<p>Bumps <a href="https://github.com/sparklemotion/nokogiri">nokogiri</a> from 1.12.4 to 1.12.5.</p>

<details>

<summary>Release notes</summary>

<p><em>Sourced from <a href="https://github.com/sparklemotion/nokogiri/releases">nokogiri's releases</a>.</em></p>

<blockquote>

<h2>1.12.5 / 2021-09-27</h2>

<h3>Security</h3>

<p>[JRuby] Address <a title="CVE-2021-41098" data-hovercard-type="advisory" data-hovercard-url="/advisories/GHSA-2rr5-8q37-2w7h/hovercard" href="https://github.com/advisories/GHSA-2rr5-8q37-2w7h">CVE-2021-41098</a> (<a href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h">GHSA-2rr5-8q37-2w7h</a>).</p>

<p>In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parsers resolve external entities (XXE) by default. This fix turns off entity-resolution-by-default in the JRuby SAX parsers to match the CRuby SAX parsers' behavior.</p>

<p>CRuby users are not affected by this CVE.</p>

<h3>Fixed</h3>

<ul>

<li>[CRuby] <code>Document#to_xhtml</code> properly serializes self-closing tags in libxml > 2.9.10. A behavior change introduced in libxml 2.9.11 resulted in emitting start and and tags (e.g., <code><br></br></code>) instead of a self-closing tag (e.g., <code><br/></code>) in previous Nokogiri versions. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2324" rel="nofollow">#2324</a>]</li>

</ul>

<hr>

<p>SHA256 checksums:</p>

<div class="snippet-clipboard-content position-relative" data-snippet-clipboard-copy-content="36bfa3a07aced069b3f3c9b39d9fb62cb0728d284d02b079404cd55780beaeff  nokogiri-1.12.5-arm64-darwin.gem

16b1a9ddbb70a9c998462912a5972097cbc79c3e01eb373906886ef8a469f589  nokogiri-1.12.5-java.gem

218dcc6edd1b49cc6244b5f88afb978739bb2f3f166c271557fe5f51e4bc713c  nokogiri-1.12.5-x64-mingw32.gem

e33bb919d64c16d931a5f26dc880969e587d225cfa97e6b56e790fb52179f527  nokogiri-1.12.5-x86-linux.gem

e13c2ed011b8346fbd589e96fe3542d763158bc2c7ad0f4f55f6d801afd1d9ff  nokogiri-1.12.5-x86-mingw32.gem

1ed64f7db7c1414b87fce28029f2a10128611d2037e0871ba298d00f9a00edd6  nokogiri-1.12.5-x86_64-darwin.gem

0868c8d0a147904d4dedaaa05af5f06656f2d3c67e4432601718559bf69d6cea  nokogiri-1.12.5-x86_64-linux.gem

2b20905942acc580697c8c496d0d1672ab617facb9d30d156b3c7676e67902ec  nokogiri-1.12.5.gem

"><pre><code>36bfa3a07aced069b3f3c9b39d9fb62cb0728d284d02b079404cd55780beaeff  nokogiri-1.12.5-arm64-darwin.gem

16b1a9ddbb70a9c998462912a5972097cbc79c3e01eb373906886ef8a469f589  nokogiri-1.12.5-java.gem

218dcc6edd1b49cc6244b5f88afb978739bb2f3f166c271557fe5f51e4bc713c  nokogiri-1.12.5-x64-mingw32.gem

e33bb919d64c16d931a5f26dc880969e587d225cfa97e6b56e790fb52179f527  nokogiri-1.12.5-x86-linux.gem

e13c2ed011b8346fbd589e96fe3542d763158bc2c7ad0f4f55f6d801afd1d9ff  nokogiri-1.12.5-x86-mingw32.gem

1ed64f7db7c1414b87fce28029f2a10128611d2037e0871ba298d00f9a00edd6  nokogiri-1.12.5-x86_64-darwin.gem

0868c8d0a147904d4dedaaa05af5f06656f2d3c67e4432601718559bf69d6cea  nokogiri-1.12.5-x86_64-linux.gem

2b20905942acc580697c8c496d0d1672ab617facb9d30d156b3c7676e67902ec  nokogiri-1.12.5.gem

</code></pre></div>

</blockquote>

</details>

<details>

<summary>Changelog</summary>

<p><em>Sourced from <a href="https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md">nokogiri's changelog</a>.</em></p>

<blockquote>

<h2>1.12.5 / 2021-09-27</h2>

<h3>Security</h3>

<p>[JRuby] Address <a title="CVE-2021-41098" data-hovercard-type="advisory" data-hovercard-url="/advisories/GHSA-2rr5-8q37-2w7h/hovercard" href="https://github.com/advisories/GHSA-2rr5-8q37-2w7h">CVE-2021-41098</a> (<a href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h">GHSA-2rr5-8q37-2w7h</a>).</p>

<p>In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parsers resolve external entities (XXE) by default. This fix turns off entity-resolution-by-default in the JRuby SAX parsers to match the CRuby SAX parsers' behavior.</p>

<p>CRuby users are not affected by this CVE.</p>

<h3>Fixed</h3>

<ul>

<li>[CRuby] <code>Document#to_xhtml</code> properly serializes self-closing tags in libxml > 2.9.10. A behavior change introduced in libxml 2.9.11 resulted in emitting start and and tags (e.g., <code><br></br></code>) instead of a self-closing tag (e.g., <code><br/></code>) in previous Nokogiri versions. [<a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2324" rel="nofollow">#2324</a>]</li>

</ul>

</blockquote>

</details>

<details>

<summary>Commits</summary>

<ul>

<li><a href="https://github.com/sparklemotion/nokogiri/commit/47f6a461fdc3e375b30522259e48569fb578dece"><code>47f6a46</code></a> version bump to v1.12.5</li>

<li><a href="https://github.com/sparklemotion/nokogiri/commit/2a0ac88518fdd1509d14c4cbdb9784c73dd8a839"><code>2a0ac88</code></a> update CHANGELOG</li>

<li><a href="https://github.com/sparklemotion/nokogiri/commit/6b6063782cefc42e527dc967c6119125cae0042d"><code>6b60637</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2329" rel="nofollow">#2329</a> from sparklemotion/flavorjones-<a title="GHSA-2rr5-8q37-2w7h" href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h">GHSA-2rr5-8q37-2w7h</a>_1...</li>

<li><a href="https://github.com/sparklemotion/nokogiri/commit/4bd943cae3039c51c3f54de9cd76abbfb647666b"><code>4bd943c</code></a> fix(jruby): SAX parser uses an entity resolver</li>

<li><a href="https://github.com/sparklemotion/nokogiri/commit/f943ee4108b007d225e00c3ac7da00df17b81b1a"><code>f943ee4</code></a> refactor(jruby): handle errors more consistently</li>

<li><a href="https://github.com/sparklemotion/nokogiri/commit/27901227488ea7e439777cfc907e52c68622e6a3"><code>2790122</code></a> format: test files</li>

<li><a href="https://github.com/sparklemotion/nokogiri/commit/01e1618f7551ae3c32c1a5790c1004c18a46b316"><code>01e1618</code></a> Merge pull request <a href="https://github-redirect.dependabot.com/sparklemotion/nokogiri/issues/2327" rel="nofollow">#2327</a> from sparklemotion/2324-xhtml-self-closing-tags_v1.12.x</li>

<li><a href="https://github.com/sparklemotion/nokogiri/commit/a0180c72c55c44b8e0db3a98040bd5f115742817"><code>a0180c7</code></a> fix: HTML4::Document.to_xhtml self-closing tags</li>

<li>See full diff in <a href="https://github.com/sparklemotion/nokogiri/compare/v1.12.4...v1.12.5">compare view</a></li>

</ul>

</details>

<br>

<p><a href="https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores"><img src="https://camo.githubusercontent.com/6ed3396d098f1ee4b8d0d61457750c151a25bb06769635f226080f7117738239/68747470733a2f2f646570656e6461626f742d6261646765732e6769746875626170702e636f6d2f6261646765732f636f6d7061746962696c6974795f73636f72653f646570656e64656e63792d6e616d653d6e6f6b6f67697269267061636b6167652d6d616e616765723d62756e646c65722670726576696f75732d76657273696f6e3d312e31322e34266e65772d76657273696f6e3d312e31322e35" alt="Dependabot compatibility score" data-canonical-src="https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=nokogiri&package-manager=bundler&previous-version=1.12.4&new-version=1.12.5" style="max-width: 100%;"></a></p>

<p>Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting <code>@dependabot rebase</code>.</p>

<hr>

<details>

<summary>Dependabot commands and options</summary>

<br>

<p>You can trigger Dependabot actions by commenting on this PR:</p>

<ul>

<li><code>@dependabot rebase</code> will rebase this PR</li>

<li><code>@dependabot recreate</code> will recreate this PR, overwriting any edits that have been made to it</li>

<li><code>@dependabot merge</code> will merge this PR after your CI passes on it</li>

<li><code>@dependabot squash and merge</code> will squash and merge this PR after your CI passes on it</li>

<li><code>@dependabot cancel merge</code> will cancel a previously requested merge and block automerging</li>

<li><code>@dependabot reopen</code> will reopen this PR if it is closed</li>

<li><code>@dependabot close</code> will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually</li>

<li><code>@dependabot ignore this major version</code> will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)</li>

<li><code>@dependabot ignore this minor version</code> will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)</li>

<li><code>@dependabot ignore this dependency</code> will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)<br>

You can disable automated security fix PRs for this repo from the <a href="https://github.com/openstreetmap/openstreetmap-website/network/alerts">Security Alerts page</a>.</li>

</ul>

</details>

<hr>

<h4>You can view, comment on, or merge this pull request online at:</h4>

<p>  <a href='https://github.com/openstreetmap/openstreetmap-website/pull/3330'>https://github.com/openstreetmap/openstreetmap-website/pull/3330</a></p>

<h4>Commit Summary</h4>

<ul>

  <li><a href="https://github.com/openstreetmap/openstreetmap-website/pull/3330/commits/2312dd902e96786649ad9289c425a22ec73fbd80">Bump nokogiri from 1.12.4 to 1.12.5</a></li>

</ul>

<h4>File Changes</h4>

<ul>

  <li>

    <strong>M</strong>

    <a href="https://github.com/openstreetmap/openstreetmap-website/pull/3330/files#diff-89cade48462044ee1b672dc5f4c3ec250fbd29effcd8932096a23c1283c6731f">Gemfile.lock</a>

    (2)

  </li>

</ul>

<h4>Patch Links:</h4>

<ul>

  <li><a href='https://github.com/openstreetmap/openstreetmap-website/pull/3330.patch'>https://github.com/openstreetmap/openstreetmap-website/pull/3330.patch</a></li>

  <li><a href='https://github.com/openstreetmap/openstreetmap-website/pull/3330.diff'>https://github.com/openstreetmap/openstreetmap-website/pull/3330.diff</a></li>

</ul>

<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br />You are receiving this because you are subscribed to this thread.<br />Reply to this email directly, <a href="https://github.com/openstreetmap/openstreetmap-website/pull/3330">view it on GitHub</a>, or <a href="https://github.com/notifications/unsubscribe-auth/AAK2OLI3QUOYODXBHDIL4ZLUEDJNVANCNFSM5E3NSN6Q">unsubscribe</a>.<br />Triage notifications on the go with GitHub Mobile for <a href="https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675">iOS</a> or <a href="https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub">Android</a>.

<img src="https://github.com/notifications/beacon/AAK2OLNLB2RDLU75IMALCIDUEDJNVA5CNFSM5E3NSN62YY3PNVWWK3TUL52HS4DFUVEXG43VMWVGG33NNVSW45C7NFSM4PA5ZZQQ.gif" height="1" width="1" alt="" /></p>

<script type="application/ld+json">[

{

"@context": "http://schema.org",

"@type": "EmailMessage",

"potentialAction": {

"@type": "ViewAction",

"target": "https://github.com/openstreetmap/openstreetmap-website/pull/3330",

"url": "https://github.com/openstreetmap/openstreetmap-website/pull/3330",

"name": "View Pull Request"

},

"description": "View this Pull Request on GitHub",

"publisher": {

"@type": "Organization",

"name": "GitHub",

"url": "https://github.com"

}

}

]</script>