We need to upgrade nokogiri to 1.10.5 due to CVE-2019-13117, CVE-2019-13118, and CVE-2019-18197.
The new version of nokogiri no longer reports the line number of an unclosed tag:
Fortunately for us, because of interactions with Sanitize, we close unclosed tags very late anyway, so there will be no changes from users' perspective.
How to test: confirm that imports still work and posting a work works as intended, similar to AO3-5181. Post a work with an unclosed HTML tag (e.g. em) and see if it gets auto-closed similarly to production.