I have a Ruby 2.5.1 application that uses Nokogiri 1.12.5. bundle audit says I should upgrade to Nokogiri 1.13.2, however "Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)" states:

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.13.2
The Wikipedia page for CRuby states that Ruby 2.x uses YARV as its interpreter rather than CRuby.
Am I right to conclude that my application is not vulnerable to this issue with Nokogiri?
Please note, I'm aware that Nokogiri 1.13.3 has since been released which reverts one of these fixes, and that I should be on a more up-to-date Ruby.
CodePudding user response:
You should upgrade nokogiri to the latest possible for your project, especially when dealing with security issues. There are some caveats to this particular advisory, so you might not be vulnerable, but when dealing with security it's better to be overly cautious.
The note on Wikipedia refers to the MRI CRuby implementation as opposed to the others (like jruby).
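As an added example (not code from the question, the answer, or the Nokogiri project), here is a small Ruby check that turns the advisory's two conditions into something you can run in the application's own environment. It uses only standard Ruby constants and library: RUBY_ENGINE is "ruby" on MRI/CRuby (YARV is the VM inside CRuby, not a separate implementation) and "jruby" on JRuby, and Gem::Version compares version strings numerically rather than lexically. The 1.13.2 threshold is the one the advisory on this page states; the function names are my own.

```ruby
# Added example: decide whether the CRuby-only "Nokogiri < 1.13.2" advisory
# quoted above applies to a given interpreter/version pair, and report the
# result for the interpreter this script is run under.
require "rubygems" # Gem::Version; ships with Ruby

# Version in which the advisory's fixes landed, as stated in the advisory text.
ADVISORY_FIXED_IN = Gem::Version.new("1.13.2")

# engine:  the value of RUBY_ENGINE ("ruby" for MRI/CRuby, "jruby" for JRuby)
# version: the Nokogiri::VERSION string
# Returns true when the advisory applies to that combination.
def advisory_applies?(engine, version)
  # JRuby's Nokogiri does not bundle libxml2/libxslt, so the packaged-library
  # advisory does not apply there; bundle audit alone cannot tell this apart.
  return false unless engine == "ruby"
  # Gem::Version gives a numeric compare: "1.13.10" > "1.13.2", "1.9.1" < "1.13.2".
  Gem::Version.new(version) < ADVISORY_FIXED_IN
end

# Inspect the running interpreter. Nokogiri is only consulted if it is
# installed; otherwise the version is nil and the verdict is :unknown.
def check_running_environment
  version =
    begin
      require "nokogiri"
      Nokogiri::VERSION
    rescue LoadError
      nil
    end
  {
    engine: RUBY_ENGINE,
    nokogiri: version,
    applies: version.nil? ? :unknown : advisory_applies?(RUBY_ENGINE, version)
  }
end

if __FILE__ == $PROGRAM_NAME
  # e.g. {:engine=>"ruby", :nokogiri=>"1.12.5", :applies=>true}
  puts check_running_environment.inspect
end
```

Run it with the same interpreter and Gemfile the application uses (`bundle exec ruby check.rb`), since the engine and the loaded Nokogiri version are properties of that environment, not of the source tree.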