DevHeads.net

Postings by Mike Dalessio

chromedriver-helper 2.0.0 released

chromedriver-helper 2.0.0 has been released!

http://github.com/flavorjones/chromedriver-helper

Easy installation and use of chromedriver, the Chromium project's Selenium
webdriver adapter.

2.0.0 - 2019-09-15
**Backwards-incompatible change:**

The installed shadow executable `chromedriver` has been renamed to
`chromedriver-helper` to work around issues with projects _not_ using the
gem on a system on which the gem is installed.

nokogiri 1.8.4 Released

Nokogiri version 1.8.4 has been released!

This release fixes a memory leak related to creating namespaced nodes which
was introduced waaaaay back in v1.5.7 (March 2013). If you're building or
modifying XML documents by inserting nodes with namespaces, it's probably
worth upgrading.

Thanks to @paddor for finding this memory leak!

# 1.8.4 / 2018-07-03

## Bug fixes

* [MRI] Fix memory leak when creating nodes with namespaces. (Introduced in
v1.5.7) [#1771]

nokogiri 1.8.3 released

Nokogiri version 1.8.3 has been released!

TL;DR: This is a feature and bugfix release. There's also a commit reverted
in the vendored upstream libxml2 that the Nokogiri maintainers feel
introduced unnecessary security risk involving sanitizing HTML attributes.
You're encouraged to read the release notes and the related documents if
you're curious or want to evaluate whether you should upgrade.

The release is being made from NYC, at the twelfth and final GORUCO.

Loofah vulnerability reporting process

Hi all,

The Loofah project has published a vulnerability reporting process, to
allow private disclosure of security vulnerabilities.

More details are at
https://github.com/flavorjones/loofah/blob/master/SECURITY.md

Or you can report vulnerabilities directly at https://hackerone.com/loofah

Special thanks to HackerOne for their support of OSS projects.

Thanks for reading,
-m

Nokogiri vulnerability reporting process

Hi all,

The Nokogiri core contributors have published a vulnerability reporting
process, to allow private disclosure of security vulnerabilities.

More details are at http://www.nokogiri.org/tutorials/security.html

Or you can report vulnerabilities directly at https://hackerone.com/nokogiri

Special thanks to HackerOne for their support of OSS projects.

Thanks for reading,
-m

loofah v2.2.0 released

loofah version 2.2.0 has been released!

* <https://github.com/flavorjones/loofah>
* <http://rubydoc.info/github/flavorjones/loofah/master/frames>
* <http://librelist.com/browser/loofah>

Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so
it's fast and has a nice API.

Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
most likely won't make your code less secure.
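The allow-list ("whitelist") approach the announcement above describes, as an added illustration that is not Loofah's own code: unknown elements are pruned together with their content (the behaviour of Loofah's `:prune` scrubber), attributes not on the per-element allow-list are dropped, and `href` values are only kept for a short list of URI schemes. Loofah scrubs a tree built by Nokogiri's real HTML parser; this sketch uses the stdlib REXML instead, so it only accepts well-formed (XHTML-style) markup, and its allow-lists are made up for the example and far smaller than the html5lib-derived ones Loofah ships. The sample input is constructed.

```ruby
require "rexml/document"
require "uri"

# Added illustration of allow-list HTML sanitization; NOT Loofah's code.
# Loofah scrubs a tree from Nokogiri's real HTML parser; this sketch parses
# with the stdlib REXML and therefore only accepts well-formed (XHTML-style)
# input. The allow-lists below are made up for the example.
ALLOWED_ELEMENTS   = %w[p a b i em strong ul ol li br].freeze
ALLOWED_ATTRIBUTES = { "a" => %w[href title] }.freeze   # any other attribute is dropped
ALLOWED_SCHEMES    = %w[http https mailto].freeze

# Relative URIs and allow-listed schemes pass; "javascript:", "data:",
# "vbscript:" and unparseable values are rejected.
def safe_uri?(value)
  uri = URI.parse(value.strip)
  uri.scheme.nil? || ALLOWED_SCHEMES.include?(uri.scheme.downcase)
rescue URI::InvalidURIError
  false
end

# Keep only attributes on the element's allow-list; href must also pass safe_uri?.
def scrub_attributes(el)
  allowed = ALLOWED_ATTRIBUTES.fetch(el.name.downcase, [])
  attrs = []
  el.attributes.each_attribute { |a| attrs << a }   # copy: we delete while iterating
  attrs.each do |a|
    keep = allowed.include?(a.name) && (a.name != "href" || safe_uri?(a.value))
    el.attributes.delete(a.name) unless keep
  end
end

# Walk the tree: elements not on the allow-list are pruned with their whole
# subtree (so <script>...</script> disappears, content included); comments,
# CDATA and processing instructions are dropped; plain text is kept and
# re-escaped by REXML on output.
def scrub(node)
  node.to_a.each do |child|            # to_a copies the child list, so removal is safe
    case child
    when REXML::Element
      if ALLOWED_ELEMENTS.include?(child.name.downcase)
        scrub_attributes(child)
        scrub(child)
      else
        child.remove
      end
    when REXML::CData, REXML::Comment, REXML::Instruction
      child.remove
    end
  end
end

# Sanitize an HTML fragment and return it serialized again.
def sanitize_fragment(html)
  doc = REXML::Document.new("<root>#{html}</root>")   # raises REXML::ParseException on malformed input
  scrub(doc.root)
  doc.root.to_a.map(&:to_s).join
end

# Constructed sample input carrying a few classic XSS vectors.
SAMPLE = '<p onclick="steal()">Hello <b>world</b></p>' \
         '<script>alert(1)</script>' \
         '<a href="javascript:alert(2)">click</a>' \
         '<a href="https://example.com/" onmouseover="x()">ok</a>' \
         '<!-- hidden --><i>done</i>'

puts sanitize_fragment(SAMPLE) if __FILE__ == $0
```

Note the two different outcomes for the two `<a>` tags: the element itself is allowed, so both survive, but the `javascript:` link loses its `href` while the `https:` link keeps it and only loses `onmouseover`. A real-world sanitizer also has to handle HTML's forgiving syntax (unclosed tags, entities like `&nbsp;`, case-insensitive names), which is why Loofah sits on top of Nokogiri rather than on an XML parser.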

nokogiri security update 1.8.2 released

nokogiri version 1.8.2 has been released.

This release contains a few new features and bugfixes in addition to the
security update, wherein the vendored libxml2 and libxslt versions have
been updated:

* libxml2 is updated from 2.9.5 to 2.9.7

* libxslt is updated from 1.1.30 to 1.1.32

which addresses at least one published vulnerability, CVE-2017-15412,
which rates a "priority:medium" from Canonical.

loofah 2.1.0 released

loofah version 2.1.0 has been released!

TL;DR: CSS property parsing and sanitization has been re-implemented on top
of Crass:

https://github.com/rgrove/crass

replacing the regexes that were lifted from html5lib back in 2009. I'm
relatively sure this is a good thing.

Note that Loofah underlies Rails sanitization since 4.2, so please do let
me know via Github issue if this breaks any behavior for you.

nokogiri security update 1.8.1 Released

nokogiri version 1.8.1 has been released.

This is primarily a security update, wherein the vendored libxml2 and
libxslt versions have been updated:

- libxml 2.9.5
- libxslt 1.1.30

which address the CVEs called out in USN3424-1 [1].

These patches only apply when using Nokogiri's vendored libxml2 library.

nokogiri 1.8.0 Released

Nokogiri version 1.8.0 has been released!

* http://nokogiri.org
* Installation: http://nokogiri.org/tutorials/installing_nokogiri.html
* Tutorials: http://nokogiri.org
* README: https://github.com/sparklemotion/nokogiri
* Mailing List: https://groups.google.com/group/nokogiri-talk
* Bug Reports: https://github.com/sparklemotion/nokogiri/issues

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser.

# 1.8.0 / 2017-06-04

## Backwards incompatibilities

This release ends support for Ruby 2.1 on Windows in the `x86-mingw32` and
`x64-mingw32` platform gems (containing pre-compiled DLLs).

nokogiri security update 1.7.2 released

nokogiri version 1.7.2 has been released.

This is a security update based on 1.7.1, addressing two upstream libxslt
1.1.29 vulnerabilities classified as "Medium" by Canonical and given a
CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat.

These patches only apply when using Nokogiri's vendored libxslt package.

nokogiri security update 1.7.1 released

nokogiri version 1.7.1 has been released.

This is a security update based on 1.7.0.1, addressing two upstream libxml
2.9.4 vulnerabilities classified as "Medium" by Canonical, and CVSS3 score
of "5.3 Medium" by RedHat.

These patches only apply when using Nokogiri's vendored libxml2 package.
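The 1.8.1, 1.7.2 and 1.7.1 announcements above all end with the same caveat: the bundled fixes only apply when Nokogiri uses its vendored libxml2, while a build against the system library gets its fixes from the distro. The check below is an added example, not Nokogiri's own code, for deciding which case an install is in. It assumes the shape Nokogiri reports in `Nokogiri::VERSION_INFO` (the same data `nokogiri -v` prints): a `"libxml"` entry with `"source"` set to `"packaged"` or `"system"` plus `"compiled"` and `"loaded"` version strings, and no such entry at all on JRuby. The version threshold defaults to the 2.9.7 named in the 1.8.2 announcement and is a parameter; the `VERSION_INFO` hashes at the bottom are constructed stand-ins, not output from real installs.

```ruby
# Added example, not Nokogiri's own code. Assumption: Nokogiri::VERSION_INFO
# carries {"libxml" => {"source" => "packaged"|"system",
#                        "compiled" => "x.y.z", "loaded" => "x.y.z"}}
# for MRI builds and no "libxml" key on JRuby.

# Minimum vendored libxml2 version from the 1.8.2 announcement
# (the update that addresses CVE-2017-15412).
FIXED_LIBXML2 = "2.9.7"

# Returns :not_applicable  (no vendored libxml2; rely on the distro package),
#         :needs_upgrade   (vendored libxml2 older than the fixed version), or
#         :up_to_date.
# The *loaded* version is compared, falling back to the compile-time one.
def vendored_libxml2_status(version_info, fixed = FIXED_LIBXML2)
  libxml = version_info["libxml"]
  return :not_applicable unless libxml && libxml["source"] == "packaged"
  loaded = libxml["loaded"] || libxml["compiled"]
  Gem::Version.new(loaded) >= Gem::Version.new(fixed) ? :up_to_date : :needs_upgrade
end

# Constructed VERSION_INFO hashes standing in for four kinds of install.
VENDORED_OLD = { "libxml" => { "source" => "packaged", "compiled" => "2.9.5", "loaded" => "2.9.5" } }
VENDORED_NEW = { "libxml" => { "source" => "packaged", "compiled" => "2.9.7", "loaded" => "2.9.7" } }
SYSTEM_BUILD = { "libxml" => { "source" => "system",   "compiled" => "2.9.4", "loaded" => "2.9.4" } }
JRUBY_BUILD  = { "nokogiri" => "1.8.2" }   # JRuby uses Xerces, no libxml entry

if __FILE__ == $0
  # Against a real install: require "nokogiri" first and pass Nokogiri::VERSION_INFO.
  info = defined?(Nokogiri::VERSION_INFO) ? Nokogiri::VERSION_INFO : VENDORED_OLD
  puts "vendored libxml2: #{vendored_libxml2_status(info)}"
end
```

A `:not_applicable` result is not a clean bill of health: it means the Nokogiri gem upgrade did nothing for libxml2 and the system package (for example the one fixed by the Ubuntu USN cited in the 1.8.1 post) is what needs checking.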

CFP: GORUCO 2017, NYC, June 24th

# GORUCO 2017 is now accepting talk proposals!

On Saturday, June 24th, [GORUCO][] is celebrating its 11th convocation as
NYC's premier regional software conference. It's a one-day, single-track
event geared toward highly motivated and experienced developers that's been
celebrated for its warm, personal spirit and strong sense of community.

[GORUCO]: http://goruco.com

You can start submitting your proposals at http://cfp.goruco.com/. If you
have questions, please email ... at goruco dot com.

hoe-debugging 1.3.0 released

hoe-debugging version 1.3.0 has been released!

* <http://github.com/jbarnette/hoe-debugging>

A Hoe plugin to help you debug your C extensions. This plugin provides
`test:gdb` and `test:valgrind` tasks (plus a few variants).

See the Hoe::Debugging module for a few configuration options.

This plugin expects you to have `gdb` and `valgrind` available in your PATH.

Changes:

### 1.3.0 / 2017-01-20

* The rake task now fails if valgrind detects any errors during the run.

nokogiri 1.7.0.1 Released

nokogiri version 1.7.0.1 has been released!

* Tutorials: http://nokogiri.org
* README: https://github.com/sparklemotion/nokogiri
* Mailing List: https://groups.google.com/group/nokogiri-talk
* Bug Reports: https://github.com/sparklemotion/nokogiri/issues

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.

Changes:

* Fix OpenBSD support. (#1569) (related to #1543)

nokogiri 1.7.0 Released

nokogiri version 1.7.0 has been released!

No meaningful functional changes in this release. This release is primarily
serving as a bridge release for ending support of versions of Ruby that are
no longer supported, and introducing support for Ruby 2.4.0 without
deprecation warnings.

loofah-activerecord 2.0.0 Released

loofah-activerecord version 2.0.0 has been released!

* <http://github.com/flavorjones/loofah-activerecord>
* <http://rubydoc.info/github/flavorjones/loofah-activerecord/master/frames>
* <http://librelist.com/browser/loofah>

`loofah-activerecord` extends `loofah`'s HTML sanitization into Rails
ActiveRecord models.

See more about `loofah` at: http://github.com/flavorjones/loofah

Changes:

## 2.0 (2016-11-22)

Backwards incompatibilities:

* Removed support for Rails <= 3.0.

Features:

* Added support for Rails 5.

nokogiri 1.6.8.1 Released

nokogiri version 1.6.8.1 has been released!

Changes:

=== 1.6.8.1 / 2016-10-03

==== Dependency License Notes

Removes required dependency on the `pkg-config` gem. This dependency was
introduced in v1.6.8 and, because it's distributed under LGPL, was
objectionable to some Nokogiri users (#1488, #1496).

This version makes `pkg-config` an optional dependency. If it's installed,
it's used; but otherwise Nokogiri will attempt to work around its absence.

This gem was only used when building Nokogiri against system libraries when
the Linux tool `pkg-config` was not present.

nokogiri 1.6.8 Released

nokogiri version 1.6.8 has been released!

* Tutorials: http://nokogiri.org
* Installation: http://nokogiri.org/tutorials/installing_nokogiri.html
* Mailing List: https://groups.google.com/group/nokogiri-talk

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's
many features is the ability to search documents via XPath or CSS3
selectors.

Changes:

==== Security Notes

[MRI] Bundled libxml2 is upgraded to 2.9.4, which fixes many security
issues.

GORUCO 2016 tickets and speaker line-up

Hello Rubyists,

I'm excited to invite you to GORUCO -- one of the U.S.'s largest regional
Ruby conferences, happening on Saturday, June 25. For the past 10 years,
GORUCO has been organized by Ruby developers (just like you and me) who
volunteer within the community to bring people together to share and learn
in exciting technical sessions.

license_finder 2.1.0 released

LicenseFinder v2.1.0 has been released!

LicenseFinder works with your package managers to find dependencies,
detect the licenses of the packages in them, compare those licenses
against a user-defined whitelist, and give you an actionable exception
report.

* code: https://github.com/pivotal/LicenseFinder
* support:
  * license- ... at googlegroups dot com
  * https://groups.google.com/forum/#!forum/license-finder
* backlog: https://www.pivotaltracker.com/s/projects/234851

### Supported project types

* Ruby Gems (via `bundler`)
* Python Eggs (via `pip`)
* Node.js (via `npm`)
* Bower
* Nuget (with

nokogiri security update - 1.6.7.2

Hello,

Nokogiri version 1.6.7.2 has been released, pulling in several upstream
patches to the vendored libxml2 to address the following CVE:

CVE-2015-7499

Ubuntu classifies this as "Priority: *Low*", RedHat classifies this as
"Impact: *Moderate*", and NIST classifies this as "Severity: 5.0 (*MEDIUM*)".

Full details are included below.

Please note that although CVE-2015-7499 was partially addressed in the
1.6.7.1 release, an additional commit was included in the latest Canonical
security update from 2016-01-19 (along with two previous commits necessary
for that patch to apply cleanly) als

nokogiri security update - 1.6.7.1

Hello,

Nokogiri version 1.6.7.1 has been released, pulling in several upstream
patches to the vendored libxml2 to address the following CVEs:

CVE-2015-5312
CVE-2015-7497
CVE-2015-7498
CVE-2015-7499
CVE-2015-7500
CVE-2015-8241
CVE-2015-8242
CVE-2015-8317

These CVEs are all *low* or *medium* priority according to Canonical,
however NIST NVD gives CVE-2015-5312 a *high* severity score.

hoe-debugging 1.2.1 Released

hoe-debugging version 1.2.1 has been released!

* <http://github.com/jbarnette/hoe-debugging>

A Hoe plugin to help you debug your C extensions. This plugin provides
`test:gdb` and `test:valgrind` tasks (plus a few
variants).

Changes:

### 1.2.1 / 2015-12-16

Features:

* Set larger stack size (via `ulimit -s`) to properly support Ruby 2.1 and
later

nokogiri 1.6.7 Released

nokogiri version 1.6.7 has been released!

* <http://nokogiri.org>
* README: <https://github.com/sparklemotion/nokogiri>
* Mailing List: <https://groups.google.com/group/nokogiri-talk>
* Bug Reports: <https://github.com/sparklemotion/nokogiri/issues>

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among
Nokogiri's many features is the ability to search documents via XPath
or CSS3 selectors.

Changes:

### 1.6.7 / 2015-11-29

==== Notes

This version supports native builds on Windows using the RubyInstaller
DevKit.

nokogiri 1.6.6.4 Released (security)

nokogiri version 1.6.6.4 has been released!

Changes:

### 1.6.6.4 / 2015-11-19

This version pulls in an upstream patch to the vendored libxml2 to address:

* unclosed comment uninitialized access issue (#1376)

This issue does not have a CVE assigned to it as this time. Background at
https://bugzilla.gnome.org/show_bug.cgi?id=746048

Please also note that Canonical has not yet pulled this patch in to their
backport, to our knowledge.

nokogiri 1.6.6.3 Released (security update)

nokogiri version 1.6.6.3 has been released!

Changes:

### 1.6.6.3 / 2015-11-16

This version pulls in several upstream patches to the vendored libxml2 and
libxslt to address:

* CVE-2015-1819
* CVE-2015-7941_1
* CVE-2015-7941_2
* CVE-2015-7942
* CVE-2015-7942-2
* CVE-2015-8035
* CVE-2015-7995

See #1374 (https://github.com/sparklemotion/nokogiri/issues/1374) for
details.

nokogiri 1.6.7.rc2 Released

nokogiri version 1.6.7.rc2 has been released!

This is intended as a "request for comments" release focused on improved
Windows support. If no known blockers are raised by Friday, 4 Sept 2015,
this will be released as 1.6.7 final.

If you have ever complained about Windows support, this is your opportunity
to contribute.

mini_portile 0.7.0.rc1 released

mini_portile v0.7.0.rc1 has been released!

Many thanks to @larskanis, @knu, and @kirikak2, who all contributed
code, ideas, or both to this release.

This release improves portability, focusing on the Windows platform.

loofah 2.1.0.rc1 released

loofah version 2.1.0.rc1 has been released!

TL;DR: CSS property parsing and sanitization has been re-implemented on top
of Crass:

https://github.com/rgrove/crass

replacing the regexes that were lifted from html5lib back in 2009. I'm
relatively sure this is a good thing.

I would very much like feedback on this implementation before cutting an
actual release, as Loofah is the underlying implementation for Rails
sanitization, and thus has a large surface area.