https://github.com/sparklemotion/nokogiri/issues/1915

Nokogiri Command Injection Vulnerability

🚨 We recommend to merge and deploy this update as soon as possible! 🚨

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ nokogiri (indirect, 1.8.5 → 1.10.4) · Repo · Changelog

Release Notes

1.10.3

1.10.3 / 2019-04-22

Security Notes

[MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

1.10.2

1.10.2 / 2019-03-24

Security

• [MRI] Remove support from vendored libxml2 for future script macros. [#1871]
• [MRI] Remove support from vendored libxml2 for server-side includes within attributes. [#1877]

Bug fixes

• [JRuby] Fix node ownership in duplicated documents. [#1060]
• [JRuby] Rethrow exceptions caught by Java SAX handler. [#1847, #1872] (Thanks, @adjam!)

1.10.1

1.10.1 / 2019-01-13

Features

• [MRI] During installation, handle Xcode 10's new library pathOS. [#1801, #1851] (Thanks, @mlj and @deepj!)
• Avoid unnecessary creation of Procs in many methods. [#1776] (Thanks, @chopraanmol1!)

Bug fixes

• CSS selector :has() now correctly matches against any descendant. Previously this selector matched against only direct children). [#350] (Thanks, @Phrogz!)
• NodeSet#attr now returns nil if it's empty. Previously this raised a NoMethodError.
• [MRI] XPath errors are no longer suppressed during XSLT::Stylesheet#transform. Previously these errors were suppressed which led to silent failures and a subsequent segfault. [#1802]

1.10.0

1.10.0 / 2019-01-04

Features

• [MRI] Cross-built Windows gems now support Ruby 2.6 [#1842, #1850]

Backwards incompatibilities

This release ends support for:

• Ruby 2.2, for which official support ended on 2018-03-31 [#1841]
• JRuby 1.7, for which official support ended on 2017-11-21 [#1741]

Dependencies

• [MRI] libxml2 is updated from 2.9.8 to 2.9.9
• [MRI] libxslt is updated from 1.1.32 to 1.1.33

1.9.1

1.9.1 / 2018-12-17

Bug fixes

• Fix a bug introduced in v1.9.0 where XML::DocumentFragment#dup no longer returned an instance of the callee's class, instead always returning an XML::DocumentFragment. This notably broke any subclass of XML::DocumentFragment including HTML::DocumentFragment as well as the Loofah gem's Loofah::HTML::DocumentFragment. [#1846]

1.9.0

1.9.0 / 2018-12-17

Security Notes

• [JRuby] Upgrade Xerces dependency from 2.11.0 to 2.12.0 to address upstream vulnerability CVE-2012-0881 [#1831] (Thanks @grajagandev for reporting.)

Notable non-functional changes

• Decrease installation size by removing many unneeded files (e.g., /test) from the packaged gems. [#1719] (Thanks, @stevecrozz!)

Features

• XML::Attr#value= allows HTML node attribute values to be set to either a blank string or an empty boolean attribute. [#1800]
• Introduce XML::Node#wrap which does what XML::NodeSet#wrap has always done, but for a single node. [#1531] (Thanks, @ethirajsrinivasan!)
• [MRI] Improve installation experience on macOS High Sierra (Darwin). [#1812, #1813] (Thanks, @gpakosz and @nurse!)
• [MRI] Node#dup supports copying a node directly to a new document. See the method documentation for details.
• [MRI] DocumentFragment#dup is now more memory-efficient, avoiding making unnecessary copies. [#1063]
• [JRuby] NodeSet has been rewritten to improve performance! [#1795]

Bug fixes

• NodeSet#each now returns self instead of zero. [#1822] (Thanks, @olehif!)
• [MRI] Address a memory leak when using XML::Builder to create nodes with namespaces. [#1810]
• [MRI] Address a memory leak when unparenting a DTD. [#1784] (Thanks, @stevecheckoway!)
• [MRI] Use RbConfig::CONFIG instead of ::MAKEFILE_CONFIG to fix installations that use Makefile macros. [#1820] (Thanks, @nobu!)
• [JRuby] Decrease large memory usage when making nested XPath queries. [#1749]
• [JRuby] Fix failing tests on JRuby 9.2.x
• [JRuby] Fix default namespaces in nodes reparented into a different document [#1774]
• [JRuby] Fix support for Java 9. [#1759] (Thanks, @Taywee!)

Dependencies

• [MRI] Upgrade mini_portile2 dependency from ~> 2.3.0 to ~> 2.4.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.3.0 → 2.4.0) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 10 commits:

• version bump to v2.4.0
• update CHANGELOG in preparation for v2.4.0
• update dev dependencies
• Merge pull request #86 from eagletmt/skip-progress-when-chunked
• Merge pull request #87 from halfbyte/patch-1
• Make version in changelog fit release version.
• Skip progress report when Content-Length is unavailable
• update test:examples to libiconv 1.15
• concourse: test most-recent two rubies
• convert to using windows-ruby-dev-tools-release

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #591.