From 244f19b7fb45626b37156ecb7d42e2122ab4d168 Mon Sep 17 00:00:00 2001
From: Zack Koppert
Date: Tue, 10 Mar 2026 11:41:22 -0700
Subject: [PATCH 1/2] fix(deps): bump nokogiri to >= 1.19.1 to fix GHSA-wx95-c6cv-8532

Nokogiri < 1.19.1 does not check the return value from xmlC14NExecute, which is a medium-severity vulnerability.

Updates the version constraint from ~> 1.18.9 (capped below 1.19.0) to >= 1.19.1 to resolve Dependabot alert #53.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 Gemfile | 2 +-
 Gemfile.lock | 16 ++++++++--------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/Gemfile b/Gemfile
index bbb2290e..0ee6afe4 100644
--- a/Gemfile
+++ b/Gemfile
@@ -15,4 +15,4 @@ gem "twitter-text", "~> 1.14"
 gem "asciidoctor", "~> 2.0.5"
 gem "rake"
 gem "rexml"
-gem "nokogiri", "~> 1.18.9"
+gem "nokogiri", ">= 1.19.1"
diff --git a/Gemfile.lock b/Gemfile.lock
index ff1afeec..ddc85550 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -58,18 +58,18 @@ GEM
 mini_portile2 (2.8.9)
 minitest (5.25.5)
 mutex_m (0.3.0)
- nokogiri (1.18.9)
+ nokogiri (1.19.1)
 mini_portile2 (~> 2.8.2)
 racc (~> 1.4)
- nokogiri (1.18.9-aarch64-linux-gnu)
+ nokogiri (1.19.1-aarch64-linux-gnu)
 racc (~> 1.4)
- nokogiri (1.18.9-arm-linux-gnu)
+ nokogiri (1.19.1-arm-linux-gnu)
 racc (~> 1.4)
- nokogiri (1.18.9-arm64-darwin)
+ nokogiri (1.19.1-arm64-darwin)
 racc (~> 1.4)
- nokogiri (1.18.9-x86_64-darwin)
+ nokogiri (1.19.1-x86_64-darwin)
 racc (~> 1.4)
- nokogiri (1.18.9-x86_64-linux-gnu)
+ nokogiri (1.19.1-x86_64-linux-gnu)
 racc (~> 1.4)
 nokogiri-diff (0.3.0)
 nokogiri (~> 1.5)
@@ -128,7 +128,7 @@ DEPENDENCIES
 html-pipeline (~> 1.0)
 kramdown
 minitest (~> 5.4, >= 5.4.3)
- nokogiri (~> 1.18.9)
+ nokogiri (>= 1.19.1)
 nokogiri-diff (~> 0.3.0)
 org-ruby (= 0.9.12)
 rake
@@ -140,4 +140,4 @@ DEPENDENCIES
 wikicloth (= 0.8.3)
 
 BUNDLED WITH
- 2.5.9
+ 2.4.10

From aef5252920c32f135327a99bb18d71df1e1e2a53 Mon Sep 17 00:00:00 2001
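Review bot: The last Gemfile.lock hunk lowers `BUNDLED WITH` from `2.5.9` to `2.4.10`, which is unrelated to the nokogiri bump and indicates the lockfile was regenerated with an older Bundler than the one previously recorded; Bundler version drift in the lockfile is the kind of change that should be deliberate, not a side effect of a security bump. I would regenerate the lock with the Bundler version the project actually uses in CI so the line reads `   2.5.9` (or newer) and only the nokogiri lines change. Separately, the Gemfile hunk replaces a pessimistic constraint with an uncapped `">= 1.19.1"`; the lockfile pins 1.19.1 today, but a later `bundle update` could pull in any future major release, so `gem "nokogiri", "~> 1.19", ">= 1.19.1"` would keep the fix floor while retaining an upper bound.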
From: Zack Koppert
Date: Tue, 10 Mar 2026 12:17:28 -0700
Subject: [PATCH 2/2] ci: drop Ruby 3.1 from test matrix (EOL since March 2025)

Nokogiri 1.19.x requires Ruby >= 3.2, and Ruby 3.1 reached end of life on 2025-03-31. Remove it from the CI matrix.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/ci.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 50ccc50b..2adbe25b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,7 +14,6 @@ jobs:
 strategy:
 matrix:
 ruby:
- - "3.1"
 - "3.2"
 - "3.3"
 - "3.4"