Bump org.jsoup:jsoup from 1.14.2 to 1.17.1 #1606

Closed

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Nov 27, 2023

Bumps org.jsoup:jsoup from 1.14.2 to 1.17.1.

Release notes

Sourced from org.jsoup:jsoup's releases.

jsoup 1.17.1

... (truncated)

Changelog

Sourced from org.jsoup:jsoup's changelog.

jsoup changelog

Release 1.17.1 [27-Nov-2023]

  • Improvement: in Jsoup.connect(), added support for request-level authentication, supporting authentication to proxies and to servers. jhy/jsoup#2046

  • Improvement: in the Elements list, added direct support for #set(index, element), #remove(index), #remove(object), #clear(), #removeAll(collection), #retainAll(collection), #removeIf(filter), #replaceAll(operator). These methods update the original DOM, as well as the Elements list. jhy/jsoup#2017

  • Improvement: added the NodeIterator class, to efficiently traverse a node tree using the Iterator interface. And added Stream Element#stream() and Node#nodeStream() methods, to enable fluent composable stream pipelines of node traversals. jhy/jsoup#2051

  • Improvement: when changing the OutputSettings syntax to XML, the xhtml EscapeMode is automatically set by default.

  • Improvement: added the :is(selector list) pseudo-selector, which finds elements that match any of the selectors in the selector list. Useful for making large ORed selectors more readable.

  • Improvement: repackaged the library with native (vs automatic) JPMS module support. jhy/jsoup#2025

  • Improvement: better fidelity of source positions when tracking is enabled. And implicitly created or closed elements are tracked and detectable via Range.isImplicit(). jhy/jsoup#2056

  • Improvement: when source tracking is enabled, the source position for attribute names and values is now available. Attribute#sourceRange() provides the ranges. jhy/jsoup#2057

  • Improvement: when running concurrently under Java 21+ Virtual Threads, virtual threads could be pinned to their carrier platform thread when parsing an input stream. To improve performance, particularly when parsing fetched URLs, the internal ConstrainableInputStream has been replaced by ControllableInputStream, which avoids the locking which caused that pinning. jhy/jsoup#2054

  • Improvement: in Jsoup.Connect, allow any XML mimetype as a supported mimetype. Was previously limited to {application|text}/xml. This enables for e.g. fetching SVGs with a image/svg+xml mimetype, without having to disable mimetype validation. jhy/jsoup#2059

  • Bugfix: when outputting with XML syntax, HTML elements that were parsed as data nodes ( and ) should be emitted as CDATA nodes, so that they can be parsed correctly by an XML parser. jhy/jsoup#1720

  • Bugfix: the Immediate Parent selector > could match elements above the root context element, causing incorrect elements to be returned when used on elements other than the root document.

... (truncated)

Commits
  • 8eecef3 [maven-release-plugin] prepare release jsoup-1.17.1
  • a6c1950 In javadoc, emit links to source
  • 00f85a8 Revised Connection.data javadoc
  • f49dd2c PR url
  • 4b91adf Simpler empty test
  • 73d4506 Refactored UserData to be tucked into a hash (#2060)
  • 58521a4 Allow any XML mimetype in Connection
  • bc79810 Specify overrides
  • 0a73767 Re-specify Iterator<Attribute> type
  • 4669e14 Make Attributes iterator throw NoSuchElementException
  • Additional commits viewable in compare view

Bumps [org.jsoup:jsoup](https://github.com/jhy/jsoup) from 1.14.2 to 1.17.1.
- [Release notes](https://github.com/jhy/jsoup/releases)
- [Changelog](https://github.com/jhy/jsoup/blob/master/CHANGES)
- [Commits](jhy/jsoup@jsoup-1.14.2...jsoup-1.17.1)

---
updated-dependencies:
- dependency-name: org.jsoup:jsoup
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and java labels Nov 27, 2023
@yeekangc

We picked up on this too. Would like to suggest the team to consider updating the dependency as soon as possible.

Cc @TrevCraw @cherylking

@fbricon

fbricon commented Nov 28, 2023

Latest jsoup is not compatible with lemminx. Because the remark library has been abandoned, we want to move to flexmark-java, which also uses jsoup, but we're stuck because of vsch/flexmark-java#577

@TrevCraw

@fbricon Is it possible to just move to 1.15.3 to resolve the vulnerability?
#1323

@fbricon

fbricon commented Nov 29, 2023

@fbricon Is it possible to just move to 1.15.3 to resolve the vulnerability? #1323

No, it's not:

Caused by: java.lang.ExceptionInInitializerError: Exception java.lang.NoClassDefFoundError: org/jsoup/safety/Whitelist [in thread "main"]
	at com.overzealous.remark.Remark.<init>(Remark.java:83)
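
A check that can be run against dependency jars before attempting a jsoup bump like this one, given the NoClassDefFoundError above: it lists the classes whose constant pool still names org/jsoup/safety/Whitelist, either as a class reference or inside a descriptor. This is an added example, not code from this PR or from lemminx; the jar built by the hypothetical helper sample_jar and its demo/ class names are constructed.

```python
import io
import struct
import zipfile

REMOVED = "org/jsoup/safety/Whitelist"  # class named in the stack trace above
# Payload bytes after the tag for fixed-width constant-pool entries (JVMS 4.4)
FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
         15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(cls: bytes) -> list:
    """Return every CONSTANT_Utf8 string in a class file's constant pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", cls, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = cls[pos]
        if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
            (n,) = struct.unpack_from(">H", cls, pos + 1)
            out.append(cls[pos + 3:pos + 3 + n].decode("utf-8", "replace"))
            pos += 3 + n
        elif tag in FIXED:
            pos += 1 + FIXED[tag]
        else:
            raise ValueError(f"unknown constant tag {tag}")
        idx += 2 if tag in (5, 6) else 1  # long/double take two slots
    return out

def classes_referencing(jar: bytes, removed: str = REMOVED) -> list:
    """List .class entries naming `removed` directly or inside a descriptor."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        for name in sorted(zf.namelist()):
            if name.endswith(".class"):
                consts = utf8_constants(zf.read(name))
                if any(c == removed or f"L{removed};" in c for c in consts):
                    hits.append(name)
    return hits

def sample_jar() -> bytes:
    """Constructed jar; each class file holds only a header and constant pool."""
    def cls(ref: str) -> bytes:  # pool: Long (#1-2), Utf8 (#3), Class -> #3
        raw = ref.encode()
        head = struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 5) + b"\x05" + bytes(8)
        return head + struct.pack(">BH", 1, len(raw)) + raw + b"\x07\x00\x03"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("demo/UsesOld.class", cls(REMOVED))
        zf.writestr("demo/UsesNew.class", cls("org/jsoup/nodes/Document"))
    return buf.getvalue()
```

For a real dependency, pass the jar's bytes (for example `open(path, "rb").read()`) to `classes_referencing`; a non-empty result means the jar will fail to link against a jsoup release that no longer ships that class.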


dependabot bot commented on behalf of github Dec 29, 2023

Superseded by #1618.

@dependabot dependabot bot closed this Dec 29, 2023
@dependabot dependabot bot deleted the dependabot/maven/org.jsoup-jsoup-1.17.1 branch December 29, 2023 20:03