🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
Please note that this advisory only applies to the CRuby implementation of
Nokogiri < 1.16.2, and only if the packaged libraries are being used. If
you've overridden defaults at installation time to use system libraries
instead of packaged libraries, you should instead pay attention to your
distro's libxml2 release announcements.
Severity
The Nokogiri maintainers have evaluated this as Moderate.
Mitigation
Upgrade to Nokogiri >= 1.16.2.
Users who are unable to upgrade Nokogiri may also choose a more complicated
mitigation: compile and link Nokogiri against external libraries libxml2 >=
2.12.5 which will also address these same issues.
[CRuby] XML::Reader defaults the encoding to UTF-8 if it's not specified in either the document or as a method parameter. Previously non-ASCII characters were serialized as NCRs in this case. [#2891] (@flavorjones)
[CRuby] Restored support for compilation by GCC versions earlier than 4.6, which was broken in v1.15.0 (540e9ae). [#3090] (@adfoster-r7)
[CRuby] Patched upstream libxml2 to allow parsing HTML5 in the context of a namespaced node (e.g., foreign content like MathML). [#3112, #3116] (@flavorjones)
[CRuby] Fixed a small memory leak in libgumbo (HTML5 parser) when the maximum tree depth limit is hit. [#3098, #3100] (@stevecheckoway)
This version marks official support for the pattern matching API in XML::Attr, XML::Document, XML::DocumentFragment, XML::Namespace, XML::Node, and XML::NodeSet (and their subclasses), originally introduced as an experimental feature in v1.14.0. (@flavorjones)
CSS nth pseudo-classes now handle spaces, e.g. "2n + 1". [#3018] (@fusion2004)
[CRuby] libgumbo no longer leaks memory when an incomplete tag is abandoned by the HTML5 parser. [#3036] (@flavorjones)
Removed
Removed Nokogiri::HTML5.get which was deprecated in v1.12.0. [#2278] (@flavorjones)
Removed the CSS-to-XPath utility modules XPathVisitorAlwaysUseBuiltins and XPathVisitorOptimallyUseBuiltins, which were deprecated in v1.13.0 in favor of XPathVisitor constructor args. [#2403] (@flavorjones)
Removed XML::Reader#attribute_nodes which was deprecated in v1.13.8 in favor of #attribute_hash. [#2598, #2599] (@flavorjones)
[CRuby] Removed the libxml/libxml2_path key from VersionInfo, used in the past for third-party library integration, in favor of the nokogiri/cppflags and nokogiri/ldflags keys. Please note that third-party library integration is not fully supported and may be deprecated soon, see #2746 for more context. [#2143] (@flavorjones)
Thank you!
The following people and organizations were kind enough to sponsor @flavorjones or the Nokogiri project during the development of v1.16.0:
Fixed a typo in a HTML5 parser error message. [#2927] (Thanks, @anishathalye!)
[CRuby] ObjectSpace.memsize_of is now safe to call on Documents with complex DTDs. In previous versions, this debugging method could result in a segfault. [#2923, #2924]
Passing an object that is not a kind of XML::Node as the first parameter to CDATA.new now raises a TypeError. Previously this would result in either a segfault (CRuby) or a Java exception (JRuby). [#2920]
Passing an object that is not a kind of XML::Node as the first parameter to Schema.from_document now raises a TypeError. Previously this would result in either a segfault (CRuby) or a Java exception (JRuby). [#2920]
[CRuby] Passing an object that is not a kind of XML::Node as the second parameter to Text.new now raises a TypeError. Previously this would result in a segfault. [#2920]
[CRuby] Replacing a node's children via methods like Node#inner_html=, #children=, and #replace no longer defensively dups the node's next sibling if it is a Text node. This behavior was originally adopted to work around libxml2's memory management (see #283 and #595) but should not have included operations involving xmlAddChild(). [#2916]
[JRuby] Fixed NPE when serializing an unparented HTML node. [#2559, #2895] (Thanks, @cbasguti!)
Since 2009, Nokogiri has configured libxml2 to use ruby_xmalloc et al for memory management. This has provided benefits for memory management, but comes with a performance penalty.
Users can now opt into using system malloc for libxml2 memory management by setting an environment variable:
# "default" here means "libxml2's default" which is system malloc
NOKOGIRI_LIBXML_MEMORY_MANAGEMENT=default
Benchmarks show that this setting will significantly improve performance, but be aware that the tradeoff may involve poorer memory management including bloated heap sizes and/or OOM conditions.
Encoding objects may now be passed to serialization methods like #to_xml, #to_html, #serialize, and #write_to to specify the output encoding. Previously only encoding names (strings) were accepted. [#2774, #2798] (Thanks, @ellaklara!)
[CRuby] Schema.from_document now makes a defensive copy of the document if it has blank text nodes with Ruby objects instantiated for them. This prevents unsafe behavior in libxml2 from causing a segfault. There is a small performance cost, but we think this has the virtue of being "what the user meant" since modifying the original is surprising behavior for most users. Previously this was addressed in v1.10.9 by raising an exception.
Fixed
[CRuby] XSLT.transform now makes a defensive copy of the document if it has blank text nodes with Ruby objects instantiated for them and the template uses xsl:strip-spaces. This prevents unsafe behavior in libxslt from causing a segfault. There is a small performance cost, but we think this has the virtue of being "what the user meant" since modifying the original is surprising behavior for most users. Previously this would allow unsafe memory access and potentially segfault. [#2800]
Improved
Nokogiri::XML::Node::SaveOptions#inspect now shows the names of the options set in the bitmask, similar to ParseOptions. [#2767]
#inspect and pretty-printing are improved for AttributeDecl, ElementContent, ElementDecl, and EntityDecl.
[CRuby] The C extension now uses Ruby's TypedData API for managing all the libxml2 structs. Write barriers may improve GC performance in some extreme cases. [#2808] (Thanks, @etiennebarrie and @byroot!)
[CRuby] ObjectSpace.memsize_of reports a pretty good guess of memory usage when called on Nokogiri::XML::Document objects. [#2807] (Thanks, @etiennebarrie and @byroot!)
[CRuby] Users installing the "ruby" platform gem and compiling libxml2 and libxslt from source will now be using a modern config.guess and config.sub that supports new architectures like loongarch64. [#2831] (Thanks, @zhangwenlong8911!)
[CRuby] HTML5 parser:
adjusts the specified attributes, adding xlink:arcrole and removing xml:base [#2841, #2842]
[JRuby] Node#first_element_child now returns nil if there are only non-element children. Previously a null pointer exception was raised. [#2808, #2844]
Documentation for Nokogiri::XSLT now has usage examples including custom function handlers.
Deprecated
Passing a Nokogiri::XML::Node as the first parameter to CDATA.new is deprecated and will generate a warning. This parameter should be a kind of Nokogiri::XML::Document. This will become an error in a future version of Nokogiri.
Passing a Nokogiri::XML::Node as the first parameter to Schema.from_document is deprecated and will generate a warning. This parameter should be a kind of Nokogiri::XML::Document. This will become an error in a future version of Nokogiri.
Passing a Nokogiri::XML::Node as the second parameter to Text.new is deprecated and will generate a warning. This parameter should be a kind of Nokogiri::XML::Document. This will become an error in a future version of Nokogiri.
[CRuby] Calling a custom XPath function without the nokogiri namespace is deprecated and will generate a warning. Support for non-namespaced functions will be removed in a future version of Nokogiri. (Note that JRuby has never supported non-namespaced custom XPath functions.)
Thank you!
The following people and organizations were kind enough to sponsor @flavorjones or the Nokogiri project during the development of v1.15.0:
To ensure that JRuby users on Java 8 can apply the security changes from v1.14.4, we're cutting this release on the v1.14.x branch. We don't expect to make any more v1.14.x releases.
Dependencies
[JRuby] Vendored org.nokogiri:nekodtd is updated to v0.1.11.noko2. This is functionally equivalent to v0.1.11.noko1 but restores support for Java 8.
Fixed
[JRuby] Java 8 support is restored, fixing a regression introduced in v1.14.0. [#2887]
[JRuby] Vendored Xalan-J is updated to v2.7.3. This is the first Xalan release in nine years, and it was done to address CVE-2022-34169.
The Nokogiri maintainers wish to stress that Nokogiri users were not vulnerable to this CVE, as we explained in GHSA-qwq9-89rg-ww72, and so upgrading is really at the discretion of users.
This release was cut primarily so that JRuby users of v1.14.x can avoid vulnerability scanner alerts on earlier versions of Xalan-J.
New methods #lib_path and #include_path which point at the installed directories under ports. (by @flavorjones)
Add config param for CMAKE_BUILD_TYPE, which now defaults to Release. (#136 by @Watson1978)
Experimental
Introduce experimental support for MiniPortile#mkmf_config which sets up MakeMakefile variables to properly link against the recipe. This should make it easier for C extensions to package third-party libraries. (by @flavorjones)
With no arguments, will set up just $INCFLAGS, $libs, and $LIBPATH.
Optionally, if provided a pkg-config file, will use that config to more precisely set $INCFLAGS, $libs, $LIBPATH, and $CFLAGS/$CXXFLAGS.
Optionally, if provided the name of a static archive, will rewrite linker flags to ensure correct linkage.
Note that the behavior may change slightly before official support is announced. Please comment on #118 if you have feedback.
cmake: set CMAKE compile flags to configure cross-compilation similarly to autotools--host flag: SYSTEM_NAME, SYSTEM_PROCESSOR, C_COMPILER, and CXX_COMPILER. [#130] (Thanks, @stanhu!)
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.
All Depfu comment commands
@depfu rebase
Rebases against your default branch and redoes this update
@depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@depfu cancel merge
Cancels automatic merging of this PR
@depfu close
Closes this PR and deletes the branch
@depfu reopen
Restores the branch and reopens this PR (if it's closed)
@depfu pause
Ignores all future updates for this dependency and closes this PR
@depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
depfu[bot]
commented
3 months ago
🚨 Your current dependencies have known security vulnerabilities 🚨
This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!
Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.
What changed?
↗️ nokogiri (indirect, 1.14.3 → 1.16.2) · Repo · Changelog
Security Advisories 🚨
🚨 Improper Handling of Unexpected Data Type in Nokogiri
Release Notes
1.16.2
1.16.1
1.16.0
1.15.5
1.15.4
1.15.3
1.15.2
1.15.1
1.15.0
1.14.5
1.14.4
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ mini_portile2 (indirect, 2.8.1 → 2.8.5) · Repo · Changelog
Release Notes
2.8.5
2.8.4
2.8.3
2.8.2
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
↗️ racc (indirect, 1.6.2 → 1.7.3) · Repo · Changelog
Release Notes
1.7.3
1.7.2
1.7.1
1.7.0
Does any of this look wrong? Please let us know.
Commits
See the full diff on Github. The new version differs by more commits than we can show here.
Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with
@depfu rebase.All Depfu comment commands