
Bump the bundler group across 2 directories with 20 updates #4

Open
wants to merge 1 commit into
base: master

dependabot[bot]

@dependabot dependabot bot commented on behalf of github May 14, 2024

Bumps the bundler group with 11 updates in the /rails3-deps directory:

| Package | From | To |
| --- | --- | --- |
| omniauth | 1.3.1 | 1.4.2 |
| redcarpet | 3.3.4 | 3.5.1 |
| sanitize | 4.0.1 | 6.0.2 |
| addressable | 2.4.0 | 2.8.6 |
| ffi | 1.9.10 | 1.16.3 |
| i18n | 0.7.0 | 0.9.5 |
| json | 1.8.3 | 1.8.6 |
| rake | 10.5.0 | 13.2.1 |
| rubyzip | 1.1.7 | 2.3.2 |
| tzinfo | 0.3.46 | 0.3.62 |
| yard | 0.8.7.6 | 0.9.36 |

Bumps the bundler group with 13 updates in the /rails4-deps directory:

| Package | From | To |
| --- | --- | --- |
| omniauth | 1.3.1 | 1.4.3 |
| rack | 1.6.4 | 1.6.13 |
| redcarpet | 3.3.4 | 3.5.1 |
| sanitize | 4.0.1 | 6.0.2 |
| addressable | 2.4.0 | 2.8.0 |
| ffi | 1.9.10 | 1.16.3 |
| rake | 11.1.1 | 13.2.1 |
| rubyzip | 1.2.0 | 2.3.2 |
| sprockets | 3.5.2 | 3.7.3 |
| actionpack-page_caching | 1.0.2 | 1.2.4 |
| dalli | 2.7.6 | 3.2.3 |
| httparty | 0.13.7 | 0.21.0 |
| globalid | 0.3.6 | 0.4.2 |

Updates omniauth from 1.3.1 to 1.4.2

Release notes

Sourced from omniauth's releases.

v1.4.2

Fixes

  • Mitigate Hashie regressions

v1.4.1

Security Updates

  • Update Rack to => 1.6.2

v1.4.0

Dropped

  • Dropped support Ruby 1.8.7

Fixed

  • Silence Hashie::Mash logger on Hashie 3.5.0+
  • Use secure URL for OpenID asset

Commits
  • 9897127 Bump version to 1.4.2
  • 6abedb0 Merge pull request #880 from omniauth/hashie
  • df7699d Temporary Hashie Regression Fix
  • 2dccbb5 Bump version to 1.4.1
  • 3c0f586 Merge pull request #878 from omniauth/dependency-updates
  • c299e30 Gem updates CI tests
  • 949ffca Bump version to 1.4.0
  • 0edc7ec Merge pull request #874 from michaelherold/silence-mash-logger
  • 00481a9 Silence Hashie::Mash logger on Hashie 3.5.0+
  • cb82bb4 Merge pull request #876 from omniauth/secure-asset-url
  • Additional commits viewable in compare view

Updates redcarpet from 3.3.4 to 3.5.1

Release notes

Sourced from redcarpet's releases.

Redcarpet v3.5.1

Fix a security vulnerability using :quote in combination with the :escape_html option.

Reported by Johan Smits.

v3.5.0

This release mostly ships with bug fixes and tiny improvements.

Improvements

  • Avoid mutating the options hash passed to a render object (See #663).

  • Automatically enable the fenced_code_blocks option passing a HTML_TOC object to the Markdown object's constructor since some languages rely on the sharp to comment code (See #451).

  • Remove the rel and rev attributes from the output generated for footnotes as they don't pass the HTML 5 validation (See #536).

  • Allow passing Range objects to the nesting_level option to have a higher level of customization for table of contents (See #519):

    Redcarpet::Render::HTML_TOC.new(nesting_level: 2..5)

Bug fixes

  • Fix a segfault rendering quotes using StripDown and the :quote option.

  • Fix SmartyPants single quotes right after a link. For example:

    [John](http://john.doe)'s cat

    Will now properly convert ' to a right single quote (i.e. ’).

v3.4.0

Redcarpet v3.4.0

This new release ships with a bunch of bug fixes especially regarding anchor generation.

Improvements to anchor generation

The anchor generation now relies on a djb2 hashing algorithm whenever the generated anchor is empty as non alpha-numeric chars. This is specifically interesting for CJK contents as Redcarpet used to generate empty anchors dealing with titles in these locales.

Special thanks to Alexey Kopytko and namusyaka for their work on that !

Also now, the html-escaped entities are removed from anchors generated with the HTML render in order to be consistent with the HTML_TOC render and as it is more expected.

Other improvements

  • Table headers don't require a minimum of three dashes anymore; a single one can be used for each row.
  • The Markdown and rendering options are now exposed through a Hash inside the @options instance variable inside your custom render objects.

Bug fixes

... (truncated)

Changelog

Sourced from redcarpet's changelog.

Version 3.5.1 (Security)

  • Fix a security vulnerability using :quote in combination with the :escape_html option.

    Reported by Johan Smits.

Version 3.5.0

  • Avoid mutating the options hash passed to a render object.

    Refs #663.

    Max Schwenk

  • Fix a segfault rendering quotes using StripDown and the :quote option.

    Fixes #639.

  • Fix warning: instance variable @options not initialized when running under verbose mode (-w, $VERBOSE = true).

  • Fix SmartyPants single quotes right after a link. For example:

    [John](http://john.doe)'s cat

    Will now properly convert ' to a right single quote (i.e. ’).

    Fixes #624.

  • Remove the rel and rev attributes from the output generated for footnotes as they don't pass the HTML 5 validation.

    Fixes #536.

  • Automatically enable the fenced_code_blocks option passing a HTML_TOC object to the Markdown object's constructor since some languages rely on the sharp to comment code.

    Fixes #451.

  • Allow passing Range objects to the nesting_level option to have a higher level of customization for table of contents:

    Redcarpet::Render::HTML_TOC.new(nesting_level: 2..5)

... (truncated)

Commits
  • a699c82 Fix a security issue using :quote with :escape_html
  • 6270d6b Redcarpet v3.5.0
  • 94f6e27 Tiny follow-up to #663
  • 3100f65 Merge pull request #663 from maschwenk/dont-mutate-options
  • fc52d9c Add regression test
  • 03e7997 Don't mutated passed options
  • 92a7b3a Fix a segfault with StripDown and the :quote option
  • 7352162 Merge pull request #649 from rbalint/master
  • e23383e Merge pull request #650 from kolen/fix-warning-options-not-initialized
  • 6b86656 Fix "instance variable @​options not initialized" warning
  • Additional commits viewable in compare view

Updates sanitize from 4.0.1 to 6.0.2

Release notes

Sourced from sanitize's releases.

v6.0.2

Bug Fixes

  • CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS (cross-site scripting). This issue affects Sanitize versions 3.0.0 through 6.0.1.

    When using Sanitize's relaxed config or a custom config that allows <style> elements and one or more CSS at-rules, carefully crafted input could be used to sneak arbitrary HTML through Sanitize.

    See the following security advisory for additional details: GHSA-f5ww-cq3m-q3g7

    Thanks to @​cure53 for finding this issue.

v6.0.1

Bug Fixes

  • Sanitize now always removes <noscript> elements and their contents, even when noscript is in the allowlist.

    This fixes a sanitization bypass that could occur when noscript was allowed by a custom allowlist. In this scenario, carefully crafted input could sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.

    Sanitize's default configs don't allow <noscript> elements and are not vulnerable. This issue only affects users who are using a custom config that adds noscript to the element allowlist.

    The root cause of this issue is that HTML parsing rules treat the contents of a <noscript> element differently depending on whether scripting is enabled in the user agent. Nokogiri doesn't support scripting so it follows the "scripting disabled" rules, but a web browser with scripting enabled will follow the "scripting enabled" rules. This means that Sanitize can't reliably make the contents of a <noscript> element safe for scripting enabled browsers, so the safest thing to do is to remove the element and its contents entirely.

    See the following security advisory for additional details: GHSA-fw3g-2h3j-qmm7

    Thanks to David Klein from TU Braunschweig (@​leeN) for reporting this issue.

  • Fixed an edge case in which the contents of an "unescaped text" element (such as <noembed> or <xmp>) were not properly escaped if that element was allowlisted and was also inside an allowlisted <math> or <svg> element.

    The only way to encounter this situation was to ignore multiple warnings in the readme and create a custom config that allowlisted all the elements involved, including <math> or <svg>. If you're using a default config or if you heeded the warnings about MathML and SVG not being supported, you're not affected by this issue.

    Please let this be a reminder that Sanitize cannot safely sanitize MathML or SVG content and does not support this use case. The default configs don't allow MathML or SVG elements, and allowlisting MathML or SVG elements in a custom config may create a security vulnerability in your application.

    Documentation has been updated to add more warnings and to make the existing warnings about this more prominent.

    Thanks to David Klein from TU Braunschweig (@​leeN) for reporting this issue.

v6.0.0

Potentially Breaking Changes

  • Ruby 2.5.0 is now the oldest officially supported Ruby version.

  • Sanitize now requires Nokogiri 1.12.0 or higher, which includes Nokogumbo. The separate dependency on Nokogumbo has been removed. [@lis2 - #211]

v5.2.3

Bug Fixes

  • Ensure protocol sanitization is applied to data attributes. [@ccutrer - #207]

... (truncated)

Changelog

Sourced from sanitize's changelog.

6.0.2 (2023-07-06)

Bug Fixes

  • CVE-2023-36823: Fixed an HTML+CSS sanitization bypass that could allow XSS (cross-site scripting). This issue affects Sanitize versions 3.0.0 through 6.0.1.

    When using Sanitize's relaxed config or a custom config that allows <style> elements and one or more CSS at-rules, carefully crafted input could be used to sneak arbitrary HTML through Sanitize.

    See the following security advisory for additional details: GHSA-f5ww-cq3m-q3g7

    Thanks to @​cure53 for finding this issue.

6.0.1 (2023-01-27)

Bug Fixes

  • Sanitize now always removes <noscript> elements and their contents, even when noscript is in the allowlist.

    This fixes a sanitization bypass that could occur when noscript was allowed by a custom allowlist. In this scenario, carefully crafted input could sneak arbitrary HTML through Sanitize, potentially enabling an XSS (cross-site scripting) attack.

    Sanitize's default configs don't allow <noscript> elements and are not vulnerable. This issue only affects users who are using a custom config that adds noscript to the element allowlist.

    The root cause of this issue is that HTML parsing rules treat the contents of a <noscript> element differently depending on whether scripting is enabled in the user agent. Nokogiri doesn't support scripting so it follows the "scripting disabled" rules, but a web browser with scripting enabled will follow the "scripting enabled" rules. This means that Sanitize can't reliably make the contents of a <noscript> element safe for scripting enabled browsers, so the safest thing to do is to remove the element and its contents entirely.

    See the following security advisory for additional details: GHSA-fw3g-2h3j-qmm7

    Thanks to David Klein from TU Braunschweig (@​leeN) for reporting this issue.

  • Fixed an edge case in which the contents of an "unescaped text" element (such as <noembed> or <xmp>) were not properly escaped if that element was

... (truncated)

Commits

Updates addressable from 2.4.0 to 2.8.6

Changelog

Sourced from addressable's changelog.

Addressable 2.8.6

  • Memoize regexps for common character classes (#524)

#524: sporkmonger/addressable#524

Addressable 2.8.5

  • Fix thread safety issue with encoding tables (#515)
  • Define URI::NONE as a module to avoid serialization issues (#509)
  • Fix YAML serialization (#508)

#508: sporkmonger/addressable#508 #509: sporkmonger/addressable#509 #515: sporkmonger/addressable#515

Addressable 2.8.4

  • Restore Addressable::IDNA.unicode_normalize_kc as a deprecated method (#504)

#504: sporkmonger/addressable#504

Addressable 2.8.3

  • Fix template expand level 2 hash support for non-string objects (#499, #498)

#499: sporkmonger/addressable#499 #498: sporkmonger/addressable#498

Addressable 2.8.2

  • Improve cache hits and JIT friendliness (#486)
  • Improve code style and test coverage (#482)
  • Ensure reset of deferred validation (#481)
  • Resolve normalization differences between IDNA::Native and IDNA::Pure (#408, #492)
  • Remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438) (accidentally reverted by #449 merge but added back in #492)

#492: sporkmonger/addressable#492

Addressable 2.8.1

  • refactor Addressable::URI.normalize_path to address linter offenses (#430)
  • update gemspec to reflect supported Ruby versions (#466, #464, #463)
  • compatibility w/ public_suffix 5.x (#466, #465, #460)
  • fixes "invalid byte sequence in UTF-8" exception when unencoding URLs containing non UTF-8 characters (#459)
  • Ractor compatibility (#449)
  • use the whole string instead of a single line for template match (#431)
  • force UTF-8 encoding only if needed (#341)

#449: sporkmonger/addressable#449 #460: sporkmonger/addressable#460 #463: sporkmonger/addressable#463 #464: sporkmonger/addressable#464 #465: sporkmonger/addressable#465 #466: sporkmonger/addressable#466

... (truncated)

Commits
  • 35a0f5c gemspec: more #freeze and rubygems_version bump (#526)
  • 63ab40e Update version, gemspec, and CHANGELOG for 2.8.6 (#525)
  • 20879a9 Memoize regexps for common character classes (#524)
  • 60feb48 Link directly to versioned changelog from gemspec (#522)
  • d3635cc Bump actions/checkout from 3 to 4 (#521)
  • 7cd185e Update version, gemspec, and CHANGELOG for 2.8.5 (#518)
  • a5a8514 Fix gemspec generation (#517)
  • e01456b Fix thread safety issue with encoding tables (#515)
  • cf2153e Allow ruby-head to fail (#516)
  • b56cef3 Define URI::NONE as a module to avoid serialization issues (#509)
  • Additional commits viewable in compare view

Updates ffi from 1.9.10 to 1.16.3

Changelog

Sourced from ffi's changelog.

1.16.3 / 2023-10-04

Fixed:

  • Fix gcc error when building on CentOS 7. #1052
  • Avoid trying to store new DataConverter type in frozen TypeDefs hash. #1057

1.16.2 / 2023-09-25

Fixed:

  • Handle null pointer crash after fork. #1051

1.16.1 / 2023-09-24

Fixed:

  • Fix compiling the builtin libffi. #1049

1.16.0 / 2023-09-23

Fixed:

  • Fix an issue with signed bitmasks when using flags on the most significant bit. #949
  • Fix FFI::Pointer#initialize using NUM2LL instead of NUM2ULL.
  • Fix FFI::Type#inspect to properly display the constant name. #1002
  • Use libffi closure allocations on hppa-Linux. #1017 Previously they would segfault.
  • Fix class name of Symbol#inspect.
  • Fix MSVC support of libtest. #1028
  • Fix attach_function of functions ending in ? or ! #971

Added:

  • Convert all C-based classes to TypedData and use write barriers. #994, #995, #996, #997, #998, #999, #1000, #1001, #1003, #1004, #1005, #1006, #1007, #1008, #1009, #1010, #1011, #1012 This results in less pressure on the garbage collector, since the objects can be promoted to the old generation, which means they only get marked on major GC.
  • Implement ObjectSpace.memsize_of() of all C-based classes.
  • Make FFI Ractor compatible. #1023 Modules extended per extend FFI::Library need to be frozen in order to be used by non-main Ractors. This can be done by calling freeze below of all C interface definitions.
    • In a Ractor it's possible to:
      • load DLLs and call its functions, access its global variables
      • use builtin typedefs
      • use and modify ractor local typedefs
      • define callbacks
      • receive async callbacks from non-ruby threads
      • use frozen FFI::Library based modules with all attributes (enums, structs, typedefs, functions, callbacks)
      • invoke frozen functions and callbacks defined in the main Ractor

... (truncated)

Commits

Updates i18n from 0.7.0 to 0.9.5

Release notes

Sourced from i18n's releases.

v0.9.5

  • #404 reported a regression in 0.9.3, which wasn't fixed by 0.9.4. #408 fixes this issue.

Thanks @​wjordan!

v0.9.4

  • Fixed a regression with chained backends introduced in v0.9.3 (#402) - #405 - bug report / #407 - PR to fix
  • Optimize Backend::Simple#available_locales - reports are that this is now 4x faster than previously - #406

v0.9.3

(For those wondering where v0.9.2 went: I got busy after I pushed the commit for the release, so there was no gem release that day. I am not busy today, so here is v0.9.3 in its stead. This changelog contains changes from v0.9.1 -> v0.9.3)

  • I18n no longer stores translations for unavailable locales. #391.
  • Added the ability to interpolate with arrays #395.
  • Documentation for lambda has been corrected. #396
  • I18n will use oj -- a faster JSON library -- but only if it is available. #398
  • Fixed an issue with translate and default: [false] as an option. #399
  • Fixed an issue with translate with nil and empty keys. #400
  • Fix issue with disabled subtrees and pluralization for KeyValue backend #402

Thank you to @​stereobooster, @​fatkodima and @​lulalala for the patches that went towards this release. We appreciate your efforts!

v0.9.1

  • Reverted Hash#slice behaviour introduced with #250 - See #390.
  • Fixed a regression caused by #387, where translations may have returned a not-helpful error message - See #389

v0.9.0

  • Made Backend::Memoize threadsafe. See #51 and #352.
  • Added a middleware I18n::Middleware that should be used to ensure that i18n config is reset correctly between requests. See #381 and #382.

v0.8.6

Fixed a small regression introduced in v0.8.5 when using fallbacks - See #378

v0.8.5

  • Improved error message for MissingPluralizationKey error - See #371
  • Fixed a thread issue when calling translate when fallbacks were enabled - See #369

v0.8.4

Reverted #236 - "Don't allow nil to be submitted as a key to I18n.translate" - See #370

v0.8.3

I18n::Gettext#plural_keys will now return a hash from Gettext if no arguments are provided - svenfuchs/i18n#122

Fixed a bug where passing false to translate would not translate that value - svenfuchs/i18n#367

v0.8.2

Do not allow nil to be passed to translate - svenfuchs/i18n#236

... (truncated)

Commits
  • 416859a Bump to 0.9.5
  • 5c28de8 Lock Rake to 12.2.x versions
  • 29fe565 Merge pull request #408 from wjordan/enforce_available_locales_false_fix
  • 596a71d store translations for unavailable locales if enforce_available_locales is false
  • 888abcb Bump to 0.9.4
  • ba8b206 Merge pull request #407 from fatkodima/fix-key-value-subtrees
  • 9ddc9f5 Merge pull request #406 from jhawthorn/optimize_available_locales
  • 77c26aa Fix Chained backend with KeyValue
  • 7eb3576 Optimize Backend::Simple#available_locales
  • 7c6ccf4 Bump to 0.9.3
  • Additional commits viewable in compare view

Updates json from 1.8.3 to 1.8.6

Release notes

Sourced from json's releases.

v1.8.6

Full Changelog: ruby/json@v1.8.5...v1.8.6

v1.8.5

Full Changelog: ruby/json@v1.8.3...v1.8.5

Changelog

Sourced from json's changelog.

2017-01-13 (1.8.6)

  • Be compatible with ancient ruby 1.8 (maybe?)

2015-09-11 (1.8.5)

  • Be compatible with ruby 2.4.0
  • There were still some mentions of dual GPL licensing in the source, but JSON has just the Ruby license that itself includes an explicit dual-licensing clause that allows covered software to be distributed under the terms of the Simplified BSD License instead for all ruby versions >= 1.9.3. This is however a GPL compatible license according to the Free Software Foundation. I changed these mentions to be consistent with the Ruby license setting in the gemspec files which were already correct now.

Commits
  • 7f4cfd8 Try to be compatible with ruby 1.8
  • 4cf6c62 Update gemspecs
  • 48c5e99 Stop testing on 1.8, it might work though
  • 5d46fb9 Travis don't know how to build these rubies
  • 7f05140 Fix conversion crash on 1.9
  • 2bcacc1 Require ruby version 2.0 or better
  • f8e2aa6 Reduce supported ruby versions
  • b4eeed1 Test newer rubies
  • c7a6e31 Use 2.3.1 for testing
  • 953f474 Merge RUBY_INTEGER_UNIFICATION changes
  • Additional commits viewable in compare view

Updates nokogiri from 1.6.7.2 to 1.16.5

Release notes

Sourced from nokogiri's releases.

v1.16.5 / 2024-05-13

Security

Dependencies


sha256 checksums:


v1.16.4 / 2024-04-10

Dependencies

  • [CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

sha256 checksums:


... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.16.5

Security

Dependencies

v1.16.4 / 2024-04-10

Dependencies

  • [CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

v1.16.3 / 2024-03-15

Dependencies

Changed

  • [CRuby] XML::Reader sets the @encoding instance variable during reading if it is not passed into the initializer. Previously, it would remain nil. The behavior of Reader#encoding has not changed. This works around changes to how libxml2 reports the encoding used in v2.12.6.

v1.16.2 / 2024-02-04

Security

Dependencies

v1.16.1 / 2024-02-03

Dependencies

... (truncated)

Commits

Updates rake from 10.5.0 to 13.2.1

Changelog

Sourced from rake's changelog.

=== 13.2.1

  • Suppressed "internal:array:52:in 'Array#each'" from backtrace by @​hsbt in #554
  • Bump actions/configure-pages from 4 to 5 by @​dependabot in #553

=== 13.2.0

=== 13.1.0

... (truncated)

Commits
  • d84f6ef Bump up 13.2.1
  • 8b33b36 Merge pull request #553 from ruby/dependabot/github_actions/actions/configure...
  • 99f6823 Merge pull request #554 from ruby/suppress-array-internal
  • 54950e0 Suppressed "<internal:array>:52:in 'Array#each'" from backtrace
  • 675498c Bump up 13.2.0
  • 3dc4277 Bump actions/configure-pages from 4 to 5

Bumps the bundler group with 11 updates in the /rails3-deps directory:

| Package | From | To |
| --- | --- | --- |
| [omniauth](https://github.com/omniauth/omniauth) | `1.3.1` | `1.4.2` |
| [redcarpet](https://github.com/vmg/redcarpet) | `3.3.4` | `3.5.1` |
| [sanitize](https://github.com/rgrove/sanitize) | `4.0.1` | `6.0.2` |
| [addressable](https://github.com/sporkmonger/addressable) | `2.4.0` | `2.8.6` |
| [ffi](https://github.com/ffi/ffi) | `1.9.10` | `1.16.3` |
| [i18n](https://github.com/ruby-i18n/i18n) | `0.7.0` | `0.9.5` |
| [json](https://github.com/flori/json) | `1.8.3` | `1.8.6` |
| [rake](https://github.com/ruby/rake) | `10.5.0` | `13.2.1` |
| [rubyzip](https://github.com/rubyzip/rubyzip) | `1.1.7` | `2.3.2` |
| [tzinfo](https://github.com/tzinfo/tzinfo) | `0.3.46` | `0.3.62` |
| [yard](https://github.com/lsegal/yard) | `0.8.7.6` | `0.9.36` |

Bumps the bundler group with 13 updates in the /rails4-deps directory:

| Package | From | To |
| --- | --- | --- |
| [omniauth](https://github.com/omniauth/omniauth) | `1.3.1` | `1.4.3` |
| [rack](https://github.com/rack/rack) | `1.6.4` | `1.6.13` |
| [redcarpet](https://github.com/vmg/redcarpet) | `3.3.4` | `3.5.1` |
| [sanitize](https://github.com/rgrove/sanitize) | `4.0.1` | `6.0.2` |
| [addressable](https://github.com/sporkmonger/addressable) | `2.4.0` | `2.8.0` |
| [ffi](https://github.com/ffi/ffi) | `1.9.10` | `1.16.3` |
| [rake](https://github.com/ruby/rake) | `11.1.1` | `13.2.1` |
| [rubyzip](https://github.com/rubyzip/rubyzip) | `1.2.0` | `2.3.2` |
| [sprockets](https://github.com/rails/sprockets) | `3.5.2` | `3.7.3` |
| [actionpack-page_caching](https://github.com/rails/actionpack-page_caching) | `1.0.2` | `1.2.4` |
| [dalli](https://github.com/petergoldstein/dalli) | `2.7.6` | `3.2.3` |
| [httparty](https://github.com/jnunemaker/httparty) | `0.13.7` | `0.21.0` |
| [globalid](https://github.com/rails/globalid) | `0.3.6` | `0.4.2` |



Updates `omniauth` from 1.3.1 to 1.4.2
- [Release notes](https://github.com/omniauth/omniauth/releases)
- [Commits](omniauth/omniauth@v1.3.1...v1.4.2)

Updates `redcarpet` from 3.3.4 to 3.5.1
- [Release notes](https://github.com/vmg/redcarpet/releases)
- [Changelog](https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md)
- [Commits](vmg/redcarpet@v3.3.4...v3.5.1)

Updates `sanitize` from 4.0.1 to 6.0.2
- [Release notes](https://github.com/rgrove/sanitize/releases)
- [Changelog](https://github.com/rgrove/sanitize/blob/main/HISTORY.md)
- [Commits](rgrove/sanitize@v4.0.1...v6.0.2)

Updates `addressable` from 2.4.0 to 2.8.6
- [Changelog](https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md)
- [Commits](sporkmonger/addressable@addressable-2.4.0...addressable-2.8.6)

Updates `ffi` from 1.9.10 to 1.16.3
- [Changelog](https://github.com/ffi/ffi/blob/master/CHANGELOG.md)
- [Commits](ffi/ffi@1.9.10...v1.16.3)

Updates `i18n` from 0.7.0 to 0.9.5
- [Release notes](https://github.com/ruby-i18n/i18n/releases)
- [Changelog](https://github.com/ruby-i18n/i18n/blob/master/CHANGELOG.md)
- [Commits](ruby-i18n/i18n@v0.7.0...v0.9.5)

Updates `json` from 1.8.3 to 1.8.6
- [Release notes](https://github.com/flori/json/releases)
- [Changelog](https://github.com/flori/json/blob/master/CHANGES.md)
- [Commits](ruby/json@v1.8.3...v1.8.6)

Updates `nokogiri` from 1.6.7.2 to 1.16.5
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.6.7.2...v1.16.5)

Updates `rake` from 10.5.0 to 13.2.1
- [Release notes](https://github.com/ruby/rake/releases)
- [Changelog](https://github.com/ruby/rake/blob/master/History.rdoc)
- [Commits](ruby/rake@v10.5.0...v13.2.1)

Updates `rubyzip` from 1.1.7 to 2.3.2
- [Release notes](https://github.com/rubyzip/rubyzip/releases)
- [Changelog](https://github.com/rubyzip/rubyzip/blob/master/Changelog.md)
- [Commits](rubyzip/rubyzip@v1.1.7...v2.3.2)

Updates `tzinfo` from 0.3.46 to 0.3.62
- [Release notes](https://github.com/tzinfo/tzinfo/releases)
- [Changelog](https://github.com/tzinfo/tzinfo/blob/master/CHANGES.md)
- [Commits](tzinfo/tzinfo@v0.3.46...v0.3.62)

Updates `yard` from 0.8.7.6 to 0.9.36
- [Release notes](https://github.com/lsegal/yard/releases)
- [Changelog](https://github.com/lsegal/yard/blob/main/CHANGELOG.md)
- [Commits](lsegal/yard@v0.8.7.6...v0.9.36)

Updates `omniauth` from 1.3.1 to 1.4.3
- [Release notes](https://github.com/omniauth/omniauth/releases)
- [Commits](omniauth/omniauth@v1.3.1...v1.4.2)

Updates `rack` from 1.6.4 to 1.6.13
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@1.6.4...1.6.13)

Updates `redcarpet` from 3.3.4 to 3.5.1
- [Release notes](https://github.com/vmg/redcarpet/releases)
- [Changelog](https://github.com/vmg/redcarpet/blob/master/CHANGELOG.md)
- [Commits](vmg/redcarpet@v3.3.4...v3.5.1)

Updates `sanitize` from 4.0.1 to 6.0.2
- [Release notes](https://github.com/rgrove/sanitize/releases)
- [Changelog](https://github.com/rgrove/sanitize/blob/main/HISTORY.md)
- [Commits](rgrove/sanitize@v4.0.1...v6.0.2)

Updates `addressable` from 2.4.0 to 2.8.0
- [Changelog](https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md)
- [Commits](sporkmonger/addressable@addressable-2.4.0...addressable-2.8.6)

Updates `ffi` from 1.9.10 to 1.16.3
- [Changelog](https://github.com/ffi/ffi/blob/master/CHANGELOG.md)
- [Commits](ffi/ffi@1.9.10...v1.16.3)

Updates `i18n` from 0.7.0 to 0.9.5
- [Release notes](https://github.com/ruby-i18n/i18n/releases)
- [Changelog](https://github.com/ruby-i18n/i18n/blob/master/CHANGELOG.md)
- [Commits](ruby-i18n/i18n@v0.7.0...v0.9.5)

Updates `json` from 1.8.3 to 1.8.6
- [Release notes](https://github.com/flori/json/releases)
- [Changelog](https://github.com/flori/json/blob/master/CHANGES.md)
- [Commits](ruby/json@v1.8.3...v1.8.6)

Updates `nokogiri` from 1.6.7.2 to 1.16.5
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.6.7.2...v1.16.5)

Updates `rake` from 11.1.1 to 13.2.1
- [Release notes](https://github.com/ruby/rake/releases)
- [Changelog](https://github.com/ruby/rake/blob/master/History.rdoc)
- [Commits](ruby/rake@v10.5.0...v13.2.1)

Updates `rubyzip` from 1.2.0 to 2.3.2
- [Release notes](https://github.com/rubyzip/rubyzip/releases)
- [Changelog](https://github.com/rubyzip/rubyzip/blob/master/Changelog.md)
- [Commits](rubyzip/rubyzip@v1.1.7...v2.3.2)

Updates `sprockets` from 3.5.2 to 3.7.3
- [Release notes](https://github.com/rails/sprockets/releases)
- [Changelog](https://github.com/rails/sprockets/blob/v3.7.3/CHANGELOG.md)
- [Commits](rails/sprockets@v3.5.2...v3.7.3)

Updates `tzinfo` from 1.2.2 to 1.2.11
- [Release notes](https://github.com/tzinfo/tzinfo/releases)
- [Changelog](https://github.com/tzinfo/tzinfo/blob/master/CHANGES.md)
- [Commits](tzinfo/tzinfo@v0.3.46...v0.3.62)

Updates `actionpack-page_caching` from 1.0.2 to 1.2.4
- [Release notes](https://github.com/rails/actionpack-page_caching/releases)
- [Changelog](https://github.com/rails/actionpack-page_caching/blob/master/CHANGELOG.md)
- [Commits](rails/actionpack-page_caching@v1.0.2...v1.2.4)

Updates `dalli` from 2.7.6 to 3.2.3
- [Changelog](https://github.com/petergoldstein/dalli/blob/main/CHANGELOG.md)
- [Commits](petergoldstein/dalli@v2.7.6...v3.2.3)

Updates `httparty` from 0.13.7 to 0.21.0
- [Release notes](https://github.com/jnunemaker/httparty/releases)
- [Changelog](https://github.com/jnunemaker/httparty/blob/main/Changelog.md)
- [Commits](jnunemaker/httparty@v0.13.7...v0.21.0)

Updates `globalid` from 0.3.6 to 0.4.2
- [Release notes](https://github.com/rails/globalid/releases)
- [Commits](rails/globalid@v0.3.6...v0.4.2)

Updates `loofah` from 2.0.3 to 2.22.0
- [Release notes](https://github.com/flavorjones/loofah/releases)
- [Changelog](https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md)
- [Commits](flavorjones/loofah@v2.0.3...v2.22.0)

Updates `rails-html-sanitizer` from 1.0.3 to 1.6.0
- [Release notes](https://github.com/rails/rails-html-sanitizer/releases)
- [Changelog](https://github.com/rails/rails-html-sanitizer/blob/main/CHANGELOG.md)
- [Commits](rails/rails-html-sanitizer@v1.0.3...v1.6.0)

---
updated-dependencies:
- dependency-name: omniauth
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: redcarpet
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: sanitize
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: addressable
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: ffi
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: i18n
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: json
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: nokogiri
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rake
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rubyzip
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: tzinfo
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: yard
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: omniauth
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: rack
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: redcarpet
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: sanitize
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: addressable
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: ffi
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: i18n
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: json
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: nokogiri
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rake
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rubyzip
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: sprockets
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: tzinfo
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: actionpack-page_caching
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: dalli
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: httparty
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: globalid
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: loofah
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rails-html-sanitizer
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <[email protected]>
Labels
dependencies Pull requests that update a dependency file