
Dependency to vulnerable nokogiri version #8

Closed

guentr opened this issue Apr 23, 2019 · 1 comment


guentr commented Apr 23, 2019

html2text depends on nokogiri "~> 1.8.5", which has a vulnerability in this version (CVE-2019-11068, see sparklemotion/nokogiri#1892). Updating nokogiri dependency to "~> 1.10.3" should resolve this issue I guess?

soundasleep added a commit that referenced this issue Jun 11, 2019
Resolves CVE-2019-11068, issue #8

https://nvd.nist.gov/vuln/detail/CVE-2019-11068

Also add bundler-audit, and connect with travis, so that we can verify
that the Gemfile.lock is not relying on any vulnerable dependencies. (Of
course, this does not impact users of the gem, who will have their own
Gemfile.lock.)
soundasleep (Owner) commented

Thank you for the report! I've bumped the nokogiri requirement in 665a486, will release a new version later today.
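The thread turns on two points: a pessimistic constraint like "~> 1.8.5" can never resolve to the fixed 1.10.3 line, and even a constraint that can reach the fix still leaves downstream users free to lock an older, vulnerable version, which is why the commit also wires bundler-audit into CI. The Ruby script below is an added example, not code from the html2text project or from nokogiri, that uses RubyGems' own `Gem::Requirement` to show both effects. It assumes, following the issue text, that nokogiri versions below 1.10.3 are the vulnerable ones, and the candidate version list is constructed for the demonstration rather than pulled from rubygems.org.

```ruby
# Added example (not html2text's or nokogiri's code): check whether a gemspec
# dependency constraint can still resolve to a version treated as vulnerable.
require "rubygems"

# Assumption taken from the issue: "~> 1.8.5" is reported vulnerable and
# "~> 1.10.3" resolves it, so this example treats "< 1.10.3" as vulnerable.
FIXED_VERSION = Gem::Version.new("1.10.3")

# Constructed list of released versions the resolver could choose from.
CANDIDATE_VERSIONS = %w[
  1.8.4 1.8.5 1.9.0 1.9.1 1.10.0 1.10.2 1.10.3 1.10.4 1.11.0
].map { |v| Gem::Version.new(v) }

def vulnerable?(version)
  version < FIXED_VERSION
end

# All candidate versions the constraint string admits.
# "~> 1.8.5" means ">= 1.8.5, < 1.9", so it can never reach 1.10.x.
def admitted_versions(constraint, candidates = CANDIDATE_VERSIONS)
  requirement = Gem::Requirement.new(constraint)
  candidates.select { |v| requirement.satisfied_by?(v) }
end

# Highest admitted version, i.e. what a fresh resolve (no Gemfile.lock) picks.
def resolved_version(constraint, candidates = CANDIDATE_VERSIONS)
  admitted_versions(constraint, candidates).max
end

# Summarise a constraint: can it reach a fixed version at all, and does it
# still admit vulnerable ones that a downstream Gemfile.lock could pin?
def audit_constraint(constraint, candidates = CANDIDATE_VERSIONS)
  admitted = admitted_versions(constraint, candidates)
  {
    constraint: constraint,
    admits_vulnerable: admitted.any? { |v| vulnerable?(v) },
    can_reach_fix: admitted.any? { |v| !vulnerable?(v) },
    resolves_to: admitted.max&.to_s,
  }
end

if $PROGRAM_NAME == __FILE__
  # The original constraint, the one from the fix commit, and a loose bound
  # that reaches the fix but still admits vulnerable versions.
  ["~> 1.8.5", "~> 1.10.3", ">= 1.8.5"].each do |constraint|
    puts audit_constraint(constraint).inspect
  end
end
```

The third constraint is the instructive one: ">= 1.8.5" resolves to the newest release on a clean install, yet a user whose Gemfile.lock was generated earlier keeps a vulnerable pin. A constraint bump protects only fresh resolves; running `bundle audit` against the lockfile in CI, as the commit message describes, is what catches the already-locked case.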
