DevHeads.net

Postings by Mike Dalessio

nokogiri v1.10.1 released

Nokogiri version v1.10.1 has been released

This release contains bugfixes, better support for the latest version of
Xcode, and a small performance improvement.

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser.

nokogiri v1.10.0 released

Nokogiri version v1.10.0 has been released.

This is a maintenance update focused on Ruby version support and updating
vendored CRuby libraries.

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser.

nokogiri 1.9.0 Released

nokogiri version 1.9.0 has been released!

For CRuby users, this is a feature and bugfix release.

For JRuby users, you're encouraged to upgrade because of the Xerces upgrade
to mitigate a vulnerability.

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser.

hoe-bundler 1.5.0 Released

hoe-bundler version 1.5.0 has been released!

* <http://github.com/flavorjones/hoe-bundler>
* <https://ci.nokogiri.org/teams/nokogiri-core/pipelines/hoe-bundler>

Generate a Gemfile based on a Hoe spec's declared dependencies.

Changes:

## 1.5.0 / 2018-11-17

Enhancements:

* The `bundler:gemfile` rake task accepts optional arguments to specify the
gem source, and whether to invoke `gemspec`. (Thanks, @adangel!)

nokogiri security update 1.8.5

Nokogiri 1.8.5 has been released.

This is a security and bugfix release. It addresses two CVEs in upstream
libxml2 rated as "medium" by Red Hat, for which details are below.

If you're using your distro's system libraries, rather than Nokogiri's
vendored libraries, there's no security need to upgrade at this time,
though you may want to check with your distro whether they've patched this
(Canonical has patched Ubuntu packages).

chromedriver-helper 2.0.0 released

chromedriver-helper 2.0.0 has been released!

<http://github.com/flavorjones/chromedriver-helper>

Easy installation and use of chromedriver, the Chromium project's Selenium
webdriver adapter.

2.0.0 - 2019-09-15
**Backwards-incompatible change:**

The installed shadow executable `chromedriver` has been renamed to
`chromedriver-helper` to work around issues with projects _not_ using the
gem on a system on which the gem is installed.

nokogiri 1.8.4 Released

Nokogiri version 1.8.4 has been released!

This release fixes a memory leak related to creating namespaced nodes which
was introduced waaaaay back in v1.5.7 (March 2013). If you're building or
modifying XML documents by inserting nodes with namespaces, it's probably
worth upgrading.

Thanks to @paddor for finding this memory leak!

# 1.8.4 / 2018-07-03

## Bug fixes

* [MRI] Fix memory leak when creating nodes with namespaces. (Introduced in
v1.5.7) [#1771]

nokogiri 1.8.3 released

Nokogiri version 1.8.3 has been released!

TL;DR: This is a feature and bugfix release. There's also a commit reverted
in the vendored upstream libxml2 that the Nokogiri maintainers feel
introduced unnecessary security risk involving sanitizing HTML attributes.
You're encouraged to read the release notes and the related documents if
you're curious or want to evaluate whether you should upgrade.

The release is being made from NYC, at the twelfth and final GORUCO.

Loofah vulnerability reporting process

Hi all,

The Loofah project has published a vulnerability reporting process, to
allow private disclosure of security vulnerabilities.

More details are at
<https://github.com/flavorjones/loofah/blob/master/SECURITY.md>

Or you can report vulnerabilities directly at <https://hackerone.com/loofah>

Special thanks to HackerOne for their support of OSS projects.

Thanks for reading,
-m

Nokogiri vulnerability reporting process

Hi all,

The Nokogiri core contributors have published a vulnerability reporting
process, to allow private disclosure of security vulnerabilities.

More details are at <http://www.nokogiri.org/tutorials/security.html>

Or you can report vulnerabilities directly at <https://hackerone.com/nokogiri>

Special thanks to HackerOne for their support of OSS projects.

Thanks for reading,
-m

loofah v2.2.0 released

loofah version 2.2.0 has been released!

* <https://github.com/flavorjones/loofah>
* <http://rubydoc.info/github/flavorjones/loofah/master/frames>
* <http://librelist.com/browser/loofah>

Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so
it's fast and has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
most likely won't make your code less secure.

nokogiri security update 1.8.2 released

nokogiri version 1.8.2 has been released.

This release contains a few new features and bugfixes in addition to the
security update, wherein the vendored libxml2 and libxslt versions have
been updated:

* libxml2 is updated from 2.9.5 to 2.9.7

* libxslt is updated from 1.1.30 to 1.1.32

which addresses at least one published vulnerability, CVE-2017-15412,
which rates a "priority:medium" from Canonical.

loofah 2.1.0 released

loofah version 2.1.0 has been released!

TL;DR: CSS property parsing and sanitization has been re-implemented on top
of Crass:

<https://github.com/rgrove/crass>

replacing the regexes that were lifted from html5lib back in 2009. I'm
relatively sure this is a good thing.

Note that Loofah underlies Rails sanitization since 4.2, so please do let
me know via Github issue if this breaks any behavior for you.

nokogiri security update 1.8.1 Released

nokogiri version 1.8.1 has been released.

This is primarily a security update, wherein the vendored libxml2 and
libxslt versions have been updated:

- libxml 2.9.5
- libxslt 1.1.30

which address the CVEs called out in USN3424-1 [1].

These patches only apply when using Nokogiri's vendored libxml2 library.

nokogiri 1.8.0 Released

Nokogiri version 1.8.0 has been released!

* <http://nokogiri.org>
* Installation: <http://nokogiri.org/tutorials/installing_nokogiri.html>
* Tutorials: <http://nokogiri.org>
* README: <https://github.com/sparklemotion/nokogiri>
* Mailing List: <https://groups.google.com/group/nokogiri-talk>
* Bug Reports: <https://github.com/sparklemotion/nokogiri/issues>

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser.

# 1.8.0 / 2017-06-04

## Backwards incompatibilities

This release ends support for Ruby 2.1 on Windows in the `x86-mingw32` and
`x64-mingw32` platform gems (containing pre-compiled DLLs).

nokogiri security update 1.7.2 released

nokogiri version 1.7.2 has been released.

This is a security update based on 1.7.1, addressing two upstream libxslt
1.1.29 vulnerabilities classified as "Medium" by Canonical and given a
CVSS3 score of "6.5 Medium" and "8.8 High" by Red Hat.

These patches only apply when using Nokogiri's vendored libxslt package.

nokogiri security update 1.7.1 released

nokogiri version 1.7.1 has been released.

This is a security update based on 1.7.0.1, addressing two upstream libxml
2.9.4 vulnerabilities classified as "Medium" by Canonical, and CVSS3 score
of "5.3 Medium" by Red Hat.

These patches only apply when using Nokogiri's vendored libxml2 package.
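The 1.8.5, 1.8.1, 1.7.2 and 1.7.1 posts above all carry the same caveat: the libxml2/libxslt fixes shipped inside the gem only matter if you are running Nokogiri's vendored libraries, and if you are on system libraries the fix has to come from your distro. The following is an added example, not code from the Nokogiri project, that turns that caveat into a check. It relies on `Nokogiri::VERSION_INFO` (the hash that `nokogiri -v` prints as YAML), whose `:libxml` entry reports `:source` as `"packaged"` or `"system"` together with the `:compiled` and `:loaded` libxml2 versions; the `VENDORED_FIXES` table, the sample `VERSION_INFO` hashes and every helper name below are constructed for this example.

```ruby
# Added example, not Nokogiri project code: decide whether one of the
# "vendored libxml2" advisories above applies to a given Nokogiri install.
#
# On CRuby, Nokogiri::VERSION_INFO[:libxml] has :source ("packaged" = the
# gem's vendored libxml2, "system" = the distro library) plus :compiled and
# :loaded libxml2 version strings. JRuby builds use Xerces and have no
# :libxml entry at all.
require "rubygems" # Gem::Version compares multi-segment versions such as 1.6.7.2

# Nokogiri release that completes each vendored-libxml2 fix, as stated in the
# posts on this page. Table constructed for this example.
VENDORED_FIXES = {
  "CVE-2015-5312"  => "1.6.7.1",
  "CVE-2015-7499"  => "1.6.7.2", # partially in 1.6.7.1, completed in 1.6.7.2
  "CVE-2017-15412" => "1.8.2",
}.freeze

# Returns one of:
#   :not_applicable    - no :libxml entry (JRuby); a libxml2 advisory is moot
#   :check_with_distro - system libxml2; upgrading the gem changes nothing
#   :upgrade_required  - vendored libxml2 from a release older than the fix
#   :patched           - vendored libxml2 at or above the fixing release
def advisory_status(version_info, nokogiri_version, cve)
  fixed_in = VENDORED_FIXES.fetch(cve)
  libxml = version_info[:libxml]
  return :not_applicable unless libxml

  case libxml[:source]
  when "system"
    :check_with_distro
  when "packaged"
    Gem::Version.new(nokogiri_version) >= Gem::Version.new(fixed_in) ? :patched : :upgrade_required
  else
    raise ArgumentError, "unexpected libxml source #{libxml[:source].inspect}"
  end
end

# A system-library build can still surprise you at runtime: the libxml2 the
# extension was compiled against and the one actually loaded may differ, so
# the distro's patch level of the *loaded* library is what counts.
def runtime_mismatch?(version_info)
  libxml = version_info[:libxml]
  return false unless libxml && libxml[:source] == "system"
  libxml[:compiled] != libxml[:loaded]
end

# Live check when the gem is installed; nil otherwise so the example runs offline.
def live_status(cve)
  require "nokogiri"
  advisory_status(Nokogiri::VERSION_INFO, Nokogiri::VERSION, cve)
rescue LoadError
  nil
end

# Constructed sample VERSION_INFO hashes (shape as reported by CRuby builds).
PACKAGED_INFO = { libxml: { source: "packaged", compiled: "2.9.5", loaded: "2.9.5" } }.freeze
SYSTEM_INFO   = { libxml: { source: "system",   compiled: "2.9.4", loaded: "2.9.7" } }.freeze
JRUBY_INFO    = { xerces: "2.12.0", nekohtml: "1.9.22" }.freeze # constructed JRuby-style entry

if __FILE__ == $PROGRAM_NAME
  puts advisory_status(PACKAGED_INFO, "1.8.1", "CVE-2017-15412") # upgrade_required
  puts advisory_status(PACKAGED_INFO, "1.8.2", "CVE-2017-15412") # patched
  puts advisory_status(SYSTEM_INFO,   "1.8.1", "CVE-2017-15412") # check_with_distro
  puts advisory_status(JRUBY_INFO,    "1.8.1", "CVE-2017-15412") # not_applicable
  puts runtime_mismatch?(SYSTEM_INFO)                            # true
  puts live_status("CVE-2017-15412").inspect                     # nil unless nokogiri is installed
end
```

Run it as a script to see the constructed cases, or call `live_status` from a console on a real install; `Gem::Version` is used rather than string comparison so that `1.6.7.2` sorts after `1.6.7.1` and `1.10.x` after `1.9.x`.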

CFP: GORUCO 2017, NYC, June 24th

# GORUCO 2017 is now accepting talk proposals!

On Saturday, June 24th, [GORUCO][] is celebrating its 11th convocation as
NYC's premier regional software conference. It's a one-day, single-track
event geared toward highly motivated and experienced developers that's been
celebrated for its warm, personal spirit and strong sense of community.

[GORUCO]: http://goruco.com

You can start submitting your proposals at <http://cfp.goruco.com/>. If you
have questions, please email ... at goruco dot com.

hoe-debugging 1.3.0 released

hoe-debugging version 1.3.0 has been released!

* <http://github.com/jbarnette/hoe-debugging>

A Hoe plugin to help you debug your C extensions. This plugin provides
`test:gdb` and `test:valgrind` tasks (plus a few variants).

See the Hoe::Debugging module for a few configuration options.

This plugin expects you to have `gdb` and `valgrind` available in your PATH.

Changes:

### 1.3.0 / 2017-01-20

* The rake task now fails if valgrind detects any errors during the run.

nokogiri 1.7.0.1 Released

nokogiri version 1.7.0.1 has been released!

* Tutorials: <http://nokogiri.org>
* README: <https://github.com/sparklemotion/nokogiri>
* Mailing List: <https://groups.google.com/group/nokogiri-talk>
* Bug Reports: <https://github.com/sparklemotion/nokogiri/issues>

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.

Changes:

* Fix OpenBSD support. (#1569) (related to #1543)

nokogiri 1.7.0 Released

nokogiri version 1.7.0 has been released!

No meaningful functional changes in this release. This release is primarily
serving as a bridge release for ending support of versions of Ruby that are
no longer supported, and introducing support for Ruby 2.4.0 without
deprecation warnings.

loofah-activerecord 2.0.0 Released

loofah-activerecord version 2.0.0 has been released!

* <http://github.com/flavorjones/loofah-activerecord>
* <http://rubydoc.info/github/flavorjones/loofah-activerecord/master/frames>
* <http://librelist.com/browser/loofah>

`loofah-activerecord` extends `loofah`'s HTML sanitization into Rails
ActiveRecord models.

See more about `loofah` at: <http://github.com/flavorjones/loofah>

Changes:

## 2.0 (2016-11-22)

Backwards incompatibilities:

* Removed support for Rails <= 3.0.

Features:

* Added support for Rails 5.

nokogiri 1.6.8.1 Released

nokogiri version 1.6.8.1 has been released!

Changes:

=== 1.6.8.1 / 2016-10-03

==== Dependency License Notes

Removes required dependency on the `pkg-config` gem. This dependency was
introduced in v1.6.8 and, because it's distributed under LGPL, was
objectionable to some Nokogiri users (#1488, #1496).

This version makes `pkg-config` an optional dependency. If it's installed,
it's used; but otherwise Nokogiri will attempt to work around its absence.

This gem was only used when building Nokogiri against system libraries when
the Linux tool `pkg-config` was not present.

nokogiri 1.6.8 Released

nokogiri version 1.6.8 has been released!

* Tutorials: <http://nokogiri.org>
* Installation: <http://nokogiri.org/tutorials/installing_nokogiri.html>
* Mailing List: <https://groups.google.com/group/nokogiri-talk>

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's
many features is the ability to search documents via XPath or CSS3
selectors.

Changes:

==== Security Notes

[MRI] Bundled libxml2 is upgraded to 2.9.4, which fixes many security
issues.

GORUCO 2016 tickets and speaker line-up

Hello Rubyists,

I'm excited to invite you to GORUCO -- one of the U.S.'s largest regional
Ruby conferences, happening on Saturday, June 25. For the past 10 years,
GORUCO has been organized by Ruby developers (just like you and me) who
volunteer within the community to bring people together to share and learn
in exciting technical sessions.

license_finder 2.1.0 released

LicenseFinder v2.1.0 has been released!

LicenseFinder works with your package managers to find dependencies,
detect the licenses of the packages in them, compare those licenses
against a user-defined whitelist, and give you an actionable exception
report.

* code: <https://github.com/pivotal/LicenseFinder>
* support:
  * license- ... at googlegroups dot com
  * <https://groups.google.com/forum/#!forum/license-finder>
* backlog: <https://www.pivotaltracker.com/s/projects/234851>

### Supported project types

* Ruby Gems (via `bundler`)
* Python Eggs (via `pip`)
* Node.js (via `npm`)
* Bower
* Nuget (with

nokogiri security update - 1.6.7.2

Hello,

Nokogiri version 1.6.7.2 has been released, pulling in several upstream
patches to the vendored libxml2 to address the following CVE:

CVE-2015-7499

Ubuntu classifies this as "Priority: *Low*", Red Hat classifies this as
"Impact: *Moderate*", and NIST classifies this as "Severity: 5.0 (*MEDIUM*)".

Full details are included below.

Please note that although CVE-2015-7499 was partially addressed in the
1.6.7.1 release, an additional commit was included in the latest Canonical
security update from 2016-01-19 (along with two previous commits necessary
for that patch to apply cleanly) als

nokogiri security update - 1.6.7.1

Hello,

Nokogiri version 1.6.7.1 has been released, pulling in several upstream
patches to the vendored libxml2 to address the following CVEs:

CVE-2015-5312
CVE-2015-7497
CVE-2015-7498
CVE-2015-7499
CVE-2015-7500
CVE-2015-8241
CVE-2015-8242
CVE-2015-8317

These CVEs are all *low* or *medium* priority according to Canonical,
however NIST NVD gives CVE-2015-5312 a *high* severity score.

hoe-debugging 1.2.1 Released

hoe-debugging version 1.2.1 has been released!

* <http://github.com/jbarnette/hoe-debugging>

A Hoe plugin to help you debug your C extensions. This plugin provides
`test:gdb` and `test:valgrind` tasks (plus a few variants).

Changes:

### 1.2.1 / 2015-12-16

Features:

* Set larger stack size (via `ulimit -s`) to properly support Ruby 2.1 and
later

nokogiri 1.6.7 Released

nokogiri version 1.6.7 has been released!

* <http://nokogiri.org>
* README: <https://github.com/sparklemotion/nokogiri>
* Mailing List: <https://groups.google.com/group/nokogiri-talk>
* Bug Reports: <https://github.com/sparklemotion/nokogiri/issues>

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.

Changes:

### 1.6.7 / 2015-11-29

==== Notes

This version supports native builds on Windows using the RubyInstaller
DevKit.