
Pin nokogiri >= 1.19.3 (GHSA-c4rq-3m3g-8wgx)#497

Closed
mokagio wants to merge 1 commit intotrunkfrom
mokagio/nokogiri-1.19.3

Conversation


@mokagio mokagio commented May 7, 2026

Note

Closed in favor of #498

Summary

Adds gem 'nokogiri', '>= 1.19.3' to Gemfile to pull in the fix for GHSA-c4rq-3m3g-8wgx — high-severity ReDoS in Nokogiri's CSS selector tokenizer (vulnerable < 1.19.3).

This repo is on fastlane-plugin-wpmreleasetoolkit ~> 13.8, which predates the toolkit's own nokogiri >= 1.19.3 floor (added in 14.4.1). The explicit pin closes the gap without requiring a release-toolkit major bump.

Generated as part of the nokogiri 1.19.3 Orchard campaign.

Testing

bundle install. Gemfile.lock resolves nokogiri to 1.19.3.


Posted by Claude Code (Opus 4.7) on behalf of @mokagio with approval.

Carries the fix for [GHSA-c4rq-3m3g-8wgx][advisory] (high-severity ReDoS
in Nokogiri's CSS selector tokenizer; vulnerable `< 1.19.3`).

This repo is on `fastlane-plugin-wpmreleasetoolkit ~> 13.8`, which
predates the toolkit's own `nokogiri >= 1.19.3` floor (added in 14.4.1).
Pinning explicitly here closes the gap until a future toolkit-major bump
makes the pin redundant.

[advisory]: GHSA-c4rq-3m3g-8wgx

---

Generated with the help of Claude Code, https://claude.com/claude-code

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 7, 2026 20:23
@mokagio mokagio self-assigned this May 7, 2026

Copilot AI left a comment


Pull request overview

This PR mitigates GHSA-c4rq-3m3g-8wgx by ensuring the project resolves Nokogiri to a non-vulnerable version (>= 1.19.3), without requiring an upgrade of fastlane-plugin-wpmreleasetoolkit.

Changes:

  • Add an explicit nokogiri (>= 1.19.3) dependency to the Gemfile.
  • Update Gemfile.lock to resolve nokogiri from 1.19.1 to 1.19.3 (including checksum and dependency list entry).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.

Files reviewed:

  • Gemfile: Adds explicit Nokogiri minimum version requirement and rationale comment.
  • Gemfile.lock: Updates resolved Nokogiri version and records it under dependencies/checksums.


Comment thread on Gemfile:
# Pinned to pull in the fix for GHSA-c4rq-3m3g-8wgx (CSS selector ReDoS).
# Drop once `fastlane-plugin-wpmreleasetoolkit` moves to >= 14.4.1, whose
# gemspec carries this floor transitively.
gem 'nokogiri', '>= 1.19.3'
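As an added check (not code from the PR or the repository), the following Ruby script does what a reviewer would otherwise eyeball in the lockfile diff: it parses the `specs:` blocks of a Gemfile.lock and reports whether nokogiri resolves to a version at or above the 1.19.3 floor from GHSA-c4rq-3m3g-8wgx. The lockfile fragments embedded in it are constructed; the toolkit version `13.8.0` and its nokogiri dependency line are placeholders, not values taken from the repository.

```ruby
# Added check, not part of the PR: confirm a Gemfile.lock resolves nokogiri to a
# version carrying the GHSA-c4rq-3m3g-8wgx fix (>= 1.19.3). Only Ruby's bundled
# RubyGems version/requirement classes are used; the lockfiles are constructed.
require "rubygems"

ADVISORY = "GHSA-c4rq-3m3g-8wgx"
FIXED = Gem::Requirement.new(">= 1.19.3") # anything below 1.19.3 is vulnerable

# Parse every "specs:" block of a Gemfile.lock into { "name" => "version" }.
# Resolved gems sit at a 4-space indent; their dependency lines (6 spaces)
# are skipped, and a platform suffix such as "-x86_64-linux" is dropped.
def lock_specs(lock_text)
  specs = {}
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if in_specs && line !~ /\A\s{4}/ # blank line or new section
    next unless in_specs
    specs[$1] = $2 if line =~ /\A {4}(\S+) \(([^)\s-]+)/
  end
  specs
end

# Report what nokogiri resolved to and whether it satisfies the advisory floor.
def nokogiri_status(lock_text)
  version = lock_specs(lock_text)["nokogiri"]
  fixed = !version.nil? && FIXED.satisfied_by?(Gem::Version.new(version))
  { advisory: ADVISORY, resolved: version, fixed: fixed }
end

# Constructed lockfile fragments: before and after the pin from this PR.
LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      fastlane-plugin-wpmreleasetoolkit (13.8.0)
        nokogiri (>= 0)
      nokogiri (1.19.1)

  PLATFORMS
    ruby
LOCK
LOCK_AFTER = LOCK_BEFORE.sub("nokogiri (1.19.1)", "nokogiri (1.19.3)")

if __FILE__ == $PROGRAM_NAME
  [LOCK_BEFORE, LOCK_AFTER].each { |lock| p nokogiri_status(lock) }
end
```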
@mokagio mokagio marked this pull request as draft May 8, 2026 00:38

mokagio commented May 8, 2026

Holding this in draft. The CI failures here look like an infrastructure/cache-logic issue specific to this repo, not a problem with the lockfile bump:

  • xcode-build-xcframework fails with tar: vendor/bundle: Cannot stat: No such file or directory while the cache-store step runs (No existing cache entry for gutenbergkit-...-storing in cache). The cache key changes because Gemfile.lock changed, so it's a cache miss; the storage step then fails because vendor/bundle isn't where the cache-store expects it. This would hit any Gemfile.lock-touching change, not just this one.
  • The android-test-android-e2e and android-publish-android-library failures are likely cascade failures from the same root.
  • The GHA validate failure should be inspected separately by someone with repo familiarity.

trunk's recent CI is healthy (#2236 passed), so this is specific to my PR's interaction with the cache logic. Recipe is identical to the rest of the campaign: gem 'nokogiri', '>= 1.19.3' in Gemfile, then bundle install. Gemfile.lock resolves nokogiri from 1.19.1 to 1.19.3 cleanly.

Once the CI cache logic is fixed (or someone with repo knowledge confirms the safe path), this PR can be re-monitored and merged.


Posted by Claude Code (Opus 4.7) on behalf of @mokagio with approval.

@mokagio mokagio mentioned this pull request May 8, 2026

mokagio commented May 8, 2026

Closing in favor of #498

@mokagio mokagio closed this May 8, 2026