[ANN] Nokogiri security update v1.13.5

Nokogiri v1.13.5 has been released with a security update for CRuby users.

The changelog entry
<Release 1.13.5 / 2022-05-04 · sparklemotion/nokogiri · GitHub> is
reproduced here for your convenience, and interested readers are encouraged
to click through to the security advisory
<Update packaged libxml2 to 2.9.14 · Advisory · sparklemotion/nokogiri · GitHub>
for more details.

---

1.13.5 / 2022-05-04

Security

   - [CRuby] Vendored libxml2 is updated to address CVE-2022-29824
   <NVD - CVE-2022-29824>. See GHSA-cgx6-hpwq-fhv5
   <Update packaged libxml2 to 2.9.14 · Advisory · sparklemotion/nokogiri · GitHub>
   for more information.

Dependencies

   - [CRuby] Vendored libxml2 is updated from v2.9.13 to v2.9.14
   <libxml2 2.9.14 · GNOME / libxml2 · GitLab>.

Improvements

   - [CRuby] The libxml2 HTML4 parser no longer exhibits quadratic behavior
   when recovering some broken markup related to start-of-tag and bare <
   characters.

Changed

   - [CRuby] The libxml2 HTML4 parser in v2.9.14 recovers from some broken
   markup differently. Notably, the XML CDATA escape sequence <![CDATA[ and
   incorrectly-opened comments will result in HTML text nodes starting with
   &lt;! instead of skipping the invalid tag. This behavior is a direct
   result of the quadratic-behavior fix
   <https://gitlab.gnome.org/GNOME/libxml2/-/commit/798bdf1> noted above.
   The behavior of downstream sanitizers relying on this behavior will also
   change. Some tests describing the changed behavior are in
   test/html4/test_comments.rb
   <nokogiri/test_comments.rb at 3ed5bf2b5a367cb9dc6e329c5a1c512e1dd4565d · sparklemotion/nokogiri · GitHub>.
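
One way to check whether a project's Gemfile.lock still resolves a CRuby Nokogiri older than 1.13.5. This is an added example, not part of the announcement or the Nokogiri project; the sample lockfile is constructed and the function names are hypothetical. It assumes, following the [CRuby] scoping above, that `-java` platform gems are out of scope.

```ruby
require "rubygems"

# First release that vendors libxml2 2.9.14, per the announcement above.
FIXED_NOKOGIRI = Gem::Version.new("1.13.5")

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.16.0)
        nokogiri (>= 1.5.9)
      nokogiri (1.13.4)
        mini_portile2 (~> 2.8.0)
        racc (~> 1.4)
      nokogiri (1.13.4-x86_64-linux)
        racc (~> 1.4)
      nokogiri (1.13.3-java)
        racc (~> 1.4)

  PLATFORMS
    java
    ruby
    x86_64-linux
LOCK

# Return one hash per resolved nokogiri spec in the lockfile text.
def nokogiri_lock_entries(lock_text)
  lock_text.each_line.filter_map do |line|
    # Resolved specs sit at exactly four spaces; dependency constraints at six.
    m = line.match(/\A {4}nokogiri \(([^)\s]+)\)\s*\z/)
    next unless m
    version, platform = m[1].split("-", 2) # "1.13.4-x86_64-linux" -> version, platform
    platform ||= "ruby"
    # Assumption: JRuby ("java") gems are out of scope, the changelog items are [CRuby] only.
    cruby = platform != "java"
    { version: version, platform: platform,
      needs_update: cruby && Gem::Version.new(version) < FIXED_NOKOGIRI }
  end
end

def vulnerable_nokogiri?(lock_text)
  nokogiri_lock_entries(lock_text).any? { |e| e[:needs_update] }
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  nokogiri_lock_entries(text).each { |e| puts format("nokogiri %-8s %-14s %s", e[:version], e[:platform], e[:needs_update] ? "update to >= 1.13.5" : "ok") }
end
```

A lockfile check only covers the vendored libxml2; a Nokogiri built against a system libxml2 depends on the distribution's package instead.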