🚨 [security] Update loofah: 2.2.2 → 2.2.3 (patch)

[depfu]

⚠️ No CI detected ⚠️

You don't seem to have any Continuous Integration service set up!

Without a service that will test the Depfu branches and pull requests, we can't inform you if incoming updates actually work with your app. We think that this degrades the service we're trying to provide down to a point where it is more or less meaningless.

This is fine if you just want to give Depfu a quick try. If you want to really let Depfu help you keep your app up-to-date, we recommend setting up a CI system:

• Our friends at Travis-CI provide excellent service.
• Circle CI are good, too, and have a free plan that will cover basic needs.
• If you use something like Jenkins, make sure that you're using the Github integration correctly so that it reports status data back to Github.
• If you have already set up a CI for this repository, you might need to check your configuration. Make sure it will run on all new branches. If you don’t want it to run on every branch, you can whitelist branches starting with depfu/.

It might be necessary to once deactivate and reactivate your project in Depfu for the CI service to be properly detected.

---

---

🚨 Your version of loofah has known security vulnerabilities 🚨

Advisory: CVE-2018-16468
Disclosed: October 30, 2018
URL: https://github.com/flavorjones/loofah/issues/154

Loofah XSS Vulnerability

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Loofah maintainers have evaluated this as Medium (CVSS3 6.4).

🚨 We recommend to merge and deploy this update as soon as possible! 🚨

---

We've updated a dependency and here is what you need to know:

name	version specification	old version	new version
loofah	indirect dependency	2.2.2	2.2.3

Additionally, the update changed a few other dependencies as well:

action	name	old version	new version
updated	nokogiri	1.8.4	1.8.5

You should probably take a good look at the info here and the test results before merging this pull request, of course.

What changed?

↗️ loofah (indirect, 2.2.2 → 2.2.3) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 5 commits:

• version bump to v2.2.3 and update CHANGELOG
• remove the svg animate attribute `from` from the allowlist
• add formatting to CHANGELOG
• updated mailing list to a new Google Group
• extract msword html data into an asset file

↗️ nokogiri (indirect, 1.8.4 → 1.8.5) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 11 commits:

• version bump to v1.8.5
• update changelog
• Merge branch 'fix-1773'
• Organize imports in XmlNode.java.
• Allow reparenting nodes to be a child of an empty document.
• Merge pull request #1786 from sparklemotion/1785-canonical-usns
• pull in upstream libxml2 patches
• changelog
• changelog
• remove `-Wextra` CFLAG
• add tests for pkg-config failure scenario

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #120.