Build(deps): Bump nokogiri from 1.11.3 to 1.11.4 (PR #13074)

Bumps nokogiri from 1.11.3 to 1.11.4.

Release notes

Sourced from nokogiri's releases.

1.11.4 / 2021-05-14

Security

[CRuby] Vendored libxml2 upgraded to v2.9.12 which addresses:

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please see nokogiri/GHSA-7rrm-v45f-jp64 or #2233 for a more complete analysis of these CVEs and patches.

Dependencies

  • [CRuby] vendored libxml2 is updated from 2.9.10 to 2.9.12. (Note that 2.9.11 was skipped because it was superseded by 2.9.12 a few hours after its release.)
Changelog

Sourced from nokogiri's changelog.

1.11.4 / 2021-05-14

Security

[CRuby] Vendored libxml2 upgraded to v2.9.12 which addresses:

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please see nokogiri/GHSA-7rrm-v45f-jp64 or #2233 for a more complete analysis of these CVEs and patches.

Dependencies

  • [CRuby] vendored libxml2 is updated from 2.9.10 to 2.9.12. (Note that 2.9.11 was skipped because it was superseded by 2.9.12 a few hours after its release.)
Commits
  • 9d69b44 version bump to v1.11.4
  • 058e87f update CHANGELOG with complete CVE information
  • 9285251 Merge pull request #2234 from sparklemotion/2233-upgrade-to-libxml-2-9-12
  • 5436f61 update CHANGELOG
  • 761d320 patch: renumber libxml2 patches
  • 889ee2a test: update behavior of namespaces in HTML
  • 9751d85 test: remove low-value HTML::SAX::PushParser encoding test
  • 9fcb7d2 test: adjust xpath gc test to libxml2's max recursion depth
  • 1c99019 patch: backport libxslt configure.ac change for libxml2 config
  • 82a253f patch: fix isnan/isinf patch to apply cleanly to libxml 2.9.12
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don’t alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually

GitHub

I think we should merge this before the release. It contains security fixes.

I guess we can backport. will add a tag