🚨 [security] Update nokogiri 1.12.5 → 1.16.2 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ nokogiri (1.12.5 → 1.16.2) · Repo · Changelog

Security Advisories 🚨

🚨 Improper Handling of Unexpected Data Type in Nokogiri

Summary

Nokogiri v1.16.2 upgrades the version of its dependency libxml2 to v2.12.5.

libxml2 v2.12.5 addresses the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.16.2, and only if the packaged libraries are being used. If
you've overridden defaults at installation time to use system libraries
instead of packaged libraries, you should instead pay attention to your
distro's libxml2 release announcements.

Severity

The Nokogiri maintainers have evaluated this as Moderate.

Mitigation

Upgrade to Nokogiri >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated
mitigation: compile and link Nokogiri against external libraries libxml2 >=
2.12.5 which will also address these same issues.

JRuby users are not affected.

Workarounds

🚨 Update packaged libxml2 to v2.10.4 to resolve multiple CVEs

Summary

Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to
v2.10.4 from v2.10.3.

libxml2 v2.10.4 addresses the following known vulnerabilities:

• CVE-2023-29469: Hashing of
  empty dict strings isn't deterministic
• CVE-2023-28484: Fix null deref
  in xmlSchemaFixupComplexType
• Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3,
and only if the packaged libraries are being used. If you've overridden defaults at installation
time to use system libraries instead of packaged libraries, you should instead pay attention to
your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.14.3.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against external libraries libxml2 >= 2.10.4 which will also address these
same issues.

Impact

No public information has yet been published about the security-related issues other than the
upstream commits. Examination of those changesets indicate that the more serious issues relate to
libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.

The commits can be examined at:

• [CVE-2023-29469] Hashing of empty dict strings isn't deterministic (09a2dd45)
• [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType (647e072e)
• schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK (4c6922f7)

🚨 Unchecked return value from xmlTextReaderExpand

Summary

Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.

For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

Mitigation

Upgrade to Nokogiri >= 1.13.10.

Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

• CWE - CWE-252: Unchecked Return Value (4.9)
• CWE - CWE-476: NULL Pointer Dereference (4.9)

Credit

This vulnerability was responsibly reported by @davidwilemski.

🚨 Improper Handling of Unexpected Data Type in Nokogiri

Summary

Nokogiri < v1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers.
For CRuby users, this may allow specially crafted untrusted inputs to cause illegal
memory access errors (segfault) or reads from unrelated memory.

Severity

The Nokogiri maintainers have evaluated this as High 8.2 (CVSS3.1).

Mitigation

CRuby users should upgrade to Nokogiri >= 1.13.6.

JRuby users are not affected.

Workarounds

To avoid this vulnerability in affected applications, ensure the untrusted input is a
String by calling #to_s or equivalent.

🚨 Integer Overflow or Wraparound in libxml2 affects Nokogiri

Summary

Nokogiri v1.13.5 upgrades the packaged version of its dependency libxml2 from
v2.9.13 to v2.9.14.

libxml2 v2.9.14 addresses CVE-2022-29824.
This version also includes several security-related bug fixes for which CVEs were not created,
including a potential double-free, potential memory leaks, and integer-overflow.

Please note that this advisory only applies to the CRuby implementation of Nokogiri
< 1.13.5, and only if the packaged libraries are being used. If you've overridden
defaults at installation time to use system libraries instead of packaged libraries,
you should instead pay attention to your distro's libxml2 and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.5.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation:
compile and link Nokogiri against external libraries libxml2 >= 2.9.14 which will also
address these same issues.

Impact

libxml2 CVE-2022-29824

• CVSS3 score:
  • Unspecified upstream
  • Nokogiri maintainers evaluate at 8.6 (High) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H). Note that this is different from the CVSS assessed by NVD.
• Type: Denial of service, information disclosure
• Description: In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.
• Fixed: https://gitlab.gnome.org/GNOME/libxml2/-/commit/2554a24

All versions of libml2 prior to v2.9.14 are affected.

Applications parsing or serializing multi-gigabyte documents (in excess of INT_MAX bytes) may be vulnerable to an integer overflow bug in buffer handling that could lead to exposure of confidential data, modification of unrelated data, or a segmentation fault resulting in a denial-of-service.

References

• libxml2 v2.9.14 release notes
• CVE-2022-29824
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

🚨 XML Injection in Xerces Java affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored xerces:xercesImpl from 2.12.0 to
2.12.2, which addresses CVE-2022-23437.
That CVE is scored as CVSS 6.5 "Medium" on the NVD record.

Please note that this advisory only applies to the JRuby implementation
of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2022-23437 in xerces-J

• Severity: Medium
• Type: CWE-91 XML Injection (aka Blind XPath Injection)
• Description: There's a vulnerability within the Apache Xerces Java
  (XercesJ) XML parser when handling specially crafted XML document payloads.
  This causes, the XercesJ XML parser to wait in an infinite loop, which may
  sometimes consume system resources for prolonged duration. This vulnerability
  is present within XercesJ version 2.12.1 and the previous versions.
• See also: GHSA-h65f-jvqw-m9fj

🚨 Out-of-bounds Write in zlib affects Nokogiri

Summary

Nokogiri v1.13.4 updates the vendored zlib from 1.2.11
to 1.2.12, which addresses CVE-2018-25032.
That CVE is scored as CVSS 7.4 "High" on the NVD record as of 2022-04-05.

Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.4, and only if the packaged version of zlib is being used.
Please see this document
for a complete description of which platform gems vendor zlib. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's zlib
release announcements.

Mitigation

Upgrade to Nokogiri >= v1.13.4.

Impact

CVE-2018-25032 in zlib

• Severity: High
• Type: CWE-787
  Out of bounds write
• Description: zlib before 1.2.12 allows memory corruption when
  deflating (i.e., when compressing) if the input has many distant matches.

🚨 Denial of Service (DoS) in Nokogiri on JRuby

Summary

Nokogiri v1.13.4 updates the vendored org.cyberneko.html library to
1.9.22.noko2 which addresses CVE-2022-24839.
That CVE is rated 7.5 (High Severity).

See GHSA-9849-p7jc-9rmv
for more information.

Please note that this advisory only applies to the JRuby implementation of Nokogiri < 1.13.4.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

Impact

CVE-2022-24839 in nekohtml

• Severity: High 7.5
• Type: CWE-400 Uncontrolled Resource Consumption
• Description: The fork of org.cyberneko.html used by Nokogiri (Rubygem) raises a
  java.lang.OutOfMemoryError exception when parsing ill-formed HTML markup.
• See also: GHSA-9849-p7jc-9rmv

🚨 Inefficient Regular Expression Complexity in Nokogiri

Summary

Nokogiri < v1.13.4 contains an inefficient regular expression that is
susceptible to excessive backtracking when attempting to detect encoding
in HTML documents.

Mitigation

Upgrade to Nokogiri >= 1.13.4.

🚨 Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)

Summary

Nokogiri v1.13.2 upgrades two of its packaged dependencies:

• vendored libxml2 from v2.9.12 to v2.9.13
• vendored libxslt from v1.1.34 to v1.1.35

Those library versions address the following upstream CVEs:

• libxslt: CVE-2021-30560 (CVSS 8.8, High severity)
• libxml2: CVE-2022-23308 (Unspecified severity, see more information below)

Those library versions also address numerous other issues including performance
improvements, regression fixes, and bug fixes, as well as memory leaks and other
use-after-free issues that were not assigned CVEs.

Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's libxml2
and libxslt release announcements.

Mitigation

Upgrade to Nokogiri >= 1.13.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated
mitigation: compile and link an older version Nokogiri against external libraries
libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.

Impact

• libxslt CVE-2021-30560
• CVSS3 score: 8.8 (High)

Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c

All versions of libxslt prior to v1.1.35 are affected.

Applications using untrusted XSL stylesheets to transform XML are vulnerable to
a denial-of-service attack and should be upgraded immediately.

libxml2 CVE-2022-23308

• As of the time this security advisory was published, there is no officially
  published information available about this CVE's severity. The above NIST link
  does not yet have a published record, and the libxml2 maintainer has declined
  to provide a severity score.
• Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12
• Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html

The upstream commit and the explanation linked above indicate that an application
may be vulnerable to a denial of service, memory disclosure, or code execution if
it parses an untrusted document with parse options DTDVALID set to true, and NOENT
set to false.

An analysis of these parse options:

• While NOENT is off by default for Document, DocumentFragment, Reader, and
  Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri
  v1.12.0 and later.
• DTDVALID is an option that Nokogiri does not set for any operations, and so
  this CVE applies only to applications setting this option explicitly.

It seems reasonable to assume that any application explicitly setting the parse
option DTDVALID when parsing untrusted documents is vulnerable and should be
upgraded immediately.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.6.1 → 2.8.5) · Repo · Changelog

Release Notes

2.8.5

2.8.5 / 2023-10-22

Added

• New methods #lib_path and #include_path which point at the installed directories under ports. (by @flavorjones)
• Add config param for CMAKE_BUILD_TYPE, which now defaults to Release. (#136 by @Watson1978)

Experimental

Introduce experimental support for MiniPortile#mkmf_config which sets up MakeMakefile variables to properly link against the recipe. This should make it easier for C extensions to package third-party libraries. (by @flavorjones)

• With no arguments, will set up just $INCFLAGS, $libs, and $LIBPATH.
• Optionally, if provided a pkg-config file, will use that config to more precisely set $INCFLAGS, $libs, $LIBPATH, and $CFLAGS/$CXXFLAGS.
• Optionally, if provided the name of a static archive, will rewrite linker flags to ensure correct linkage.

Note that the behavior may change slightly before official support is announced. Please comment on #118 if you have feedback.

2.8.4

2.8.4 / 2023-07-18

• cmake: set CMAKE compile flags to configure cross-compilation similarly to autotools --host flag: SYSTEM_NAME, SYSTEM_PROCESSOR, C_COMPILER, and CXX_COMPILER. [#130] (Thanks, @stanhu!)

2.8.3

2.8.3 / 2023-07-18

Fixed

• cmake: only use MSYS/NMake generators when available. [#129] (Thanks, @stanhu!)

2.8.2

2.8.2 / 2023-04-30

Fixed

• Ensure that the source_directory option will work when given a Windows path to an autoconf directory. [#126]

2.8.1

2.8.1 / 2022-12-24

Fixed

• Support applying patches via git apply even when the working directory resembles a git directory. [#119] (Thanks, @h0tw1r3!)

2.8.0

2.8.0 / 2022-02-20

Added

• Support xz-compressed archives (recognized by an .xz file extension).
• When downloading a source archive, default open_timeout and read_timeout to 10 seconds, but allow configuration via open_timeout and read_timeout config parameters.

2.7.1

2.7.1 / 2021-10-20

Packaging

A test artifact that has been included in the gem was being flagged by some users' security scanners because it wasn't a real tarball. That artifact has been updated to be a real tarball. [#108]

2.7.0

2.7.0 / 2021-08-31

Added

The commands used for "make", "compile", and "cmake" are configurable via keyword arguments. [#107] (Thanks, @cosmo0920!)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 68 commits:

• version bump to 2.8.5
• doc: update README with cmake_build_type documentation
• Merge pull request #137 from flavorjones/flavorjones-update-gemspec
• dev: gemspec has better desc and uses require_relative
• Merge pull request #136 from Watson1978/release-build
• Add config param for CMAKE_BUILD_TYPE
• Create release binary with cmake explicitly
• Merge pull request #135 from amatsuda/warning
• warning: method redefined; discarding old source_directory=
• version bump to v2.8.5.rc2
• Merge pull request #134 from flavorjones/flavorjones-improve-mkmf-config-20230917
• introduce the "static" parameter to mkmf_config
• extract `lib_path` and `include_path` methods
• version bump to v2.8.5.rc1
• Merge pull request #133 from flavorjones/flavorjones-more-precise-pkg-config
• feat: more precise implementation of mkmf_config for pkg-config
• version bump to v2.9.0.rc1
• Merge pull request #131 from flavorjones/118-fedora-pkgconf
• feat: introduce MiniPortile.mkmf_config
• test: add an example that uses MakeMakefile.pkg_config
• ci: add a fedora job to the test suite
• test: backfill coverage for MiniPortile#activate
• Merge pull request #132 from flavorjones/flavorjones-uninitialized-ivar-warnings
• fix: avoid uninitialized ivar warnings
• version bump to v2.8.4
• Merge pull request #130 from stanhu/sh-cmake-cross-compile-vars
• version bump to v2.8.3
• Remap x64 processor type to x86_64
• [cmake] Automatically add required cross-compilation variables
• Merge pull request #129 from stanhu/sh-cmake-msys
• Update CHANGELOG.md
• Add CHANGELOG.md for CMake fix
• cmake: only use MSYS/NMake generators when available
• version bump to v2.8.2
• Merge pull request #126 from flavorjones/flavorjones-better-config-failure-log
• convert source_directory into a posix path
• omit misleading version number when using source_directory
• feat: output complete logs on error, including "config.log"
• Merge pull request #125 from petergoldstein/feature/add_ruby_3_2_to_ci
• Adds Ruby 3.2 to CI. Updates checkout action version.
• Merge pull request #124 from flavorjones/flavorjones-update-github-actions-v3
• ci: update github actions to avoid node version warnings
• version bump to v2.8.1
• Merge pull request #122 from flavorjones/119-improve-patching
• fix: handle patching in dirs that resemble an actual git dir
• Merge pull request #121 from flavorjones/flavorjones-exercise-patching-in-examples
• test: `rake test:examples` now exercises patching
• Merge pull request #117 from flavorjones/flavorjones-loosen-bundler-dependency
• dep(dev): loosen bundler dependency
• version bump to 2.8.0
• Merge pull request #114 from flavorjones/flavorjones-support-xz-files
• ci: skip examples that won't build on arm64-darwin
• feat: support xz-compressed archives
• Merge pull request #115 from flavorjones/flavorjones-add-darwin-to-ci-matrix
• feat: {open,read}_timeout defaults to 10, can be overridden
• ci: add darwin coverage to the ci matrix
• dev(dep): update development dependencies
• Merge pull request #113 from flavorjones/flavorjones-update-ci-to-ruby31
• ci: update to cover Ruby 3.1
• meta: Github Sponsors link
• version bump to v2.7.1
• update CHANGELOG for release
• Merge pull request #109 from flavorjones/108-make-it-a-real-tarball-plz
• fix: ensure test artifact is a real tarball
• version bump to v2.7.0
• Merge pull request #107 from cosmo0920/support-replace-cmake-command-via-initialize
• allow configuration of some commands
• ci: do not fail fast, cancel in progress

↗️ racc (indirect, 1.7.1 → 1.7.3) · Repo · Changelog

Release Notes

1.7.3

What's Changed

• Exclude CRuby extension from JRuby gem by @nobu in #244
• Fix for dummy rake/extensiontask.rb at ruby test-bundled-gems by @nobu in #245
• Fix jar file path by @nobu in #246
• Bump by @nobu in #247
• Add srcs target to prepare to build by @nobu in #248
• Make CI runnable for any push by @yui-knk in #249
• Check rake build on CI by @yui-knk in #250
• Bump up v1.7.3.pre.1 by @yui-knk in #251
• Fix locations of expect param in docs by @yui-knk in #252
• 'lib/racc/parser-text.rb' depends on 'lib/racc/info.rb' by @yui-knk in #253
• Bump up v1.7.3 by @yui-knk in #254

Full Changelog: v1.7.2...v1.7.3

1.7.2

What's Changed

• Update parser.rb, fixed typo by @jwillemsen in #224
• Remove leading newline from on_error exception messages. by @zenspider in #226
• Add --frozen to add frozen_string_literals to top of generated files. by @zenspider in #225
• Update development dependency to avoid ruby 2.5 failures by @flavorjones in #228
• dep: pin development dependencies, and enable dependabot for gems by @flavorjones in #229
• Clean embedded pragmas by @nobu in #230
• Embed grammar file name into generated file by @yui-knk in #231
• Bump actions/checkout from 3 to 4 by @dependabot in #232
• Fix a typo by @yui-knk in #234
• Add "Release flow" to README.rdoc by @yui-knk in #235
• Prepare 1.7.2 by @nobu in #236
• Remove install guide by setup.rb by @yui-knk in #237
• Fix tiny typos by @makenowjust in #238
• Remove old checks by @nobu in #240
• Remove MANIFEST which was used by ancient extmk.rb by @nobu in #242
• Extract Racc::VERSION from racc/info.rb at extconf.rb by @nobu in #241
• Use prototype declarations by @nobu in #243
• Bump up v1.7.2 by @yui-knk in #239

New Contributors

• @makenowjust made their first contribution in #238

Full Changelog: v1.7.1...v1.7.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 67 commits:

• Merge pull request #254 from yui-knk/v1.7.3
• Bump up v1.7.3
• Merge pull request #253 from yui-knk/add_dependency
• 'lib/racc/parser-text.rb' depends on 'lib/racc/info.rb'
• Merge pull request #252 from yui-knk/fix_doc_expect_param
• Fix locations of `expect` param in docs
• Merge pull request #251 from yui-knk/v1.7.3.pre.1
• Bump up v1.7.3.pre.1
• Merge pull request #250 from yui-knk/test_rake_compile_build
• Check `rake build` on CI
• Merge pull request #249 from yui-knk/always_run_ci
• Merge pull request #248 from nobu/srcs
• Make CI runnable for any push
• Add `srcs` target to prepare to build
• Make reproducible
• Merge pull request #247 from nobu/bump
• Update test-unit-ruby-core for ruby 2.5
• Prepare 1.7.3
• Add recipe to update RACC_VERSION in Cparse.java
• Merge pull request #246 from nobu/jruby-extdir
• Fix jar file path
• Merge pull request #245 from nobu/ruby-test
• Fix for dummy rake/extensiontask.rb at ruby test-bundled-gems
• Merge pull request #244 from nobu/cruby-ext
• Exclude CRuby extension from JRuby gem
• Merge pull request #239 from yui-knk/v1.7.2
• Merge pull request #243 from nobu/protoize
• Use prototype declarations
• Bump up v1.7.2
• Merge pull request #241 from nobu/info_version
• Merge pull request #242 from nobu/manifest
• [DOC] Update release flow
• Remove MANIFEST which was used by ancient extmk.rb
• Extract Racc::VERSION from racc/info.rb at extconf.rb
• Merge pull request #240 from nobu/old-checks
• Remove fallback code
• Remove old checks
• Rename CI file since it is not only Ubuntu now [ci skip]
• Merge pull request #238 from makenowjust/typos
• Fix tiny typos
• Merge pull request #237 from yui-knk/remove_install_guide_via_setup_rb
• Remove install guide by setup.rb
• Merge pull request #236 from nobu/bump-up
• Start 1.7.2
• Update `Gem::Specification#files`
• Merge pull request #235 from yui-knk/readme_release-flow
• Add "Release flow" to README.rdoc
• Merge pull request #234 from yui-knk/fix_typo
• Fix a typo
• Merge pull request #232 from ruby/dependabot/github_actions/actions/checkout-4
• Bump actions/checkout from 3 to 4
• Merge pull request #231 from yui-knk/embed_grammar_file_name_into_generated_file
• Embed grammar file name into generated file
• Merge pull request #230 from nobu/embedded-pragmas
• Remove frozen_string_literal pragmas from embedded runtime files
• Stop littering platform-independent directory with platform-dependent bianries
• Merge pull request #229 from ruby/flavorjones-pin-dev-dependencies
• dep: pin development dependencies, and enable dependabot for gems
• Merge pull request #228 from ruby/flavorjones-work-around-rake-compiler-ruby-2.5
• Update development dependency to avoid ruby 2.5 failures
• Merge pull request #225 from zenspider/zenspider/frozen_string_literals
• Merge pull request #226 from zenspider/zenspider/newline
• Remove NEWS files since they've not been updated in quite some time
• Add --frozen to add frozen_string_literals to top of generated files.
• Remove leading newline from on_error exception messages.
• Merge pull request #224 from jwillemsen/patch-4
• Update parser.rb, fixed typo

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[ngetahun]

@depfu recreate

[ngetahun]

@depfu pause

[depfu]

Pausing nokogiri updates for all future versions. Go to your Depfu dashboard or use the @depfu resume command to resume updates.