🚨 [security] Update html-proofer 3.14.1 → 5.1.0 (major)


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

โœณ๏ธ html-proofer (3.14.1 โ†’ 5.1.0) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โœณ๏ธ github-pages (207 โ†’ 232) ยท Repo

Release Notes

Too many releases to show here. View the full release notes.

Sorry, we couldn’t find anything useful about this release.

โ†—๏ธ activesupport (indirect, 6.0.3.2 โ†’ 8.1.1) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

🚨 Active Support Possibly Discloses Locally Encrypted Files

There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.7.1, 6.1.7.5

Impact

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

To work around this issue, you can set your umask to be more restrictive like this:

$ umask 0077
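
As an added example (not part of the advisory or of Rails), the Ruby script below shows why the umask decides who can read a file written with default permissions, the owner-only write that does not depend on the umask, and the check a reviewer can run against a temporary file. The file names and the secret contents are constructed.

```ruby
require "tmpdir"

# Runs the block with the process umask temporarily set to `mask` and restores
# the previous value afterwards. Same effect as the advisory's `umask 0077`,
# scoped to one operation instead of the whole shell session.
def with_umask(mask)
  old = File.umask(mask)
  yield
ensure
  File.umask(old) if old
end

# Permission bits (owner/group/other) of a path, e.g. 0o644.
def mode_bits(path)
  File.stat(path).mode & 0o777
end

# True when group or other has read access: the condition the advisory
# describes for the temporary file under a permissive umask.
def readable_by_others?(path)
  (mode_bits(path) & 0o044) != 0
end

# The fragile pattern: a plain write creates the file as 0666 & ~umask,
# so the outcome depends entirely on the caller's environment.
def write_with_default_perms(path, content)
  File.write(path, content)
  mode_bits(path)
end

# The robust pattern: an explicit 0600 mode plus O_EXCL, so the file is
# owner-only regardless of umask and a pre-existing file (or symlink) at the
# path is never reused.
def write_owner_only(path, content)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(content)
  end
  mode_bits(path)
end

# Writes the same constructed secret three ways and returns the observed modes.
def demo_modes
  secret = "aws_access_key_id: EXAMPLE-PLACEHOLDER\n" # constructed sample
  Dir.mktmpdir("encfile-demo") do |dir|
    loose  = with_umask(0o022) { write_with_default_perms(File.join(dir, "loose.yml"), secret) }
    strict = with_umask(0o077) { write_with_default_perms(File.join(dir, "strict.yml"), secret) }
    fixed  = with_umask(0o022) { write_owner_only(File.join(dir, "fixed.yml"), secret) }
    { loose_umask: loose, strict_umask: strict, explicit_mode: fixed }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_modes.each { |label, mode| printf("%-14s %04o\n", label, mode) }
end
```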


🚨 Possible XSS Security Vulnerability in SafeBuffer#bytesplice

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
This vulnerability has been assigned the CVE identifier CVE-2023-28120.

Versions Affected: All
Not affected: None
Fixed Versions: 7.0.4.3, 6.1.7.3

Impact

ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized.
When these strings are mutated, the tag should be removed to mark them as no longer being html_safe.

Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation.
Users on older versions of Ruby are likely unaffected.

All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.

Workarounds

Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.


🚨 ReDoS based DoS vulnerability in Active Support's underscore

There is a possible regular expression based DoS vulnerability in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-22796.

Versions Affected: All
Not affected: None
Fixed Versions: 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem), 6.1.7.1, 7.0.4.1

Impact

A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

This affects String#underscore, ActiveSupport::Inflector.underscore, String#titleize, and any other methods using these.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The FIXED releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Users on Ruby 3.2.0 or greater may be able to reduce the impact by configuring Regexp.timeout.

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

6-1-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 6.1 series
7-0-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
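
The Regexp.timeout mitigation mentioned above, as an added example that is not from the advisory or from Rails: a per-regexp budget on Ruby 3.2+, a no-op fallback on older rubies (where only upgrading helps), and a fail-closed wrapper that reports a blown budget instead of hanging the worker. SNAKE_CASE is our own illustrative pattern, not ActiveSupport's underscore regexp.

```ruby
# Regexp::TimeoutError is only defined on Ruby >= 3.2. On older rubies we
# rescue a private placeholder class that is never raised, so the code still
# loads, but matching there remains unbounded.
REGEXP_TIMEOUT_ERROR =
  defined?(Regexp::TimeoutError) ? Regexp::TimeoutError : Class.new(StandardError)

def regexp_timeout_supported?
  Regexp.method_defined?(:timeout)
end

# Builds a regexp with its own time budget in seconds. A per-regexp timeout
# takes precedence over the process-wide Regexp.timeout for that pattern.
def bounded_regexp(source, seconds)
  return Regexp.new(source) unless regexp_timeout_supported?

  Regexp.new(source, timeout: seconds)
end

# Applies a process-wide budget for the duration of the block and restores the
# previous value: the shape an initializer or a request middleware would use
# to cover library regexps (such as the inflector's) that you do not construct.
def with_global_regexp_timeout(seconds)
  return yield unless regexp_timeout_supported?

  previous = Regexp.timeout
  Regexp.timeout = seconds
  yield
ensure
  Regexp.timeout = previous if regexp_timeout_supported?
end

# Fail closed: an input that exhausts the budget is reported as :timeout,
# never as a match, and the thread is freed instead of spinning on CPU.
def classify(regexp, input)
  regexp.match?(input) ? :match : :no_match
rescue REGEXP_TIMEOUT_ERROR
  :timeout
end

# Illustrative identifier check (our own pattern, not ActiveSupport's).
SNAKE_CASE = bounded_regexp('\A[a-z][a-z0-9]*(?:_[a-z0-9]+)*\z', 0.05)

def snake_case?(name)
  classify(SNAKE_CASE, name)
end
```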


Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 5 commits:

โ†—๏ธ addressable (indirect, 2.7.0 โ†’ 2.8.7) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

🚨 Regular Expression Denial of Service in Addressable templates

Impact

Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.

Patches

The vulnerability was introduced in version 2.3.0 (previously yanked) and has been present in all subsequent versions up to, and including, 2.7.0. It is fixed in version 2.8.0.

Workarounds

The vulnerability can be avoided by only creating Template objects from trusted sources that have been validated not to produce catastrophic backtracking.


Release Notes

2.8.7 (from changelog)

  • Allow public_suffix 6 (#535)

2.8.6 (from changelog)

  • Memoize regexps for common character classes (#524)

2.8.5 (from changelog)

  • Fix thread safety issue with encoding tables (#515)
  • Define URI::NONE as a module to avoid serialization issues (#509)
  • Fix YAML serialization (#508)

2.8.4 (from changelog)

  • Restore Addressable::IDNA.unicode_normalize_kc as a deprecated method (#504)

2.8.3 (from changelog)

  • Fix template expand level 2 hash support for non-string objects (#499, #498)

2.8.2 (from changelog)

  • Improve cache hits and JIT friendliness (#486)
  • Improve code style and test coverage (#482)
  • Ensure reset of deferred validation (#481)
  • Resolve normalization differences between IDNA::Native and IDNA::Pure (#408, #492)
  • Remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438) (accidentally reverted by #449 merge but added back in #492)

2.8.1 (from changelog)

  • refactor Addressable::URI.normalize_path to address linter offenses (#430)
  • remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438)
  • update gemspec to reflect supported Ruby versions (#466, #464, #463)
  • compatibility w/ public_suffix 5.x (#466, #465, #460)
  • fixes "invalid byte sequence in UTF-8" exception when unencoding URLs containing non UTF-8 characters (#459)
  • Ractor compatibility (#449)
  • use the whole string instead of a single line for template match (#431)
  • force UTF-8 encoding only if needed (#341)

2.8.0 (from changelog)

  • fixes ReDoS vulnerability in Addressable::Template#match
  • no longer replaces + with spaces in queries for non-http(s) schemes
  • fixed encoding ipv6 literals
  • the :compacted flag for normalized_query now dedupes parameters
  • fix broken escape_component alias
  • dropping support for Ruby 2.0 and 2.1
  • adding Ruby 3.0 compatibility for development tasks
  • drop support for rack-mount and remove Addressable::Template#generate
  • performance improvements
  • switch CI/CD to GitHub Actions

Does any of this look wrong? Please let us know.

โ†—๏ธ coffee-script-source (indirect, 1.11.1 โ†’ 1.12.2)

Sorry, we couldnโ€™t find anything useful about this release.

โ†—๏ธ commonmarker (indirect, 0.17.13 โ†’ 0.23.12) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ Several quadratic complexity bugs may lead to denial of service in Commonmarker

Impact

Several quadratic complexity bugs in commonmarker's underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

For more information, consult the release notes for version 0.29.0.gfm.12.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.10.

🚨 Commonmarker vulnerable to several quadratic complexity bugs that may lead to denial of service

Impact

Several quadratic complexity bugs in commonmarker's underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

For more information, consult the release notes for version 0.23.0.gfm.10 and 0.23.0.gfm.11.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.9.

🚨 Several quadratic complexity bugs may lead to denial of service in Commonmarker

Impact

Several quadratic complexity bugs in commonmarker's underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

For more information, consult the release notes for version 0.23.0.gfm.7.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.7.

🚨 Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service

Impact

CommonMarker uses cmark-gfm for rendering Github Flavored Markdown. A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.

Patches

This vulnerability has been patched in the following CommonMarker release:

  • v0.23.6

Workarounds

Disable use of the autolink extension.

References

#190
GHSA-cgh3-p57x-9q7q
https://en.wikipedia.org/wiki/Time_complexity


Acknowledgements

We would like to thank Legit Security for reporting this vulnerability.

🚨 Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption

Impact

CommonMarker uses cmark-gfm for rendering Github Flavored Markdown. An integer overflow in cmark-gfm's table row parsing may lead to heap memory corruption when parsing tables whose marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution.

If affected versions of CommonMarker are used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE).

Patches

This vulnerability has been patched in the following CommonMarker release:

  • v0.23.4

Workarounds

The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling any use of the table extension will prevent this vulnerability from being triggered.

Acknowledgements

We would like to thank Felix Wilhelm of Google's Project Zero for reporting this vulnerability.

Release Notes

0.23.12

Full Changelog: v0.23.11...v0.23.12

0.23.11

Full Changelog: v0.23.10...v0.23.11

0.23.10

Full Changelog: v0.23.9...v0.23.10

0.23.9

Full Changelog: v0.23.8...v0.23.9

0.23.8

Full Changelog: v0.23.7...v0.23.8

0.23.7

Full Changelog: v0.23.6...v0.23.7

0.23.6

What's Changed

This release includes two updates from the upstream cmark-gfm library, namely:

0.22.0

  • Drop ruby-enum (#140)

0.21.0

  • Add support for tasklist_item_checked=: #116

0.19.0

  • Support tasklists: #94
  • Indicate the context of a parse/render option error: #97

0.18.0

  • Default to being safe: #81

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ concurrent-ruby (indirect, 1.1.7 โ†’ 1.3.5) ยท Repo ยท Changelog

Release Notes

1.3.5

Full Changelog: v1.3.4...v1.3.5

1.3.4

What's Changed

  • Update comment for JRuby variant of processor_count to reality by @meineerde in #1054
  • Add Concurrent.cpu_requests that is cgroups aware. by @heka1024 in #1058
  • Fix the doc of Concurrent.available_processor_count by @y-yagi in #1059
  • Fix the return value of Concurrent.available_processor_count when cpu.cfs_quota_us is -1 by @y-yagi in #1060

Full Changelog: v1.3.3...v1.3.4

1.3.3

Full Changelog: v1.3.2...v1.3.3

1.3.2

Full Changelog: v1.3.1...v1.3.2

1.3.1

This release is essentially v1.3.0, but with a properly packaged gem. There was an issue publishing v1.3.0 and that gem needed to be yanked to avoid breaking downstream projects. The v1.3.0 changelog is reproduced below.

What's Changed

  • Add Concurrent.usable_processor_count that is cgroups aware by @casperisfine in #1038
  • Align Java Executor Service behavior for shuttingdown?, shutdown? by @bensheldon in #1042

Full Changelog: v1.2.3...v1.3.1

1.2.3

Full Changelog: v1.2.2...v1.2.3

1.2.2

concurrent-ruby 1.2.2:

  • (#993) Fix arguments passed to Concurrent::Map's default_proc.

1.2.1

concurrent-ruby 1.2.1:

  • (#990) Add missing require 'fiber' for FiberLocalVar.
  • (#989) Optimize Concurrent::Map#[] on CRuby by letting the backing Hash handle the default_proc.

1.2.0

concurrent-ruby 1.2.0:

  • (#975) Set the Ruby compatibility version at 2.3
  • (#962) Fix ReentrantReadWriteLock to use the same granularity for locals as for Mutex it uses.
  • (#983) Add FiberLocalVar
  • (#934) concurrent-ruby now supports requiring individual classes (public classes listed in the docs), e.g., require 'concurrent/map'
  • (#976) Let Promises.any_fulfilled_future take an Event
  • Improve documentation of various classes
  • (#972) Remove Rubinius-related code

concurrent-ruby-edge 0.7.0:

  • (#975) Set the Ruby compatibility version at 2.3
  • (#934) concurrent-ruby now supports requiring individual classes (public classes listed in the docs), e.g., require 'concurrent/map'
  • (#972) Remove Rubinius-related code

1.1.10

concurrent-ruby:

  • (#951) Set the Ruby compatibility version at 2.2
  • (#939, #933) The caller_runs fallback policy no longer blocks reads from the job queue by worker threads
  • (#938, #761, #652) You can now explicitly prune_pool a thread pool (Sylvain Joyeux)
  • (#937, #757, #670) We switched the Yahoo stock API for demos to Alpha Vantage (Gustavo Caso)
  • (#932, #931) We changed how SafeTaskExecutor handles local jump errors (Aaron Jensen)
  • (#927) You can use keyword arguments in your initialize when using Async (Matt Larraz)
  • (#926, #639) We removed timeout from TimerTask because it wasn't sound, and now it's a no-op with a warning (Jacob Atzen)
  • (#919) If you double-lock a re-entrant read-write lock, we promote to locked for writing (zp yuan)
  • (#915) monotonic_time now accepts an optional unit parameter, as Ruby's clock_gettime (Jean Boussier)

1.1.9 (from changelog)

concurrent-ruby:

  • (#866) Child promise state not set to :pending immediately after #execute when parent has completed
  • (#905, #872) Fix RubyNonConcurrentPriorityQueue#delete method
  • (2df0337d) Make sure locks are not shared on shared when objects are dup/cloned
  • (#900, #906, #796, #847, #911) Fix Concurrent::Set thread-safety issues on CRuby
  • (#907) Add new ConcurrentMap backend for TruffleRuby

1.1.8 (from changelog)

  • (#885) Fix race condition in TVar for stale reads
  • (#884) RubyThreadLocalVar: Do not iterate over hash which might conflict with new pair addition

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ dnsruby (indirect, 1.61.4 โ†’ 1.73.0) ยท Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ em-websocket (indirect, 0.5.1 โ†’ 0.5.3) ยท Repo ยท Changelog

Commits

See the full diff on Github. The new version differs by 24 commits:

โ†—๏ธ ethon (indirect, 0.12.0 โ†’ 0.15.0) ยท Repo ยท Changelog

Release Notes

0.15.0 (from changelog)

Full Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ execjs (indirect, 2.7.0 โ†’ 2.10.0) ยท Repo

Release Notes

2.8.1

  • Wait for STDOUT to be flushed before exiting the node runtime

2.8.0

  • Fix Ruby 3.0 compatibility on Windows
  • Undefine console, process and other globals. See #43
  • Removed the RubyRacer runtime as it is no longer maintained and broken on recent rubies.
  • Node runtime look for node before nodejs.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ faraday (indirect, 1.0.1 โ†’ 2.14.0) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ ffi (indirect, 1.11.2 โ†’ 1.17.2) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ gemoji (indirect, 3.0.1 โ†’ 4.1.0) ยท Repo

Release Notes

4.1.0

What's Changed

  • Import Emoji 15.0 characters by @mislav in #261
  • Support skin tones for 🧑‍🤝‍🧑 emoji by @mislav in #262

Full Changelog: v4.0.1...v4.1.0

4.0.1

Full Changelog: v4.0.0...v4.0.1

4.0.0

What's New

Warning
See the v4.0.0.pre0 release notes for the list of breaking changes since gemoji v3.x.

  • Add skin tones support by @mislav in #165 ✌🏻✌🏼✌🏽✌🏾✌🏿

    • Emoji.find_by_unicode() now recognizes emoji sequences with skin tone modifiers.
    • Emoji::Character#skin_tones? returns true when an emoji supports skin tone modifiers.
    • Emoji::Character#raw_skin_tone_variants generates a list of all 5 skin tone variants for an emoji.
  • Import Emoji 13.0 characters by @chvp in #173
  • Import Emoji 13.1 characters by @franciscorode in #209
  • Import Emoji 14.0 characters by @kardeslik in #244

Full Changelog: v4.0.0.pre0...v4.0.0

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ github-pages-health-check (indirect, 1.16.1 โ†’ 1.18.2) ยท Repo

Release Notes

1.18.2

octokit upgrade

1.18.1

  • Updates Cloudflare IPs to latest output of script/update-cloudflare-ips
  • Add _ domain name validation

1.17.9

What's Changed

  • Fix IPv6 support (AAAA records validation) in #140

Full Changelog: v1.17.8...v1.17.9

1.17.8

Full Changelog: v1.17.7...v1.17.8

1.17.6

  • Query DNS to Determine Apex Domains

1.17.2

Allows for non-200 requests to satisfy served_by_pages? if the response still looks like it was served by GitHub.

1.17.1

Update Cloudflare IPs.

1.17.0

  • Fix CI which is broken on master #115 (by @kytrinyx)
  • Silence warnings triggered by Ruby 2.7 #116 (by @kytrinyx)
  • Update dependencies to be compatible with Ruby 2.7 #117 (by @kytrinyx)
  • Update dotenv requirement from ~> 1.0 to ~> 2.7 #120 (dependabot)
  • Update gem-release requirement from ~> 0.7 to ~> 2.1 #119 (dependabot)
  • Update webmock requirement from ~> 1.21 to ~> 3.8 #118 (dependabot)
  • Upgrade to Ruby 2.7 & incorporate a Dockerfile #121 (by @parkr & @MarkTiedemann)

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ html-pipeline (indirect, 2.14.0 โ†’ 2.14.3) ยท Repo ยท Changelog

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ http_parser.rb (indirect, 0.6.0 โ†’ 0.8.0) ยท Repo

Commits

See the full diff on Github. The new version differs by 53 commits:

โ†—๏ธ i18n (indirect, 0.9.5 โ†’ 1.14.7) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ jekyll (indirect, 3.9.0 โ†’ 3.10.0) ยท Repo ยท Changelog

Release Notes

3.10.0 (from changelog)

Minor Enhancements

  • Backport add-csv-dependency from #9522 to Jekyll 3 (#9616)
  • 3.10-stable: Add webrick as a dependency (#9620)

3.9.4

Bug Fixes

  • Backport #9392 for v3.9.x: Add support for Ruby 3.3 Logger (#9513)

3.9.3

Bug Fixes

  • 3.9.x: Support i18n 1.x (#9269)
  • Backport #8880 for v3.9.x: Support both tzinfo v1 and v2 along with non-half hour offsets (#9280)

Development Fixes

  • v3.9.x: test under Ruby 3.2 (#9272)
  • v3.9.x: fix rdiscount test (#9277)

3.9.2

Bug Fixes

  • Lock http_parser.rb gem to v0.6.x on JRuby (#8943)
  • Backport #8756 for v3.9.x: Respect collections_dir config within include tag (#8795)
  • Backport #8965 for v3.9.x: Fix response header for content served via jekyll serve (#8976)

Development Fixes

  • Update and fix CI for 3.9-stable on Ruby 3.x (#8942)
  • Fix CI for commits to 3.9-stable branch (#8788)

3.9.1

Bug Fixes

  • Backport #8618 for v3.9.x: Update include tag to be more permissive (#8629)

Commits

See the full diff on Github. The new version differs by 45 commits:

โ†—๏ธ jekyll-avatar (indirect, 0.7.0 โ†’ 0.8.0) ยท Repo ยท Changelog

Release Notes

0.8.0

0.8.0 / 2022-04-15

Minor Enhancements

  • Use Kernel#format to render <img /> HTML tag (#46)
  • Check if username and size matches a pattern once (#48)

Bug Fixes

  • Reduce allocations from computing username (#44)
  • Stringify keys of :attributes hash (#42)
  • Parse tag markup once per instance (#40)
  • Compute :srcset with an array of integer strings (#43)
  • Assign string values for attributes (#47)
  • Parse only custom-host provided through ENV (#45)

Development Fixes

  • Profile memory usage from rendering avatars (#41)
  • Bundle only relevant files in the gem (#50)
  • Upgrade to GitHub-native Dependabot (#52)
  • Remove redundant specifications (#56)
  • Improve context in workflow job names (#57)
  • Remove @benbalter-specific community health files (#58)
  • Update gem specification (#60)
  • Add workflow to release gem via GH Actions (#63)

Documentation

  • Fix typo in README.md (#62)

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ jekyll-coffeescript (indirect, 1.1.1 โ†’ 1.2.2) ยท Repo ยท Changelog

Release Notes

1.2.2

Bug Fixes

  • Revert jekyll to be just a development_dependency for v1.x.x series.

1.2.1

Bug Fixes

  • Re-introduce Ruby 2.3 support and test Jekyll 3.7+ (#33)

1.2.0

Development Fixes

  • Require Ruby 2.3 (#27)

Major Enhancements

  • style: Target Ruby 2.4 (#31)

Documentation

  • Add essential step to readme (#32)

Commits

See the full diff on Github. The new version differs by 26 commits:

โ†—๏ธ jekyll-commonmark (indirect, 1.3.1 โ†’ 1.4.0) ยท Repo ยท Changelog

Release Notes

1.4.0

Minor Enhancements

  • Require at least commonmarker-0.22 (#44)
  • Highlight fenced code-block contents with Rouge (#29)

Bug Fixes

  • Refactor away extra abstractions (#53)

Development Fixes

  • DRY begin-rescue-end block with a private helper (#28)
  • Fix failing CI builds (#33)
  • Remove gemspec dependency on Jekyll (#34)
  • Test rendering with invalid configuration (#27)
  • Refactor to improve readability (#37)
  • Set up Continuous Integration via GH Actions (#46)
  • Clean up gemspec (#47)
  • Add workflow to release gem via GH Actions (#54)

Documentation

  • Update README to link to commonmarker (#38)

Commits

See the full diff on Github. The new version differs by 42 commits:

โ†—๏ธ jekyll-commonmark-ghpages (indirect, 0.1.6 โ†’ 0.5.1) ยท Repo

Release Notes

0.5.1

Full Changelog: v0.5.0...v0.5.1

0.5.0

Full Changelog: v0.2.0...v0.5.0

0.2.0

Full Changelog: v0.1.6...v0.2.0

Commits

See the full diff on Github. The new version differs by 39 commits:

โ†—๏ธ jekyll-default-layout (indirect, 0.1.4 โ†’ 0.1.5) ยท Repo

Release Notes

0.1.5

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ jekyll-feed (indirect, 0.13.0 โ†’ 0.17.0) ยท Repo ยท Changelog

Release Notes

0.17.0

Documentation

  • Update CI status badge (#363)

Development Fixes

  • Add Ruby 3.1 to the CI matrix (#365)

Minor Enhancements

  • Allow disabling of jekyll-feed while in development (#370)

0.16.0

Minor Enhancements

  • Add support for page.description in front matter to become entry <summary> (#297)

Bug Fixes

  • Fold private methods into the :render method as local variables (#327)
  • Check post.categories instead of post.category (#357)
  • Switched xml_escape for <![CDATA[]]> for post content (#332)

Development Fixes

  • Add Ruby 3.0 to CI (#337)
  • Lock RuboCop to v1.18.x (#348)
  • Add workflow to release gem via GH Action (#355)

Documentation

  • Use .atom extension in documented examples since we write an Atom feed (#359)

0.15.1

Bug Fixes

  • MetaTag: when encoding for XML special characters, handle non-string objects (#326)

0.15.0

Minor Enhancements

  • Add support for drafts (#316)

0.14.0

Minor Enhancements

  • add support for categories (#153) (#233)
  • add support for tags (#264)
  • Make posts limit configurable (#314)
  • XML escape the title field of feed_meta (#306)

Bug Fixes

  • Fix feed link when post title contains HTML (#305)

Development Fixes

  • Use Dir to list source files (#309)
  • Require Ruby >=2.4.0 (#307)

Commits

See the full diff on Github. The new version differs by 61 commits:

โ†—๏ธ jekyll-github-metadata (indirect, 2.13.0 โ†’ 2.16.1) ยท Repo ยท Changelog

Release Notes

2.16.1

Bug Fixes

  • Update references of help.github.com to docs.github.com (#260)

2.16.0

Minor Enhancements

  • Update octokit requirement from ~> 4.0, != 4.4.0 to >= 4, != 4.4.0, < 7 (#243)
  • Prevent loading all GH data on reset (#245)
  • Deprecate unnecessary constant in GitHubMetadata::Client (#239)

Development Fixes

  • Update rspec requirement from ~> 3.11.0 to ~> 3.12.0 (#244)
  • Bump Ruby versions in AppVeyor jobs (#253)
  • Bump rubocop-jekyll to 0.13.0 and fix rubocop issues (#252)

2.15.0

Bug Fixes

  • Inject site.github via :pre_render step rather than :after_init (#238)

Documentation

  • Add GitHub Actions badge and remove Travis one (#236)

2.14.0

Minor Enhancements

  • Use owner name as site title for User and Organization sites. (#197)
  • Add site.github.public_repositories[].releases (#224)
  • Add site.github.public_repositories[].contributors (#234)

Documentation

  • docs: Add dev docs (#212)
  • set PAGES_GITHUB_HOSTNAME to hostname without protocol (#191)
  • Add JEKYLL_ENV limitation for git remote (#185)

Development Fixes

  • Restore log level after running tests that modify it. (#202)
  • Add GitHub Actions CI (#211)
  • Update rubocop-jekyll requirement from ~> 0.5.0 to ~> 0.12.0 (#226)
  • Create dependabot.yml (#225)
  • Add rubocop todo file (#230)
  • Upgrade rspec to 3.11.x (#231)
  • CI: use 'main' branch instead of 'master' (#232)
  • Add release workflow (#235)

New Contributors

Full Changelog: v2.13.0...v2.14.0

Commits

See the full diff on Github. The new version differs by 66 commits:

โ†—๏ธ jekyll-mentions (indirect, 1.5.1 โ†’ 1.6.0) ยท Repo ยท Changelog

Release Notes

1.6.0

Minor Enhancements

  • Allow configuring base URL in page front matter (#72)
  • Incorporate document data only if it has override (#73)

Development Fixes

  • ci: test against Jekyll 4.0
  • style: target Ruby 2.4
  • ignore vendor/bundle

Bug Fixes

  • Support handling body tag across multiple lines (#70)

Commits

See the full diff on Github. The new version differs by 11 commits:

โ†—๏ธ jekyll-redirect-from (indirect, 0.15.0 โ†’ 0.16.0) ยท Repo ยท Changelog

Release Notes

0.16.0

Minor Enhancements

  • Allows generation of redirects.json to be disabled (#207)
  • Allow redirects from and for subclasses of page and document (#204)

Bug Fixes

  • Use Hash#key? instead of Hash#keys.any? (#201)

Development Fixes

  • Target Ruby 2.4
  • Stop testing with backwards-compatible site config (#211)

Documentation

  • Simplifies YAML for redirect_to (#185)

Commits

See the full diff on Github. The new version differs by 13 commits:

โ†—๏ธ jekyll-remote-theme (indirect, 0.4.1 โ†’ 0.4.3) ยท Repo

Release Notes

0.4.3

0.4.2

Jekyll 4.0 support (#61)

Commits

See the full diff on Github. The new version differs by 19 commits:

โ†—๏ธ jekyll-seo-tag (indirect, 2.6.1 โ†’ 2.8.0) ยท Repo ยท Changelog

Release Notes

2.8.0

Minor Enhancements

  • Allow to set type for author (#427)
  • Allow setting author.url (#453)
  • Implement Facebook domain verification (#455)
  • Add og:image:alt and twitter:image:alt (#438)
  • Sort JSON-LD data by key (#458)

Bug Fixes

  • Set the default og:type to 'website' (#391)
  • Template: Remove double new line (#454)

Development Fixes

  • Fix typo in source code comment (#449)
  • Set up Continuous Integration via GH Actions (#450)
  • Bump RuboCop to v1.18.x (#452)
  • Add workflow to release gem via GH Actions

2.7.1

Development Fixes

  • refactor: mutate site payload instead of duplicating it (#419)

2.7.0

Minor Enhancements

  • Change pagination message with seo_paginator_message option (#324)
  • Make Twitter Summary Card without having Twitter account (#284)
  • Prefer site.tagline to site.description for page title (#356)
  • Render og:locale meta only when defined explicitly (#388)

Bug Fixes

  • Ensure a single leading @ for twitter usernames (#367)

Development Fixes

  • chore(deps): require Ruby > 2.4.0 EOL
  • test: fix locale specs that use the fallback locale (#360)
  • refactor: Replace read-only empty hash with private constant (#418)
  • refactor: Mutate hash literals instead of duplicating them (#417)
  • refactor: Reduce allocations of instance-agnostic objects (#376)
  • refactor: Memoize #author_hash in SeoTag::AuthorDrop (#342)
  • refactor: simplify conditional in SeoTag::Drop#date_modified (#343)
  • chore(ci): profile seo-tag plugin on a third-party repository (#414)
  • chore(ci): Jekyll v4.0 (#372)
  • chore(ci): test against current stable Ruby 2.5 and 2.7 (#385)
  • style: align with latest jekyll-rubocop (#382)
  • fix: Travis builds for Jekyll 3.x (#415)

Documentation

  • Structured Data Testing Tool is deprecated (#409)
  • Rename Google webmaster tools to Google Search Console (#403)
  • Improve documentation on plugin usage (#399)
  • remove Google+ from example snippet (#358)
  • HTTPS link to https://ogp.me/ (#359)
  • HTTPS links to schema.org (#350)
  • use example.com for example URL (#351)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ jekyll-theme-architect (indirect, 0.1.1 โ†’ 0.2.0) ยท Repo

Release Notes

0.2.0

  • Add head-custom.html to allow easier customization of the <head> #48

Commits

See the full diff on Github. The new version differs by 26 commits:

โ†—๏ธ jekyll-theme-cayman (indirect, 0.1.1 โ†’ 0.2.0) ยท Repo

Release Notes

0.2.0

  • Add head-custom.html to allow easier customization of the <head> #133

Commits

See the full diff on Github. The new version differs by 45 commits:

โ†—๏ธ jekyll-theme-dinky (indirect, 0.1.1 โ†’ 0.2.0) ยท Repo

Release Notes

0.2.0

  • Add head-custom.html to allow easier customization of the <head> #22

Commits

See the full diff on Github. The new version differs by 21 commits:

โ†—๏ธ jekyll-theme-hacker (indirect, 0.1.1 โ†’ 0.2.0) ยท Repo

Release Notes

0.2.0

  • Add Google Analytics to head-custom.html to allow easier customization of the GA code #79

0.1.2

  • Allow Jekyll v4
  • Return to home on click page title #47
  • Show full header h1 for smaller displays #49

Commits

See the full diff on Github. The new version differs by 39 commits:

โ†—๏ธ jekyll-theme-leap-day (indirect, 0.1.1 โ†’ 0.2.0) ยท Repo

Release Notes

0.2.0

  • Added styled KBD tag, like in primer theme #47 (thanks, @gebeto)
  • Remove 'auto' from padding since it's not a valid padding #57
  • Add head-custom.html to allow easier customization of the <head> #56

Commits

See the full diff on Github. The new version differs by 34 commits:

โ†—๏ธ jekyll-theme-merlot (indirect, 0.1.1 โ†’ 0.2.0) ยท Repo

Release Notes

0.2.0

  • Add head-custom.html to allow easier customization of the <head> #10

Commits

See the full diff on Github. The new version differs by 19 commits:

โ†—๏ธ jekyll-theme-midnight (indirect, 0.1.1 โ†’ 0.2.0) ยท Repo

Release Notes

0.2.0

  • Add Google Analytics to head-custom.html to allow easier customization of the GA code #37

Commits

See the full diff on Github. The new version differs by 38 commits:

โ†—๏ธ jekyll-theme-minimal (indirect, 0.1.1 โ†’ 0.2.0) ยท Repo

Release Notes

0.2.0

  • Add head-custom.html to allow easier customization of the <head> #119

Commits

See the full diff on Github. The new version differs by 28 commits:

โ†—๏ธ jekyll-theme-modernist (indirect, 0.1.1 โ†’ 0.2.0) ยท Repo

Release Notes

0.2.0

  • Replace linear_gradient with linear-gradient() CSS function #17
  • Add head-custom.html to allow easier customization of the <head> #16

Commits

See the full diff on Github. The new version differs by 27 commits:

โ†—๏ธ jekyll-theme-primer (indirect, 0.5.4 โ†’ 0.6.0) ยท Repo

Release Notes

0.6.0

  • Add head-custom.html to allow easier customization of the <head> #61

Commits

See the full diff on Github. The new version differs by 22 commits:

โ†—๏ธ jekyll-theme-slate (indirect, 0.1.1 โ†’ 0.2.0) ยท Repo

Release Notes

0.2.0

  • Add head-custom.html to allow easier customization of the <head> #66
  • Added styled KBD tag, like in primer theme #47 (thanks, @gebeto)

Commits

See the full diff on Github. The new version differs by 25 commits:

โ†—๏ธ jekyll-theme-tactile (indirect, 0.1.1 โ†’ 0.2.0) ยท Repo

Release Notes

0.2.0

  • Add head-custom.html to allow easier customization of the <head> #23
  • Fall back code font-family to monospace #21 (thanks @lkslawek)

Commits

See the full diff on Github. The new version differs by 24 commits:

โ†—๏ธ jekyll-theme-time-machine (indirect, 0.1.1 โ†’ 0.2.0) ยท Repo

Release Notes

0.2.0

  • Add head-custom.html to allow easier customization of the <head> #22
  • Added styled KBD tag, like in primer theme #13 (thanks @gebeto)
  • Fix show_downloads #16 (thanks @deargle)

Commits

See the full diff on Github. The new version differs by 25 commits:

โ†—๏ธ jemoji (indirect, 0.11.1 โ†’ 0.13.0) ยท Repo ยท Changelog

Release Notes

0.13.0 (from changelog)

Development Fixes

  • Add Actions CI workflow (#127)
  • Add release workflow (#128)
  • Create dependabot config for rubygems upgrades (#126)
  • Add github-actions to dependabot (#132)
  • Bump actions/checkout from 2 to 3 (#133)
  • Upgrade Rubocop target version to 2.7 (#134)
  • Update rake requirement from ~> 12.0 to ~> 13.0 (#130)

Minor Enhancements

  • Update gemoji requirement from ~> 3.0 to >= 3, < 5 & test with both major versions (#131)

0.12.0

Minor Enhancements

  • perf: don't load Gemoji into memory immediately (#106)

Development Fixes

  • deps: Ruby > 2.4 (EOL)
  • ci: test with Ruby 2.7

Commits

See the full diff on Github. The new version differs by 33 commits:

โ†—๏ธ kramdown (indirect, 2.3.0 โ†’ 2.4.0) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ Remote code execution in Kramdown

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.
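The advisory above describes a class-lookup bug: a formatter name taken from document options was resolved as an arbitrary Ruby constant rather than as a member of `Rouge::Formatters`. The following is an added Ruby illustration of that pattern and its hardened counterpart; it is not kramdown's or Rouge's code, and the `Formatters` module, the `resolve_formatter*` names and the sample classes are assumptions made for the example.

```ruby
# Added illustration of the kramdown/Rouge issue; not kramdown's or Rouge's
# code. `Formatters` stands in for Rouge::Formatters (assumption), and the
# two resolver functions are hypothetical names chosen for this example.

module Formatters
  class HTML
    def render(code)
      "<pre>#{code}</pre>"
    end
  end

  class Plain
    def render(code)
      code
    end
  end
end

# Vulnerable lookup pattern: the name is resolved against Object, so every
# top-level constant (Kernel, File, IO, ...) is reachable, and whatever is
# done with the result afterwards (.new, a method call) is attacker-steered.
def resolve_formatter_unsafe(name)
  Object.const_get(name)
end

# Exactly one bare constant name: no "::" path segments, upper-case start.
FORMATTER_NAME = /\A[[:upper:]][[:alnum:]_]*\z/

# Hardened lookup: validate the shape of the name, look it up only inside
# the namespace (inherit = false stops Ruby from falling back to Object's
# constants), and insist that the result is a Class defined there.
def resolve_formatter(name)
  unless FORMATTER_NAME.match?(name.to_s)
    raise ArgumentError, "invalid formatter name: #{name.inspect}"
  end
  klass = Formatters.const_get(name, false)
  raise ArgumentError, "not a formatter: #{name}" unless klass.is_a?(Class)
  klass
rescue NameError
  raise ArgumentError, "unknown formatter: #{name}"
end

if $PROGRAM_NAME == __FILE__
  puts resolve_formatter("HTML").new.render("x < y")
  puts resolve_formatter_unsafe("Kernel")   # the bug: Kernel resolves
  begin
    resolve_formatter("Kernel")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The two controls that matter are the `false` inherit argument, which stops `const_get` from walking up to `Object`'s constants, and the name regex, which rules out `::`-qualified paths that could otherwise escape the namespace. This is only an illustration of the class of fix; consult the kramdown 2.3.1 changelog for the actual patch.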

โ†—๏ธ liquid (indirect, 4.0.3 โ†’ 4.0.4) ยท Repo ยท Changelog

Commits

See the full diff on Github. The new version differs by 12 commits:

โ†—๏ธ listen (indirect, 3.2.1 โ†’ 3.9.0) ยท Repo ยท Changelog

Release Notes

3.9.0

3.8.0

3.7.1

3.7.0

3.6.0

✨ New Features

3.5.1

3.4.0

3.3.4

3.3.3

  • Add project metadata to the gemspec (#519) @orien

3.3.2

3.3.1

3.3.0

✨ New Features

🐛 Bug Fixes

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ mini_portile2 (indirect, 2.4.0 โ†’ 2.8.9) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ minitest (indirect, 5.14.2 โ†’ 5.26.0) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ nokogiri (indirect, 1.10.8 โ†’ 1.18.10) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ Nokogiri patches vendored libxml2 to resolve multiple CVEs

Summary

Nokogiri v1.18.9 patches the vendored libxml2 to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796.

Impact and severity

CVE-2025-6021

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae

CVE-2025-6170

A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.

NVD claims a severity of 2.5 Low (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c1

CVE-2025-49794

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.

NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

CVE-2025-49795

A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.

NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/62048278

CVE-2025-49796

A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.

NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

Affected Versions

  • Nokogiri < 1.18.9 when using CRuby (MRI) with vendored libxml2

Patched Versions

  • Nokogiri >= 1.18.9

Mitigation

Upgrade to Nokogiri v1.18.9 or later.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.
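The mitigations quoted on this page reduce to minimum patched versions (Nokogiri >= 1.18.9 for the libxml2 set above, kramdown >= 2.3.1 for the Rouge formatter issue). The following added Ruby example, using only the standard library and not Nokogiri's, kramdown's or Depfu's code, checks a Gemfile.lock against those thresholds; the `PATCHED` table, the function names and the `SAMPLE_LOCK` fragment are constructed for the example.

```ruby
# Added example (stdlib only); not Nokogiri's, kramdown's or Depfu's code.
# Checks the gems resolved in a Gemfile.lock against the minimum patched
# versions stated in the advisories on this page. PATCHED, the function
# names and SAMPLE_LOCK are assumptions made for the example.
require "rubygems" # Gem::Version / Gem::Requirement ship with Ruby

PATCHED = {
  "nokogiri" => Gem::Requirement.new(">= 1.18.9"), # vendored libxml2 CVE set
  "kramdown" => Gem::Requirement.new(">= 2.3.1"),  # Rouge formatter RCE
}.freeze

# Top-level `specs:` entries look like "    name (version)"; each gem's own
# dependencies are indented two spaces further and do not match the
# anchored four-space prefix.
SPEC_LINE = /\A {4}(\S+) \(([^)]+)\)\s*\z/

# {name => Gem::Version}. A platform suffix ("1.10.8-x86_64-linux") is cut
# off first: Gem::Version would otherwise parse it as a prerelease, which
# sorts below 1.10.8 and could mask a vulnerable pin.
def locked_versions(lockfile_text)
  lockfile_text.each_line.each_with_object({}) do |line, acc|
    next unless (m = SPEC_LINE.match(line))
    acc[m[1]] = Gem::Version.new(m[2].split("-", 2).first)
  end
end

# [[name, locked_version, required_range], ...] for every gem in `table`
# that the lockfile pins below its patched range.
def unpatched(lockfile_text, table = PATCHED)
  locked_versions(lockfile_text).each_with_object([]) do |(name, version), out|
    req = table[name]
    next if req.nil? || req.satisfied_by?(version)
    out << [name, version.to_s, req.to_s]
  end
end

# Constructed lockfile fragment for the example (not taken from the PR).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      kramdown (2.3.0)
        rexml
      nokogiri (1.10.8-x86_64-linux)
        mini_portile2 (~> 2.4.0)
      rexml (3.2.5)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    kramdown
    nokogiri
LOCK

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  unpatched(text).each do |name, got, want|
    puts "#{name} #{got} is below the patched range #{want}"
  end
end
```

Run it as `ruby check_lock.rb path/to/Gemfile.lock`. A version check is necessary but not sufficient here: as the advisories note, they apply to CRuby builds using the vendored libxml2, so a Nokogiri built against system libraries must be tracked via the distro's libxml2 instead, and JRuby is unaffected by the libxml2 issues. For routine use, bundler-audit performs the same comparison against the full Ruby advisory database rather than a hand-maintained table.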

References

🚨 Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415

Summary

Nokogiri v1.18.8 upgrades its dependency libxml2 to v2.13.8.

libxml2 v2.13.8 addresses:

Impact

CVE-2025-32414: No impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

There is no impact from this CVE for Nokogiri users.

CVE-2025-32415: Low impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

In the upstream issue, further context is provided by the maintainer:

The bug affects validation against untrusted XML Schemas (.xsd) and validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

MITRE has published a severity score of 2.9 LOW (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.

🚨 Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs

Summary

Nokogiri v1.18.4 upgrades its dependency libxslt to v1.1.43.

libxslt v1.1.43 resolves:

Impact

CVE-2025-24855

CVE-2024-55549

🚨 Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

🚨 Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

  • 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
  • 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
  • 2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

🚨 Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062

Summary

Nokogiri upgrades its dependency libxml2 as follows:

  • Nokogiri v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
  • Nokogiri v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Timeline

  • 2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information
  • 2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions
  • 2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public
  • 2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated "Impact" section
  • 2024-03-16 09:03 EDT - v1.15.6 published (see discussion at #3146), updated mitigation information
  • 2024-03-18 22:12 EDT - update "affected products" range with v1.15.6 information

🚨 Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs

Summary

Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to v2.10.4 from v2.10.3.

libxml2 v2.10.4 addresses the following known vulnerabilities:

  • CVE-2023-29469: Hashing of empty dict strings isn't deterministic
  • CVE-2023-28484: Fix null deref in xmlSchemaFixupComplexType
  • Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.14.3.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.10.4 which will also address these same issues.

Impact

No public information has yet been published about the security-related issues other than the upstream commits. Examination of those changesets indicates that the more serious issues relate to libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.

The commits can be examined at:

🚨 Unchecked return value from xmlTextReaderExpand

Summary

Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.

For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

Mitigation

Upgrade to Nokogiri >= 1.13.10.

Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

Credit

This vulnerability was responsibly reported by @davidwilemski.

🚨 Update bundled libxml2 to v2.10.3 to resolve multiple CVEs

Summary

Nokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to v2.10.3 from v2.9.14.

libxml2 v2.10.3 addresses the following known vulnerabilities:

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.9, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.9.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.10.3 which will also address these same issues.

Impact

libxml2 CVE-2022-2309

  • CVSS3 score: Under evaluation
  • Type: Denial of service
  • Description: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Nokogiri maintainers investigated at #2620 and determined this CVE does not affect Nokogiri users.

libxml2 CVE-2022-40304

  • CVSS3 score: Unspecified upstream
  • Type: Data corruption, denial of service
  • Description: When an entity reference cycle is detected, the entity content is cleared by setting its first byte to zero. But the entity content might be allocated from a dict. In this case, the dict entry becomes corrupted leading to all kinds of logic errors, including memory errors like double-frees.

See https://gitlab.gnome.org/GNOME/libxml2/-/commit/644a89e080bced793295f61f18aac8cfad6bece2

libxml2 CVE-2022-40303

  • CVSS3 score: Unspecified upstream
  • Type: Integer overflow
  • Description: Integer overflows with XML_PARSE_HUGE

See https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0

References

🚨 Nokogiri Implements libxml2 version vulnerable to use-after-free

There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

🚨 Nokogiri has vulnerable dependencies on libxml2 and libxslt

Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

🚨 Nokogiri Implements libxml2 version vulnerable to null pointer dereferencing

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.

🚨 Nokogiri contains libxml Out-of-bounds Write vulnerability

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

Nokogiri prior to version 1.11.4 used a vulnerable version of libxml2. Nokogiri 1.11.4 updated libxml2 to version 2.9.11 to address this and other vulnerabilities in libxml2.

🚨 Nokogiri Improperly Handles Unexpected Data Type

Summary

Nokogiri < v1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers. For CRuby users, this may allow specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory.

Severity

The Nokogiri maintainers have evaluated this as High 8.2 (CVSS3.1).

Mitigation

CRuby users should upgrade to Nokogiri >= 1.13.6.

JRuby users are not affected.

Workarounds

To avoid this vulnerability in affected applications, ensure the untrusted input is a String by calling #to_s or equivalent.

Credit

This vulnerability was responsibly reported by @agustingianni and the Github Security Lab.

🚨 Integer Overflow or Wraparound in libxml2 affects Nokogiri

Summary

Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from v2.9.13 to v2.9.14.

libxml2 v2.9.14 addresses CVE-2022-29824. This version also includes several security-related bug fixes for which CVEs were not created, including a potential double-free, potential memory leaks, and integer-overflow.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.5, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.5.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.9.14 which will also address these same issues.

Impact

libxml2 CVE-2022-29824

  • CVSS3 score:
  • Type: Denial of service, information disclosure
  • Description: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
  • Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a24

All versions of libxml2 prior to v2.9.14 are affected.

Applications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service.

References

🚨 Nokogiri Inefficient Regular Expression Complexity

Summary

Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

CWE-1333 Inefficient Regular Expression Complexity

Credit

This vulnerability was reported by HackerOne user ooooooo_q (ななおく).

🚨 Denial of Service (DoS) in Nokogiri on JRuby

Summary

Nokogiri v1.13.4 updates the vendored org.cyberneko.html library to 1.9.22.noko2 which addresses CVE-2022-24839. That CVE is rated 7.5 (High Severity).

See GHSA-9849-p7jc-9rmv for more information.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Impact

CVE-2022-24839 in nekohtml

  • Severity: High 7.5
  • Type: CWE-400 Uncontrolled Resource Consumption
  • Description: The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup.
  • See also: GHSA-9849-p7jc-9rmv

🚨 Out-of-bounds Write in zlib affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses CVE-2018-25032. That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.4, and only if the packaged version of zlib is being used. Please see this document for a complete description of which platform gems vendor zlib. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's zlib release announcements.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2018-25032 in zlib

  • Severity: High
  • Type: CWE-787 Out of bounds write
  • Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

🚨 XML Injection in Xerces Java affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored xerces:xercesImpl from 2.12.0 to 2.12.2, which addresses CVE-2022-23437. That CVE is scored as CVSS 6.5 "Medium" on the NVD record.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2022-23437 in xerces-J

  • Severity: Medium
  • Type: CWE-91 XML Injection (aka Blind XPath Injection)
  • Description: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
  • See also: GHSA-h65f-jvqw-m9fj

🚨 Nokogiri affected by zlib's Out-of-bounds Write vulnerability

zlib 1.2.11 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

🚨 Vulnerable dependencies in Nokogiri

Summary

Nokogiri v1.13.2 upgrades two of its packaged dependencies:

  • vendored libxml2 from v2.9.12 to v2.9.13
  • vendored libxslt from v1.1.34 to v1.1.35

Those library versions address the following upstream CVEs:

Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version of Nokogiri against external libraries libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.

Impact

libxslt CVE-2021-30560

All versions of libxslt prior to v1.1.35 are affected.

Applications using untrusted XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately.

libxml2 CVE-2022-23308

The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an untrusted document with parse options DTDVALID set to true, and NOENT set to false.

An analysis of these parse options:

  • While NOENT is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later.
  • DTDVALID is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly.

It seems reasonable to assume that any application explicitly setting the parse option DTDVALID when parsing untrusted documents is vulnerable and should be upgraded immediately.

🚨 Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.0) for JRuby users. (This security advisory does not apply to CRuby users.)

Impact

In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default.

Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected:

  • Nokogiri::XML::SAX::Parser
  • Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser
  • Nokogiri::XML::SAX::PushParser
  • Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser

Mitigation

JRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier.

CRuby users are not affected.

🚨 Nokogiri updates packaged dependency on libxml2 from 2.9.10 to 2.9.12

Summary

Nokogiri v1.11.4 updates the vendored libxml2 from v2.9.10 to v2.9.12 which addresses:

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.11.4, and only if the packaged version of libxml2 is being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.11.4.

Impact

I've done a brief analysis of the published CVEs that are addressed in this upstream release. The libxml2 maintainers have not released a canonical set of CVEs, and so this list is pieced together from secondary sources and may be incomplete.

All information below is sourced from security.archlinux.org, which appears to have the most up-to-date information as of this analysis.

CVE-2019-20388

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2020-7595

This has been patched in Nokogiri since v1.10.8 (see #1992).

CVE-2020-24977

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3516

Verified that the fix commit first appears in v2.9.11. This vector does not exist within Nokogiri, which does not ship xmllint.

CVE-2021-3517

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3518

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3537

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3541

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4, however Nokogiri's default parse options prevent the attack from succeeding (it is necessary to opt into DTDLOAD which is off by default).

For more details supporting this analysis of this CVE, please visit #2233.

🚨 Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability

Severity

Nokogiri maintainers have evaluated this as Low Severity (CVSS3 2.6).

Description

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.

This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.

Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity".

Affected Versions

Nokogiri <= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3

Mitigation

There are no known workarounds for affected versions. Upgrade to Nokogiri 1.11.0.rc4 or later.

If, after upgrading to 1.11.0.rc4 or later, you wish to re-enable network access for resolution of external resources (i.e., return to the previous behavior):

  1. Ensure the input is trusted. Do not enable this option for untrusted input.
  2. When invoking the Nokogiri::XML::Schema constructor, pass as the second parameter an instance of Nokogiri::XML::ParseOptions with the NONET flag turned off.

So if your previous code was:

# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network
# but in v1.11.0.rc4 and later, this call will disallow network access for external resources
schema = Nokogiri::XML::Schema.new(schema)

# in v1.11.0.rc4 and later, the following is equivalent to the code above
# (the second parameter is optional, and this demonstrates its default value)
schema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)

Then you can add the second parameter to indicate that the input is trusted by changing it to:

# in v1.11.0.rc3 and earlier, this would raise an ArgumentError 
# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network
schema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)

References

Credit

This vulnerability was independently reported by @eric-therond and @gucki.

The Nokogiri maintainers would like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to us.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ octokit (indirect, 4.18.0 โ†’ 4.25.1) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ Octokit gem published with world-writable files

Impact

Versions 4.23.0 and 4.24.0 of the octokit gem were published containing world-writeable files.

Specifically, the gem was packed with files having their permissions set to -rw-rw-rw- (i.e. 0666) instead of rw-r--r-- (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem.

Malicious code already present and running on your machine, separate from this package, could modify the gem's files and change its behavior during runtime.

Patches

Workarounds

Users can use the previous version of the gem v4.22.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.
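The manual workaround above can be scripted. The following is an added example, not octokit's own code or anything from the advisory: it walks a directory, reports regular files that are writable by group or others (the -rw-rw-rw- condition described above), and clears those bits so a 0666 file becomes 0644. The fixture it builds in a temporary directory is constructed for the demonstration; the function names are this example's own.

```ruby
# Added example (not octokit's code): audit a gem directory for files that
# anyone other than the owner can write, and remove those permission bits.
require "fileutils"
require "tmpdir"

# Group-write and other-write bits: the two "w"s that should not be set
# on an installed gem file (0666 has them, 0644 does not).
NON_OWNER_WRITE_BITS = 0o022

# Returns the sorted paths of regular files under +root+ that are writable
# by group or by everyone.
def non_owner_writable_files(root)
  Dir.glob(File.join(root, "**", "*"), File::FNM_DOTMATCH).select do |path|
    File.file?(path) && (File.stat(path).mode & NON_OWNER_WRITE_BITS) != 0
  end.sort
end

# Clears the group/other write bits on each path while keeping every other
# permission bit intact. Returns a Hash of path => new permission mode.
def remove_non_owner_write!(paths)
  paths.each_with_object({}) do |path, changed|
    # stat.mode includes the file-type bits; mask them off before chmod.
    new_mode = (File.stat(path).mode & 0o7777) & ~NON_OWNER_WRITE_BITS
    File.chmod(new_mode, path)
    changed[path] = new_mode
  end
end

# Constructed fixture mimicking the bad release: one file packed as 0666 and
# one packed correctly as 0644. chmod is called explicitly so the process
# umask cannot interfere with the demonstration.
def build_fixture(root)
  bad  = File.join(root, "lib", "octokit.rb")
  good = File.join(root, "README.md")
  FileUtils.mkdir_p(File.dirname(bad))
  File.write(bad, "# constructed sample file\n")
  File.write(good, "# constructed sample file\n")
  File.chmod(0o666, bad)
  File.chmod(0o644, good)
  [bad, good]
end

# Runs the audit against a throwaway directory: what was found, the modes
# written, and how many offending files remain afterwards.
def audit_demo
  Dir.mktmpdir("gem-audit") do |root|
    build_fixture(root)
    found = non_owner_writable_files(root)
    fixed = remove_non_owner_write!(found)
    {
      found: found.map { |p| p.delete_prefix(root + "/") },
      fixed: fixed.values,
      remaining: non_owner_writable_files(root).size
    }
  end
end

if __FILE__ == $0
  puts audit_demo.inspect
end
```

To check an installed copy rather than the fixture, pass the gem's directory, for example `Gem::Specification.find_by_name("octokit").gem_dir`, to non_owner_writable_files; upgrading to a fixed release remains the proper remedy.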

Release Notes

4.25.1

  • Stop configuring Faraday's retry middleware twice (@Edouard-chin)
  • Fix various Ruby warnings (e.g. missing parentheses) (@coryf)

4.25.0

✅ NOTE: This release remediates the security advisory published for versions 4.23.0 and 4.24.0 of this gem. You can read more about this in the published security advisory. ✅

DX Improvements

CI Improvements

Updates all build scripts to be more durable and adds details on how to run a manual file integrity check by @nickfloyd in #1446

Housekeeping

  • Drop support for Ruby 1.9.2 in Octokit::Client::Contents#create_contents by @timrogers in #1442

Full Changelog: v4.24.0...v4.25.0

4.24.0

Known issues

Note: This release fixes the issue around autoloading modules causing some modules to not load before use #1428


Code improvements


CI Improvements

  • Adds Code QL analysis to octokit.rb via @nickfloyd

Bug fixes


Full Changelog: v4.23.0...v4.24.0

4.23.0

Code improvements


CI Improvements


Performance improvements


Bug fixes


Documentation


Full Changelog: v4.22.0...v4.23.0

4.22.0

Deprecation Fix

Code Improvements

CI and dependency updates

Documentation

4.21.0

API Support

Error handling

Code clean up

Documentation

4.20.0

API Support

Bug fixes

  • #1309 Paginate outside_collaborators calls @sds
  • #1316 Uses of FaradayMiddleware#on_complete should not be private @tarebyte

Code improvements

Documentation

4.19.0

Code Improvements

API Support

Documentation

CI and dependency updates

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ public_suffix (indirect, 3.1.1 โ†’ 5.1.1) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ rainbow (indirect, 3.0.0 โ†’ 3.1.1) ยท Repo ยท Changelog

Release Notes

3.1.1 (from changelog)

  • fix: Ensure files directive in gemspec adds all files

3.1.0 (from changelog)

  • Bad release: superseded by 3.1.1.
  • added cross_out aka strike
  • hexadecimal color names supported better, see #83
  • gemspec: list files using a Ruby expression, avoiding git

(2020-08-26 was the planned release date, but the real release date is reflected in the heading.)

Commits

See the full diff on Github. The new version differs by 29 commits:

โ†—๏ธ rb-fsevent (indirect, 0.10.4 โ†’ 0.11.2) ยท Repo

Release Notes

0.11.2

  • Avoid modifying string literals #91

0.11.1

  • rescue Errno::EBADF when closing pipe #92

0.11.0

Commits

See the full diff on Github. The new version differs by 10 commits:

โ†—๏ธ rb-inotify (indirect, 0.10.1 โ†’ 0.11.1) ยท Repo

Commits

See the full diff on Github. The new version differs by 7 commits:

โ†—๏ธ rexml (indirect, 3.2.4 โ†’ 3.4.4) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ REXML has DoS condition when parsing malformed XML file

Impact

The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations.
If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

Patches

REXML gems 3.4.2 or later include the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

🚨 REXML ReDoS vulnerability

Impact

The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;).

This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.

Patches

The REXML gem 3.3.9 or later includes the patch to fix the vulnerability.

Workarounds

Use Ruby 3.2 or later instead of Ruby 3.1.

References

🚨 REXML denial of service vulnerability

Impact

The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes.

If you need to parse untrusted XMLs with the tree parser API such as REXML::Document.new, you may be impacted by this vulnerability. If you use other parser APIs such as the stream parser API or the SAX2 parser API, you are not affected by this vulnerability.

Patches

The REXML gem 3.3.6 or later includes the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with tree parser API.

References

🚨 REXML DoS vulnerability

Impact

The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with the SAX2 or pull parser API.

If you need to parse untrusted XMLs with the SAX2 or pull parser API, you may be impacted by this vulnerability.

Patches

The REXML gem 3.3.3 or later includes the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with SAX2 or pull parser API.

References

🚨 REXML DoS vulnerability

Impact

The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace characters, >] and ]>.

If you need to parse untrusted XMLs, you may be impacted by these vulnerabilities.

Patches

The REXML gem 3.3.3 or later includes the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

🚨 REXML denial of service vulnerability

Impact

The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as <, 0 and %>.

If you need to parse untrusted XMLs, you may be impacted by these vulnerabilities.

Patches

The REXML gem 3.3.2 or later includes the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

🚨 REXML contains a denial of service vulnerability

Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many >s in an attribute value.

If you need to parse untrusted XMLs, you may be impacted by this vulnerability.

Patches

The REXML gem 3.2.7 or later includes the patch to fix this vulnerability.

Workarounds

Don't parse untrusted XMLs.

References

🚨 REXML round-trip instability

The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ rouge (indirect, 3.19.0 โ†’ 3.30.0) ยท Repo ยท Changelog

Release Notes

3.30.0

We bring you 3 new exciting lexers in this release: Isabelle, Meson and Nial lexer. There are also some fixes and improvements on CPP, Dart, Groovy, JavaScript, Pascal, PHP and TOML lexer.

Thank you to all of the amazing contributors for your help and continuous support!

Full Changelog: v3.29.0...v3.30.0

3.29.0

We bring you 5 new exciting lexers in this release: Idris, Lean, Syzlang and Syzprog lexer. There are also some fixes and improvements on Docker, Matlab and Python lexer.

Furthermore, we have made some improvements in Rouge and Rouge CI. We are now running Ruby 3.1 as part of our CI. As part of this release, we also introduced Code of Conduct v2.1.

Thank you to all of the amazing contributors for your help and continuous support!

New Contributors

Full Changelog: v3.28.0...v3.29.0

3.28.0

This first release of 2022 introduces 3 new lexers: Fluent, Stan and Stata. There are also numerous fixes and improvements across C, Console, CPP, Cypher, Dart, HCL, JSX, Kotlin, Rust, SPARQL and TOML lexer. In addition, we have added support to run the visual test app in Ruby 3.0.

Thank you to everyone who has contributed to this release. It is wonderful to see some first-time contributors. May all your wishes come true in 2022!

3.27.0 (from changelog)

Comparison with the previous version

  • Ceylon Lexer
    • Backtracking fix in interpolation regex (#1773 by thewoolleyman)
  • Dafny Lexer
    • Add Dafny Lexer (#1647 by davidcok, mschlaipfer)
  • Elixir Lexer
    • Add support for HEEX templates (#1736 by sineed)
  • Rust Lexer
    • Fix lexing of integers, escapes, identifiers, unicode idents, keywords and builtins, byte strings and multiline and doc comments (#1711 by thomcc)
  • SQL Lexer
    • Curly brace support (#1714 by hawkfish)
    • Add more SQL dialects in visual samples (#1751 by tancnle)
    • Windowing keywords support (#1754 by hawkfish)
  • Swift Lexer
    • Add 5.5 keywords (#1715 by johnfairh)
  • Rouge CI
    • Migrate from Travis CI to GitHub (#1728 by Geod24)
  • Documentation

3.26.1 (from changelog)

Comparison with the previous version

  • CPP Lexer
    • Add year and date chrono literals, add std::complex literals, fix chrono literals with digit separator (#1665 by swheaton)
  • Factor and GHC Core Lexer
    • Fix catastrophic backtrack (#1690 by Ravlen)
  • JSL Lexer
    • Fix single line block comments, scoped variables and functions (#1663 by BenPH)
  • YAML Lexer
    • Fix YAML key containing special character (#1667 by tancnle)
  • Fix Ruby 2.7 keyword parameter deprecation warning (#1597 by stanhu)
  • Updated README (#1666 by dchacke)

3.26.0

There are two things to report in this release.

The first are the usual notes. We have two new lexers: one for OCL and one for ReScript. There are also fixes for the CMake, Crystal, JSL, Python, ReasonML and Rust lexers. Thank you to all the contributors!

The second is that I'd like to announce that this will be my last release as a maintainer of Rouge. It's been a terrific experience and I'd like to thank @jneen and the other maintainers for making me feel very welcome. I wish them all the best as Rouge moves to version 4!

3.25.0

No new lexers this time but we do have a lot of updates. There are fixes for the Batchfile, C++, Docker, JavaScript, Kotlin, Perl, PowerShell, Ruby, Rust and Velocity lexers. Enjoy!

3.24.0

This release has two new lexers: one for e-mails (yes, I am aware it is only me that spells it that way) and one for J (why not another language starting with J?). There's also fixes for the Apex, HTTP, Janet, JavaScript and Rust lexers. And on top of all of that, there are some improvements to Rouge itself, including a new CLI debug command and a line highlighting option.

Thanks to everyone who contributed bug reports and pull requests. Stay safe and lex responsibly!

3.23.0

This release has two new lexers: one for PostScript and one for systemd unit files. There's also fixes for the Kotlin, Ruby and Rust lexers. Thanks to all the contributors who help make Rouge better. Don't forget to wear a mask!

3.22.0

This is a small release with just one update: a major rewrite of the PHP lexer. Hopefully the improved level of detail makes your PHP code look prettier but do report any issues you find with it!

3.21.0

This release has three new lexers, one for BrightScript, one for Janet and one for SSH Config. There's also fixes for the Batchfile, C++, Jinja, Perl, PowerShell, Rego, Sass, SCSS and Twig lexers. Happy highlighting!

3.20.0

We've got some new lexers again! This release includes lexers for Augeas, BibTeX, HLSL, LiveScript, Velocity and Zig. On top of that, we have fixes for the C++, Diff, Haskell, HTML, JavaScript, JSX, OpenType Feature File, PowerShell, TSX and TypeScript lexers.

I'd like to especially call out @lkinasiewicz for the LiveScript lexer. This was originally submitted back in 2017 and it's great to have it finally part of Rouge! The backlog of outstanding PRs is still too long but we are slowly making progress. As I like to say: forward, not backward; upward, not forward; and always twirling, twirling, twirling towards freedom!

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ rubyzip (indirect, 2.3.0 โ†’ 2.4.1) ยท Repo ยท Changelog

Release Notes

2.3.2 (from changelog)

  • A "dummy" release to warn about breaking changes coming in version 3.0. This updated version uses the Gem post_install_message instead of printing to STDERR.

2.3.1

This is a "dummy" release to warn about breaking changes coming in version 3.0.

Commits

See the full diff on Github. The new version differs by 38 commits:

โ†—๏ธ sawyer (indirect, 0.8.2 โ†’ 0.9.3) ยท Repo

Release Notes

0.9.3

What's Changed

New Contributors

Full Changelog: v0.9.2...v0.9.3

0.9.1

What's Changed

  • Specify correct minimal Faraday version by @skryukov in #73

New Contributors

Full Changelog: v0.9.0...v0.9.1

Commits

See the full diff on Github. The new version differs by 20 commits:

โ†—๏ธ simpleidn (indirect, 0.1.1 โ†’ 0.2.3) ยท Repo

Sorry, we couldnโ€™t find anything useful about this release.

โ†—๏ธ typhoeus (indirect, 1.3.1 โ†’ 1.5.0) ยท Repo ยท Changelog

Release Notes

1.5.0 (from changelog)

Full Changelog

1.4.0 (from changelog)

Full Changelog

1 feature

  • Faraday adapter exceptions namespace compatibility with Faraday v1 (@iMacTia in #616)

3 Others

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ tzinfo (indirect, 1.2.7 โ†’ 2.0.6) ยท Repo ยท Changelog

Security Advisories ๐Ÿšจ

๐Ÿšจ TZInfo relative path traversal vulnerability allows loading of arbitrary files

Impact

Affected versions

  • 0.3.60 and earlier.
  • 1.0.0 to 1.2.9 when used with the Ruby data source (tzinfo-data).

Vulnerability

With the Ruby data source (the tzinfo-data gem for tzinfo version 1.0.0 and later and built-in to earlier versions), time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process.

For example, with version 1.2.9, you can run the following to load a file with path /tmp/payload.rb:

TZInfo::Timezone.get("foo\n/../../../../../../../../../../../../../../../../tmp/payload")

The exact number of parent directory traversals needed will vary depending on the location of the tzinfo-data gem.

TZInfo versions 1.2.6 to 1.2.9 can be made to load files from outside of the Ruby load path. Versions up to and including 1.2.5 can only be made to load files from directories within the load path.

This could be exploited in, for example, a Ruby on Rails application using tzinfo version 1.2.9, that allows file uploads and has a time zone selector that accepts arbitrary time zone identifiers. The CVSS score and severity have been set on this basis.

Versions 2.0.0 and later are not vulnerable.

Patches

Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers (commit 9eddbb5 for 0.3.x and commit 9905ca9 for 1.2.x).

Note that version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. For example if /tmp/upload was in the load path, then TZInfo::Timezone.get('foo') could load a file with path /tmp/upload/tzinfo/definition/foo.rb. Applications should ensure that untrusted files are not placed in a directory on the load path.

Workarounds

As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.
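The regular expression from the workaround, applied as a guard in front of TZInfo::Timezone.get, as an added example that is not code from the TZInfo advisory or the gem. The safe_timezone_get wrapper and its injected loader are this example's own (the loader is injected so the script runs without tzinfo installed; in an application the default loader calls TZInfo::Timezone.get). The sample identifiers are constructed, apart from the traversal string quoted in the advisory above, which is included to show that it is rejected.

```ruby
# Added example (not TZInfo's code): validate untrusted time zone identifiers
# with the advisory's workaround pattern before they reach TZInfo::Timezone.get.

# The advisory's regular expression. \A and \z anchor to the whole string;
# Ruby's ^ and $ match at line boundaries, so they would NOT reject an
# identifier that carries a newline followed by a path.
TZ_IDENTIFIER = /\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z/

class UntrustedTimezoneIdentifier < ArgumentError; end

# True when the identifier is a String and matches the workaround pattern.
def valid_timezone_identifier?(identifier)
  identifier.is_a?(String) && TZ_IDENTIFIER.match?(identifier)
end

# Hypothetical wrapper: rejects anything that fails validation, then hands the
# identifier to the loader. The loader defaults to TZInfo::Timezone.get but
# can be replaced (as the demonstration does) so no gem is required here.
def safe_timezone_get(identifier, loader = ->(id) { TZInfo::Timezone.get(id) })
  unless valid_timezone_identifier?(identifier)
    raise UntrustedTimezoneIdentifier,
          "rejected time zone identifier #{identifier.inspect}"
  end
  loader.call(identifier)
end

# Constructed inputs: the advisory's traversal string, three well-formed
# identifiers, an empty string, and a relative path without a newline.
SAMPLE_IDENTIFIERS = [
  "foo\n/../../../../../../../../../../../../../../../../tmp/payload",
  "Europe/London",
  "America/Argentina/Buenos_Aires",
  "Etc/GMT+5",
  "",
  "../tzinfo/definition/foo"
].freeze

# Splits identifiers into [accepted, rejected] according to the pattern.
def classify(identifiers = SAMPLE_IDENTIFIERS)
  identifiers.partition { |id| valid_timezone_identifier?(id) }
end

if __FILE__ == $0
  accepted, rejected = classify
  puts "accepted: #{accepted.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```

Validation belongs at the point where the identifier leaves untrusted input (a form field or API parameter); the pattern only admits letters, digits, "+", "-" and "_" separated by single slashes, so "." segments, newlines and empty components never reach require.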

For more information

If you have any questions or comments about this advisory:

Release Notes

2.0.6

  • Eliminate Object#untaint deprecation warnings on JRuby 9.4.0.0. #145.

TZInfo v2.0.6 on RubyGems.org

2.0.5

  • Changed DateTime results to always use the proleptic Gregorian calendar. This affects DateTime results prior to 1582-10-15 and any arithmetic performed on the results that would produce a secondary result prior to 1582-10-15.
  • Added support for eager loading all the time zone and country data by calling either TZInfo::DataSource#eager_load! or TZInfo.eager_load!. Compatible with Ruby On Rails' eager_load_namespaces. #129.
  • Ignore the SECURITY file from Arch Linux's tzdata package. #134.

TZInfo v2.0.5 on RubyGems.org

2.0.4

  • Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

TZInfo v2.0.4 on RubyGems.org

2.0.3

  • Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used to calculate DST transition times after the final defined transition in the file. #120.
  • Fixed TimeWithOffset#getlocal returning a TimeWithOffset with the timezone_offset still assigned when called with an offset argument on JRuby 9.3.
  • Rubinius is no longer supported.

TZInfo v2.0.3 on RubyGems.org

2.0.2

  • Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
  • Fixed warnings when running on Ruby 2.8. #113.

TZInfo v2.0.2 on RubyGems.org

2.0.1

  • Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode. #100.
  • Fixed warnings when running on Ruby 2.7. #109.
  • Add a TZInfo::Timezone#=~ method that performs a regex match on the time zone identifier. #99.
  • Add a TZInfo::Country#=~ method that performs a regex match on the country code.

TZInfo v2.0.1 on RubyGems.org

2.0.0

Added

  • to_local and period_for instance methods have been added to TZInfo::Timezone. These are similar to utc_to_local and period_for_utc, but take the UTC offset of the given time into account.
  • abbreviation, dst?, base_utc_offset and observed_utc_offset instance methods have been added to TZInfo::Timezone, returning the abbreviation, whether daylight savings time is in effect and the UTC offset of the time zone at a specified time.
  • A TZInfo::Timestamp class has been added. It can be used with TZInfo::Timezone in place of a Time or DateTime.
  • local_time, local_datetime and local_timestamp instance methods have been added to TZInfo::Timezone. These methods construct local Time, DateTime and TZInfo::Timestamp instances with the correct UTC offset and abbreviation for the time zone.
  • Support for a (yet to be released) version 2 of tzinfo-data has been added, in addition to support for version 1. The new version will remove the (no longer needed) DateTime parameters from transition times, reduce memory consumption and improve the efficiency of loading timezone and country indexes.
  • A TZInfo::VERSION constant has been added, indicating the TZInfo version number.

Changed

  • The minimum supported Ruby versions are now Ruby MRI 1.9.3, JRuby 1.7 (in 1.9 or later mode) and Rubinius 3.
  • Local times are now returned using the correct UTC offset (instead of using UTC). #49 and #52.
  • Local times are returned as instances of TimeWithOffset, DateTimeWithOffset or TZInfo::TimestampWithOffset. These classes subclass Time, DateTime and TZInfo::Timestamp respectively. They override the default behaviour of the base classes to return information about the observed offset at the indicated time. For example, the zone abbreviation is returned when using the %Z directive with strftime.
  • The transitions_up_to, offsets_up_to and strftime instance methods of TZInfo::Timezone now take the UTC offsets of given times into account (instead of ignoring them as was previously the case).
  • The TZInfo::TimezonePeriod class has been split into two subclasses: TZInfo::OffsetTimezonePeriod and TZInfo::TransitionsTimezonePeriod. TZInfo::OffsetTimezonePeriod is returned for time zones that only have a single offset. TZInfo::TransitionsTimezonePeriod is returned for periods that start or end with a transition.
  • TZInfo::TimezoneOffset#abbreviation, TZInfo::TimezonePeriod#abbreviation and TZInfo::TimezonePeriod#zone_identifier now return frozen String instances instead of instances of Symbol.
  • The utc_offset and utc_total_offset attributes of TZInfo::TimezonePeriod and TZInfo::TimezoneOffset have been renamed base_utc_offset and observed_utc_offset respectively. The former names have been retained as aliases.
  • TZInfo::Timezone.get, TZInfo::Timezone.get_proxy and TZInfo::Country.get can now be used with strings having any encoding. Previously, only encodings that are directly comparable with UTF-8 were supported.
  • The requested identifier is included in TZInfo::InvalidTimezoneIdentifier exception messages.
  • The requested country code is included in TZInfo::InvalidCountryCode exception messages.
  • The full range of transitions is now loaded from zoneinfo files. Zoneinfo files produced with version 2014c of the zic tool contain an initial transition 2**63 seconds before the epoch. Zoneinfo files produced with version 2014d or later of zic contain an initial transition 2**59 seconds before the epoch. These transitions would previously have been ignored, but are now returned in methods such as TZInfo::Timezone#transitions_up_to.
  • The TZInfo::RubyDataSource and TZInfo::ZoneinfoDataSource classes have been moved into a new TZInfo::DataSources module. Code that is setting TZInfo::ZoneinfoDataSource.search_path or TZInfo::ZoneinfoDataSource.alternate_iso3166_tab_search_path will need to be updated accordingly.
  • The TZInfo::InvalidZoneinfoDirectory and TZInfo::ZoneinfoDirectoryNotFound exception classes raised by TZInfo::DataSources::ZoneinfoDataSource have been moved into the TZInfo::DataSources module.
  • Setting the data source to :ruby or instantiating TZInfo::DataSources::RubyDataSource will now immediately raise a TZInfo::DataSources::TZInfoDataNotFound exception if require 'tzinfo/data' fails. Previously, a failure would only occur later when accessing an index or loading a timezone or country.
  • The DEFAULT_SEARCH_PATH and DEFAULT_ALTERNATE_ISO3166_TAB_SEARCH_PATH constants of TZInfo::DataSources::ZoneinfoDataSource have been made private.
  • The TZInfo::Country.data_source, TZInfo::DataSource.create_default_data_source, TZInfo::DataSources::ZoneinfoDataSource.process_search_path, TZInfo::Timezone.get_proxies and TZInfo::Timezone.data_source methods have been made private.
  • The performance of loading zoneinfo files and the associated indexes has been improved.
  • Memory use has been decreased by deduplicating String instances when loading country and time zone data.
  • The dependency on the deprecated thread_safe gem has been removed and replaced by concurrent-ruby.
  • The Info classes used to return time zone and country information from TZInfo::DataSource implementations have been moved into the TZInfo::DataSources module.
  • The TZInfo::TransitionDataTimezoneInfo class has been removed and replaced with TZInfo::DataSources::TransitionsDataTimezoneInfo and TZInfo::DataSources::ConstantOffsetDataTimezoneInfo. TZInfo::DataSources::TransitionsDataTimezoneInfo is constructed with an Array of TZInfo::TimezoneTransition instances representing times when the offset changes. TZInfo::DataSources::ConstantOffsetDataTimezoneInfo is constructed with a TZInfo::TimezoneOffset instance representing the offset constantly observed in a time zone.
  • The TZInfo::DataSource#timezone_identifiers method should no longer be overridden in custom data source implementations. The implementation in the base class now calculates a result from TZInfo::DataSource#data_timezone_identifiers and TZInfo::DataSource#linked_timezone_identifiers.
  • The results of the TZInfo::DataSources::RubyDataSource to_s and inspect methods now include the time zone database and tzinfo-data versions.

Removed

  • Methods of TZInfo::Timezone that accept time arguments no longer allow Integer timestamp values. Time, DateTime or TZInfo::Timestamp values or objects that respond to to_i, subsec and optionally utc_offset must be used instead.
  • The %:::z format directive can now only be used with TZInfo::Timezone#strftime if it is supported by Time#strftime on the runtime platform.
  • Using TZInfo::Timezone.new(identifier) and TZInfo::Country.new(code) to obtain a specific TZInfo::Timezone or TZInfo::Country will no longer work. TZInfo::Timezone.get(identifier) and TZInfo::Country.get(code) should be used instead.
  • The TZInfo::TimeOrDateTime class has been removed.
  • The valid_for_utc?, utc_after_start?, utc_before_end?, valid_for_local?, local_after_start? and local_before_end? instance methods of TZInfo::TimezonePeriod have been removed. Comparisons can be performed with the results of the starts_at, ends_at, local_starts_at and local_ends_at methods instead.
  • The to_local and to_utc instance methods of TZInfo::TimezonePeriod and TZInfo::TimezoneOffset have been removed. Conversions should be performed using the TZInfo::Timezone class instead.
  • The TZInfo::TimezonePeriod#utc_total_offset_rational method has been removed. Equivalent information can be obtained using the TZInfo::TimezonePeriod#observed_utc_offset method.
  • The datetime, time, local_end, local_end_time, local_start and local_start_time instance methods of TZInfo::TimezoneTransition have been removed. The at, local_end_at and local_start_at methods should be used instead and the result (a TZInfo::TimestampWithOffset) converted to either a DateTime or Time by calling to_datetime or to_time on the result.
  • The us_zones and us_zone_identifiers class methods of TZInfo::Timezone have been removed. TZInfo::Country.get('US').zones and TZInfo::Country.get('US').zone_identifiers should be used instead.

TZInfo v2.0.0 on RubyGems.org

1.2.11

  • Eliminate Object#untaint deprecation warnings on JRuby 9.4.0.0. #145.

TZInfo v1.2.11 on RubyGems.org

1.2.10

  • Fixed a relative path traversal bug that could cause arbitrary files to be loaded with require when used with RubyDataSource. Please refer to
    GHSA-5cm2-9h8c-rvfx for details. CVE-2022-31163.
  • Ignore the SECURITY file from Arch Linux's tzdata package. #134.
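The 1.2.10 entry above concerns identifiers that were turned into a require path without being validated. The following is an added illustration of the kind of check that closes such a gap; it is my own code, not TZInfo's fix, and DATA_BASE and the ".rb" mapping are assumptions for the example.

```ruby
# Added illustration (not TZInfo's own code): validate a zone identifier
# before it is ever mapped to a file path that will be passed to require.
require 'pathname'

# Real zone identifiers are built from letters, digits, '+', '-' and '_',
# joined by single slashes. A ".." segment, a leading "/", an empty segment
# or a "//" cannot match this pattern, so traversal is rejected up front.
VALID_IDENTIFIER = %r{\A[A-Za-z0-9+\-_]+(/[A-Za-z0-9+\-_]+)*\z}.freeze

# Hypothetical base directory for this illustration only.
DATA_BASE = '/opt/tzdata/definitions'.freeze

def valid_timezone_identifier?(identifier)
  identifier.is_a?(String) && VALID_IDENTIFIER.match?(identifier)
end

# Map a validated identifier to the file that would be required, then
# confirm that the expanded path still lies below DATA_BASE. The second
# check is defence in depth: it stays correct even if the allow-list is
# later loosened.
def definition_path_for(identifier, base = DATA_BASE)
  unless valid_timezone_identifier?(identifier)
    raise ArgumentError, "invalid timezone identifier: #{identifier.inspect}"
  end
  path = File.expand_path("#{identifier}.rb", base)
  unless path.start_with?(base + '/')
    raise ArgumentError, "resolved path escapes #{base}"
  end
  path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: two genuine identifiers, three malformed ones.
  ['Europe/London', 'Etc/GMT+1', '../../other/file', 'America//New_York', ''].each do |id|
    begin
      puts "#{id.inspect} -> #{definition_path_for(id)}"
    rescue ArgumentError => e
      puts "#{id.inspect} rejected: #{e.message}"
    end
  end
end
```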

TZInfo v1.2.10 on RubyGems.org

1.2.9

  • Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

TZInfo v1.2.9 on RubyGems.org

1.2.8

  • Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used to calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
  • Rubinius is no longer supported.

TZInfo v1.2.8 on RubyGems.org


Commits

See the full diff on Github. The new version differs by more commits than we can show here.

โ†—๏ธ unicode-display_width (indirect, 1.7.0 โ†’ 1.8.0) ยท Repo ยท Changelog

Release Notes

1.8.0 (from changelog)

  • Unicode 14.0 (last release of 1.x)


Commits

See the full diff on Github. The new version differs by 4 commits:

โ†—๏ธ yell (indirect, 2.2.0 โ†’ 2.2.2) ยท Repo

Sorry, we couldnโ€™t find anything useful about this release.

โ†—๏ธ zeitwerk (indirect, 2.4.0 โ†’ 2.7.3) ยท Repo ยท Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 Ascii85 (added, 2.0.1)

🆕 afm (added, 1.0.0)

🆕 async (added, 2.34.0)

🆕 base64 (added, 0.3.0)

🆕 bigdecimal (added, 3.3.1)

🆕 connection_pool (added, 2.5.4)

🆕 console (added, 1.34.2)

🆕 csv (added, 3.3.5)

🆕 drb (added, 2.2.3)

🆕 faraday-net_http (added, 3.4.1)

🆕 fiber-annotation (added, 0.2.0)

🆕 fiber-local (added, 1.1.0)

🆕 fiber-storage (added, 1.0.1)

🆕 hashery (added, 2.1.2)

🆕 io-event (added, 1.14.0)

🆕 jekyll-include-cache (added, 0.2.1)

🆕 json (added, 2.15.2)

🆕 logger (added, 1.7.0)

🆕 metrics (added, 0.15.0)

🆕 net-http (added, 0.7.0)

🆕 pdf-reader (added, 2.15.0)

🆕 racc (added, 1.8.1)

🆕 ruby-rc4 (added, 0.1.5)

🆕 securerandom (added, 0.4.1)

🆕 traces (added, 0.18.2)

🆕 ttfunk (added, 1.8.0)

🆕 uri (added, 1.1.1)

🆕 webrick (added, 1.9.1)

🗑️ multipart-post (removed)

🗑️ parallel (removed)

🗑️ ruby-enum (removed)

🗑️ thread_safe (removed)

🗑️ unf (removed)

🗑️ unf_ext (removed)