Security: upgrade rexml to 3.4.4 to fix DoS vulnerability

ngjunsiang · claude · ngjunsiang · commit b74c7db2f95c · 2026-02-10T05:24:27.000Z
Updates rexml from 3.3.9 to 3.4.4 to address CVE-2024-41923 (DoS
condition when parsing malformed XML files).

Co-Authored-By: Claude Sonnet 4.5 &lt;noreply@anthropic.com&gt;
diff --git a/Gemfile b/Gemfile
@@ -37,8 +37,11 @@ end
 # Performance-booster for watching directories on Windows
 gem "wdm", "~> 0.1", :platforms => [:mingw, :x64_mingw, :mswin]
 
-# Lock `http_parser.rb` gem to `v0.6.x` on JRuby builds since newer versions of the gem
-# do not have a Java counterpart.
+# Lock `http_parser.rb` gem to `v0.6.x` on JRuby builds since newer
+# versions of the gem do not have a Java counterpart.
 gem "http_parser.rb", "~> 0.6.0", :platforms => [:jruby]
 
 gem "webrick", "~> 1.9"
+
+# Security fix for DoS vulnerability
+gem "rexml", ">= 3.4.2"
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -63,7 +63,7 @@ GEM
     rb-fsevent (0.11.2)
     rb-inotify (0.11.1)
       ffi (~> 1.0)
-    rexml (3.3.9)
+    rexml (3.4.4)
     rouge (3.30.0)
     safe_yaml (1.0.5)
     sass (3.7.4)
@@ -84,6 +84,7 @@ DEPENDENCIES
   jekyll-feed (~> 0.12)
   logger
   monophase
+  rexml (>= 3.4.2)
   tzinfo (>= 1, < 3)
   tzinfo-data
   wdm (~> 0.1)
