Bump nokogiri from 1.10.10 to 1.11.1

[dependabot]

Bumps nokogiri from 1.10.10 to 1.11.1.

Release notes

Sourced from nokogiri's releases.

v1.11.1 / 2021-01-06

Fixed

• [CRuby] If libxml-ruby is loaded before nokogiri, the SAX and Push parsers no longer call libxml-ruby's handlers. Instead, they defensively override the libxml2 global handler before parsing. [#2168]

SHA-256 Checksums of published gems

a41091292992cb99be1b53927e1de4abe5912742ded956b0ba3383ce4f29711c  nokogiri-1.11.1-arm64-darwin.gem
d44fccb8475394eb71f29dfa7bb3ac32ee50795972c4557ffe54122ce486479d  nokogiri-1.11.1-java.gem
f760285e3db732ee0d6e06370f89407f656d5181a55329271760e82658b4c3fc  nokogiri-1.11.1-x64-mingw32.gem
dd48343bc4628936d371ba7256c4f74513b6fa642e553ad7401ce0d9b8d26e1f  nokogiri-1.11.1-x86-linux.gem
7f49138821d714fe2c5d040dda4af24199ae207960bf6aad4a61483f896bb046  nokogiri-1.11.1-x86-mingw32.gem
5c26111f7f26831508cc5234e273afd93f43fbbfd0dcae5394490038b88d28e7  nokogiri-1.11.1-x86_64-darwin.gem
c3617c0680af1dd9fda5c0fd7d72a0da68b422c0c0b4cebcd7c45ff5082ea6d2  nokogiri-1.11.1-x86_64-linux.gem
42c2a54dd3ef03ef2543177bee3b5308313214e99f0d1aa85f984324329e5caa  nokogiri-1.11.1.gem

v1.11.0 / 2021-01-03

Notes

Faster, more reliable installation: Native Gems for Linux and OSX/Darwin

"Native gems" contain pre-compiled libraries for a specific machine architecture. On supported platforms, this removes the need for compiling the C extension and the packaged libraries. This results in much faster installation and more reliable installation, which as you probably know are the biggest headaches for Nokogiri users.

We've been shipping native Windows gems since 2009, but starting in v1.11.0 we are also shipping native gems for these platforms:

• Linux: x86-linux and x86_64-linux -- including musl platforms like alpine
• OSX/Darwin: x86_64-darwin and arm64-darwin

We'd appreciate your thoughts and feedback on this work at #2075.

Dependencies

Ruby

This release introduces support for Ruby 2.7 and 3.0 in the precompiled native gems.

This release ends support for:

• Ruby 2.3, for which official support ended on 2019-03-31 [#1886] (Thanks @ashmaroli!)
• Ruby 2.4, for which official support ended on 2020-04-05
• JRuby 9.1, which is the Ruby 2.3-compatible release.

Gems

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.11.1 / 2021-01-06

Fixed

• [CRuby] If libxml-ruby is loaded before nokogiri, the SAX and Push parsers no longer call libxml-ruby's handlers. Instead, they defensively override the libxml2 global handler before parsing. [#2168]

v1.11.0 / 2021-01-03

Notes

Faster, more reliable installation: Native Gems for Linux and OSX/Darwin

"Native gems" contain pre-compiled libraries for a specific machine architecture. On supported platforms, this removes the need for compiling the C extension and the packaged libraries. This results in much faster installation and more reliable installation, which as you probably know are the biggest headaches for Nokogiri users.

We've been shipping native Windows gems since 2009, but starting in v1.11.0 we are also shipping native gems for these platforms:

• Linux: x86-linux and x86_64-linux -- including musl platforms like alpine
• OSX/Darwin: x86_64-darwin and arm64-darwin

We'd appreciate your thoughts and feedback on this work at #2075.

Dependencies

Ruby

This release introduces support for Ruby 2.7 and 3.0 in the precompiled native gems.

This release ends support for:

• Ruby 2.3, for which official support ended on 2019-03-31 [#1886] (Thanks @ashmaroli!)
• Ruby 2.4, for which official support ended on 2020-04-05
• JRuby 9.1, which is the Ruby 2.3-compatible release.

Gems

• Explicitly add racc as a runtime dependency. [#1988] (Thanks, @voxik!)
• [MRI] Upgrade mini_portile2 dependency from ~> 2.4.0 to ~> 2.5.0 [#2005] (Thanks, @alejandroperea!)

Security

See note below about CVE-2020-26247 in the "Changed" subsection entitled "XML::Schema parsing treats input as untrusted by default".

Added

• Add Node methods for manipulating "keyword attributes" (for example, class and rel): #kwattr_values, #kwattr_add, #kwattr_append, and #kwattr_remove. [#2000]

... (truncated)

Commits

• 7be6f04 version bump to v1.11.1
• aa0c399 dev: overhaul .gitignore
• 3d90c6d Merge pull request #2169 from sparklemotion/2168-active-support-test-failure
• bbf850c changelog: update for #2168
• ee69772 ci: another valgrind suppression
• f9a2c4e fix: restore proper error handling in the SAX push parser
• 35aa88b fix(cruby): reset libxml2's error handler in sax and push parsers
• 07459fd fix(test): clobber libxml2's global error handler before every test
• b682ac5 ci: ensure all tests are running setup
• 007662f github: update "installation difficulty" issue template
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dentarg]

Hmm... after merging this and git pull locally

$ bundle
Fetching gem metadata from https://rubygems.org/.........
Using rake 13.0.3
Using concurrent-ruby 1.1.7
Using i18n 1.8.5
Using minitest 5.14.2
Using thread_safe 0.3.6
Using tzinfo 1.2.7
Using zeitwerk 2.4.0
Using activesupport 6.0.3.2
Using public_suffix 4.0.6
Using addressable 2.7.0
Using ast 2.4.1
Using bundler 1.17.3
Using climate_control 0.2.0
Using coderay 1.1.3
Using ruby-enum 0.8.0
Using commonmarker 0.21.0
Using rexml 3.2.4
Using crack 0.4.5
Using unf_ext 0.0.7.7
Using unf 0.1.4
Using domain_name 0.5.20190701
Using multipart-post 2.1.1
Using faraday 0.17.3
Using foreman 0.87.2
Using github-markup 3.0.5
Using temple 0.8.2
Using tilt 2.0.10
Using haml 5.2.1
Using hashdiff 1.0.1
Installing mini_portile2 2.5.0
Installing racc 1.5.2 with native extensions
Fetching nokogiri 1.11.1 (x86_64-darwin)
Installing nokogiri 1.11.1 (x86_64-darwin)
Using html-pipeline 2.14.0
Using http-accept 1.7.0
Using http-cookie 1.0.3
Using method_source 1.0.0
Using mime-types-data 3.2020.1104
Using mime-types 3.3.1
Using multi_json 1.15.0
Using ruby2_keywords 0.0.2
Using mustermann 1.1.1
Using netrc 0.11.0
Using nio4r 2.5.4
Using sawyer 0.8.2
Using octokit 4.20.0
Using parallel 1.20.1
Using parser 3.0.0.0
Using pg 1.2.3
Using pry 0.13.1
Using puma 5.1.1
Using rack 2.2.3
Using rack-flash3 1.0.5
Using rack-protection 2.1.0
Using rack-ssl 1.4.1
Using rack-test 1.1.0
Using racksh 1.0.0
Using rainbow 3.0.0
Using regexp_parser 2.0.2
Using rest-client 2.1.0
Using rubocop-ast 1.3.0
Using ruby-progressbar 1.10.1
Using unicode-display_width 1.7.0
Using rubocop 1.7.0
Using sentry-raven 2.9.0
Installing sequel 5.40.0
Using sequel_pg 1.14.0
Using sinatra 2.1.0
Using sinatra-contrib 2.1.0
Using wait_for_it 0.2.1
Using warning 1.1.0
Using webmock 3.11.0
Updating files in vendor/cache
  * nokogiri-1.11.1-x86_64-darwin.gem
Bundle complete! 27 Gemfile dependencies, 71 gems now installed.
Use `bundle info [gemname]` to see where a bundled gem is installed.

$ git status
On branch master
Your branch is up to date with 'origin/master'.

Untracked files:
  (use "git add <file>..." to include in what will be committed)
	vendor/cache/nokogiri-1.11.1-x86_64-darwin.gem

nothing added to commit but untracked files present (use "git add" to track)

$ bundler --version
Bundler version 1.17.3

[dentarg]

Related stuff:

• https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0
• Feedback and final to-do items for precompiled native gems on Linux and OSX sparklemotion/nokogiri#2075
• Dependabot removing platform specific gems from Gemfile.lock dependabot/dependabot-core#2927
• buildpack bundler version with latest nokogiri (1.11.0 - native gems) fails to deploy heroku/heroku-buildpack-ruby#1105 (our build succeeded though)

I'm gonna commit vendor/cache/nokogiri-1.11.1-x86_64-darwin.gem and see what happens

[dentarg]

I'm gonna commit vendor/cache/nokogiri-1.11.1-x86_64-darwin.gem and see what happens

Both CI and deploy went fine, from the deploy log: Using nokogiri 1.11.1 (x86_64-linux)

[dentarg]

I wonder if we need to add back the vendoring workflow, but run it on macOS? 🤔 Or will Dependabot be able to update both vendored native .gem files in the future? Any thoughts @jurre / @feelepxyz?

(or @greysteil as you just commented in the old issue 😆 (I know you are not as involved in Dependabot anymore as before))

[greysteil]

Too complicated for me - I'll leave that one for @jurre and @feelepxyz!

[jurre]

Hmm, I know that a feature was added to the latest version of Bundler to support updating all platforms, but we don't run that version of Bundler yet. I'll try to find some time this week to look into how we can support this in the current version of bundler. Adding back the vendoring workflow and running it on macOS would probably work, but I'm pretty sure we can tell bundler to do the right thing, maybe by running bundle lock --add-platform, but I'll have to dive into it a bit.

Edit: I wonder if having the OSX version installed before running this ensures that it'll be present in subsequent updates. Currently I'm mostly wondering how Dependabot can tell which versions to install 🤔

[dentarg]

@jurre or @feelepxyz, has there been any progress in this area?

Dependabot PR #256 Bump nokogiri from 1.11.1 to 1.11.5 only updated the linux version, the darwin version was removed

• removed vendor/cache/nokogiri-1.11.1-x86_64-darwin.gem
• removed vendor/cache/nokogiri-1.11.1-x86_64-linux.gem
• added vendor/cache/nokogiri-1.11.5-x86_64-linux.gem

The Gemfile only have ruby as the platform

wikimum/Gemfile.lock

Lines 137 to 138 in 4431e97

	PLATFORMS
	ruby

Maybe because Bundler 1.17.3 was used? Not sure if Dependabot cares about this or not, either way I'm gonna update that to 2.2.23 today.

wikimum/Gemfile.lock

Lines 172 to 173 in 4431e97

	BUNDLED WITH
	1.17.3

[feelepxyz]

@dentarg yes this should be fixed in bundler 2. Let us know if you run into issues with it.

[dentarg]

#273 added vendor/cache/nokogiri-1.11.5.gem