🚨 [security] [ruby] Update nokogiri 1.16.3 → 1.16.5 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ nokogiri (indirect, 1.16.2 → 1.16.5) · Repo · Changelog

Security Advisories 🚨

🚨 Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

• described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
• patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

• 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
• 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
• 2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

Release Notes

1.16.5

v1.16.5 / 2024-05-13

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-34459. See GHSA-r95h-9x8f-r3f7 for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.7 from v2.12.6. (@flavorjones)

---

sha256 checksums:

af0f44fa3e664dfb2aa10de8b551447d720c1e8d1f0aa3f35783dcc43e40a874  nokogiri-1.16.5-aarch64-linux.gem
23dc2357b26409a5c33b7e32a82902f0e9995305420f16d1a03ab3ea1a482fec  nokogiri-1.16.5-arm-linux.gem
950d037530edb49f75ad35de0b8038b970a7dda57e2b6326895b0e49fadf6214  nokogiri-1.16.5-arm64-darwin.gem
b7aefc94370c62476b8528e8d8abb6160203abd84a1f4eceda8f1aa8974d9989  nokogiri-1.16.5-java.gem
ec2167160df8fec3137bf95d574ed80ebc1d002bb3b281546b60b4aa9002466e  nokogiri-1.16.5-x64-mingw-ucrt.gem
6984200491fac69974005ecfa2de129d61843d345eafa5d6f58e8b908d1cf107  nokogiri-1.16.5-x64-mingw32.gem
abdc389ab1ec6604492da16bd9d06ad746fdb6bd6a1bd274c400d61ffcadb3c4  nokogiri-1.16.5-x86-linux.gem
63d24981345856f2baf7f4089870a62d3042fb8d3021b280fb04fc052532e3c4  nokogiri-1.16.5-x86-mingw32.gem
71b5f54e378c433d13df67c3b71acc4716129da62402d8181f310c4216a63279  nokogiri-1.16.5-x86_64-darwin.gem
0ca238da870066bed2f7837af6f35791bb9b76c4c5638999c46aac44818a6a97  nokogiri-1.16.5-x86_64-linux.gem
ec36162c68984fa0a90a5c4ae7ab7759460639e716cc1ce75f34c3cb54158ad2  nokogiri-1.16.5.gem

1.16.4

v1.16.4 / 2024-04-10

Dependencies

• [CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

---

sha256 checksums:

bdb1dc4378ebcf3ade8f440c7df68f6d76946a1a96c4823a2b4c53c01a320cd5  nokogiri-1.16.4-aarch64-linux.gem
0c994b9996d5576eddcc3201a94ef2bff6fc3627c4ae4d2708b0ec9b9743ec6a  nokogiri-1.16.4-arm-linux.gem
8e86abb64c93c06d3c588042a0e757279e8f1dc88b5210a00be892a9a7a27196  nokogiri-1.16.4-arm64-darwin.gem
bf84fa28be4943692bd64772186e0832fb1061f80714ccb93e111e9d72b1cadc  nokogiri-1.16.4-java.gem
a46808467c1f63a2031e1ca0715cd5336bb4ec759e9c0e2f4c951c1cc30994ae  nokogiri-1.16.4-x64-mingw-ucrt.gem
4cdf64bc5e9443ec3e0b595347ecc8affe21968d9ae934c0825d26630ef96468  nokogiri-1.16.4-x64-mingw32.gem
d86d21bae47dd9f6f5223055e45d33fae08b0b89aad94cbc0ece4f4274fa7af5  nokogiri-1.16.4-x86-linux.gem
d488b872884844686780fda7cf5da44ee884d32faa713a55aeb4736d76718168  nokogiri-1.16.4-x86-mingw32.gem
a896e52a56951ffb0e6a9279afbf485d683e357a053d27f4cfcb2a73b0824628  nokogiri-1.16.4-x86_64-darwin.gem
92ff4f09910255fec84b3bc4c4b182e94cada3ed12b9f7a6ea058e0af186fb31  nokogiri-1.16.4-x86_64-linux.gem
62c116c3a14b4ed4e1faec786da266c4bd4c717a0bd04a9916164a7046040f45  nokogiri-1.16.4.gem

1.16.3

v1.16.3 / 2024-03-15

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.6 from v2.12.5. (@flavorjones)

Changed

• [CRuby] XML::Reader sets the @encoding instance variable during reading if it is not passed into the initializer. Previously, it would remain nil. The behavior of Reader#encoding has not changed. This works around changes to how libxml2 reports the encoding used in v2.12.6.

---

sha256 checksums:

3d806263a0548e5163ff256655d78a87998fa83a5ae256b83c14a1a97731e824  nokogiri-1.16.3-aarch64-linux.gem
cfb923c02bde065005e2521f0a6883c63cf305cb899a9dd4c74897731bb2af1d  nokogiri-1.16.3-arm-linux.gem
5d3268558c002fa493e33076798cfda1df8effbd5363060dc41595cfebb1cf90  nokogiri-1.16.3-arm64-darwin.gem
6bf0918233959c7d5e703061ada0f436544612397475a866aa314071f02bfabb  nokogiri-1.16.3-java.gem
656f163dd287671c3a28157a2e853ee1a36afeb3f4185a78af863f3980efc58d  nokogiri-1.16.3-x64-mingw-ucrt.gem
7330f65cf2f8fa442327112b6515b4988f396d23010d33571714fd2ac0648fb9  nokogiri-1.16.3-x64-mingw32.gem
08d8a369940fa2309379cd8af1e7b3cc702b0115d3ddd197cfa7b33daedfd541  nokogiri-1.16.3-x86-linux.gem
cd26e99fa6388cd73c8892bb99ac98af162fe83c8f71c6473dfeba7aac76bcb9  nokogiri-1.16.3-x86-mingw32.gem
bc22786f4db4c32a5587e3b77a106408148d3bb1602dd0b52c0f5c968c42d17d  nokogiri-1.16.3-x86_64-darwin.gem
47a3330e41b49a100225b6fab490b2dc43410931e01e791886e0c2998412e8cb  nokogiri-1.16.3-x86_64-linux.gem
498aa253ccd5b89a0fa5c4c82b346d22176fc865f4a12ef8da642064d1d3e248  nokogiri-1.16.3.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:

• version bump to v1.16.5
• dep: update vendored libxml2 to v2.12.7 (#3191)
• ci: add arm64-darwin coverage using macos-14
• dep: update libxml2 to v2.12.7
• version bump to v1.16.4
• dep: update to zlib 1.3.1 (v1.16.x) (#3175)
• dep: update to zlib 1.3.1
• version bump to v1.16.3
• dep: update libxml 2.12.6 (branch v1.16.x) (#3151)
• fix: Reader#read sets @encoding if it is unset
• dep: update libxml2 to v2.12.6

↗️ avo (indirect, 3.6.1 → 3.7.4) · Repo · Changelog

Release Notes

3.7.4

Release notes

More information and release video here

🐛 Bug Fixes

• fix: default sort @Paul-Bob (#2760)
• fix: wrong label on belongs_tofield @adrianthedev (#2758)
• fix: active sidebar menu js error with custom menu @adrianthedev (#2759)

For more information, check out Avo's release notes page

3.7.3

Release notes

More information and release video here

• security: prevent SQL injection in sorting param @Paul-Bob (#2756)

For more information, check out Avo's release notes page

3.7.2

Release notes

More information and release video here

🎸 Features

• feature: html classes for heading wrapper @Paul-Bob (#2755)

For more information, check out Avo's release notes page

3.7.1

Release notes

More information and release video here

🎸 Features

• feature: heading target @Paul-Bob (#2753)

🤖 Maintenance

• chore: pagy 8 support @adrianthedev (#2752)
• [js] Update all Yarn dependencies (2024-04-25) @depfu (#2720)
• chore: require ostruct @adrianthedev (#2750)
• chore(deps): bump trix from 2.1.0 to 2.1.1 in the npm_and_yarn group across 1 directory @dependabot (#2749)

For more information, check out Avo's release notes page

3.7.0

Release notes

More information and release video here

🎸 Features

• feature: Money field Docs
• feature: Record link field Docs
• feature: callable chartkick options @Paul-Bob (avo-dashboards #33)
  • 📖 https://docs.avohq.io/3.0/cards.html#customize-chart
• feature: access to result_data on chart_options @Paul-Bob (avo-dashboards #35)
• feature: linkable association titles @adrianthedev (#2591)
• feature: configurable default pagination @Paul-Bob (#2717)
  • 📖 https://docs.avohq.io/3.0/customization.html#pagination
• Add disable_editing_values for key_value field @gabrielgiroe1 (#2663)
  • 📖 https://docs.avohq.io/3.0/fields/key_value.html#disable_editing_values
• feature: for_attribute option for fields @Paul-Bob (#2560)
  • 📖 https://docs.avohq.io/3.0/field-options.html#for_attribute
• feature: add sidebar collapse animation @adrianthedev (#2695)
• Autofocus first field in action @gabrielgiroe1 (#2554)
• enhancement: full-width fields when sidebar present @adrianthedev (#2683)
• feature: resource controls dynamic width @anjoseb121 (#2583)
• Enable boolean group computed options @krystof-k (#2679)
  • 📖https://docs.avohq.io/3.0/fields/boolean_group.html#computed-options

🐛 Bug Fixes

• fix: check if ActionText::RichText is defined @Paul-Bob (#2741)
• fix: resource controls spacing issue @adrianthedev (#2740)
• fix: table cache @Paul-Bob (#2734)
  • ⚠️ https://docs.avohq.io/3.0/upgrade.html#cache
• fix: cache_table_rows @Paul-Bob (#2733)
• fix: don't export avo.custom.js build @Paul-Bob (#2731)
• fix: render background context when accessing extrernal action links @Paul-Bob (#2730)
• fix: actions eager loader @Paul-Bob (#2726)
• fix: eager load actions @Paul-Bob (#2719)
• fix: check proper dir for internal controller override @Paul-Bob (#2712)
• fix: bad animation for menu on reload @adrianthedev (#2704)
• Add disable_editing_values for key_value field @gabrielgiroe1 (#2663)
• fix: index header and rows visibility @Paul-Bob (#2549)
• fix: detach action record @Paul-Bob (#2690)
• fix: actions layout @Paul-Bob (#2692)
• fix: leaky global default_url_options @adrianthedev (#2694)
• fix: ActionText support for trix field @Paul-Bob (#2639)
• Render text area newlines @krystof-k (#2678)
• Add missing migration to dummy app @krystof-k (#2676)
• fix: preserve page when go back from resource show page (#1555) @dmitrytrager (#2652)

🤖 Maintenance

• chore: add record_link field to gemfile @adrianthedev (#2705)
• [js] Update all Yarn dependencies (2024-04-18) @depfu (#2701)
• [js] Update all Yarn dependencies (2024-04-12) @depfu (#2685)
• chore: prepare for record_link field @adrianthedev (#2684)
• [js] Update all Yarn dependencies (2024-03-31) @depfu (#2644)
• chore: performance tweak on boolean group field and select field @Paul-Bob (#2682)

💡 Refactor

• refactor: tweaks and money field preparations @adrianthedev (#2669)
• Don't affect unspecified options in boolean group @krystof-k (#2677)

⚡️ Performance

• performance: memoize a few things @adrianthedev (#2700)
  For more information, check out Avo's release notes page

3.6.4

Release notes

More information and release video here

🐛 Bug Fixes

• fix: table cache @Paul-Bob (#2734)

For more information, check out Avo's release notes page

3.6.3

Release notes

More information and release video here

🐛 Bug Fixes

• fix: cache_table_rows @Paul-Bob (#2733)

For more information, check out Avo's release notes page

3.6.2

Release notes

More information and release video here

🎸 Features

• feature: linkable association titles @adrianthedev (#2591)
• feature: configurable default pagination @Paul-Bob (#2717)
• Add disable_editing_values for key_value field @gabrielgiroe1 (#2663)
• feature: for_attribute option for fields @Paul-Bob (#2560)
• feature: add sidebar collapse animation @adrianthedev (#2695)
• Autofocus first field in action @gabrielgiroe1 (#2554)
• enhancement: full-width fields when sidebar present @adrianthedev (#2683)
• feature: resource controls dynamic width @anjoseb121 (#2583)
• Enable boolean group computed options @krystof-k (#2679)

🐛 Bug Fixes

• fix: don't export avo.custom.js build @Paul-Bob (#2731)
• fix: render background context when accessing extrernal action links @Paul-Bob (#2730)
• fix: actions eager loader @Paul-Bob (#2726)
• fix: eager load actions @Paul-Bob (#2719)
• fix: check proper dir for internal controller override @Paul-Bob (#2712)
• fix: bad animation for menu on reload @adrianthedev (#2704)
• Add disable_editing_values for key_value field @gabrielgiroe1 (#2663)
• fix: index header and rows visibility @Paul-Bob (#2549)
• fix: detach action record @Paul-Bob (#2690)
• fix: actions layout @Paul-Bob (#2692)
• fix: leaky global default_url_options @adrianthedev (#2694)
• fix: ActionText support for trix field @Paul-Bob (#2639)
• Render text area newlines @krystof-k (#2678)
• Add missing migration to dummy app @krystof-k (#2676)
• fix: preserve page when go back from resource show page (#1555) @dmitrytrager (#2652)

🤖 Maintenance

• chore: add record_link field to gemfile @adrianthedev (#2705)
• [js] Update all Yarn dependencies (2024-04-18) @depfu (#2701)
• [js] Update all Yarn dependencies (2024-04-12) @depfu (#2685)
• chore: prepare for record_link field @adrianthedev (#2684)
• [js] Update all Yarn dependencies (2024-03-31) @depfu (#2644)
• chore: performance tweak on boolean group field and select field @Paul-Bob (#2682)

💡 Refactor

• Don't affect unspecified options in boolean group @krystof-k (#2677)

⚡️ Perf

• performance: memoize a few things @adrianthedev (#2700)

For more information, check out Avo's release notes page

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 56 commits:

• Bumped avo to 3.7.4
• fix: default sort (#2760)
• fix: wrong label on `belongs_to`field (#2758)
• fix: active sidebar menu js error with custom menu (#2759)
• Bumped avo to 3.7.3
• security: prevent SQL injection in sorting param (#2756)
• Bumped avo to 3.7.2
• feature: html classes for heading wrapper (#2755)
• Bumped avo to 3.7.1
• feature: heading target (#2753)
• chore: pagy 8 support (#2752)
• [js] Update all Yarn dependencies (2024-04-25) (#2720)
• chore: require ostruct (#2750)
• chore(deps): bump trix in the npm_and_yarn group across 1 directory (#2749)
• Bumped avo to 3.7.0
• fix: check if ActionText::RichText is defined (#2741)
• fix: resource controls spacing issue (#2740)
• Bumped avo to 3.6.4
• fix: table cache (#2734)
• Bumped avo to 3.6.3
• fix: cache_table_rows (#2733)
• Bumped avo to 3.6.2
• fix: don't export `avo.custom.js` build (#2731)
• fix: render background context when accessing extrernal action links (#2730)
• fix: actions eager loader (#2726)
• fix: eager load actions (#2719)
• feature: linkable association titles (#2591)
• feature: configurable default pagination (#2717)
• fix: check proper dir for internal controller override (#2712)
• chore: add record_link field to gemfile (#2705)
• fix: bad animation for menu on reload (#2704)
• Add disable_editing_values for key_value field (#2663)
• performance: memoize a few things (#2700)
• fix: index header and rows visibility (#2549)
• feature: `for_attribute` option for fields (#2560)
• fix: detach action record (#2690)
• Update all Yarn dependencies (2024-04-18) (#2701)
• feature: add sidebar collapse animation (#2695)
• fix: actions layout (#2692)
• fix: leaky global default_url_options (#2694)
• Autofocus first field (#2554)
• Merge branch 'main' of github.com:avo-hq/avo
• wip
• Update all Yarn dependencies (2024-04-12) (#2685)
• chore: prepare for record_link field (#2684)
• Merge branch 'main' into feature/linkable-association-titles
• [js] Update all Yarn dependencies (2024-03-31) (#2644)
• fix: ActionText support for trix field (#2639)
• enhancement: full-width fields when sidebar present (#2683)
• feature: resource controls dynamic width (#2583)
• Don't affect unspecified options in boolean group (#2677)
• chore: performance tweak on boolean group field and select field (#2682)
• Render text area newlines (#2678)
• Enable boolean group computed options (#2679)
• Add missing migration to dummy app (#2676)
• fix: preserve page when go back from resource show page (#1555) (#2652)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[codeclimate]

Code Climate has analyzed commit 4fcab87 and detected 0 issues on this pull request.

View more on Code Climate.

[github-actions]

This PR has been merged into main. The functionality will be available in the next release.

Please check the release guide for more information.