
Update dependency nokogiri to v1.16.2 [SECURITY] - autoclosed #569

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Feb 6, 2024

Mend Renovate

This PR contains the following updates:

Package  | Change
-------- | ---------------------
nokogiri | '1.15.5' -> '1.16.2'

GitHub Vulnerability Alerts

GHSA-xc9x-jj77-9p9j

Summary

Nokogiri v1.16.2 upgrades the version of its dependency libxml2 to v2.12.5.

libxml2 v2.12.5 addresses the following vulnerability:

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.16.2, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.12.5, which will also address these same issues.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Timeline

  • 2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information
  • 2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions
  • 2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public
  • 2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated "Impact" section

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Mend Renovate. View repository job log here.
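The advisory's applicability conditions (CRuby only, packaged libxml2 with Nokogiri < 1.16.2, or a system libxml2 older than 2.12.5) can be checked mechanically. The following Ruby snippet is an added example, not code from the Renovate PR or the Nokogiri project; it assumes the hash layout of `Nokogiri::VERSION_INFO` (keys `ruby/engine`, `nokogiri/version`, `libxml/source`, `libxml/loaded`) and uses constructed sample data when the gem is not installed.

```ruby
# Added check for GHSA-xc9x-jj77-9p9j exposure (not part of the PR or of Nokogiri).
# Encodes the advisory's conditions: CRuby, Nokogiri < 1.16.2 with the packaged
# libxml2, or a system libxml2 < 2.12.5 when Nokogiri was built against system libs.
require "rubygems"

FIXED_NOKOGIRI = Gem::Version.new("1.16.2")
FIXED_LIBXML2  = Gem::Version.new("2.12.5")

# `info` mirrors the Hash shape of Nokogiri::VERSION_INFO (assumed keys noted
# above), so the same logic can run on a live process or on a hash captured
# from another host.
def ghsa_xc9x_status(info)
  engine = info.dig("ruby", "engine")
  # Advisory applies to the CRuby implementation only; an unknown engine is
  # treated as CRuby so the check errs on the side of reporting exposure.
  return :not_affected_engine unless engine.nil? || engine == "ruby"

  nokogiri = Gem::Version.new(info.dig("nokogiri", "version").to_s)
  libxml   = info["libxml"] || {}

  if libxml["source"] == "packaged"
    nokogiri < FIXED_NOKOGIRI ? :vulnerable_packaged : :fixed
  else
    # System libxml2: the version actually loaded at runtime is what matters,
    # regardless of the Nokogiri gem version.
    loaded = Gem::Version.new(libxml["loaded"].to_s)
    loaded < FIXED_LIBXML2 ? :vulnerable_system_libxml2 : :fixed
  end
end

# Use the live process when Nokogiri is installed; otherwise fall back to a
# constructed sample shaped like what this PR's base (nokogiri 1.15.5) would report.
def live_or_sample_status
  require "nokogiri"
  ghsa_xc9x_status(Nokogiri::VERSION_INFO)
rescue LoadError
  sample = { "ruby"     => { "engine" => "ruby" },
             "nokogiri" => { "version" => "1.15.5" },
             "libxml"   => { "source" => "packaged", "loaded" => "0.0.0" } } # constructed
  ghsa_xc9x_status(sample)
end

puts "GHSA-xc9x-jj77-9p9j status: #{live_or_sample_status}" if __FILE__ == $PROGRAM_NAME
```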

@renovate renovate bot force-pushed the renovate/rubygems-nokogiri-vulnerability branch 2 times, most recently from 97f4a7d to 9191c01 on February 9, 2024 16:36
@codecov-commenter

codecov-commenter commented Feb 9, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (a627116) 34.88% compared to head (9c8e927) 34.88%.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #569   +/-   ##
=======================================
  Coverage   34.88%   34.88%           
=======================================
  Files          47       47           
  Lines        1307     1307           
=======================================
  Hits          456      456           
  Misses        851      851           


@renovate renovate bot force-pushed the renovate/rubygems-nokogiri-vulnerability branch from 9191c01 to 36bc13e on February 9, 2024 16:52
@yegor256
Owner

yegor256 commented Feb 9, 2024

@rultor please, try to merge, since 4 checks have passed

@rultor
Collaborator

rultor commented Feb 9, 2024

@rultor please, try to merge, since 4 checks have passed

@yegor256 OK, I'll try to merge now. You can check the progress of the merge here

@rultor
Collaborator

rultor commented Feb 9, 2024

@rultor please, try to merge, since 4 checks have passed

@renovate[bot] @yegor256 Oops, I failed. You can see the full log here (spent 5min)

'pid' file is absent on the server after the end of operation; it seems that we didn't manage to start Docker container correctly

@renovate renovate bot force-pushed the renovate/rubygems-nokogiri-vulnerability branch from 36bc13e to 9c8e927 on February 13, 2024 10:08
@renovate renovate bot changed the title Update dependency nokogiri to v1.16.2 [SECURITY] Update dependency nokogiri to v1.16.2 [SECURITY] - autoclosed Feb 24, 2024
@renovate renovate bot closed this Feb 24, 2024
@renovate renovate bot deleted the renovate/rubygems-nokogiri-vulnerability branch February 24, 2024 00:56
@renovate renovate bot changed the title Update dependency nokogiri to v1.16.2 [SECURITY] - autoclosed Update dependency nokogiri to v1.16.2 [SECURITY] Feb 24, 2024
@renovate renovate bot reopened this Feb 24, 2024
@renovate renovate bot restored the renovate/rubygems-nokogiri-vulnerability branch February 24, 2024 05:09
@renovate renovate bot force-pushed the renovate/rubygems-nokogiri-vulnerability branch from 9c8e927 to 89eb348 on February 24, 2024 05:10
@renovate renovate bot changed the title Update dependency nokogiri to v1.16.2 [SECURITY] Update dependency nokogiri to v1.16.2 [SECURITY] - autoclosed Mar 18, 2024
@renovate renovate bot closed this Mar 18, 2024
@renovate renovate bot deleted the renovate/rubygems-nokogiri-vulnerability branch March 18, 2024 19:32