[Security] Bump nokogiri from 1.8.2 to 1.8.4

[greysteil]

Bumps nokogiri from 1.8.2 to 1.8.4. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Revert libxml2 behavior in Nokogiri gem that could cause XSS
[MRI] Behavior in libxml2 has been reverted which caused
CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and
CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is
here:

GNOME/libxml2@960f0e2

and more information is available about this commit and its impact
here:

https://github-redirect.dependabot.com/flavorjones/loofah/issues/144

This release simply reverts the libxml2 commit in question to protect
users of Nokogiri's vendored libraries from similar vulnerabilities.

If you're offended by what happened here, I'd kindly ask that you
comment on the upstream bug report here:

https://bugzilla.gnome.org/show_bug.cgi?id=769760

Patched versions: >= 1.8.3
Unaffected versions: none

Changelog

Sourced from nokogiri's changelog.

1.8.4 / 2018-07-03

Bug fixes

• [MRI] Fix memory leak when creating nodes with namespaces. (Introduced in v1.5.7) [#1771]

1.8.3 / 2018-06-16

Security Notes

[MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here:

GNOME/libxml2@960f0e2

and more information is available about this commit and its impact here:

https://github-redirect.dependabot.com/flavorjones/loofah/issues/144

This release simply reverts the libxml2 commit in question to protect users of Nokogiri's vendored libraries from similar vulnerabilities.

If you're offended by what happened here, I'd kindly ask that you comment on the upstream bug report here:

https://bugzilla.gnome.org/show_bug.cgi?id=769760

Dependencies

• [MRI] libxml2 is updated from 2.9.7 to 2.9.8

Features

• Node#classes, #add_class, #append_class, and #remove_class are added.
• NodeSet#append_class is added.
• NodeSet#remove_attribute is a new alias for NodeSet#remove_attr.
• NodeSet#each now returns an Enumerator when no block is passed (Thanks, park53kr!)
• [JRuby] General improvements in JRuby implementation (Thanks, kares!)

Bug fixes

• CSS attribute selectors now gracefully handle queries using integers. [Release v4.3.0 #711]
• Handle ASCII-8BIT encoding on fragment input [Remove offers controller specs which were already on offers view specs #553]
• Handle non-string return values within Reader [#898]
• [JRuby] Allow Node#replace to insert Comment and CDATA nodes. [#1666]
• [JRuby] Stability and speed improvements to Node, Sax::PushParser, and the JRuby implementation [#1708, #1710, #1501]

Commits

• 254f341 version bump to v1.8.4
• 056f66d enforcing formatting in xml_node.c
• ca4f9b2 Merge branch '1771-memory-leak'
• 0d26561 fix memory leak with creating nodes with a namespace
• 117ca2e README format
• 20e11c3 version bump to 1.8.3
• be8a240 update CHANGELOG
• 06ac6ba Merge branch '1765-enumerator'
• 00bafb7 add test coverage for NodeSet#each enum
• 75517e0 '#each' returns enumerator when no block given
• Additional commits viewable in compare view

[greysteil]

(FYI, I generated this by running Dependabot on my fork. Was the only dependency with a security vulnerability.)

[enricostano]

Many thanks @greysteil !

[greysteil]

My pleasure! Would you be up for running Dependabot on this repo to keep the Gemfile and Gemfile.lock up-to-date? I'm trying to get more open source repos using it, because I can then use the results of your CI runs to flag any bugs in new dependency releases and report them back to the maintainers.

I'd happily pitch in fixing up any updates with breaking changes to get you up-to-date.

[enricostano]

Hi @greysteil , is Dependabot fully open source?

[greysteil]

The core is here. The nitty gritty of the webapp that wraps up that core and stores a DB of users etc. isn't, mainly because it's a faff to setup and I didn't want to open source something useless.

About 90% of the work I do day-to-day is in that repo, and technically it's source-available rather than fully open-source, as I have a Prosperity Public License on it (basically, you can use it to host your own bot for your company, but if you want to build a company that sells what I have built then you need to get in touch with me). I wouldn't be able to justify working on it full time if I wasn't accruing some capital value, but I try to give back as much as possible - hence all the work I've done on Bundler over the last year.