From bd9f96bb79af711833272c717cae308037fec9d5 Mon Sep 17 00:00:00 2001 From: Gio Lodi Date: Fri, 8 May 2026 06:23:10 +1000 Subject: [PATCH] Pin nokogiri >= 1.19.3 (GHSA-c4rq-3m3g-8wgx) Carries the fix for [GHSA-c4rq-3m3g-8wgx][advisory] (high-severity ReDoS in Nokogiri's CSS selector tokenizer; vulnerable `< 1.19.3`). This repo is on `fastlane-plugin-wpmreleasetoolkit ~> 13.8`, which predates the toolkit's own `nokogiri >= 1.19.3` floor (added in 14.4.1). Pinning explicitly here closes the gap until a future toolkit-major bump makes the pin redundant. [advisory]: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-c4rq-3m3g-8wgx --- Generated with the help of Claude Code, https://claude.com/claude-code Co-Authored-By: Claude Opus 4.7 (1M context) --- Gemfile | 5 +++++ Gemfile.lock | 5 +++-- 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/Gemfile b/Gemfile
index e0688b0f4..5e432f91f 100644
--- a/Gemfile
+++ b/Gemfile
@@ -4,3 +4,8 @@ source 'https://rubygems.org'
 gem 'fastlane', '~> 2.230'
 gem 'fastlane-plugin-wpmreleasetoolkit', '~> 13.8'
+
+# Pinned to pull in the fix for GHSA-c4rq-3m3g-8wgx (CSS selector ReDoS).
+# Drop once `fastlane-plugin-wpmreleasetoolkit` moves to >= 14.4.1, whose
+# gemspec carries this floor transitively.
+gem 'nokogiri', '>= 1.19.3'
diff --git a/Gemfile.lock b/Gemfile.lock
index c36d4f570..3a3095b08 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -228,7 +228,7 @@ GEM nanaimo (0.4.0) naturally (2.3.0) nkf (0.2.0) - nokogiri (1.19.1) + nokogiri (1.19.3) mini_portile2 (~> 2.8.2) racc (~> 1.4) octokit (6.1.1)
@@ -305,6 +305,7 @@ PLATFORMS DEPENDENCIES fastlane (~> 2.230) fastlane-plugin-wpmreleasetoolkit (~> 13.8) + nokogiri (>= 1.19.3) CHECKSUMS CFPropertyList (3.0.8) sha256=2c99d0d980536d3d7ab252f7bd59ac8be50fbdd1ff487c98c949bb66bb114261
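Review bot: The new `gem 'nokogiri', '>= 1.19.3'` line in the Gemfile hunk is an open-ended lower bound, so a security floor that is only meant to lift the transitive resolution past the advisory also becomes a path for Bundler to pick up a future Nokogiri major release as soon as the toolkit's own constraint allows it (assuming the toolkit gemspec does not already bound it, which is not visible here). A pessimistic constraint alongside the floor keeps the intent narrow: `gem 'nokogiri', '~> 1.19', '>= 1.19.3'`. The added comment already names the advisory and the removal condition, which is good; adding the advisory URL from the commit message to the comment would let a reader verify the floor without digging through git history. The lockfile hunks confirm the resolution moved from 1.19.1 to 1.19.3 with no other gems touched, consistent with a conservative update.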
@@ -388,7 +389,7 @@ CHECKSUMS nanaimo (0.4.0) sha256=faf069551bab17f15169c1f74a1c73c220657e71b6e900919897a10d991d0723 naturally (2.3.0) sha256=459923cf76c2e6613048301742363200c3c7e4904c324097d54a67401e179e01 nkf (0.2.0) sha256=fbc151bda025451f627fafdfcb3f4f13d0b22ae11f58c6d3a2939c76c5f5f126 - nokogiri (1.19.1) sha256=598b327f36df0b172abd57b68b18979a6e14219353bca87180c31a51a00d5ad3 + nokogiri (1.19.3) sha256=78312cbac32a40c812780d9678221b79d51288eec00054c1a8d15f7ce05960e8 octokit (6.1.1) sha256=920e4a9d820205f70738f58de6a7e6ef0e2f25b27db954b5806a63105207b0bf options (2.3.2) sha256=32413a4b9e363234eed2eecfb2a1a9deb32810f72c54820a37a62f65b905c5e8 optparse (0.8.1) sha256=42bea10d53907ccff4f080a69991441d611fbf8733b60ed1ce9ee365ce03bd1a