Update gem nokogiri (CVE-2015-8806)

Update gem nokogiri from 1.6.7.2 to version 1.6.8.
This update was reported to us by our usual bundle-audit
dependency analysis process (part of the default 'rake' process),
It reported that nokogiri 1.6.7.2 had advisory CVE-2015-8806,
title "Denial of service or RCE from libxml2 and libxslt".
We don't know if it's exploitable in our configuration,
but it's better to upgrade than do the analysis.
Those interested can see more at:
sparklemotion/nokogiri#1473

This caused us to upgrade pkg-config, which required
a licensing decision (included in the commit).
This whitelists LGPLv2+, since that's a known OSI license
that's compatible with the MIT license.

Signed-off-by: David A. Wheeler <dwheeler@dwheeler.com>

Gemfile.lock

@@ -191,7 +191,7 @@ GEM
       mixlib-config (~> 2.1, >= 2.1.0)
     method_source (0.8.2)
     mime-types (2.99.2)
-    mini_portile2 (2.0.0)
+    mini_portile2 (2.1.0)
     minitest (5.9.0)
     minitest-capybara (0.8.2)
       capybara (~> 2.2)
@@ -215,8 +215,9 @@ GEM
     multi_xml (0.5.5)
     multipart-post (2.0.0)
     newrelic_rpm (3.15.2.317)
-    nokogiri (1.6.7.2)
-      mini_portile2 (~> 2.0.0.rc2)
+    nokogiri (1.6.8)
+      mini_portile2 (~> 2.1.0)
+      pkg-config (~> 1.1.7)
     oauth2 (1.1.0)
       faraday (>= 0.8, < 0.10)
       jwt (~> 1.0, < 1.5.2)
@@ -241,6 +242,7 @@ GEM
     parser (2.3.1.0)
       ast (~> 2.2)
     pg (0.18.4)
+    pkg-config (1.1.7)
     poltergeist (1.9.0)
       capybara (~> 2.1)
       cliver (~> 0.3.1)

doc/dependency_decisions.yml

@@ -14,6 +14,11 @@
   - :who: David A. Wheeler
     :why: OSI-approved OSS license BSD-2-Clause, known compatible with MIT
     :when: 2015-12-17 15:40:09.473789072 Z
+- - :whitelist
+  - LGPLv2+
+  - :who: David A. Wheeler
+    :why: OSI-approved OSS license LGPL-2.0+, known compatible with MIT
+    :when: 2016-06-07 17:30-0400
 - - :approve
   - rake
   - &1