Bump nokogiri floor to 1.19.3 (GHSA-c4rq-3m3g-8wgx) #714
Merged
Conversation
Pull in the fix for [GHSA-c4rq-3m3g-8wgx][advisory] (high-severity ReDoS in Nokogiri's CSS selector tokenizer; vulnerable: `< 1.19.3`). Adds `>= 1.19.3` alongside the existing `~> 1.11` constraint so consumers that bump `fastlane-plugin-wpmreleasetoolkit` automatically resolve to nokogiri >= 1.19.3 going forward. Existing consumer Gemfile.lock entries still need a `bundle update` per repo to actually advance their pinned version — Dependabot reads the consumer's lockfile, not the plugin gemspec.

[advisory]: GHSA-c4rq-3m3g-8wgx

---
Generated with the help of Claude Code, https://claude.com/claude-code
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Pull request overview
Updates the Release Toolkit Fastlane plugin’s Nokogiri dependency constraints to ensure downstream consumers resolve a patched Nokogiri version addressing GHSA-c4rq-3m3g-8wgx (CSS selector tokenizer ReDoS).
Changes:
- Raise the runtime Nokogiri requirement to `>= 1.19.3` (within Nokogiri 1.x).
- Refresh `Gemfile.lock` to resolve Nokogiri `1.19.3`.
- Add a Trunk changelog entry documenting the security-motivated dependency floor bump.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| Gemfile.lock | Updates resolved Nokogiri version and dependency constraint in the local path spec to >= 1.19.3. |
| fastlane-plugin-wpmreleasetoolkit.gemspec | Tightens runtime dependency constraint to ensure Nokogiri >= 1.19.3 is selected. |
| CHANGELOG.md | Records the Nokogiri security floor bump under Trunk → Bug Fixes. |
Contributor
Author
Admin-merging to move forward with the Internal ref: p1778137169508249-slack-C02KLTL3MKM
Contributor
LGTM, by the way 👍
What does it do?
Tightens the `nokogiri` runtime dependency in `fastlane-plugin-wpmreleasetoolkit.gemspec` from `~> 1.11` to `~> 1.11, >= 1.19.3` to pull in the fix for GHSA-c4rq-3m3g-8wgx — a high-severity ReDoS in Nokogiri's CSS selector tokenizer (vulnerable: `< 1.19.3`, patched: `1.19.3`).
Why
Several Automattic mobile repos consume nokogiri transitively through this plugin and have open Dependabot alerts on `< 1.19.3` — e.g. `pocket-casts-android` alert #125. Adding the floor here doesn't directly close those alerts (Dependabot reads the consumer's `Gemfile.lock`, not this gemspec), but it ensures that any future toolkit bump in a downstream repo carries the security fix along: bundler will refuse to resolve nokogiri below `1.19.3` once the consumer picks up this version of the plugin.
How to test
- `Gemfile.lock` was refreshed via `bundle install`; `nokogiri` resolves to `1.19.3`.
- `bundle exec rspec` — 851 examples, 0 failures.
- `bundle exec rubocop` — 195 files, no offenses.
Checklist before requesting a review
- `bundle exec rubocop` to test for code style violations and recommendations.
- `specs/*_spec.rb`) if applicable. (N/A — dependency bump.)
- `bundle exec rspec` to run the whole test suite and ensure all your tests pass.
- `CHANGELOG.md` file under the `## Trunk` → `### Bug Fixes` section.
- `MIGRATION.md`. (N/A — no breaking change.)
Posted by Claude Code (Opus 4.7) on behalf of @mokagio with approval.
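As an added illustration (not code from this PR or from the release toolkit), the following Ruby uses RubyGems' own `Gem::Requirement` to show exactly what the new `~> 1.11, >= 1.19.3` constraint admits and rejects compared with the old `~> 1.11`, and then scans a Gemfile.lock excerpt for locked nokogiri versions still below the floor, which is the check a consumer repo can run itself instead of waiting for a Dependabot alert. The `nokogiri_allowed?` and `vulnerable_locked_versions` helpers, the `LOCK_SPEC_LINE` regex and both lockfile excerpts are my own constructions for this example.

```ruby
require "rubygems"

# Constraint introduced by this PR in the gemspec: stay on the 1.x series
# (~> 1.11 means >= 1.11, < 2.0) and never resolve below the first release
# patched for GHSA-c4rq-3m3g-8wgx.
NOKOGIRI_REQUIREMENT = Gem::Requirement.new("~> 1.11", ">= 1.19.3")

# The pre-PR constraint, kept only to show what it still admitted.
OLD_NOKOGIRI_REQUIREMENT = Gem::Requirement.new("~> 1.11")

# True when a nokogiri version string satisfies the given requirement.
def nokogiri_allowed?(version_string, requirement = NOKOGIRI_REQUIREMENT)
  requirement.satisfied_by?(Gem::Version.new(version_string))
end

# Matches gem lines in the `specs:` block of a Gemfile.lock, e.g.
#   "    nokogiri (1.18.9-x86_64-linux)"
# Bundler splits version from platform at the first hyphen, so the version
# capture stops there. Dependency lines (6 spaces, "(>= ...)") do not match.
# Splitting first matters: Gem::Version would read "1.19.3-x86_64-linux" as a
# prerelease and wrongly rank it below 1.19.3.
LOCK_SPEC_LINE = /\A {4}nokogiri \(([^-)]+)(?:-([^)]+))?\)\z/

# Returns the locked nokogiri versions (one per platform entry) in the given
# Gemfile.lock text that do not satisfy `requirement`. An empty result means
# the consumer's lockfile is already at or above the floor, which is what
# Dependabot actually evaluates.
def vulnerable_locked_versions(lockfile_text, requirement = NOKOGIRI_REQUIREMENT)
  lockfile_text.each_line.filter_map do |line|
    m = LOCK_SPEC_LINE.match(line.chomp)
    next unless m
    version, platform = m[1], m[2]
    next if requirement.satisfied_by?(Gem::Version.new(version))
    platform ? "#{version}-#{platform}" : version
  end
end

# Constructed sample: a consumer lockfile that has not run `bundle update`
# yet, so nokogiri is still pinned below 1.19.3 for every platform entry.
STALE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.18.9)
        racc (~> 1.4)
      nokogiri (1.18.9-arm64-darwin)
        racc (~> 1.4)
      racc (1.8.1)

  DEPENDENCIES
    nokogiri
LOCK

# Constructed sample: the same lockfile after `bundle update nokogiri`.
UPDATED_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.19.3)
        racc (~> 1.4)
      nokogiri (1.19.3-arm64-darwin)
        racc (~> 1.4)
      racc (1.8.1)

  DEPENDENCIES
    nokogiri
LOCK

if $PROGRAM_NAME == __FILE__
  puts nokogiri_allowed?("1.18.9", OLD_NOKOGIRI_REQUIREMENT) # true: old constraint admitted it
  puts nokogiri_allowed?("1.18.9")                           # false: below the new floor
  puts nokogiri_allowed?("2.0.0")                            # false: ~> 1.11 still caps at < 2.0
  puts vulnerable_locked_versions(STALE_LOCKFILE).inspect    # ["1.18.9", "1.18.9-arm64-darwin"]
  puts vulnerable_locked_versions(UPDATED_LOCKFILE).inspect  # []
end
```

The two requirement objects make the PR's point concrete: `~> 1.11` alone was satisfied by the vulnerable 1.18.x line, while the combined constraint rejects anything under 1.19.3 without opening the door to a 2.x release. Run `vulnerable_locked_versions` over a consumer repo's real `Gemfile.lock` to see whether that repo still needs its own `bundle update`.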