🚨 [security] Update nokogiri: 1.13.6 → 1.14.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ nokogiri (1.13.6 → 1.14.0) · Repo · Changelog

Security Advisories 🚨

🚨 Unchecked return value from xmlTextReaderExpand

Summary

Nokogiri 1.13.8, 1.13.9 fails to check the return value from xmlTextReaderExpand in the method Nokogiri::XML::Reader#attribute_hash. This can lead to a null pointer exception when invalid markup is being parsed.

For applications using XML::Reader to parse untrusted inputs, this may potentially be a vector for a denial of service attack.

Mitigation

Upgrade to Nokogiri >= 1.13.10.

Users may be able to search their code for calls to either XML::Reader#attributes or XML::Reader#attribute_hash to determine if they are affected.

Severity

The Nokogiri maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

• CWE - CWE-252: Unchecked Return Value (4.9)
• CWE - CWE-476: NULL Pointer Dereference (4.9)

Credit

This vulnerability was responsibly reported by @davidwilemski.

Release Notes

1.14.0

1.14.0 / 2023-01-12

Notable Changes

Ruby

This release introduces native gem support for Ruby 3.2. (Also see "Technical note" under "Changed" below.)

This release ends support for:

• Ruby 2.6, for which upstream support ended 2022-04-12.
• JRuby 9.3, which is not fully compatible with Ruby 2.7+

Faster, more reliable installation: Native Gem for aarch64-linux (aka linux/arm64/v8)

This version of Nokogiri ships official native gem support for the aarch64-linux platform, which should support AWS Graviton and other ARM64 Linux platforms. Please note that glibc >= 2.29 is required for aarch64-linux systems, see Supported Platforms for more information.

Faster, more reliable installation: Native Gem for arm-linux (aka linux/arm/v7)

This version of Nokogiri ships experimental native gem support for the arm-linux platform. Please note that glibc >= 2.29 is required for arm-linux systems, see Supported Platforms for more information.

Pattern matching

This version introduces an experimental pattern matching API for XML::Attr, XML::Document, XML::DocumentFragment, XML::Namespace, XML::Node, and XML::NodeSet (and their subclasses).

Some documentation on what can be matched:

• XML::Attr#deconstruct_keys
• XML::Document#deconstruct_keys
• XML::Namespace#deconstruct_keys
• XML::Node#deconstruct_keys
• XML::DocumentFragment#deconstruct
• XML::NodeSet#deconstruct

We welcome feedback on this API at #2360.

Dependencies

CRuby

• Vendored libiconv is updated to v1.17

JRuby

• This version of Nokogiri uses jar-dependencies to manage most of the vendored Java dependencies. nokogiri -v now outputs maven metadata for all Java dependencies, and Nokogiri::VERSION_INFO also contains this metadata. [#2432]
• HTML parsing is now provided by net.sourceforge.htmlunit:neko-htmlunit:2.61.0 (previously Nokogiri used a fork of org.cyberneko.html:nekohtml)
• Vendored Jing is updated from com.thaiopensource:jing:20091111 to nu.validator:jing:20200702VNU.
• New dependency on net.sf.saxon:Saxon-HE:9.6.0-4 (via nu.validator:jing:20200702VNU).

Added

• Node#wrap and NodeSet#wrap now also accept a Node type argument, which will be duped for each wrapper. For cases where many nodes are being wrapped, creating a Node once using Document#create_element and passing that Node multiple times is significantly faster than re-parsing markup on each call. [#2657]
• [CRuby] Invocation of custom XPath or CSS handler functions may now use the nokogiri namespace prefix. Historically, the JRuby implementation required this namespace but the CRuby implementation did not support it. It's recommended that all XPath and CSS queries use the nokogiri namespace going forward. Invocation without the namespace is planned for deprecation in v1.15.0 and removal in a future release. [#2147]
• HTML5::Document#quirks_mode and HTML5::DocumentFragment#quirks_mode expose the quirks mode used by the parser.

Improved

Functional

• HTML5 parser update to reflect changes to the living specification:
  • Add the <search> element by domenic · whatwg/html
  • Remove parse error for <template><tr></tr> </template> by zcorpan · whatwg/html

Performance

• Serialization of HTML5 documents and fragments has been re-implemented and is ~10x faster than previous versions. [#2596, #2569]
• Parsing of HTML5 documents is ~90% faster thanks to additional compiler optimizations being applied. [#2639]
• Compare Encoding objects rather than compare their names. This is a slight performance improvement and is future-proof. [#2454] (Thanks, @casperisfine!)

Error handling

• Document#canonicalize now raises an exception if inclusive_namespaces is non-nil and the mode is inclusive, i.e. XML_C14N_1_0 or XML_C14N_1_1. inclusive_namespaces can only be passed with exclusive modes, and previously this silently failed.
• Empty CSS selectors now raise a clearer Nokogiri::CSS::SyntaxError message, "empty CSS selector". Previously the exception raised from the bowels of racc was "unexpected '$' after ''". [#2700]
• [CRuby] XML::Reader parsing errors encountered during Reader#attribute_hash and Reader#namespaces now raise an XML::SyntaxError. Previously these methods would return nil and users would generally experience NoMethodErrors from elsewhere in the code.
• Prefer ruby_xmalloc to malloc within the C extension. [#2480] (Thanks, @Garfield96!)

Installation

• Avoid compile-time conflict with system-installed gumbo.h on OpenBSD. [#2464]
• Remove calls to vasprintf in favor of platform-independent rb_vsprintf
• Installation from source on systems missing libiconv will once again generate a helpful error message (broken since v1.11.0). [#2505]
• [CRuby+OSX] Compiling from source on MacOS will use the clang option -Wno-unknown-warning-option to avoid errors when Ruby injects options that clang doesn't know about. [#2689]

Fixed

• SAX::Parser's encoding attribute will not be clobbered when an alternative encoding is passed into SAX::Parser#parse_io. [#1942] (Thanks, @kp666!)
• Serialized HTML4::DocumentFragment will now be properly encoded. Previously this empty string was encoded as US-ASCII. [#2649]
• Node#wrap now uses the parent as the context node for parsing wrapper markup, falling back to the document for unparented nodes. Previously the document was always used.
• [CRuby] UTF-16-encoded documents longer than ~4000 code points now serialize properly. Previously the serialized document was corrupted when it exceeded the length of libxml2's internal string buffer. [#752]
• [CRuby] The HTML5 parser now correctly handles text at the end of form elements.
• [CRuby] HTML5::Document#fragment now always uses body as the parsing context. Previously, fragments were parsed in the context of the associated document's root node, which allowed for inconsistent parsing. [#2553]
• [CRuby] Nokogiri::HTML5::Document#url now correctly returns the URL passed to the constructor method. Previously it always returned nil. [#2583]
• [CRuby] HTML5 encoding detection is now case-insensitive with respect to meta tag charset declaration. [#2693]
• [CRuby] HTML5 fragment parsing in context of an annotation-xml node now works. Previously this rarely-used path invoked rb_funcall with incorrect parameters, resulting in an exception, a fatal error, or potentially a segfault. [#2692]
• [CRuby] HTML5 quirks mode during fragment parsing more closely matches document parsing. [#2646]
• [JRuby] Fixed a bug with adding the same namespace to multiple nodes via #add_namespace_definition. [#1247]
• [JRuby] NodeSet#[] now raises a TypeError if passed an invalid parameter type. [#2211]

Deprecated

• Nokogiri.install_default_aliases is deprecated in favor of Nokogiri::EncodingHandler.install_default_aliases. This is part of a private API and is probably not called by anybody, but we'll go through a deprecation cycle before removal anyway. [#2643, #2446]

Changed

• [CRuby+OSX] Technical note: On MacOS Ruby 3.2, the symbols from libxml2 and libxslt are no longer exported. Ruby 3.2 adopted new features from the Darwin toolchain that make it challenging to continue to support this rarely-used binary API. A future minor release of Nokogiri may remove these symbols (and others) entirely. Feedback from downstream gem maintainers is welcome at #2746, where you'll also be able to read deeper context on this decision.

Thank you!

The following people and organizations were kind enough to sponsor @flavorjones or the Nokogiri project during the development of v1.14.0:

• Götz Görisch @GoetzGoerisch
• Airbnb @airbnb
• Kyohei Nanba @kyo-nanba
• Maxime Gauthier @biximilien
• @renuo
• @dbootyfvrt
• YOSHIDA Katsuhiko @kyoshidajp
• Homebrew @Homebrew
• David Vrensk @dvrensk
• Alex Daragiu @daragiu
• Github @github
• Julian Joseph @Julian88Tex
• Charles Simon-Meunier @csimonmeunier
• Ben Slaughter @benSlaughter
• Garen Torikian @gjtorikian
• Frank Groeneveld @frenkel
• Hiroshi SHIBATA @hsbt

---

sha256 checksums:

c87564f5f8fbfb72fbcb7ed9781f6472ceabe2f288ede6b9c37071dc32320ba6  nokogiri-1.14.0-aarch64-linux.gem
33617e8a94993b8130a50bd59d6141a8d4d2aa4d4053f5c7874c71608e6e6dcc  nokogiri-1.14.0-arm-linux.gem
5c0cd4eeb8501526e7e2aaba93b60ebf3dda37bfda665691196d4e9bb87adb1a  nokogiri-1.14.0-arm64-darwin.gem
772936bf635b33b99bc89828de8e7077de47009638fe5ff11795f8b1d578465c  nokogiri-1.14.0-java.gem
ee11c092b2cf2b137e71f623746162c578b53483dccf4c6209c80f5ba47927fe  nokogiri-1.14.0-x64-mingw-ucrt.gem
9b91eede6155eb8891d7d95d8087d514f3007dd19813982104ed77452a2a7ace  nokogiri-1.14.0-x64-mingw32.gem
649019d961b0ea8aee1bc8aa2573ab8ffb77d3f5e9c333aa2462a79fc56745fc  nokogiri-1.14.0-x86-linux.gem
40985fc46315ea3d33ed900a649c0bb77484035ea882b7c9e55aef436b1958a8  nokogiri-1.14.0-x86-mingw32.gem
5d328c0d0c5f6f37a26c75b0282f9014c9686d4c10578ec8dfbbfcbea7da8b95  nokogiri-1.14.0-x86_64-darwin.gem
faa88b2bca46adaa3420c6e27eb8eb71f5b8d9f454ed7488a194a00c5ef52fbe  nokogiri-1.14.0-x86_64-linux.gem
55ca6e87ae85e944a5901dd5a6cacbb961eaaf8b8dd3901b57475665396914bb  nokogiri-1.14.0.gem

1.13.10

1.13.10 / 2022-12-07

Security

• [CRuby] Address CVE-2022-23476, unchecked return value from xmlTextReaderExpand. See GHSA-qv4q-mr5r-qprj for more information.

Improvements

• [CRuby] XML::Reader#attribute_hash now returns nil on parse errors. This restores the behavior of #attributes from v1.13.7 and earlier. [#2715]

---

sha256 checksums:

777ce2e80f64772e91459b943e531dfef387e768f2255f9bc7a1655f254bbaa1  nokogiri-1.13.10-aarch64-linux.gem
b432ff47c51386e07f7e275374fe031c1349e37eaef2216759063bc5fa5624aa  nokogiri-1.13.10-arm64-darwin.gem
73ac581ddcb680a912e92da928ffdbac7b36afd3368418f2cee861b96e8c830b  nokogiri-1.13.10-java.gem
916aa17e624611dddbf2976ecce1b4a80633c6378f8465cff0efab022ebc2900  nokogiri-1.13.10-x64-mingw-ucrt.gem
0f85a1ad8c2b02c166a6637237133505b71a05f1bb41b91447005449769bced0  nokogiri-1.13.10-x64-mingw32.gem
91fa3a8724a1ce20fccbd718dafd9acbde099258183ac486992a61b00bb17020  nokogiri-1.13.10-x86-linux.gem
d6663f5900ccd8f72d43660d7f082565b7ffcaade0b9a59a74b3ef8791034168  nokogiri-1.13.10-x86-mingw32.gem
81755fc4b8130ef9678c76a2e5af3db7a0a6664b3cba7d9fe8ef75e7d979e91b  nokogiri-1.13.10-x86_64-darwin.gem
51d5246705dedad0a09b374d09cc193e7383a5dd32136a690a3cd56e95adf0a3  nokogiri-1.13.10-x86_64-linux.gem
d3ee00f26c151763da1691c7fc6871ddd03e532f74f85101f5acedc2d099e958  nokogiri-1.13.10.gem

1.13.9

1.13.9 / 2022-10-18

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2022-2309, CVE-2022-40304, and CVE-2022-40303. See GHSA-2qc6-mcvw-92cw for more information.
• [CRuby] Vendored zlib is updated to address CVE-2022-37434. Nokogiri was not affected by this vulnerability, but this version of zlib was being flagged up by some vulnerability scanners, see #2626 for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.10.3 from v2.9.14.
• [CRuby] Vendored libxslt is updated to v1.1.37 from v1.1.35.
• [CRuby] Vendored zlib is updated from 1.2.12 to 1.2.13. (See LICENSE-DEPENDENCIES.md for details on which packages redistribute this library.)

Fixed

• [CRuby] Nokogiri::XML::Namespace objects, when compacted, update their internal struct's reference to the Ruby object wrapper. Previously, with GC compaction enabled, a segmentation fault was possible after compaction was triggered. [#2658] (Thanks, @eightbitraptor and @peterzhu2118!)
• [CRuby] Document#remove_namespaces! now defers freeing the underlying xmlNs struct until the Document is GCed. Previously, maintaining a reference to a Namespace object that was removed in this way could lead to a segfault. [#2658]

---

sha256 checksums:

9b69829561d30c4461ea803baeaf3460e8b145cff7a26ce397119577a4083a02  nokogiri-1.13.9-aarch64-linux.gem
e76ebb4b7b2e02c72b2d1541289f8b0679fb5984867cf199d89b8ef485764956  nokogiri-1.13.9-arm64-darwin.gem
15bae7d08bddeaa898d8e3f558723300137c26a2dc2632a1f89c8574c4467165  nokogiri-1.13.9-java.gem
f6a1dbc7229184357f3129503530af73cc59ceba4932c700a458a561edbe04b9  nokogiri-1.13.9-x64-mingw-ucrt.gem
36d935d799baa4dc488024f71881ff0bc8b172cecdfc54781169c40ec02cbdb3  nokogiri-1.13.9-x64-mingw32.gem
ebaf82aa9a11b8fafb67873d19ee48efb565040f04c898cdce8ca0cd53ff1a12  nokogiri-1.13.9-x86-linux.gem
11789a2a11b28bc028ee111f23311461104d8c4468d5b901ab7536b282504154  nokogiri-1.13.9-x86-mingw32.gem
01830e1646803ff91c0fe94bc768ff40082c6de8cfa563dafd01b3f7d5f9d795  nokogiri-1.13.9-x86_64-darwin.gem
8e93b8adec22958013799c8690d81c2cdf8a90b6f6e8150ab22e11895844d781  nokogiri-1.13.9-x86_64-linux.gem
96f37c1baf0234d3ae54c2c89aef7220d4a8a1b03d2675ff7723565b0a095531  nokogiri-1.13.9.gem

1.13.8

1.13.8 / 2022-07-23

Deprecated

• XML::Reader#attribute_nodes is deprecated due to incompatibility between libxml2's xmlReader memory semantics and Ruby's garbage collector. Although this method continues to exist for backwards compatibility, it is unsafe to call and may segfault. This method will be removed in a future version of Nokogiri, and callers should use #attribute_hash instead. [#2598]

Improvements

• XML::Reader#attribute_hash is a new method to safely retrieve the attributes of a node from XML::Reader. [#2598, #2599]

Fixed

• [CRuby] Calling XML::Reader#attributes is now safe to call. In Nokogiri <= 1.13.7 this method may segfault. [#2598, #2599]

---

sha256 checksums:

d6b2c45a57738f12fe27783939fe1394e7049246288c7770d3b1fee7f49432a6  nokogiri-1.13.8-aarch64-linux.gem
00217e48a6995e81dd83014325c0ea0b015023a8922c7bdb2ef1416aa87c1f43  nokogiri-1.13.8-arm64-darwin.gem
9d04c616900e2b5118e501436ebb9bc48520d08f3695d012a314006e28082f72  nokogiri-1.13.8-java.gem
98f7dac7583f07a84ec3fcc01dc03a66fce10f412cd363fce7de749acdb2a42d  nokogiri-1.13.8-x64-mingw-ucrt.gem
117a71b37f2e1d774a9f031d393e72d5d04b92af8036e0c1a8dd509c247b2013  nokogiri-1.13.8-x64-mingw32.gem
6d04342456edfb8fbc041d0c2cf5a59baaa7aacdda414b2333100b02f85d441d  nokogiri-1.13.8-x86-linux.gem
0529d558b4280a55bc7af500d3d4d590b7c059c814a0cea52e4e18cb30c25d15  nokogiri-1.13.8-x86-mingw32.gem
8966d79e687b271df87a4b240456597c43cd98584e3f783fc35de4f066486421  nokogiri-1.13.8-x86_64-darwin.gem
344f1bc66feac787e5b2053c6e9095d1f33605083e58ddf2b8d4eef257bccc5f  nokogiri-1.13.8-x86_64-linux.gem
79c279298b2f22fd4e760f49990c7930436bac1b1cfeff7bacff192f30edea3c  nokogiri-1.13.8.gem

1.13.7

1.13.7 / 2022-07-12

Fixed

XML::Node objects, when compacted, update their internal struct's reference to the Ruby object wrapper. Previously, with GC compaction enabled, a segmentation fault was possible after compaction was triggered. [#2578] (Thanks, @eightbitraptor!)

---

sha256 checksums:

16facd06367325b75bba1575ee87ee4c695e017ab7d447106ed2c00d6211db43  nokogiri-1.13.7-aarch64-linux.gem
69a1705a1f2be838bd0a778c1ff04ea58f847a41c3b5159de012617abba53f86  nokogiri-1.13.7-arm64-darwin.gem
6f26c7ed388406541ddc10cf7ea670cebe8f08a37e69be60503687374f835e1a  nokogiri-1.13.7-java.gem
3952cb78db8d107942ec7f3096d417f4d5d77bf44ae812c488bc49269d1dde6a  nokogiri-1.13.7-x64-mingw-ucrt.gem
e836c387eae9c6c93d4870db0d50e4d9505edd28100eef80c38a70d4481c09ed  nokogiri-1.13.7-x64-mingw32.gem
194484866cd0d100ee6e207a69611a63ece9e0cf305e42d449f244526e102f63  nokogiri-1.13.7-x86-linux.gem
f75903e7a1fbb896b8bd6e4ed895a0fc1760e7334b9c7faf2593f491907a9e26  nokogiri-1.13.7-x86-mingw32.gem
d41b8c9f609b3eecb129da52b9605bc833e464b9b9132c29a0c2115e5ea0ab57  nokogiri-1.13.7-x86_64-darwin.gem
dcb36fd4e75782e7b1b3315f464a0942b230497cd21d296a24d90b0d3620a9d0  nokogiri-1.13.7-x86_64-linux.gem
6ca1d753334418e749beb9bb69515a906451c9abfb9a5b060a36650419b61052  nokogiri-1.13.7.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.8.0 → 2.8.1) · Repo · Changelog

Release Notes

2.8.1

2.8.1 / 2022-12-24

Fixed

• Support applying patches via git apply even when the working directory resembles a git directory. [#119] (Thanks, @h0tw1r3!)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

• version bump to v2.8.1
• Merge pull request #122 from flavorjones/119-improve-patching
• fix: handle patching in dirs that resemble an actual git dir
• Merge pull request #121 from flavorjones/flavorjones-exercise-patching-in-examples
• test: `rake test:examples` now exercises patching
• Merge pull request #117 from flavorjones/flavorjones-loosen-bundler-dependency
• dep(dev): loosen bundler dependency

↗️ racc (indirect, 1.6.0 → 1.6.2) · Repo · Changelog

Release Notes

1.6.2

What's Changed

• Fixed typo in racc.en.rhtml by @jwillemsen in #200
• Removed old Id tag by @jwillemsen in #204
• Removed old originalId in comment by @jwillemsen in #203
• Adjust Racc parser version with gem version. by @hsbt in #205

Full Changelog: v1.6.1...v1.6.2

1.6.1

What's Changed

• CI: Add JRuby 9.3, use bundler-cache by @olleolleolle in #173
• Fix names by @nobu in #178
• Update README.rdoc by @jwillemsen in #179
• s/RubyVM::JIT/RubyVM::MJIT/g by @k0kubun in #180
• ci: update to cover Ruby 3.1 by @flavorjones in #181
• Fix typo in sample/calc.y. by @simi in #184
• Added dependabot.yml for actions by @hsbt in #186
• Bump actions/checkout from 2 to 3 by @dependabot in #187
• [DOC] Remove stale Object::ParseError documentation by @nobu in #188
• Strip trailing spaces by @nobu in #189
• Fix flag to Regexp.new by @nobu in #191
• Fix documentation directory name in README by @okuramasafumi in #193
• Make racc test more flexible (for JRuby). by @enebo in #194
• Update racc.en.rhtml by @jwillemsen in #195
• Update README.rdoc by @jwillemsen in #196
• Update racc.gemspec by @jwillemsen in #197
• ci: update jruby versions and add truffleruby by @flavorjones in #198

New Contributors

• @jwillemsen made their first contribution in #179
• @k0kubun made their first contribution in #180
• @simi made their first contribution in #184
• @dependabot made their first contribution in #187
• @okuramasafumi made their first contribution in #193

Full Changelog: v1.6.0...v1.6.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 50 commits:

• Bump version to 1.6.2
• Merge pull request #205 from ruby/racc-version
• Removed Original ID constant from Java impl
• Bump up Racc parser version
• Always issue deprecation warning when calling Regexp.new with 3rd positional argument
• Merge pull request #203 from jwillemsen/patch-3
• Merge pull request #204 from jwillemsen/patch-4
• Removed old Id tag
• Removed old originalId in comment
• Merge pull request #200 from jwillemsen/patch-3
• Fixed typo in racc.en.rhtml
• Bump version to 1.6.1
• Merge pull request #198 from ruby/flavorjones-update-ci-pipeline-20221123
• ci: update jruby versions and add truffleruby
• Merge pull request #197 from jwillemsen/patch-3
• Update racc.gemspec
• Merge pull request #196 from jwillemsen/patch-3
• Update README.rdoc
• Merge pull request #195 from jwillemsen/patch-3
• Update racc.en.rhtml
• Merge pull request #194 from enebo/jruby_racc_find
• Merge pull request #193 from okuramasafumi/patch-1
• Make racc test more flexible (for JRuby).
• Fix documentation directory name in README
• Merge pull request #191 from nobu/fix-regexp-option
• Fix flag to `Regexp.new`
• Merge pull request #189 from nobu/strip-trailing-spaces
• Strip trailing whitespaces [ci skip]
• Show diffs
• Strip trailing whitespaces at the last line of actions
• Merge pull request #188 from nobu/nodoc-parseerror
• [DOC] Remove stale `Object::ParseError` documentation
• Merge pull request #187 from ruby/dependabot/github_actions/actions/checkout-3
• Bump actions/checkout from 2 to 3
• Merge pull request #186 from ruby/add-dependabot
• Added dependabot
• Merge pull request #184 from simi/patch-1
• Fix typo in sample/calc.y.
• ci: fix name of default branch
• Merge pull request #181 from ruby/flavorjones-update-ci-with-ruby31
• ci: update to cover Ruby 3.1
• Merge pull request #180 from k0kubun/rubyvm-mjit
• s/RubyVM::JIT/RubyVM::MJIT/g
• Merge pull request #179 from jwillemsen/patch-3
• Update README.rdoc
• Merge pull request #178 from nobu/fix-names
• Fix a private method name
• Fix typo in a local variable name
• Merge pull request #173 from ruby/ci-use-cache-add-jruby93
• CI: Add JRuby 9.3, use bundler-cache

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #279.