Update dependency rexml to v3.3.2 [SECURITY] #250
Merged
This PR contains the following updates:

rexml: 3.2.8 -> 3.3.2
GitHub Vulnerability Alerts

CVE-2024-39908

Impact
The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you may be affected by these vulnerabilities.

Patches
The REXML gem 3.3.2 or later includes the patches that fix these vulnerabilities.

Workarounds
Don't parse untrusted XMLs.
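As an added defender-side check (this is example code, not part of the Renovate PR or of the rexml project): the snippet below refuses to hand untrusted XML to REXML unless the loaded gem is at least 3.3.2, the version the advisory names as patched, and caps the payload size as a cheap backstop before the parser sees the input. The byte cap, the helper names and the `rexml_patched?` / `parse_untrusted_xml` functions are assumptions chosen for illustration.

```ruby
# Added example: gate untrusted XML parsing on a patched rexml version and an
# input size cap. Not code from the Renovate PR or the rexml project.
require "rubygems"

# Per the advisory, rexml 3.3.2 or later carries the CVE-2024-39908 fixes.
PATCHED_REXML = Gem::Version.new("3.3.2")

# Assumed cap on untrusted input; tune for the documents your application expects.
MAX_UNTRUSTED_XML_BYTES = 1 * 1024 * 1024

# True when the given rexml version string is at or above the patched release.
# Gem::Version compares numerically, so "3.10.0" is correctly newer than "3.3.2".
def rexml_patched?(version_string)
  Gem::Version.new(version_string) >= PATCHED_REXML
end

# Version of the rexml gem visible to this process, or nil when none is found.
def installed_rexml_version
  spec = Gem.loaded_specs["rexml"] || Gem::Specification.find_by_name("rexml")
  spec.version.to_s
rescue Gem::MissingSpecError
  nil
end

# Parse XML from an untrusted source only when the payload is small and the
# loaded rexml is patched; otherwise fail closed with an explicit error.
# rexml is required lazily so the guards run even where the gem is absent.
def parse_untrusted_xml(xml, max_bytes: MAX_UNTRUSTED_XML_BYTES)
  if xml.bytesize > max_bytes
    raise ArgumentError, "untrusted XML is #{xml.bytesize} bytes, cap is #{max_bytes}"
  end

  version = installed_rexml_version
  unless version && rexml_patched?(version)
    raise "rexml #{version.inspect} is older than #{PATCHED_REXML}; refusing untrusted input"
  end

  require "rexml/document"
  REXML::Document.new(xml)
end
```

The version gate turns a silent downgrade (a lockfile that pins 3.2.8 again) into a loud failure on the first untrusted document, and the byte cap bounds the work any single request can cause even after the upgrade.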
References
Release Notes

ruby/rexml (rexml)

v3.3.2: REXML 3.3.2 - 2024-07-16

Improvements
- Improved parse performance.
- Improved parse performance.
- Added support for raising a parse exception when an XML has extra content after the root element.
- Added support for raising a parse exception when an XML declaration exists in the wrong position.
- Removed a needless space after the XML declaration in pretty print mode.
- Stopped emitting the `:text` event after the root element.

Fixes
- Fixed the `characters` callback.

Thanks
- NAITOH Jun
- Watson

v3.3.1: REXML 3.3.1 - 2024-06-25

Improvements
- Added support for detecting malformed top-level comments.
- Improved `REXML::Element#attribute` performance.
- Added support for detecting malformed `<!-->` comments.
- Added support for detecting unclosed `DOCTYPE`.
- Added `changelog_uri` metadata to gemspec.
- Improved parse performance.

Fixes
- Fixed a bug that large XML can't be parsed.
- Fixed a bug that private constants are visible.

Thanks
- Hiroya Fujinami
- NAITOH Jun
- fynsta

v3.3.0: REXML 3.3.0 - 2024-06-11

Improvements

Thanks

v3.2.9: REXML 3.2.9 - 2024-06-09

Improvements
- Added support for old strscan.
- Improved attribute value parse performance.
- Improved `REXML::Node#each_recursive` performance.
- Improved text parse performance.

Thanks
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.