🚨 [security] Update nokogiri 1.15.4 → 1.16.5 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ nokogiri (indirect, 1.15.4 → 1.16.5) · Repo · Changelog

Security Advisories 🚨

🚨 Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to
2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

• described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
• patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53

Impact

There is no impact to Nokogiri users because the issue is present only
in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

• 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
• 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
• 2024-05-13 10:05 EDT, nokogiri v1.16.5 is released
  and this GHSA made public

🚨 Nokogiri updates packaged libxml2 to v2.12.7 to resolve CVE-2024-34459

Summary

Nokogiri v1.16.5 upgrades its dependency libxml2 to 2.12.7 from 2.12.6.

libxml2 v2.12.7 addresses CVE-2024-34459:

• described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/720
• patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/2876ac53

Impact

There is no impact to Nokogiri users because the issue is present only in libxml2's xmllint tool which Nokogiri does not provide or expose.

Timeline

• 2024-05-13 05:57 EDT, libxml2 2.12.7 release is announced
• 2024-05-13 08:30 EDT, nokogiri maintainers begin triage
• 2024-05-13 10:05 EDT, nokogiri v1.16.5 is released and this GHSA made public

🚨 Use-after-free in libxml2 via Nokogiri::XML::Reader

Summary

Nokogiri upgrades its dependency libxml2 as follows:

• v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
• v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062

• described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
• patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if
the packaged libraries are being used. If you've overridden defaults at installation time to use
system libraries instead of packaged libraries, you should instead pay attention to your distro's
libxml2 release announcements.

JRuby users are not affected.

Severity

The Nokogiri maintainers have evaluated this as Moderate.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies
Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled,
processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against patched external libxml2 libraries which will also address these same
issues.

🚨 Use-after-free in libxml2 via Nokogiri::XML::Reader

Summary

Nokogiri upgrades its dependency libxml2 as follows:

• v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
• v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062

• described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
• patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if
the packaged libraries are being used. If you've overridden defaults at installation time to use
system libraries instead of packaged libraries, you should instead pay attention to your distro's
libxml2 release announcements.

JRuby users are not affected.

Severity

The Nokogiri maintainers have evaluated this as Moderate.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies
Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled,
processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against patched external libxml2 libraries which will also address these same
issues.

🚨 Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062

Summary

Nokogiri upgrades its dependency libxml2 as follows:

• Nokogiri v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
• Nokogiri v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

• CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
  • patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against patched external libxml2 libraries which will also address these same
issues.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Timeline

• 2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information
• 2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions
• 2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public
• 2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated "Impact" section
• 2024-03-16 09:03 EDT - v1.15.6 published (see discussion at #3146), updated mitigation information
• 2024-03-18 22:12 EDT - update "affected products" range with v1.15.6 information

🚨 Nokogiri update packaged libxml2 to v2.12.5 to resolve CVE-2024-25062

Summary

Nokogiri upgrades its dependency libxml2 as follows:

• Nokogiri v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
• Nokogiri v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4

libxml2 v2.11.7 and v2.12.5 address the following vulnerability:

• CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
  • patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970

Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if the packaged libraries are being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libxml2 release announcements.

JRuby users are not affected.

Mitigation

Upgrade to Nokogiri ~> 1.15.6 or >= 1.16.2.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against patched external libxml2 libraries which will also address these same
issues.

Impact

From the CVE description, this issue applies to the xmlTextReader module (which underlies Nokogiri::XML::Reader):

When using the XML Reader interface with DTD validation and XInclude expansion enabled, processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.

Timeline

• 2024-02-04 10:35 EST - this GHSA is drafted without complete details about when the upstream issue was introduced; a request is made of libxml2 maintainers for more detailed information
• 2024-02-04 10:48 EST - updated GHSA to reflect libxml2 maintainers' confirmation of affected versions
• 2024-02-04 11:54 EST - v1.16.2 published, this GHSA made public
• 2024-02-05 10:18 EST - updated with MITRE link to the CVE information, and updated "Impact" section
• 2024-03-16 09:03 EDT - v1.15.6 published (see discussion at #3146), updated mitigation information
• 2024-03-18 22:12 EDT - update "affected products" range with v1.15.6 information

Release Notes

1.16.5

v1.16.5 / 2024-05-13

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-34459. See GHSA-r95h-9x8f-r3f7 for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.7 from v2.12.6. (@flavorjones)

---

sha256 checksums:

af0f44fa3e664dfb2aa10de8b551447d720c1e8d1f0aa3f35783dcc43e40a874  nokogiri-1.16.5-aarch64-linux.gem
23dc2357b26409a5c33b7e32a82902f0e9995305420f16d1a03ab3ea1a482fec  nokogiri-1.16.5-arm-linux.gem
950d037530edb49f75ad35de0b8038b970a7dda57e2b6326895b0e49fadf6214  nokogiri-1.16.5-arm64-darwin.gem
b7aefc94370c62476b8528e8d8abb6160203abd84a1f4eceda8f1aa8974d9989  nokogiri-1.16.5-java.gem
ec2167160df8fec3137bf95d574ed80ebc1d002bb3b281546b60b4aa9002466e  nokogiri-1.16.5-x64-mingw-ucrt.gem
6984200491fac69974005ecfa2de129d61843d345eafa5d6f58e8b908d1cf107  nokogiri-1.16.5-x64-mingw32.gem
abdc389ab1ec6604492da16bd9d06ad746fdb6bd6a1bd274c400d61ffcadb3c4  nokogiri-1.16.5-x86-linux.gem
63d24981345856f2baf7f4089870a62d3042fb8d3021b280fb04fc052532e3c4  nokogiri-1.16.5-x86-mingw32.gem
71b5f54e378c433d13df67c3b71acc4716129da62402d8181f310c4216a63279  nokogiri-1.16.5-x86_64-darwin.gem
0ca238da870066bed2f7837af6f35791bb9b76c4c5638999c46aac44818a6a97  nokogiri-1.16.5-x86_64-linux.gem
ec36162c68984fa0a90a5c4ae7ab7759460639e716cc1ce75f34c3cb54158ad2  nokogiri-1.16.5.gem

1.16.4

v1.16.4 / 2024-04-10

Dependencies

• [CRuby] Vendored zlib in the precompiled native gems is updated to v1.3.1 from v1.3. Nokogiri is not affected by the minizip CVE patched in this version, but this update may satisfy some security scanners. Related, see this discussion about removing the compression libraries altogether in a future version of Nokogiri.

---

sha256 checksums:

bdb1dc4378ebcf3ade8f440c7df68f6d76946a1a96c4823a2b4c53c01a320cd5  nokogiri-1.16.4-aarch64-linux.gem
0c994b9996d5576eddcc3201a94ef2bff6fc3627c4ae4d2708b0ec9b9743ec6a  nokogiri-1.16.4-arm-linux.gem
8e86abb64c93c06d3c588042a0e757279e8f1dc88b5210a00be892a9a7a27196  nokogiri-1.16.4-arm64-darwin.gem
bf84fa28be4943692bd64772186e0832fb1061f80714ccb93e111e9d72b1cadc  nokogiri-1.16.4-java.gem
a46808467c1f63a2031e1ca0715cd5336bb4ec759e9c0e2f4c951c1cc30994ae  nokogiri-1.16.4-x64-mingw-ucrt.gem
4cdf64bc5e9443ec3e0b595347ecc8affe21968d9ae934c0825d26630ef96468  nokogiri-1.16.4-x64-mingw32.gem
d86d21bae47dd9f6f5223055e45d33fae08b0b89aad94cbc0ece4f4274fa7af5  nokogiri-1.16.4-x86-linux.gem
d488b872884844686780fda7cf5da44ee884d32faa713a55aeb4736d76718168  nokogiri-1.16.4-x86-mingw32.gem
a896e52a56951ffb0e6a9279afbf485d683e357a053d27f4cfcb2a73b0824628  nokogiri-1.16.4-x86_64-darwin.gem
92ff4f09910255fec84b3bc4c4b182e94cada3ed12b9f7a6ea058e0af186fb31  nokogiri-1.16.4-x86_64-linux.gem
62c116c3a14b4ed4e1faec786da266c4bd4c717a0bd04a9916164a7046040f45  nokogiri-1.16.4.gem

1.16.3

v1.16.3 / 2024-03-15

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.6 from v2.12.5. (@flavorjones)

Changed

• [CRuby] XML::Reader sets the @encoding instance variable during reading if it is not passed into the initializer. Previously, it would remain nil. The behavior of Reader#encoding has not changed. This works around changes to how libxml2 reports the encoding used in v2.12.6.

---

sha256 checksums:

3d806263a0548e5163ff256655d78a87998fa83a5ae256b83c14a1a97731e824  nokogiri-1.16.3-aarch64-linux.gem
cfb923c02bde065005e2521f0a6883c63cf305cb899a9dd4c74897731bb2af1d  nokogiri-1.16.3-arm-linux.gem
5d3268558c002fa493e33076798cfda1df8effbd5363060dc41595cfebb1cf90  nokogiri-1.16.3-arm64-darwin.gem
6bf0918233959c7d5e703061ada0f436544612397475a866aa314071f02bfabb  nokogiri-1.16.3-java.gem
656f163dd287671c3a28157a2e853ee1a36afeb3f4185a78af863f3980efc58d  nokogiri-1.16.3-x64-mingw-ucrt.gem
7330f65cf2f8fa442327112b6515b4988f396d23010d33571714fd2ac0648fb9  nokogiri-1.16.3-x64-mingw32.gem
08d8a369940fa2309379cd8af1e7b3cc702b0115d3ddd197cfa7b33daedfd541  nokogiri-1.16.3-x86-linux.gem
cd26e99fa6388cd73c8892bb99ac98af162fe83c8f71c6473dfeba7aac76bcb9  nokogiri-1.16.3-x86-mingw32.gem
bc22786f4db4c32a5587e3b77a106408148d3bb1602dd0b52c0f5c968c42d17d  nokogiri-1.16.3-x86_64-darwin.gem
47a3330e41b49a100225b6fab490b2dc43410931e01e791886e0c2998412e8cb  nokogiri-1.16.3-x86_64-linux.gem
498aa253ccd5b89a0fa5c4c82b346d22176fc865f4a12ef8da642064d1d3e248  nokogiri-1.16.3.gem

1.16.2

v1.16.2 / 2024-02-04

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See GHSA-xc9x-jj77-9p9j for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.5 from v2.12.4. (@flavorjones)

---

sha256 checksums:

69ba15d2a2498324489ed63850997f0b8f684260114ea81116d3082f16551d2d  nokogiri-1.16.2-aarch64-linux.gem
6a05ce42e3587a40cf8936ece0beaa5d32922254215d2e8cf9ad40588bb42e57  nokogiri-1.16.2-arm-linux.gem
c957226c8e36b31be6a3afb8602e2128282bf8b40ea51016c4cd21aa2608d3f8  nokogiri-1.16.2-arm64-darwin.gem
122652bfc338cd8a54a692ac035e245e41fd3b8283299202ca26e7a7d50db310  nokogiri-1.16.2-java.gem
7344b5072ca69fc5bedb61cb01a3b765b93a27aae5a2a845c2ba7200e4345074  nokogiri-1.16.2-x64-mingw-ucrt.gem
a2a5e184a424111a0d5b77947986484920ad708009c667f061e8d02035c562dd  nokogiri-1.16.2-x64-mingw32.gem
833efddeb51a6c2c9f6356295623c2b2e0d50050d468695c59bd929162953323  nokogiri-1.16.2-x86-linux.gem
e67fc0418dffaff9dc8b1dc65f0605282c3fee9488832d0223b620b4319e0b53  nokogiri-1.16.2-x86-mingw32.gem
5def799e5f139f21a79d7cf71172313a7b6fb0e4b2a31ab9bd5d4ad305994539  nokogiri-1.16.2-x86_64-darwin.gem
5b146240ac6ec6c40fd4367623e74442bca45a542bd3282b1d4d18b07b8e5dfe  nokogiri-1.16.2-x86_64-linux.gem
68922ee5cde27497d995c46f2821957bae961947644eed2822d173daf7567f9c  nokogiri-1.16.2.gem

1.16.1

v1.16.1 / 2024-02-03

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.4 from v2.12.3. (@flavorjones)

Fixed

• [CRuby] XML::Reader defaults the encoding to UTF-8 if it's not specified in either the document or as a method parameter. Previously non-ASCII characters were serialized as NCRs in this case. [#2891] (@flavorjones)
• [CRuby] Restored support for compilation by GCC versions earlier than 4.6, which was broken in v1.15.0 (540e9ae). [#3090] (@adfoster-r7)
• [CRuby] Patched upstream libxml2 to allow parsing HTML5 in the context of a namespaced node (e.g., foreign content like MathML). [#3112, #3116] (@flavorjones)
• [CRuby] Fixed a small memory leak in libgumbo (HTML5 parser) when the maximum tree depth limit is hit. [#3098, #3100] (@stevecheckoway)

---

sha256 checksums:

a541f35e5b9798a0c97300f9ee18f4217da2a2945a6d5499e4123b9018f9cafc  nokogiri-1.16.1-aarch64-linux.gem
6b82affd195000ab2f9c36cc08744ec2d2fcf6d8da88d59a2db67e83211f7c69  nokogiri-1.16.1-arm-linux.gem
487f0072c154b8a8fd12716f746beee9fb7cea1d62773471bb2951e540f3798a  nokogiri-1.16.1-arm64-darwin.gem
d45378ce34b8d2cfac2428cebb0e21ace4d9c97e76c565ba2e8cec041df02afb  nokogiri-1.16.1-java.gem
d50359f604e650e47365baa8af231b587080ffa7bb84ffca836f34f8c06ae10d  nokogiri-1.16.1-x64-mingw-ucrt.gem
5b656174e77db8f97ee2cc45c4f1476c8262797b577e8fc8abf458beefd4372c  nokogiri-1.16.1-x64-mingw32.gem
c6ba741e41b73a75cdefbf3733101c66a93eb041cab22ba3472a6c548f5b20d7  nokogiri-1.16.1-x86-linux.gem
e37439f5ce9bf91f3797420f8a1e1502ebc3654c3ca4eca80a0b2707235c9326  nokogiri-1.16.1-x86-mingw32.gem
380c94bd8a7fbdee4633db117e5c1ef04cafd35e0dbbdb20eb9224631fe0dc49  nokogiri-1.16.1-x86_64-darwin.gem
cf43557ea7eed0e9f9ed90837a27e1dbfb7fd56d65eb806955965e02231bed3e  nokogiri-1.16.1-x86_64-linux.gem
304db173d8a87afc63f1e1702a671d9eb9e4a30974b297ccca604f6cfd3ed2a7  nokogiri-1.16.1.gem

1.16.0

v1.16.0 / 2023-12-27

Notable Changes

Ruby

This release introduces native gem support for Ruby 3.3.

This release ends support for Ruby 2.7, for which upstream support ended 2023-03-31.

Pattern matching

This version marks official support for the pattern matching API in XML::Attr, XML::Document, XML::DocumentFragment, XML::Namespace, XML::Node, and XML::NodeSet (and their subclasses), originally introduced as an experimental feature in v1.14.0. (@flavorjones)

Documentation on what can be matched:

• XML::Attr#deconstruct_keys
• XML::Document#deconstruct_keys
• XML::Namespace#deconstruct_keys
• XML::Node#deconstruct_keys
• XML::DocumentFragment#deconstruct
• XML::NodeSet#deconstruct

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.12.3 from v2.11.6. (@flavorjones)
  • https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.0
  • https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.1
  • https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.2
  • https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.3

Fixed

• CSS nth pseudo-classes now handle spaces, e.g. "2n + 1". [#3018] (@fusion2004)
• [CRuby] libgumbo no longer leaks memory when an incomplete tag is abandoned by the HTML5 parser. [#3036] (@flavorjones)

Removed

• Removed Nokogiri::HTML5.get which was deprecated in v1.12.0. [#2278] (@flavorjones)
• Removed the CSS-to-XPath utility modules XPathVisitorAlwaysUseBuiltins and XPathVisitorOptimallyUseBuiltins, which were deprecated in v1.13.0 in favor of XPathVisitor constructor args. [#2403] (@flavorjones)
• Removed XML::Reader#attribute_nodes which was deprecated in v1.13.8 in favor of #attribute_hash. [#2598, #2599] (@flavorjones)
• [CRuby] Removed the libxml/libxml2_path key from VersionInfo, used in the past for third-party library integration, in favor of the nokogiri/cppflags and nokogiri/ldflags keys. Please note that third-party library integration is not fully supported and may be deprecated soon, see #2746 for more context. [#2143] (@flavorjones)

Thank you!

The following people and organizations were kind enough to sponsor @flavorjones or the Nokogiri project during the development of v1.16.0:

• Götz Görisch @GoetzGoerisch
• Airbnb @airbnb
• Maxime Gauthier @biximilien
• Renuo AG @renuo
• YOSHIDA Katsuhiko @kyoshidajp
• Homebrew @Homebrew
• Hiroshi SHIBATA @hsbt
• @zzak
• Evil Martians @evilmartians
• Ajaya Agrawalla @ajaya
• Modern Treasury @Modern-Treasury
• Danilo Lessa Bernardineli @danlessa
• matt marques @mestre-dos-magos
• Quan Nguyen @qu8n
• Harry Lascelles @hlascelles
• Oleksandr Tyshchenko @altivi
• Prowly @prowlycom
• Better Stack Community @betterstack-community
• Sentry @getsentry
• Codecov @codecov
• Typesense @typesense
• Roy Boivin II @Yabbo
• Frank Groeneveld @frenkel

We'd also like to thank @github who donate a ton of compute time for our CI pipelines!

---

sha256 checksums:

8cd981dfd4bea4f519ceebb885cf3b422b71c059d841c039d327e73b19247f53  nokogiri-1.16.0-aarch64-linux.gem
c68d861155c40777eee3eb4efbb375d665c8c889cebd5cd1ba32f30a8aac6c21  nokogiri-1.16.0-arm-linux.gem
10c08f246085709790ea628b5fa031cf23dadd843e173711b335ba6287b59d0a  nokogiri-1.16.0-arm64-darwin.gem
f76f2dc353993862d07eccfc5561e373e8058d62e265bae9bcf4f4793c35c9e2  nokogiri-1.16.0-java.gem
5c59792f7f5f8a76e17a87b89b9057544853a6f713b692a75b7f8895a854b74f  nokogiri-1.16.0-x64-mingw-ucrt.gem
286950458a58bdf09bb3a800ac16f0aa361aa9a6c9a63bcd71e98e3c34d314a8  nokogiri-1.16.0-x64-mingw32.gem
159107da8a35f1fc22ee5b78d70da9bda4098a3771a29beac3f727cafd5041cb  nokogiri-1.16.0-x86-linux.gem
27d3d96f53b3fa1da9c4d9d69fffadc34abf7350a8e22be61a7483f15f065438  nokogiri-1.16.0-x86-mingw32.gem
237aa89b9ef6b8e014f197167677926ebc4bdb9cafb2b101399d8001fda4fa43  nokogiri-1.16.0-x86_64-darwin.gem
6f55093bb47e75d412138f4b9462f960d3aad96cb6b43dbe9a3de62c2d31a742  nokogiri-1.16.0-x86_64-linux.gem
341388184e975d091e6e38ce3f3b3388bfb7e4ac3d790efd8e39124844040bd1  nokogiri-1.16.0.gem

1.15.6

1.15.6 / 2024-03-16

Note

This security release is a backport to the unsupported v1.15.x branch. Current stable is v1.16.x, which addressed the referenced CVE in v1.16.2 on 2024-02-04.

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2024-25062. See GHSA-xc9x-jj77-9p9j for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.11.7 from v2.11.6. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.7

---

sha256 checksums:

d79f713dffff149d60ab272d206a3ca96db2b891ab6a9f65362bfb78aface37a  gems/nokogiri-1.15.6-aarch64-linux.gem
62b5b7b387ec6c61c1ea5f889b7bc579eedd37f265f7cc1dc392484938549f1a  gems/nokogiri-1.15.6-arm-linux.gem
ba93c63f5c03047778abf16c80676fe67e7eb7d871ab0aaa7e2c2dfe4ec20027  gems/nokogiri-1.15.6-arm64-darwin.gem
d24639a546ba58c86d18da1ed124eaecbd45c5ae4c4dec41751b730a2b732ac3  gems/nokogiri-1.15.6-java.gem
e36887d89ec1b080e4a01dd2ff52650003db01d2a5edf5e6ab19e4c0bdb1385f  gems/nokogiri-1.15.6-x64-mingw-ucrt.gem
852c59a398499c8fcb6478d76396dcd50afa8f8902563b76265cd7dc90a731a1  gems/nokogiri-1.15.6-x64-mingw32.gem
19e0a5fbfa4393353fbcf6801f8f62350b6e16f43c907680c5884896858a23a2  gems/nokogiri-1.15.6-x86-linux.gem
9d464bbbaad6721a5a73181165fda67573f64ef2803c3337f6f733603e9d309a  gems/nokogiri-1.15.6-x86-mingw32.gem
32d045cdb0ce097e4543a5e7a79efd13ff05d904e32f4328732149dbea3c7f15  gems/nokogiri-1.15.6-x86_64-darwin.gem
26a79da0377100d6938ae2f1b115230a8a4a4595e35b89164d8495af32091186  gems/nokogiri-1.15.6-x86_64-linux.gem
70ce799b4b3e23b358501f1da3914f70b1c7a113fb12e96a7d53558481146e08  gems/nokogiri-1.15.6.gem

1.15.5

1.15.5 / 2023-11-17

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.11.6 from v2.11.5. For details please see https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.11.6
• [CRuby] Vendored libxslt is updated to v1.1.39 from v1.1.38. For details please see https://gitlab.gnome.org/GNOME/libxslt/-/releases/v1.1.39

---

sha256 checksums:

6dfa1d9837ddb233e234d56e244560ab1bc545d3d1744478060e18691f44ded7  nokogiri-1.15.5-aarch64-linux.gem
e3ac6608c6e1714bc11ff04e29a43fedf4cac2aea1bd88256cc3b927c06f347f  nokogiri-1.15.5-arm-linux.gem
4d7b15d53c0397d131376a19875aa97dd1c8b404c2c03bd2171f9b77e9592d40  nokogiri-1.15.5-arm64-darwin.gem
5f87e71aaeb4f7479b94698737a0aacea77836b4805c7433b655e9565bd56cfe  nokogiri-1.15.5-java.gem
7612be800909ae51e0a7cfbe1f768757857a9ff0339686814ca67d9bae271ca2  nokogiri-1.15.5-x64-mingw-ucrt.gem
28fd78d98e12005fe017db5ceccb74b2497f30582e6e26a3344200625fe46aae  nokogiri-1.15.5-x64-mingw32.gem
0d1b564d7f148a6766380966bb48b23afa72c72c992c69c71d21acd4a7f5c0e4  nokogiri-1.15.5-x86-linux.gem
d27dbf44c19b83e570e65b660a8a921441d1e8b6063ab1b985b516f78e0a2854  nokogiri-1.15.5-x86-mingw32.gem
10bafa54935f68aebd23235cb0fc7dfb8f6f5e52131379484771247eb3a0cc70  nokogiri-1.15.5-x86_64-darwin.gem
c5d9453cc155dc15f08ac699cc1293fd994ec6cfacec48e67653aa95ee946adf  nokogiri-1.15.5-x86_64-linux.gem
22448ca35dbcbdcec60dbe25ccf452b685a5436c28f21b2fec2e20917aba9100  nokogiri-1.15.5.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ racc (indirect, 1.7.1 → 1.7.3) · Repo · Changelog

Release Notes

1.7.3

What's Changed

• Exclude CRuby extension from JRuby gem by @nobu in #244
• Fix for dummy rake/extensiontask.rb at ruby test-bundled-gems by @nobu in #245
• Fix jar file path by @nobu in #246
• Bump by @nobu in #247
• Add srcs target to prepare to build by @nobu in #248
• Make CI runnable for any push by @yui-knk in #249
• Check rake build on CI by @yui-knk in #250
• Bump up v1.7.3.pre.1 by @yui-knk in #251
• Fix locations of expect param in docs by @yui-knk in #252
• 'lib/racc/parser-text.rb' depends on 'lib/racc/info.rb' by @yui-knk in #253
• Bump up v1.7.3 by @yui-knk in #254

Full Changelog: v1.7.2...v1.7.3

1.7.2

What's Changed

• Update parser.rb, fixed typo by @jwillemsen in #224
• Remove leading newline from on_error exception messages. by @zenspider in #226
• Add --frozen to add frozen_string_literals to top of generated files. by @zenspider in #225
• Update development dependency to avoid ruby 2.5 failures by @flavorjones in #228
• dep: pin development dependencies, and enable dependabot for gems by @flavorjones in #229
• Clean embedded pragmas by @nobu in #230
• Embed grammar file name into generated file by @yui-knk in #231
• Bump actions/checkout from 3 to 4 by @dependabot in #232
• Fix a typo by @yui-knk in #234
• Add "Release flow" to README.rdoc by @yui-knk in #235
• Prepare 1.7.2 by @nobu in #236
• Remove install guide by setup.rb by @yui-knk in #237
• Fix tiny typos by @makenowjust in #238
• Remove old checks by @nobu in #240
• Remove MANIFEST which was used by ancient extmk.rb by @nobu in #242
• Extract Racc::VERSION from racc/info.rb at extconf.rb by @nobu in #241
• Use prototype declarations by @nobu in #243
• Bump up v1.7.2 by @yui-knk in #239

New Contributors

• @makenowjust made their first contribution in #238

Full Changelog: v1.7.1...v1.7.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 67 commits:

• Merge pull request #254 from yui-knk/v1.7.3
• Bump up v1.7.3
• Merge pull request #253 from yui-knk/add_dependency
• 'lib/racc/parser-text.rb' depends on 'lib/racc/info.rb'
• Merge pull request #252 from yui-knk/fix_doc_expect_param
• Fix locations of `expect` param in docs
• Merge pull request #251 from yui-knk/v1.7.3.pre.1
• Bump up v1.7.3.pre.1
• Merge pull request #250 from yui-knk/test_rake_compile_build
• Check `rake build` on CI
• Merge pull request #249 from yui-knk/always_run_ci
• Merge pull request #248 from nobu/srcs
• Make CI runnable for any push
• Add `srcs` target to prepare to build
• Make reproducible
• Merge pull request #247 from nobu/bump
• Update test-unit-ruby-core for ruby 2.5
• Prepare 1.7.3
• Add recipe to update RACC_VERSION in Cparse.java
• Merge pull request #246 from nobu/jruby-extdir
• Fix jar file path
• Merge pull request #245 from nobu/ruby-test
• Fix for dummy rake/extensiontask.rb at ruby test-bundled-gems
• Merge pull request #244 from nobu/cruby-ext
• Exclude CRuby extension from JRuby gem
• Merge pull request #239 from yui-knk/v1.7.2
• Merge pull request #243 from nobu/protoize
• Use prototype declarations
• Bump up v1.7.2
• Merge pull request #241 from nobu/info_version
• Merge pull request #242 from nobu/manifest
• [DOC] Update release flow
• Remove MANIFEST which was used by ancient extmk.rb
• Extract Racc::VERSION from racc/info.rb at extconf.rb
• Merge pull request #240 from nobu/old-checks
• Remove fallback code
• Remove old checks
• Rename CI file since it is not only Ubuntu now [ci skip]
• Merge pull request #238 from makenowjust/typos
• Fix tiny typos
• Merge pull request #237 from yui-knk/remove_install_guide_via_setup_rb
• Remove install guide by setup.rb
• Merge pull request #236 from nobu/bump-up
• Start 1.7.2
• Update `Gem::Specification#files`
• Merge pull request #235 from yui-knk/readme_release-flow
• Add "Release flow" to README.rdoc
• Merge pull request #234 from yui-knk/fix_typo
• Fix a typo
• Merge pull request #232 from ruby/dependabot/github_actions/actions/checkout-4
• Bump actions/checkout from 3 to 4
• Merge pull request #231 from yui-knk/embed_grammar_file_name_into_generated_file
• Embed grammar file name into generated file
• Merge pull request #230 from nobu/embedded-pragmas
• Remove frozen_string_literal pragmas from embedded runtime files
• Stop littering platform-independent directory with platform-dependent bianries
• Merge pull request #229 from ruby/flavorjones-pin-dev-dependencies
• dep: pin development dependencies, and enable dependabot for gems
• Merge pull request #228 from ruby/flavorjones-work-around-rake-compiler-ruby-2.5
• Update development dependency to avoid ruby 2.5 failures
• Merge pull request #225 from zenspider/zenspider/frozen_string_literals
• Merge pull request #226 from zenspider/zenspider/newline
• Remove NEWS files since they've not been updated in quite some time
• Add --frozen to add frozen_string_literals to top of generated files.
• Remove leading newline from on_error exception messages.
• Merge pull request #224 from jwillemsen/patch-4
• Update parser.rb, fixed typo

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)