🚨 [security] Update nokogiri 1.14.3 → 1.16.3 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ nokogiri (1.14.3 → 1.16.3) · Repo · Changelog

Security Advisories 🚨

🚨 Improper Handling of Unexpected Data Type in Nokogiri

Summary

Nokogiri v1.16.2 upgrades the version of its dependency libxml2 to v2.12.5.

libxml2 v2.12.5 addresses the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.16.2, and only if the packaged libraries are being used. If
you've overridden defaults at installation time to use system libraries
instead of packaged libraries, you should instead pay attention to your
distro's libxml2 release announcements.

Severity

The Nokogiri maintainers have evaluated this as Moderate.

Mitigation

Upgrade to Nokogiri >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated
mitigation: compile and link Nokogiri against external libraries libxml2 >=
2.12.5 which will also address these same issues.

JRuby users are not affected.

Workarounds

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.8.2 → 2.8.5) · Repo · Changelog

Release Notes

2.8.5

2.8.5 / 2023-10-22

Added

• New methods #lib_path and #include_path which point at the installed directories under ports. (by @flavorjones)
• Add config param for CMAKE_BUILD_TYPE, which now defaults to Release. (#136 by @Watson1978)

Experimental

Introduce experimental support for MiniPortile#mkmf_config which sets up MakeMakefile variables to properly link against the recipe. This should make it easier for C extensions to package third-party libraries. (by @flavorjones)

• With no arguments, will set up just $INCFLAGS, $libs, and $LIBPATH.
• Optionally, if provided a pkg-config file, will use that config to more precisely set $INCFLAGS, $libs, $LIBPATH, and $CFLAGS/$CXXFLAGS.
• Optionally, if provided the name of a static archive, will rewrite linker flags to ensure correct linkage.

Note that the behavior may change slightly before official support is announced. Please comment on #118 if you have feedback.

2.8.4

2.8.4 / 2023-07-18

• cmake: set CMAKE compile flags to configure cross-compilation similarly to autotools --host flag: SYSTEM_NAME, SYSTEM_PROCESSOR, C_COMPILER, and CXX_COMPILER. [#130] (Thanks, @stanhu!)

2.8.3

2.8.3 / 2023-07-18

Fixed

• cmake: only use MSYS/NMake generators when available. [#129] (Thanks, @stanhu!)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 33 commits:

• version bump to 2.8.5
• doc: update README with cmake_build_type documentation
• Merge pull request #137 from flavorjones/flavorjones-update-gemspec
• dev: gemspec has better desc and uses require_relative
• Merge pull request #136 from Watson1978/release-build
• Add config param for CMAKE_BUILD_TYPE
• Create release binary with cmake explicitly
• Merge pull request #135 from amatsuda/warning
• warning: method redefined; discarding old source_directory=
• version bump to v2.8.5.rc2
• Merge pull request #134 from flavorjones/flavorjones-improve-mkmf-config-20230917
• introduce the "static" parameter to mkmf_config
• extract `lib_path` and `include_path` methods
• version bump to v2.8.5.rc1
• Merge pull request #133 from flavorjones/flavorjones-more-precise-pkg-config
• feat: more precise implementation of mkmf_config for pkg-config
• version bump to v2.9.0.rc1
• Merge pull request #131 from flavorjones/118-fedora-pkgconf
• feat: introduce MiniPortile.mkmf_config
• test: add an example that uses MakeMakefile.pkg_config
• ci: add a fedora job to the test suite
• test: backfill coverage for MiniPortile#activate
• Merge pull request #132 from flavorjones/flavorjones-uninitialized-ivar-warnings
• fix: avoid uninitialized ivar warnings
• version bump to v2.8.4
• Merge pull request #130 from stanhu/sh-cmake-cross-compile-vars
• version bump to v2.8.3
• Remap x64 processor type to x86_64
• [cmake] Automatically add required cross-compilation variables
• Merge pull request #129 from stanhu/sh-cmake-msys
• Update CHANGELOG.md
• Add CHANGELOG.md for CMake fix
• cmake: only use MSYS/NMake generators when available

↗️ racc (indirect, 1.6.2 → 1.7.3) · Repo · Changelog

Release Notes

1.7.3

What's Changed

• Exclude CRuby extension from JRuby gem by @nobu in #244
• Fix for dummy rake/extensiontask.rb at ruby test-bundled-gems by @nobu in #245
• Fix jar file path by @nobu in #246
• Bump by @nobu in #247
• Add srcs target to prepare to build by @nobu in #248
• Make CI runnable for any push by @yui-knk in #249
• Check rake build on CI by @yui-knk in #250
• Bump up v1.7.3.pre.1 by @yui-knk in #251
• Fix locations of expect param in docs by @yui-knk in #252
• 'lib/racc/parser-text.rb' depends on 'lib/racc/info.rb' by @yui-knk in #253
• Bump up v1.7.3 by @yui-knk in #254

Full Changelog: v1.7.2...v1.7.3

1.7.2

What's Changed

• Update parser.rb, fixed typo by @jwillemsen in #224
• Remove leading newline from on_error exception messages. by @zenspider in #226
• Add --frozen to add frozen_string_literals to top of generated files. by @zenspider in #225
• Update development dependency to avoid ruby 2.5 failures by @flavorjones in #228
• dep: pin development dependencies, and enable dependabot for gems by @flavorjones in #229
• Clean embedded pragmas by @nobu in #230
• Embed grammar file name into generated file by @yui-knk in #231
• Bump actions/checkout from 3 to 4 by @dependabot in #232
• Fix a typo by @yui-knk in #234
• Add "Release flow" to README.rdoc by @yui-knk in #235
• Prepare 1.7.2 by @nobu in #236
• Remove install guide by setup.rb by @yui-knk in #237
• Fix tiny typos by @makenowjust in #238
• Remove old checks by @nobu in #240
• Remove MANIFEST which was used by ancient extmk.rb by @nobu in #242
• Extract Racc::VERSION from racc/info.rb at extconf.rb by @nobu in #241
• Use prototype declarations by @nobu in #243
• Bump up v1.7.2 by @yui-knk in #239

New Contributors

• @makenowjust made their first contribution in #238

Full Changelog: v1.7.1...v1.7.2

1.7.1

What's Changed

• Use released version of test-unit-ruby-core by @hsbt in #220
• Fix place to specify rake-compiler version by @nobu in #223
• Embedded path by @nobu in #221

Full Changelog: v1.7.0...v1.7.1

1.7.0

What's Changed

• Update racc.ja document by @hsbt in #207
• Make racc Ractor compatible by @pocke in #167
• Get rid of anonymous eval calls by @casperisfine in #208
• Adds Ruby 3.2 to the CI matrix. by @petergoldstein in #209
• Improve actions by @hsbt in #211
• Exclude jruby-head on macOS by @flavorjones in #214
• Add a newline at EOF [ci skip] by @nobu in #215
• [DOC] Strip trailing spaces by @nobu in #216
• Add tests for sample dir and tweak samples by @hkdnet in #217
• Remove ErrorSymbolValue reference by @jeremyevans in #213
• Embed racc/info.rb too by @nobu in #218

New Contributors

• @petergoldstein made their first contribution in #209
• @hkdnet made their first contribution in #217
• @jeremyevans made their first contribution in #213

Full Changelog: v1.6.2...v1.7.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #524.