Gradle plugin that creates FindBugs reports for android projects

Overview

Logo

findbugs-android

A Gradle plugin that creates FindBugs tasks for each variant of android application or library project

Project site: https://findbugs-android.chaitanyapramod.com

Why

In order to create FindBugs report for Android projects, you need to create FindBugs tasks and configure them by providing paths to source code, compiled classes and classpath. It can be troublesome since Android projects can have different flavors and build types, thus requiring additional paths to be set. This plugin provides those tasks already configured for you.

In addition, the plugin automatically excludes Generated classes from Android databinding library, android resource, Butterknife and Dagger 2. If you want more added to this list or want it configurable, open an issue.

Usage

Apply the plugin after the Android gradle plugin. The FindBugs tasks are already hooked to the check task.

buildscript {
  repositories {
    // ...
    jcenter()
  }
  dependencies {
    // ...
    classpath 'com.chaitanyapramod.gradle:findbugs-android:1.0'
  }
}

apply plugin: 'com.android.application'
apply plugin: 'com.chaitanyapramod.findbugs-android'

android {
  // ...
  productFlavors {
    free {}
    paid {}
  }
}

This would create the following Gradle tasks:

  • findbugsFreeDebug
  • findbugsFreeRelease
  • findbugsPaidDebug
  • findbugsPaidRelease

Note that running check task runs all these findbugs tasks as well.

Configuration

Use the standard findbugs extension to configure the FindBugs tasks

buildscript {
  repositories {
    // ...
    jcenter()
  }
  dependencies {
    // ...
    classpath 'com.chaitanyapramod.gradle:findbugs-android:1.0'
  }
}

apply plugin: 'com.android.application'
apply plugin: 'com.chaitanyapramod.findbugs-android'

findbugs {
  toolVersion '3.0.1'
  ignoreFailures true
  effort 'max'
  reportLevel 'high'
  excludeBugsFilter = file("$rootProject.projectDir/config/findbugs/excludeBugsFilter.xml")
}

android {
  // ...
  productFlavors {
    free {}
    paid {}
  }
}

Report Format

By default, XML reports are generated. You can add the following snippet to get HTML reports

tasks.withType(FindBugs) {
    reports {
        xml.enabled = false
        html.enabled = true
    }
}

Contributing

Contributers will find looking through sources of FindBugs, FindBugsExtension and FindBugsPlugin useful.

This plugin has been heavily inspired by jacoco-android-gradle-plugin

License

MIT License

Copyright (c) 2016 Chaitanya Pramod

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Comments
  • Logo/Icon Proposal

    Logo/Icon Proposal

    Greetings, Im a graphics designer here on Github and I would like to ask for your permission to design for your logo/icon that you maybe used for your future plans in your project. I want to help open source projects by designing logos or banners for there project. Thank you for your time reading this

    Best regards -jbeguna04

    opened by jbeguna04 9
  • Bump nokogiri from 1.8.2 to 1.13.6 in /docs

    Bump nokogiri from 1.8.2 to 1.13.6 in /docs

    Bumps nokogiri from 1.8.2 to 1.13.6.

    Release notes

    Sourced from nokogiri's releases.

    1.13.6 / 2022-05-08

    Security

    • [CRuby] Address CVE-2022-29181, improper handling of unexpected data types, related to untrusted inputs to the SAX parsers. See GHSA-xh29-r2w5-wx8m for more information.

    Improvements

    • {HTML4,XML}::SAX::{Parser,ParserContext} constructor methods now raise TypeError instead of segfaulting when an incorrect type is passed.

    sha256:

    58417c7c10f78cd1c0e1984f81538300d4ea98962cfd3f46f725efee48f9757a  nokogiri-1.13.6-aarch64-linux.gem
    a2b04ec3b1b73ecc6fac619b41e9fdc70808b7a653b96ec97d04b7a23f158dbc  nokogiri-1.13.6-arm64-darwin.gem
    4437f2d03bc7da8854f4aaae89e24a98cf5c8b0212ae2bc003af7e65c7ee8e27  nokogiri-1.13.6-java.gem
    99d3e212bbd5e80aa602a1f52d583e4f6e917ec594e6aa580f6aacc253eff984  nokogiri-1.13.6-x64-mingw-ucrt.gem
    a04f6154a75b6ed4fe2d0d0ff3ac02f094b54e150b50330448f834fa5726fbba  nokogiri-1.13.6-x64-mingw32.gem
    a13f30c2863ef9e5e11240dd6d69ef114229d471018b44f2ff60bab28327de4d  nokogiri-1.13.6-x86-linux.gem
    63a2ca2f7a4f6bd9126e1695037f66c8eb72ed1e1740ef162b4480c57cc17dc6  nokogiri-1.13.6-x86-mingw32.gem
    2b266e0eb18030763277b30dc3d64337f440191e2bd157027441ac56a59d9dfe  nokogiri-1.13.6-x86_64-darwin.gem
    3fa37b0c3b5744af45f9da3e4ae9cbd89480b35e12ae36b5e87a0452e0b38335  nokogiri-1.13.6-x86_64-linux.gem
    b1512fdc0aba446e1ee30de3e0671518eb363e75fab53486e99e8891d44b8587  nokogiri-1.13.6.gem
    

    1.13.5 / 2022-05-04

    Security

    Dependencies

    • [CRuby] Vendored libxml2 is updated from v2.9.13 to v2.9.14.

    Improvements

    • [CRuby] The libxml2 HTML4 parser no longer exhibits quadratic behavior when recovering some broken markup related to start-of-tag and bare < characters.

    Changed

    • [CRuby] The libxml2 HTML4 parser in v2.9.14 recovers from some broken markup differently. Notably, the XML CDATA escape sequence <![CDATA[ and incorrectly-opened comments will result in HTML text nodes starting with &lt;! instead of skipping the invalid tag. This behavior is a direct result of the quadratic-behavior fix noted above. The behavior of downstream sanitizers relying on this behavior will also change. Some tests describing the changed behavior are in test/html4/test_comments.rb.

    ... (truncated)

    Changelog

    Sourced from nokogiri's changelog.

    1.13.6 / 2022-05-08

    Security

    • [CRuby] Address CVE-2022-29181, improper handling of unexpected data types, related to untrusted inputs to the SAX parsers. See GHSA-xh29-r2w5-wx8m for more information.

    Improvements

    • {HTML4,XML}::SAX::{Parser,ParserContext} constructor methods now raise TypeError instead of segfaulting when an incorrect type is passed.

    1.13.5 / 2022-05-04

    Security

    Dependencies

    • [CRuby] Vendored libxml2 is updated from v2.9.13 to v2.9.14.

    Improvements

    • [CRuby] The libxml2 HTML parser no longer exhibits quadratic behavior when recovering some broken markup related to start-of-tag and bare < characters.

    Changed

    • [CRuby] The libxml2 HTML parser in v2.9.14 recovers from some broken markup differently. Notably, the XML CDATA escape sequence <![CDATA[ and incorrectly-opened comments will result in HTML text nodes starting with &lt;! instead of skipping the invalid tag. This behavior is a direct result of the quadratic-behavior fix noted above. The behavior of downstream sanitizers relying on this behavior will also change. Some tests describing the changed behavior are in test/html4/test_comments.rb.

    1.13.4 / 2022-04-11

    Security

    Dependencies

    • [CRuby] Vendored zlib is updated from 1.2.11 to 1.2.12. (See LICENSE-DEPENDENCIES.md for details on which packages redistribute this library.)
    • [JRuby] Vendored Xerces-J (xerces:xercesImpl) is updated from 2.12.0 to 2.12.2.
    • [JRuby] Vendored nekohtml (org.cyberneko.html) is updated from a fork of 1.9.21 to 1.9.22.noko2. This fork is now publicly developed at https://github.com/sparklemotion/nekohtml

    ... (truncated)

    Commits
    • b7817b6 version bump to v1.13.6
    • 61b1a39 Merge pull request #2530 from sparklemotion/flavorjones-check-parse-memory-ty...
    • 83cc451 fix: {HTML4,XML}::SAX::{Parser,ParserContext} check arg types
    • 22c9e5b version bump to v1.13.5
    • 6155881 doc: update CHANGELOG for v1.13.5
    • c519a47 Merge pull request #2527 from sparklemotion/2525-update-libxml-2_9_14-v1_13_x
    • 66c2886 dep: update libxml2 to v2.9.14
    • b7c4cc3 test: unpend the LIBXML_LOADED_VERSION test on freebsd
    • eac7934 dev: require yaml
    • f3521ba style(rubocop): pend Style/FetchEnvVar for now
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 1
  • Bump nokogiri from 1.8.2 to 1.13.4 in /docs

    Bump nokogiri from 1.8.2 to 1.13.4 in /docs

    Bumps nokogiri from 1.8.2 to 1.13.4.

    Release notes

    Sourced from nokogiri's releases.

    1.13.4 / 2022-04-11

    Security

    Dependencies

    • [CRuby] Vendored zlib is updated from 1.2.11 to 1.2.12. (See LICENSE-DEPENDENCIES.md for details on which packages redistribute this library.)
    • [JRuby] Vendored Xerces-J (xerces:xercesImpl) is updated from 2.12.0 to 2.12.2.
    • [JRuby] Vendored nekohtml (org.cyberneko.html) is updated from a fork of 1.9.21 to 1.9.22.noko2. This fork is now publicly developed at https://github.com/sparklemotion/nekohtml

    sha256sum:

    095ff1995ed3dda3ea98a5f08bdc54bef02be1ce4e7c81034c4812e5e7c6e7e3  nokogiri-1.13.4-aarch64-linux.gem
    7ebfc7415c819bcd4e849627e879cef2fb328bec90e802e50d74ccd13a60ec75  nokogiri-1.13.4-arm64-darwin.gem
    41efd87c121991de26ef0393ac713d687e539813c3b79e454a2e3ffeecd107ea  nokogiri-1.13.4-java.gem
    ab547504692ada0cec9d2e4e15afab659677c3f4c1ac3ea639bf5212b65246a1  nokogiri-1.13.4-x64-mingw-ucrt.gem
    fa5c64cfdb71642ed647428e4d0d75ee0f4d189cfb63560c66fd8bdf99eb146b  nokogiri-1.13.4-x64-mingw32.gem
    d6f07cbcbc28b75e8ac5d6e729ffba3602dffa0ad16ffac2322c9b4eb9b971fc  nokogiri-1.13.4-x86-linux.gem
    0f7a4fd13e25abe3f98663fef0d115d58fdeff62cf23fef12d368e42adad2ce6  nokogiri-1.13.4-x86-mingw32.gem
    3eef282f00ad360304fbcd5d72eb1710ff41138efda9513bb49eec832db5fa3e  nokogiri-1.13.4-x86_64-darwin.gem
    3978610354ec67b59c128d23259c87b18374ee1f61cb9ed99de7143a88e70204  nokogiri-1.13.4-x86_64-linux.gem
    0d46044eb39271e3360dae95ed6061ce17bc0028d475651dc48db393488c83bc  nokogiri-1.13.4.gem
    

    1.13.3 / 2022-02-21

    Fixed

    • [CRuby] Revert a HTML4 parser bug in libxml 2.9.13 (introduced in Nokogiri v1.13.2). The bug causes libxml2's HTML4 parser to fail to recover when encountering a bare < character in some contexts. This version of Nokogiri restores the earlier behavior, which is to recover from the parse error and treat the < as normal character data (which will be serialized as &lt; in a text node). The bug (and the fix) is only relevant when the RECOVER parse option is set, as it is by default. [#2461]

    SHA256 checksums:

    025a4e333f6f903072a919f5f75b03a8f70e4969dab4280375b73f9d8ff8d2c0  nokogiri-1.13.3-aarch64-linux.gem
    b9cb59c6a6da8cf4dbee5dbb569c7cc95a6741392e69053544e0f40b15ab9ad5  nokogiri-1.13.3-arm64-darwin.gem
    e55d18cee64c19d51d35ad80634e465dbcdd46ac4233cb42c1e410307244ebae  nokogiri-1.13.3-java.gem
    53e2d68116cd00a873406b8bdb90c78a6f10e00df7ddf917a639ac137719b67b  nokogiri-1.13.3-x64-mingw-ucrt.gem
    b5f39ebb662a1be7d1c61f8f0a2a683f1bb11690a6f00a99a1aa23a071f80145  nokogiri-1.13.3-x64-mingw32.gem
    7c0de5863aace4bbbc73c4766cf084d1f0b7a495591e46d1666200cede404432  nokogiri-1.13.3-x86-linux.gem
    </tr></table> 
    

    ... (truncated)

    Changelog

    Sourced from nokogiri's changelog.

    1.13.4 / 2022-04-11

    Security

    Dependencies

    • [CRuby] Vendored zlib is updated from 1.2.11 to 1.2.12. (See LICENSE-DEPENDENCIES.md for details on which packages redistribute this library.)
    • [JRuby] Vendored Xerces-J (xerces:xercesImpl) is updated from 2.12.0 to 2.12.2.
    • [JRuby] Vendored nekohtml (org.cyberneko.html) is updated from a fork of 1.9.21 to 1.9.22.noko2. This fork is now publicly developed at https://github.com/sparklemotion/nekohtml

    1.13.3 / 2022-02-21

    Fixed

    • [CRuby] Revert a HTML4 parser bug in libxml 2.9.13 (introduced in Nokogiri v1.13.2). The bug causes libxml2's HTML4 parser to fail to recover when encountering a bare < character in some contexts. This version of Nokogiri restores the earlier behavior, which is to recover from the parse error and treat the < as normal character data (which will be serialized as &lt; in a text node). The bug (and the fix) is only relevant when the RECOVER parse option is set, as it is by default. [#2461]

    1.13.2 / 2022-02-21

    Security

    • [CRuby] Vendored libxml2 is updated from 2.9.12 to 2.9.13. This update addresses CVE-2022-23308.
    • [CRuby] Vendored libxslt is updated from 1.1.34 to 1.1.35. This update addresses CVE-2021-30560.

    Please see GHSA-fq42-c5rg-92c2 for more information about these CVEs.

    Dependencies

    1.13.1 / 2022-01-13

    Fixed

    • Fix Nokogiri::XSLT.quote_params regression in v1.13.0 that raised an exception when non-string stylesheet parameters were passed. Non-string parameters (e.g., integers and symbols) are now explicitly supported and both keys and values will be stringified with #to_s. [#2418]
    • Fix CSS selector query regression in v1.13.0 that raised an Nokogiri::XML::XPath::SyntaxError when parsing XPath attributes mixed into the CSS query. Although this mash-up of XPath and CSS syntax previously worked unintentionally, it is now an officially supported feature and is documented as such. [#2419]

    1.13.0 / 2022-01-06

    ... (truncated)

    Commits
    • 4e2c4b2 version bump to v1.13.4
    • 6a20ee4 Merge pull request #2510 from sparklemotion/flavorjones-encoding-reader-perfo...
    • b848031 Merge pull request #2509 from sparklemotion/flavorjones-parse-processing-inst...
    • c0ecf3b test: pend the LIBXML_LOADED_VERSION test on freebsd
    • e444525 fix(perf): HTML4::EncodingReader detection
    • 1eb5580 style(rubocop): allow intentional use of empty initializer
    • 0feac5a fix(dep): HTML parsing of processing instructions
    • db72b90 test: recent nekohtml versions do not consider 'a' to be inline
    • 2af2a87 style(rubocop): allow intentional use of empty initializer
    • ba7a28c Merge pull request #2499 from sparklemotion/2441-xerces-2.12.2-backport-v1.13.x
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 1
  • Bump nokogiri from 1.8.2 to 1.13.3 in /docs

    Bump nokogiri from 1.8.2 to 1.13.3 in /docs

    Bumps nokogiri from 1.8.2 to 1.13.3.

    Release notes

    Sourced from nokogiri's releases.

    1.13.3 / 2022-02-21

    Fixed

    • [CRuby] Revert a HTML4 parser bug in libxml 2.9.13 (introduced in Nokogiri v1.13.2). The bug causes libxml2's HTML4 parser to fail to recover when encountering a bare < character in some contexts. This version of Nokogiri restores the earlier behavior, which is to recover from the parse error and treat the < as normal character data (which will be serialized as &lt; in a text node). The bug (and the fix) is only relevant when the RECOVER parse option is set, as it is by default. [#2461]

    SHA256 checksums:

    025a4e333f6f903072a919f5f75b03a8f70e4969dab4280375b73f9d8ff8d2c0  nokogiri-1.13.3-aarch64-linux.gem
    b9cb59c6a6da8cf4dbee5dbb569c7cc95a6741392e69053544e0f40b15ab9ad5  nokogiri-1.13.3-arm64-darwin.gem
    e55d18cee64c19d51d35ad80634e465dbcdd46ac4233cb42c1e410307244ebae  nokogiri-1.13.3-java.gem
    53e2d68116cd00a873406b8bdb90c78a6f10e00df7ddf917a639ac137719b67b  nokogiri-1.13.3-x64-mingw-ucrt.gem
    b5f39ebb662a1be7d1c61f8f0a2a683f1bb11690a6f00a99a1aa23a071f80145  nokogiri-1.13.3-x64-mingw32.gem
    7c0de5863aace4bbbc73c4766cf084d1f0b7a495591e46d1666200cede404432  nokogiri-1.13.3-x86-linux.gem
    675cc3e7d7cca0d6790047a062cd3aa3eab59e3cb9b19374c34f98bade588c66  nokogiri-1.13.3-x86-mingw32.gem
    f445596a5a76941a9d1980747535ab50d3399d1b46c32989bc26b7dd988ee498  nokogiri-1.13.3-x86_64-darwin.gem
    3f6340661c2a283b337d227ea224f859623775b2f5c09a6bf197b786563958df  nokogiri-1.13.3-x86_64-linux.gem
    bf1b1bceff910abb0b7ad825535951101a0361b859c2ad1be155c010081ecbdc  nokogiri-1.13.3.gem
    

    1.13.2 / 2022-02-21

    Security

    • [CRuby] Vendored libxml2 is updated from 2.9.12 to 2.9.13. This update addresses CVE-2022-23308.
    • [CRuby] Vendored libxslt is updated from 1.1.34 to 1.1.35. This update addresses CVE-2021-30560.

    Please see GHSA-fq42-c5rg-92c2 for more information about these CVEs.

    Dependencies


    SHA256 checksums:

    63469a9bb56a21c62fbaea58d15f54f8f167ff6fde51c5c2262072f939926fdd  nokogiri-1.13.2-aarch64-linux.gem
    2986617f982f645c06f22515b721e6d2613dd69493e5c41ddd03c4830c3b3065  nokogiri-1.13.2-arm64-darwin.gem
    aca1d66206740b29d0d586b1d049116adcb31e6cdd7c4dd3a96eb77da215a0c4  nokogiri-1.13.2-java.gem
    b9e4eea1a200d9a927a5bc7d662c427e128779cba0098ea49ddbdb3ffc3ddaec  nokogiri-1.13.2-x64-mingw-ucrt.gem
    48d5493fec495867c5516a908a068c1387a1d17c5aeca6a1c98c089d9d9fdcf8  nokogiri-1.13.2-x64-mingw32.gem
    62034d7aaaa83fbfcb8876273cc5551489396841a66230d3200b67919ef76cf9  nokogiri-1.13.2-x86-linux.gem
    e07237b82394017c2bfec73c637317ee7dbfb56e92546151666abec551e46d1d  nokogiri-1.13.2-x86-mingw32.gem
    </tr></table> 
    

    ... (truncated)

    Changelog

    Sourced from nokogiri's changelog.

    1.13.3 / 2022-02-21

    Fixed

    • [CRuby] Revert a HTML4 parser bug in libxml 2.9.13 (introduced in Nokogiri v1.13.2). The bug causes libxml2's HTML4 parser to fail to recover when encountering a bare < character in some contexts. This version of Nokogiri restores the earlier behavior, which is to recover from the parse error and treat the < as normal character data (which will be serialized as &lt; in a text node). The bug (and the fix) is only relevant when the RECOVER parse option is set, as it is by default. [#2461]

    1.13.2 / 2022-02-21

    Security

    • [CRuby] Vendored libxml2 is updated from 2.9.12 to 2.9.13. This update addresses CVE-2022-23308.
    • [CRuby] Vendored libxslt is updated from 1.1.34 to 1.1.35. This update addresses CVE-2021-30560.

    Please see GHSA-fq42-c5rg-92c2 for more information about these CVEs.

    Dependencies

    1.13.1 / 2022-01-13

    Fixed

    • Fix Nokogiri::XSLT.quote_params regression in v1.13.0 that raised an exception when non-string stylesheet parameters were passed. Non-string parameters (e.g., integers and symbols) are now explicitly supported and both keys and values will be stringified with #to_s. [#2418]
    • Fix CSS selector query regression in v1.13.0 that raised an Nokogiri::XML::XPath::SyntaxError when parsing XPath attributes mixed into the CSS query. Although this mash-up of XPath and CSS syntax previously worked unintentionally, it is now an officially supported feature and is documented as such. [#2419]

    1.13.0 / 2022-01-06

    Notes

    Ruby

    This release introduces native gem support for Ruby 3.1. Please note that Windows users should use the x64-mingw-ucrt platform gem for Ruby 3.1, and x64-mingw32 for Ruby 2.6–3.0 (see RubyInstaller 3.1.0 release notes).

    This release ends support for:

    Faster, more reliable installation: Native Gem for ARM64 Linux

    This version of Nokogiri ships experimental native gem support for the aarch64-linux platform, which should support AWS Graviton and other ARM Linux platforms. We don't yet have CI running for this platform, and so we're interested in hearing back from y'all whether this is working, and what problems you're seeing. Please send us feedback here: Feedback: Have you used the aarch64-linux native gem?

    ... (truncated)

    Commits
    • 7d74ced version bump to v1.13.3
    • 5970fd9 fix: revert libxml2 regression with HTML4 recovery
    • 49b8663 version bump to v1.13.2
    • 4729133 Merge pull request #2457 from sparklemotion/flavorjones-libxml-2.9.13-v1.13.x
    • 379f757 dev(package): work around gnome mirrors with expired certs
    • 95cf66c dep: upgrade libxml2 2.9.12 → 2.9.13
    • d37dd02 dep: upgrade libxslt 1.1.34 → 1.1.35
    • 59a9398 dep: upgrade mini_portile 2.7 to 2.8
    • e885463 dev(package): handle either .tar.gz or .tar.xz archive names
    • 7957c7b style: rubocop
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 1
  • Bump nokogiri from 1.8.2 to 1.12.5 in /docs

    Bump nokogiri from 1.8.2 to 1.12.5 in /docs

    Bumps nokogiri from 1.8.2 to 1.12.5.

    Release notes

    Sourced from nokogiri's releases.

    1.12.5 / 2021-09-27

    Security

    [JRuby] Address CVE-2021-41098 (GHSA-2rr5-8q37-2w7h).

    In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parsers resolve external entities (XXE) by default. This fix turns off entity-resolution-by-default in the JRuby SAX parsers to match the CRuby SAX parsers' behavior.

    CRuby users are not affected by this CVE.

    Fixed

    • [CRuby] Document#to_xhtml properly serializes self-closing tags in libxml > 2.9.10. A behavior change introduced in libxml 2.9.11 resulted in emitting start and and tags (e.g., <br></br>) instead of a self-closing tag (e.g., <br/>) in previous Nokogiri versions. [#2324]

    SHA256 checksums:

    36bfa3a07aced069b3f3c9b39d9fb62cb0728d284d02b079404cd55780beaeff  nokogiri-1.12.5-arm64-darwin.gem
    16b1a9ddbb70a9c998462912a5972097cbc79c3e01eb373906886ef8a469f589  nokogiri-1.12.5-java.gem
    218dcc6edd1b49cc6244b5f88afb978739bb2f3f166c271557fe5f51e4bc713c  nokogiri-1.12.5-x64-mingw32.gem
    e33bb919d64c16d931a5f26dc880969e587d225cfa97e6b56e790fb52179f527  nokogiri-1.12.5-x86-linux.gem
    e13c2ed011b8346fbd589e96fe3542d763158bc2c7ad0f4f55f6d801afd1d9ff  nokogiri-1.12.5-x86-mingw32.gem
    1ed64f7db7c1414b87fce28029f2a10128611d2037e0871ba298d00f9a00edd6  nokogiri-1.12.5-x86_64-darwin.gem
    0868c8d0a147904d4dedaaa05af5f06656f2d3c67e4432601718559bf69d6cea  nokogiri-1.12.5-x86_64-linux.gem
    2b20905942acc580697c8c496d0d1672ab617facb9d30d156b3c7676e67902ec  nokogiri-1.12.5.gem
    

    1.12.4 / 2021-08-29

    Notable fix: Namespace inheritance

    Namespace behavior when reparenting nodes has historically been poorly specified and the behavior diverged between CRuby and JRuby. As a result, making this behavior consistent in v1.12.0 introduced a breaking change.

    This patch release reverts the Builder behavior present in v1.12.0..v1.12.3 but keeps the Document behavior. This release also introduces a Document attribute to allow affected users to easily change this behavior for their legacy code without invasive changes.

    Compensating Feature in XML::Document

    This release of Nokogiri introduces a new Document boolean attribute, namespace_inheritance, which controls whether children should inherit a namespace when they are reparented. Nokogiri::XML:Document defaults this attribute to false meaning "do not inherit," thereby making explicit the behavior change introduced in v1.12.0.

    CRuby users who desire the pre-v1.12.0 behavior may set document.namespace_inheritance = true before reparenting nodes.

    See https://nokogiri.org/rdoc/Nokogiri/XML/Document.html#namespace_inheritance-instance_method for example usage.

    Fix for XML::Builder

    ... (truncated)

    Changelog

    Sourced from nokogiri's changelog.

    1.12.5 / 2021-09-27

    Security

    [JRuby] Address CVE-2021-41098 (GHSA-2rr5-8q37-2w7h).

    In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parsers resolve external entities (XXE) by default. This fix turns off entity-resolution-by-default in the JRuby SAX parsers to match the CRuby SAX parsers' behavior.

    CRuby users are not affected by this CVE.

    Fixed

    • [CRuby] Document#to_xhtml properly serializes self-closing tags in libxml > 2.9.10. A behavior change introduced in libxml 2.9.11 resulted in emitting start and and tags (e.g., <br></br>) instead of a self-closing tag (e.g., <br/>) in previous Nokogiri versions. [#2324]

    1.12.4 / 2021-08-29

    Notable fix: Namespace inheritance

    Namespace behavior when reparenting nodes has historically been poorly specified and the behavior diverged between CRuby and JRuby. As a result, making this behavior consistent in v1.12.0 introduced a breaking change.

    This patch release reverts the Builder behavior present in v1.12.0..v1.12.3 but keeps the Document behavior. This release also introduces a Document attribute to allow affected users to easily change this behavior for their legacy code without invasive changes.

    Compensating Feature in XML::Document

    This release of Nokogiri introduces a new Document boolean attribute, namespace_inheritance, which controls whether children should inherit a namespace when they are reparented. Nokogiri::XML:Document defaults this attribute to false meaning "do not inherit," thereby making explicit the behavior change introduced in v1.12.0.

    CRuby users who desire the pre-v1.12.0 behavior may set document.namespace_inheritance = true before reparenting nodes.

    See https://nokogiri.org/rdoc/Nokogiri/XML/Document.html#namespace_inheritance-instance_method for example usage.

    Fix for XML::Builder

    However, recognizing that we want Builder-created children to inherit namespaces, Builder now will set namespace_inheritance=true on the underlying document for both JRuby and CRuby. This means that, on CRuby, the pre-v1.12.0 behavior is restored.

    Users who want to turn this behavior off may pass a keyword argument to the Builder constructor like so:

    Nokogiri::XML::Builder.new(namespace_inheritance: false)
    

    See https://nokogiri.org/rdoc/Nokogiri/XML/Builder.html#label-Namespace+inheritance for example usage.

    Downstream gem maintainers

    Note that any downstream gems may want to specifically omit Nokogiri v1.12.0--v1.12.3 from their dependency specification if they rely on child namespace inheritance:

    ... (truncated)

    Commits
    • 47f6a46 version bump to v1.12.5
    • 2a0ac88 update CHANGELOG
    • 6b60637 Merge pull request #2329 from sparklemotion/flavorjones-GHSA-2rr5-8q37-2w7h_1...
    • 4bd943c fix(jruby): SAX parser uses an entity resolver
    • f943ee4 refactor(jruby): handle errors more consistently
    • 2790122 format: test files
    • 01e1618 Merge pull request #2327 from sparklemotion/2324-xhtml-self-closing-tags_v1.12.x
    • a0180c7 fix: HTML4::Document.to_xhtml self-closing tags
    • 564ac17 release v1.12.4
    • 4d5754b backport #2320
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 1
  • Bump addressable from 2.5.2 to 2.8.0 in /docs

    Bump addressable from 2.5.2 to 2.8.0 in /docs

    Bumps addressable from 2.5.2 to 2.8.0.

    Changelog

    Sourced from addressable's changelog.

    Addressable 2.8.0

    • fixes ReDoS vulnerability in Addressable::Template#match
    • no longer replaces + with spaces in queries for non-http(s) schemes
    • fixed encoding ipv6 literals
    • the :compacted flag for normalized_query now dedupes parameters
    • fix broken escape_component alias
    • dropping support for Ruby 2.0 and 2.1
    • adding Ruby 3.0 compatibility for development tasks
    • drop support for rack-mount and remove Addressable::Template#generate
    • performance improvements
    • switch CI/CD to GitHub Actions

    Addressable 2.7.0

    • added :compacted flag to normalized_query
    • heuristic_parse handles mailto: more intuitively
    • dropped explicit support for JRuby 9.0.5.0
    • compatibility w/ public_suffix 4.x
    • performance improvements

    Addressable 2.6.0

    • added tld= method to allow assignment to the public suffix
    • most heuristic_parse patterns are now case-insensitive
    • heuristic_parse handles more file:// URI variations
    • fixes bug in heuristic_parse when uri starts with digit
    • fixes bug in request_uri= with query strings
    • fixes template issues with nil and ? operator
    • frozen_string_literal pragmas added
    • minor performance improvements in regexps
    • fixes to eliminate warnings
    Commits
    • 6469a23 Updating gemspec again
    • 2433638 Merge branch 'main' of github.com:sporkmonger/addressable into main
    • e9c76b8 Merge pull request #378 from ashmaroli/flat-map
    • 56c5cf7 Update the gemspec
    • c1fed1c Require a non-vulnerable rake
    • 0d8a312 Adding note about ReDoS vulnerability
    • 89c7613 Merge branch 'template-regexp' into main
    • cf8884f Note about alias fix
    • bb03f71 Merge pull request #371 from charleystran/add_missing_encode_component_doc_entry
    • 6d1d809 Adding note about :compacted normalization
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 1
  • Bump nokogiri from 1.8.2 to 1.11.4 in /docs

    Bump nokogiri from 1.8.2 to 1.11.4 in /docs

    Bumps nokogiri from 1.8.2 to 1.11.4.

    Release notes

    Sourced from nokogiri's releases.

    1.11.4 / 2021-05-14

    Security

    [CRuby] Vendored libxml2 upgraded to v2.9.12 which addresses:

    Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

    Please see nokogiri/GHSA-7rrm-v45f-jp64 or #2233 for a more complete analysis of these CVEs and patches.

    Dependencies

    • [CRuby] vendored libxml2 is updated from 2.9.10 to 2.9.12. (Note that 2.9.11 was skipped because it was superseded by 2.9.12 a few hours after its release.)

    1.11.3 / 2021-04-07

    Fixed

    • [CRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this likely segfaulted. [#1900]
    • [JRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this raised a TypeError exception.
    • [CRuby] arm64/aarch64 systems (like Apple's M1) can now compile libxml2 and libxslt from source (though we continue to strongly advise users to install the native gems for the best possible experience)

    1.11.2 / 2021-03-11

    Fixed

    • [CRuby] NodeSet may now safely contain Node objects from multiple documents. Previously the GC lifecycle of the parent Document objects could lead to nodes being GCed while still in scope. [#1952]
    • [CRuby] Patch libxml2 to avoid "huge input lookup" errors on large CDATA elements. (See upstream GNOME/libxml2#200 and GNOME/libxml2!100.) [#2132].
    • [CRuby+Windows] Enable Nokogumbo (and other downstream gems) to compile and link against nokogiri.so by including LDFLAGS in Nokogiri::VERSION_INFO. [#2167]
    • [CRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was invoked twice on each object.
    • [JRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was not called, which was a problem for subclassing such as done by Loofah.

    Improved

    • Reduce the number of object allocations needed when parsing an HTML::DocumentFragment. [#2087] (Thanks, @​ashmaroli!)
    • [JRuby] Update the algorithm used to calculate Node#line to be wrong less-often. The underlying parser, Xerces, does not track line numbers, and so we've always used a hacky solution for this method. [#1223, #2177]
    • Introduce --enable-system-libraries and --disable-system-libraries flags to extconf.rb. These flags provide the same functionality as --use-system-libraries and the NOKOGIRI_USE_SYSTEM_LIBRARIES environment variable, but are more idiomatic. [#2193] (Thanks, @​eregon!)
    • [TruffleRuby] --disable-static is now the default on TruffleRuby when the packaged libraries are used. This is more flexible and compiles faster. (Note, though, that the default on TR is still to use system libraries.) [#2191, #2193] (Thanks, @​eregon!)

    ... (truncated)

    Changelog

    Sourced from nokogiri's changelog.

    1.11.4 / 2021-05-14

    Security

    [CRuby] Vendored libxml2 upgraded to v2.9.12 which addresses:

    Note that two additional CVEs were addressed upstream but are not relevant to this release. CVE-2021-3516 via xmllint is not present in Nokogiri, and CVE-2020-7595 has been patched in Nokogiri since v1.10.8 (see #1992).

    Please see nokogiri/GHSA-7rrm-v45f-jp64 or #2233 for a more complete analysis of these CVEs and patches.

    Dependencies

    • [CRuby] vendored libxml2 is updated from 2.9.10 to 2.9.12. (Note that 2.9.11 was skipped because it was superseded by 2.9.12 a few hours after its release.)

    1.11.3 / 2021-04-07

    Fixed

    • [CRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this likely segfaulted. [#1900]
    • [JRuby] Passing non-Node objects to Document#root= now raises an ArgumentError exception. Previously this raised a TypeError exception.
    • [CRuby] arm64/aarch64 systems (like Apple's M1) can now compile libxml2 and libxslt from source (though we continue to strongly advise users to install the native gems for the best possible experience)

    1.11.2 / 2021-03-11

    Fixed

    • [CRuby] NodeSet may now safely contain Node objects from multiple documents. Previously the GC lifecycle of the parent Document objects could lead to nodes being GCed while still in scope. [#1952]
    • [CRuby] Patch libxml2 to avoid "huge input lookup" errors on large CDATA elements. (See upstream GNOME/libxml2#200 and GNOME/libxml2!100.) [#2132].
    • [CRuby+Windows] Enable Nokogumbo (and other downstream gems) to compile and link against nokogiri.so by including LDFLAGS in Nokogiri::VERSION_INFO. [#2167]
    • [CRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was invoked twice on each object.
    • [JRuby] {XML,HTML}::Document.parse now invokes #initialize exactly once. Previously #initialize was not called, which was a problem for subclassing such as done by Loofah.

    Improved

    • Reduce the number of object allocations needed when parsing an HTML::DocumentFragment. [#2087] (Thanks, @​ashmaroli!)
    • [JRuby] Update the algorithm used to calculate Node#line to be wrong less-often. The underlying parser, Xerces, does not track line numbers, and so we've always used a hacky solution for this method. [#1223, #2177]
    • Introduce --enable-system-libraries and --disable-system-libraries flags to extconf.rb. These flags provide the same functionality as --use-system-libraries and the NOKOGIRI_USE_SYSTEM_LIBRARIES environment variable, but are more idiomatic. [#2193] (Thanks, @​eregon!)
    • [TruffleRuby] --disable-static is now the default on TruffleRuby when the packaged libraries are used. This is more flexible and compiles faster. (Note, though, that the default on TR is still to use system libraries.) [#2191, #2193] (Thanks, @​eregon!)

    ... (truncated)

    Commits
    • 9d69b44 version bump to v1.11.4
    • 058e87f update CHANGELOG with complete CVE information
    • 9285251 Merge pull request #2234 from sparklemotion/2233-upgrade-to-libxml-2-9-12
    • 5436f61 update CHANGELOG
    • 761d320 patch: renumber libxml2 patches
    • 889ee2a test: update behavior of namespaces in HTML
    • 9751d85 test: remove low-value HTML::SAX::PushParser encoding test
    • 9fcb7d2 test: adjust xpath gc test to libxml2's max recursion depth
    • 1c99019 patch: backport libxslt configure.ac change for libxml2 config
    • 82a253f patch: fix isnan/isinf patch to apply cleanly to libxml 2.9.12
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 1
  • Bump nokogiri from 1.8.2 to 1.10.8 in /docs

    Bump nokogiri from 1.8.2 to 1.10.8 in /docs

    Bumps nokogiri from 1.8.2 to 1.10.8.

    Release notes

    Sourced from nokogiri's releases.

    1.10.8 / 2020-02-10

    Security

    [MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.

    1.10.7 / 2019-12-03

    Bug

    • [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. #1954

    1.10.6 / 2019-12-03

    Bug

    • [MRI] Fix FreeBSD installation of vendored libxml2. [#1941, #1953] (Thanks, @​nurse!)

    1.10.5 / 2019-10-31

    Dependencies

    • [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
    • [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

    1.10.4 / 2019-08-11

    Security

    Address CVE-2019-5477 (#1915)

    A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

    This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

    This CVE's public notice is sparklemotion/nokogiri#1915

    1.10.3 / 2019-04-22

    Security Notes

    ... (truncated)
    Changelog

    Sourced from nokogiri's changelog.

    1.10.8 / 2020-02-10

    Security

    [MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.

    1.10.7 / 2019-12-03

    Fixed

    • [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. [#1954]

    1.10.6 / 2019-12-03

    Fixed

    1.10.5 / 2019-10-31

    Security

    [MRI] Vendored libxslt upgraded to v1.1.34 which addresses three CVEs for libxslt:

    • CVE-2019-13117
    • CVE-2019-13118
    • CVE-2019-18197
    • CVE-2019-19956

    More details are available at #1943.

    Dependencies

    • [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
    • [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

    1.10.4 / 2019-08-11

    Security

    Address CVE-2019-5477 (#1915).

    A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

    This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

    ... (truncated)
    Commits
    • 6ce10d1 version bump to v1.10.8
    • 2320f5b update CHANGELOG for v1.10.8
    • 4a77fdb remove patches from the hoe Manifest
    • 570b6cb update to use rake-compiler ~1.1.0
    • 2cdb68e backport libxml2 patch for CVE-2020-7595
    • e6b3229 version bump to v1.10.7
    • 4f9d443 update CHANGELOG
    • 80e67ef Fix the patch from #1953 to work with both git and patch
    • 7cf1b85 Fix typo in generated metadata
    • d76180d add gem metadata
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 1
  • Bump nokogiri from 1.8.2 to 1.10.4 in /docs

    Bump nokogiri from 1.8.2 to 1.10.4 in /docs

    Bumps nokogiri from 1.8.2 to 1.10.4.

    Release notes

    Sourced from nokogiri's releases.

    1.10.4 / 2019-08-11

    Security

    Address CVE-2019-5477 (#1915)

    A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

    This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

    This CVE's public notice is sparklemotion/nokogiri#1915

    1.10.3 / 2019-04-22

    Security Notes

    [MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

    1.10.2 / 2019-03-24

    Security

    • [MRI] Remove support from vendored libxml2 for future script macros. #1871
    • [MRI] Remove support from vendored libxml2 for server-side includes within attributes. #1877

    Bug fixes

    • [JRuby] Fix node ownership in duplicated documents. #1060
    • [JRuby] Rethrow exceptions caught by Java SAX handler. [#1847, #1872] (Thanks, @​adjam!)

    1.10.1 / 2019-01-13

    Features

    Bug fixes

    • CSS selector :has() now correctly matches against any descendant. Previously this selector matched against only direct children). #350 (Thanks, @​Phrogz!)
    • NodeSet#attr now returns nil if it's empty. Previously this raised a NoMethodError.
    • [MRI] XPath errors are no longer suppressed during XSLT::Stylesheet#transform. Previously these errors were suppressed which led to silent failures and a subsequent segfault. #1802
    ... (truncated)
    Changelog

    Sourced from nokogiri's changelog.

    1.10.4 / 2019-08-11

    Security

    Address CVE-2019-5477 (#1915)

    A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

    This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

    This CVE's public notice is sparklemotion/nokogiri#1915

    1.10.3 / 2019-04-22

    Security Notes

    [MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

    1.10.2 / 2019-03-24

    Security

    • [MRI] Remove support from vendored libxml2 for future script macros. #1871
    • [MRI] Remove support from vendored libxml2 for server-side includes within attributes. #1877

    Bug fixes

    • [JRuby] Fix node ownership in duplicated documents. #1060
    • [JRuby] Rethrow exceptions caught by Java SAX handler. [#1847, #1872] (Thanks, @​adjam!)

    1.10.1 / 2019-01-13

    Features

    Bug fixes

    • CSS selector :has() now correctly matches against any descendant. Previously this selector matched against only direct children). #350 (Thanks, @​Phrogz!)
    • NodeSet#attr now returns nil if it's empty. Previously this raised a NoMethodError.
    • [MRI] XPath errors are no longer suppressed during XSLT::Stylesheet#transform. Previously these errors were suppressed which led to silent failures and a subsequent segfault. #1802

    1.10.0 / 2019-01-04

    ... (truncated)
    Commits
    • beb832e version bump to v1.10.4
    • 5d30128 Merge branch '1915-css-tokenizer-load-file-vulnerability_v1.10.x' into v1.10.x
    • c86b5fc update CHANGELOG
    • 5fe449f regenerate lexical scanner using rexical 1.0.7
    • 6777008 eliminate eval from Builder#initialize
    • 47a7bc7 rufo formatting
    • 094ecb1 rubocop security scan is run as part of the test rake target
    • d068cd4 add rubocop as a dev dependency
    • 45ee92b adding a temporary pipeline for v1.10.x
    • 8e24af5 version bump to v1.10.3
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 1
  • Fixed a typo in README.md

    Fixed a typo in README.md

    I found a typo in README.md when setting up your plugin. FindBugsExtension doesn't have a toolsVersion method but has a toolVersion method.

    ref: https://github.com/gradle/gradle/blob/6dcb7ac681f814f3bf6f10ed3550e29285933313/subprojects/code-quality/src/main/groovy/org/gradle/api/plugins/quality/CodeQualityExtension.java#L43

    Thanks.

    opened by jmatsu 1
  • Bump nokogiri from 1.8.2 to 1.13.9 in /docs

    Bump nokogiri from 1.8.2 to 1.13.9 in /docs

    Bumps nokogiri from 1.8.2 to 1.13.9.

    Release notes

    Sourced from nokogiri's releases.

    1.13.9 / 2022-10-18

    Security

    Dependencies

    • [CRuby] Vendored libxml2 is updated to v2.10.3 from v2.9.14.
    • [CRuby] Vendored libxslt is updated to v1.1.37 from v1.1.35.
    • [CRuby] Vendored zlib is updated from 1.2.12 to 1.2.13. (See LICENSE-DEPENDENCIES.md for details on which packages redistribute this library.)

    Fixed

    • [CRuby] Nokogiri::XML::Namespace objects, when compacted, update their internal struct's reference to the Ruby object wrapper. Previously, with GC compaction enabled, a segmentation fault was possible after compaction was triggered. [#2658] (Thanks, @​eightbitraptor and @​peterzhu2118!)
    • [CRuby] Document#remove_namespaces! now defers freeing the underlying xmlNs struct until the Document is GCed. Previously, maintaining a reference to a Namespace object that was removed in this way could lead to a segfault. [#2658]

    sha256 checksums:

    9b69829561d30c4461ea803baeaf3460e8b145cff7a26ce397119577a4083a02  nokogiri-1.13.9-aarch64-linux.gem
    e76ebb4b7b2e02c72b2d1541289f8b0679fb5984867cf199d89b8ef485764956  nokogiri-1.13.9-arm64-darwin.gem
    15bae7d08bddeaa898d8e3f558723300137c26a2dc2632a1f89c8574c4467165  nokogiri-1.13.9-java.gem
    f6a1dbc7229184357f3129503530af73cc59ceba4932c700a458a561edbe04b9  nokogiri-1.13.9-x64-mingw-ucrt.gem
    36d935d799baa4dc488024f71881ff0bc8b172cecdfc54781169c40ec02cbdb3  nokogiri-1.13.9-x64-mingw32.gem
    ebaf82aa9a11b8fafb67873d19ee48efb565040f04c898cdce8ca0cd53ff1a12  nokogiri-1.13.9-x86-linux.gem
    11789a2a11b28bc028ee111f23311461104d8c4468d5b901ab7536b282504154  nokogiri-1.13.9-x86-mingw32.gem
    01830e1646803ff91c0fe94bc768ff40082c6de8cfa563dafd01b3f7d5f9d795  nokogiri-1.13.9-x86_64-darwin.gem
    8e93b8adec22958013799c8690d81c2cdf8a90b6f6e8150ab22e11895844d781  nokogiri-1.13.9-x86_64-linux.gem
    96f37c1baf0234d3ae54c2c89aef7220d4a8a1b03d2675ff7723565b0a095531  nokogiri-1.13.9.gem
    

    1.13.8 / 2022-07-23

    Deprecated

    • XML::Reader#attribute_nodes is deprecated due to incompatibility between libxml2's xmlReader memory semantics and Ruby's garbage collector. Although this method continues to exist for backwards compatibility, it is unsafe to call and may segfault. This method will be removed in a future version of Nokogiri, and callers should use #attribute_hash instead. [#2598]

    Improvements

    • XML::Reader#attribute_hash is a new method to safely retrieve the attributes of a node from XML::Reader. [#2598, #2599]

    Fixed

    ... (truncated)

    Changelog

    Sourced from nokogiri's changelog.

    1.13.9 / 2022-10-18

    Security

    Dependencies

    • [CRuby] Vendored libxml2 is updated to v2.10.3 from v2.9.14.
    • [CRuby] Vendored libxslt is updated to v1.1.37 from v1.1.35.
    • [CRuby] Vendored zlib is updated from 1.2.12 to 1.2.13. (See LICENSE-DEPENDENCIES.md for details on which packages redistribute this library.)

    Fixed

    • [CRuby] Nokogiri::XML::Namespace objects, when compacted, update their internal struct's reference to the Ruby object wrapper. Previously, with GC compaction enabled, a segmentation fault was possible after compaction was triggered. [#2658] (Thanks, @​eightbitraptor and @​peterzhu2118!)
    • [CRuby] Document#remove_namespaces! now defers freeing the underlying xmlNs struct until the Document is GCed. Previously, maintaining a reference to a Namespace object that was removed in this way could lead to a segfault. [#2658]

    1.13.8 / 2022-07-23

    Deprecated

    • XML::Reader#attribute_nodes is deprecated due to incompatibility between libxml2's xmlReader memory semantics and Ruby's garbage collector. Although this method continues to exist for backwards compatibility, it is unsafe to call and may segfault. This method will be removed in a future version of Nokogiri, and callers should use #attribute_hash instead. [#2598]

    Improvements

    • XML::Reader#attribute_hash is a new method to safely retrieve the attributes of a node from XML::Reader. [#2598, #2599]

    Fixed

    • [CRuby] Calling XML::Reader#attributes is now safe to call. In Nokogiri <= 1.13.7 this method may segfault. [#2598, #2599]

    1.13.7 / 2022-07-12

    Fixed

    XML::Node objects, when compacted, update their internal struct's reference to the Ruby object wrapper. Previously, with GC compaction enabled, a segmentation fault was possible after compaction was triggered. [#2578] (Thanks, @​eightbitraptor!)

    1.13.6 / 2022-05-08

    Security

    • [CRuby] Address CVE-2022-29181, improper handling of unexpected data types, related to untrusted inputs to the SAX parsers. See GHSA-xh29-r2w5-wx8m for more information.

    ... (truncated)

    Commits
    • 897759c version bump to v1.13.9
    • aeb1ac3 doc: update CHANGELOG
    • c663e49 Merge pull request #2671 from sparklemotion/flavorjones-update-zlib-1.2.13_v1...
    • 212e07d ext: hack to cross-compile zlib v1.2.13 on darwin
    • 76dbc8c dep: update zlib to v1.2.13
    • 24e3a9c doc: update CHANGELOG
    • 4db3b4d Merge pull request #2668 from sparklemotion/flavorjones-namespace-scopes-comp...
    • 73d73d6 fix: Document#remove_namespaces! use-after-free bug
    • 5f58b34 fix: namespace nodes behave properly when compacted
    • b08a858 test: repro namespace_scopes compaction issue
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • Bump addressable from 2.5.2 to 2.8.1 in /docs

    Bump addressable from 2.5.2 to 2.8.1 in /docs

    Bumps addressable from 2.5.2 to 2.8.1.

    Changelog

    Sourced from addressable's changelog.

    Addressable 2.8.1

    • refactor Addressable::URI.normalize_path to address linter offenses (#430)
    • remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438)
    • update gemspec to reflect supported Ruby versions (#466, #464, #463)
    • compatibility w/ public_suffix 5.x (#466, #465, #460)
    • fixes "invalid byte sequence in UTF-8" exception when unencoding URLs containing non UTF-8 characters (#459)
    • Ractor compatibility (#449)
    • use the whole string instead of a single line for template match (#431)
    • force UTF-8 encoding only if needed (#341)

    #460: sporkmonger/addressable#460 #463: sporkmonger/addressable#463 #464: sporkmonger/addressable#464 #465: sporkmonger/addressable#465 #466: sporkmonger/addressable#466

    Addressable 2.8.0

    • fixes ReDoS vulnerability in Addressable::Template#match
    • no longer replaces + with spaces in queries for non-http(s) schemes
    • fixed encoding ipv6 literals
    • the :compacted flag for normalized_query now dedupes parameters
    • fix broken escape_component alias
    • dropping support for Ruby 2.0 and 2.1
    • adding Ruby 3.0 compatibility for development tasks
    • drop support for rack-mount and remove Addressable::Template#generate
    • performance improvements
    • switch CI/CD to GitHub Actions

    Addressable 2.7.0

    • added :compacted flag to normalized_query
    • heuristic_parse handles mailto: more intuitively
    • dropped explicit support for JRuby 9.0.5.0
    • compatibility w/ public_suffix 4.x
    • performance improvements

    Addressable 2.6.0

    • added tld= method to allow assignment to the public suffix
    • most heuristic_parse patterns are now case-insensitive
    • heuristic_parse handles more file:// URI variations
    • fixes bug in heuristic_parse when uri starts with digit
    • fixes bug in request_uri= with query strings
    • fixes template issues with nil and ? operator
    • frozen_string_literal pragmas added
    • minor performance improvements in regexps
    • fixes to eliminate warnings
    Commits
    • 8657465 Update version, gemspec, and CHANGELOG for 2.8.1 (#474)
    • 4fc5bb6 CI: remove Ubuntu 18.04 job (#473)
    • 860fede Force UTF-8 encoding only if needed (#341)
    • 99810af Merge pull request #431 from ojab/ct-_do_not_parse_multiline_strings
    • 7ce0f48 Merge branch 'main' into ct-_do_not_parse_multiline_strings
    • 7ecf751 Merge pull request #449 from okeeblow/freeze_concatenated_strings
    • 41f12dd Merge branch 'main' into freeze_concatenated_strings
    • 068f673 Merge pull request #459 from jarthod/iso-encoding-problem
    • b4c9882 Merge branch 'main' into iso-encoding-problem
    • 08d27e8 Merge pull request #471 from sporkmonger/sporkmonger-enable-codeql
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • Bump tzinfo from 1.2.5 to 1.2.10 in /docs

    Bump tzinfo from 1.2.5 to 1.2.10 in /docs

    Bumps tzinfo from 1.2.5 to 1.2.10.

    Release notes

    Sourced from tzinfo's releases.

    v1.2.10

    TZInfo v1.2.10 on RubyGems.org

    v1.2.9

    • Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

    TZInfo v1.2.9 on RubyGems.org

    v1.2.8

    • Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
    • Rubinius is no longer supported.

    TZInfo v1.2.8 on RubyGems.org

    v1.2.7

    • Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
    • Fixed warnings when running on Ruby 2.8. #112.

    TZInfo v1.2.7 on RubyGems.org

    v1.2.6

    • Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.
    • Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
    • Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.
    • Fixed warnings when running on Ruby 2.7. #106 and #111.

    TZInfo v1.2.6 on RubyGems.org

    Changelog

    Sourced from tzinfo's changelog.

    Version 1.2.10 - 19-Jul-2022

    Version 1.2.9 - 16-Dec-2020

    • Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

    Version 1.2.8 - 8-Nov-2020

    • Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
    • Rubinius is no longer supported.

    Version 1.2.7 - 2-Apr-2020

    • Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
    • Fixed warnings when running on Ruby 2.8. #112.

    Version 1.2.6 - 24-Dec-2019

    • Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.
    • Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
    • Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.
    • Fixed warnings when running on Ruby 2.7. #106 and #111.
    Commits
    • 0814dcd Fix the release date.
    • fd05e2a Preparing v1.2.10.
    • b98c32e Merge branch 'fix-directory-traversal-1.2' into 1.2
    • ac3ee68 Remove unnecessary escaping of + within regex character classes.
    • 9d49bf9 Fix relative path loading tests.
    • 394c381 Remove private_constant for consistency and compatibility.
    • 5e9f990 Exclude Arch Linux's SECURITY file from the time zone index.
    • 17fc9e1 Workaround for 'Permission denied - NUL' errors with JRuby on Windows.
    • 6bd7a51 Update copyright years.
    • 9905ca9 Fix directory traversal in Timezone.get when using Ruby data source
    • Additional commits viewable in compare view

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 0
  • Warning about variant.getJavaCompile() being obsolete

    Warning about variant.getJavaCompile() being obsolete

    Thanks for the nice integration of FindBugs. However, once I add

    buildscript {
        repositories {
            jcenter()
            // ...
        }
    
        dependencies {
            classpath 'com.chaitanyapramod.gradle:findbugs-android:1.0'
            // ...
        }
    }
    apply plugin: 'com.android.application'
    apply plugin: 'com.chaitanyapramod.findbugs-android'
    

    to my build.gradle the following warning shows up:

    WARNING: API 'variant.getJavaCompile()' is obsolete and has been replaced with 'variant.getJavaCompileProvider()'.
    It will be removed at the end of 2019.
    For more information, see https://d.android.com/r/tools/task-configuration-avoidance.
    

    After removing the "apply", the warning is gone.

    Considering that "end of 2019" is in a few months this probably should be addressed in the near future.

    opened by roskakori 0
  • Update to SpotBugs

    Update to SpotBugs

    Hello,

    First of all, thanks for your work!

    I was wondering if you plan to support also SpotBugs or stick to FindBugs only.. since FindBugs support is now stopped in favor of SpotBugs.

    Cheers!

    enhancement 
    opened by CatalinPrata 1
Releases(v1.1)
Owner
Chaitanya Pramod
Tech Lead at @betterworldtech
Chaitanya Pramod
:ballot_box_with_check: [Cheatsheet] Tips and tricks for Android Development

Cheatsheet about tips and tricks for Android Development. This is a simple set of tips and tricks regarding Android Development which I have gathered

Nishant Srivastava 4.6k Dec 24, 2022
[] Easily create a simple, attractive and seamless custom action bar style for your Android application

Android Action Bar Style Generator ####DEPRECATED: Consider using Toolbar or its support library equivalent.#### The Android Action Bar Style Generato

Jeff Gilfelt 1k Nov 10, 2022
Blogs about Android

Android Blogs See also: https://github.com/vbauer/java-blogs Groups & Companies Androcid http://www.androcid.com Androidized http://www.androidized.co

Vladislav Bauer 499 Nov 13, 2022
Learn How to use Google Map API for Android from Basic to Advance with complete examples.

Complete-Google-Map-API-Tutorial Learn How to use Google Map API for Android from Basic to Advance. Satellite View 3D Building Map and StreetView Lear

Next 117 Dec 8, 2022
Convenience extension methods for android's auto-generated /res folder R. class.

Android Resource Extensions Convenience extension methods for android's auto-generated /res folder R. class. Basically everything in your res/ and /as

Jan Rabe 41 Jul 21, 2022
ResOf is an android resource wrapper library.

An android resource wrapper library.

Joseph Wang 26 Jun 13, 2022
Gradle plugin to ease Kotlin IR plugin development and usage in multimodule gradle projects

Gradle plugin to ease Kotlin IR plugin development and usage in multimodule gradle projects. Former: kotlin-ir-plugin-adapter-gradle

null 2 Mar 8, 2022
Graphfity is a Gradle Plugin which creates a dependency node diagram graph about your internal modules dependencies, specially useful if you are developing a multi-module application

Graphfity creates a dependency nodes diagram graph about your internal modules dependencies, specially useful if you are developing a multi-module app

Iván Carrasco 27 Dec 20, 2022
Setup CheckStyle, FindBugs, PMD and Lint for your Android project easily

android-quality-starter setup CheckStyle, FindBugs, PMD and Lint for your Android project easily This project adds gradle setup for quality tools ment

Piotr Wittchen 29 Sep 27, 2022
A POC for spring app using testng, cucumber, findbugs, and jacoco framework with failsafe and surefire plugins.

A POC for spring app using testng, cucumber, findbugs, and jacoco framework with failsafe and surefire plugins.

null 0 Feb 1, 2022
Kotlin cli maven spring failsafe findbugs cucumber mockito junit car data

Kotlin cli maven spring failsafe findbugs cucumber mockito junit car data

null 0 Feb 1, 2022
Gradle Replace In Place (GRIP): a gradle plugin to update your documentation or any file with a simple gradle task

GRIP (Gradle Replace In-Place) A gradle tool to update some values in your (documentation) files by running a task. (inspired by Knit) Directives Inse

Grégory Lureau 2 Oct 18, 2022
This is an android studio plugin that allows you to creates new color in hex format based on a percentage (0-100) and a base color you specify.

alpha-color Description This is an android studio plugin that allows you to creates new color in hex format based on a percentage (0-100) and a base c

null 1 Nov 12, 2021
gradle-android-scala-plugin adds scala language support to official gradle android plugin

gradle-android-scala-plugin gradle-android-scala-plugin adds scala language support to official gradle android plugin. See also sample projects at htt

saturday06 345 Dec 10, 2022
Ownership-gradle-plugin - Gradle code ownership verification plugin

Gradle code ownership verification plugin A gradle plugin that will verify owner

null 4 Dec 15, 2022
A Gradle plugin that generates plugin.yml for Bukkit/BungeeCord/Nukkit plugins based on the Gradle project

plugin-yml is a simple Gradle plugin that generates the plugin.yml plugin description file for Bukkit plugins, bungee.yml for Bungee plugins or nukkit.yml for Nukkit plugins based on the Gradle project. Various properties are set automatically (e.g. project name, version or description) and additional properties can be added using a simple DSL.

Plexus 0 Apr 10, 2022
A Gradle Plugin that removes unused resources in Android projects.

#Lint Cleaner Plugin Removes unused resources reported by Android lint including strings, colors and dimensions. Depracated As of Android Studio 2.0+

Marco RS 705 Nov 25, 2022
A gradle plugin that generates Material Design 3 theme for Android projects.

Same as Google's Material Theme Builder, but as a gradle plugin.

Rikka apps 41 Dec 6, 2022
simple-flank is a Gradle plugin to use Flank in Android projects with no configuration needed

simple-flank simple-flank is a new gradle plugin with a clear focus: make the setup as simple as possible. Applied to any application or library modul

Flank 8 May 10, 2022