Bump release-toolkit to 14.4.1, drop direct nokogiri dep#22844
Open
Carries the fix for [GHSA-c4rq-3m3g-8wgx][advisory] (high-severity ReDoS in Nokogiri's CSS selector tokenizer; vulnerable `< 1.19.3`). release-toolkit 14.4.1's gemspec floor of `nokogiri >= 1.19.3` forces bundler to advance nokogiri 1.19.1 → 1.19.3.

Removes the unconstrained `gem 'nokogiri'` line from the `Gemfile`. With the toolkit's floor in place, an explicit dependency is redundant and risks drifting against the toolkit's own constraint.

Run via `bundle update fastlane-plugin-wpmreleasetoolkit --conservative`.

[advisory]: GHSA-c4rq-3m3g-8wgx

---

Generated with the help of Claude Code, https://claude.com/claude-code

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Pull request overview
Updates the repository’s Ruby/fastlane dependency graph to pick up a Nokogiri security fix by upgrading fastlane-plugin-wpmreleasetoolkit and relying on its now-explicit Nokogiri constraint, while removing a redundant direct Nokogiri dependency.
Changes:
- Bumps `fastlane-plugin-wpmreleasetoolkit` to 14.4.1 (and updates its resolved dependency set).
- Advances `nokogiri` from 1.19.1 to 1.19.3 via the plugin's gemspec floor (`>= 1.19.3`).
- Removes the direct `gem 'nokogiri'` entry from `Gemfile` and from `Gemfile.lock` top-level dependencies.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| Gemfile.lock | Updates resolved gems to fastlane-plugin-wpmreleasetoolkit 14.4.1 and nokogiri 1.19.3, and removes now-unneeded direct/transitive entries. |
| Gemfile | Drops the redundant direct nokogiri dependency and continues to source it transitively via the release toolkit plugin. |
iangmaia
approved these changes
May 7, 2026
Description
Bumps `fastlane-plugin-wpmreleasetoolkit` from 14.0.0 to 14.4.1 to pull in the fix for GHSA-c4rq-3m3g-8wgx — a high-severity ReDoS in Nokogiri's CSS selector tokenizer (vulnerable `< 1.19.3`).

release-toolkit 14.4.1 added a `nokogiri >= 1.19.3` floor to its gemspec, so bundler advances nokogiri 1.19.1 → 1.19.3 along with the toolkit bump.

Also removes the unconstrained `gem 'nokogiri'` line from `Gemfile`. With the toolkit's floor in place that explicit dependency is redundant, and risks drifting against the toolkit's own constraint over time.

The 14.0 → 14.4 jump also drops `activesupport`, `i18n`, `tzinfo`, and a few of their transitive deps from the runtime graph — release-toolkit moved them to development-only.

Generated as part of the nokogiri 1.19.3 Orchard campaign covering all release-toolkit consumers.
Testing instructions
- `bundle install` from a clean checkout
- `Gemfile.lock` resolves `fastlane-plugin-wpmreleasetoolkit` to 14.4.1 and `nokogiri` to 1.19.3
- `bundle exec fastlane lanes`

Posted by Claude Code (Opus 4.7) on behalf of @mokagio with approval.
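As an added example (not part of this PR or the repository), the second testing step as a small Ruby audit over a `Gemfile.lock`: it checks that nokogiri resolves to a version satisfying the toolkit's `>= 1.19.3` floor and that nokogiri no longer appears as a top-level dependency. The lockfile text is constructed and abridged, not the repo's real lockfile, and the parser only understands the `GEM`/`DEPENDENCIES` sections it needs.

```ruby
# Added example (not the repo's code): audit a Gemfile.lock for the state this PR
# should produce. Uses rubygems' Gem::Version/Gem::Requirement; Bundler not needed.
require 'rubygems'

# Floor release-toolkit 14.4.1 places on nokogiri (fix for GHSA-c4rq-3m3g-8wgx).
NOKOGIRI_FLOOR = Gem::Requirement.new('>= 1.19.3')

# Returns { specs: { name => Gem::Version }, dependencies: [name, ...] }. Resolved
# specs are 4-space indented under GEM, top-level deps 2-space indented under
# DEPENDENCIES; platform suffixes such as 1.19.3-x86_64-linux are dropped.
def parse_lockfile(text)
  specs, deps, section = {}, [], nil
  text.each_line do |line|
    case line
    when /\A[A-Z]/ then section = line.strip
    when /\A    (\S+) \(([^)]+)\)\s*\z/
      specs[$1] = Gem::Version.new($2.split('-').first) if section == 'GEM'
    when /\A  (\S+)(?: \(.*\))?\s*\z/
      deps << $1 if section == 'DEPENDENCIES'
    end
  end
  { specs: specs, dependencies: deps }
end

# Returns findings; empty means nokogiri meets the floor and is no longer direct.
def audit_nokogiri(lock)
  findings = []
  version = lock[:specs]['nokogiri']
  if version.nil?
    findings << 'nokogiri is not in the resolved specs'
  elsif !NOKOGIRI_FLOOR.satisfied_by?(version)
    findings << "nokogiri #{version} does not satisfy #{NOKOGIRI_FLOOR}"
  end
  findings << 'nokogiri is still a direct Gemfile dependency' if lock[:dependencies].include?('nokogiri')
  findings
end

# Constructed, abridged lockfiles (not the repository's real Gemfile.lock).
BEFORE = <<~LOCK
  GEM
    specs:
      fastlane-plugin-wpmreleasetoolkit (14.0.0)
      nokogiri (1.19.1)

  DEPENDENCIES
    fastlane-plugin-wpmreleasetoolkit (~> 14.0)
    nokogiri
LOCK
# After the PR: both gems bumped and the direct nokogiri entry removed.
AFTER = BEFORE.sub('(14.0.0)', '(14.4.1)').sub('(1.19.1)', '(1.19.3)').sub("  nokogiri\n", '')
```

Against a real checkout, `audit_nokogiri(parse_lockfile(File.read('Gemfile.lock')))` returning an empty array is the condition the testing step asks for.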