[Security] Bump nokogiri from 1.8.4 to 1.8.5

[greysteil]

Bumps nokogiri from 1.8.4 to 1.8.5. This update includes security fixes.

Vulnerabilities fixed

Sourced from The Ruby Advisory Database.

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Nokogiri 1.8.5 has been released.

This is a security and bugfix release. It addresses two CVEs in upstream
libxml2 rated as "medium" by Red Hat, for which details are below.

If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time,
though you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages). Note that these patches are not
yet (as of 2018-10-04) in an upstream release of libxml2.

Full details about the security update are available in Github Issue #1785.
[#1785]: https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/1785

---

[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404
and CVE-2018-14567. Full details are available in #1785. Note that these
patches are not yet (as of 2018-10-04) in an upstream release of libxml2.

... (truncated)

Patched versions: >= 1.8.5
Unaffected versions: none

Changelog

Sourced from nokogiri's changelog.

1.8.5 / 2018-10-04

Security Notes

[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in #1785. Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2.

Bug fixes

• [MRI] Fix regression in installation when building against system libraries, where some systems would not be able to find libxml2 or libxslt when present. (Regression introduced in v1.8.3.) [#1722]
• [JRuby] Fix node reparenting when the destination doc is empty. [#1773]

Commits

• e28fa4b version bump to v1.8.5
• 712edef update changelog
• 7feb4c1 Merge branch 'fix-1773'
• 7cc6cf6 Organize imports in XmlNode.java.
• 1697442 Allow reparenting nodes to be a child of an empty document.
• 7b8cd0f Merge pull request #1786 from sparklemotion/1785-canonical-usns
• 5bff4bb pull in upstream libxml2 patches
• c232226 changelog
• 862b88f changelog
• b3750eb remove -Wextra CFLAG
• Additional commits viewable in compare view

@enricostano - I kept Dependabot running on my fork and it generated this last night after the Nokogiri security advisory was announced. Would still love you to run it on this repo directly.

[enricostano]

Thanks @greysteil , I just added this PR to our testing queue 💪

[sseerrggii]

I don't know how tot test that, becouse come from unknown repository origin 🤔

I tried to change the same line in Gemfile.lock and execute bundle install and everything went fine.

Can I merge it and we will test full application before the new release?

[greysteil]

Sorry, this is a little old now and I deleted my fork. You should definitely be fine to merge, though!