-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weβll occasionally send you account related emails.
Already on GitHub? Sign in to your account
π¨ [security] Update nokogiri 1.10.4 β 1.15.6 (minor) #36
Conversation
Hi! I'm VTEX IO CI/CD Bot and I'll be helping you to publish your app! π€ Please select which version do you want to release:
And then you just need to merge your PR when you are ready! There is no need to create a release commit/tag.
|
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
Quality Gate passedIssues Measures |
Closed in favor of #37. |
Closed in favor of #37. |
10 similar comments
Closed in favor of #37. |
Closed in favor of #37. |
Closed in favor of #37. |
Closed in favor of #37. |
Closed in favor of #37. |
Closed in favor of #37. |
Closed in favor of #37. |
Closed in favor of #37. |
Closed in favor of #37. |
Closed in favor of #37. |
Welcome to Depfu π
This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.
After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.
Let us know if you have any questions. Thanks so much for giving Depfu a try!
π¨ Your current dependencies have known security vulnerabilities π¨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
Security Advisories π¨
π¨ Use-after-free in libxml2 via Nokogiri::XML::Reader
π¨ Update packaged libxml2 to v2.10.4 to resolve multiple CVEs
π¨ Unchecked return value from xmlTextReaderExpand
π¨ Nokogiri Implements libxml2 version vulnerable to null pointer dereferencing
π¨ Nokogiri Implements libxml2 version vulnerable to use-after-free
π¨ Nokogiri contains libxml Out-of-bounds Write vulnerability
π¨ libxslt Type Confusion vulnerability that affects Nokogiri
π¨ Nokogiri implementation of libxslt vulnerable to heap corruption
π¨ Nokogiri affected by libxslt Use of Uninitialized Resource/ Use After Free vulnerability
π¨ Improper Handling of Unexpected Data Type in Nokogiri
π¨ Integer Overflow or Wraparound in libxml2 affects Nokogiri
π¨ XML Injection in Xerces Java affects Nokogiri
π¨ Out-of-bounds Write in zlib affects Nokogiri
π¨ Denial of Service (DoS) in Nokogiri on JRuby
π¨ Inefficient Regular Expression Complexity in Nokogiri
π¨ Update packaged libxml2 (2.9.12 β 2.9.13) and libxslt (1.1.34 β 1.1.35)
π¨ Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
π¨ Update packaged dependency libxml2 from 2.9.10 to 2.9.12
π¨ Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
π¨ xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
π¨ Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Release Notes
Too many releases to show here. View the full release notes.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
π racc (added, 1.7.3)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase
.All Depfu comment commands