Closed renovate[bot] closed 1 year ago
@rultor please, try to merge
@rultor please, try to merge
@renovate[bot] @yegor256 Can't merge it. Some CI checks failed. Apparently, the pull request is not ready to be merged since it has some problems. Please, fix them first.
This PR contains the following updates:

| Package | Change |
|---|---|
| nokogiri | `'1.13.10'` -> `'1.14.3'` |
GitHub Vulnerability Alerts
GHSA-pxvg-2qj5-37jq
Summary
Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to v2.10.4 from v2.10.3.
libxml2 v2.10.4 addresses the following known vulnerabilities: CVE-2023-29469, CVE-2023-28484, and one other security-related issue (as listed in the v1.14.3 release notes below).

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.14.3.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 >= 2.10.4, which will also address these same issues.

Impact

No public information has yet been published about the security-related issues other than the upstream commits. Examination of those changesets indicates that the more serious issues relate to libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.
The commits can be examined at:
Release Notes
sparklemotion/nokogiri
### [`v1.14.3`](https://togithub.com/sparklemotion/nokogiri/blob/HEAD/CHANGELOG.md#1143--2023-04-11)

[Compare Source](https://togithub.com/sparklemotion/nokogiri/compare/v1.14.2...v1.14.3)

##### Security

- \[CRuby] Vendored libxml2 is updated to address CVE-2023-29469, CVE-2023-28484, and one other security-related issue. See [GHSA-pxvg-2qj5-37jq](https://togithub.com/sparklemotion/nokogiri/security/advisories/GHSA-pxvg-2qj5-37jq) for more information.

##### Dependencies

- \[CRuby] Vendored libxml2 is updated to [v2.10.4](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.4) from v2.10.3.

### [`v1.14.2`](https://togithub.com/sparklemotion/nokogiri/blob/HEAD/CHANGELOG.md#1142--2023-02-13)

[Compare Source](https://togithub.com/sparklemotion/nokogiri/compare/v1.14.1...v1.14.2)

##### Fixed

- Calling `NodeSet#to_html` on an empty node set no longer raises an encoding-related exception. This bug was introduced in v1.14.0 while fixing [#2649](https://togithub.com/sparklemotion/nokogiri/issues/2649). \[[#2784](https://togithub.com/sparklemotion/nokogiri/issues/2784)]

### [`v1.14.1`](https://togithub.com/sparklemotion/nokogiri/blob/HEAD/CHANGELOG.md#1141--2023-01-30)

[Compare Source](https://togithub.com/sparklemotion/nokogiri/compare/v1.14.0...v1.14.1)

##### Fixed

- Serializing documents now works again with pseudo-IO objects that don't support IO's encoding API (like rubyzip's `Zip::OutputStream`). This was a regression in v1.14.0 due to the fix for [#752](https://togithub.com/sparklemotion/nokogiri/issues/752) in [#2434](https://togithub.com/sparklemotion/nokogiri/issues/2434), and was not completely fixed by [#2753](https://togithub.com/sparklemotion/nokogiri/issues/2753). \[[#2773](https://togithub.com/sparklemotion/nokogiri/issues/2773)]
- \[CRuby] Address compiler warnings about `void*` casting and old-style C function definitions.

### [`v1.14.0`](https://togithub.com/sparklemotion/nokogiri/blob/HEAD/CHANGELOG.md#1140--2023-01-12)

[Compare Source](https://togithub.com/sparklemotion/nokogiri/compare/v1.13.10...v1.14.0)

##### Notable Changes

##### Ruby

This release introduces native gem support for Ruby 3.2. (Also see "Technical note" under "Changed" below.)

This release ends support for:

- Ruby 2.6, for which [upstream support ended 2022-04-12](https://www.ruby-lang.org/en/downloads/branches/).
- JRuby 9.3, which is not fully compatible with Ruby 2.7+

##### Faster, more reliable installation: Native Gem for `aarch64-linux` (aka `linux/arm64/v8`)

This version of Nokogiri ships *official* native gem support for the `aarch64-linux` platform, which should support AWS Graviton and other ARM64 Linux platforms. Please note that glibc >= 2.29 is required for aarch64-linux systems, see [Supported Platforms](https://nokogiri.org/#supported-platforms) for more information.

##### Faster, more reliable installation: Native Gem for `arm-linux` (aka `linux/arm/v7`)

This version of Nokogiri ships *experimental* native gem support for the `arm-linux` platform. Please note that glibc >= 2.29 is required for arm-linux systems, see [Supported Platforms](https://nokogiri.org/#supported-platforms) for more information.

##### Pattern matching

This version introduces an *experimental* pattern matching API for `XML::Attr`, `XML::Document`, `XML::DocumentFragment`, `XML::Namespace`, `XML::Node`, and `XML::NodeSet` (and their subclasses).

Some documentation on what can be matched:

- [`XML::Attr#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Attr.html?h=deconstruct#method-i-deconstruct_keys)
- [`XML::Document#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Document.html?h=deconstruct#method-i-deconstruct_keys)
- [`XML::Namespace#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Namespace.html?h=deconstruct+namespace#method-i-deconstruct_keys)
- [`XML::Node#deconstruct_keys`](https://nokogiri.org/rdoc/Nokogiri/XML/Node.html?h=deconstruct#method-i-deconstruct_keys)
- [`XML::DocumentFragment#deconstruct`](https://nokogiri.org/rdoc/Nokogiri/XML/DocumentFragment.html?h=deconstruct#method-i-deconstruct)
- [`XML::NodeSet#deconstruct`](https://nokogiri.org/rdoc/Nokogiri/XML/NodeSet.html?h=deconstruct#method-i-deconstruct)

We welcome feedback on this API at [#2360](https://togithub.com/sparklemotion/nokogiri/issues/2360).

##### Dependencies

##### CRuby

- Vendored libiconv is updated to [v1.17](https://savannah.gnu.org/forum/forum.php?forum_id=10175)

##### JRuby

- This version of Nokogiri uses [`jar-dependencies`](https://togithub.com/mkristian/jar-dependencies) to manage most of the vendored Java dependencies. `nokogiri -v` now outputs maven metadata for all Java dependencies, and `Nokogiri::VERSION_INFO` also contains this metadata. \[[#2432](https://togithub.com/sparklemotion/nokogiri/issues/2432)]
- HTML parsing is now provided by `net.sourceforge.htmlunit:neko-htmlunit:2.61.0` (previously Nokogiri used a fork of `org.cyberneko.html:nekohtml`)
- Vendored Jing is updated from `com.thaiopensource:jing:20091111` to `nu.validator:jing:20200702VNU`.
- New dependency on `net.sf.saxon:Saxon-HE:9.6.0-4` (via `nu.validator:jing:20200702VNU`).

##### Added

- `Node#wrap` and `NodeSet#wrap` now also accept a `Node` type argument, which will be `dup`ed for each wrapper. For cases where many nodes are being wrapped, creating a `Node` once using `Document#create_element` and passing that `Node` multiple times is significantly faster than re-parsing markup on each call. \[[#2657](https://togithub.com/sparklemotion/nokogiri/issues/2657)]
- \[CRuby] Invocation of custom XPath or CSS handler functions may now use the `nokogiri` namespace prefix. Historically, the JRuby implementation *required* this namespace but the CRuby implementation did not support it. It's recommended that all XPath and CSS queries use the `nokogiri` namespace going forward. Invocation without the namespace is planned for deprecation in v1.15.0 and removal in a future release. \[[#2147](https://togithub.com/sparklemotion/nokogiri/issues/2147)]
- `HTML5::Document#quirks_mode` and `HTML5::DocumentFragment#quirks_mode` expose the quirks mode used by the parser.

##### Improved

##### Functional

- HTML5 parser update to reflect changes to the living specification:
  - [Add the

Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
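As an added example (not part of this PR, of Renovate, or of Nokogiri itself), the following Ruby check encodes the advisory's applicability and mitigation conditions quoted above: CRuby only, Nokogiri below 1.14.3, packaged libxml2 versus an externally linked libxml2 at or past 2.10.4. The `VERSION_INFO` field names it reads (`nokogiri`/`version`, `libxml`/`source`, `libxml`/`loaded`) and the sample hashes are assumptions constructed for the example, not dumps from a real installation.

```ruby
require "rubygems"                       # Gem::Version for numeric version comparisons

# Versions named in the advisory: the fixed Nokogiri release, and the libxml2
# release an externally linked build must reach to be covered by the same fix.
FIXED_NOKOGIRI = Gem::Version.new("1.14.3")
FIXED_LIBXML2  = Gem::Version.new("2.10.4")

# Assumed shape of `info` (modelled on Nokogiri::VERSION_INFO; field names are an assumption):
#   info["nokogiri"]["version"]  gem version
#   info["libxml"]["source"]     "packaged" or "system" (the whole key is absent on JRuby)
#   info["libxml"]["loaded"]     libxml2 version actually loaded at runtime
def ghsa_pxvg_2qj5_37jq_status(info)
  libxml = info["libxml"]
  return :not_applicable if libxml.nil?   # JRuby build: the advisory is CRuby-only
  return :unaffected if Gem::Version.new(info["nokogiri"]["version"]) >= FIXED_NOKOGIRI

  if libxml["source"] == "packaged"
    :affected       # vendored libxml2 in these releases predates 2.10.4
  elsif Gem::Version.new(libxml["loaded"]) >= FIXED_LIBXML2
    :unaffected     # external libxml2 already at or past the fixed release
  else
    :check_distro   # distro may have backported fixes; version alone is not decisive
  end
end

# Constructed sample inputs, not real VERSION_INFO dumps.
SAMPLES = {
  "cruby-packaged-old"   => { "nokogiri" => { "version" => "1.13.10" },
                              "libxml" => { "source" => "packaged", "loaded" => "2.10.3" } },
  "cruby-packaged-fixed" => { "nokogiri" => { "version" => "1.14.3" },
                              "libxml" => { "source" => "packaged", "loaded" => "2.10.4" } },
  "cruby-system-new"     => { "nokogiri" => { "version" => "1.13.10" },
                              "libxml" => { "source" => "system", "loaded" => "2.10.4" } },
  "cruby-system-old"     => { "nokogiri" => { "version" => "1.13.10" },
                              "libxml" => { "source" => "system", "loaded" => "2.9.14" } },
  "jruby"                => { "nokogiri" => { "version" => "1.13.10" } },
}

if $PROGRAM_NAME == __FILE__
  begin
    require "nokogiri"
    puts "this process: #{ghsa_pxvg_2qj5_37jq_status(Nokogiri::VERSION_INFO)}"
  rescue LoadError
    puts "nokogiri not installed here; evaluating constructed samples only"
  end
  SAMPLES.each { |name, info| puts "#{name}: #{ghsa_pxvg_2qj5_37jq_status(info)}" }
end
```

Run inside the application's bundle (`bundle exec ruby check.rb`) so that `Nokogiri::VERSION_INFO` reflects the gem and libxml2 the application actually loads.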