π¨ [security] Update nokogiri 1.10.4 β 1.18.9 (minor) #41
Conversation
|
Hi! I'm VTEX IO CI/CD Bot and I'll be helping you to publish your app! π€ Please select which version do you want to release:
And then you just need to merge your PR when you are ready! There is no need to create a release commit/tag.
|
|
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
|
Welcome to Depfu π
This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.
After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.
Let us know if you have any questions. Thanks so much for giving Depfu a try!
π¨ Your current dependencies have known security vulnerabilities π¨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
Security Advisories π¨
π¨ Nokogiri patches vendored libxml2 to resolve multiple CVEs
π¨ Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415
π¨ Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs
π¨ Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171
π¨ Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459
π¨ Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062
π¨ Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062
π¨ Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs
π¨ Unchecked return value from xmlTextReaderExpand
π¨ Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
π¨ libxslt Type Confusion vulnerability that affects Nokogiri
π¨ Uninitialized read in Nokogiri gem
π¨ Nokogiri affected by libxslt Use of Uninitialized Resource/Use After Free vulnerability
π¨ Nokogiri implementation of libxslt vulnerable to heap corruption
π¨ Nokogiri Implements libxml2 version vulnerable to null pointer dereferencing
π¨ Nokogiri Implements libxml2 version vulnerable to use-after-free
π¨ Nokogiri contains libxml Out-of-bounds Write vulnerability
π¨ Nokogiri has vulnerable dependencies on libxml2 and libxslt
π¨ Nokogiri Improperly Handles Unexpected Data Type
π¨ Integer Overflow or Wraparound in libxml2 affects Nokogiri
π¨ XML Injection in Xerces Java affects Nokogiri
π¨ Out-of-bounds Write in zlib affects Nokogiri
π¨ Denial of Service (DoS) in Nokogiri on JRuby
π¨ Nokogiri Inefficient Regular Expression Complexity
π¨ Nokogiri affected by zlib's Out-of-bounds Write vulnerability
π¨ Vulnerable dependencies in Nokogiri
π¨ Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
π¨ Nokogiri updates packaged dependency on libxml2 from 2.9.10 to 2.9.12
π¨ Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability
π¨ libxml as used in Nokogiri has an infinite loop in a certain end-of-file situation
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
π racc (added, 1.8.1)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands