Bump nokogiri from 1.9.1 to 1.11.7

[dependabot]

Bumps nokogiri from 1.9.1 to 1.11.7.

Release notes

Sourced from nokogiri's releases.

1.11.7 / 2021-06-02

• [CRuby] Backporting an upstream fix to XPath recursion depth limits which impacted some users of complex XPath queries. This issue is present in libxml 2.9.11 and 2.9.12. [#2257]

Checksums

SHA256:

4976a9c9e796527d51dc6c311b9bd93a0233f6a7962a0f569aa5c782461836ef  nokogiri-1.11.7.gem
9d69f57f6c024d86e358a8aef7a273f574721e48a6b2e1426cca007827325413  nokogiri-1.11.7-java.gem
6017dee25feb80292b04554cc1bf8a0a2ede3b6c3daeac811902157bbc6a3bdc  nokogiri-1.11.7-x64-mingw32.gem
38892350c1e695eab9bd77483300d681c32a22714d0e2d04d10a4c343b424bdd  nokogiri-1.11.7-x86-mingw32.gem
1d15603cd878fa2b710a3ba3028a99d9dd0c14b75711faebf9fb6ff40bac3880  nokogiri-1.11.7-x86-linux.gem
7ad9741e7a2fee1ffb4a4b2e20b00e87992c9efd969f557ca3b83fb2653b9bfc  nokogiri-1.11.7-x86_64-linux.gem
c93d66d9413ea7c37d30f95e2c54606fec638e556d454e08124d9a33b7fa82c8  nokogiri-1.11.7-arm64-darwin.gem
8761d9c7baacb26546869ed56dbc78d3eb3cabf49b85d91b1cd827cd6e94fb25  nokogiri-1.11.7-x86_64-darwin.gem

1.11.6 / 2021-05-26

Fixed

• [CRuby] DocumentFragment#path now does proper error-checking to handle behavior introduced in libxml > 2.9.10. In v1.11.4 and v1.11.5, calling DocumentFragment#path could result in a segfault.

1.11.5 / 2021-05-19

Fixed

[Windows CRuby] Work around segfault at process exit on Windows when using libxml2 system DLLs.

libxml 2.9.12 introduced new behavior to avoid memory leaks when unloading libxml2 shared libraries (see libxml/!66). Early testing caught this segfault on non-Windows platforms (see #2059 and libxml@956534e) but it was incompletely fixed and is still an issue on Windows platforms that are using system DLLs.

We work around this by configuring libxml2 in this situation to use its default memory management functions. Note that if Nokogiri is not on Windows, or is not using shared system libraries, it will will continue to configure libxml2 to use Ruby's memory management functions. Nokogiri::VERSION_INFO["libxml"]["memory_management"] will allow you to verify when the default memory management functions are being used. [#2241]

Added

Nokogiri::VERSION_INFO["libxml"] now contains the key "memory_management" to declare whether libxml2 is using its default memory management functions, or whether it uses the memory management functions from ruby. See above for more details.

1.11.4 / 2021-05-14

Security

[CRuby] Vendored libxml2 upgraded to v2.9.12 which addresses:

• CVE-2019-20388
• CVE-2020-24977

... (truncated)

Changelog

Sourced from nokogiri's changelog.

1.11.7 / 2021-06-02

Fixed

• [CRuby] Backporting an upstream fix to XPath recursion depth limits which impacted some users of complex XPath queries. This issue is present in libxml 2.9.11 and 2.9.12. [#2257]

1.11.6 / 2021-05-26

Fixed

• [CRuby] DocumentFragment#path now does proper error-checking to handle behavior introduced in libxml > 2.9.10. In v1.11.4 and v1.11.5, calling DocumentFragment#path could result in a segfault.

1.11.5 / 2021-05-19

Fixed

[Windows CRuby] Work around segfault at process exit on Windows when using libxml2 system DLLs.

libxml 2.9.12 introduced new behavior to avoid memory leaks when unloading libxml2 shared libraries (see libxml/!66). Early testing caught this segfault on non-Windows platforms (see #2059 and libxml@956534e) but it was incompletely fixed and is still an issue on Windows platforms that are using system DLLs.

We work around this by configuring libxml2 in this situation to use its default memory management functions. Note that if Nokogiri is not on Windows, or is not using shared system libraries, it will will continue to configure libxml2 to use Ruby's memory management functions. Nokogiri::VERSION_INFO["libxml"]["memory_management"] will allow you to verify when the default memory management functions are being used. [#2241]

Added

Nokogiri::VERSION_INFO["libxml"] now contains the key "memory_management" to declare whether libxml2 is using its default memory management functions, or whether it uses the memory management functions from ruby. See above for more details.

1.11.4 / 2021-05-14

Security

[CRuby] Vendored libxml2 upgraded to v2.9.12 which addresses:

• CVE-2019-20388
• CVE-2020-24977
• CVE-2021-3517
• CVE-2021-3518
• CVE-2021-3537
• CVE-2021-3541

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please see nokogiri/GHSA-7rrm-v45f-jp64 or #2233 for a more complete analysis of these CVEs and patches.

Dependencies

... (truncated)

Commits

• 0a6681e version bump to v1.11.7
• de0844c test: add coverage for xpath recursion depth fix
• ed38fea Merge pull request #2258 from sparklemotion/2257-libxml2-xpath-recursion-limi...
• 1f6c661 fix: upstream libxml2 bug in calculating xpath query recursion depth
• a48c305 version bump to v1.11.6
• d7b58c3 Merge pull request #2252 from sparklemotion/2250-doc-frag-path-v1_11_x
• a1b0e6b update CHANGELOG
• d0f14d1 fix: DocumentFragment#path checks for error case in libxml 2.9.11+
• e43f521 version bump to v1.11.5
• 42354e4 Merge pull request #2243 from sparklemotion/flavorjones-v1_11_x-update-tests-...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.