Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to v2.10.4 from v2.10.3.
libxml2 v2.10.4 addresses the following known vulnerabilities:
- CVE-2023-29469: Hashing of empty dict strings isn't deterministic
- CVE-2023-28484: Fix null deref in xmlSchemaFixupComplexType
- Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.
Mitigation
Upgrade to Nokogiri >= 1.14.3.
Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against an external libxml2 >= 2.10.4, which also addresses these same issues.
Impact
No public information has yet been published about the security-related issues other than the upstream commits. Examination of those changesets indicates that the more serious issues relate to libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.
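The advisory's scope has three conditions (CRuby, Nokogiri < 1.14.3, packaged libxml2), and the alternative mitigation turns on the libxml2 version actually linked. The Ruby below is an added check, not part of the advisory or of Nokogiri's own code: it classifies an installation from a hash shaped like `Nokogiri::VERSION_INFO`. It assumes the 1.14-era layout of that hash (`ruby.engine`, `nokogiri.version`, `libxml.source`, `libxml.loaded`); the sample hashes are constructed so the script runs without Nokogiri installed.

```ruby
require "rubygems" # Gem::Version from the standard library; Nokogiri itself is not required

# Thresholds stated in GHSA-pxvg-2qj5-37jq.
FIXED_NOKOGIRI = Gem::Version.new("1.14.3")
FIXED_LIBXML2  = Gem::Version.new("2.10.4")

# Classify one installation. `info` is assumed to follow the layout of
# Nokogiri::VERSION_INFO in 1.14-era releases (an assumption of this example).
def advisory_status(info)
  # The advisory covers the CRuby extension only; JRuby uses Java parsers.
  return :not_affected_jruby unless info.dig("ruby", "engine") == "ruby"

  nokogiri_version = Gem::Version.new(info.dig("nokogiri", "version"))
  return :fixed_by_nokogiri_upgrade if nokogiri_version >= FIXED_NOKOGIRI

  libxml = info.fetch("libxml")
  loaded = Gem::Version.new(libxml.fetch("loaded"))

  if loaded >= FIXED_LIBXML2
    # The "more complicated mitigation": linked against an external libxml2 >= 2.10.4.
    :mitigated_by_libxml2_version
  elsif libxml["source"] == "packaged"
    # Vendored libxml2 < 2.10.4 shipped with Nokogiri < 1.14.3: in scope.
    :vulnerable_packaged_libxml2
  else
    # System libxml2 below 2.10.4: the distro may have backported the fixes,
    # so defer to its release announcements rather than calling it vulnerable.
    :check_distro_libxml2
  end
end

MESSAGES = {
  not_affected_jruby: "JRuby: advisory does not apply (no libxml2 in use).",
  fixed_by_nokogiri_upgrade: "Nokogiri >= 1.14.3: vendored libxml2 already patched.",
  mitigated_by_libxml2_version: "libxml2 >= 2.10.4 loaded: the listed issues are addressed.",
  vulnerable_packaged_libxml2: "AFFECTED: packaged libxml2 < 2.10.4; upgrade to Nokogiri >= 1.14.3.",
  check_distro_libxml2: "System libxml2 < 2.10.4: consult your distro's libxml2 advisories.",
}.freeze

# One-line human-readable verdict for logs or CI output.
def advisory_report(info)
  status = advisory_status(info)
  "#{status}: #{MESSAGES.fetch(status)}"
end

# Constructed sample inputs covering each branch (not captured from real hosts).
SAMPLES = {
  "cruby-1.14.2-packaged" => {
    "ruby" => { "engine" => "ruby" }, "nokogiri" => { "version" => "1.14.2" },
    "libxml" => { "source" => "packaged", "loaded" => "2.10.3" },
  },
  "cruby-1.14.3-packaged" => {
    "ruby" => { "engine" => "ruby" }, "nokogiri" => { "version" => "1.14.3" },
    "libxml" => { "source" => "packaged", "loaded" => "2.10.4" },
  },
  "cruby-1.14.2-system-2.10.4" => {
    "ruby" => { "engine" => "ruby" }, "nokogiri" => { "version" => "1.14.2" },
    "libxml" => { "source" => "system", "loaded" => "2.10.4" },
  },
  "cruby-1.14.2-system-2.9.14" => {
    "ruby" => { "engine" => "ruby" }, "nokogiri" => { "version" => "1.14.2" },
    "libxml" => { "source" => "system", "loaded" => "2.9.14" },
  },
  "jruby-1.14.2" => {
    "ruby" => { "engine" => "jruby" }, "nokogiri" => { "version" => "1.14.2" },
  },
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |name, info| puts "#{name.ljust(28)} #{advisory_report(info)}" }
  # On a host where Nokogiri is loaded, the same check can run against the real hash.
  puts "this host: #{advisory_report(Nokogiri::VERSION_INFO)}" if defined?(Nokogiri::VERSION_INFO)
end
```

Running the script prints one verdict per constructed sample; `require "nokogiri"` before it to classify the current host. Systems that land in `check_distro_libxml2` are the case the advisory defers to the distribution, and a build that lands in `mitigated_by_libxml2_version` is what the alternative mitigation produces, e.g. via `bundle config build.nokogiri --use-system-libraries` against a libxml2 >= 2.10.4 (that flag is Nokogiri's documented system-library build option, mentioned here as context rather than taken from this page).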
sparklemotion/nokogiri (nokogiri)
### [`v1.14.3`](https://togithub.com/sparklemotion/nokogiri/blob/HEAD/CHANGELOG.md#1143--2023-04-11)
[Compare Source](https://togithub.com/sparklemotion/nokogiri/compare/v1.14.2...v1.14.3)
##### Security
- \[CRuby] Vendored libxml2 is updated to address CVE-2023-29469, CVE-2023-28484, and one other security-related issue. See [GHSA-pxvg-2qj5-37jq](https://togithub.com/sparklemotion/nokogiri/security/advisories/GHSA-pxvg-2qj5-37jq) for more information.
##### Dependencies
- \[CRuby] Vendored libxml2 is updated to [v2.10.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4) from v2.10.3.
### [`v1.14.2`](https://togithub.com/sparklemotion/nokogiri/blob/HEAD/CHANGELOG.md#1142--2023-02-13)
[Compare Source](https://togithub.com/sparklemotion/nokogiri/compare/v1.14.1...v1.14.2)
##### Fixed
- Calling `NodeSet#to_html` on an empty node set no longer raises an encoding-related exception. This bug was introduced in v1.14.0 while fixing [#2649](https://togithub.com/sparklemotion/nokogiri/issues/2649). \[[#2784](https://togithub.com/sparklemotion/nokogiri/issues/2784)]
### [`v1.14.1`](https://togithub.com/sparklemotion/nokogiri/blob/HEAD/CHANGELOG.md#1141--2023-01-30)
[Compare Source](https://togithub.com/sparklemotion/nokogiri/compare/v1.14.0...v1.14.1)
##### Fixed
- Serializing documents now works again with pseudo-IO objects that don't support IO's encoding API (like rubyzip's `Zip::OutputStream`). This was a regression in v1.14.0 due to the fix for [#752](https://togithub.com/sparklemotion/nokogiri/issues/752) in [#2434](https://togithub.com/sparklemotion/nokogiri/issues/2434), and was not completely fixed by [#2753](https://togithub.com/sparklemotion/nokogiri/issues/2753). \[[#2773](https://togithub.com/sparklemotion/nokogiri/issues/2773)]
- \[CRuby] Address compiler warnings about `void*` casting and old-style C function definitions.
### [`v1.14.0`](https://togithub.com/sparklemotion/nokogiri/blob/HEAD/CHANGELOG.md#1140--2023-01-12)
[Compare Source](https://togithub.com/sparklemotion/nokogiri/compare/v1.13.10...v1.14.0)
##### Notable Changes
##### Ruby
This release introduces native gem support for Ruby 3.2. (Also see "Technical note" under "Changed" below.)
This release ends support for:
- Ruby 2.6, for which [upstream support ended 2022-04-12](https://www.ruby-lang.org/en/downloads/branches/).
- JRuby 9.3, which is not fully compatible with Ruby 2.7+.
##### Faster, more reliable installation: Native Gem for `aarch64-linux` (aka `linux/arm64/v8`)
This version of Nokogiri ships *official* native gem support for the `aarch64-linux` platform, which should support AWS Graviton and other ARM64 Linux platforms. Please note that glibc >= 2.29 is required for aarch64-linux systems, see [Supported Platforms](https://nokogiri.org/#supported-platforms) for more information.
##### Faster, more reliable installation: Native Gem for `arm-linux` (aka `linux/arm/v7`)
This version of Nokogiri ships *experimental* native gem support for the `arm-linux` platform. Please note that glibc >= 2.29 is required for arm-linux systems, see [Supported Platforms](https://nokogiri.org/#supported-platforms) for more information.
##### Pattern matching
This version introduces an *experimental* pattern matching API for `XML::Attr`, `XML::Document`, `XML::DocumentFragment`, `XML::Namespace`, `XML::Node`, and `XML::NodeSet` (and their subclasses).
Some documentation on what can be matched:
- [`XML::Attr#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Attr.html?h=deconstruct#method-i-deconstruct_keys)
- [`XML::Document#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Document.html?h=deconstruct#method-i-deconstruct_keys)
- [`XML::Namespace#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Namespace.html?h=deconstruct+namespace#method-i-deconstruct_keys)
- [`XML::Node#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Node.html?h=deconstruct#method-i-deconstruct_keys)
- [`XML::DocumentFragment#deconstruct`](https://nokogiri.org/rdoc/Nokogiri/XML/DocumentFragment.html?h=deconstruct#method-i-deconstruct)
- [`XML::NodeSet#deconstruct`](https://nokogiri.org/rdoc/Nokogiri/XML/NodeSet.html?h=deconstruct#method-i-deconstruct)
We welcome feedback on this API at [#2360](https://togithub.com/sparklemotion/nokogiri/issues/2360).
##### Dependencies
##### CRuby
- Vendored libiconv is updated to [v1.17](https://savannah.gnu.org/forum/forum.php?forum_id=10175)
##### JRuby
- This version of Nokogiri uses [`jar-dependencies`](https://togithub.com/mkristian/jar-dependencies) to manage most of the vendored Java dependencies. `nokogiri -v` now outputs maven metadata for all Java dependencies, and `Nokogiri::VERSION_INFO` also contains this metadata. \[[#2432](https://togithub.com/sparklemotion/nokogiri/issues/2432)]
- HTML parsing is now provided by `net.sourceforge.htmlunit:neko-htmlunit:2.61.0` (previously Nokogiri used a fork of `org.cyberneko.html:nekohtml`)
- Vendored Jing is updated from `com.thaiopensource:jing:20091111` to `nu.validator:jing:20200702VNU`.
- New dependency on `net.sf.saxon:Saxon-HE:9.6.0-4` (via `nu.validator:jing:20200702VNU`).
##### Added
- `Node#wrap` and `NodeSet#wrap` now also accept a `Node` type argument, which will be `dup`ed for each wrapper. For cases where many nodes are being wrapped, creating a `Node` once using `Document#create_element` and passing that `Node` multiple times is significantly faster than re-parsing markup on each call. \[[#2657](https://togithub.com/sparklemotion/nokogiri/issues/2657)]
- \[CRuby] Invocation of custom XPath or CSS handler functions may now use the `nokogiri` namespace prefix. Historically, the JRuby implementation *required* this namespace but the CRuby implementation did not support it. It's recommended that all XPath and CSS queries use the `nokogiri` namespace going forward. Invocation without the namespace is planned for deprecation in v1.15.0 and removal in a future release. \[[#2147](https://togithub.com/sparklemotion/nokogiri/issues/2147)]
- `HTML5::Document#quirks_mode` and `HTML5::DocumentFragment#quirks_mode` expose the quirks mode used by the parser.
##### Improved
##### Functional
- HTML5 parser update to reflect changes to the living specification:
  - [Add the \ element by domenic · whatwg/html](https://togithub.com/whatwg/html/pull/7320)
  - [Remove parse error for \\ \ \ by zcorpan · whatwg/html](https://togithub.com/whatwg/html/pull/8271)
##### Performance
- Serialization of HTML5 documents and fragments has been re-implemented and is ~10x faster than previous versions. \[[#2596](https://togithub.com/sparklemotion/nokogiri/issues/2596), [#2569](https://togithub.com/sparklemotion/nokogiri/issues/2569)]
- Parsing of HTML5 documents is ~90% faster thanks to additional compiler optimizations being applied. \[[#2639](https://togithub.com/sparklemotion/nokogiri/issues/2639)]
- Compare `Encoding` objects rather than compare their names. This is a slight performance improvement and is future-proof. \[[#2454](https://togithub.com/sparklemotion/nokogiri/issues/2454)] (Thanks, [@casperisfine](https://togithub.com/casperisfine)!)
##### Error handling
- `Document#canonicalize` now raises an exception if `inclusive_namespaces` is non-nil and the mode is inclusive, i.e. `XML_C14N_1_0` or `XML_C14N_1_1`. `inclusive_namespaces` can only be passed with exclusive modes, and previously this silently failed.
- Empty CSS selectors now raise a clearer `Nokogiri::CSS::SyntaxError` message, "empty CSS selector". Previously the exception raised from the bowels of `racc` was "unexpected '$' after ''". \[[#2700](https://togithub.com/sparklemotion/nokogiri/issues/2700)]
- \[CRuby] `XML::Reader` parsing errors encountered during `Reader#attribute_hash` and `Reader#namespaces` now raise an `XML::SyntaxError`. Previously these methods would return `nil` and users would generally experience `NoMethodErrors` from elsewhere in the code.
- Prefer `ruby_xmalloc` to `malloc` within the C extension. \[[#2480](https://togithub.com/sparklemotion/nokogiri/issues/2480)] (Thanks, [@Garfield96](https://togithub.com/Garfield96)!)
##### Installation
- Avoid compile-time conflict with system-installed `gumbo.h` on OpenBSD. \[[#2464](https://togithub.com/sparklemotion/nokogiri/issues/2464)]
- Remove calls to `vasprintf` in favor of platform-independent `rb_vsprintf`.
- Installation from source on systems missing libiconv will once again generate a helpful error message (broken since v1.11.0). \[[#2505](https://togithub.com/sparklemotion/nokogiri/issues/2505)]
- \[CRuby+OSX] Compiling from source on MacOS will use the clang option `-Wno-unknown-warning-option` to avoid errors when Ruby injects options that clang doesn't know about. \[[#2689](https://togithub.com/sparklemotion/nokogiri/issues/2689)]
##### Fixed
- `SAX::Parser`'s `encoding` attribute will not be clobbered when an alternative encoding is passed into `SAX::Parser#parse_io`. \[[#1942](https://togithub.com/sparklemotion/nokogiri/issues/1942)] (Thanks, [@kp666](https://togithub.com/kp666)!)
- Serialized `HTML4::DocumentFragment` will now be properly encoded. Previously this empty string was encoded as `US-ASCII`. \[[#2649](https://togithub.com/sparklemotion/nokogiri/issues/2649)]
- `Node#wrap` now uses the parent as the context node for parsing wrapper markup, falling back to the document for unparented nodes. Previously the document was always used.
- \[CRuby] UTF-16-encoded documents longer than ~4000 code points now serialize properly. Previously the serialized document was corrupted when it exceeded the length of libxml2's internal string buffer. \[[#752](https://togithub.com/sparklemotion/nokogiri/issues/752)]
- \[CRuby] The HTML5 parser now correctly handles text at the end of `form` elements.
- \[CRuby] `HTML5::Document#fragment` now always uses `body` as the parsing context. Previously, fragments were parsed in the context of the associated document's root node, which allowed for inconsistent parsing. \[[#2553](https://togithub.com/sparklemotion/nokogiri/issues/2553)]
- \[CRuby] `Nokogiri::HTML5::Document#url` now correctly returns the URL passed to the constructor method. Previously it always returned `nil`. \[[#2583](https://togithub.com/sparklemotion/nokogiri/issues/2583)]
- \[CRuby] `HTML5` encoding detection is now case-insensitive with respect to `meta` tag charset declaration. \[[#2693](https://togithub.com/sparklemotion/nokogiri/issues/2693)]
- \[CRuby] `HTML5` fragment parsing in context of an annotation-xml node now works. Previously this rarely-used path invoked rb_funcall with incorrect parameters, resulting in an exception, a fatal error, or potentially a segfault. \[[#2692](https://togithub.com/sparklemotion/nokogiri/issues/2692)]
- \[CRuby] `HTML5` quirks mode during fragment parsing more closely matches document parsing. \[[#2646](https://togithub.com/sparklemotion/nokogiri/issues/2646)]
- \[JRuby] Fixed a bug with adding the same namespace to multiple nodes via `#add_namespace_definition`. \[[#1247](https://togithub.com/sparklemotion/nokogiri/issues/1247)]
- \[JRuby] `NodeSet#[]` now raises a TypeError if passed an invalid parameter type. \[[#2211](https://togithub.com/sparklemotion/nokogiri/issues/2211)]
##### Deprecated
- `Nokogiri.install_default_aliases` is deprecated in favor of `Nokogiri::EncodingHandler.install_default_aliases`. This is part of a private API and is probably not called by anybody, but we'll go through a deprecation cycle before removal anyway. \[[#2643](https://togithub.com/sparklemotion/nokogiri/issues/2643), [#2446](https://togithub.com/sparklemotion/nokogiri/issues/2446)]
##### Changed
- \[CRuby+OSX] Technical note: On MacOS Ruby 3.2, the symbols from libxml2 and libxslt are no longer exported. Ruby 3.2 adopted new features from the Darwin toolchain that make it challenging to continue to support this rarely-used binary API. A future minor release of Nokogiri may remove these symbols (and others) entirely. Feedback from downstream gem maintainers is welcome at [#2746](https://togithub.com/sparklemotion/nokogiri/issues/2746), where you'll also be able to read deeper context on this decision.
##### Thank you!
The following people and organizations were kind enough to sponsor [@flavorjones](https://togithub.com/flavorjones) or the Nokogiri project during the development of v1.14.0:
- Götz Görisch [@GoetzGoerisch](https://togithub.com/GoetzGoerisch)
- Airbnb [@airbnb](https://togithub.com/airbnb)
- Kyohei Nanba [@kyo-nanba](https://togithub.com/kyo-nanba)
- Maxime Gauthier [@biximilien](https://togithub.com/biximilien)
- [@renuo](https://togithub.com/renuo)
- [@dbootyfvrt](https://togithub.com/dbootyfvrt)
- YOSHIDA Katsuhiko [@kyoshidajp](https://togithub.com/kyoshidajp)
- Homebrew [@Homebrew](https://togithub.com/Homebrew)
- David Vrensk [@dvrensk](https://togithub.com/dvrensk)
- Alex Daragiu [@daragiu](https://togithub.com/daragiu)
- Github [@github](https://togithub.com/github)
- Julian Joseph [@Julian88Tex](https://togithub.com/Julian88Tex)
- Charles Simon-Meunier [@csimonmeunier](https://togithub.com/csimonmeunier)
- Ben Slaughter [@benSlaughter](https://togithub.com/benSlaughter)
- Garen Torikian [@gjtorikian](https://togithub.com/gjtorikian)
- Frank Groeneveld [@frenkel](https://togithub.com/frenkel)
- Hiroshi SHIBATA [@hsbt](https://togithub.com/hsbt)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
- nokogiri: `'~> 1.13.10', '>= 1.13.10'` -> `'~> 1.14.0', '>= 1.14.3'`
⚠ Dependency Lookup Warnings ⚠
Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
GHSA-pxvg-2qj5-37jq (summary, mitigation and impact are given at the top of this page)