Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

Too many releases to show here. View the full release notes.

🚨 Active Support Possibly Discloses Locally Encrypted Files

There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5

Impact

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

To work around this issue, you can set your umask to be more restrictive like this:

$ umask 0077

🚨 Active Support Possibly Discloses Locally Encrypted Files

There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5

Impact

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

To work around this issue, you can set your umask to be more restrictive like this:

$ umask 0077

🚨 Possible XSS Security Vulnerability in SafeBuffer#bytesplice

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
This vulnerability has been assigned the CVE identifier CVE-2023-28120.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3

Impact

ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized.
When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe.

Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation.
Users on older versions of Ruby are likely unaffected.

All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.

Workarounds

Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.

🚨 Possible XSS Security Vulnerability in SafeBuffer#bytesplice

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
This vulnerability has been assigned the CVE identifier CVE-2023-28120.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3

Impact

ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized.
When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe.

Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation.
Users on older versions of Ruby are likely unaffected.

All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.

Workarounds

Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.

🚨 ReDoS based DoS vulnerability in Active Support's underscore

There is a possible regular expression based DoS vulnerability in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-22796.

Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem), 6.1.7.1, 7.0.4.1
Impact

A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

This affects String#underscore, ActiveSupport::Inflector.underscore, String#titleize, and any other methods using these.

All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.

Users on Ruby 3.2.0 or greater may be able to reduce the impact by configuring Regexp.timeout.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

6-1-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 6.1 series
7-0-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

🚨 ReDoS based DoS vulnerability in Active Support's underscore

There is a possible regular expression based DoS vulnerability in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-22796.

Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem), 6.1.7.1, 7.0.4.1
Impact

A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

This affects String#underscore, ActiveSupport::Inflector.underscore, String#titleize, and any other methods using these.

All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.

Users on Ruby 3.2.0 or greater may be able to reduce the impact by configuring Regexp.timeout.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

6-1-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 6.1 series
7-0-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 5 commits:

• Preparing for 8.1.1 release
• Merge pull request #56008 from chaadow/fix_nesting_loop_rails
• Merge pull request #55973 from rails/fix-ci
• Require 'rails' at the top of railltie files to ensure Rails is loaded first
• Merge pull request #55962 from coderhs/patch-1

🚨 Regular Expression Denial of Service in Addressable templates

Impact

Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.

Patches

The vulnerability was introduced in version 2.3.0 (previously yanked) and has been present in all subsequent versions up to, and including, 2.7.0. It is fixed in version 2.8.0.

Workarounds

The vulnerability can be avoided by only creating Template objects from trusted sources that have been validated not to produce catastrophic backtracking.

References

• https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS
• https://cwe.mitre.org/data/definitions/1333.html
• https://www.regular-expressions.info/catastrophic.html

For more information

If you have any questions or comments about this advisory:

• Open an issue

2.8.7 (from changelog)

• Allow public_suffix 6 (#535)

2.8.6 (from changelog)

• Memoize regexps for common character classes (#524)

2.8.5 (from changelog)

• Fix thread safety issue with encoding tables (#515)
• Define URI::NONE as a module to avoid serialization issues (#509)
• Fix YAML serialization (#508)

2.8.4 (from changelog)

• Restore Addressable::IDNA.unicode_normalize_kc as a deprecated method (#504)

2.8.3 (from changelog)

• Fix template expand level 2 hash support for non-string objects (#499, #498)

2.8.2 (from changelog)

• Improve cache hits and JIT friendliness (#486)
• Improve code style and test coverage (#482)
• Ensure reset of deferred validation (#481)
• Resolve normalization differences between IDNA::Native and IDNA::Pure (#408, #492)
• Remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438) (accidentally reverted by #449 merge but added back in #492)

2.8.1 (from changelog)

• refactor Addressable::URI.normalize_path to address linter offenses (#430)
• remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438)
• update gemspec to reflect supported Ruby versions (#466, #464, #463)
• compatibility w/ public_suffix 5.x (#466, #465, #460)
• fixes "invalid byte sequence in UTF-8" exception when unencoding URLs containing non UTF-8 characters (#459)
• Ractor compatibility (#449)
• use the whole string instead of a single line for template match (#431)
• force UTF-8 encoding only if needed (#341)

2.8.0 (from changelog)

• fixes ReDoS vulnerability in Addressable::Template#match
• no longer replaces + with spaces in queries for non-http(s) schemes
• fixed encoding ipv6 literals
• the :compacted flag for normalized_query now dedupes parameters
• fix broken escape_component alias
• dropping support for Ruby 2.0 and 2.1
• adding Ruby 3.0 compatibility for development tasks
• drop support for rack-mount and remove Addressable::Template#generate
• performance improvements
• switch CI/CD to GitHub Actions

Does any of this look wrong? Please let us know.

🚨 Several quadratic complexity bugs may lead to denial of service in Commonmarker

Impact

Several quadratic complexity bugs in commonmarker's underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

• CVE-2023-37463

For more information, consult the release notes for version 0.29.0.gfm.12.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.10.

🚨 Commonmarker vulnerable to to several quadratic complexity bugs that may lead to denial of service

Impact

Several quadratic complexity bugs in commonmarker's underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

• CVE-2023-24824
• CVE-2023-26485

For more information, consult the release notes for version 0.23.0.gfm.10 and 0.23.0.gfm.11.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.9.

🚨 Several quadratic complexity bugs may lead to denial of service in Commonmarker

Impact

Several quadratic complexity bugs in commonmarker's underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

• CVE-2023-22483
• CVE-2023-22484
• CVE-2023-22485
• CVE-2023-22486

For more information, consult the release notes for version 0.23.0.gfm.7.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.7.

🚨 Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service

Impact

CommonMarker uses cmark-gfm for rendering Github Flavored Markdown. A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.

Patches

This vulnerability has been patched in the following CommonMarker release:

• v0.23.6

Workarounds

Disable use of the autolink extension.

References

#190
GHSA-cgh3-p57x-9q7q
https://en.wikipedia.org/wiki/Time_complexity

For more information

If you have any questions or comments about this advisory:

• Open an issue in github/cmark-gfm

Acknowledgements

We would like to thank Legit Security for reporting this vulnerability.

🚨 Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption

Impact

CommonMarker uses cmark-gfm for rendering Github Flavored Markdown. An integer overflow in cmark-gfm's table row parsing may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution.

If affected versions of CommonMarker are used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE).

Patches

This vulnerability has been patched in the following CommonMarker release:

• v0.23.4

Workarounds

The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling any use of the table extension will prevent this vulnerability from being triggered.

References

• GHSA-mc3g-88wq-6f4x

Acknowledgements

We would like to thank Felix Wilhelm of Google's Project Zero for reporting this vulnerability

For more information

If you have any questions or comments about this advisory:

• Open an issue in CommonMarker

0.23.12

Full Changelog: v0.23.11...v0.23.12

0.23.11

What's Changed

• [0.x] Fix memory leaks of string buffers by @jhawthorn in #320

New Contributors

• @jhawthorn made their first contribution in #320

Full Changelog: v0.23.10...v0.23.11

0.23.10

What's Changed

• Update to 0.29.0.gfm.13 by @anticomputer in #247

Full Changelog: v0.23.9...v0.23.10

0.23.9

What's Changed

• Update to 0.29.0.gfm.11 by @anticomputer in #236

Full Changelog: v0.23.8...v0.23.9

0.23.8

What's Changed

• Update cmark-upstream to 0.29.0.gfm.9 by @smockle in #227

New Contributors

• @smockle made their first contribution in #227

Full Changelog: v0.23.7...v0.23.8

0.23.7

What's Changed

• C API stable test by @gjtorikian in #201
• Update to 29.0.gfm.7 by @anticomputer in #224

Full Changelog: v0.23.6...v0.23.7

0.23.6

What's Changed

This release includes two updates from the upstream cmark-gfm library, namely:

• DoS vulnerability in autolink extension per GHSA-cgh3-p57x-9q7q
• Added xmpp: and mailto: support to the autolink extension

0.22.0

• Drop ruby-enum (#140)

0.21.0

• Add support for tasklist_item_checked=: #116

0.19.0

• Support tasklists: #94
• Indicate the context of a parse/render option error: #97

0.18.0

• Default to being safe: #81

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

1.3.5

What's Changed

• Remove dependency on logger by @eregon in #1062
• Avoid error when member is present on ancestor class by @francesmcmullin in #1068
• Set rake-compiler source and target to Java 8 by @headius in #1071
• chore: fix typos by @chenrui333 in #1076

New Contributors

• @francesmcmullin made their first contribution in #1068
• @chenrui333 made their first contribution in #1076

Full Changelog: v1.3.4...v1.3.5

1.3.4

What's Changed

• Update comment for JRuby variant of processor_count to reality by @meineerde in #1054
• Add Concurrent.cpu_requests that is cgroups aware. by @heka1024 in #1058
• Fix the doc of Concurrent.available_processor_count by @y-yagi in #1059
• Fix the return value of Concurrent.available_processor_count when cpu.cfs_quota_us is -1 by @y-yagi in #1060

New Contributors

• @heka1024 made their first contribution in #1058
• @y-yagi made their first contribution in #1059

Full Changelog: v1.3.3...v1.3.4

1.3.3

What's Changed

• Improve speed for windows Get-CimInstance by @Earlopain in #1053

Full Changelog: v1.3.2...v1.3.3

1.3.2

What's Changed

• Fix method name in CHANGELOG.md by @nertzy in #1049
• Remove dependency on win32ole by @Earlopain in #1051

New Contributors

• @nertzy made their first contribution in #1049
• @Earlopain made their first contribution in #1051

Full Changelog: v1.3.1...v1.3.2

1.3.1

This release is essentially v1.3.0, but with a properly packaged gem. There was an issue publishing v1.3.0 and that gem needed to be yanked to avoid breaking downstream projects. The v1.3.0 changelog is reproduced below.

What's Changed

• Add Concurrent.usable_processor_count that is cgroups aware by @casperisfine in #1038
• Align Java Executor Service behavior for shuttingdown?, shutdown? by @bensheldon in #1042

New Contributors

• @dependabot made their first contribution in #1028
• @kkohrt made their first contribution in #1037

Full Changelog: v1.2.3...v1.3.1

1.2.3

What's Changed

• Fix TimerTask :execution_interval docs by @freemanoid in #994
• Fix TimerTask docs to not refer to #execute as "blocking" by @bensheldon in #996
• Fix TimerTask example output by @bensheldon in #1003
• Fix broken CI due to rake-compiler error on Ruby < 2.6 by @mattbrictson in #1007
• Fix doc typo: yeild → yield by @mattbrictson in #1006
• Fix DaemonThreadFactory - reuse single Java thread factory by @obulkin in #1009
• Fix sporadic failures testing with JRuby by @headius in #1012
• Allow TimerSet to safely handle an executor raising RejectedExecutionError by @bensheldon in #999
• Use executor from arg in then_on/rescue_on/chain_on for Promises by @tgwizard in #1005
• Allow TimerTask to be initialized with a specified Executor by @bensheldon in #1000
• Create method ThreadPoolExecutor#active_count to expose the number of threads that are actively executing tasks by @bensheldon in #1002
• Drop dependency on mutex_m by @casperisfine in #1013
• Fix compile error on FreeBSD 14 by @janbiedermann in #1014
• Fix spurious return in Promises#wait_until_resolved by @eregon in #1016
• Remove AtomicReferenceMapBackend and CheapLockable by @eregon in #1018
• Add Ruby 3.3 in CI by @eregon in #1021
• docs: fix typo in throttle docs by @G-Rath in #1024
• docs: update promises grammar by @G-Rath in #1026
• Add TimerTask#interval_type option to configure interval calculation by @bensheldon in #997

New Contributors

• @freemanoid made their first contribution in #994
• @bensheldon made their first contribution in #996
• @mattbrictson made their first contribution in #1007
• @obulkin made their first contribution in #1009
• @headius made their first contribution in #1012
• @tgwizard made their first contribution in #1005
• @janbiedermann made their first contribution in #1014
• @G-Rath made their first contribution in #1024

Full Changelog: v1.2.2...v1.2.3

1.2.2

concurrent-ruby 1.2.2:

• (#993) Fix arguments passed to Concurrent::Map's default_proc.

1.2.1

concurrent-ruby 1.2.1:

• (#990) Add missing require 'fiber' for FiberLocalVar.
• (#989) Optimize Concurrent::Map#[] on CRuby by letting the backing Hash handle the default_proc.

1.2.0

concurrent-ruby 1.2.0:

• (#975) Set the Ruby compatibility version at 2.3
• (#962) Fix ReentrantReadWriteLock to use the same granularity for locals as for Mutex it uses.
• (#983) Add FiberLocalVar
• (#934) concurrent-ruby now supports requiring individual classes (public classes listed in the docs), e.g., require 'concurrent/map'
• (#976) Let Promises.any_fulfilled_future take an Event
• Improve documentation of various classes
• (#972) Remove Rubinius-related code

concurrent-ruby-edge 0.7.0:

• (#975) Set the Ruby compatibility version at 2.3
• (#934) concurrent-ruby now supports requiring individual classes (public classes listed in the docs), e.g., require 'concurrent/map'
• (#972) Remove Rubinius-related code

1.1.10

concurrent-ruby:

• (#951) Set the Ruby compatibility version at 2.2
• (#939, #933) The caller_runs fallback policy no longer blocks reads from the job queue by worker threads
• (#938, #761, #652) You can now explicitly prune_pool a thread pool (Sylvain Joyeux)
• (#937, #757, #670) We switched the Yahoo stock API for demos to Alpha Vantage (Gustavo Caso)
• (#932, #931) We changed how SafeTaskExecutor handles local jump errors (Aaron Jensen)
• (#927) You can use keyword arguments in your initialize when using Async (Matt Larraz)
• (#926, #639) We removed timeout from TimerTask because it wasn't sound, and now it's a no-op with a warning (Jacob Atzen)
• (#919) If you double-lock a re-entrant read-write lock, we promote to locked for writing (zp yuan)
• (#915) monotonic_time now accepts an optional unit parameter, as Ruby's clock_gettime (Jean Boussier)

1.1.9 (from changelog)

concurrent-ruby:

• (#866) Child promise state not set to :pending immediately after #execute when parent has completed
• (#905, #872) Fix RubyNonConcurrentPriorityQueue#delete method
• (2df0337d) Make sure locks are not shared on shared when objects are dup/cloned
• (#900, #906, #796, #847, #911) Fix Concurrent::Set tread-safety issues on CRuby
• (#907) Add new ConcurrentMap backend for TruffleRuby

1.1.8 (from changelog)

• (#885) Fix race condition in TVar for stale reads
• (#884) RubyThreadLocalVar: Do not iterate over hash which might conflict with new pair addition

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

See the full diff on Github. The new version differs by 24 commits:

• v0.5.3
• Merge pull request #156 from fagiani/patch-1
• Merge pull request #159 from JamesVorder/master
• Allow newer versions of http_parser until v1.0.0
• Allow newer versions of http_parser
• Add healthcheck endpoint
• rubyforge_project is deprecated, drop. closes #155
• Merge pull request #149 from pusher-community/delay-pong
• Delay pong responses to reduce number of pings from WebSocket clients sitting in a loop
• Merge pull request #146 from at1as/update-rspec
• test fix
• update rspec to be compatible with latest rake version
• Merge pull request #145 from bkoski/master
• added a 200 OK response at /healthcheck
• Merge pull request #134 from chrismar035/patch-1
• Add license to gemspec
• Merge pull request #132 from patriciomacadden/fix-broken-link
• Fix broken link.
• Added separate licence, closes #124
• Merge pull request #123 from zimbatm/outbound_limit
• Adds an optional :outbound_limit setting
• Record for which reason the connection got aborted
• Merge pull request #107 from janlelis/master
• Added remote_ip method closes #104

0.15.0 (from changelog)

Full Changelog

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

2.8.1

• Wait for STDOUT to be flushed before exiting the node runtime

2.8.0

• Fix Ruby 3.0 compatibility on Windows
• Undefine console, process and other globals. See #43
• Removed the RubyRacer runtime as it is no longer maintained and broken on recent rubies.
• Node runtime look for node before nodejs.

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

4.1.0

What's Changed

• Import Emoji 15.0 characters by @mislav in #261
• Support skin tones for 🧑‍🤝‍🧑 emoji by @mislav in #262

Full Changelog: v4.0.1...v4.1.0

4.0.1

What's Changed

• Fix Ruby 2.6 breakage by @perlun in #255

New Contributors

• @perlun made their first contribution in #255

Full Changelog: v4.0.0...v4.0.1

4.0.0

What's New

Warning
See the v4.0.0.pre0 release notes for the list of breaking changes since gemoji v3.x.

• Add skin tones support by @mislav in #165 ✌🏻✌🏼✌🏽✌🏾✌🏿

  • Emoji.find_by_unicode() now recognizes emoji sequences with skin tone modifiers.
  • Emoji::Character#skin_tones? returns true when an emoji supports skin tone modifiers.
  • Emoji::Character#raw_skin_tone_variants generates a list of all 5 skin tone variants for an emoji.

• Import Emoji 13.0 characters by @chvp in #173

• Import Emoji 13.1 characters by @franciscorode in #209

• Import Emoji 14.0 characters by @kardeslik in #244

What's Changed

• Fix ArgumentError in emoji-test-parser by @JuanitoFatas in #169
• Remove underscore from "piñata" by @PurpleBooth in #182
• Safely transliterate international characters for aliases by @PurpleBooth in #181
• Sort out envelope and email aliases by @jobveldhuis in #185
• Set up CI via GitHub Actions by @mislav in #183 #252
• Touch up emoji integrity tests by @mislav in #253

New Contributors

• @JuanitoFatas made their first contribution in #169
• @chvp made their first contribution in #173
• @PurpleBooth made their first contribution in #182
• @jobveldhuis made their first contribution in #185
• @franciscorode made their first contribution in #209
• @kardeslik made their first contribution in #244

Full Changelog: v4.0.0.pre0...v4.0.0

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

1.18.2

octokit upgrade

1.18.1

• Updates Cloudflare IPs to latest output of script/update-cloudflare-ips
• Add _ domain name validation

1.17.9

What's Changed

• Fix IPv6 support (AAAA records validation) in #140

Full Changelog: v1.17.8...v1.17.9

1.17.8

What's Changed

• Require bundler in script/check to avoid needing to run bundle exec. by @jriggins in #137
• Remove Travis builds by @jriggins in #138
• Add AAAA Support by @jriggins in #136
• Bump version to 1.17.8 by @jriggins in #139

Full Changelog: v1.17.7...v1.17.8

1.17.6

• Query DNS to Determine Apex Domains

1.17.2

Allows for non-200 requests to satisfy served_by_pages? if the response still looks like it was served by GitHub.

1.17.1

Update Cloudflare IPs.

1.17.0

• Fix CI which is broken on master #115 (by @kytrinyx)
• Silence warnings triggered by Ruby 2.7 #116 (by @kytrinyx)
• Update dependencies to be compatible with Ruby 2.7 #117 (by @kytrinyx)
• Update dotenv requirement from ~> 1.0 to ~> 2.7 #120 (dependabot)
• Update gem-release requirement from ~> 0.7 to ~> 2.1 #119 (dependabot)
• Update webmock requirement from ~> 1.21 to ~> 3.8 #118 (dependabot)
• Upgrade to Ruby 2.7 & incorporate a Dockerfile #121 (by @parkr & @MarkTiedemann)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

See the full diff on Github. The new version differs by more commits than we can show here.

See the full diff on Github. The new version differs by 53 commits:

• v0.8.0
• Merge pull request #73 from tmm1/fix-jruby-support
• Revert "CI: Add JRuby"
• spec: Use appropriate encoding to check request_url & status
• Make sure to inject rake task dependencies
• CI: Add JRuby
• Disable test for status on JRuby
• Revert "Add status support to JRuby"
• Merge pull request #74 from tagomoris/make-ractor-safe
• it does not need extreme performance
• check the number of arguments for the safe
• rename the unappropriate name
• update specs about Ractor/kwarg
• add kwarg to avoid specifying (nil, type)
• avoid referring class instance variable if possible
• mark all threads are ractor-safe
• Merge pull request #63 from jcoglan/check-header-value-type
• v0.7.0
• Add bundler/gem_tasks
• Merge pull request #71 from ashie/migrate-ci
• CI: Migrate from Travis CI to GitHub Actions
• Check value passed to set_header_value_type
• Merge pull request #59 from saper/https-submodules
• Use HTTPS to download submodules
• Fix path with spaces
• Merge pull request #54 from fantasticfears/dependency
• Merge branch 'master' into dependency
• Merge pull request #57 from ykzts/http-parser-v2.8.1
• Update http-parser to version 2.8.1
• test modern rubies
• Update dependency
• Merge pull request #42 from robertjpayne/master
• Merge pull request #48 from cosmo0920/follow-rspec-option-changes
• Follow rspec option name change and use long option
• Removed unfinished parse_url support
• Updated spec for status support
• Updated line folder spec as per joyent/http_parser
• Provide better safety around on_status and on_url
• Added statuses to spec responses
• Ensure HTTP parser uses later version
• Add status support to JRuby
• Added support for HTTP status reason
• Merge pull request #41 from robertjpayne/master
• Better handling on upgraded connections
• Updated / added test cases for aborting the parser
• Update rspec development dependency to >= 3
• Ignore Gemfile.lock
• Merge pull request #34 from tmaier/patch-1
• Link to https URIs in README
• Update URIs in gemspec
• Merge pull request #33 from rkh/travis
• update readme
• set up Travis CI

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

3.10.0 (from changelog)

Minor Enhancements

• Backport add-csv-dependency from #9522 to Jekyll 3 (#9616)
• 3.10-stable: Add webrick as a dependency (#9620)

3.9.4

Bug Fixes

• Backport #9392 for v3.9.x: Add support for Ruby 3.3 Logger (#9513)

3.9.3

Bug Fixes

• 3.9.x: Support i18n 1.x (#9269)
• Backport #8880 for v3.9.x: Support both tzinfo v1 and v2 alongwith
  non-half hour offsets (#9280)

Development Fixes

• v3.9.x: test under Ruby 3.2 #9272)
• v3.9.x: fix rdiscount test (#9277)

3.9.2

Bug Fixes

• Lock http_parser.rb gem to v0.6.x on JRuby (#8943)
• Backport #8756 for v3.9.x: Respect collections_dir config within include tag (#8795)
• Backport #8965 for v3.9.x: Fix response header for content served via jekyll serve (#8976)

Development Fixes

• Update and fix CI for 3.9-stable on Ruby 3.x (#8942)
• Fix CI for commits to 3.9-stable branch (#8788)

3.9.1

Bug Fixes

• Backport #8618 for v3.9.x: Update include tag to be more permissive (#8629)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 45 commits:

• Merge pull request #9624 from jekyll/3.10.0-release-ann
• Release Jekyll 3.10.0
• 3.10-stable: Add webrick as a dependency (#9620)
• Backport add-csv-dependency from #9522 to Jekyll 3 (#9616)
• Merge pull request #9551 from jekyll/3.9.5-release-post
• Release v3.9.5
• 3.9-stable: allow Pages to be Excerpted (#9550)
• Release :gem: v3.9.4
• Merge pull request #9513 from jekyll/3.9-stable-backport-9392
• Backport logger-1.4.3 from #9392 to 3.9-stable
• Merge pull request #9514 from jekyll/3.9-stable-update-ci
• Add Ruby 3.3 to Jekyll 3.9.x test matrix
• Merge pull request #9282 from jekyll/release-3-9-3
• Rephrase v3.9.3 release notes.
• Release :gem: v3.9.3
• Backport #8880 for v3.9.x: Support both tzinfo v1 and v2 alongwith non-half hour offsets (#9280)
• Merge pull request #9269 from jekyll/3.9-stable-i18n
• Allow :gem: i18n 1.x to be used
• Merge pull request #9272 from jekyll/3.9-add-ruby-3-2
• v3.9.x: test under Ruby 3.2
• Merge pull request #9277 from jekyll/3.9-fix-rdiscount
• v3.9.x: fix test for the latest version of rdiscount
• Merge pull request #9012 from jekyll/3-9-2
• 3.9.2 release post: fix time and mention adding webrick to gemfile
• Release Jekyll v3.9.2
• Update history to reflect merge of #8976 [ci skip]
• Merge pull request #8976 from jekyll/3.9-stable-backport-8965
• Fix response header for content served via `jekyll serve` (#8965)
• Bypass corrupted bundle-cache
• Update history to reflect merge of #8942 [ci skip]
• Update and fix CI for `3.9-stable` on Ruby 3.x (#8942)
• Update history to reflect merge of #8943 [ci skip]
• Lock `http_parser.rb` gem to `v0.6.x` on JRuby (#8943)
• Update history to reflect merge of #8795 [ci skip]
• Merge pull request #8795 from ashmaroli/3.9-stable-backport-8756
• Backport #8756 to 3.9-stable
• Update History.markdown [ci skip]
• Merge pull request #8788 from ashmaroli/ci-for-3.9-stable
• Fix CI for commits to `3.9-stable` branch
• Release :gem: 3.9.1
• Merge pull request #8631 from jekyll/3.9-stable-3-9-1-release-post
• Release post for v3.9.1
• Remove calls to Regexp#freeze as it's an immutable object.
• Merge pull request #8629 from jekyll/3.9-stable-backport-8618
• Backport update-include-tag-to-be-more-permissive from #8618 to 3.9-stable

0.8.0

0.8.0 / 2022-04-15

Minor Enhancements

• Use Kernel#format to render <img /> HTML tag (#46)
• Check if username and size matches a pattern once (#48)

Bug Fixes

• Reduce allocations from computing username (#44)
• Stringify keys of :attributes hash (#42)
• Parse tag markup once per instance (#40)
• Compute :srcset with an array of integer strings (#43)
• Assign string values for attributes (#47)
• Parse only custom-host provided through ENV (#45)

Development Fixes

• Profile memory usage from rendering avatars (#41)
• Bundle only relevant files in the gem (#50)
• Upgrade to GitHub-native Dependabot (#52)
• Remove redundant specifications (#56)
• Improve context in workflow job names (#57)
• Remove @benbalter-specific community health files (#58)
• Update gem specification (#60)
• Add workflow to release gem via GH Actions (#63)

Documentation

• Fix typo in README.md (#62)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

1.2.2

Bug Fixes

• Revert jekyll to be just a development_dependency for v1.x.x series.

1.2.1

Bug Fixes

• Re-introduce Ruby 2.3 support and test Jekyll 3.7+ (#33)

1.2.0

Development Fixes

• Require Ruby 2.3 (#27)

Major Enhancements

• style: Target Ruby 2.4 (#31)

Documentation

• Add essential step to readme (#32)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 26 commits:

• Release :gem: v1.2.2
• `jekyll` can't be a runtime_dependency in v1.x
• Release: v1.2.1
• Update history to reflect merge of #33 [ci skip]
• Re-introduce Ruby 2.3 support and test Jekyll 3.7+ (#33)
• Update History
• Release: v1.2.0
• chore (ci): remove deprecated `sudo: false` in .travis.yml
• Update history to reflect merge of #32 [ci skip]
• Add essential step to readme (#32)
• Update history to reflect merge of #31 [ci skip]
• style: Target Ruby 2.4 (#31)
• chore(ci): test against oldest and newest ruby versions only
• style: auto-gen-only-exclude
• style: safe-auto-correct
• chore(deps): jekyll-rubocop 0.4
• chore(deps): pessimistic version constraint
• style: remove useless declarations
• chore(deps): rubocop-jekyll 0.3.0
• chore(deps): bump coffee-script-source
• chore(deps): bump rubocop-jekyll
• Update README.md
• Lint with rubocop-jekyll
• Rubocop ~> 0.57.2
• Update history to reflect merge of #27 [ci skip]
• Require Ruby 2.3 (#27)

1.4.0

Minor Enhancements

• Require at least commonmarker-0.22 (#44)
• Highlight fenced code-block contents with Rouge (#29)

Bug Fixes

• Refactor away extra abstractions (#53)

Development Fixes

• DRY begin-rescue-end block with a private helper (#28)
• Fix failing CI builds (#33)
• Remove gemspec dependency on Jekyll (#34)
• Test rendering with invalid configuration (#27)
• Refactor to improve readability (#37)
• Set up Continuous Integration via GH Actions (#46)
• Clean up gemspec (#47)
• Add workflow to release gem via GH Actions (#54)

Documentation

• Update README to link to commonmarker (#38)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 42 commits:

• Release :gem: v1.4.0
• Update history to reflect merge of #54 [ci skip]
• Add workflow to release gem via GH Actions (#54)
• Update history to reflect merge of #53 [ci skip]
• Refactor away extra abstractions (#53)
• Update history to reflect merge of #47 [ci skip]
• Clean up gemspec (#47)
• Test gem build and gem install via GH Actions CI
• Fix interpolation in workflow `job.name`
• `matrix.include` should be `array` not `object`
• Update history to reflect merge of #46 [ci skip]
• Set up Continuous Integration via GH Actions (#46)
• Update history to reflect merge of #44 [ci skip]
• Merge pull request #44 from jekyll/support-cm-022
• Bump required minimum Ruby version to Ruby 2.6
• Require at least commonmarker-0.22
• chore(ci): test against latest versions
• Update history to reflect merge of #38 [ci skip]
• Update README to link to commonmarker (#38)
• Update history to reflect merge of #37 [ci skip]
• Refactor to improve readability (#37)
• Update history to reflect merge of #27 [ci skip]
• Test rendering with invalid configuration (#27)
• Merge pull request #35 from torrocus/master
• feat: Remove Ruby 2.3 from AppVeyor configuration (end support for Ruby 2.3 EOL)
• docs: Remove gemnasium badge (no longer available)
• chore(ci): test Ruby 2.7
• feat: end support for Ruby 2.3 EOL
• chore(ci): test current stable versions
• chore: test latest rubocop
• chore: ignore vendor/bundle
• chore(dev): simplify require for version
• Update history to reflect merge of #34 [ci skip]
• Merge pull request #34 from ashmaroli/remove-jekyll-dependency
• Update jekyll-commonmark.gemspec
• Remove gemspec dependency on Jekyll
• Update history to reflect merge of #33 [ci skip]
• Fix failing CI builds (#33)
• Update history to reflect merge of #28 [ci skip]
• DRY begin-rescue-end block with a private helper (#28)
• Update history to reflect merge of #29 [ci skip]
• Highlight fenced code-block contents with Rouge (#29)

0.5.1

What's Changed

• Loosen dependency to allow Jekyll < 4 by @yoannchaudet in #36

Full Changelog: v0.5.0...v0.5.1

0.5.0

What's Changed

• Remove garbage on unknown lang by @kou in #19
• Update commonmarker to 0.23.6 by @anticomputer in #23
• Bump version by @yoannchaudet in #24
• Add Dependabot config for Bundler and Actions usage by @JamesMGreene in #25
• Update rouge requirement from >= 2.0, < 4.0 to >= 2.0, < 5.0 by @dependabot in #26
• Security update: bump commonmarker to 0.23.7 by @anticomputer in #28
• Create pages-gem.yml by @tsusdere in #34
• Bump actions/checkout from 3 to 4 by @dependabot in #29
• Update commonmarker requirement from ~> 0.23.7 to >= 0.23.7, < 1.1.0 by @dependabot in #33
• Prep 0.5 release by @yoannchaudet in #35

New Contributors

• @kou made their first contribution in #19
• @anticomputer made their first contribution in #23
• @JamesMGreene made their first contribution in #25
• @dependabot made their first contribution in #26
• @tsusdere made their first contribution in #34

Full Changelog: v0.2.0...v0.5.0

0.2.0

What's Changed

• Bump commonmarker to the latest version by @yoannchaudet in #21

New Contributors

• @yoannchaudet made their first contribution in #21

Full Changelog: v0.1.6...v0.2.0

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 39 commits:

• Merge pull request #36 from github/loose
• Loosen dependency to allow Jekyll < 4
• Merge pull request #35 from github/bump-0.5
• Prep 0.5 release
• Merge pull request #33 from github/dependabot/bundler/commonmarker-gte-0.23.7-and-lt-1.1.0
• Merge branch 'master' into dependabot/bundler/commonmarker-gte-0.23.7-and-lt-1.1.0
• Merge pull request #29 from github/dependabot/github_actions/actions/checkout-4
• Merge pull request #34 from github/publish-gem
• Update pages-gem.yml
• Update pages-gem.yml
• Create pages-gem.yml
• Update commonmarker requirement from ~> 0.23.7 to >= 0.23.7, < 1.1.0
• Bump actions/checkout from 3 to 4
• Merge pull request #28 from github/anticomputer-patch-1
• Bump gem
• Merge branch 'master' into anticomputer-patch-1
• Merge pull request #26 from github/dependabot/bundler/rouge-gte-2.0-and-lt-5.0
• Security update: bump commonmarker to 0.23.7
• Update rouge requirement from >= 2.0, < 4.0 to >= 2.0, < 5.0
• Merge pull request #25 from github/dependabot-config
• Add Dependabot config for Bundler and Actions usage
• Merge pull request #24 from github/bump
• Bump version
• Merge pull request #23 from github/anticomputer-commonmarker-0236
• Merge pull request #19 from kou/remove-garabage-on-unknown-lang
• Update commonmarker to 0.23.6
• Merge pull request #21 from github/bump-commonmarker
• Also bump jekyll-commonmark
• Remove old CI
• Drop 2.5 and update rubygems
• Update actions
• Remove Ruby 2.5
• Add file
• More tweaks
• Install bundler in the ci
• Install dependencies
• Add draft ci
• Bump commonmarker to the latest
• Remove garbage on unknown lang

0.1.5

• Allow Jekyll 4.x dependency range (#12) @SUPERCILEX
• update documentation for Jekyll 3.5.0+ (#9) @kenman345
• Appease Rubocop 0.51 (#6) @DirtyF
• Update copyright notice (#8) @DirtyF
• CI: test against Ruby 2.4 (#7) @DirtyF

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

0.17.0

Documentation

• Update CI status badge (#363)

Development Fixes

• Add Ruby 3.1 to the CI matrix (#365)

Minor Enhancements

• Allow disabling of jekyll-feed while in development (#370)

0.16.0

Minor Enhancements

• Add support for page.description in front matter to become entry <summary> (#297)

Bug Fixes

• Fold private methods into the :render method as local variables (#327)
• Check post.categories instead of post.category (#357)
• Switched xml_escape for <![CDATA[]]> for post content (#332)

Development Fixes

• Add Ruby 3.0 to CI (#337)
• Lock RuboCop to v1.18.x (#348)
• Add workflow to release gem via GH Action (#355)

Documentation

• Use .atom extension in documented examples since we write an Atom feed (#359)

0.15.1

Bug Fixes

• MetaTag: when encoding for XML special characters, handle non-string objects (#326)

0.15.0

Minor Enhancements

• Add support for drafts (#316)

0.14.0

Minor Enhancements

• add support for categories (#153) (#233)
• add support for tags (#264)
• Make posts limit configurable (#314)
• XML escape the title field of feed_meta (#306)

Bug Fixes

• Fix feed link when post title contains HTML (#305)

Development Fixes

• Use Dir to list source files (#309)
• Require Ruby >=2.4.0 (#307)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 61 commits:

• Release :gem: v0.17.0
• Update history to reflect merge of #370 [ci skip]
• Allow disabling of jekyll-feed while in development (#370)
• Update history to reflect merge of #365 [ci skip]
• Add Ruby 3.1 to the CI matrix (#365)
• Update history to reflect merge of #363 [ci skip]
• Update CI status badge (#363)
• Release :gem: v0.16.0
• Improve readability of entries in History document
• Update history to reflect merge of #359 [ci skip]
• Use .atom extension since we write an Atom feed (#359)
• Update history to reflect merge of #332 [ci skip]
• Switched xml_escape for <![CDATA[]]> for post content (#332)
• Update history to reflect merge of #357 [ci skip]
• Check `post.categories` instead of `post.category` (#357)
• Update history to reflect merge of #355 [ci skip]
• Add workflow to release gem via GH Action (#355)
• Remove redundant CI entries
• Update history to reflect merge of #297 [ci skip]
• Add support for description in front matter (#297)
• Update history to reflect merge of #327 [ci skip]
• Fold private methods into the `:render` method as local variables (#327)
• Update history to reflect merge of #348 [ci skip]
• Lock RuboCop to v1.18.x (#348)
• Update history to reflect merge of #337 [ci skip]
• Add Ruby 3.0 to CI (#337)
• chore(ci): start simple
• fix: rss required by Ruby 3.0
• chore(ci): bundler
• fix: ruby-version 💎
• chore(ci): Test with GitHub Actions
• chore(ci): test against latest versions
• Release :gem: v0.15.1
• Update history to reflect merge of #326 [ci skip]
• MetaTag: when encoding for XML special characters, handle non-string objects (#326)
• docs: typo
• docs: style feed
• Conditionally load GFM parser in CI builds
• chore(release): :gem: 0.15.0
• Update history to reflect merge of #316 [ci skip]
• Add support to drafts (#316)
• chore(release): :gem: 0.14.0
• style: target Ruby 2.4
• Update history to reflect merge of #153 [ci skip]
• add support for categories frontmatter (#153)
• Update history to reflect merge of #264 [ci skip]
• Feed by tag (#264)
• Update history to reflect merge of #307 [ci skip]
• chore(deps): require Ruby >=2.4.0 (#307)
• Update history to reflect merge of #233 [ci skip]
• Dont forget about categories (#233)
• Update history to reflect merge of #314 [ci skip]
• Make posts limit configurable (#314)
• Update history to reflect merge of #309 [ci skip]
• chore: use Dir class to list files (#309)
• Update history to reflect merge of #306 [ci skip]
• XML escape the title field of feed_meta (#306)
• chore(deps): bump Ruby versions
• Update history to reflect merge of #305 [ci skip]
• Fix generation of feed when post title contains HTML (#305)
• chore(dev): simplify require for version

2.16.1

Bug Fixes

• Update references of help.github.com to docs.github.com (#260)

2.16.0

Minor Enhancements

• Update octokit requirement from ~> 4.0, != 4.4.0 to >= 4, != 4.4.0, < 7 (#243)
• Prevent loading all GH data on reset (#245)
• Deprecate unnecessary constant in GitHubMetadata::Client (#239)

Development Fixes

• Update rspec requirement from ~> 3.11.0 to ~> 3.12.0 (#244)
• Bump Ruby versions in AppVeyor jobs (#253)
• Bump rubocop-jekyll to 0.13.0 and fix rubocop issues (#252)

2.15.0

Bug Fixes

• Inject site.github via :pre_render step rather than :after_init (#238)

Documentation

• Add GitHub Actions badge and remove Travis one (#236)

2.14.0

Minor Enhancements

• Use owner name as site title for User and Organization sites. (#197)
• Add site.github.public_repositories[].releases (#224)
• Add site.github.public_repositories[].contributors (#234)

Documentation

• docs: Add dev docs (#212)
• set PAGES_GITHUB_HOSTNAME to hostname without protocol (#191)
• Add JEKYLL_ENV limitation for git remote (#185)

Development Fixes

• Restore log level after running tests that modify it. (#202)
• Add GitHub Actions CI (#211)
• Update rubocop-jekyll requirement from ~> 0.5.0 to ~> 0.12.0 (#226)
• Create dependabot.yml (#225)
• Add rubocop todo file (#230)
• Upgrade rspec to 3.11.x (#231)
• CI: use 'main' branch instead of 'master' (#232)
• Add release workflow (#235)

New Contributors

• @lardieri made their first contribution in #200
• @MichaelCurrin made their first contribution in #212
• @dependabot made their first contribution in #226
• @Shegox made their first contribution in #191
• @9bow made their first contribution in #234
• @at-ishikawa made their first contribution in #185

Full Changelog: v2.13.0...v2.14.0

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 66 commits:

• Merge pull request #270 from jekyll/release-2-16-1
• Release :gem: v2.16.1
• Update history to reflect merge of #260 [ci skip]
• Update references of help.github.com to docs.github.com (#260)
• Release :gem: v2.16.0 (#255)
• Update history to reflect merge of #239 [ci skip]
• Deprecate unnecessary constant in `GitHubMetadata::Client` (#239)
• Update history to reflect merge of #252 [ci skip]
• Bump rubocop-jekyll to 0.13.0 and fix rubocop issues (#252)
• Update history to reflect merge of #253 [ci skip]
• Bump Ruby versions in AppVeyor jobs (#253)
• Run GH Actions CI on Ubuntu only [skip appveyor]
• Update history to reflect merge of #245 [ci skip]
• Prevent loading all GH data on reset (#245)
• Update history to reflect merge of #243 [ci skip]
• Update octokit requirement from ~> 4.0, != 4.4.0 to >= 4, != 4.4.0, < 7 (#243)
• Update history to reflect merge of #244 [ci skip]
• Update rspec requirement from ~> 3.11.0 to ~> 3.12.0 (#244)
• Merge pull request #247 from jekyll/dependabot/github_actions/actions/checkout-3
• Add Ruby 3.1 and 3.2 to CI matrix
• Bump actions/checkout from 2 to 3
• Add GitHub Actions to Dependabot
• Release :gem: v2.15.0
• Update history to reflect merge of #238 [ci skip]
• Inject `site.github` via `:pre_render` step rather than `:after_init` (#238)
• Remove appveyor Ruby 2.4 test
• script/test-site: pass on extra arguments
• Add webrick when using Ruby 3
• yml -> yaml :)
• Update history to reflect merge of #236 [ci skip]
• Add GitHub Actions badge and remove Travis one (#236)
• Release :gem: v2.14.0
• Add release workflow (#235)
• Fix indentation rubocop violation
• Add JEKYLL_ENV limitation for git remote (#185)
• Add site.github.public_repositories[].contributors (#234)
• Add site.github.public_repositories[].releases (#224)
• set PAGES_GITHUB_HOSTNAME to hostname without protocol (#191)
• Update webmock requirement from ~> 2.0 to ~> 3.14 (#229)
• Update History to reflect recent changes
• Merge pull request #231 from jekyll/rspec-upgrade
• Stop passing procs to expect – rspec now prefers blocks
• Use Ruby 3.0, not Ruby 3
• Upgrade rspec to 3.11.x
• Merge pull request #232 from jekyll/sub-master-for-main
• CI: use 'main' branch instead of 'master'
• Merge pull request #230 from jekyll/rubocop-todo
• Add rubocop todo file
• Merge pull request #226 from jekyll/dependabot/bundler/rubocop-jekyll-tw-0.12.0
• Bump target ruby version to 2.5
• Update rubocop-jekyll requirement from ~> 0.5.0 to ~> 0.12.0
• Merge pull request #225 from jekyll/parkr-patch-1
• Create dependabot.yml
• Update history to reflect merge of #212 [ci skip]
• docs: Add dev docs (#212)
• Remove comma after last argument to method calls
• AppVeyor no longer builds with Ruby 2.3
• Update history to reflect merge of #197 [ci skip]
• Use owner name as site title for User and Organization sites. (#197)
• Update history to reflect merge of #211 [ci skip]
• Add GitHub Actions CI (#211)
• Update history to reflect merge of #202 [ci skip]
• Restore log level after running tests that modify it. (#202)
• Merge pull request #200 from lardieri/issue-199
• Resolve jekyll/github-metadata#199 - Git-ignore the Jekyll cache.
• Git-ignore the Jekyll cache.

1.6.0

Minor Enhancements

• Allow configuring base URL in page front matter (#72)
• Incorporate document data only if it has override (#73)

Development Fixes

• ci: test against Jekyll 4.0
• style: target Ruby 2.4
• ignore vendor/bundle

Bug Fixes

• Support handling body tag across multiple lines (#70)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 11 commits:

• chore(release): v1.6.0 :gem:
• style: target Ruby 2.4
• chore: ignore vendor/bundle
• chore(ci): use latest versions
• Update history to reflect merge of #73 [ci skip]
• Incorporate document data only if it has override (#73)
• Update history to reflect merge of #70 [ci skip]
• Support handling body tag across multiple lines (#70)
• Update history to reflect merge of #72 [ci skip]
• Allow configuring base URL in page front matter (#72)
• Enable Layout/IndentFirstArgument Cop

0.16.0

Minor Enhancements

• Allows generation of redirects.json to be disabled (#207)
• Allow redirects from and for subclasses of page and document (#204)

Bug Fixes

• Use Hash#key? instead of Hash#keys.any? (#201)

Development Fixes

• Target Ruby 2.4
• Stop testing with backwards-compatible site config (#211)

Documentation

• Simplifies YAML for redirect_to (#185)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 13 commits:

• chore(release): :gem: v0.16.0
• chore(deps): target Ruby 2.4
• chore: ignore vendor/bundle
• Update history to reflect merge of #204 [ci skip]
• Allow redirects from and for subclasses of page and document (#204)
• Update history to reflect merge of #207 [ci skip]
• Allows generation of redirects.json to be disabled (#207)
• Update history to reflect merge of #211 [ci skip]
• Stop testing with backwards-compatible site config (#211)
• Update history to reflect merge of #201 [ci skip]
• Use `Hash#key?` instead of `Hash#keys.any?` (#201)
• Update history to reflect merge of #185 [ci skip]
• Simplifies YAML for redirect_to (#185)

0.4.3

• Updated to use HEAD instead of master as default branch (#87) @IanLee1521
• Added extra context to error message when remote theme download fails (#85) @IanLee1521
• Require kramdown-parser-gfm to fix travis (#86) @benbalter
• Fixes #76 (#77) @orchardcc

0.4.2

Jekyll 4.0 support (#61)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 19 commits:

• Bump jekyll-remote-theme to 0.4.3
• Merge pull request #87 from IanLee1521/default-branch-head
• Updated README to denote that HEAD is a ref, not a branch
• Updated to use HEAD instead of master as default branch
• Merge pull request #85 from IanLee1521/better-msg-on-download-error
• Updated 404 message in test case
• Merge branch 'master' into better-msg-on-download-error
• Merge pull request #86 from benbalter/travis-fix
• require kramdown-parser-gfm to fix travis
• Added extra context to error message when remote theme download fails
• Merge pull request #77 from orchardcc/fix-76
• Fixes #76
• Bump jekyll-remote-theme to 0.4.2
• Merge pull request #61 from benbalter/jekyll-4-0
• just use ruby 2.5
• use released primer version
• clean up
• Merge branch 'master' into jekyll-4-0
• bump rubocop version

2.8.0

Minor Enhancements

• Allow to set type for author (#427)
• Allow setting author.url (#453)
• Implement Facebook domain verification (#455)
• Add og:image:alt and twitter:image:alt (#438)
• Sort JSON-LD data by key (#458)

Bug Fixes

• Set the default og:type to 'website' (#391)
• Template: Remove double new line (#454)

Development Fixes

• Fix typo in source code comment (#449)
• Set up Continuous Integration via GH Actions (#450)
• Bump RuboCop to v1.18.x (#452)
• Add workflow to release gem via GH Actions

2.7.1

Development Fixes

• refactor: mutate site payload instead of duplicating it (#419)

2.7.0

Minor Enhancements

• Change pagination message with seo_paginator_message option (#324)
• Make Twitter Summary Card without having Twitter account (#284)
• Prefer site.tagline to site.description for page title (#356)
• Render og:locale meta only when defined explicitly (#388)

Bug Fixes

• Ensure a single leading @ for twitter usernames (#367)

Development Fixes

• chore(deps): require Ruby > 2.4.0 EOL
• test: fix locale specs that use the fallback locale (#360)
• refactor: Replace read-only empty hash with private constant (#418)
• refactor: Mutate hash literals instead of duplicating them (#417)
• refactor: Reduce allocations of instance-agnostic objects (#376)
• refactor: Memoize #author_hash in SeoTag::AuthorDrop (#342)
• refactor: simplify conditional in SeoTag::Drop#date_modified (#343)
• chore(ci): profile seo-tag plugin on a third-party repository (#414)
• chore(ci): Jekyll v4.0 (#372)
• chore(ci): test against current stable Ruby 2.5 and 2.7 (#385)
• style: align with latest jekyll-rubocop (#382)
• fix: Travis builds for Jekyll 3.x (#415)

Documentation

• Structured Data Testing Tool is deprecated (#409)
• Rename Google webmaster tools to Google Search Console (#403)
• Improve documentation on plugin usage (#399)
• remove Google+ from example snippet (#358)
• HTTPS link to https://ogp.me/ (#359)
• HTTPS links to schema.org (#350)
• use example.com for example URL (#351)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

0.2.0

• Add head-custom.html to allow easier customization of the <head> #48

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 26 commits:

• Merge pull request #48 from pages-themes/head-custom
• Update head-custom.html
• Update head-custom.html
• Add head-custom.html to allow easier customization of the <head>
• Merge pull request #47 from pages-themes/repo-name-scss
• Replace _sass/architect.scss with a simple import
• Add _sass/architect.scss to allow importing with theme name while using jekyll-remote-theme
• Update README.md
• Fix cibuild and remove .jekyll-cache
• Fix rubocop to work with vendor/ gems
• Update .github/workflows/ci.yaml
• Rely on rubocop-github for Ruby formatting
• Update .github/settings.yml
• Update .github/workflows/ci.yaml
• Create .github/workflows/ci.yaml
• Update docs/CONTRIBUTING.md
• Update docs/SUPPORT.md
• Update .github/config.yml
• Fix linting errors & fix GitHub asset URL
• Ruby 2.6 & some frozen_string_literal comments
• lessen Jekyll dependency
• Merge pull request #29 from coliff/patch-1
• Fix html5shiv link
• bump ruby version in .travis.yml to 2.5ma
• Merge pull request #22 from askadu/hotfix-css
• Fixes #21

0.2.0

• Add head-custom.html to allow easier customization of the <head> #133

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 45 commits:

• Merge pull request #133 from pages-themes/head-custom
• Update head-custom.html
• Add head-custom.html to allow easier customization of the <head>
• Merge pull request #132 from pages-themes/repo-name-scss
• Fix CI error
• Add _sass/cayman.scss to allow importing with theme name while using jekyll-remote-theme
• Update README.md
• Allow script/cibuild to be executed
• Remove .jekyll-cache and fix script/cibuild
• Fix rubocop to work with vendor/ gems
• Update .github/workflows/ci.yaml
• Rely on rubocop-github for Ruby formatting
• Update .github/settings.yml
• Update .github/workflows/ci.yaml
• Merge pull request #101 from ogonkov/patch-1
• Fix param
• Add Google Fonts url to ignore
• Add Google fonts CSS preloading
• Use `font-display: swap`
• Create .github/workflows/ci.yaml
• Update docs/CONTRIBUTING.md
• Update docs/SUPPORT.md
• Update .github/config.yml
• Fix linting errors & fix GitHub asset URL
• lessen Jekyll dependency
• Merge pull request #64 from iBug/per-page-title
• Add demo in `another-page.md`
• Allow per-page title and description with Front Matter
• Merge pull request #63 from gebeto/patch-1
• Merge branch 'master' into patch-1
• bump ruby version in .travis.yml to 2.5ma
• Added GitHub `kbd` styles
• Merge pull request #59 from theryangeary/master
• Correct 'one' to 'once'
• Merge pull request #49 from secumod/master
• Move Google analytics code to the top of <head>
• Upgrade from analytics.js to gtag.js.
• Merge pull request #43 from sjparkinson/master
• Revert "Upgrade from analytics.js to gtag.js."
• Revert "Upgrade normalise.css from v3.0.2 to v8.0.0."
• Move gtag.js into the <head>.
• Convert to header, and main semantic elements.
• Add apple-mobile-web-app-status-bar-style meta tag.
• Upgrade normalise.css from v3.0.2 to v8.0.0.
• Upgrade from analytics.js to gtag.js.

0.2.0

• Add head-custom.html to allow easier customization of the <head> #22

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 21 commits:

• Update README.md
• Merge pull request #22 from pages-themes/head-custom
• Update head-custom.html
• Add head-custom.html to allow easier customization of the <head>
• Merge pull request #21 from pages-themes/repo-name-scss
• Add _sass/dinky.scss to allow importing with theme name while using jekyll-remote-theme
• Update README.md
• Allow script/cibuild to be executed
• Remove .jekyll-cache and fix script/cibuild
• Fix rubocop to work with vendor/ gems
• Update .github/workflows/ci.yaml
• Rely on rubocop-github for Ruby formatting
• Update .github/settings.yml
• Update .github/workflows/ci.yaml
• Create .github/workflows/ci.yaml
• Update docs/CONTRIBUTING.md
• Update docs/SUPPORT.md
• Update .github/config.yml
• Fix linting errors & fix GitHub asset URL
• lessen Jekyll dependency
• bump ruby version in .travis.yml to 2.5ma

0.2.0

• Add Google Analytics to head-custom.html to allow easier customization of the GA code #79

0.1.2

• Allow Jekyll v4
• Return to home on click page title #47
• Show full header h1 for smaller displays #49

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 39 commits:

• Merge pull request #79 from pages-themes/head-custom
• Add head-custom.html to allow easier customization of the <head>
• Merge pull request #78 from pages-themes/repo-name-scss
• Add _sass/hacker.scss to allow importing with theme name while using jekyll-remote-theme
• Merge pull request #69 from olifre/theme-color
• Improve wording in README.
• README: Add hint on how to customize by providing _includes.
• Improve comment in `head-custom.html`
• Add head-custom.html include, factor out theme-color setting.
• Merge branch 'master' into theme-color
• Update README.md
• Allow script/cibuild to be executed
• Remove .jekyll-cache and fix script/cibuild
• Fix rubocop to work with vendor/ gems
• Update .github/workflows/ci.yaml
• Rely on rubocop-github for Ruby formatting
• Update .github/settings.yml
• Update .github/workflows/ci.yaml
• Setup theme-color in head tags
• Merge pull request #59 from pages-themes/github-actions
• Merge branch 'master' into github-actions
• Create .github/workflows/ci.yaml
• Separate build & test
• Disable Gemspec/RequiredRubyVersion
• Update ci.yaml
• On: push
• Add test CI workflow
• Release :gem: v0.1.2
• Update docs/CONTRIBUTING.md
• Update docs/SUPPORT.md
• Update .github/config.yml
• Merge pull request #49 from tswfi/show_full_header_for_small_displays
• Show full header h1 for smaller displays
• Merge pull request #47 from malteada/master
• Separate style and relative_url on title a tag
• feat: Return to home on click page title
• Fix linting errors & fix GitHub asset URL
• lessen Jekyll dependency
• bump ruby version in .travis.yml to 2.5ma

0.2.0

• Added styled KBD tag, like in primer theme #47 (thanks, @gebeto)
• Remove 'auto' from padding since it's not a valid padding #57
• Add head-custom.html to allow easier customization of the <head> #56

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 34 commits:

• Merge pull request #56 from pages-themes/head-custom
• Merge branch 'master' into head-custom
• Merge pull request #57 from pages-themes/fix-css-validation-error
• Remove 'auto' from padding since it's not a valid padding
• Add head-custom.html to allow easier customization of the <head>
• Merge pull request #47 from gebeto/patch-1
• Merge pull request #55 from pages-themes/repo-name-scss
• Add _sass/leap-day.scss to allow importing with theme name while using jekyll-remote-theme
• Update README.md
• Allow script/cibuild to be executed
• Remove .jekyll-cache and fix script/cibuild
• Fix rubocop to work with vendor/ gems
• Update .github/workflows/ci.yaml
• Rely on rubocop-github for Ruby formatting
• Update .github/settings.yml
• Update .github/workflows/ci.yaml
• Add styled KBD tag, like in primer theme
• Create .github/workflows/ci.yaml
• Update docs/CONTRIBUTING.md
• Update docs/SUPPORT.md
• Update .github/config.yml
• Merge pull request #37 from iBug/patch-1
• Merge branch 'master' into patch-1
• Fix linting errors & fix GitHub asset URL
• Respect page.title and page.description if set
• lessen Jekyll dependency
• bump ruby version in .travis.yml to 2.5ma
• Merge pull request #31 from pages-themes/graham-update
• update twitter user name
• Merge pull request #30 from alexroseb/alexroseb-a11y-patch
• Darken body text
• Accessibility fixes
• Merge pull request #25 from lambdacasserole/bugfix-linear-gradient
• Fix calls to linear-gradient

0.2.0

Add head-custom.html to allow easier customization of the <head> #10

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 19 commits:

• Merge pull request #10 from pages-themes/head-custom
• Add head-custom.html to allow easier customization of the <head>
• Merge pull request #9 from pages-themes/repo-name-scss
• Add _sass/merlot.scss to allow importing with theme name while using jekyll-remote-theme
• Update README.md
• Allow script/cibuild to be executed
• Remove .jekyll-cache and fix script/cibuild
• Fix rubocop to work with vendor/ gems
• Update .github/workflows/ci.yaml
• Rely on rubocop-github for Ruby formatting
• Update .github/settings.yml
• Update .github/workflows/ci.yaml
• Create .github/workflows/ci.yaml
• Update docs/CONTRIBUTING.md
• Update docs/SUPPORT.md
• Update .github/config.yml
• Fix linting errors & fix GitHub asset URL
• lessen Jekyll dependency
• bump ruby version in .travis.yml to 2.5ma

0.2.0

• Add Google Analytics to head-custom.html to allow easier customization of the GA code #37

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 38 commits:

• Merge pull request #33 from olifre/migrate-readme-badge-to-gh-action
• Merge branch 'master' into migrate-readme-badge-to-gh-action
• Merge pull request #37 from pages-themes/head-custom
• Add head-custom.html to allow easier customization of the <head>
• Merge pull request #36 from pages-themes/repo-name-scss
• Add _sass/midnight.scss to allow importing with theme name while using jekyll-remote-theme
• Update README.md
• README: Use badge from github-action instead of Travis-CI.
• Merge pull request #30 from olifre/custom-heads
• head-custom: Use consistent names for custom header includes.
• Add head-custom.html for custom head tags.
• Merge pull request #31 from olifre/theme-color
• Merge branch 'master' into theme-color
• Merge pull request #32 from olifre/fix-li-in-nav
• Allow script/cibuild to be executed
• Remove .jekyll-cache and fix script/cibuild
• Fix rubocop to work with vendor/ gems
• Migrate theme-color meta tags to dedicated include file.
• Setup theme-color in head tags.
• Update .github/workflows/ci.yaml
• Rely on rubocop-github for Ruby formatting
• Update .github/settings.yml
• Merge branch 'master' into fix-li-in-nav
• Update .github/workflows/ci.yaml
• Wrap <li> in <ul>, not directly in <nav>.
• Create .github/workflows/ci.yaml
• Update docs/CONTRIBUTING.md
• Update docs/SUPPORT.md
• Update .github/config.yml
• Fix linting errors & fix GitHub asset URL
• lessen Jekyll dependency
• Merge pull request #18 from Gizmokid2005/patch-1
• Fix linear-gradient
• bump ruby version in .travis.yml to 2.5
• Merge pull request #17 from pages-themes/graham-update
• updating twitter handle
• Merge pull request #9 from coaxial/extend-font
• Support accentuated characters

0.2.0

• Add head-custom.html to allow easier customization of the <head> #119

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 28 commits:

• Merge pull request #117 from kmyk/patch-1
• Merge pull request #119 from pages-themes/head-custom
• Add head-custom.html to allow easier customization of the <head>
• Merge pull request #118 from pages-themes/repo-name-scss
• Add _sass/minimal.scss to allow importing with theme name while using jekyll-remote-theme
• Update Usage section of README.md
• Update README.md
• Allow script/cibuild to be executed
• Remove .jekyll-cache and fix script/cibuild
• Fix rubocop to work with vendor/ gems
• Update .github/workflows/ci.yaml
• Rely on rubocop-github for Ruby formatting
• Update .github/settings.yml
• Update .github/workflows/ci.yaml
• Merge pull request #87 from gebeto/master
• Add styled KBD tag, like in primer theme
• Create .github/workflows/ci.yaml
• Update docs/CONTRIBUTING.md
• Update docs/SUPPORT.md
• Update .github/config.yml
• Fix linting errors & fix GitHub asset URL
• lessen Jekyll dependency
• Merge pull request #53 from coliff/patch-1
• Always load html5shiv over HTTPS
• bump ruby version in .travis.yml to 2.5
• Merge pull request #35 from quytelda/downloads
• Add 'downloads' SCSS class for download lists
• Add "downloads" class to list of downloads

0.2.0

• Replace linear_gradient with linear-gradient() CSS function #17
• Add head-custom.html to allow easier customization of the <head> #16

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 27 commits:

• Merge pull request #16 from pages-themes/head-custom
• Merge branch 'master' into head-custom
• Merge pull request #17 from pages-themes/fix-linear-gradient
• Replace linear_gradient with linear-gradient() CSS function
• Add head-custom.html to allow easier customization of the <head>
• Merge pull request #15 from pages-themes/repo-name-scss
• Add _sass/modernist.scss to allow importing with theme name while using jekyll-remote-theme
• Update README.md
• Allow script/cibuild to be executed
• Remove .jekyll-cache and fix script/cibuild
• Fix rubocop to work with vendor/ gems
• Update .github/workflows/ci.yaml
• Rely on rubocop-github for Ruby formatting
• Update .github/settings.yml
• Update .github/workflows/ci.yaml
• Merge pull request #14 from gebeto/patch-1
• Add styled KBD tag, like in primer theme
• Create .github/workflows/ci.yaml
• Update docs/CONTRIBUTING.md
• Update docs/SUPPORT.md
• Update .github/config.yml
• Merge pull request #10 from Tekaoh/master
• Widen the page a bit
• Fix checker background
• Fix linting errors & fix GitHub asset URL
• lessen Jekyll dependency
• bump ruby version in .travis.yml to 2.5ma

0.6.0

• Add head-custom.html to allow easier customization of the #61

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 22 commits:

• Merge pull request #61 from pages-themes/head-custom
• Add head-custom.html to allow easier customization of the <head>
• Merge pull request #60 from pages-themes/repo-name-scss
• Add _sass/primer.scss to allow importing with theme name while using jekyll-remote-theme
• Update README.md
• Allow script/cibuild to be executed
• Remove .jekyll-cache and fix script/cibuild
• Fix rubocop to work with vendor/ gems
• Merge pull request #51 from pages-themes/dependabot/add-v2-config-file
• Update .github/workflows/ci.yaml
• Rely on rubocop-github for Ruby formatting
• Update .github/settings.yml
• Update .github/workflows/ci.yaml
• Upgrade to GitHub-native Dependabot
• Merge pull request #48 from pages-themes/dependabot/npm_and_yarn/y18n-4.0.3
• [Security] Bump y18n from 4.0.0 to 4.0.3
• Create .github/workflows/ci.yaml
• Update docs/CONTRIBUTING.md
• Update docs/SUPPORT.md
• Update .github/config.yml
• Merge pull request #36 from pages-themes/dependabot/npm_and_yarn/mixin-deep-1.3.2
• [Security] Bump mixin-deep from 1.3.1 to 1.3.2

0.2.0

• Add head-custom.html to allow easier customization of the <head> #66
• Added styled KBD tag, like in primer theme #47 (thanks, @gebeto)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 25 commits:

• Merge pull request #47 from gebeto/master
• Merge pull request #66 from pages-themes/head-custom
• Add head-custom.html to allow easier customization of the <head>
• Merge pull request #65 from pages-themes/repo-name-scss
• Add _sass/slate.scss to allow importing with theme name while using jekyll-remote-theme
• Update README.md
• Allow script/cibuild to be executed
• Remove .jekyll-cache and fix script/cibuild
• Fix rubocop to work with vendor/ gems
• Update .github/workflows/ci.yaml
• Rely on rubocop-github for Ruby formatting
• Update .github/settings.yml
• Update .github/workflows/ci.yaml
• Add styled KBD tag, like in primer theme
• Create .github/workflows/ci.yaml
• Update docs/CONTRIBUTING.md
• Update docs/SUPPORT.md
• Update .github/config.yml
• Merge pull request #34 from toughengineer/patch-1
• Make usage of <code> in headers *not* ugly
• Fix linting errors & fix GitHub asset URL
• lessen Jekyll dependency
• bump ruby version in .travis.yml to 2.5ma
• Merge pull request #22 from pdonias/master
• Show "View on GitHub" on project pages only

0.2.0

• Add head-custom.html to allow easier customization of the <head> #23
• Fall back code font-family to monospace #21 (thanks @lkslawek)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 24 commits:

• Merge pull request #21 from lkslawek/fall-back-code-font-family-to-monospace
• Merge branch 'master' into fall-back-code-font-family-to-monospace
• Merge pull request #23 from pages-themes/head-custom
• Add head-custom.html to allow easier customization of the <head>
• Merge pull request #22 from pages-themes/repo-name-scss
• Add _sass/tactile.scss to allow importing with theme name while using jekyll-remote-theme
• Update README.md
• Allow script/cibuild to be executed
• Remove .jekyll-cache and fix script/cibuild
• Fix rubocop to work with vendor/ gems
• Update .github/workflows/ci.yaml
• Rely on rubocop-github for Ruby formatting
• Update .github/settings.yml
• Update .github/workflows/ci.yaml
• Fall back code font-family to monospace
• Create .github/workflows/ci.yaml
• Update docs/CONTRIBUTING.md
• Update docs/SUPPORT.md
• Update .github/config.yml
• Fix linting errors & fix GitHub asset URL
• lessen Jekyll dependency
• Merge pull request #14 from mitchmac/mobile-style-tweak
• Set viewport and list margins for mobile friendly style
• bump ruby version in .travis.yml to 2.5

0.2.0

• Add head-custom.html to allow easier customization of the <head> #22
• Added styled KBD tag, like in primer theme #13 (thanks @gebeto)
• Fix show_downloads #16 (thanks @deargle)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 25 commits:

• Merge pull request #22 from pages-themes/head-custom
• Merge pull request #16 from deargle/pr-14-fix-show-downloads
• Merge branch 'master' into pr-14-fix-show-downloads
• Merge pull request #13 from gebeto/patch-1
• Add head-custom.html to allow easier customization of the <head>
• Merge pull request #21 from pages-themes/repo-name-scss
• Add _sass/time-machine.scss to allow importing with theme name while using jekyll-remote-theme
• Update README.md
• Allow script/cibuild to be executed
• Remove .jekyll-cache and fix script/cibuild
• Fix rubocop to work with vendor/ gems
• script/cibuild: Add --config flag to Rubocop execution in order to ignore the vendor/ directory
• Update .github/workflows/ci.yaml
• Rely on rubocop-github for Ruby formatting
• Update .github/settings.yml
• Update .github/workflows/ci.yaml
• * wrap scrolled nav download buttons in `show_downloads`
• Add styled KBD tag, like in primer theme
• Create .github/workflows/ci.yaml
• Update docs/CONTRIBUTING.md
• Update docs/SUPPORT.md
• Update .github/config.yml
• Fix linting errors & fix GitHub asset URL
• lessen Jekyll dependency
• bump ruby version in .travis.yml to 2.5

0.13.0 (from changelog)

Development Fixes

• Add Actions CI workflow (#127)
• Add release workflow (#128)
• Create dependabot config for rubygems upgrades (#126)
• Add github-actions to dependabot (#132)
• Bump actions/checkout from 2 to 3 (#133)
• Upgrade Rubocop target version to 2.7 (#134)
• Update rake requirement from ~> 12.0 to ~> 13.0 (#130)

Minor Enhancements

• Update gemoji requirement from ~> 3.0 to >= 3, < 5 & test with both major versions (#131)

0.12.0

Minor Enhancements

• perf: don't load Gemoji into memory immediately (#106)

Development Fixes

• deps: Ruby > 2.4 (EOL)
• ci: test with Ruby 2.7

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 33 commits:

• Merge pull request #135 from jekyll/release-1-0-0
• Release jemoji v0.13.0
• Update history to reflect merge of #131 [ci skip]
• Update gemoji requirement from ~> 3.0 to >= 3, < 5 & test with both major versions (#131)
• Update history to reflect merge of #130 [ci skip]
• Update rake requirement from ~> 12.0 to ~> 13.0 (#130)
• Update history to reflect merge of #134 [ci skip]
• Upgrade Rubocop target version to 2.7 (#134)
• Update history to reflect merge of #133 [ci skip]
• Bump actions/checkout from 2 to 3 (#133)
• Update History.markdown
• Merge pull request #132 from jekyll/parkr-patch-2
• Add github-actions to dependabot
• Merge pull request #127 from jekyll/parkr-patch-2
• Merge pull request #128 from jekyll/parkr-patch-3
• release.yaml: target master branch
• Merge pull request #126 from jekyll/parkr-patch-1
• Add support for running CI on PRs targeting the 'master' branch
• Add release workflow
• Add Actions CI workflow
• Create dependabot.yml
• chore(ci): GitHub Pages runs Ruby 2.7.1
• Remove RuboCop TODO config file
• Conditionally load GFM parser gem in CI builds
• chore(ci): bump Ruby versions
• chore(dev): simplify require for version
• chore(release): v0.12.0 :gem:
• chore(ci): Use latest versions
• styles: rubocop --auto-correct
• chore(deps): Ruby > 2.4
• chore: ignore vendor/bundle
• Update history to reflect merge of #106 [ci skip]
• Don't load Gemoji into memory immediately (#106)

🚨 Remote code execution in Kramdown

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

See the full diff on Github. The new version differs by 12 commits:

• Backport flaky no object allocation test fix
• Use the released version of the liquid-c 4-0-stable branch
• Add allowed_push_host to gemspec to allow releases
• Merge pull request #1668 from Shopify/4-0-backports
• rubocop: Exclude vendored dependencies in CI
• Update History.md
• Use 4-0-stable liquid-c branch to fix extension compilation in CI
• Backport CI migration
• Bump rake for ruby 3.2 compatibility
• Fix ParseTreeVisitorTest for ruby 3 compatibility
• Use liquid-c 4.0.0
• Remove use of ruby taint API for ruby 3.2 compatibility

3.9.0

• Issue #572: make kernel warn configurable -- see README (#579) @ColinDKelley @AlexB52
• drop ruby 2.6 and add ruby 3.3 to the test matrix (#578) @ColinDKelley
• Fix github workflows link in README (#577) @hotoolong

3.8.0

• Use the defined type to the default value of directory (#566) @y-yagi
• update ruby version matrix to drop 2.4, 2.5 and add 3.2 (#567) @ColinDKelley
• Update ruby version 3.0.4 (#562) @vickyprahastra
• Raise argument error when passing a file path (#563) @janko
• Fix kwargs matching with rspec-mock 3.12 and Ruby 3+ (#564) @voxik
• Disable fail-fast for CI matrix (#555) @ybiquitous
• Add Ruby 3.0/3.1 to CI (#554) @ybiquitous

3.7.1

• Issue #548: fix error when renaming folder (#552) @ColinDKelley
• issue #550: fix README to document start rather than unpause (#551) @ColinDKelley
• Issue #543: Ignore emacs backup/swap files by default. (#546) @zw963

3.7.0

• issue #509: raise Listen::Error::INotifyMaxWatchesExceeded rather than abort (#545) @ColinDKelley
• Plumb Silencer.new and use it #542 spec (#544) @ColinDKelley
• fix: Avoid scanning and building entries for silenced directories (#542) @ElMassimo

3.6.0

✨ New Features

• #452 for FIPS compatibility, use SHA256 instead of MD5 (#541) @ColinDKelley

3.5.1

• Bump required ruby version to v2.4.0 (#536) @cgunther

3.4.0

• Issue #510: use monotonic tick count (#512) @ColinDKelley

3.3.4

• Don't return incorrect files when there's a file whose name matches a dir (#526) @ghiculescu
• added correct link to help debug inotify workers error on linux (#527) @williamkennedy
• issue #473: use sudo sh -c so redirection works (#525) @ColinDKelley
• issue #473: update README for setting fs.inotify.max_user_watches (#522) @ColinDKelley
• issue #451: change windows install instructions to suggest platforms: instead of Gem.win_platform? (#523) @ColinDKelley
• put missing wiki content into README (#521) @ColinDKelley

3.3.3

• Add project metadata to the gemspec (#519) @orien

3.3.2

• Issue #504: tune .rubocop.yml and source code to make it pass all cops (#508) @ColinDKelley
• Fix description typo (#515) @ccouzens

3.3.1

• issue #513: allow stop when not started (#514) @ColinDKelley

3.3.0

✨ New Features

• Use file size to check for modifications (#336) @marawan31
• Ignore mutagen sync temporary files (#469) @nilbus
• Add GitHub Actions for development workflow. (#485) @ioquatix
• Allow Ruby 3 (#490) @yahonda
• Add Truffleruby head to CI (#493, #507) @gogainda
• Add magic # frozen_string_literal: true comment (#494) @ColinDKelley

🐛 Bug Fixes

• Fix: Linux driver listens for :modify events again (#450) @ColinDKelley
• Fix: Track removed subdirectories (#460) @bryanlira
• Use one fsevent_watch process per listener instead of one per dir (#471) @ioquatix
• Wrap Listener instances in WeakRef (#477) @jonathanhefner
• Include macOS Big Sur in Adapter::Darwin#usable? (#479) @christiankn
• Fix hanging race condition (#481, #500) @ColinDKelley
• Remove Listen::Internals::ThreadPool (#483) @jonathanhefner
• Tidy up thread killing. Remove JRuby workaround. (#484) @ioquatix
• Move thread caller stack and rescue+log to a common place (#487) @ColinDKelley
• Unify logging through Listen.logger; add missing logger_spec (#497) @ColinDKelley
• Rescue and log application exceptions raised from the Listen.to callback so listening doesn't break in process (#505) @ColinDKelley

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

🚨 Nokogiri patches vendored libxml2 to resolve multiple CVEs

Summary

Nokogiri v1.18.9 patches the vendored libxml2 to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796.

Impact and severity

CVE-2025-6021

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae

CVE-2025-6170

A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.

NVD claims a severity of 2.5 Low (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c1

CVE-2025-49794

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.

NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

CVE-2025-49795

A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.

NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/62048278

CVE-2025-49796

A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.

NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

Affected Versions

• Nokogiri < 1.18.9 when using CRuby (MRI) with vendored libxml2

Patched Versions

• Nokogiri >= 1.18.9

Mitigation

Upgrade to Nokogiri v1.18.9 or later.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.

References

• #3526
• https://nvd.nist.gov/vuln/detail/CVE-2025-6021
• https://nvd.nist.gov/vuln/detail/CVE-2025-6170
• https://nvd.nist.gov/vuln/detail/CVE-2025-49794
• https://nvd.nist.gov/vuln/detail/CVE-2025-49795
• https://nvd.nist.gov/vuln/detail/CVE-2025-49796

🚨 Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415

Summary

Nokogiri v1.18.8 upgrades its dependency libxml2 to v2.13.8.

libxml2 v2.13.8 addresses:

• CVE-2025-32414
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
• CVE-2025-32415
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890

Impact

CVE-2025-32414: No impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

There is no impact from this CVE for Nokogiri users.

CVE-2025-32415: Low impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

In the upstream issue, further context is provided by the maintainer:

The bug affects validation against untrusted XML Schemas (.xsd) and validation of untrusted
documents against trusted Schemas if they make use of xsd:keyref in combination with recursively
defined types that have additional identity constraints.

MITRE has published a severity score of 2.9 LOW (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.

🚨 Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs

Summary

Nokogiri v1.18.4 upgrades its dependency libxslt to v1.1.43.

libxslt v1.1.43 resolves:

• CVE-2025-24855: Fix use-after-free of XPath context node
• CVE-2024-55549: Fix UAF related to excluded namespaces

Impact

CVE-2025-24855

• "Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node"
• MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
• Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
• NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24855

CVE-2024-55549

• "Use-after-free related to excluded result prefixes"
• MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
• Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
• NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55549

🚨 Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

• CVE-2025-24928
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
• CVE-2024-56171
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

🚨 Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

• described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
• patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

• 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
• 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
• 2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

🚨 Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062

Summary

Nokogiri upgrades its dependency libxml2 as follows:

• Nokogiri v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
• Nokogiri v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

• CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
  • patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against patched external libxml2 libraries which will also address these same
issues.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Timeline

• 2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information
• 2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions
• 2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public
• 2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated "Impact" section
• 2024-03-16 09:03 EDT - v1.15.6 published (see discussion at #3146), updated mitigation information
• 2024-03-18 22:12 EDT - update "affected products" range with v1.15.6 information

🚨 Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062

Summary

Nokogiri upgrades its dependency libxml2 as follows:

• Nokogiri v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
• Nokogiri v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

• CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
  • patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against patched external libxml2 libraries which will also address these same
issues.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Timeline

• 2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information
• 2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions
• 2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public
• 2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated "Impact" section
• 2024-03-16 09:03 EDT - v1.15.6 published (see discussion at #3146), updated mitigation information
• 2024-03-18 22:12 EDT - update "affected products" range with v1.15.6 information

🚨 Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs

Summary

Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to v2.10.4 from v2.10.3.

libxml2 v2.10.4 addresses the following known vulnerabilities:

• CVE-2023-29469: Hashing of empty dict strings isn't deterministic
• CVE-2023-28484: Fix null deref in xmlSchemaFixupComplexType
• Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.14.3.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.10.4 which will also address these same issues.

Impact

No public information has yet been published about the security-related issues other than the upstream commits. Examination of those changesets indicate that the more serious issues relate to libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.

The commits can be examined at:

• [CVE-2023-29469] Hashing of empty dict strings isn't deterministic (09a2dd45) · Commits · GNOME / libxml2 · GitLab
• [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType (647e072e) · Commits · GNOME / libxml2 · GitLab
• schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK (4c6922f7) · Commits · GNOME / libxml2 · GitLab

🚨 Unchecked return value from xmlTextReaderExpand

Summary

Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.

For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

Mitigation

Upgrade to Nokogiri >= 1.13.10.

Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

• CWE - CWE-252: Unchecked Return Value (4.9)
• CWE - CWE-476: NULL Pointer Dereference (4.9)

Credit

This vulnerability was responsibly reported by @davidwilemski.

🚨 Update bundled libxml2 to v2.10.3 to resolve multiple CVEs

Summary

Nokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to v2.10.3 from v2.9.14.

libxml2 v2.10.3 addresses the following known vulnerabilities:

• CVE-2022-2309
• CVE-2022-40304
• CVE-2022-40303

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.9, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.9.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.10.3 which will also address these same issues.

Impact

libxml2 CVE-2022-2309

• CVSS3 score: Under evaluation
• Type: Denial of service
• Description: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Nokogiri maintainers investigated at #2620 and determined this CVE does not affect Nokogiri users.

libxml2 CVE-2022-40304

• CVSS3 score: Unspecified upstream
• Type: Data corruption, denial of service
• Description: When an entity reference cycle is detected, the entity content is cleared by setting its first byte to zero. But the entity content might be allocated from a dict. In this case, the dict entry becomes corrupted leading to all kinds of logic errors, including memory errors like double-frees.

See https://gitlab.gnome.org/GNOME/libxml2/-/commit/644a89e080bced793295f61f18aac8cfad6bece2

libxml2 CVE-2022-40303

• CVSS3 score: Unspecified upstream
• Type: Integer overflow
• Description: Integer overflows with XML_PARSE_HUGE

See https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0

References

• libxml2 release notes
• CVE-2022-2309
• CVE-2022-40304
• CVE-2022-40303

🚨 Nokogiri Implements libxml2 version vulnerable to use-after-free

There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

🚨 Nokogiri has vulnerable dependencies on libxml2 and libxslt

Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

🚨 Nokogiri Implements libxml2 version vulnerable to null pointer dereferencing

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.

🚨 Nokogiri contains libxml Out-of-bounds Write vulnerability

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

Nokogiri prior to version 1.11.4 used a vulnerable version of libxml2. Nokogiri 1.11.4 updated libxml2 to version 2.9.11 to address this and other vulnerabilities in libxml2.

🚨 Nokogiri Improperly Handles Unexpected Data Type

Summary

Nokogiri < v1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers. For CRuby users, this may allow specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory.

Severity

The Nokogiri maintainers have evaluated this as High 8.2 (CVSS3.1).

Mitigation

CRuby users should upgrade to Nokogiri >= 1.13.6.

JRuby users are not affected.

Workarounds

To avoid this vulnerability in affected applications, ensure the untrusted input is a String by calling #to_s or equivalent.

Credit

This vulnerability was responsibly reported by @agustingianni and the Github Security Lab.

🚨 Integer Overflow or Wraparound in libxml2 affects Nokogiri

Summary

Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from v2.9.13 to v2.9.14.

libxml2 v2.9.14 addresses CVE-2022-29824. This version also includes several security-related bug fixes for which CVEs were not created, including a potential double-free, potential memory leaks, and integer-overflow.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.5, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.5.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.9.14 which will also address these same issues.

Impact

libxml2 CVE-2022-29824

• CVSS3 score:
  • Unspecified upstream
  • Nokogiri maintainers evaluate at 8.6 (High) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H). Note that this is different from the CVSS assessed by NVD.
• Type: Denial of service, information disclosure
• Description: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
• Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a24

All versions of libml2 prior to v2.9.14 are affected.

Applications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service.

References

• libxml2 v2.9.14 release notes
• CVE-2022-29824
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

🚨 Nokogiri Inefficient Regular Expression Complexity

Summary

Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

CWE-1333 Inefficient Regular Expression Complexity

Credit

This vulnerability was reported by HackerOne user ooooooo_q (ななおく).

🚨 Denial of Service (DoS) in Nokogiri on JRuby

Summary

Nokogiri v1.13.4 updates the vendored org.cyberneko.html library to 1.9.22.noko2 which addresses CVE-2022-24839. That CVE is rated 7.5 (High Severity).

See GHSA-9849-p7jc-9rmv for more information.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Impact

CVE-2022-24839 in nekohtml

• Severity: High 7.5
• Type: CWE-400 Uncontrolled Resource Consumption
• Description: The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup.
• See also: GHSA-9849-p7jc-9rmv

🚨 Out-of-bounds Write in zlib affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses CVE-2018-25032. That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.4, and only if the packaged version of zlib is being used. Please see this document for a complete description of which platform gems vendor zlib. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's zlib release announcements.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2018-25032 in zlib

• Severity: High
• Type: CWE-787 Out of bounds write
• Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

🚨 XML Injection in Xerces Java affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored xerces:xercesImpl from 2.12.0 to 2.12.2, which addresses CVE-2022-23437. That CVE is scored as CVSS 6.5 "Medium" on the NVD record.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2022-23437 in xerces-J

• Severity: Medium
• Type: CWE-91 XML Injection (aka Blind XPath Injection)
• Description: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
• See also: GHSA-h65f-jvqw-m9fj

🚨 Nokogiri affected by zlib's Out-of-bounds Write vulnerability

zlib 1.2.11 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

🚨 Vulnerable dependencies in Nokogiri

Summary

Nokogiri v1.13.2 upgrades two of its packaged dependencies:

• vendored libxml2 from v2.9.12 to v2.9.13
• vendored libxslt from v1.1.34 to v1.1.35

Those library versions address the following upstream CVEs:

• libxslt: CVE-2021-30560 (CVSS 8.8, High severity)
• libxml2: CVE-2022-23308 (Unspecified severity, see more information below)

Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.

Impact

libxslt CVE-2021-30560

• CVSS3 score: 8.8 (High)
• Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c

All versions of libxslt prior to v1.1.35 are affected.

Applications using untrusted XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately.

libxml2 CVE-2022-23308

• As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score.
• Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12
• Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html

The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an untrusted document with parse options DTDVALID set to true, and NOENT set to false.

An analysis of these parse options:

• While NOENT is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later.
• DTDVALID is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly.

It seems reasonable to assume that any application explicitly setting the parse option DTDVALID when parsing untrusted documents is vulnerable and should be upgraded immediately.

🚨 Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.0) for JRuby users. (This security advisory does not apply to CRuby users.)

Impact

In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default.

Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected:

• Nokogiri::XML::SAX::Parser
• Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser
• Nokogiri::XML::SAX::PushParser
• Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser

Mitigation

JRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier.

CRuby users are not affected.

🚨 Nokogiri updates packaged dependency on libxml2 from 2.9.10 to 2.9.12

Summary

Nokogiri v1.11.4 updates the vendored libxml2 from v2.9.10 to v2.9.12 which addresses:

• CVE-2019-20388 (Medium severity)
• CVE-2020-24977 (Medium severity)
• CVE-2021-3517 (Medium severity)
• CVE-2021-3518 (Medium severity)
• CVE-2021-3537 (Low severity)
• CVE-2021-3541 (Low severity)

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.11.4, and only if the packaged version of libxml2 is being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.11.4.

Impact

I've done a brief analysis of the published CVEs that are addressed in this upstream release. The libxml2 maintainers have not released a canonical set of CVEs, and so this list is pieced together from secondary sources and may be incomplete.

All information below is sourced from security.archlinux.org, which appears to have the most up-to-date information as of this analysis.

CVE-2019-20388

• Severity: Medium
• Type: Denial of service
• Description: A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed leading to a denial of service.
• Fixed: https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2020-7595

• Severity: Medium
• Type: Denial of service
• Description: xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
• Fixed: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c8907645d2e155f0d89d4d9895ac5112b5

This has been patched in Nokogiri since v1.10.8 (see #1992).

CVE-2020-24977

• Severity: Medium
• Type: Information disclosure
• Description: GNOME project libxml2 <= 2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c.
• Fixed: https://gitlab.gnome.org/GNOME/libxml2/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3516

• Severity: Medium
• Type: Arbitrary code execution (no remote vector)
• Description: A use-after-free security issue was found libxml2 before version 2.9.11 when "xmllint --html --push" is used to process crafted files.
• Issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/230
• Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539

Verified that the fix commit first appears in v2.9.11. This vector does not exist within Nokogiri, which does not ship xmllint.

CVE-2021-3517

• Severity: Medium
• Type: Arbitrary code execution
• Description: A heap-based buffer overflow was found in libxml2 before version 2.9.11 when processing truncated UTF-8 input.
• Issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235
• Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3518

• Severity: Medium
• Type: Arbitrary code execution
• Description: A use-after-free security issue was found in libxml2 before version 2.9.11 in xmlXIncludeDoProcess() in xinclude.c when processing crafted files.
• Issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/237
• Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3537

• Severity: Low
• Type: Denial of service
• Description: It was found that libxml2 before version 2.9.11 did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application.
• Issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/243
• Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3541

• Severity: Low
• Type: Denial of service
• Description: A security issue was found in libxml2 before version 2.9.11. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.
• Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4, however Nokogiri's default parse options prevent the attack from succeeding (it is necessary to opt into DTDLOAD which is off by default).

For more details supporting this analysis of this CVE, please visit #2233.

🚨 Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability

Severity

Nokogiri maintainers have evaluated this as Low Severity (CVSS3 2.6).

Description

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.

This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.

Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity".

Affected Versions

Nokogiri <= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3

Mitigation

There are no known workarounds for affected versions. Upgrade to Nokogiri 1.11.0.rc4 or later.

If, after upgrading to 1.11.0.rc4 or later, you wish to re-enable network access for resolution of external resources (i.e., return to the previous behavior):

1. Ensure the input is trusted. Do not enable this option for untrusted input.
2. When invoking the Nokogiri::XML::Schema constructor, pass as the second parameter an instance of Nokogiri::XML::ParseOptions with the NONET flag turned off.

So if your previous code was:

# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network
# but in v1.11.0.rc4 and later, this call will disallow network access for external resources
schema = Nokogiri::XML::Schema.new(schema)

# in v1.11.0.rc4 and later, the following is equivalent to the code above
# (the second parameter is optional, and this demonstrates its default value)
schema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)

Then you can add the second parameter to indicate that the input is trusted by changing it to:

# in v1.11.0.rc3 and earlier, this would raise an ArgumentError 
# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network
schema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)

References

• This issue's public advisory
• Original Hackerone report (private)
• OWASP description of XXE attack
• OWASP description of SSRF attack

Credit

This vulnerability was independently reported by @eric-therond and @gucki.

The Nokogiri maintainers would like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to us.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

🚨 Octokit gem published with world-writable files

Impact

Versions 4.23.0 and 4.24.0 of the octokit gem were published containing world-writeable files.

Specifically, the gem was packed with files having their permissions set to -rw-rw-rw- (i.e. 0666) instead of rw-r--r-- (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem.

Malicious code already present and running on your machine, separate from this package, could modify the gem’s files and change its behavior during runtime.

Patches

• octokit 4.25.0

Workarounds

Users can use the previous version of the gem v4.22.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.

4.25.1

• Stop configuring Faraday's retry middleware twice (@Edouard-chin)
• Fix various Ruby warnings (e.g. missing parentheses) (@coryf)

4.25.0

✅ NOTE: This remediates A security advisory was published on versions 4.23.0 and 4.24.0 of this gem. You can read more about this in the published security advisory. ✅

DX Improvements

• Rubocop improvements by @timrogers in #1441
• Require multi-factor authentication to push new releases to RubyGems by @timrogers in #1443

CI Improvements

Updates all build scripts to be more durable and adds details on how to run a manual file integrity check by @nickfloyd in #1446

Housekeeping

• Drop support for Ruby 1.9.2 in Octokit::Client::Contents#create_contents by @timrogers in #1442

Full Changelog: v4.24.0...v4.25.0

4.24.0

Known issues

Note: This release fixes the issue around autoloading modules causing some modules to not load before use #1428

---

Code improvements

• #1354, #1426 Enabling Ruby's immutable ("frozen") string literals i.e. --enable-frozen-string-literal via @timrogers and @olleolleolle

---

CI Improvements

• Adds Code QL analysis to octokit.rb via @nickfloyd

---

Bug fixes

• #1428 Fixes module loading issue with autoloading (this reverts #1351 ) - more information here via @collinsauve. @waiting-for-dev, @etiennebarrie, @timrogers, and @nickfloyd

---

Full Changelog: v4.23.0...v4.24.0

4.23.0

Code improvements

• #1382 Correctly raise Octokit::TooManyRequests when hitting secondary rate limit via @jasonopslevel
• #1411 Adds support for Faraday v2 usage via @skryukov

---

CI Improvements

• #1395 Adds Ruby 3.1 to CI via @petergoldstein

---

Performance improvements

• #1351 Make clients autoload via @gmcgibbon

---

Bug fixes

• #1297 Escape label names with URL characters via @Fryguy
• #1375 Escape ref in archive_link via @max611
• #1117 & #1419 Ensures that any nil parameters being passed in will initialize with Octokit's defaults instead of nil via @akerl, @nickfloyd
• #1321 & #1415 Fixed total_count calculation when paginating results for check runs and check suites via @a2ikm, @matiasalbarello
• #1121 Fixes service status methods via @vierarb

---

Documentation

• #1414 replace git.io link in source docs via @wonda-tea-coffee
• #1412 Document how and when the SDK raises exceptions via @timrogers
• #1356 Fixes grammar and style via @nikoandpiko

---

Full Changelog: v4.22.0...v4.23.0

4.22.0

Deprecation Fix

• #1359 Fix Faraday deprecation warning @ybiquitous

Code Improvements

• #1336 Update regex for create ref @thepwagner
• #1350 Support pagination in compare api @mrpinsky

CI and dependency updates

• #1353 Add Ruby 3.0 support for CI builds @olleolleolle
• #1387 Update pry-byebug requirement @ashishkeshan

Documentation

• #1376 Update example README code with token filtering @bencolon
• #1381 Update organization migration documentation links @rzhade3

4.21.0

API Support

• #1319 Add delete workflow run support @szemek
• #1322 Add match refs support @AHaymond
• #1329 Add rename branch support @gmcgibbon
• #1332 Add billing actions support @M-Yamashita01

Error handling

• #1324 Handle path diff too large errors @yykamei

Code clean up

• #1326 Remove graduated preview headers @ivailop

Documentation

• #1314 Update authentication usage @curquiza
• #1317 Fix logo link @gjtorikian
• #1318 Fix GitHub typo @bl-ue

4.20.0

API Support

• #1304 Added the ability to delete a deployment @jer-k
• #1308 Add repo vulnerability alerts related functionality for repositories @calvinhughes

Bug fixes

• #1309 Paginate outside_collaborators calls @sds
• #1316 Uses of FaradayMiddleware#on_complete should not be private @tarebyte

Code improvements

• #1131 Add CommitIsNotPartOfPullRequest error @wata727
• #1303 Remove integrations preview header @MichaelViveros
• #1307 Raise Octokit::InstallationSuspended when another error is received @yykamei

Documentation

• #1302 Add documentation on how to specify the ref option for RubyDoc @aomathwift
• #1311 Fix Code of Conduct link in Table of Contents @eduardoj

4.19.0

Code Improvements

• #1223 Ensure a boolean is returned for application_authenticated @zakallen
• #1255 Update api paths in the organization api to take ids @hmharvey
• #1260 Fix last_response behavior after failures @JackTLi
• #1253 Ensure adapters set SSL options properly @tjwallace
• #1270 Add context around rate limit errors @jatindhankhar

API Support

• #1252 Introduces support for the ActionWorkflow and ActionWorkflowRun APIs @petar-lazarov
• #1236 Support for ActionsSecrets API @jylitalo
• #1266 Support for get the authenticated app @kitop
• #1281 Support for create a workflow dispatch event @igfoo
• #1286 Support installation suspended failures @stmllr
• #1288 Support for user migration endpoints @stmllr

Documentation

• #1248 Fix documentation link for update a repository @spier
• #1269 Update some documentation param names @tarebyte
• #1276 Remove dangling phrase in CONTRIBUTING.md @igfoo
• #1278 Link related doc in CONTRIBUTING.md @igfoo
• #1279 Fix script typo in README.md @igfoo
• #1291 Fix typo in authorizations comments @ohbarye

CI and dependency updates

• #1206 Increased CI coverage @MSP-Greg
• #1243 Add Ruby 2.7 CI support @ybiquitous
• #1244 Removed coveralls dependency @hmharvey
• #1263 Remove duplicated CI coverage @hmharvey
• #1264 Keep running CI on PRs @hmharvey

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

3.1.1 (from changelog)

• fix: Ensure files directive in gemspec adds all files

3.1.0 (from changelog)

• Bad release: superseded by 3.1.1.
• added cross_out aka strike
• hexadecimal color names supported better, see #83
• gemspec: list files using a Ruby expression, avoiding git

(2020-08-26 was the planned release date, but the real release date is reflected in the heading.)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 29 commits:

• v3.1.1
• fix: Include all lib/ files
• Add screenshot of example in README
• Update .travis.yml
• Update .travis.yml
• RuboCop: configure new 0.81.0 rules
• Pin RuboCop to 0.81.0 to support Ruby 2.3
• v3.1.0
• v3.1.0 Changelog
• (chore) Add v0.80 RuboCop cops
• CI: Use JRuby 9.2.11.0
• CI: Update matrix
• Fix RuboCop offenses and warnings about .rubocop.yml
• Gemspec: List files using Ruby
• CI: Use 2.4.6, 2.5.5, 2.6.3, jruby-9.2.7.0 (#94)
• Use rubocop latest, drop support for Ruby 2.1, 2.2 (#91)
• CI: Allow Bundler 2, add Rubies to CI matrix (#89)
• Remove specific TargetRubyVersion from .rubocop.yml (#88)
• README: Add cross_out, strike to presenters docs
• Add test with non-existent :color (#86)
• introducing #cross_out (#84)
• Simplify `wrap_with_sgr` method (#85)
• Merge pull request #83 from chiting/add-hex-check
• Make rubocop happy
• Add hexadecimal format checking
• Add unit test for non hexadecimal string
• Merge pull request #81 from nicolasleger/patch-1
• [CI] Test against new Ruby 2.5 and patched
• Update changelog

0.11.2

• Avoid modifying string literals #91

0.11.1

• rescue Errno::EBADF when closing pipe #92

0.11.0

• Add arm64 arch to support Apple M1 guard/rb-fsevent#88

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 10 commits:

• Release version 0.11.2
• Merge pull request #91 from danielmorrison/frozen-string-literals
• Release version 0.11.1
• Merge pull request #92 from estraph/raph/rescue-errbadf-on-close
• rescue Errno::EBADF when closing pipe
• Avoid modifying string literals
• Release version 0.11.0
• Merge pull request #82 from richardkmichael/patch-1
• Merge pull request #88 from kevintom/add-m1-support
• add arm64 arch to support Apple M1

See the full diff on Github. The new version differs by 7 commits:

• Bump patch version.
• Improve crawling performance of `Notifier#watch` (#109)
• Bump minor version.
• Add GitHub actions. (#110)
• Prevent race condition in Notifier#run / #stop
• Clean up tests
• Test against Ruby 2.7.

🚨 REXML has DoS condition when parsing malformed XML file

Impact

The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations.
If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

Patches

REXML gems 3.4.2 or later include the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

• https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767/ : An announcement on www.ruby-lang.org

🚨 REXML ReDoS vulnerability

Impact

The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;).

This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.

Patches

The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

Workarounds

Use Ruby 3.2 or later instead of Ruby 3.1.

References

• https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org

🚨 REXML denial of service vulnerability

Impact

The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes.

If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected.

Patches

The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with tree parser API.

References

• https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org

🚨 REXML DoS vulnerability

Impact

The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API.

If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability.

Patches

The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with SAX2 or pull parser API.

References

• https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability
• https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org

🚨 REXML DoS vulnerability

Impact

The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, >] and ]>.

If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

Patches

The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

• GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability
• GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability
• https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announce on www.ruby-lang.org

🚨 REXML denial of service vulnerability

Impact

The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as <, 0 and %>.

If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

Patches

The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

• GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability
• https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/

🚨 REXML contains a denial of service vulnerability

Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many >s in an attribute value.

If you need to parse untrusted XMLs, you may be impacted to this vulnerability.

Patches

The REXML gem 3.2.7 or later include the patch to fix this vulnerability.

Workarounds

Don't parse untrusted XMLs.

References

• https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

🚨 REXML round-trip instability

The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

3.30.0

We bring you 3 new exciting lexers in this release: Isabelle, Meson and Nial lexer. There are also some fixes and improvements on CPP, Dart, Groovy, JavaScript, Pascal, PHP and TOML lexer.

Thank you to all of the amazing contributors for your help and continuous support!

Full Changelog: v3.29.0...v3.30.0

3.29.0

We bring you 5 new exciting lexers in this release: Idris, Lean, Syzlang and Syzprog lexer. There are also some fixes and improvements on Docker, Matlab and Python lexer.

Furthermore, we have made some improvements in Rouge and Rouge CI. We are now running Ruby 3.1 as part of our CI. As part of this release, we also introduced Code of Conduct v2.1.

Thank you to all of the amazing contributors for your help and continuous support!

New Contributors

• @bmwant made their first contribution in #1464
• @petergoldstein made their first contribution in #1791
• @xairy made their first contribution in #1699
• @casperisfine made their first contribution in #1806
• @kunigami made their first contribution in #1798
• @bartbroere made their first contribution in #1809
• @siko1056 made their first contribution in #1669
• @chvp made their first contribution in #1801
• @lee-lindley made their first contribution in #1811

Full Changelog: v3.28.0...v3.29.0

3.28.0

This first release of 2022 introduces 3 new lexers: Fluent, Stan and Stata. There are also numerous fixes and improvements across C, Console, CPP, Cypher, Dart, HCL, JSX, Kotlin, Rust, SPARQL and TOML lexer. In addition, we have added support to run the visual test app in Ruby 3.0.

Thank you to everyone who has contributed to this release. It is wonderful to see some first-time contributors. May all your wishes come true in 2022!

3.27.0 (from changelog)

Comparison with the previous version

• Ceylon Lexer
  • Backtracking fix in interpolation regex (#1773 by thewoolleyman)
• Dafny Lexer
  • Add Dafny Lexer (#1647 by davidcok, mschlaipfer)
• Elixir Lexer
  • Add support for HEEX templates (#1736 by sineed
• Rust Lexer
  • Fix lexing of integers, escapes, identifiers, unicode idents, keywords and builtins, byte strings and multiline and doc comments (#1711 by thomcc)
• SQL Lexer
  • Curly brace support (#1714 by hawkfish)
  • Add more SQL dialects in visual samples (#1751 by tancnle)
  • Windowing keywords support (#1754 by hawkfish)
• Swift Lexer
  • Add 5.5 keywords (#1715 by johnfairh))
• Rouge CI
  • Migrate from Travis CI to GitHub (#1728 by Geod24)
• Documentation
  • Full list of supported languages (#1739 by gdubicki)
  • Various fixes and improvements (#1741, #1745, #1747, #1748, #1749, #1756 by tancnle)

3.26.1 (from changelog)

Comparison with the previous version

• CPP Lexer
  • Add year and date chrono literals, add std::complex literals, fix chrono literals with digit separator (#1665 by swheaton)
• Factor and GHC Core Lexer
  • Fix catastrophic backtrack (#1690 by Ravlen)
• JSL Lexer
  • Fix single line block comments, scoped variables and functions (#1663 by BenPH)
• YAML Lexer
  • Fix YAML key containing special character (#1667 by tancnle)
• Fix Ruby 2.7 keyword parameter deprecation warning (#1597 by stanhu)
• Updated README (#1666 by dchacke)

3.26.0

There are two things to report in this release.

The first are the usual notes. We have two new lexers: one for OCL and one for ReScript. There are also fixes for the CMake, Crystal, JSL, Python, ReasonML and Rust lexers. Thank you to all the contributors!

The second is that I'd like to announce that this will be my last release as a maintainer of Rouge. It's been a terrific experience and I'd like to thank @jneen and the other maintainers for making me feel very welcome. I wish them all the best as Rouge moves to version 4!

3.25.0

No new lexers this time but we do have a lot of updates. There are fixes for the Batchfile, C++, Docker, JavaScript, Kotlin, Perl, PowerShell, Ruby, Rust and Velocity lexers. Enjoy!

3.24.0

This release has two new lexers: one for e-mails (yes, I am aware it is only me that spells it that way) and one for J (why not another language starting with J?). There's also fixes for the Apex, HTTP, Janet, JavaScript and Rust lexers. And on top of all of that, there are some improvements to Rouge itself, including a new CLI debug command and a line highlighting option.

Thanks to everyone who contributed bug reports and pull requests. Stay safe and lex responsibly!

3.23.0

This release has two new lexers: one for PostScript and one for systemd unit files. There's also fixes for the Kotlin, Ruby and Rust lexers. Thanks to all the contributors who help make Rouge better. Don't forget to wear a mask!

3.22.0

This is a small release with just one update: a major rewrite of the PHP lexer. Hopefully the improved level of detail makes your PHP code look prettier but do report any issues you find with it!

3.21.0

This release has three new lexers, one for BrightScript, one for Janet and one for SSH Config. There's also fixes for the Batchfile, C++, Jinja, Perl, PowerShell, Rego, Sass, SCSS and Twig lexers. Happy highlighting!

3.20.0

We've got some new lexers again! This release includes lexers for Augeas, BibTeX, HLSL, LiveScript, Velocity and Zig. On top of that, we have fixes for the C++, Diff, Haskell, HTML, JavaScript, JSX, OpenType Feature File, PowerShell, TSX and TypeScript lexers.

I'd like to especially call out @lkinasiewicz for the LiveScript lexer. This was originally submitted back in 2017 and it's great to have it finally part of Rouge! The backlog of outstanding PRs is still too long but we are slowly making progress. As I like to say: forward, not backward; upward, not forward; and always twirling, twirling, twirling towards freedom!

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

2.3.2 (from changelog)

• A "dummy" release to warn about breaking changes coming in version 3.0. This updated version uses the Gem post_install_message instead of printing to STDERR.

2.3.1

This is a "dummy" release to warn about breaking changes coming in version 3.0.

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 38 commits:

• Move to version `2.4.1` due to clash with `2.4`.
• Opt-in for MFA requirement explicitly on 2.4
• Make sure version number is 2.4.0.
• Bump version and Changelog for release.
• Update actions with latest rubies.
• Update actions dependencies.
• Update earliest Ruby version for MacOS builds in CI.
• Suppress "literal string will be frozen in the future" warning
• Fix setting and restoring `RUBYZIP_V3_API_WARN` in tests.
• Improve version 3 API messages.
• Fix deprecation in Entry#get_input_stream
• Fix `File#write_buffer` to always return the given `io`
• Bump version, Changelog and README for release.
• Ensure compatibility with `--enable-frozen-string-literal`
• Add `DOSTime` to the post_install message.
• Ensure `File.open_buffer` doesn't rewrite unchanged data.
• Handle the `extract` methods in `Entry` and `File`.
• Add `DOSTime#<=>` and a warning message to `DOSTime#dos_equals`.
• Add warning messages to `File#get_output_stream`.
• Add warning messages to the `File` class methods.
• Update gemspec.
• Remove Coveralls/Simplecov from this branch.
• Add warning messages to `InputStream.open`.
• Add warning messages to deprectated methods.
• Update rubocop fails.
• Minor updates to the Actions workflow.
• Update File.split API to allow v3.0 calling style.
• Add a warning when run on Ruby < 3.0.
• Add warning message (and tests) to OutputStream.
• Add warning message to InputStream.
• Add a switchable warning message re the v3 API.
• Update Entry#new API to allow v3.0 calling style.
• Update InputStream API to allow v3.0 calling style.
• Update OutputStream API to allow v3.0 calling style.
• Switch to GitHub Actions on the `2.3.2` branch.
• Move to using a post install message for 3.0 warning.
• Print banner text re v3.0.0 when `zip` is required.
• Bump version number and Changelog.

0.9.3

What's Changed

• Use https in Gemfile source by @gecunps in #76
• CI: Tell dependabot to update GH Actions by @olleolleolle in #77
• Bump actions/checkout from 4 to 5 by @dependabot[bot] in #78
• Rakefile: add Bundler gem tasks by @olleolleolle in #80

New Contributors

• @gecunps made their first contribution in #76
• @olleolleolle made their first contribution in #77
• @dependabot[bot] made their first contribution in #78

Full Changelog: v0.9.2...v0.9.3

0.9.1

What's Changed

• Specify correct minimal Faraday version by @skryukov in #73

New Contributors

• @skryukov made their first contribution in #73

Full Changelog: v0.9.0...v0.9.1

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 20 commits:

• Merge pull request #80 from lostisland/add-bundle-gem-tasks-to-rakefile
• Rakefile: add Bundler gem tasks
• Version bump to 0.9.3
• Fix agent_test.rb
• Create publish.yml
• Merge pull request #78 from lostisland/dependabot/github_actions/actions/checkout-5
• Bump actions/checkout from 4 to 5
• Merge pull request #77 from lostisland/ci-gh-actions-update
• CI: Tell dependabot to update GH Actions
• Merge pull request #76 from gecunps/master
• Use https
• CI: Use actions/checkout@v4
• Release 0.9.2
• Version bump to 0.9.2
• Add `dig` and `fetch` to `Sawyer::Resource` (#74)
• Version bump to 0.9.1
• Specify correct minimal Faraday version (#73)
• Version bump to 0.9.0
• Enhance Faraday Support (#72)
• Allow closing underlying connection. (#67)

1.5.0 (from changelog)

Full Changelog

• Update gemspec with metadata and remove extra files from the bundled gem. (Felipe Mesquita, #734)
• Require Ruby 2.6+ and simplify Gemfile. (Felipe Mesquita, #733)
• Add support for URI objects in Typhoeus.stub(). (Katelyn Schiesser, #732)
• Add explicit require for logger and ostruct gems for Ruby 3.5+ compatibility. (Felipe Mesquita, #729)
• Add Ruby 3.4 to CI matrix. (y-yagi, #728)
• Support curl 8.9 error message changes in tests. (Mamoru TASAKA, #724)
• Add Ruby 3.2 and 3.3 to CI, drop Ruby 2.5, lock ethon < 0.16.0. (y-yagi, #716)
• Fix typo in comment: "reponse" → "response". (George Brocklehurst, #700)

1.4.0 (from changelog)

Full Changelog

1 feature

• Faraday adapter exceptions namespace compatibility with Faraday v1 (@iMacTia in #616)

3 Others

• Yard warning fixes (@olleolleolle in #622)
• Add more Ruby versions in CI matrix (@olleolleolle in #623)
• Use of argument passed in function instead of attr_reader (@v-kolesnikov in #625)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

🚨 TZInfo relative path traversal vulnerability allows loading of arbitrary files

Impact

Affected versions

• 0.3.60 and earlier.
• 1.0.0 to 1.2.9 when used with the Ruby data source (tzinfo-data).

Vulnerability

With the Ruby data source (the tzinfo-data gem for tzinfo version 1.0.0 and later and built-in to earlier versions), time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process.

For example, with version 1.2.9, you can run the following to load a file with path /tmp/payload.rb:

TZInfo::Timezone.get("foo\n/../../../../../../../../../../../../../../../../tmp/payload")

The exact number of parent directory traversals needed will vary depending on the location of the tzinfo-data gem.

TZInfo versions 1.2.6 to 1.2.9 can be made to load files from outside of the Ruby load path. Versions up to and including 1.2.5 can only be made to load files from directories within the load path.

This could be exploited in, for example, a Ruby on Rails application using tzinfo version 1.2.9, that allows file uploads and has a time zone selector that accepts arbitrary time zone identifiers. The CVSS score and severity have been set on this basis.

Versions 2.0.0 and later are not vulnerable.

Patches

Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers (commit 9eddbb5 for 0.3.x and commit 9905ca9 for 1.2.x).

Note that version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. For example if /tmp/upload was in the load path, then TZInfo::Timezone.get('foo') could load a file with path /tmp/upload/tzinfo/definition/foo.rb. Applications should ensure that untrusted files are not placed in a directory on the load path.

Workarounds

As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.

For more information

If you have any questions or comments about this advisory:

• Open an issue in the tzinfo repository.

2.0.6

• Eliminate Object#untaint deprecation warnings on JRuby 9.4.0.0. #145.

TZInfo v2.0.6 on RubyGems.org

2.0.5

• Changed DateTime results to always use the proleptic Gregorian calendar. This affects DateTime results prior to 1582-10-15 and any arithmetic performed on the results that would produce a secondary result prior to 1582-10-15.
• Added support for eager loading all the time zone and country data by calling either TZInfo::DataSource#eager_load! or TZInfo.eager_load!. Compatible with Ruby On Rails' eager_load_namespaces. #129.
• Ignore the SECURITY file from Arch Linux's tzdata package. #134.

TZInfo v2.0.5 on RubyGems.org

2.0.4

• Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

TZInfo v2.0.4 on RubyGems.org

2.0.3

• Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. #120.
• Fixed TimeWithOffset#getlocal returning a TimeWithOffset with the timezone_offset still assigned when called with an offset argument on JRuby 9.3.
• Rubinius is no longer supported.

TZInfo v2.0.3 on RubyGems.org

2.0.2

• Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
• Fixed warnings when running on Ruby 2.8. #113.

TZInfo v2.0.2 on RubyGems.org

2.0.1

• Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode. #100.
• Fixed warnings when running on Ruby 2.7. #109.
• Add a TZInfo::Timezone#=~ method that performs a regex match on the time zone identifier. #99.
• Add a TZInfo::Country#=~ method that performs a regex match on the country code.

TZInfo v2.0.1 on RubyGems.org

2.0.0

Added

• to_local and period_for instance methods have been added to TZInfo::Timezone. These are similar to utc_to_local and period_for_utc, but take the UTC offset of the given time into account.
• abbreviation, dst?, base_utc_offset and observed_utc_offset instance methods have been added to TZInfo::Timezone, returning the abbreviation, whether daylight savings time is in effect and the UTC offset of the time zone at a specified time.
• A TZInfo::Timestamp class has been added. It can be used with TZInfo::Timezone in place of a Time or DateTime.
• local_time, local_datetime and local_timestamp instance methods have been added to TZInfo::Timezone. These methods construct local Time, DateTime and TZInfo::Timestamp instances with the correct UTC offset and abbreviation for the time zone.
• Support for a (yet to be released) version 2 of tzinfo-data has been added, in addition to support for version 1. The new version will remove the (no longer needed) DateTime parameters from transition times, reduce memory consumption and improve the efficiency of loading timezone and country indexes.
• A TZInfo::VERSION constant has been added, indicating the TZInfo version number.

Changed

• The minimum supported Ruby versions are now Ruby MRI 1.9.3, JRuby 1.7 (in 1.9 or later mode) and Rubinius 3.
• Local times are now returned using the correct UTC offset (instead of using UTC). #49 and #52.
• Local times are returned as instances of TimeWithOffset, DateTimeWithOffset or TZInfo::TimestampWithOffset. These classes subclass Time, DateTime and TZInfo::Timestamp respectively. They override the default behaviour of the base classes to return information about the observed offset at the indicated time. For example, the zone abbreviation is returned when using the %Z directive with strftime.
• The transitions_up_to, offsets_up_to and strftime instance methods of TZInfo::Timezone now take the UTC offsets of given times into account (instead of ignoring them as was previously the case).
• The TZInfo::TimezonePeriod class has been split into two subclasses: TZInfo::OffsetTimezonePeriod and TZInfo::TransitionsTimezonePeriod. TZInfo::OffsetTimezonePeriod is returned for time zones that only have a single offset. TZInfo::TransitionsTimezonePeriod is returned for periods that start or end with a transition.
• TZInfo::TimezoneOffset#abbreviation, TZInfo::TimezonePeriod#abbreviation and TZInfo::TimezonePeriod#zone_identifier now return frozen String instances instead of instances of Symbol.
• The utc_offset and utc_total_offset attributes of TZInfo::TimezonePeriod and TZInfo::TimezoneOffset have been renamed base_utc_offset and observed_utc_offset respectively. The former names have been retained as aliases.
• TZInfo::Timezone.get, TZInfo::Timezone.get_proxy and TZInfo::Country.get can now be used with strings having any encoding. Previously, only encodings that are directly comparable with UTF-8 were supported.
• The requested identifier is included in TZInfo::InvalidTimezoneIdentifier exception messages.
• The requested country code is included in TZInfo::InvalidCountryCode exception messages.
• The full range of transitions is now loaded from zoneinfo files. Zoneinfo files produced with version 2014c of the zic tool contain an initial transition 2**63 seconds before the epoch. Zoneinfo files produced with version 2014d or later of zic contain an initial transition 2**59 seconds before the epoch. These transitions would previously have been ignored, but are now returned in methods such as TZInfo::Timezone#transitions_up_to.
• The TZInfo::RubyDataSource and TZInfo::ZoneinfoDataSource classes have been moved into a new TZInfo::DataSources module. Code that is setting TZInfo::ZoneinfoDataSource.search_path or TZInfo::ZoneinfoDataSource.alternate_iso3166_tab_search_path will need to be updated accordingly.
• The TZInfo::InvalidZoneinfoDirectory and TZInfo::ZoneinfoDirectoryNotFound exception classes raised by TZInfo::DataSources::ZoneinfoDataSource have been moved into the TZInfo::DataSources module.
• Setting the data source to :ruby or instantiating TZInfo::DataSources::RubyDataSource will now immediately raise a TZInfo::DataSources::TZInfoDataNotFound exception if require 'tzinfo/data' fails. Previously, a failure would only occur later when accessing an index or loading a timezone or country.
• The DEFAULT_SEARCH_PATH and DEFAULT_ALTERNATE_ISO3166_TAB_SEARCH_PATH constants of TZInfo::DataSources::ZoneinfoDataSource have been made private.
• The TZInfo::Country.data_source, TZInfo::DataSource.create_default_data_source, TZInfo::DataSources::ZoneinfoDataSource.process_search_path, TZInfo::Timezone.get_proxies and TZInfo::Timezone.data_source methods have been made private.
• The performance of loading zoneinfo files and the associated indexes has been improved.
• Memory use has been decreased by deduplicating String instances when loading country and time zone data.
• The dependency on the deprecated thread_safe gem as been removed and replaced by concurrent-ruby.
• The Info classes used to return time zone and country information from TZInfo::DataSource implementations have been moved into the TZInfo::DataSources module.
• The TZInfo::TransitionDataTimezoneInfo class has been removed and replaced with TZInfo::DataSources::TransitionsDataTimezoneInfo and TZInfo::DataSources::ConstantOffsetDataTimezoneInfo. TZInfo::DataSources::TransitionsDataTimezoneInfo is constructed with an Array of TZInfo::TimezoneTransition instances representing times when the offset changes. TZInfo::DataSources::ConstantOffsetDataTimezoneInfo is constructed with a TZInfo::TimezoneOffset instance representing the offset constantly observed in a time zone.
• The TZInfo::DataSource#timezone_identifiers method should no longer be overridden in custom data source implementations. The implementation in the base class now calculates a result from TZInfo::DataSource#data_timezone_identifiers and TZInfo::DataSource#linked_timezone_identifiers.
• The results of the TZInfo::DataSources::RubyDataSource to_s and inspect methods now include the time zone database and tzinfo-data versions.

Removed

• Methods of TZInfo::Timezone that accept time arguments no longer allow Integer timestamp values. Time, DateTime or TZInfo::Timestamp values or objects that respond to to_i, subsec and optionally utc_offset must be used instead.
• The %:::z format directive can now only be used with TZInfo::Timezone#strftime if it is supported by Time#strftime on the runtime platform.
• Using TZInfo::Timezone.new(identifier) and TZInfo::Country.new(code) to obtain a specific TZInfo::Timezone or TZInfo::Country will no longer work. TZInfo::Timezone.get(identifier) and TZInfo::Country.get(code) should be used instead.
• The TZInfo::TimeOrDateTime class has been removed.
• The valid_for_utc?, utc_after_start?, utc_before_end?, valid_for_local?, local_after_start? and local_before_end? instance methods of TZInfo::TimezonePeriod have been removed. Comparisons can be performed with the results of the starts_at, ends_at, local_starts_at and local_ends_at methods instead.
• The to_local and to_utc instance methods of TZInfo::TimezonePeriod and TZInfo::TimezoneOffset have been removed. Conversions should be performed using the TZInfo::Timezone class instead.
• The TZInfo::TimezonePeriod#utc_total_offset_rational method has been removed. Equivalent information can be obtained using the TZInfo::TimezonePeriod#observed_utc_offset method.
• The datetime, time, local_end, local_end_time, local_start and local_start_time instance methods of TZInfo::TimezoneTransition have been removed. The at, local_end_at and local_start_at methods should be used instead and the result (a TZInfo::TimestampWithOffset) converted to either a DateTime or Time by calling to_datetime or to_time on the result.
• The us_zones and us_zone_identifiers class methods of TZInfo::Timezone have been removed. TZInfo::Country.get('US').zones and TZInfo::Country.get('US').zone_identifiers should be used instead.

TZInfo v2.0.0 on RubyGems.org

1.2.11

• Eliminate Object#untaint deprecation warnings on JRuby 9.4.0.0. #145.

TZInfo v1.2.11 on RubyGems.org

1.2.10

• Fixed a relative path traversal bug that could cause arbitrary files to be loaded with require when used with RubyDataSource. Please refer to
  GHSA-5cm2-9h8c-rvfx for details. CVE-2022-31163.
• Ignore the SECURITY file from Arch Linux's tzdata package. #134.

TZInfo v1.2.10 on RubyGems.org

1.2.9

• Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

TZInfo v1.2.9 on RubyGems.org

1.2.8

• Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
• Rubinius is no longer supported.

TZInfo v1.2.8 on RubyGems.org

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by more commits than we can show here.

1.8.0 (from changelog)

• Unicode 14.0 (last release of 1.x)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 4 commits:

• Release v1.8.0
• Update CHANGELOG
• Update Unicode version number
• Unicode 14.0

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.