⚠️ [fixing yanked version] 🚨 [security] Update mimemagic: 0.3.5 → 0.3.7 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

---

⚠️ You are using a yanked version of mimemagic ⚠️

We're getting an error that the version of mimemagic you're currently using is no longer installable, it most likely has been yanked. That means your deployment, CI build and local development setup are broken until you update mimemagic to a different version.

We recommend to merge this update as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ mimemagic (indirect, 0.3.5 → 0.3.7) · Repo · Changelog

Release Notes

0.3.7 (from changelog)

Add a dependency on having a preinstalled version of the fd.o shared MIME types info to resolve licensing concerns, and allow this gem to remain MIT licensed.

See the readme for details on ensuring you have a copy of the database available at install time.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ capybara (3.33.0 → 3.35.3) · Repo · Changelog

Release Notes

3.35.3 (from changelog)

Release date: 2021-01-29

Fixed

• Just a release to have the correct dates in the History.md in released gem

3.35.2 (from changelog)

Release date: 2021-01-29

Fixed

• Selenium deprecation suppressor with Selenium 3.x

3.35.1 (from changelog)

Release date: 2021-01-26

Fixed

• Default chrome driver registrations use chrome - Issue #2442 [Yuriy Alekseyev]
• 'Capybara.test_id' usage with the :button selector - Issue #2443

3.35.0 (from changelog)

Release date: 2020-01-25

Added

• Support Regexp matching for individual class names in :class filter passed an Array
• Animation disabler now supports JQuery animation disabling when JQuery loaded from body [Chien-Wei Huang]

Fixed

• :button selector type use with enable_aria_role [Sean Doyle]
• elements don't associate with aria-role buttons
• Ignore Selenium::WebDriver::Error::InvalidSessionIdError when quitting driver [Robin Daugherty]
• Firefox: Don't click input when sending keys if already focused
• Miscellaneous issues with selenium-webdriver 4.0.0.alphas
• Nil return error in node details optimizations
• Animation disabler now inserts XHTML compliant content [Dale Morgan]

3.34.0 (from changelog)

Release date: 2020-11-26

Added

• Ability to fill in with emoji when using Chrome with selenium driver (Firefox already worked)
• Current path assetsions/expectations accept optional filter block
• Animation disabler now specifies scroll-behavior: auto; [Nathan Broadbent]
• :button selector can now find elements by label text [Sean Doyle]
• Session#send_keys to send keys to the current element with focus in drivers that support the concept of a current element [Sean Doyle]

Changed

• Text query validates the type parameter to prevent undefined behavior

Fixed

• racktest driver better handles fragments and redirection to urls that include fragments
• Don't error when attempting to get XPath location of a shadow element
• Missing readonly? added to Node::Simple
• Selenium version detection when loaded via alternate method [Joel Hawksley]
• Connection count issue if REQUEST_URI value changed by app [Blake Williams]
• Maintain URI fragment when redirecting in rack-test driver
• Text query error message [Wojciech Wnętrzak]
• Checking a checkbox/radio button with allow_label_click now works if there are multiple labels (Issue #2421)
• drop with Pathname (Issue #2424)[Máximo Mussini]

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ rails (5.2.4.4 → 5.2.4.5) · Repo

Release Notes

5.2.4.5

Active Support

• No changes.

Active Model

• No changes.

Active Record

• Fix possible DoS vector in PostgreSQL money type

  Carefully crafted input can cause a DoS via the regular expressions used
  for validating the money format in the PostgreSQL adapter. This patch
  fixes the regexp.

  Thanks to @dee-see from Hackerone for this patch!

  [CVE-2021-22880]

  Aaron Patterson

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

Action Mailer

• No changes.

Action Cable

• No changes.

Active Storage

• No changes.

Railties

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actioncable (indirect, 5.2.4.4 → 5.2.4.5) · Repo · Changelog

Release Notes

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionmailer (indirect, 5.2.4.4 → 5.2.4.5) · Repo · Changelog

Release Notes

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionpack (indirect, 5.2.4.4 → 5.2.4.5) · Repo · Changelog

Release Notes

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ actionview (indirect, 5.2.4.4 → 5.2.4.5) · Repo · Changelog

Release Notes

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activejob (indirect, 5.2.4.4 → 5.2.4.5) · Repo · Changelog

Release Notes

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activemodel (indirect, 5.2.4.4 → 5.2.4.5) · Repo · Changelog

Release Notes

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activerecord (indirect, 5.2.4.4 → 5.2.4.5) · Repo · Changelog

Security Advisories 🚨

🚨 Possible DoS Vulnerability in Active Record PostgreSQL adapter

There is a possible DoS vulnerability in the PostgreSQL adapter in Active
Record. This vulnerability has been assigned the CVE identifier CVE-2021-22880.

Versions Affected: >= 4.2.0
Not affected: < 4.2.0
Fixed Versions: 6.1.2.1, 6.0.3.5, 5.2.4.5

Impact

Carefully crafted input can cause the input validation in the "money" type of
the PostgreSQL adapter in Active Record to spend too much time in a regular
expression, resulting in the potential for a DoS attack.

This only impacts Rails applications that are using PostgreSQL along with
money type columns that take user input.

Workarounds

In the case a patch can't be applied, the following monkey patch can be used
in an initializer:

module ActiveRecord
  module ConnectionAdapters
    module PostgreSQL
      module OID # :nodoc:
        class Money < Type::Decimal # :nodoc:
          def cast_value(value)
            return value unless ::String === value
        value = value.sub(/^\((.+)\)$/, '-\1') # (4)
        case value
        when /^-?\D*+[\d,]+\.\d{2}$/  # (1)
          value.gsub!(/[^-\d.]/, "")
        when /^-?\D*+[\d.]+,\d{2}$/  # (2)
          value.gsub!(/[^-\d,]/, "").sub!(/,/, ".")
        end

        super(value)
      end
    end
  end
end

end

end

Release Notes

5.2.4.5 (from changelog)

• Fix possible DoS vector in PostgreSQL money type

  Carefully crafted input can cause a DoS via the regular expressions used for validating the money format in the PostgreSQL adapter. This patch fixes the regexp.

  Thanks to @dee-see from Hackerone for this patch!

  [CVE-2021-22880]

  Aaron Patterson

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activestorage (indirect, 5.2.4.4 → 5.2.4.5) · Repo · Changelog

Release Notes

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ activesupport (indirect, 5.2.4.4 → 5.2.4.5) · Repo · Changelog

Release Notes

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.1.7 → 1.1.8) · Repo · Changelog

Release Notes

1.1.8 (from changelog)

• (#885) Fix race condition in TVar for stale reads
• (#884) RubyThreadLocalVar: Do not iterate over hash which might conflict with new pair addition

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ erubi (indirect, 1.9.0 → 1.10.0) · Repo · Changelog

Release Notes

1.10.0 (from changelog)

* Improve template parsing, mostly by reducing allocations (jeremyevans)


Do not ship tests in the gem, reducing gem size about 20% (jeremyevans)


Support :literal_prefix and :literal_postfix options for how to output literal tags (e.g. <%% code %>) (jaredcwhite) (#26, #27)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ i18n (indirect, 1.8.5 → 1.8.9) · Repo · Changelog

Release Notes

1.8.9

• Rely on Ruby 3's native Hash#except method -- #557

This release also contains several build related updates -- rather than listing them out here, you can see the compare view between 1.8.8 and 1.8.9.

1.8.8

• Fixed threadsafety issues in Simple backend: #554
• Re-attempt to fix threadsafety of fallbacks: #548

---

• Use OpenSSL::Digest instead of usual Digest libraries: #549
• Goodbye, post-install message #552
• Use Rails' main branch, instead of master #553

1.8.7

• Fixed a regression with fallback logic: see issues #547, #546 and #542.

1.8.6

• Fallbacks are now stored in Thread.current for multi-threading compatibility: #542
• no-op arguments are no longer allowed for I18n.t calls -- fixes an incompatibility with Ruby 3.0: #545

This gem's GitHub workflow files have been updated to ensure compatibility between new Rails versions (6.1) and the new Ruby release (3.0). See the "Actions" tab on GitHub for the full range of supported Rails and Ruby versions.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ loofah (indirect, 2.7.0 → 2.9.0) · Repo · Changelog

Release Notes

2.9.0

2.9.0 / 2021-01-14

• Handle CSS functions in a CSS shorthand property (like background). [#199, #200]

2.8.0

2.8.0 / 2020-11-25

• Allow CSS properties order, flex-direction, flex-grow, flex-wrap, flex-shrink, flex-flow, flex-basis, flex, justify-content, align-self, align-items, and align-content. [#197] (Thanks, @miguelperez!)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.4.0 → 2.5.0) · Repo · Changelog

Release Notes

2.5.0

2.5.0 / 2020-02-24

Enhancements

• When verifying GPG signatures, remove all imported pubkeys from keyring [#90] (Thanks, @hanazuki!)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minitest (indirect, 5.14.2 → 5.14.4) · Repo · Changelog

Release Notes

5.14.4 (from changelog)

• 1 bug fix:

  • Fixed deprecation warning using stub with methods using keyword arguments. (Nakilon)

5.14.3 (from changelog)

• 1 bug fix:

  • Bumped require_ruby_version to < 4 (trunk = 3.1).

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nio4r (indirect, 2.5.3 → 2.5.7) · Repo · Changelog

Release Notes

2.5.4 (from changelog)

• #251 Intermittent SEGV during GC. (@boazsegev)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.10.10 → 1.11.2) · Repo · Changelog

Security Advisories 🚨

🚨 Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability

Description

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema
are trusted by default, allowing external resources to be accessed over the
network, potentially enabling XXE or SSRF attacks.

This behavior is counter to
the security policy followed by Nokogiri maintainers, which is to treat all input
as untrusted by default whenever possible.

Please note that this security
fix was pushed into a new minor version, 1.11.x, rather than a patch release to
the 1.10.x branch, because it is a breaking change for some schemas and the risk
was assessed to be "Low Severity".

Affected Versions

Nokogiri <= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3

Mitigation

There are no known workarounds for affected versions. Upgrade to Nokogiri
1.11.0.rc4 or later.

If, after upgrading to 1.11.0.rc4 or later, you wish
to re-enable network access for resolution of external resources (i.e., return to
the previous behavior):

1. Ensure the input is trusted. Do not enable this option
   for untrusted input.
2. When invoking the Nokogiri::XML::Schema constructor,
   pass as the second parameter an instance of Nokogiri::XML::ParseOptions with the
   NONET flag turned off.

So if your previous code was:

# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network
# but in v1.11.0.rc4 and later, this call will disallow network access for external resources
schema = Nokogiri::XML::Schema.new(schema)
# in v1.11.0.rc4 and later, the following is equivalent to the code above

# (the second parameter is optional, and this demonstrates its default value)

schema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)

Then you can add the second parameter to indicate that the input is trusted by changing it to:

# in v1.11.0.rc3 and earlier, this would raise an ArgumentError
# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network
schema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)

Release Notes

1.11.2

1.11.2 / 2021-03-11

Fixed

• [CRuby] NodeSet may now safely contain Node objects from multiple documents. Previously the GC lifecycle of the parent Document objects could lead to nodes being GCed while still in scope. [#1952]
• [CRuby] Patch libxml2 to avoid "huge input lookup" errors on large CDATA elements. (See upstream GNOME/libxml2#200 and GNOME/libxml2!100.) [#2132].
• [CRuby+Windows] Enable Nokogumbo (and other downstream gems) to compile and link against nokogiri.so by including LDFLAGS in Nokogiri::VERSION_INFO. [#2167]
• [CRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was invoked twice on each object.
• [JRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was not called, which was a problem for subclassing such as done by Loofah.

Improved

• Reduce the number of object allocations needed when parsing an HTML::DocumentFragment. [#2087] (Thanks, @ashmaroli!)
• [JRuby] Update the algorithm used to calculate Node#line to be wrong less-often. The underlying parser, Xerces, does not track line numbers, and so we've always used a hacky solution for this method. [#1223, #2177]
• Introduce --enable-system-libraries and --disable-system-libraries flags to extconf.rb. These flags provide the same functionality as --use-system-libraries and the NOKOGIRI_USE_SYSTEM_LIBRARIES environment variable, but are more idiomatic. [#2193] (Thanks, @eregon!)
• [TruffleRuby] --disable-static is now the default on TruffleRuby when the packaged libraries are used. This is more flexible and compiles faster. (Note, though, that the default on TR is still to use system libraries.) [#2191, #2193] (Thanks, @eregon!)

Changed

• Nokogiri::XML::Path is now a Module (previously it has been a Class). It has been acting solely as a Module since v1.0.0. See 8461c74.

1.11.1

v1.11.1 / 2021-01-06

Fixed

• [CRuby] If libxml-ruby is loaded before nokogiri, the SAX and Push parsers no longer call libxml-ruby's handlers. Instead, they defensively override the libxml2 global handler before parsing. [#2168]

SHA-256 Checksums of published gems

a41091292992cb99be1b53927e1de4abe5912742ded956b0ba3383ce4f29711c  nokogiri-1.11.1-arm64-darwin.gem
d44fccb8475394eb71f29dfa7bb3ac32ee50795972c4557ffe54122ce486479d  nokogiri-1.11.1-java.gem
f760285e3db732ee0d6e06370f89407f656d5181a55329271760e82658b4c3fc  nokogiri-1.11.1-x64-mingw32.gem
dd48343bc4628936d371ba7256c4f74513b6fa642e553ad7401ce0d9b8d26e1f  nokogiri-1.11.1-x86-linux.gem
7f49138821d714fe2c5d040dda4af24199ae207960bf6aad4a61483f896bb046  nokogiri-1.11.1-x86-mingw32.gem
5c26111f7f26831508cc5234e273afd93f43fbbfd0dcae5394490038b88d28e7  nokogiri-1.11.1-x86_64-darwin.gem
c3617c0680af1dd9fda5c0fd7d72a0da68b422c0c0b4cebcd7c45ff5082ea6d2  nokogiri-1.11.1-x86_64-linux.gem
42c2a54dd3ef03ef2543177bee3b5308313214e99f0d1aa85f984324329e5caa  nokogiri-1.11.1.gem

1.11.0

v1.11.0 / 2021-01-03

Notes

Faster, more reliable installation: Native Gems for Linux and OSX/Darwin

"Native gems" contain pre-compiled libraries for a specific machine architecture. On supported platforms, this removes the need for compiling the C extension and the packaged libraries. This results in much faster installation and more reliable installation, which as you probably know are the biggest headaches for Nokogiri users.

We've been shipping native Windows gems since 2009, but starting in v1.11.0 we are also shipping native gems for these platforms:

• Linux: x86-linux and x86_64-linux -- including musl platforms like alpine
• OSX/Darwin: x86_64-darwin and arm64-darwin

We'd appreciate your thoughts and feedback on this work at #2075.

Dependencies

Ruby

This release introduces support for Ruby 2.7 and 3.0 in the precompiled native gems.

This release ends support for:

• Ruby 2.3, for which official support ended on 2019-03-31 [#1886] (Thanks @ashmaroli!)
• Ruby 2.4, for which official support ended on 2020-04-05
• JRuby 9.1, which is the Ruby 2.3-compatible release.

Gems

• Explicitly add racc as a runtime dependency. [#1988] (Thanks, @voxik!)
• [MRI] Upgrade mini_portile2 dependency from ~> 2.4.0 to ~> 2.5.0 [#2005] (Thanks, @alejandroperea!)

Security

See note below about CVE-2020-26247 in the "Changed" subsection entitled "XML::Schema parsing treats input as untrusted by default".

Added

• Add Node methods for manipulating "keyword attributes" (for example, class and rel): #kwattr_values, #kwattr_add, #kwattr_append, and #kwattr_remove. [#2000]
• Add support for CSS queries a:has(> b), a:has(~ b), and a:has(+ b). [#688] (Thanks, @jonathanhefner!)
• Add Node#value? to better match expected semantics of a Hash-like object. [#1838, #1840] (Thanks, @MatzFan!)
• [CRuby] Add Nokogiri::XML::Node#line= for use by downstream libs like nokogumbo. [#1918] (Thanks, @stevecheckoway!)
• nokogiri.gemspec is back after a 10-year hiatus. We still prefer you use the official releases, but master is pretty stable these days, and YOLO.

Performance

• [CRuby] The CSS ~= operator and class selector . are about 2x faster. [#2137, #2135]
• [CRuby] Patch libxml2 to call strlen from xmlStrlen rather than the naive implementation, because strlen is generally optimized for the architecture. [#2144] (Thanks, @ilyazub!)
• Improve performance of some namespace operations. [#1916] (Thanks, @ashmaroli!)
• Remove unnecessary array allocations from Node serialization methods [#1911] (Thanks, @ashmaroli!)
• Avoid creation of unnecessary zero-length String objects. [#1970] (Thanks, @ashmaroli!)
• Always compile libxml2 and libxslt with '-O2' [#2022, #2100] (Thanks, @ilyazub!)
• [JRuby] Lots of code cleanup and performance improvements. [#1934] (Thanks, @kares!)
• [CRuby] RelaxNG.from_document no longer leaks memory. [#2114]

Improved

• [CRuby] Handle incorrectly-closed HTML comments as WHATWG recommends for browsers. [#2058] (Thanks to HackerOne user mayflower for reporting this!)
• {HTML,XML}::Document#parse now accept Pathname objects. Previously this worked only if the referenced file was less than 4096 bytes long; longer files resulted in undefined behavior because the read method would be repeatedly invoked. [#1821, #2110] (Thanks, @doriantaylor and @phokz!)
• [CRuby] Nokogumbo builds faster because it can now use header files provided by Nokogiri. [#1788] (Thanks, @stevecheckoway!)
• Add frozen_string_literal: true magic comment to all lib files. [#1745] (Thanks, @oniofchaos!)
• [JRuby] Clean up deprecated calls into JRuby. [#2027] (Thanks, @headius!)

Fixed

• HTML Parsing in "strict" mode (i.e., the RECOVER parse option not set) now correctly raises a XML::SyntaxError exception. Previously the value of the RECOVER bit was being ignored by CRuby and was misinterpreted by JRuby. [#2130]
• The CSS ~= operator now correctly handles non-space whitespace in the class attribute. commit e45dedd
• The switch to turn off the CSS-to-XPath cache is now thread-local, rather than being shared mutable state. [#1935]
• The Node methods add_previous_sibling, previous=, before, add_next_sibling, next=, after, replace, and swap now correctly use their parent as the context node for parsing markup. These methods now also raise a RuntimeError if they are called on a node with no parent. [nokogumbo#160]
• [JRuby] XML::Schema XSD validation errors are captured in XML::Schema#errors. These errors were previously ignored.
• [JRuby] Standardize reading from IO like objects, including StringIO. [#1888, #1897]
• [JRuby] Fix how custom XPath function namespaces are inferred to be less naive. [#1890, #2148]
• [JRuby] Clarify exception message when custom XPath functions can't be resolved.
• [JRuby] Comparison of Node to Document with Node#<=> now matches CRuby/libxml2 behavior.
• [CRuby] Syntax errors are now correctly captured in Document#errors for short HTML documents. Previously the SAX parser used for encoding detection was clobbering libxml2's global error handler.
• [CRuby] Fixed installation on AIX with respect to vasprintf. [#1908]
• [CRuby] On some platforms, avoid symbol name collision with glibc's canonicalize. [#2105]
• [Windows Visual C++] Fixed compiler warnings and errors. [#2061, #2068]
• [CRuby] Fixed Nokogumbo integration which broke in the v1.11.0 release candidates. [#1788] (Thanks, @stevecheckoway!)
• [JRuby] Fixed document encoding regression in v1.11.0 release candidates. [#2080, #2083] (Thanks, @thbar!)

Removed

• The internal method Nokogiri::CSS::Parser.cache_on= has been removed. Use .set_cache if you need to muck with the cache internals.
• The class method Nokogiri::CSS::Parser.parse has been removed. This was originally deprecated in 2009 in 13db61b. Use Nokogiri::CSS.parse instead.

Changed

XML::Schema input is now "untrusted" by default

Address CVE-2020-26247.

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema were trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.

This behavior is counter to the security policy intended by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.

Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity".

More information and instructions for enabling "trusted input" behavior in v1.11.0.rc4 and later is available at the public advisory.

HTML parser now obeys the strict or norecover parsing option

(Also noted above in the "Fixed" section) HTML Parsing in "strict" mode (i.e., the RECOVER parse option not set) now correctly raises a XML::SyntaxError exception. Previously the value of the RECOVER bit was being ignored by CRuby and was misinterpreted by JRuby.

If you're using the default parser options, you will be unaffected by this fix. If you're passing strict or norecover to your HTML parser call, you may be surprised to see that the parser now fails to recover and raises a XML::SyntaxError exception. Given the number of HTML documents on the internet that libxml2 would consider to be ill-formed, this is probably not what you want, and you can omit setting that parse option to restore the behavior that you have been relying upon.

Apologies to anyone inconvenienced by this breaking bugfix being present in a minor release, but I felt it was appropriate to introduce this fix because it's straightforward to fix any code that has been relying on this buggy behavior.

VersionInfo, the output of nokogiri -v, and related constants

This release changes the metadata provided in Nokogiri::VersionInfo which also affects the output of nokogiri -v. Some related constants have also been changed. If you're using VersionInfo programmatically, or relying on constants related to underlying library versions, please read the detailed changes for Nokogiri::VersionInfo at #2139 and accept our apologies for the inconvenience.

SHA-256 Checksums of published gems

17ed2567bf76319075b4a6a7258d1a4c9e2661fca933b03e037d79ae2b9910d0  nokogiri-1.11.0.gem
2f0149c735b0672c49171b18467ce25fd323a8e608c9e6b76e2b2fa28e7f66ee  nokogiri-1.11.0-java.gem
2f249be8cc705f9e899c07225fcbe18f4f7dea220a59eb5fa82461979991082e  nokogiri-1.11.0-x64-mingw32.gem
9e219401dc3f93abf09166d12ed99c8310fcaf8c56a99d64ff93d8b5f0604e91  nokogiri-1.11.0-x86-mingw32.gem
bda2a9c9debf51da7011830c7f2dc5771c122ebcf0fc2dd2c4ba4fc95b5c38f2  nokogiri-1.11.0-x86-linux.gem
d500c3202e2514b32f4b02049d9193aa825ae3e9442c9cad2d235446c3e17d8d  nokogiri-1.11.0-x86_64-linux.gem
3a613188e3b76d593b04e0ddcc46f44c288b13f80b32ce83957356f50e22f9ee  nokogiri-1.11.0-arm64-darwin.gem
b8f9b826d09494b20b30ecd048f5eb2827dccd85b77abeb8baf1f610e5ed28ed  nokogiri-1.11.0-x86_64-darwin.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ public_suffix (indirect, 4.0.5 → 4.0.6) · Repo · Changelog

Release Notes

4.0.6 (from changelog)

Changed

• Updated definitions.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ railties (indirect, 5.2.4.4 → 5.2.4.5) · Repo · Changelog

Release Notes

5.2.4.5 (from changelog)

• No changes.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rake (indirect, 13.0.1 → 13.0.3) · Repo · Changelog

Release Notes

13.0.3 (from changelog)

• Fix breaking change of execution order on TestTask. Pull request #368 by ysakasin

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ regexp_parser (indirect, 1.7.1 → 2.1.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sprockets-rails (indirect, 3.2.1 → 3.2.2) · Repo · Changelog

Release Notes

3.2.2

• Fix extending ActionView::Base instances with Sprockets::Rails::Helper on Rails 6.1
• Fix deprecation warning on Ruby 2.7 [#454]
• action_view/base is no longer required when rake tasks are loaded [#455]
• Asset not precompiled error exception renamed to AssetNotPrecompiledError [#414]

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ thor (indirect, 1.0.1 → 1.1.0) · Repo · Changelog

Release Notes

1.1.0 (from changelog)

• Don't use ANSI colors when terminal is dumb.
• Ensure default option/argument is not erroneously aliased.
• Fixes a bug in the calculation of the print_wrapped method.
• Obey :mute and options[:quiet] in Shell#say.
• Support Ruby 3.0.
• Add force option to the gsub_file action.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tzinfo (indirect, 1.2.7 → 1.2.9) · Repo · Changelog

Release Notes

1.2.9

• Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

TZInfo v1.2.9 on RubyGems.org

1.2.8

• Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
• Rubinius is no longer supported.

TZInfo v1.2.8 on RubyGems.org

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 racc (added, 1.5.2)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)