Subject: CVS commit: pkgsrc/textproc/ruby-nokogiri
From: Izumi Tsutsui
Date: 2022-05-14 16:33:31
Message id: 20220514143331.619FDFAEB@cvs.NetBSD.org

Log Message:
ruby-nokogiri: update to 1.13.6.

Upstream changes:
 https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.6
 https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.5

1.13.6 / 2022-05-08

Security

  * [CRuby] Address CVE-2022-29181, improper handling of unexpected data types,
    related to untrusted inputs to the SAX parsers. See GHSA-xh29-r2w5-wx8m for
    more information.

Improvements

  * {HTML4,XML}::SAX::{Parser,ParserContext} constructor methods now raise
    TypeError instead of segfaulting when an incorrect type is passed.

1.13.5 / 2022-05-04

Security

  * [CRuby] Vendored libxml2 is updated to address CVE-2022-29824. See
    GHSA-cgx6-hpwq-fhv5 for more information.

Dependencies

  * [CRuby] Vendored libxml2 is updated from v2.9.13 to v2.9.14.

Improvements

  * [CRuby] The libxml2 HTML4 parser no longer exhibits quadratic behavior when
    recovering some broken markup related to start-of-tag and bare <
    characters.

Changed

  * [CRuby] The libxml2 HTML4 parser in v2.9.14 recovers from some broken
    markup differently. Notably, the XML CDATA escape sequence <![CDATA[ and
    incorrectly-opened comments will result in HTML text nodes starting with &
    lt;! instead of skipping the invalid tag. This behavior is a direct result
    of the quadratic-behavior fix noted above. The behavior of downstream
    sanitizers relying on this behavior will also change. Some tests describing
    the changed behavior are in test/html4/test_comments.rb.

Files:
RevisionActionfile
1.51modifypkgsrc/textproc/ruby-nokogiri/distinfo
1.37modifypkgsrc/textproc/ruby-nokogiri/PLIST
1.71modifypkgsrc/textproc/ruby-nokogiri/Makefile