🚨 [security] Update activesupport 4.2.11.1 β†’ 8.1.2.1 (major)

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ activesupport (indirect, 4.2.11.1 β†’ 8.1.2.1) Β· Repo Β· Changelog

Security Advisories 🚨

🚨 Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Impact

SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Impact

NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Impact

NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Impact

SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Impact

SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible DoS vulnerability in its number helpers

Impact

Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible DoS vulnerability in its number helpers

Impact

Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Impact

NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.

Releases

The fixed releases are available at the normal locations.

🚨 Rails Active Support has a possible DoS vulnerability in its number helpers

Impact

Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.

Releases

The fixed releases are available at the normal locations.

🚨 Active Support Possibly Discloses Locally Encrypted Files

There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5

Impact

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

To work around this issue, you can set your umask to be more restrictive like this:

$ umask 0077

🚨 Active Support Possibly Discloses Locally Encrypted Files

There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037.

Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5

Impact

ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

To work around this issue, you can set your umask to be more restrictive like this:

$ umask 0077

🚨 Possible XSS Security Vulnerability in SafeBuffer#bytesplice

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
This vulnerability has been assigned the CVE identifier CVE-2023-28120.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3

Impact

ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized.
When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe.

Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation.
Users on older versions of Ruby are likely unaffected.

All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.

Workarounds

Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.

🚨 Possible XSS Security Vulnerability in SafeBuffer#bytesplice

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
This vulnerability has been assigned the CVE identifier CVE-2023-28120.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3

Impact

ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized.
When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe.

Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation.
Users on older versions of Ruby are likely unaffected.

All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.

Workarounds

Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.

🚨 ReDoS based DoS vulnerability in Active Support's underscore

There is a possible regular expression based DoS vulnerability in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-22796.

Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem), 6.1.7.1, 7.0.4.1
Impact

A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

This affects String#underscore, ActiveSupport::Inflector.underscore, String#titleize, and any other methods using these.

All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.

Users on Ruby 3.2.0 or greater may be able to reduce the impact by configuring Regexp.timeout.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

6-1-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 6.1 series
7-0-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

🚨 ReDoS based DoS vulnerability in Active Support's underscore

There is a possible regular expression based DoS vulnerability in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-22796.

Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem), 6.1.7.1, 7.0.4.1
Impact

A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

This affects String#underscore, ActiveSupport::Inflector.underscore, String#titleize, and any other methods using these.

All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases

The FIXED releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.

Users on Ruby 3.2.0 or greater may be able to reduce the impact by configuring Regexp.timeout.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

6-1-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 6.1 series
7-0-Avoid-regex-backtracking-in-Inflector.underscore.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

🚨 ActiveSupport potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

In ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the raw: true parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:

data = cache.fetch("demo", raw: true) { untrusted_string }

Versions Affected: rails < 5.2.5, rails < 6.0.4
Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the raw option when storing untrusted user input.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.
In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling Rails.cache.fetch they are using consistent values of the raw parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.

Workarounds

It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
the raw argument should be double-checked to ensure that they conform to the expected format.

🚨 ActiveSupport potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

In ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the raw: true parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:

data = cache.fetch("demo", raw: true) { untrusted_string }

Versions Affected: rails < 5.2.5, rails < 6.0.4
Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the raw option when storing untrusted user input.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.
In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling Rails.cache.fetch they are using consistent values of the raw parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.

Workarounds

It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
the raw argument should be double-checked to ensure that they conform to the expected format.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 5 commits:

✳️ github-pages (200 β†’ 232) Β· Repo

Release Notes

Too many releases to show here. View the full release notes.

Sorry, we couldn’t find anything useful about this release.

✳️ html-proofer (3.11.1 β†’ 5.2.0) Β· Repo Β· Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ addressable (indirect, 2.7.0 β†’ 2.8.9) Β· Repo Β· Changelog

Security Advisories 🚨

🚨 Regular Expression Denial of Service in Addressable templates

Impact

Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.

Patches

The vulnerability was introduced in version 2.3.0 (previously yanked) and has been present in all subsequent versions up to, and including, 2.7.0. It is fixed in version 2.8.0.

Workarounds

The vulnerability can be avoided by only creating Template objects from trusted sources that have been validated not to produce catastrophic backtracking.

References

For more information

If you have any questions or comments about this advisory:

Release Notes

2.8.9 (from changelog)

  • Reduce gem size by excluding test files (#569)
  • No need for bundler as development dependency (#571, 5fc1d93)
  • idna/pure: stop building the useless COMPOSITION_TABLE (removes the Addressable::IDNA::COMPOSITION_TABLE constant) (#564)

2.8.8 (from changelog)

  • Replace the unicode.data blob by a ruby constant (#561)
  • Allow public_suffix 7 (#558)

2.8.7 (from changelog)

  • Allow public_suffix 6 (#535)

2.8.6 (from changelog)

  • Memoize regexps for common character classes (#524)

2.8.5 (from changelog)

  • Fix thread safety issue with encoding tables (#515)
  • Define URI::NONE as a module to avoid serialization issues (#509)
  • Fix YAML serialization (#508)

2.8.4 (from changelog)

  • Restore Addressable::IDNA.unicode_normalize_kc as a deprecated method (#504)

2.8.3 (from changelog)

  • Fix template expand level 2 hash support for non-string objects (#499, #498)

2.8.2 (from changelog)

  • Improve cache hits and JIT friendliness (#486)
  • Improve code style and test coverage (#482)
  • Ensure reset of deferred validation (#481)
  • Resolve normalization differences between IDNA::Native and IDNA::Pure (#408, #492)
  • Remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438) (accidentally reverted by #449 merge but added back in #492)

2.8.1 (from changelog)

  • refactor Addressable::URI.normalize_path to address linter offenses (#430)
  • remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438)
  • update gemspec to reflect supported Ruby versions (#466, #464, #463)
  • compatibility w/ public_suffix 5.x (#466, #465, #460)
  • fixes "invalid byte sequence in UTF-8" exception when unencoding URLs containing non UTF-8 characters (#459)
  • Ractor compatibility (#449)
  • use the whole string instead of a single line for template match (#431)
  • force UTF-8 encoding only if needed (#341)

2.8.0 (from changelog)

  • fixes ReDoS vulnerability in Addressable::Template#match
  • no longer replaces + with spaces in queries for non-http(s) schemes
  • fixed encoding ipv6 literals
  • the :compacted flag for normalized_query now dedupes parameters
  • fix broken escape_component alias
  • dropping support for Ruby 2.0 and 2.1
  • adding Ruby 3.0 compatibility for development tasks
  • drop support for rack-mount and remove Addressable::Template#generate
  • performance improvements
  • switch CI/CD to GitHub Actions

Does any of this look wrong? Please let us know.

↗️ coffee-script-source (indirect, 1.11.1 β†’ 1.12.2) Β· Repo

Sorry, we couldn’t find anything useful about this release.

↗️ commonmarker (indirect, 0.17.13 β†’ 0.23.12) Β· Repo Β· Changelog

Security Advisories 🚨

🚨 Several quadratic complexity bugs may lead to denial of service in Commonmarker

Impact

Several quadratic complexity bugs in commonmarker's underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

For more information, consult the release notes for version 0.29.0.gfm.12.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.10.

🚨 Commonmarker vulnerable to to several quadratic complexity bugs that may lead to denial of service

Impact

Several quadratic complexity bugs in commonmarker's underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

For more information, consult the release notes for version 0.23.0.gfm.10 and 0.23.0.gfm.11.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.9.

🚨 Several quadratic complexity bugs may lead to denial of service in Commonmarker

Impact

Several quadratic complexity bugs in commonmarker's underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

For more information, consult the release notes for version 0.23.0.gfm.7.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.7.

🚨 Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service

Impact

CommonMarker uses cmark-gfm for rendering Github Flavored Markdown. A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.

Patches

This vulnerability has been patched in the following CommonMarker release:

  • v0.23.6

Workarounds

Disable use of the autolink extension.

References

#190
GHSA-cgh3-p57x-9q7q
https://en.wikipedia.org/wiki/Time_complexity

For more information

If you have any questions or comments about this advisory:

Acknowledgements

We would like to thank Legit Security for reporting this vulnerability.

🚨 Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption

Impact

CommonMarker uses cmark-gfm for rendering Github Flavored Markdown. An integer overflow in cmark-gfm's table row parsing may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution.

If affected versions of CommonMarker are used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE).

Patches

This vulnerability has been patched in the following CommonMarker release:

  • v0.23.4

Workarounds

The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling any use of the table extension will prevent this vulnerability from being triggered.

References

Acknowledgements

We would like to thank Felix Wilhelm of Google's Project Zero for reporting this vulnerability

For more information

If you have any questions or comments about this advisory:

Release Notes

0.23.12

Full Changelog: v0.23.11...v0.23.12

0.23.11

What's Changed

New Contributors

Full Changelog: v0.23.10...v0.23.11

0.23.10

What's Changed

Full Changelog: v0.23.9...v0.23.10

0.23.9

What's Changed

Full Changelog: v0.23.8...v0.23.9

0.23.8

What's Changed

New Contributors

Full Changelog: v0.23.7...v0.23.8

0.23.7

What's Changed

Full Changelog: v0.23.6...v0.23.7

0.23.6

What's Changed

This release includes two updates from the upstream cmark-gfm library, namely:

0.22.0

  • Drop ruby-enum (#140)

0.21.0

  • Add support for tasklist_item_checked=: #116

0.19.0

  • Support tasklists: #94
  • Indicate the context of a parse/render option error: #97

0.18.0

  • Default to being safe: #81

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.1.5 β†’ 1.3.6) Β· Repo Β· Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ dnsruby (indirect, 1.61.3 β†’ 1.73.1) Β· Repo

Sorry, we couldn’t find anything useful about this release.

↗️ em-websocket (indirect, 0.5.1 β†’ 0.5.3) Β· Repo Β· Changelog

Commits

See the full diff on Github. The new version differs by 24 commits:

↗️ ethon (indirect, 0.12.0 β†’ 0.18.0) Β· Repo Β· Changelog

Release Notes

0.18.0 (from changelog)

Full Changelog

0.17.0 (from changelog)

Full Changelog

0.15.0 (from changelog)

Full Changelog

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ execjs (indirect, 2.7.0 β†’ 2.10.0) Β· Repo

Release Notes

2.8.1

  • Wait for STDOUT to be flushed before exiting the node runtime

2.8.0

  • Fix Ruby 3.0 compatibility on Windows
  • Undefine console, process and other globals. See #43
  • Removed the RubyRacer runtime as it is no longer maintained and broken on recent rubies.
  • Node runtime look for node before nodejs.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ faraday (indirect, 0.16.2 β†’ 2.14.1) Β· Repo Β· Changelog

Security Advisories 🚨

🚨 Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

Impact

Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's
URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,
protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references
that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(),
post(), build_url(), or other request methods, an attacker can supply a
protocol-relative URL like //attacker.com/endpoint to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).

The ./ prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with
/, so protocol-relative URLs bypass it entirely.

Example:

conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com

Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

Workarounds

NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.

Applications should validate and sanitize any user-controlled input before passing it to
Faraday request methods. Specifically:

  • Reject or strip input that starts with // followed by a non-/ character
  • Use an allowlist of permitted path prefixes
  • Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday

Example validation:

def safe_path(user_input)
  raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]})
  user_input
end

🚨 Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

Impact

Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's
URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,
protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references
that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(),
post(), build_url(), or other request methods, an attacker can supply a
protocol-relative URL like //attacker.com/endpoint to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).

The ./ prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with
/, so protocol-relative URLs bypass it entirely.

Example:

conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com

Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

Workarounds

NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.

Applications should validate and sanitize any user-controlled input before passing it to
Faraday request methods. Specifically:

  • Reject or strip input that starts with // followed by a non-/ character
  • Use an allowlist of permitted path prefixes
  • Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday

Example validation:

def safe_path(user_input)
  raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]})
  user_input
end
Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ffi (indirect, 1.11.1 β†’ 1.17.3) Β· Repo Β· Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ gemoji (indirect, 3.0.1 β†’ 4.1.0) Β· Repo

Release Notes

4.1.0

What's Changed

  • Import Emoji 15.0 characters by @mislav in #261
  • Support skin tones for πŸ§‘β€πŸ€β€πŸ§‘ emoji by @mislav in #262

Full Changelog: v4.0.1...v4.1.0

4.0.1

What's Changed

New Contributors

Full Changelog: v4.0.0...v4.0.1

4.0.0

What's New

Warning
See the v4.0.0.pre0 release notes for the list of breaking changes since gemoji v3.x.

  • Add skin tones support by @mislav in #165 ✌🏻✌🏼✌🏽✌🏾✌🏿

    • Emoji.find_by_unicode() now recognizes emoji sequences with skin tone modifiers.
    • Emoji::Character#skin_tones? returns true when an emoji supports skin tone modifiers.
    • Emoji::Character#raw_skin_tone_variants generates a list of all 5 skin tone variants for an emoji.

  • Import Emoji 13.0 characters by @chvp in #173

  • Import Emoji 13.1 characters by @franciscorode in #209

  • Import Emoji 14.0 characters by @kardeslik in #244

What's Changed

New Contributors

Full Changelog: v4.0.0.pre0...v4.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ github-pages-health-check (indirect, 1.16.1 β†’ 1.18.2) Β· Repo

Release Notes

1.18.2

octokit upgrade

1.18.1

  • Updates Cloudflare IPs to latest output of script/update-cloudflare-ips
  • Add _ domain name validation

1.17.9

What's Changed

  • Fix IPv6 support (AAAA records validation) in #140

Full Changelog: v1.17.8...v1.17.9

1.17.8

What's Changed

Full Changelog: v1.17.7...v1.17.8

1.17.6

  • Query DNS to Determine Apex Domains

1.17.2

Allows for non-200 requests to satisfy served_by_pages? if the response still looks like it was served by GitHub.

1.17.1

Update Cloudflare IPs.

1.17.0

  • Fix CI which is broken on master #115 (by @kytrinyx)
  • Silence warnings triggered by Ruby 2.7 #116 (by @kytrinyx)
  • Update dependencies to be compatible with Ruby 2.7 #117 (by @kytrinyx)
  • Update dotenv requirement from ~> 1.0 to ~> 2.7 #120 (dependabot)
  • Update gem-release requirement from ~> 0.7 to ~> 2.1 #119 (dependabot)
  • Update webmock requirement from ~> 1.21 to ~> 3.8 #118 (dependabot)
  • Upgrade to Ruby 2.7 & incorporate a Dockerfile #121 (by @parkr & @MarkTiedemann)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ html-pipeline (indirect, 2.12.0 β†’ 2.14.3) Β· Repo Β· Changelog

Release Notes

2.14.0

  • Make Rinku configurable: #335

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 54 commits:

↗️ http_parser.rb (indirect, 0.6.0 β†’ 0.8.1) Β· Repo

Commits

See the full diff on Github. The new version differs by 69 commits:

↗️ i18n (indirect, 0.9.5 β†’ 1.14.8) Β· Repo Β· Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll (indirect, 3.8.5 β†’ 3.10.0) Β· Repo Β· Changelog

Release Notes

3.10.0 (from changelog)

Minor Enhancements

  • Backport add-csv-dependency from #9522 to Jekyll 3 (#9616)
  • 3.10-stable: Add webrick as a dependency (#9620)

3.9.4

Bug Fixes

  • Backport #9392 for v3.9.x: Add support for Ruby 3.3 Logger (#9513)

3.9.3

Bug Fixes

  • 3.9.x: Support i18n 1.x (#9269)
  • Backport #8880 for v3.9.x: Support both tzinfo v1 and v2 alongwith
    non-half hour offsets (#9280)

Development Fixes

  • v3.9.x: test under Ruby 3.2 #9272)
  • v3.9.x: fix rdiscount test (#9277)

3.9.2

Bug Fixes

  • Lock http_parser.rb gem to v0.6.x on JRuby (#8943)
  • Backport #8756 for v3.9.x: Respect collections_dir config within include tag (#8795)
  • Backport #8965 for v3.9.x: Fix response header for content served via jekyll serve (#8976)

Development Fixes

  • Update and fix CI for 3.9-stable on Ruby 3.x (#8942)
  • Fix CI for commits to 3.9-stable branch (#8788)

3.9.1

Bug Fixes

  • Backport #8618 for v3.9.x: Update include tag to be more permissive (#8629)

3.9.0

Minor Enhancements

  • Allow use of kramdown v2 (#8322)
  • Add default language for kramdown syntax highlighting (#8325)

3.8.7

Fixes

  • Prevent console warnings with Ruby 2.7 (#7948)

3.8.6

Bug Fixes

  • Update log output for an invalid theme directory (#7734)
  • Memoize SiteDrop#documents to reduce allocations (#7722)
  • Excerpt handling of custom and intermediate tags (#7467)
  • Escape valid special chars in a site's path name (#7573)
  • Revert memoizing Site#docs_to_write and refactor #documents (#7689)
  • Fix broken include_relative usage in excerpt (#7690)
  • Install platform-specific gems as required (3c06609)

Security Fixes

  • Theme gems: ensure directories aren't symlinks (#7424)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-avatar (indirect, 0.6.0 β†’ 0.8.0) Β· Repo Β· Changelog

Release Notes

0.8.0

0.8.0 / 2022-04-15

Minor Enhancements

  • Use Kernel#format to render <img /> HTML tag (#46)
  • Check if username and size matches a pattern once (#48)

Bug Fixes

  • Reduce allocations from computing username (#44)
  • Stringify keys of :attributes hash (#42)
  • Parse tag markup once per instance (#40)
  • Compute :srcset with an array of integer strings (#43)
  • Assign string values for attributes (#47)
  • Parse only custom-host provided through ENV (#45)

Development Fixes

  • Profile memory usage from rendering avatars (#41)
  • Bundle only relevant files in the gem (#50)
  • Upgrade to GitHub-native Dependabot (#52)
  • Remove redundant specifications (#56)
  • Improve context in workflow job names (#57)
  • Remove @benbalter-specific community health files (#58)
  • Update gem specification (#60)
  • Add workflow to release gem via GH Actions (#63)

Documentation

  • Fix typo in README.md (#62)

0.7.0

What's Changed

  • Update rubocop-jekyll requirement from ~> 0.9.0 to ~> 0.10.0 (#38) @dependabot-preview
  • Cache parsed host url to reduce allocations (#36) @ashmaroli
  • Avoid unnecessary allocations for empty strings (#34) @ashmaroli
  • Allow use and testing with Jekyll 4.0 (#32) @ashmaroli
  • Lint with rubocop-jekyll (#33) @ashmaroli
  • Update rake requirement from ~> 10.0 to ~> 12.3 (#22) @dependabot-preview
  • Fix passing username as variable docs in README.md (#20) @chrismytton
  • update readme (#19) @kenman345

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 57 commits:

↗️ jekyll-coffeescript (indirect, 1.1.1 β†’ 1.2.2) Β· Repo Β· Changelog

Release Notes

1.2.2

Bug Fixes

  • Revert jekyll to be just a development_dependency for v1.x.x series.

1.2.1

Bug Fixes

  • Re-introduce Ruby 2.3 support and test Jekyll 3.7+ (#33)

1.2.0

Development Fixes

  • Require Ruby 2.3 (#27)

Major Enhancements

  • style: Target Ruby 2.4 (#31)

Documentation

  • Add essential step to readme (#32)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 26 commits:

↗️ jekyll-commonmark (indirect, 1.3.1 β†’ 1.4.0) Β· Repo Β· Changelog

Release Notes

1.4.0

Minor Enhancements

  • Require at least commonmarker-0.22 (#44)
  • Highlight fenced code-block contents with Rouge (#29)

Bug Fixes

  • Refactor away extra abstractions (#53)

Development Fixes

  • DRY begin-rescue-end block with a private helper (#28)
  • Fix failing CI builds (#33)
  • Remove gemspec dependency on Jekyll (#34)
  • Test rendering with invalid configuration (#27)
  • Refactor to improve readability (#37)
  • Set up Continuous Integration via GH Actions (#46)
  • Clean up gemspec (#47)
  • Add workflow to release gem via GH Actions (#54)

Documentation

  • Update README to link to commonmarker (#38)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 42 commits:

↗️ jekyll-commonmark-ghpages (indirect, 0.1.5 β†’ 0.5.1) Β· Repo

Release Notes

0.5.1

What's Changed

Full Changelog: v0.5.0...v0.5.1

0.5.0

What's Changed

New Contributors

Full Changelog: v0.2.0...v0.5.0

0.2.0

What's Changed

New Contributors

Full Changelog: v0.1.6...v0.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 53 commits:

↗️ jekyll-default-layout (indirect, 0.1.4 β†’ 0.1.5) Β· Repo

Release Notes

0.1.5

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-feed (indirect, 0.11.0 β†’ 0.17.0) Β· Repo Β· Changelog

Release Notes

0.17.0

Documentation

  • Update CI status badge (#363)

Development Fixes

  • Add Ruby 3.1 to the CI matrix (#365)

Minor Enhancements

  • Allow disabling of jekyll-feed while in development (#370)

0.16.0

Minor Enhancements

  • Add support for page.description in front matter to become entry <summary> (#297)

Bug Fixes

  • Fold private methods into the :render method as local variables (#327)
  • Check post.categories instead of post.category (#357)
  • Switched xml_escape for <![CDATA[]]> for post content (#332)

Development Fixes

  • Add Ruby 3.0 to CI (#337)
  • Lock RuboCop to v1.18.x (#348)
  • Add workflow to release gem via GH Action (#355)

Documentation

  • Use .atom extension in documented examples since we write an Atom feed (#359)

0.15.1

Bug Fixes

  • MetaTag: when encoding for XML special characters, handle non-string objects (#326)

0.15.0

Minor Enhancements

  • Add support for drafts (#316)

0.14.0

Minor Enhancements

  • add support for categories (#153) (#233)
  • add support for tags (#264)
  • Make posts limit configurable (#314)
  • XML escape the title field of feed_meta (#306)

Bug Fixes

  • Fix feed link when post title contains HTML (#305)

Development Fixes

  • Use Dir to list source files (#309)
  • Require Ruby >=2.4.0 (#307)

0.13.0

Minor Enhancements

  • Excerpt only flag (#287)
  • Add media:content tag (#290)

Development Fixes

  • test: use categories in post (#249)

0.12.1

  • Release: v0.12.0 (#271)

Bug Fixes

  • Re-introduce Ruby 2.3 support and test Jekyll 3.7+ (#272)

0.12.0

  • Allow Jekyll v4 (still alpha)

Development Fixes

  • style: fix offenses in specs (#248)
  • dev: update CI and style settings (#258)
  • Enable testing for Windows platform (#265)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-github-metadata (indirect, 2.12.1 β†’ 2.16.1) Β· Repo Β· Changelog

Release Notes

2.16.1

Bug Fixes

  • Update references of help.github.com to docs.github.com (#260)

2.16.0

Minor Enhancements

  • Update octokit requirement from ~> 4.0, != 4.4.0 to >= 4, != 4.4.0, < 7 (#243)
  • Prevent loading all GH data on reset (#245)
  • Deprecate unnecessary constant in GitHubMetadata::Client (#239)

Development Fixes

  • Update rspec requirement from ~> 3.11.0 to ~> 3.12.0 (#244)
  • Bump Ruby versions in AppVeyor jobs (#253)
  • Bump rubocop-jekyll to 0.13.0 and fix rubocop issues (#252)

2.15.0

Bug Fixes

  • Inject site.github via :pre_render step rather than :after_init (#238)

Documentation

  • Add GitHub Actions badge and remove Travis one (#236)

2.14.0

Minor Enhancements

  • Use owner name as site title for User and Organization sites. (#197)
  • Add site.github.public_repositories[].releases (#224)
  • Add site.github.public_repositories[].contributors (#234)

Documentation

  • docs: Add dev docs (#212)
  • set PAGES_GITHUB_HOSTNAME to hostname without protocol (#191)
  • Add JEKYLL_ENV limitation for git remote (#185)

Development Fixes

  • Restore log level after running tests that modify it. (#202)
  • Add GitHub Actions CI (#211)
  • Update rubocop-jekyll requirement from ~> 0.5.0 to ~> 0.12.0 (#226)
  • Create dependabot.yml (#225)
  • Add rubocop todo file (#230)
  • Upgrade rspec to 3.11.x (#231)
  • CI: use 'main' branch instead of 'master' (#232)
  • Add release workflow (#235)

New Contributors

Full Changelog: v2.13.0...v2.14.0

2.13.0

Minor Enhancements

  • Lessen Jekyll dependency (#164)
  • Enable support for topics property (#166)
  • Allow detecting archived or disabled repos (#176)

Bug Fixes

  • Conditionally memoize certain private methods in EditLinkTag (#163)
  • Fix faraday connectionfailed issue (#178)
  • MetadataDrop: don't use instance variable to check mutations (#173)

Documentation Fixes

  • List the fields this repo generates for site.github (#171)
  • Use HTML entities to prevent Liquid from processing this documentation (#172)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-mentions (indirect, 1.4.1 β†’ 1.6.0) Β· Repo Β· Changelog

Release Notes

1.6.0

Minor Enhancements

  • Allow configuring base URL in page front matter (#72)
  • Incorporate document data only if it has override (#73)

Development Fixes

  • ci: test against Jekyll 4.0
  • style: target Ruby 2.4
  • ignore vendor/bundle

Bug Fixes

  • Support handling body tag across multiple lines (#70)

1.5.1

Bug Fixes

  • Re-introduce Ruby 2.3 support and test with Jekyll 3.7 and beyond (#69)

1.5.0

Development Fixes

  • Allow Jekyll v4 (still alpha)
  • Drop support for Ruby 2.3
  • chore(deps): rubocop-jekyll 0.3 (#65)
  • Reintroduce style checks (#67)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

↗️ jekyll-optional-front-matter (indirect, 0.3.0 β†’ 0.3.2) Β· Repo Β· Changelog

Release Notes

0.3.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 46 commits:

↗️ jekyll-readme-index (indirect, 0.2.0 β†’ 0.3.0) Β· Repo

Release Notes

0.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 46 commits:

↗️ jekyll-redirect-from (indirect, 0.14.0 β†’ 0.16.0) Β· Repo Β· Changelog

Release Notes

0.16.0

Minor Enhancements

  • Allows generation of redirects.json to be disabled (#207)
  • Allow redirects from and for subclasses of page and document (#204)

Bug Fixes

  • Use Hash#key? instead of Hash#keys.any? (#201)

Development Fixes

  • Target Ruby 2.4
  • Stop testing with backwards-compatible site config (#211)

Documentation

  • Simplifies YAML for redirect_to (#185)

0.15.0

Development Fixes

  • chore(deps): rubocop-jekyll 0.3 (#187)

Bug Fixes

  • Allow testing and using with Jekyll 4.x (#196)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 28 commits:

↗️ jekyll-relative-links (indirect, 0.6.0 β†’ 0.6.1) Β· Repo

Release Notes

0.6.1

Support for Jekyll 4.x

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

↗️ jekyll-remote-theme (indirect, 0.4.0 β†’ 0.4.3) Β· Repo

Release Notes

0.4.3

0.4.2

Jekyll 4.0 support (#61)

0.4.1

  • Update jekyll requirement from ~> 3.5 to >= 3.5, < 5.0 (#54) @dependabot-preview
  • Require rubyzip to version 1.3.0 or later

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 28 commits:

↗️ jekyll-seo-tag (indirect, 2.5.0 β†’ 2.8.0) Β· Repo Β· Changelog

Release Notes

2.8.0

Minor Enhancements

  • Allow to set type for author (#427)
  • Allow setting author.url (#453)
  • Implement Facebook domain verification (#455)
  • Add og:image:alt and twitter:image:alt (#438)
  • Sort JSON-LD data by key (#458)

Bug Fixes

  • Set the default og:type to 'website' (#391)
  • Template: Remove double new line (#454)

Development Fixes

  • Fix typo in source code comment (#449)
  • Set up Continuous Integration via GH Actions (#450)
  • Bump RuboCop to v1.18.x (#452)
  • Add workflow to release gem via GH Actions

2.7.1

Development Fixes

  • refactor: mutate site payload instead of duplicating it (#419)

2.7.0

Minor Enhancements

  • Change pagination message with seo_paginator_message option (#324)
  • Make Twitter Summary Card without having Twitter account (#284)
  • Prefer site.tagline to site.description for page title (#356)
  • Render og:locale meta only when defined explicitly (#388)

Bug Fixes

  • Ensure a single leading @ for twitter usernames (#367)

Development Fixes

  • chore(deps): require Ruby > 2.4.0 EOL
  • test: fix locale specs that use the fallback locale (#360)
  • refactor: Replace read-only empty hash with private constant (#418)
  • refactor: Mutate hash literals instead of duplicating them (#417)
  • refactor: Reduce allocations of instance-agnostic objects (#376)
  • refactor: Memoize #author_hash in SeoTag::AuthorDrop (#342)
  • refactor: simplify conditional in SeoTag::Drop#date_modified (#343)
  • chore(ci): profile seo-tag plugin on a third-party repository (#414)
  • chore(ci): Jekyll v4.0 (#372)
  • chore(ci): test against current stable Ruby 2.5 and 2.7 (#385)
  • style: align with latest jekyll-rubocop (#382)
  • fix: Travis builds for Jekyll 3.x (#415)

Documentation

  • Structured Data Testing Tool is deprecated (#409)
  • Rename Google webmaster tools to Google Search Console (#403)
  • Improve documentation on plugin usage (#399)
  • remove Google+ from example snippet (#358)
  • HTTPS link to https://ogp.me/ (#359)
  • HTTPS links to schema.org (#350)
  • use example.com for example URL (#351)

2.6.1

Development Fixes

  • Test against Jekyll 4.x (#336)

2.6.0

Minor Enhancements

  • Twitter Image and Title (#330)

Bug Fixes

  • Do not cache the drop payload for SeoTag (#306)
  • Update url of schema website (#296)

Development Fixes

  • Relax version constraint on Bundler (#325)
  • chore(ci): Add Ruby 2.6, drop Ruby 2.3 (#326)
  • chore (ci): remove deprecated sudo: false in .travis.yml (#333)
  • Lint Ruby code with rubocop-jekyll gem (#302)
  • chore(deps): bump rubocop-jekyll to v0.4 (#320)
  • chore(deps): bump rubocop-jekyll to v0.3 (#316)
  • Correct RuboCop offenses in spec files (#319)

Documentation

  • Rectify error in Usage documentation (#328)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-sitemap (indirect, 1.2.0 β†’ 1.4.0) Β· Repo Β· Changelog

Release Notes

1.4.0

Minor Enhancements

  • Avoid overwriting an existing robots.txt (#246)

Bug Fixes

  • Simulate last_modified_at injection by plugin (#256)

1.3.1

Bug Fixes

  • Update plugin metadata and dev environment (#244)

Development Fixes

  • Lock requirement for jekyll-last-modified-at to >= 1.0

1.3.0

  • Allow Jekyll v4 (still alpha)

Documentation

  • Add PDF file exclusion documentation (#213)
  • Correct capitalization of GitHub (#207)

Development Fixes

  • Use Ruby 2.3 and Rubocop 0.55 (#214)
  • chore(deps): rubocop-jekyll-0.3 (#227)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 38 commits:

↗️ jekyll-swiss (indirect, 0.4.0 β†’ 1.0.0) Β· Repo

Sorry, we couldn’t find anything useful about this release.

↗️ jekyll-theme-architect (indirect, 0.1.1 β†’ 0.2.0) Β· Repo

Release Notes

0.2.0

  • Add head-custom.html to allow easier customization of the <head> #48

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 26 commits:

↗️ jekyll-theme-cayman (indirect, 0.1.1 β†’ 0.2.0) Β· Repo

Release Notes

0.2.0

  • Add head-custom.html to allow easier customization of the <head> #133

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 45 commits:

↗️ jekyll-theme-dinky (indirect, 0.1.1 β†’ 0.2.0) Β· Repo

Release Notes

0.2.0

  • Add head-custom.html to allow easier customization of the <head> #22

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 21 commits:

↗️ jekyll-theme-hacker (indirect, 0.1.1 β†’ 0.2.0) Β· Repo

Release Notes

0.2.0

  • Add Google Analytics to head-custom.html to allow easier customization of the GA code #79

0.1.2

  • Allow Jekyll v4
  • Return to home on click page title #47
  • Show full header h1 for smaller displays #49

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 39 commits:

↗️ jekyll-theme-leap-day (indirect, 0.1.1 β†’ 0.2.0) Β· Repo

Release Notes

0.2.0

  • Added styled KBD tag, like in primer theme #47 (thanks, @gebeto)
  • Remove 'auto' from padding since it's not a valid padding #57
  • Add head-custom.html to allow easier customization of the <head> #56

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 34 commits:

↗️ jekyll-theme-merlot (indirect, 0.1.1 β†’ 0.2.0) Β· Repo

Release Notes

0.2.0

Add head-custom.html to allow easier customization of the <head> #10

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 19 commits:

↗️ jekyll-theme-midnight (indirect, 0.1.1 β†’ 0.2.0) Β· Repo

Release Notes

0.2.0

  • Add Google Analytics to head-custom.html to allow easier customization of the GA code #37

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 38 commits:

↗️ jekyll-theme-minimal (indirect, 0.1.1 β†’ 0.2.0) Β· Repo

Release Notes

0.2.0

  • Add head-custom.html to allow easier customization of the <head> #119

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 28 commits:

↗️ jekyll-theme-modernist (indirect, 0.1.1 β†’ 0.2.0) Β· Repo

Release Notes

0.2.0

  • Replace linear_gradient with linear-gradient() CSS function #17
  • Add head-custom.html to allow easier customization of the <head> #16

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 27 commits:

↗️ jekyll-theme-primer (indirect, 0.5.3 β†’ 0.6.0) Β· Repo

Release Notes

0.6.0

  • Add head-custom.html to allow easier customization of the #61

0.5.4

  • Update Primer CSS
  • Add default layout to post, page, and home layouts
  • Lessen Jekyll dependency

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 40 commits:

↗️ jekyll-theme-slate (indirect, 0.1.1 β†’ 0.2.0) Β· Repo

Release Notes

0.2.0

  • Add head-custom.html to allow easier customization of the <head> #66
  • Added styled KBD tag, like in primer theme #47 (thanks, @gebeto)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

↗️ jekyll-theme-tactile (indirect, 0.1.1 β†’ 0.2.0) Β· Repo

Release Notes

0.2.0

  • Add head-custom.html to allow easier customization of the <head> #23
  • Fall back code font-family to monospace #21 (thanks @lkslawek)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 24 commits:

↗️ jekyll-theme-time-machine (indirect, 0.1.1 β†’ 0.2.0) Β· Repo

Release Notes

0.2.0

  • Add head-custom.html to allow easier customization of the <head> #22
  • Added styled KBD tag, like in primer theme #13 (thanks @gebeto)
  • Fix show_downloads #16 (thanks @deargle)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

↗️ jekyll-titles-from-headings (indirect, 0.5.1 β†’ 0.5.3) Β· Repo

Release Notes

0.5.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 33 commits:

↗️ jemoji (indirect, 0.10.2 β†’ 0.13.0) Β· Repo Β· Changelog

Release Notes

0.13.0 (from changelog)

Development Fixes

  • Add Actions CI workflow (#127)
  • Add release workflow (#128)
  • Create dependabot config for rubygems upgrades (#126)
  • Add github-actions to dependabot (#132)
  • Bump actions/checkout from 2 to 3 (#133)
  • Upgrade Rubocop target version to 2.7 (#134)
  • Update rake requirement from ~> 12.0 to ~> 13.0 (#130)

Minor Enhancements

  • Update gemoji requirement from ~> 3.0 to >= 3, < 5 & test with both major versions (#131)

0.12.0

Minor Enhancements

  • perf: don't load Gemoji into memory immediately (#106)

Development Fixes

  • deps: Ruby > 2.4 (EOL)
  • ci: test with Ruby 2.7

0.11.1

Bug fix

  • Support handling body tag across multiple lines (#96)

0.11.0

Development fixes

  • Test against Jekyll v4
  • Remove deprecated sudo:false in Travis config

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 41 commits:

↗️ kramdown (indirect, 1.17.0 β†’ 2.4.0) Β· Repo Β· Changelog

Security Advisories 🚨

🚨 Remote code execution in Kramdown

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

🚨 Unintended read access in kramdown gem

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

↗️ liquid (indirect, 4.0.0 β†’ 4.0.4) Β· Repo Β· Changelog

Release Notes

4.0.3 (from changelog)

Fixed

  • Fix break and continue tags inside included templates in loops (#1072) [Justin Li]

4.0.2 (from changelog)

Changed

  • Add where filter (#1026) [Samuel Doiron]
  • Add ParseTreeVisitor to iterate the Liquid AST (#1025) [Stephen Paul Weber]
  • Improve strip_html performance (#1032) [printercu]

Fixed

  • Add error checking for invalid combinations of inputs to sort, sort_natural, where, uniq, map, compact filters (#1059) [Garland Zhang]
  • Validate the character encoding in url_decode (#1070) [Clayton Smith]

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ listen (indirect, 3.1.5 β†’ 3.10.0) Β· Repo Β· Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.4.0 β†’ 2.8.9) Β· Repo Β· Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minima (indirect, 2.5.0 β†’ 2.5.1) Β· Repo Β· Changelog

Release Notes

2.5.1

Minor enhancements

  • Allow use and testing with Jekyll 4.x (#398)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ minitest (indirect, 5.12.2 β†’ 6.0.2) Β· Repo Β· Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.10.4 β†’ 1.19.2) Β· Repo Β· Changelog

Security Advisories 🚨

🚨 Nokogiri does not check the return value from xmlC14NExecute

Summary

Nokogiri's CRuby extension fails to check the return value from xmlC14NExecute in the method Nokogiri::XML::Document#canonicalize and Nokogiri::XML::Node#canonicalize. When canonicalization fails, an empty string is returned instead of raising an exception. This incorrect return value may allow downstream libraries to accept invalid or incomplete canonicalized XML, which has been demonstrated to enable signature validation bypass in SAML libraries.

JRuby is not affected, as the Java implementation correctly raises RuntimeError on canonicalization failure.

Mitigation

Upgrade to Nokogiri >= 1.19.1.

Severity

The maintainers have assessed this as Medium severity. Nokogiri itself is a parsing library without a clear security boundary related to canonicalization, so the direct impact is that a method returns incorrect data on invalid input. However, this behavior was exploited in practice to bypass SAML signature validation in downstream libraries (see References).

Credit

This vulnerability was responsibly reported by HackerOne researcher d4d.

🚨 Nokogiri patches vendored libxml2 to resolve multiple CVEs

Summary

Nokogiri v1.18.9 patches the vendored libxml2 to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796.

Impact and severity

CVE-2025-6021

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae

CVE-2025-6170

A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.

NVD claims a severity of 2.5 Low (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c1

CVE-2025-49794

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.

NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

CVE-2025-49795

A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.

NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/62048278

CVE-2025-49796

A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.

NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

Affected Versions

  • Nokogiri < 1.18.9 when using CRuby (MRI) with vendored libxml2

Patched Versions

  • Nokogiri >= 1.18.9

Mitigation

Upgrade to Nokogiri v1.18.9 or later.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.

References

🚨 Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415

Summary

Nokogiri v1.18.8 upgrades its dependency libxml2 to v2.13.8.

libxml2 v2.13.8 addresses:

Impact

CVE-2025-32414: No impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

There is no impact from this CVE for Nokogiri users.

CVE-2025-32415: Low impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

In the upstream issue, further context is provided by the maintainer:

The bug affects validation against untrusted XML Schemas (.xsd) and validation of untrusted
documents against trusted Schemas if they make use of xsd:keyref in combination with recursively
defined types that have additional identity constraints.

MITRE has published a severity score of 2.9 LOW (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.

🚨 Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs

Summary

Nokogiri v1.18.4 upgrades its dependency libxslt to v1.1.43.

libxslt v1.1.43 resolves:

Impact

CVE-2025-24855

CVE-2024-55549

🚨 Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

🚨 Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

  • 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
  • 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
  • 2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

🚨 Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062

Summary

Nokogiri upgrades its dependency libxml2 as follows:

  • Nokogiri v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
  • Nokogiri v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against patched external libxml2 libraries which will also address these same
issues.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Timeline

  • 2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information
  • 2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions
  • 2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public
  • 2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated "Impact" section
  • 2024-03-16 09:03 EDT - v1.15.6 published (see discussion at #3146), updated mitigation information
  • 2024-03-18 22:12 EDT - update "affected products" range with v1.15.6 information

🚨 Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062

Summary

Nokogiri upgrades its dependency libxml2 as follows:

  • Nokogiri v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
  • Nokogiri v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against patched external libxml2 libraries which will also address these same
issues.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Timeline

  • 2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information
  • 2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions
  • 2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public
  • 2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated "Impact" section
  • 2024-03-16 09:03 EDT - v1.15.6 published (see discussion at #3146), updated mitigation information
  • 2024-03-18 22:12 EDT - update "affected products" range with v1.15.6 information

🚨 Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs

Summary

Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to v2.10.4 from v2.10.3.

libxml2 v2.10.4 addresses the following known vulnerabilities:

  • CVE-2023-29469: Hashing of empty dict strings isn't deterministic
  • CVE-2023-28484: Fix null deref in xmlSchemaFixupComplexType
  • Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.14.3.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.10.4 which will also address these same issues.

Impact

No public information has yet been published about the security-related issues other than the upstream commits. Examination of those changesets indicate that the more serious issues relate to libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.

The commits can be examined at:

🚨 Unchecked return value from xmlTextReaderExpand

Summary

Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.

For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

Mitigation

Upgrade to Nokogiri >= 1.13.10.

Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

Credit

This vulnerability was responsibly reported by @davidwilemski.

🚨 Update bundled libxml2 to v2.10.3 to resolve multiple CVEs

Summary

Nokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to v2.10.3 from v2.9.14.

libxml2 v2.10.3 addresses the following known vulnerabilities:

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.9, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.9.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.10.3 which will also address these same issues.

Impact

libxml2 CVE-2022-2309

  • CVSS3 score: Under evaluation
  • Type: Denial of service
  • Description: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Nokogiri maintainers investigated at #2620 and determined this CVE does not affect Nokogiri users.

libxml2 CVE-2022-40304

  • CVSS3 score: Unspecified upstream
  • Type: Data corruption, denial of service
  • Description: When an entity reference cycle is detected, the entity content is cleared by setting its first byte to zero. But the entity content might be allocated from a dict. In this case, the dict entry becomes corrupted leading to all kinds of logic errors, including memory errors like double-frees.

See https://gitlab.gnome.org/GNOME/libxml2/-/commit/644a89e080bced793295f61f18aac8cfad6bece2

libxml2 CVE-2022-40303

  • CVSS3 score: Unspecified upstream
  • Type: Integer overflow
  • Description: Integer overflows with XML_PARSE_HUGE

See https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0

References

🚨 libxslt Type Confusion vulnerability that affects Nokogiri

In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.

Nokogiri prior to version 1.10.5 used a vulnerable version of libxslt. Nokogiri 1.10.5 updated libxslt to version 1.1.34 to address this and other vulnerabilities in libxslt.

🚨 Uninitialized read in Nokogiri gem

In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

🚨 Nokogiri Implements libxml2 version vulnerable to null pointer dereferencing

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.

🚨 Nokogiri affected by libxslt Use of Uninitialized Resource/Use After Free vulnerability

In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.

Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.

🚨 Nokogiri implementation of libxslt vulnerable to heap corruption

Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.

Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.

🚨 Nokogiri Implements libxml2 version vulnerable to use-after-free

There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

🚨 Nokogiri contains libxml Out-of-bounds Write vulnerability

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

Nokogiri prior to version 1.11.4 used a vulnerable version of libxml2. Nokogiri 1.11.4 updated libxml2 to version 2.9.11 to address this and other vulnerabilities in libxml2.

🚨 Nokogiri has vulnerable dependencies on libxml2 and libxslt

Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

🚨 Nokogiri Improperly Handles Unexpected Data Type

Summary

Nokogiri < v1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers. For CRuby users, this may allow specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory.

Severity

The Nokogiri maintainers have evaluated this as High 8.2 (CVSS3.1).

Mitigation

CRuby users should upgrade to Nokogiri >= 1.13.6.

JRuby users are not affected.

Workarounds

To avoid this vulnerability in affected applications, ensure the untrusted input is a String by calling #to_s or equivalent.

Credit

This vulnerability was responsibly reported by @agustingianni and the Github Security Lab.

🚨 Integer Overflow or Wraparound in libxml2 affects Nokogiri

Summary

Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from v2.9.13 to v2.9.14.

libxml2 v2.9.14 addresses CVE-2022-29824. This version also includes several security-related bug fixes for which CVEs were not created, including a potential double-free, potential memory leaks, and integer-overflow.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.5, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.5.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.9.14 which will also address these same issues.

Impact

libxml2 CVE-2022-29824

  • CVSS3 score:
  • Type: Denial of service, information disclosure
  • Description: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
  • Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a24

All versions of libml2 prior to v2.9.14 are affected.

Applications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service.

References

🚨 Out-of-bounds Write in zlib affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses CVE-2018-25032. That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.4, and only if the packaged version of zlib is being used. Please see this document for a complete description of which platform gems vendor zlib. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's zlib release announcements.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2018-25032 in zlib

  • Severity: High
  • Type: CWE-787 Out of bounds write
  • Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

🚨 XML Injection in Xerces Java affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored xerces:xercesImpl from 2.12.0 to 2.12.2, which addresses CVE-2022-23437. That CVE is scored as CVSS 6.5 "Medium" on the NVD record.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2022-23437 in xerces-J

  • Severity: Medium
  • Type: CWE-91 XML Injection (aka Blind XPath Injection)
  • Description: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
  • See also: GHSA-h65f-jvqw-m9fj

🚨 Nokogiri Inefficient Regular Expression Complexity

Summary

Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

CWE-1333 Inefficient Regular Expression Complexity

Credit

This vulnerability was reported by HackerOne user ooooooo_q (γͺγͺおく).

🚨 Denial of Service (DoS) in Nokogiri on JRuby

Summary

Nokogiri v1.13.4 updates the vendored org.cyberneko.html library to 1.9.22.noko2 which addresses CVE-2022-24839. That CVE is rated 7.5 (High Severity).

See GHSA-9849-p7jc-9rmv for more information.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Impact

CVE-2022-24839 in nekohtml

  • Severity: High 7.5
  • Type: CWE-400 Uncontrolled Resource Consumption
  • Description: The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup.
  • See also: GHSA-9849-p7jc-9rmv

🚨 Nokogiri affected by zlib's Out-of-bounds Write vulnerability

zlib 1.2.11 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

🚨 Vulnerable dependencies in Nokogiri

Summary

Nokogiri v1.13.2 upgrades two of its packaged dependencies:

  • vendored libxml2 from v2.9.12 to v2.9.13
  • vendored libxslt from v1.1.34 to v1.1.35

Those library versions address the following upstream CVEs:

Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.

Impact

libxslt CVE-2021-30560

All versions of libxslt prior to v1.1.35 are affected.

Applications using untrusted XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately.

libxml2 CVE-2022-23308

The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an untrusted document with parse options DTDVALID set to true, and NOENT set to false.

An analysis of these parse options:

  • While NOENT is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later.
  • DTDVALID is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly.

It seems reasonable to assume that any application explicitly setting the parse option DTDVALID when parsing untrusted documents is vulnerable and should be upgraded immediately.

🚨 Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.0) for JRuby users. (This security advisory does not apply to CRuby users.)

Impact

In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default.

Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected:

  • Nokogiri::XML::SAX::Parser
  • Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser
  • Nokogiri::XML::SAX::PushParser
  • Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser

Mitigation

JRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier.

CRuby users are not affected.

🚨 Nokogiri updates packaged dependency on libxml2 from 2.9.10 to 2.9.12

Summary

Nokogiri v1.11.4 updates the vendored libxml2 from v2.9.10 to v2.9.12 which addresses:

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.11.4, and only if the packaged version of libxml2 is being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.11.4.

Impact

I've done a brief analysis of the published CVEs that are addressed in this upstream release. The libxml2 maintainers have not released a canonical set of CVEs, and so this list is pieced together from secondary sources and may be incomplete.

All information below is sourced from security.archlinux.org, which appears to have the most up-to-date information as of this analysis.

CVE-2019-20388

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2020-7595

This has been patched in Nokogiri since v1.10.8 (see #1992).

CVE-2020-24977

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3516

Verified that the fix commit first appears in v2.9.11. This vector does not exist within Nokogiri, which does not ship xmllint.

CVE-2021-3517

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3518

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3537

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3541

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4, however Nokogiri's default parse options prevent the attack from succeeding (it is necessary to opt into DTDLOAD which is off by default).

For more details supporting this analysis of this CVE, please visit #2233.

🚨 Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability

Severity

Nokogiri maintainers have evaluated this as Low Severity (CVSS3 2.6).

Description

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.

This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.

Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity".

Affected Versions

Nokogiri <= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3

Mitigation

There are no known workarounds for affected versions. Upgrade to Nokogiri 1.11.0.rc4 or later.

If, after upgrading to 1.11.0.rc4 or later, you wish to re-enable network access for resolution of external resources (i.e., return to the previous behavior):

  1. Ensure the input is trusted. Do not enable this option for untrusted input.
  2. When invoking the Nokogiri::XML::Schema constructor, pass as the second parameter an instance of Nokogiri::XML::ParseOptions with the NONET flag turned off.

So if your previous code was:

# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network
# but in v1.11.0.rc4 and later, this call will disallow network access for external resources
schema = Nokogiri::XML::Schema.new(schema)

# in v1.11.0.rc4 and later, the following is equivalent to the code above
# (the second parameter is optional, and this demonstrates its default value)
schema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)

Then you can add the second parameter to indicate that the input is trusted by changing it to:

# in v1.11.0.rc3 and earlier, this would raise an ArgumentError 
# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network
schema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)

References

Credit

This vulnerability was independently reported by @eric-therond and @gucki.

The Nokogiri maintainers would like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to us.

🚨 libxml as used in Nokogiri has an infinite loop in a certain end-of-file situation

xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
The Nokogiri RubyGem has patched its vendored copy of libxml2 in order to prevent this issue from affecting nokogiri.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ octokit (indirect, 4.14.0 β†’ 4.25.1) Β· Repo Β· Changelog

Security Advisories 🚨

🚨 Octokit gem published with world-writable files

Impact

Versions 4.23.0 and 4.24.0 of the octokit gem were published containing world-writeable files.

Specifically, the gem was packed with files having their permissions set to -rw-rw-rw- (i.e. 0666) instead of rw-r--r-- (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem.

Malicious code already present and running on your machine, separate from this package, could modify the gem’s files and change its behavior during runtime.

Patches

Workarounds

Users can use the previous version of the gem v4.22.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.

Release Notes

4.25.1

  • Stop configuring Faraday's retry middleware twice (@Edouard-chin)
  • Fix various Ruby warnings (e.g. missing parentheses) (@coryf)

4.25.0

βœ… NOTE: This remediates A security advisory was published on versions 4.23.0 and 4.24.0 of this gem. You can read more about this in the published security advisory. βœ…

DX Improvements

CI Improvements

Updates all build scripts to be more durable and adds details on how to run a manual file integrity check by @nickfloyd in #1446

Housekeeping

  • Drop support for Ruby 1.9.2 in Octokit::Client::Contents#create_contents by @timrogers in #1442

Full Changelog: v4.24.0...v4.25.0

4.24.0

Known issues

Note: This release fixes the issue around autoloading modules causing some modules to not load before use #1428

Code improvements

CI Improvements

  • Adds Code QL analysis to octokit.rb via @nickfloyd

Bug fixes

Full Changelog: v4.23.0...v4.24.0

4.23.0

Code improvements

CI Improvements

Performance improvements

Bug fixes

Documentation

Full Changelog: v4.22.0...v4.23.0

4.22.0

Deprecation Fix

Code Improvements

CI and dependency updates

Documentation

4.21.0

API Support

Error handling

Code clean up

Documentation

4.20.0

API Support

Bug fixes

  • #1309 Paginate outside_collaborators calls @sds
  • #1316 Uses of FaradayMiddleware#on_complete should not be private @tarebyte

Code improvements

Documentation

4.19.0

Code Improvements

API Support

Documentation

CI and dependency updates

4.18.0

Documentation

Preview Header Support

Bug Fixes

4.17.0

Documentation

Preview Header Support

Bug Fixes

4.16.0

New features

Resolve deprecation warnings

  • #1192 Fix deprecation notice for authentication via query parameters @tarebyte

Documentation

Tooling updates

4.15.0

Preview header support
#1114 Adds drafts preview header @andrew
#1132 Update branch protection preview @spikex

New features
#1133 Support for template repositories @EricPickup
#1136 Add method to find team by name @gallexi
#1153 Add method to delete installation @yykamei
#1151 Add method to update pull request review @eric-silverman
#1162 Support for Commit pulls @tgmachina

Improved error handling
#1115 Add BillingIssue error @stmllr
#1106 Add TooLargeContent error @ybiquitous
#1164 Add SAMLProtected error @tarebyte

Resolve deprecation warnings
#1152 Fix version deprecation warning in ci builds @hmharvey
#1154 Fix faraday error subclass @Gasparila

Documentation
#1123 Add option in the pull request state parameter @4geru
#1135 Fix the contributing doc steps @gallexi
#1134 Fix the code example for update branch @rmacklin
#1139 Add assignee params @4geru
#1138 Update link to new collaborators api @shaunakpp
#1129 Add code of conduct @spikex
#1102 Update readme to point directly to v3 api @binhums

Tooling updates
#1142 Migrated to actions @tarebyte

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ public_suffix (indirect, 3.1.1 β†’ 5.1.1) Β· Repo Β· Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rainbow (indirect, 3.0.0 β†’ 3.1.1) Β· Repo Β· Changelog

Release Notes

3.1.1 (from changelog)

  • fix: Ensure files directive in gemspec adds all files

3.1.0 (from changelog)

  • Bad release: superseded by 3.1.1.
  • added cross_out aka strike
  • hexadecimal color names supported better, see #83
  • gemspec: list files using a Ruby expression, avoiding git

(2020-08-26 was the planned release date, but the real release date is reflected in the heading.)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 29 commits:

↗️ rb-fsevent (indirect, 0.10.3 β†’ 0.11.2) Β· Repo

Release Notes

0.11.2

  • Avoid modifying string literals #91

0.11.1

  • rescue Errno::EBADF when closing pipe #92

0.11.0

0.10.4

  • Remove bundler development dependency #85

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 14 commits:

↗️ rb-inotify (indirect, 0.10.0 β†’ 0.11.1) Β· Repo

Commits

See the full diff on Github. The new version differs by 14 commits:

↗️ rouge (indirect, 2.2.1 β†’ 3.30.0) Β· Repo Β· Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rubyzip (indirect, 2.0.0 β†’ 2.4.1) Β· Repo Β· Changelog

Release Notes

2.3.2 (from changelog)

  • A "dummy" release to warn about breaking changes coming in version 3.0. This updated version uses the Gem post_install_message instead of printing to STDERR.

2.3.1

This is a "dummy" release to warn about breaking changes coming in version 3.0.

2.3.0

  • Fix frozen string literal error #431
  • Set OutputStream.write_buffer's buffer to binmode #439
  • Upgrade rubocop and fix various linting complaints #437 #440

Tooling:

  • Add a bin/console script for development #420
  • Update rake requirement (development dependency only) to fix a security alert.

2.2.0

  • Add support for decompression plugin gems #427

2.1.0

  • Fix (at least partially) the restore_times and restore_permissions options to Zip::File.new #413
    • Previously, neither option did anything, regardless of what it was set to. We have therefore defaulted them to false to preserve the current behavior, for the time being. If you have explicitly set either to true, it will now have an effect.
    • Fix handling of UniversalTime (mtime, atime, ctime) fields. #421
    • Previously, Zip::File did not pass the options to Zip::Entry in some cases. #423
    • Note that restore_times in this release does nothing on Windows and only restores mtime, not atime or ctime.
  • Allow Zip::File.open to take an options hash like Zip::File.new #418
  • Always print warnings with warn, instead of a mix of puts and warn #416
  • Create temporary files in the system temporary directory instead of the directory of the zip file #411
  • Drop unused tmpdir requirement #411

Tooling

  • Move CI to xenial and include jruby on JDK11 #419

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sawyer (indirect, 0.8.2 β†’ 0.9.3) Β· Repo

Release Notes

0.9.3

What's Changed

New Contributors

Full Changelog: v0.9.2...v0.9.3

0.9.1

What's Changed

  • Specify correct minimal Faraday version by @skryukov in #73

New Contributors

Full Changelog: v0.9.0...v0.9.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 20 commits:

↗️ typhoeus (indirect, 1.3.1 β†’ 1.6.0) Β· Repo Β· Changelog

Release Notes

1.6.0 (from changelog)

Full Changelog

1.5.0 (from changelog)

Full Changelog

1.4.0 (from changelog)

Full Changelog

1 feature

  • Faraday adapter exceptions namespace compatibility with Faraday v1 (@iMacTia in #616)

3 Others

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tzinfo (indirect, 1.2.5 β†’ 2.0.6) Β· Repo Β· Changelog

Security Advisories 🚨

🚨 TZInfo relative path traversal vulnerability allows loading of arbitrary files

Impact

Affected versions

  • 0.3.60 and earlier.
  • 1.0.0 to 1.2.9 when used with the Ruby data source (tzinfo-data).

Vulnerability

With the Ruby data source (the tzinfo-data gem for tzinfo version 1.0.0 and later and built-in to earlier versions), time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process.

For example, with version 1.2.9, you can run the following to load a file with path /tmp/payload.rb:

TZInfo::Timezone.get("foo\n/../../../../../../../../../../../../../../../../tmp/payload")

The exact number of parent directory traversals needed will vary depending on the location of the tzinfo-data gem.

TZInfo versions 1.2.6 to 1.2.9 can be made to load files from outside of the Ruby load path. Versions up to and including 1.2.5 can only be made to load files from directories within the load path.

This could be exploited in, for example, a Ruby on Rails application using tzinfo version 1.2.9, that allows file uploads and has a time zone selector that accepts arbitrary time zone identifiers. The CVSS score and severity have been set on this basis.

Versions 2.0.0 and later are not vulnerable.

Patches

Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers (commit 9eddbb5 for 0.3.x and commit 9905ca9 for 1.2.x).

Note that version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. For example if /tmp/upload was in the load path, then TZInfo::Timezone.get('foo') could load a file with path /tmp/upload/tzinfo/definition/foo.rb. Applications should ensure that untrusted files are not placed in a directory on the load path.

Workarounds

As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.

For more information

If you have any questions or comments about this advisory:

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ unicode-display_width (indirect, 1.6.0 β†’ 1.8.0) Β· Repo Β· Changelog

Release Notes

1.8.0 (from changelog)

  • Unicode 14.0 (last release of 1.x)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 13 commits:

↗️ yell (indirect, 2.2.0 β†’ 2.2.2) Β· Repo

Sorry, we couldn’t find anything useful about this release.

πŸ†• Ascii85 (added, 2.0.1)

πŸ†• afm (added, 1.0.0)

πŸ†• async (added, 2.38.1)

πŸ†• base64 (added, 0.3.0)

πŸ†• benchmark (added, 0.5.0)

πŸ†• bigdecimal (added, 3.3.1)

πŸ†• connection_pool (added, 3.0.2)

πŸ†• console (added, 1.34.3)

πŸ†• csv (added, 3.3.5)

πŸ†• drb (added, 2.2.3)

πŸ†• faraday-net_http (added, 3.4.2)

πŸ†• fiber-annotation (added, 0.2.0)

πŸ†• fiber-local (added, 1.1.0)

πŸ†• fiber-storage (added, 1.0.1)

πŸ†• hashery (added, 2.1.2)

πŸ†• io-event (added, 1.14.4)

πŸ†• jekyll-include-cache (added, 0.2.1)

πŸ†• json (added, 2.19.2)

πŸ†• kramdown-parser-gfm (added, 1.1.0)

πŸ†• logger (added, 1.7.0)

πŸ†• metrics (added, 0.15.0)

πŸ†• net-http (added, 0.9.1)

πŸ†• pdf-reader (added, 2.15.1)

πŸ†• prism (added, 1.9.0)

πŸ†• racc (added, 1.8.1)

πŸ†• rexml (added, 3.4.4)

πŸ†• ruby-rc4 (added, 0.1.5)

πŸ†• securerandom (added, 0.4.1)

πŸ†• simpleidn (added, 0.2.3)

πŸ†• traces (added, 0.18.2)

πŸ†• ttfunk (added, 1.8.0)

πŸ†• uri (added, 1.1.1)

πŸ†• webrick (added, 1.9.2)

πŸ†• zeitwerk (added, 2.7.5)

πŸ—‘οΈ multipart-post (removed)

πŸ—‘οΈ parallel (removed)

πŸ—‘οΈ ruby-enum (removed)

πŸ—‘οΈ ruby_dep (removed)

πŸ—‘οΈ thread_safe (removed)