dep: bump Nokogiri dependency to address the foreign style issue

flavorjones · flavorjones · commit b0220b8850d5 · 2024-11-30T16:53:37.000-05:00
https://hackerone.com/reports/2503220
diff --git a/Gemfile b/Gemfile
@@ -14,7 +14,3 @@ group :rubocop do
   gem "rubocop-performance", require: false
   gem "rubocop-rails", require: false
 end
-
-# specify gem versions for old rubies
-gem "nokogiri", ">= 1.7"
-gem "activesupport", ">= 5"
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -3,7 +3,7 @@ PATH
   specs:
     rails-html-sanitizer (1.6.0)
       loofah (~> 2.21)
-      nokogiri (~> 1.14)
+      nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
 
 GEM
   remote: https://rubygems.org/
@@ -34,18 +34,10 @@ GEM
     loofah (2.22.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
+    mini_portile2 (2.8.8)
     minitest (5.24.1)
-    nokogiri (1.16.7-aarch64-linux)
-      racc (~> 1.4)
-    nokogiri (1.16.7-arm-linux)
-      racc (~> 1.4)
-    nokogiri (1.16.7-arm64-darwin)
-      racc (~> 1.4)
-    nokogiri (1.16.7-x86-linux)
-      racc (~> 1.4)
-    nokogiri (1.16.7-x86_64-darwin)
-      racc (~> 1.4)
-    nokogiri (1.16.7-x86_64-linux)
+    nokogiri (1.16.8)
+      mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     parallel (1.26.2)
     parser (3.3.4.2)
@@ -98,9 +90,7 @@ PLATFORMS
   x86_64-linux
 
 DEPENDENCIES
-  activesupport (>= 5)
   minitest
-  nokogiri (>= 1.7)
   rails-html-sanitizer!
   rake
   rubocop (>= 1.25.1)
diff --git a/rails-html-sanitizer.gemspec b/rails-html-sanitizer.gemspec
@@ -26,8 +26,10 @@ Gem::Specification.new do |spec|
   spec.test_files    = Dir["test/**/*"]
   spec.require_paths = ["lib"]
 
-  # NOTE: There's no need to update dependencies for CVEs in minor releases
-  # when users can simply run `bundle update loofah`.
   spec.add_dependency "loofah", "~> 2.21"
-  spec.add_dependency "nokogiri", "~> 1.14"
+
+  # A fix was shipped in nokogiri v1.15.7 and v1.16.8 without which there is a vulnerability in this gem.
+  spec.add_dependency "nokogiri", [">=1.15.7",
+                                   "!=1.16.0", "!=1.16.0.rc1", "!=1.16.1", "!=1.16.2", "!=1.16.3",
+                                   "!=1.16.4", "!=1.16.5", "!=1.16.6", "!=1.16.7"]
 end
