Pin nokogiri >= 1.19.3 (GHSA-c4rq-3m3g-8wgx)

mokagio · claude · mokagio · commit bd9f96bb79af · 2026-05-08T06:23:10.000+10:00
Carries the fix for [GHSA-c4rq-3m3g-8wgx][advisory] (high-severity ReDoS in Nokogiri's CSS selector tokenizer; vulnerable `< 1.19.3`). This repo is on `fastlane-plugin-wpmreleasetoolkit ~> 13.8`, which predates the toolkit's own `nokogiri >= 1.19.3` floor (added in 14.4.1). Pinning explicitly here closes the gap until a future toolkit-major bump makes the pin redundant. [advisory]: GHSA-c4rq-3m3g-8wgx --- Generated with the help of Claude Code, https://claude.com/claude-code Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/Gemfile b/Gemfile
@@ -4,3 +4,8 @@ source 'https://rubygems.org'
 
 gem 'fastlane', '~> 2.230'
 gem 'fastlane-plugin-wpmreleasetoolkit', '~> 13.8'
+
+# Pinned to pull in the fix for GHSA-c4rq-3m3g-8wgx (CSS selector ReDoS).
+# Drop once `fastlane-plugin-wpmreleasetoolkit` moves to >= 14.4.1, whose
+# gemspec carries this floor transitively.
+gem 'nokogiri', '>= 1.19.3'
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -228,7 +228,7 @@ GEM
     nanaimo (0.4.0)
     naturally (2.3.0)
     nkf (0.2.0)
-    nokogiri (1.19.1)
+    nokogiri (1.19.3)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     octokit (6.1.1)
@@ -305,6 +305,7 @@ PLATFORMS
 DEPENDENCIES
   fastlane (~> 2.230)
   fastlane-plugin-wpmreleasetoolkit (~> 13.8)
+  nokogiri (>= 1.19.3)
 
 CHECKSUMS
   CFPropertyList (3.0.8) sha256=2c99d0d980536d3d7ab252f7bd59ac8be50fbdd1ff487c98c949bb66bb114261
@@ -388,7 +389,7 @@ CHECKSUMS
   nanaimo (0.4.0) sha256=faf069551bab17f15169c1f74a1c73c220657e71b6e900919897a10d991d0723
   naturally (2.3.0) sha256=459923cf76c2e6613048301742363200c3c7e4904c324097d54a67401e179e01
   nkf (0.2.0) sha256=fbc151bda025451f627fafdfcb3f4f13d0b22ae11f58c6d3a2939c76c5f5f126
-  nokogiri (1.19.1) sha256=598b327f36df0b172abd57b68b18979a6e14219353bca87180c31a51a00d5ad3
+  nokogiri (1.19.3) sha256=78312cbac32a40c812780d9678221b79d51288eec00054c1a8d15f7ce05960e8
   octokit (6.1.1) sha256=920e4a9d820205f70738f58de6a7e6ef0e2f25b27db954b5806a63105207b0bf
   options (2.3.2) sha256=32413a4b9e363234eed2eecfb2a1a9deb32810f72c54820a37a62f65b905c5e8
   optparse (0.8.1) sha256=42bea10d53907ccff4f080a69991441d611fbf8733b60ed1ce9ee365ce03bd1a
