Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bump the bundler group across 3 directories with 5 updates #95

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github May 14, 2024

Bumps the bundler group with 3 updates in the /humans-in-the-loop-files/scribe-hitl/loop_1 directory: puma, loofah and omniauth.
Bumps the bundler group with 3 updates in the /humans-in-the-loop-files/scribe-hitl/loop_2 directory: puma, loofah and omniauth.
Bumps the bundler group with 3 updates in the /humans-in-the-loop-files/scribe-hitl/loop_3 directory: puma, loofah and omniauth.

Updates puma from 3.12.6 to 5.6.8

Release notes

Sourced from puma's releases.

5.6.7

Security Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields (GHSA-68xg-gqqm-vgj8)

5.6.5 / 2022-08-23

  • Bugfixes
    • NullIO#closed should return false (#2883)
    • Puma::ControlCLI - allow refork command to be sent as a request (#2868, #2866)
    • [jruby] Fix TLS verification hang (#2890, #2729)
    • extconf.rb - don't use pkg_config('openssl') if '--with-openssl-dir' is used (#2885, #2839)
    • MiniSSL - detect SSL_CTX_set_dh_auto (#2864, #2863)
    • Fix rack.after_reply exceptions breaking connections (#2861, #2856)
    • Escape SSL cert and filenames (#2855)
    • Fail hard if SSL certs or keys are invalid (#2848)
    • Fail hard if SSL certs or keys cannot be read by user (#2847)
    • Fix build with Opaque DH in LibreSSL 3.5. (#2838)
    • Pre-existing socket file removed when TERM is issued after USR2 (if puma is running in cluster mode) (#2817)
    • Fix Puma::StateFile#load incompatibility (#2810)

5.6.4

  • Security

The 5.6.3 release was a mistake (released the wrong branch), 5.6.4 is correct.

5.6.2 / 2022-02-11

5.6.1

Bugfixes

  • Reverted a commit which appeared to be causing occasional blank header values (see issue #2808) (#2809)

Full Changelog: puma/puma@v5.6.0...v5.6.1

5.6.0 - Birdie's Version

Maintainer @​nateberkopec had a daughter, nicknamed Birdie:

slack-imgs

5.6.0 / 2022-01-25

  • Features
    • Support localhost integration in ssl_bind (#2764, #2708)
    • Allow backlog parameter to be set with ssl_bind DSL (#2780)
    • Remove yaml (psych) requirement in StateFile (#2784)
    • Allow culling of oldest workers, previously was only youngest (#2773, #2794)
    • Add worker_check_interval configuration option (#2759)

... (truncated)

Changelog

Sourced from puma's changelog.

5.6.8 / 2024-01-08

  • Security
    • Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. (GHSA-c2f4-cvqm-65w2)

5.6.7 / 2023-08-18

  • Security
    • Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields (GHSA-68xg-gqqm-vgj8)

5.6.6 / 2023-06-21

  • Bugfix
    • Prevent loading with rack 3 (#3166)

5.6.5 / 2022-08-23

  • Feature

    • Puma::ControlCLI - allow refork command to be sent as a request (#2868, #2866)
  • Bugfixes

    • NullIO#closed should return false (#2883)
    • [jruby] Fix TLS verification hang (#2890, #2729)
    • extconf.rb - don't use pkg_config('openssl') if '--with-openssl-dir' is used (#2885, #2839)
    • MiniSSL - detect SSL_CTX_set_dh_auto (#2864, #2863)
    • Fix rack.after_reply exceptions breaking connections (#2861, #2856)
    • Escape SSL cert and filenames (#2855)
    • Fail hard if SSL certs or keys are invalid (#2848)
    • Fail hard if SSL certs or keys cannot be read by user (#2847)
    • Fix build with Opaque DH in LibreSSL 3.5. (#2838)
    • Pre-existing socket file removed when TERM is issued after USR2 (if puma is running in cluster mode) (#2817)
    • Fix Puma::StateFile#load incompatibility (#2810)

5.6.4 / 2022-03-30

  • Security

5.6.2 / 2022-02-11

5.6.1 / 2022-01-26

  • Bugfixes
    • Reverted a commit which appeared to be causing occasional blank header values (#2809)

5.6.0 / 2022-01-25

... (truncated)

Commits

Updates loofah from 2.8.0 to 2.22.0

Release notes

Sourced from loofah's releases.

2.22.0 / 2023-11-13

Added

2.21.4 / 2023-10-10

Fixed

  • Loofah::HTML5::Scrub.scrub_css is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, .scrub_css no longer inserts whitespace between tokens that did not already have whitespace between them. [#273, fixes #271]

2.21.3 / 2023-05-15

2.21.2 / 2023-05-11

Dependencies

  • Update the dependency on Nokogiri to be >= 1.12.0. The dependency in 2.21.0 and 2.21.1 was left at >= 1.5.9 but versions before 1.12 would result in a NameError exception. [#266]

2.21.1 / 2023-05-10

Fixed

  • Don't define HTML5::Document and HTML5::DocumentFragment when Nokogiri is < 1.14. In 2.21.0 these classes were defined whenever Nokogiri::HTML5 was defined, but Nokogiri v1.12 and v1.13 do not support Loofah subclassing properly.

2.21.0 / 2023-05-10

HTML5 Support

Classes Loofah::HTML5::Document and Loofah::HTML5::DocumentFragment are introduced, along with helper methods:

  • Loofah.html5_document
  • Loofah.html5_fragment
  • Loofah.scrub_html5_document
  • Loofah.scrub_html5_fragment

These classes and methods use Nokogiri's HTML5 parser to ensure modern web standards are used.

⚠ HTML5 functionality is only available with Nokogiri v1.14.0 and higher.

... (truncated)

Changelog

Sourced from loofah's changelog.

2.22.0 / 2023-11-13

Added

2.21.4 / 2023-10-10

Fixed

  • Loofah::HTML5::Scrub.scrub_css is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, .scrub_css no longer inserts whitespace between tokens that did not already have whitespace between them. [#273, fixes #271]

2.21.3 / 2023-05-15

Fixed

2.21.2 / 2023-05-11

Dependencies

  • Update the dependency on Nokogiri to be >= 1.12.0. The dependency in 2.21.0 and 2.21.1 was left at >= 1.5.9 but versions before 1.12 would result in a NameError exception. [#266]

2.21.1 / 2023-05-10

Fixed

  • Don't define HTML5::Document and HTML5::DocumentFragment when Nokogiri is < 1.14. In 2.21.0 these classes were defined whenever Nokogiri::HTML5 was defined, but Nokogiri v1.12 and v1.13 do not support Loofah subclassing properly.

2.21.0 / 2023-05-10

HTML5 Support

Classes Loofah::HTML5::Document and Loofah::HTML5::DocumentFragment are introduced, along with helper methods:

  • Loofah.html5_document
  • Loofah.html5_fragment
  • Loofah.scrub_html5_document
  • Loofah.scrub_html5_fragment

These classes and methods use Nokogiri's HTML5 parser to ensure modern web standards are used.

⚠ HTML5 functionality is only available with Nokogiri v1.14.0 and higher.

... (truncated)

Commits
  • cb14ea7 version bump to v2.22.0
  • 64e0a26 update CHANGELOG
  • c5cfb80 Merge pull request #277 from wynksaiddestroy/feature/noreferrer_scrubber
  • 4ad2e13 Add noreferrer scrubber
  • 5345bb7 Merge pull request #275 from hexdevs/add-target-blank-scrub
  • 09e11ad feat: adds :targetblank scrubber
  • 992b054 version bump to v2.21.4
  • 5d9a22f Merge pull request #273 from flavorjones/flavorjones-css-whitespace-handling
  • 876116e fix: scrub_css is more consistent with whitespace
  • edde5f2 Merge pull request #274 from flavorjones/flavorjones-bump-hoe-markdown
  • Additional commits viewable in compare view

Updates nokogiri from 1.9.1 to 1.12.5

Release notes

Sourced from nokogiri's releases.

1.12.5 / 2021-09-27

Security

[JRuby] Address CVE-2021-41098 (GHSA-2rr5-8q37-2w7h).

In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parsers resolve external entities (XXE) by default. This fix turns off entity-resolution-by-default in the JRuby SAX parsers to match the CRuby SAX parsers' behavior.

CRuby users are not affected by this CVE.

Fixed

  • [CRuby] Document#to_xhtml properly serializes self-closing tags in libxml > 2.9.10. A behavior change introduced in libxml 2.9.11 resulted in emitting start and and tags (e.g., <br></br>) instead of a self-closing tag (e.g., <br/>) in previous Nokogiri versions. [#2324]

SHA256 checksums:

36bfa3a07aced069b3f3c9b39d9fb62cb0728d284d02b079404cd55780beaeff  nokogiri-1.12.5-arm64-darwin.gem
16b1a9ddbb70a9c998462912a5972097cbc79c3e01eb373906886ef8a469f589  nokogiri-1.12.5-java.gem
218dcc6edd1b49cc6244b5f88afb978739bb2f3f166c271557fe5f51e4bc713c  nokogiri-1.12.5-x64-mingw32.gem
e33bb919d64c16d931a5f26dc880969e587d225cfa97e6b56e790fb52179f527  nokogiri-1.12.5-x86-linux.gem
e13c2ed011b8346fbd589e96fe3542d763158bc2c7ad0f4f55f6d801afd1d9ff  nokogiri-1.12.5-x86-mingw32.gem
1ed64f7db7c1414b87fce28029f2a10128611d2037e0871ba298d00f9a00edd6  nokogiri-1.12.5-x86_64-darwin.gem
0868c8d0a147904d4dedaaa05af5f06656f2d3c67e4432601718559bf69d6cea  nokogiri-1.12.5-x86_64-linux.gem
2b20905942acc580697c8c496d0d1672ab617facb9d30d156b3c7676e67902ec  nokogiri-1.12.5.gem

1.12.4 / 2021-08-29

Notable fix: Namespace inheritance

Namespace behavior when reparenting nodes has historically been poorly specified and the behavior diverged between CRuby and JRuby. As a result, making this behavior consistent in v1.12.0 introduced a breaking change.

This patch release reverts the Builder behavior present in v1.12.0..v1.12.3 but keeps the Document behavior. This release also introduces a Document attribute to allow affected users to easily change this behavior for their legacy code without invasive changes.

Compensating Feature in XML::Document

This release of Nokogiri introduces a new Document boolean attribute, namespace_inheritance, which controls whether children should inherit a namespace when they are reparented. Nokogiri::XML:Document defaults this attribute to false meaning "do not inherit," thereby making explicit the behavior change introduced in v1.12.0.

CRuby users who desire the pre-v1.12.0 behavior may set document.namespace_inheritance = true before reparenting nodes.

See https://nokogiri.org/rdoc/Nokogiri/XML/Document.html#namespace_inheritance-instance_method for example usage.

Fix for XML::Builder

... (truncated)

Changelog

Sourced from nokogiri's changelog.

1.12.5 / 2021-09-27

Security

[JRuby] Address CVE-2021-41098 (GHSA-2rr5-8q37-2w7h).

In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parsers resolve external entities (XXE) by default. This fix turns off entity-resolution-by-default in the JRuby SAX parsers to match the CRuby SAX parsers' behavior.

CRuby users are not affected by this CVE.

Fixed

  • [CRuby] Document#to_xhtml properly serializes self-closing tags in libxml > 2.9.10. A behavior change introduced in libxml 2.9.11 resulted in emitting start and and tags (e.g., <br></br>) instead of a self-closing tag (e.g., <br/>) in previous Nokogiri versions. #2324

1.12.4 / 2021-08-29

Notable fix: Namespace inheritance

Namespace behavior when reparenting nodes has historically been poorly specified and the behavior diverged between CRuby and JRuby. As a result, making this behavior consistent in v1.12.0 introduced a breaking change.

This patch release reverts the Builder behavior present in v1.12.0..v1.12.3 but keeps the Document behavior. This release also introduces a Document attribute to allow affected users to easily change this behavior for their legacy code without invasive changes.

Compensating Feature in XML::Document

This release of Nokogiri introduces a new Document boolean attribute, namespace_inheritance, which controls whether children should inherit a namespace when they are reparented. Nokogiri::XML:Document defaults this attribute to false meaning "do not inherit," thereby making explicit the behavior change introduced in v1.12.0.

CRuby users who desire the pre-v1.12.0 behavior may set document.namespace_inheritance = true before reparenting nodes.

See https://nokogiri.org/rdoc/Nokogiri/XML/Document.html#namespace_inheritance-instance_method for example usage.

Fix for XML::Builder

However, recognizing that we want Builder-created children to inherit namespaces, Builder now will set namespace_inheritance=true on the underlying document for both JRuby and CRuby. This means that, on CRuby, the pre-v1.12.0 behavior is restored.

Users who want to turn this behavior off may pass a keyword argument to the Builder constructor like so:

Nokogiri::XML::Builder.new(namespace_inheritance: false)

See https://nokogiri.org/rdoc/Nokogiri/XML/Builder.html#label-Namespace+inheritance for example usage.

Downstream gem maintainers

Note that any downstream gems may want to specifically omit Nokogiri v1.12.0--v1.12.3 from their dependency specification if they rely on child namespace inheritance:

... (truncated)

Commits

Updates omniauth from 1.9.1 to 2.0.4

Release notes

Sourced from omniauth's releases.

v2.0.4

This release removes unnecessary warning logging when accessing GET routes that are not related to the OmniAuth request path.

Thanks to @​charlie-wasp and @​sponomarev at Evil Martians for the bug find and subsequent PR.

Fix rescuing of application errors when call_app! is used.

As a consequence of the changes that were merged in #689, errors thrown by strategies that utilize other_phase (or more specifically call_app!), would be caught by omniauth, causing headaches for folks looking to have those errors handled by their application. This should allow for errors that come from the app to pass through, while passing errors that come from the authentication phases to the fail! handler.

Resolves #1030

Fix for incorrect order of request_validation_phase in test_mode.

@​jsdalton gave an awesome report of the issue present in test_mode in #1033

The current implementation of mock_call was verifying the token for all requests, regardless of whether the current path is on the omniauth request path. The change was introduced recently in 1b784ff. See #1032 for details.

This creates two problems:

  1. When test mode is on, the authenticity verification logic is run inappropriately against requests where this may not even be wanted.
  2. The behavior varies from actual production behavior, potentially allowing bugs to be introduced by unwary developers.

Note that this bug was only present when OmniAuth was configured for test_mode and using the mock_call phases.

Allow passing rack-protection configuration to default request_validation_phase

This release now properly allows an instance of OmniAuth::AuthenticityTokenProtection (with passed in rack-protection configuration) to be used as the request_validation_phase.

Thanks @​jkowens #1027

If you haven't already read the release notes for v2.0.0, you should do so.

v2.0.0

Version 2.0 of OmniAuth includes some changes that may be breaking depending on how you use OmniAuth in your app.

Many thanks to the folks who contributed in code and discussion for these changes.

OmniAuth now defaults to only POST as the allowed request_phase method.

Hopefully, you were already doing this as a result of the warnings due to CVE-2015-9284.
For detailed context, see:
#960
#809
Resolving CVE-2015-9284

This change also includes an additional configurable phase: request_validation_phase.

Rack/Sinatra

By default, this uses rack-protection's AuthenticityToken class to validate authenticity tokens. If you are using a rack based framework like sinatra, you can find an example of how to add authenticity tokens to your view here.

... (truncated)

Commits
  • e7b8811 Release v2.0.4
  • 119a54d Remove jruby-head for now
  • f0e5d42 Merge pull request #1041 from charlie-wasp/fix/get-request-warning
  • b72a8db Warn only on GET requests for login path
  • 481e307 Prepare for next development iteration
  • f9dddef v2.0.3 release
  • 7e1b49f Merge pull request #1035 from omniauth/1030-standard-error-handling
  • 6f4cdb0 Better handle errors that come from the actual app.
  • 0d533c3 Update README for next dev cycle.
  • ba115e1 Prepare for 2.0.2 release
  • Additional commits viewable in compare view

Updates rails-html-sanitizer from 1.3.0 to 1.5.0

Release notes

Sourced from rails-html-sanitizer's releases.

1.5.0 / 2023-01-20

  • SafeListSanitizer, PermitScrubber, and TargetScrubber now all support pruning of unsafe tags.

    By default, unsafe tags are still stripped, but this behavior can be changed to prune the element and its children from the document by passing prune: true to any of these classes' constructors.

    @​seyerian

1.4.4 / 2022-12-13

1.4.3 / 2022-06-09

  • Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

    Prevent the combination of select and style as allowed tags in SafeListSanitizer.

    Fixes CVE-2022-32209

    Mike Dalessio

1.4.2 / 2021-08-23

... (truncated)

Changelog

Sourced from rails-html-sanitizer's changelog.

1.5.0 / 2023-01-20

  • SafeListSanitizer, PermitScrubber, and TargetScrubber now all support pruning of unsafe tags.

    By default, unsafe tags are still stripped, but this behavior can be changed to prune the element and its children from the document by passing prune: true to any of these classes' constructors.

    seyerian

1.4.4 / 2022-12-13

1.4.3 / 2022-06-09

  • Address a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

    Prevent the combination of select and style as allowed tags in SafeListSanitizer.

... (truncated)

Commits
  • a337ec8 version bump to v1.5.0
  • 459f1cd Merge pull request #149 from kyoshidajp/update-checkout-v3
  • 23ac131 Bump actions/checkout from 2 to 3
  • 79bc10b Merge pull request #147 from rails/flavorjones-port-1.4.4-changes
  • 9ef5975 dev: set version to 1.5.0.dev
  • e31343f doc: changelog entry for 1.4.4
  • e8cbe25 dep: bump dependency on loofah
  • 373fc62 fix: escape CDATA nodes using Loofah's escaping methods
  • 68ccf7e revert 45a5c10
  • bb6dfcb fix: use Loofah's scrub_uri_attribute method
  • Additional commits viewable in compare view

Updates puma from 3.12.6 to 5.6.8

Release notes

Sourced from puma's releases.

5.6.7

Security Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields (GHSA-68xg-gqqm-vgj8)

5.6.5 / 2022-08-23

  • Bugfixes
    • NullIO#closed should return false (#2883)
    • Puma::ControlCLI - allow refork command to be sent as a request (#2868, #2866)
    • [jruby] Fix TLS verification hang (#2890, #2729)
    • extconf.rb - don't use pkg_config('openssl') if '--with-openssl-dir' is used (#2885, #2839)
    • MiniSSL - detect SSL_CTX_set_dh_auto (#2864, #2863)
    • Fix rack.after_reply exceptions breaking connections (#2861, #2856)
    • Escape SSL cert and filenames (#2855)
    • Fail hard if SSL certs or keys are invalid (#2848)
    • Fail hard if SSL certs or keys cannot be read by user (#2847)
    • Fix build with Opaque DH in LibreSSL 3.5. (#2838)
    • Pre-existing socket file removed when TERM is issued after USR2 (if puma is running in cluster mode) (#2817)
    • Fix Puma::StateFile#load incompatibility (#2810)

5.6.4

  • Security

The 5.6.3 release was a mistake (released the wrong branch), 5.6.4 is correct.

5.6.2 / 2022-02-11

5.6.1

Bugfixes

  • Reverted a commit which appeared to be causing occasional blank header values (see issue #2808) (#2809)

Full Changelog: puma/puma@v5.6.0...v5.6.1

5.6.0 - Birdie's Version

Maintainer @​nateberkopec had a daughter, nicknamed Birdie:

slack-imgs

5.6.0 / 2022-01-25

  • Features
    • Support localhost integration in ssl_bind (#2764, #2708)
    • Allow backlog parameter to be set with ssl_bind DSL (#2780)
    • Remove yaml (psych) requirement in StateFile (#2784)
    • Allow culling of oldest workers, previously was only youngest (#2773, #2794)
    • Add worker_check_interval configuration option (#2759)

... (truncated)

Changelog

Sourced from puma's changelog.

5.6.8 / 2024-01-08

  • Security
    • Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. (GHSA-c2f4-cvqm-65w2)

5.6.7 / 2023-08-18

  • Security
    • Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields (GHSA-68xg-gqqm-vgj8)

5.6.6 / 2023-06-21

  • Bugfix
    • Prevent loading with rack 3 (#3166)

5.6.5 / 2022-08-23

  • Feature

    • Puma::ControlCLI - allow refork command to be sent as a request (#2868, #2866)
  • Bugfixes

    • NullIO#closed should return false (#2883)
    • [jruby] Fix TLS verification hang (#2890, #2729)
    • extconf.rb - don't use pkg_config('openssl') if '--with-openssl-dir' is used (#2885, #2839)
    • MiniSSL - detect SSL_CTX_set_dh_auto (#2864, #2863)
    • Fix rack.after_reply exceptions breaking connections (#2861, #2856)
    • Escape SSL cert and filenames (#2855)
    • Fail hard if SSL certs or keys are invalid (#2848)
    • Fail hard if SSL certs or keys cannot be read by user (#2847)
    • Fix build with Opaque DH in LibreSSL 3.5. (#2838)
    • Pre-existing socket file removed when TERM is issued after USR2 (if puma is running in cluster mode) (#2817)
    • Fix Puma::StateFile#load incompatibility (#2810)

5.6.4 / 2022-03-30

  • Security

5.6.2 / 2022-02-11

5.6.1 / 2022-01-26

  • Bugfixes
    • Reverted a commit which appeared to be causing occasional blank header values (#2809)

5.6.0 / 2022-01-25

... (truncated)

Commits

Updates loofah from 2.8.0 to 2.22.0

Release notes

Sourced from loofah's releases.

2.22.0 / 2023-11-13

Added

2.21.4 / 2023-10-10

Fixed

  • Loofah::HTML5::Scrub.scrub_css is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, .scrub_css no longer inserts whitespace between tokens that did not already have whitespace between them. [#273, fixes #271]

2.21.3 / 2023-05-15

2.21.2 / 2023-05-11

Dependencies

  • Update the dependency on Nokogiri to be >= 1.12.0. The dependency in 2.21.0 and 2.21.1 was left at >= 1.5.9 but versions before 1.12 would result in a NameError exception. [#266]

2.21.1 / 2023-05-10

Fixed

  • Don't define HTML5::Document and HTML5::DocumentFragment when Nokogiri is < 1.14. In 2.21.0 these classes were defined whenever Nokogiri::HTML5 was defined, but Nokogiri v1.12 and v1.13 do not support Loofah subclassing properly.

2.21.0 / 2023-05-10

HTML5 Support

Classes Loofah::HTML5::Document and Loofah::HTML5::DocumentFragment are introduced, along with helper methods:

  • Loofah.html5_document
  • Loofah.html5_fragment
  • Loofah.scrub_html5_document
  • Loofah.scrub_html5_fragment

These classes and methods use Nokogiri's HTML5 parser to ensure modern web standards are used.

⚠ HTML5 functionality is only available with Nokogiri v1.14.0 and higher.

... (truncated)

Changelog

Sourced from loofah's changelog.

2.22.0 / 2023-11-13

Added

2.21.4 / 2023-10-10

Fixed

  • Loofah::HTML5::Scrub.scrub_css is more consistent in preserving whitespace (and lack of whitespace) in CSS property values. In particular, .scrub_css no longer inserts whitespace between tokens that did not already have whitespace between them. [#273, fixes #271]

2.21.3 / 2023-05-15

Fixed

2.21.2 / 2023-05-11

Dependencies

  • Update the dependency on Nokogiri to be >= 1.12.0. The dependency in 2.21.0 and 2.21.1 was left at >= 1.5.9 but versions before 1.12 would result in a NameError exception. [#266]

2.21.1 / 2023-05-10

Fixed

  • Don't define HTML5::Document and HTML5::DocumentFragment when Nokogiri is < 1.14. In 2.21.0 these classes were defined whenever Nokogiri::HTML5 was defined, but Nokogiri v1.12 and v1.13 do not support Loofah subclassing properly.

2.21.0 / 2023-05-10

HTML5 Support

Classes Loofah::HTML5::Document and Loofah::HTML5::DocumentFragment are introduced, along with helper methods:

  • Loofah.html5_document
  • Loofah.html5_fragment
  • Loofah.scrub_html5_document
  • Loofah.scrub_html5_fragment

These classes and methods use Nokogiri's HTML5 parser to ensure modern web standards are used.

⚠ HTML5 functionality is only available with Nokogiri v1.14.0 and higher.

... (truncated)

Commits
  • cb14ea7 version bump to v2.22.0
  • 64e0a26 update CHANGELOG
  • c5cfb80 Merge pull request #277 from wynksaiddestroy/feature/noreferrer_scrubber
  • 4ad2e13 Add noreferrer scrubber
  • 5345bb7 Merge pull request #275 from hexdevs/add-target-blank-scrub
  • 09e11ad feat: adds :targetblank scrubber
  • 992b054 version bump to v2.21.4
  • 5d9a22f Merge pull request #273 from flavorjones/flavorjones-css-whitespace-handling
  • 876116e fix: scrub_css is more consistent with whitespace
  • edde5f2 Merge pull request #274 from flavorjones/flavorjones-bump-hoe-markdown
  • Additional commits viewable in compare view

Updates nokogiri from 1.9.1 to 1.12.5

Release notes

Sourced from nokogiri's releases.

1.12.5 / 2021-09-27

Security

[JRuby] Address CVE-2021-41098 (GHSA-2rr5-8q37-2w7h).

In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parsers resolve external entities (XXE) by default. This fix turns off entity-resolution-by-default in the JRuby SAX parsers to match the CRuby SAX parsers' behavior.

CRuby users are not affected by this CVE.

Fixed

  • [CRuby] Document#to_xhtml properly serializes self-closing tags in libxml > 2.9.10. A behavior change introduced in libxml 2.9.11 resulted in emitting start and and tags (e.g., <br></br>) instead of a self-closing tag (e.g., <br/>) in previous Nokogiri versions. [#2324]

SHA256 checksums:

36bfa3a07aced069b3f3c9b39d9fb62cb0728d284d02b079404cd55780beaeff  nokogiri-1.12.5-arm64-darwin.gem
16b1a9ddbb70a9c998462912a5972097cbc79c3e01eb373906886ef8a469f589  nokogiri-1.12.5-java.gem
218dcc6edd1b49cc6244b5f88afb978739bb2f3f166c271557fe5f51e4bc713c  nokogiri-1.12.5-x64-mingw32.gem
e33bb919d64c16d931a5f26dc880969e587d225cfa97e6b56e790fb52179f527  nokogiri-1.12.5-x86-linux.gem
e13c2ed011b8346fbd589e96fe3542d763158bc2c7ad0f4f55f6d801afd1d9ff  nokogiri-1.12.5-x86-mingw32.gem
1ed64f7db7c1414b87fce28029f2a10128611d2037e0871ba298d00f9a00edd6  nokogiri-1.12.5-x86_64-darwin.gem
0868c8d0a147904d4dedaaa05af5f06656f2d3c67e4432601718559bf69d6cea  nokogiri-1.12.5-x86_64-linux.gem
2b20905942acc580697c8c496d0d1672ab617facb9d30d156b3c7676e67902ec  nokogiri-1.12.5.gem

1.12.4 / 2021-08-29

Notable fix: Namespace inheritance

Namespace behavior when reparenting nodes has historically been poorly specified and the behavior diverged between CRuby and JRuby. As a result, making this behavior consistent in v1.12.0 introduced a breaking change.

This patch release reverts the Builder behavior present in v1.12.0..v1.12.3 but keeps the Document behavior. This release also introduces a Document attribute to allow affected users to easily change this behavior for their legacy code without invasive changes.

Compensating Feature in XML::Document

This release of Nokogiri introduces a new Document boolean attribute, namespace_inheritance, which controls whether children should inherit a namespace when they are reparented. Nokogiri::XML:Document defaults this attribute to false meaning "do not inherit," thereby making explicit the behavior change introduced in v1.12.0.

CRuby users who desire the pre-v1.12.0 behavior may set document.namespace_inheritance = true before reparenting nodes.

See https://nokogiri.org/rdoc/Nokogiri/XML/Document.html#namespace_inheritance-instance_method for example usage.

Fix for XML::Builder

... (truncated)

Changelog

Sourced from nokogiri's changelog.

1.12.5 / 2021-09-27

Security

[JRuby] Address CVE-2021-41098 (GHSA-2rr5-8q37-2w7h).

In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parsers resolve external entities (XXE) by default. This fix turns off entity-resolution-by-default in the JRuby SAX parsers to match the CRuby SAX parsers' behavior.

CRuby users are not affected by this CVE.

Fixed

  • [CRuby] Document#to_xhtml properly serializes self-closing tags in libxml > 2.9.10. A behavior change introduced in libxml 2.9.11 resulted in emitting start and and tags (e.g., <br></br>) instead of a self-closing tag (e.g., <br/>) in previous Nokogiri versions. #2324

1.12.4 / 2021-08-29

Notable fix: Namespace inheritance

Namespace behavior when reparenting nodes has historically been poorly specified and the behavior diverged between CRuby and JRuby. As a result, making this behavior consistent in v1.12.0 introduced a breaking change.

This patch release reverts the Builder behavior present in v1.12.0..v1.12.3 but keeps the Document behavior. This release also introduces a Document attribute to allow affected users to easily change this behavior for their legacy code without invasive changes.

Compensating Feature in XML::Document

This release of Nokogiri introduces a new Document boolean attribute, namespace_inheritance, which...

Description has been truncated

Bumps the bundler group with 3 updates in the /humans-in-the-loop-files/scribe-hitl/loop_1 directory: [puma](https://github.com/puma/puma), [loofah](https://github.com/flavorjones/loofah) and [omniauth](https://github.com/omniauth/omniauth).
Bumps the bundler group with 3 updates in the /humans-in-the-loop-files/scribe-hitl/loop_2 directory: [puma](https://github.com/puma/puma), [loofah](https://github.com/flavorjones/loofah) and [omniauth](https://github.com/omniauth/omniauth).
Bumps the bundler group with 3 updates in the /humans-in-the-loop-files/scribe-hitl/loop_3 directory: [puma](https://github.com/puma/puma), [loofah](https://github.com/flavorjones/loofah) and [omniauth](https://github.com/omniauth/omniauth).


Updates `puma` from 3.12.6 to 5.6.8
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/master/History.md)
- [Commits](puma/puma@v3.12.6...v5.6.8)

Updates `loofah` from 2.8.0 to 2.22.0
- [Release notes](https://github.com/flavorjones/loofah/releases)
- [Changelog](https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md)
- [Commits](flavorjones/loofah@v2.8.0...v2.22.0)

Updates `nokogiri` from 1.9.1 to 1.12.5
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.9.1...v1.12.5)

Updates `omniauth` from 1.9.1 to 2.0.4
- [Release notes](https://github.com/omniauth/omniauth/releases)
- [Commits](omniauth/omniauth@v1.9.1...v2.0.4)

Updates `rails-html-sanitizer` from 1.3.0 to 1.5.0
- [Release notes](https://github.com/rails/rails-html-sanitizer/releases)
- [Changelog](https://github.com/rails/rails-html-sanitizer/blob/main/CHANGELOG.md)
- [Commits](rails/rails-html-sanitizer@v1.3.0...v1.5.0)

Updates `puma` from 3.12.6 to 5.6.8
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/master/History.md)
- [Commits](puma/puma@v3.12.6...v5.6.8)

Updates `loofah` from 2.8.0 to 2.22.0
- [Release notes](https://github.com/flavorjones/loofah/releases)
- [Changelog](https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md)
- [Commits](flavorjones/loofah@v2.8.0...v2.22.0)

Updates `nokogiri` from 1.9.1 to 1.12.5
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.9.1...v1.12.5)

Updates `omniauth` from 1.9.1 to 2.0.4
- [Release notes](https://github.com/omniauth/omniauth/releases)
- [Commits](omniauth/omniauth@v1.9.1...v2.0.4)

Updates `rails-html-sanitizer` from 1.3.0 to 1.5.0
- [Release notes](https://github.com/rails/rails-html-sanitizer/releases)
- [Changelog](https://github.com/rails/rails-html-sanitizer/blob/main/CHANGELOG.md)
- [Commits](rails/rails-html-sanitizer@v1.3.0...v1.5.0)

Updates `puma` from 3.12.6 to 5.6.8
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/master/History.md)
- [Commits](puma/puma@v3.12.6...v5.6.8)

Updates `loofah` from 2.8.0 to 2.22.0
- [Release notes](https://github.com/flavorjones/loofah/releases)
- [Changelog](https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md)
- [Commits](flavorjones/loofah@v2.8.0...v2.22.0)

Updates `nokogiri` from 1.9.1 to 1.12.5
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.9.1...v1.12.5)

Updates `omniauth` from 1.9.1 to 2.0.4
- [Release notes](https://github.com/omniauth/omniauth/releases)
- [Commits](omniauth/omniauth@v1.9.1...v2.0.4)

Updates `rails-html-sanitizer` from 1.3.0 to 1.5.0
- [Release notes](https://github.com/rails/rails-html-sanitizer/releases)
- [Changelog](https://github.com/rails/rails-html-sanitizer/blob/main/CHANGELOG.md)
- [Commits](rails/rails-html-sanitizer@v1.3.0...v1.5.0)

---
updated-dependencies:
- dependency-name: puma
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: loofah
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: nokogiri
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: omniauth
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rails-html-sanitizer
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: puma
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: loofah
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: nokogiri
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: omniauth
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rails-html-sanitizer
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: puma
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: loofah
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: nokogiri
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: omniauth
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rails-html-sanitizer
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code labels May 14, 2024
This was referenced May 14, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants