🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Nokogiri v1.13.2 upgrades two of its packaged dependencies:
vendored libxml2 from v2.9.12 to v2.9.13
vendored libxslt from v1.1.34 to v1.1.35
Those library versions address the following upstream CVEs:
libxslt: CVE-2021-30560 (CVSS 8.8, High severity)
libxml2: CVE-2022-23308 (Unspecified severity, see more information below)
Those library versions also address numerous other issues including performance
improvements, regression fixes, and bug fixes, as well as memory leaks and other
use-after-free issues that were not assigned CVEs.
Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.13.2, and only if the packaged libraries are being used. If you've
overridden defaults at installation time to use system libraries instead of
packaged libraries, you should instead pay attention to your distro's libxml2
and libxslt release announcements.
Mitigation
Upgrade to Nokogiri >= 1.13.2.
Users who are unable to upgrade Nokogiri may also choose a more complicated
mitigation: compile and link an older version Nokogiri against external libraries
libxml2 >= 2.9.13 and libxslt >= 1.1.35, which will also address these same CVEs.
All versions of libxslt prior to v1.1.35 are affected.
Applications using untrusted XSL stylesheets to transform XML are vulnerable to
a denial-of-service attack and should be upgraded immediately.
libxml2 CVE-2022-23308
As of the time this security advisory was published, there is no officially
published information available about this CVE's severity. The above NIST link
does not yet have a published record, and the libxml2 maintainer has declined
to provide a severity score.
The upstream commit and the explanation linked above indicate that an application
may be vulnerable to a denial of service, memory disclosure, or code execution if
it parses an untrusted document with parse options DTDVALID set to true, and NOENT
set to false.
An analysis of these parse options:
While NOENT is off by default for Document, DocumentFragment, Reader, and
Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri
v1.12.0 and later.
DTDVALID is an option that Nokogiri does not set for any operations, and so
this CVE applies only to applications setting this option explicitly.
It seems reasonable to assume that any application explicitly setting the parse
option DTDVALID when parsing untrusted documents is vulnerable and should be
upgraded immediately.
Fix Nokogiri::XSLT.quote_params regression in v1.13.0 that raised an exception when non-string stylesheet parameters were passed. Non-string parameters (e.g., integers and symbols) are now explicitly supported and both keys and values will be stringified with #to_s. [#2418]
Fix HTML5 CSS selector query regression in v1.13.0 that raised an Nokogiri::XML::XPath::SyntaxError when parsing XPath attributes mixed into the CSS query. Although this mash-up of XPath and CSS syntax previously worked unintentionally, it is now an officially supported feature and is documented as such. [#2419]
This release introduces native gem support for Ruby 3.1. Please note that Windows users should use the x64-mingw-ucrt platform gem for Ruby 3.1, and x64-mingw32 for Ruby 2.6–3.0 (see RubyInstaller 3.1.0 release notes).
JRuby 9.2, which is a Ruby 2.5-compatible release.
Faster, more reliable installation: Native Gem for ARM64 Linux
This version of Nokogiri ships experimental native gem support for the aarch64-linux platform, which should support AWS Graviton and other ARM Linux platforms. We don't yet have CI running for this platform, and so we're interested in hearing back from y'all whether this is working, and what problems you're seeing. Please send us feedback here: Feedback: Have you used the aarch64-linux native gem?
Publishing
This version of Nokogiri opts-in to the "MFA required to publish" setting on Rubygems.org. This and all future Nokogiri gem files must be published to Rubygems by an account with multi-factor authentication enabled. This should provide some additional protection against supply-chain attacks.
A related discussion about Trust exists at #2357 in which I invite you to participate if you have feelings or opinions on this topic.
Dependencies
[CRuby] Vendored libiconv is updated from 1.15 to 1.16. (Note that libiconv is only redistributed in the native windows and native darwin gems, see LICENSE-DEPENDENCIES.md for more information.) [#2206]
[CRuby] Upgrade mini_portile2 dependency from ~> 2.6.1 to ~> 2.7.0. ("ruby" platform gem only.)
Improved
{XML,HTML4}::DocumentFragment constructors all now take an optional parse options parameter or block (similar to Document constructors). [#1692] (Thanks, @JackMc!)
Nokogiri::CSS.xpath_for allows an XPathVisitor to be injected, for finer-grained control over how CSS queries are translated into XPath.
[CRuby] XML::Reader#encoding will return the encoding detected by the parser when it's not passed to the constructor. [#980]
[CRuby] Handle abruptly-closed HTML comments as recommended by WHATWG. (Thanks to tehryanx for reporting!)
[CRuby] Node#line is no longer capped at 65535. libxml v2.9.0 and later support a new parse option, exposed as Nokogiri::XML::ParseOptions::PARSE_BIG_LINES, which is turned on by default in ParseOptions::DEFAULT_{XML,XSLT,HTML,SCHEMA} (Note that JRuby already supported large line numbers.) [#1764, #1493, #1617, #1505, #1003, #533]
[CRuby] If a cycle is introduced when reparenting a node (i.e., the node becomes its own ancestor), a RuntimeError is raised. libxml2 does no checking for this, which means cycles would otherwise result in infinite loops on subsequent operations. (Note that JRuby already did this.) [#1912]
[CRuby] Source builds will download zlib and libiconv via HTTPS. ("ruby" platform gem only.) [#2391] (Thanks, @jmartin-r7!)
[JRuby] Node#line behavior has been modified to return the line number of the node in the final DOM structure. This behavior is different from CRuby, which returns the node's position in the input string. Ideally the two implementations would be the same, but at least is now officially documented and tested. The real-world impact of this change is that the value returned in JRuby is greater by 1 to account for the XML prolog in the output. [#2380] (Thanks, @dabdine!)
Fixed
CSS queries on HTML5 documents now correctly match foreign elements (SVG, MathML) when namespaces are not specified in the query. [#2376]
XML::Builder blocks restore context properly when exceptions are raised. [#2372] (Thanks, @ric2b and @rinthedev!)
The Nokogiri::CSS::Parser cache now uses the XPathVisitor configuration as part of the cache key, preventing incorrect cache results from being returned when multiple XPathVisitor options are being used.
Error recovery from in-context parsing (e.g., Node#parse) now always uses the correct DocumentFragment class. Previously Nokogiri::HTML4::DocumentFragment was always used, even for XML documents. [#1158]
DocumentFragment#> now works properly, matching a CSS selector against only the fragment roots. [#1857]
XML::DocumentFragment#errors now correctly contains any parsing errors encountered. Previously this was always empty. (Note that HTML::DocumentFragment#errors already did this.)
[CRuby] Fix memory leak in Document#canonicalize when inclusive namespaces are passed in. [#2345]
[CRuby] Fix memory leak in Document#canonicalize when an argument type error is raised. [#2345]
[CRuby] Fix memory leak in EncodingHandler where iconv handlers were not being cleaned up. [#2345]
[CRuby] Fix memory leak in XPath custom handlers where string arguments were not being cleaned up. [#2345]
[CRuby] Fix memory leak in Reader#base_uri where the string returned by libxml2 was not freed. [#2347]
[JRuby] Deleting a Namespace from a NodeSet no longer modifies the href to be the default namespace URL.
[JRuby] Fix XHTML formatting of closing tags for non-container elements. [#2355]
Deprecated
Passing a Nokogiri::XML::Node as the second parameter to Node.new is deprecated and will generate a warning. This parameter should be a kind of Nokogiri::XML::Document. This will become an error in a future version of Nokogiri. [#975]
Nokogiri::CSS::Parser, Nokogiri::CSS::Tokenizer, and Nokogiri::CSS::Node are now internal-only APIs that are no longer documented, and should not be considered stable. With the introduction of XPathVisitor injection into Nokogiri::CSS.xpath_for there should be no reason to rely on these internal APIs.
CSS-to-XPath utility classes Nokogiri::CSS::XPathVisitorAlwaysUseBuiltins and XPathVisitorOptimallyUseBuiltins are deprecated. Prefer Nokogiri::CSS::XPathVisitor with appropriate constructor arguments. These classes will be removed in a future version of Nokogiri.
Support xz-compressed archives (recognized by an .xz file extension).
When downloading a source archive, default open_timeout and read_timeout to 10 seconds, but allow configuration via open_timeout and read_timeout config parameters.
A test artifact that has been included in the gem was being flagged by some users' security scanners because it wasn't a real tarball. That artifact has been updated to be a real tarball. [#108]
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗️ nokogiri (indirect, 1.12.5 → 1.13.2) · Repo · Changelog
Security Advisories 🚨
🚨 Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Release Notes
1.13.2
1.13.1
1.13.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ mini_portile2 (indirect, 2.6.1 → 2.8.0) · Repo · Changelog
Release Notes
2.8.0
2.7.1
2.7.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by 19 commits:
version bump to 2.8.0Merge pull request #114 from flavorjones/flavorjones-support-xz-filesci: skip examples that won't build on arm64-darwinfeat: support xz-compressed archivesMerge pull request #115 from flavorjones/flavorjones-add-darwin-to-ci-matrixfeat: {open,read}_timeout defaults to 10, can be overriddenci: add darwin coverage to the ci matrixdev(dep): update development dependenciesMerge pull request #113 from flavorjones/flavorjones-update-ci-to-ruby31ci: update to cover Ruby 3.1meta: Github Sponsors linkversion bump to v2.7.1update CHANGELOG for releaseMerge pull request #109 from flavorjones/108-make-it-a-real-tarball-plzfix: ensure test artifact is a real tarballversion bump to v2.7.0Merge pull request #107 from cosmo0920/support-replace-cmake-command-via-initializeallow configuration of some commandsci: do not fail fast, cancel in progressDepfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands