fix(deps): bump nokogiri to >= 1.19.1 to fix GHSA-wx95-c6cv-8532#2031
Nokogiri < 1.19.1 does not check the return value from xmlC14NExecute, which is a medium-severity vulnerability. Updates the version constraint from ~> 1.18.9 (capped below 1.19.0) to >= 1.19.1 to resolve Dependabot alert #53. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Nokogiri 1.19.x requires Ruby >= 3.2, and Ruby 3.1 reached end of life on 2025-03-31. Remove it from the CI matrix. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Updates Nokogiri to address GHSA-wx95-c6cv-8532 and adjusts CI to reflect the supported Ruby versions.
Changes:
- Bump `nokogiri` constraint to `>= 1.19.1` and update `Gemfile.lock` accordingly.
- Remove Ruby 3.1 from the GitHub Actions CI matrix.
- Update the lockfile’s recorded Bundler version.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| Gemfile | Raises Nokogiri minimum version to include the security fix. |
| Gemfile.lock | Locks Nokogiri 1.19.1 across platforms and updates the recorded Bundler version. |
| .github/workflows/ci.yml | Drops Ruby 3.1 from the test matrix. |
Comments suppressed due to low confidence (1)
Gemfile:18
- Using an unbounded lower constraint (>= 1.19.1) allows future major releases of nokogiri to be selected automatically, which can introduce breaking changes. If the intent is to stay on the 1.x line while picking up security fixes, consider bounding the requirement (e.g., pessimistic constraint or an explicit < 2 upper bound).
gem "nokogiri", ">= 1.19.1"
| gem "rake" | ||
| gem "rexml" | ||
| gem "nokogiri", "~> 1.18.9" | ||
| gem "nokogiri", ">= 1.19.1" |
Gemfile now requires nokogiri >= 1.19.1, but the gemspec still declares a development dependency constraint of nokogiri '~> 1.18.4' (github-markup.gemspec:28). Having two conflicting sources of truth is error-prone (and can cause Bundler resolution failures depending on how dependencies are evaluated). Align the gemspec constraint with the new minimum version (or remove the gemspec entry if Gemfile is the intended source).
This issue also appears on line 18 of the same file.
| gem "nokogiri", ">= 1.19.1" | |
| gem "nokogiri", "~> 1.18.4" |
| @@ -14,7 +14,6 @@ jobs: | |||
| strategy: | |||
| matrix: | |||
| ruby: | |||
CI no longer tests Ruby 3.1, but the gemspec still declares required_ruby_version '>= 3.1.0' (github-markup.gemspec:16). Either update required_ruby_version to match the supported/tested range, or keep 3.1 in the matrix if it remains supported.
| ruby: | |
| ruby: | |
| - "3.1" |
Summary
Fixes Dependabot alert #53 (medium severity).
Vulnerability: Nokogiri < 1.19.1 does not check the return value from `xmlC14NExecute` (GHSA-wx95-c6cv-8532).
Changes
- `nokogiri` version constraint in `Gemfile` from `~> 1.18.9` (capped below 1.19.0) to `>= 1.19.1`
- `Gemfile.lock` to resolve nokogiri 1.19.1
Note
The existing Dependabot PR #2017 bumps nokogiri to `~> 1.18.10`, which is still capped below 1.19.0 and does not resolve this alert.
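A check for the constraint states this PR and its review discuss, added here as an example and not part of the project's code: it uses RubyGems' own `Gem::Requirement` and `Gem::Version` to tell whether a locked nokogiri version is still below the fixed 1.19.1, whether each declared requirement (the Gemfile and gemspec values quoted in the review comments) admits that locked version, and whether a requirement would also let a future 2.x release through. The constraint strings and locked versions are constructed from the values on this page.

```ruby
require "rubygems"

# First nokogiri release carrying the fix for GHSA-wx95-c6cv-8532 (from the PR).
NOKOGIRI_FIXED = Gem::Version.new("1.19.1")

# True when the version Gemfile.lock resolved still lacks the fix.
def vulnerable_nokogiri?(locked)
  Gem::Version.new(locked) < NOKOGIRI_FIXED
end

# True when a requirement string would let a future major release (2.x) be
# selected, the "unbounded lower constraint" point raised in the review.
def unbounded_major?(requirement)
  Gem::Requirement.new(requirement).satisfied_by?(Gem::Version.new("2.0.0"))
end

# constraints maps a source name (e.g. "Gemfile", "gemspec") to its requirement.
# Returns the sources whose requirement the locked version does NOT satisfy;
# an empty array means every declared constraint agrees with the lock.
def conflicting_sources(locked, constraints)
  version = Gem::Version.new(locked)
  constraints.reject { |_, req| Gem::Requirement.new(req).satisfied_by?(version) }.keys
end

# One report for a given lock/constraint state.
def nokogiri_report(locked, constraints)
  {
    locked: locked,
    vulnerable: vulnerable_nokogiri?(locked),
    conflicts: conflicting_sources(locked, constraints),
    unbounded: constraints.select { |_, req| unbounded_major?(req) }.keys,
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs mirroring the states discussed on this page:
  # the Dependabot PR #2017 state (still capped below 1.19) and this PR's state.
  before = nokogiri_report("1.18.10", "Gemfile" => "~> 1.18.9", "gemspec" => "~> 1.18.4")
  after  = nokogiri_report("1.19.1",  "Gemfile" => ">= 1.19.1", "gemspec" => "~> 1.18.4")
  puts before.inspect
  puts after.inspect
end
```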