dependabot[bot]
@dependabot dependabot bot commented on behalf of github Sep 28, 2021

Bumps nokogiri from 1.10.4 to 1.11.0.rc3.

Release notes

Sourced from nokogiri's releases.

v1.11.0.rc3 / 2020-09-08

To try out release candidates, use gem install --prerelease or gem install nokogiri -v1.11.0.rc3

If you're using bundler, try updating your Gemfile with:

gem "nokogiri", "~> 1.11.0.rc3"

Delta since v1.11.0.rc2:

Notes

Added precompiled native gem support for OSX/Darwin platform x86_64-darwin19.

Fixed

  • [Windows Visual C++] Fixed compiler warnings and errors. [#2061, #2068]

v1.11.0.rc2 / 2020-04-01

To try out release candidates, use gem install --prerelease. Latest is v1.11.0.rc2.

Delta since v1.11.0.rc1:

Notes

Note that the linux-native gems for v1.11.0.rc2 and later support musl systems (e.g., alpine).

Dependencies

Added

  • Add Node methods for manipulating keyword attributes (like class and rel): #kwattr_values, #kwattr_add, #kwattr_append, and #kwattr_remove. [#2000]

Fixed

  • The switch to turn off the CSS-to-XPath cache is now thread-local, rather than being shared mutable state. [#1935]

Removed

  • The internal method Nokogiri::CSS::Parser.cache_on= has been removed. Use .set_cache if you need to muck with the cache internals.

... (truncated)

Changelog

Sourced from nokogiri's changelog.

Nokogiri Changelog

Nokogiri follows Semantic Versioning; please see the README (https://github.com/sparklemotion/nokogiri/blob/main/README.md) for details.


next / unreleased

Dependencies

Improved

  • [CRuby] Handle abruptly-closed HTML comments as WHATWG recommends for browsers. (Thanks to HackerOne user tehryanx for reporting this!)
  • [CRuby] Node#line is no longer capped at 65535. libxml v2.9.0 and later support a new parse option, exposed as Nokogiri::XML::ParseOptions::PARSE_BIG_LINES and set in ParseOptions::DEFAULT_XML, ::DEFAULT_XSLT, ::DEFAULT_HTML, and ::DEFAULT_SCHEMA. (Note that JRuby never had this problem.) [#1764, #1493, #1617, #1505, #1003, #533]
  • [CRuby] If a cycle is introduced when reparenting a node (i.e., the node becomes its own ancestor), a RuntimeError is raised. libxml2 does no checking for this, which means cycles would otherwise result in infinite loops on subsequent operations. (Note: JRuby/Xerces already does this.) [#1912]

1.12.5 / 2021-09-27

Security

[JRuby] Address CVE-2021-41098 (GHSA-2rr5-8q37-2w7h).

In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parsers resolve external entities (XXE) by default. This fix turns off entity-resolution-by-default in the JRuby SAX parsers to match the CRuby SAX parsers' behavior.

CRuby users are not affected by this CVE.

Fixed

  • [CRuby] Document#to_xhtml properly serializes self-closing tags in libxml > 2.9.10. A behavior change introduced in libxml 2.9.11 resulted in emitting start and end tags (e.g., <br></br>) instead of a self-closing tag (e.g., <br/>) in previous Nokogiri versions. [#2324]

1.12.4 / 2021-08-29

Notable fix: Namespace inheritance

Namespace behavior when reparenting nodes has historically been poorly specified and the behavior diverged between CRuby and JRuby. As a result, making this behavior consistent in v1.12.0 introduced a breaking change.

This patch release reverts the Builder behavior present in v1.12.0..v1.12.3 but keeps the Document behavior. This release also introduces a Document attribute to allow affected users to easily change this behavior for their legacy code without invasive changes.

Compensating Feature in XML::Document

This release of Nokogiri introduces a new Document boolean attribute, namespace_inheritance, which controls whether children should inherit a namespace when they are reparented. Nokogiri::XML::Document defaults this attribute to false meaning "do not inherit," thereby making explicit the behavior change introduced in v1.12.0.

... (truncated)

Commits
  • 959db1d version bump to v1.11.0.rc3
  • 7b0c056 dev: update .hoerc to ignore issue- and sorbet-related temp dirs
  • 5c0fbfa Merge pull request #2073 from sparklemotion/2063-darwin-native-gem
  • ade7ec1 gem: verify_dll now checks for allowed references
  • 0a495a4 gem: verify_dll for darwin native gem libraries
  • 96de09f gem: improve verify_dll so linux does same checks as windows
  • d0befd1 dev: clean up CrossRuby and prepare for darwin verify_dll
  • 7d9b7ca dev: move dll staging path logic into CrossRuby
  • 1e6e972 dev: clean up verify_dll tests of native gem shared libraries
  • 94ecf99 gem: rake tasks for native darwin gem
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.10.4 to 1.11.0.rc3.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.10.4...v1.11.0.rc3)

---
updated-dependencies:
- dependency-name: nokogiri
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Sep 28, 2021
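
An added example, not part of this pull request or of Nokogiri's code: a lockfile check that compares each resolved nokogiri version against 1.12.5, the release the changelog above names as the fix for CVE-2021-41098. It assumes the `java` platform suffix in `Gemfile.lock` marks the JRuby build; the function name and the sample lockfile are constructed for illustration.

```ruby
require "rubygems"

# First release with entity resolution off by default in the JRuby SAX
# parsers, per the changelog entry for CVE-2021-41098 quoted above.
XXE_FIXED_IN = Gem::Version.new("1.12.5")

# Resolved spec lines are indented 4 spaces; dependency constraints listed
# under a spec are indented 6 and are skipped. A platform suffix, when
# present, follows the first "-" (assumption: "java" means the JRuby gem).
SPEC_LINE = /^ {4}nokogiri \(([^)\s\-]+)(?:-([^)\s]+))?\)$/

# Hypothetical helper: returns one hash per resolved nokogiri entry.
def nokogiri_lock_status(lock_text)
  lock_text.scan(SPEC_LINE).map do |version, platform|
    v = Gem::Version.new(version)
    platform ||= "ruby"
    status =
      if v >= XXE_FIXED_IN
        :patched
      elsif platform == "java"
        :jruby_sax_xxe_default        # affected: SAX parsers resolve entities
      else
        :below_fix_cruby_unaffected   # the CVE is JRuby-only
      end
    { version: version, platform: platform,
      prerelease: v.prerelease?, status: status }
  end
end

# Constructed lockfile excerpt for illustration (not taken from the PR).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.5.0)
      nokogiri (1.11.0.rc3)
        mini_portile2 (~> 2.5.0)
      nokogiri (1.11.0.rc3-java)

  PLATFORMS
    java
    ruby
LOCK

nokogiri_lock_status(SAMPLE_LOCK).each { |entry| puts entry.inspect }
```

Gem::Version orders 1.11.0.rc3 below 1.12.5, so the target of this bump is reported as a prerelease that predates the JRuby fix.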