🚨 [security] Update nokogiri: 1.13.10 → 1.14.3 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ nokogiri (indirect, 1.13.10 → 1.14.3) · Repo · Changelog

Security Advisories 🚨

🚨 Update packaged libxml2 to v2.10.4 to resolve multiple CVEs

Summary

Nokogiri v1.14.3 upgrades the packaged version of its dependency libxml2 to
v2.10.4 from v2.10.3.

libxml2 v2.10.4 addresses the following known vulnerabilities:

• CVE-2023-29469: Hashing of
  empty dict strings isn't deterministic
• CVE-2023-28484: Fix null deref
  in xmlSchemaFixupComplexType
• Schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK

Please note that this advisory only applies to the CRuby implementation of Nokogiri < 1.14.3,
and only if the packaged libraries are being used. If you've overridden defaults at installation
time to use system libraries instead of packaged libraries, you should instead pay attention to
your distro's libxml2 release announcements.

Mitigation

Upgrade to Nokogiri >= 1.14.3.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
and link Nokogiri against external libraries libxml2 >= 2.10.4 which will also address these
same issues.

Impact

No public information has yet been published about the security-related issues other than the
upstream commits. Examination of those changesets indicate that the more serious issues relate to
libxml2 dereferencing NULL pointers and potentially segfaulting while parsing untrusted inputs.

The commits can be examined at:

• [CVE-2023-29469] Hashing of empty dict strings isn't deterministic (09a2dd45)
• [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType (647e072e)
• schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK (4c6922f7)

Release Notes

1.14.2

1.14.2 / 2023-02-13

Fixed

• Calling NodeSet#to_html on an empty node set no longer raises an encoding-related exception. This bug was introduced in v1.14.0 while fixing #2649. [#2784]

---

sha256 checksums:

966acf4f6c1fba10518f86498141cf44265564ac5a65dcc8496b65f8c354f776  nokogiri-1.14.2-aarch64-linux.gem
8a3a35cadae4a800ddc0b967394257343d62196d9d059b54e38cf067981db428  nokogiri-1.14.2-arm-linux.gem
81404cd014ecb597725c3847523c2ee365191a968d0b5f7d857e03f388c57631  nokogiri-1.14.2-arm64-darwin.gem
0a39222af14e75eb0243e8d969345e03b90c0e02b0f33c61f1ebb6ae53538bb5  nokogiri-1.14.2-java.gem
62a18f9213a0ceeaf563d1bc7ccfd93273323c4356ded58a5617c59bc4635bc5  nokogiri-1.14.2-x64-mingw-ucrt.gem
54f6ac2c15a7a88f431bb5e23f4616aa8fc97a92eb63336bcf65b7050f2d3be0  nokogiri-1.14.2-x64-mingw32.gem
c42fa0856f01f901954898e28c3c2b4dce0e843056b1b126f441d06e887e1b77  nokogiri-1.14.2-x86-linux.gem
f940d9c8e47b0f19875465376f2d1c8911bc9489ac9a48c124579819dc4a7f19  nokogiri-1.14.2-x86-mingw32.gem
2508978f5ca28944919973f6300f0a7355fbe72604ab6a6913f1630be1030265  nokogiri-1.14.2-x86_64-darwin.gem
bc6405e1f3ddac6e401f82d775f1c0c24c6e58c371b3fadaca0596d5d511e476  nokogiri-1.14.2-x86_64-linux.gem
c765a74aac6cf430a710bb0b6038b8ee11f177393cd6ae8dadc7a44a6e2658b6  nokogiri-1.14.2.gem

1.14.1

1.14.1 / 2023-01-30

Fixed

• Serializing documents now works again with pseudo-IO objects that don't support IO's encoding API (like rubyzip's Zip::OutputStream). This was a regression in v1.14.0 due to the fix for #752 in #2434, and was not completely fixed by #2753. [#2773]
• [CRuby] Address compiler warnings about void* casting and old-style C function definitions.

---

sha256 checksums:

99594e8b94f576644ac640a223d74c79e840218948e963aa635f0254927bff10  nokogiri-1.14.1-aarch64-linux.gem
1dc9b7821e1fa1f3fda40659662e51a4b3692acc4ee6342ee34a6a537fc1d5d8  nokogiri-1.14.1-arm-linux.gem
1a693df86da8c4c97b01d614470f9c3e10b9c755de8803fbfcfffe0f9dff522a  nokogiri-1.14.1-arm64-darwin.gem
c1f87a8f7bc56028deb2aecbb29e9b318405f7c468b29047aede78b41bc735a2  nokogiri-1.14.1-java.gem
2463a1ae0be5f06a10f3f3b374c2b743bff6280db993d488511a19bb7bc7cb7c  nokogiri-1.14.1-x64-mingw-ucrt.gem
f3a2b0ceedf51d776b39dc759ce191a4df842d7d4f5900c64f33d4753db39877  nokogiri-1.14.1-x64-mingw32.gem
f395d6c28c822b0877cfb0c71781f05243c034b4823359ab25b3288a73b9fc82  nokogiri-1.14.1-x86-linux.gem
be34b32fe74e82bffca5b1f3df8727c8fdc828762b6dddab53a11cd8f8515785  nokogiri-1.14.1-x86-mingw32.gem
9b14091f77086c4f0f09451ba3acd1b5f7e0076fb34fc536682170fa9f1a5074  nokogiri-1.14.1-x86_64-darwin.gem
21d234c51582b292e2e1e02e6c30eea9188894348985d6910aa8e993749c0aff  nokogiri-1.14.1-x86_64-linux.gem
b2db3af7769c29cd77d5f39cd3d0b65ab10975bdecf04be71d683f9c9abe2663  nokogiri-1.14.1.gem

1.14.0

1.14.0 / 2023-01-12

Notable Changes

Ruby

This release introduces native gem support for Ruby 3.2. (Also see "Technical note" under "Changed" below.)

This release ends support for:

• Ruby 2.6, for which upstream support ended 2022-04-12.
• JRuby 9.3, which is not fully compatible with Ruby 2.7+

Faster, more reliable installation: Native Gem for aarch64-linux (aka linux/arm64/v8)

This version of Nokogiri ships official native gem support for the aarch64-linux platform, which should support AWS Graviton and other ARM64 Linux platforms. Please note that glibc >= 2.29 is required for aarch64-linux systems, see Supported Platforms for more information.

Faster, more reliable installation: Native Gem for arm-linux (aka linux/arm/v7)

This version of Nokogiri ships experimental native gem support for the arm-linux platform. Please note that glibc >= 2.29 is required for arm-linux systems, see Supported Platforms for more information.

Pattern matching

This version introduces an experimental pattern matching API for XML::Attr, XML::Document, XML::DocumentFragment, XML::Namespace, XML::Node, and XML::NodeSet (and their subclasses).

Some documentation on what can be matched:

• XML::Attr#deconstruct_keys
• XML::Document#deconstruct_keys
• XML::Namespace#deconstruct_keys
• XML::Node#deconstruct_keys
• XML::DocumentFragment#deconstruct
• XML::NodeSet#deconstruct

We welcome feedback on this API at #2360.

Dependencies

CRuby

• Vendored libiconv is updated to v1.17

JRuby

• This version of Nokogiri uses jar-dependencies to manage most of the vendored Java dependencies. nokogiri -v now outputs maven metadata for all Java dependencies, and Nokogiri::VERSION_INFO also contains this metadata. [#2432]
• HTML parsing is now provided by net.sourceforge.htmlunit:neko-htmlunit:2.61.0 (previously Nokogiri used a fork of org.cyberneko.html:nekohtml)
• Vendored Jing is updated from com.thaiopensource:jing:20091111 to nu.validator:jing:20200702VNU.
• New dependency on net.sf.saxon:Saxon-HE:9.6.0-4 (via nu.validator:jing:20200702VNU).

Added

• Node#wrap and NodeSet#wrap now also accept a Node type argument, which will be duped for each wrapper. For cases where many nodes are being wrapped, creating a Node once using Document#create_element and passing that Node multiple times is significantly faster than re-parsing markup on each call. [#2657]
• [CRuby] Invocation of custom XPath or CSS handler functions may now use the nokogiri namespace prefix. Historically, the JRuby implementation required this namespace but the CRuby implementation did not support it. It's recommended that all XPath and CSS queries use the nokogiri namespace going forward. Invocation without the namespace is planned for deprecation in v1.15.0 and removal in a future release. [#2147]
• HTML5::Document#quirks_mode and HTML5::DocumentFragment#quirks_mode expose the quirks mode used by the parser.

Improved

Functional

• HTML5 parser update to reflect changes to the living specification:
  • Add the <search> element by domenic · whatwg/html
  • Remove parse error for <template><tr></tr> </template> by zcorpan · whatwg/html

Performance

• Serialization of HTML5 documents and fragments has been re-implemented and is ~10x faster than previous versions. [#2596, #2569]
• Parsing of HTML5 documents is ~90% faster thanks to additional compiler optimizations being applied. [#2639]
• Compare Encoding objects rather than compare their names. This is a slight performance improvement and is future-proof. [#2454] (Thanks, @casperisfine!)

Error handling

• Document#canonicalize now raises an exception if inclusive_namespaces is non-nil and the mode is inclusive, i.e. XML_C14N_1_0 or XML_C14N_1_1. inclusive_namespaces can only be passed with exclusive modes, and previously this silently failed.
• Empty CSS selectors now raise a clearer Nokogiri::CSS::SyntaxError message, "empty CSS selector". Previously the exception raised from the bowels of racc was "unexpected '$' after ''". [#2700]
• [CRuby] XML::Reader parsing errors encountered during Reader#attribute_hash and Reader#namespaces now raise an XML::SyntaxError. Previously these methods would return nil and users would generally experience NoMethodErrors from elsewhere in the code.
• Prefer ruby_xmalloc to malloc within the C extension. [#2480] (Thanks, @Garfield96!)

Installation

• Avoid compile-time conflict with system-installed gumbo.h on OpenBSD. [#2464]
• Remove calls to vasprintf in favor of platform-independent rb_vsprintf
• Installation from source on systems missing libiconv will once again generate a helpful error message (broken since v1.11.0). [#2505]
• [CRuby+OSX] Compiling from source on MacOS will use the clang option -Wno-unknown-warning-option to avoid errors when Ruby injects options that clang doesn't know about. [#2689]

Fixed

• SAX::Parser's encoding attribute will not be clobbered when an alternative encoding is passed into SAX::Parser#parse_io. [#1942] (Thanks, @kp666!)
• Serialized HTML4::DocumentFragment will now be properly encoded. Previously this empty string was encoded as US-ASCII. [#2649]
• Node#wrap now uses the parent as the context node for parsing wrapper markup, falling back to the document for unparented nodes. Previously the document was always used.
• [CRuby] UTF-16-encoded documents longer than ~4000 code points now serialize properly. Previously the serialized document was corrupted when it exceeded the length of libxml2's internal string buffer. [#752]
• [CRuby] The HTML5 parser now correctly handles text at the end of form elements.
• [CRuby] HTML5::Document#fragment now always uses body as the parsing context. Previously, fragments were parsed in the context of the associated document's root node, which allowed for inconsistent parsing. [#2553]
• [CRuby] Nokogiri::HTML5::Document#url now correctly returns the URL passed to the constructor method. Previously it always returned nil. [#2583]
• [CRuby] HTML5 encoding detection is now case-insensitive with respect to meta tag charset declaration. [#2693]
• [CRuby] HTML5 fragment parsing in context of an annotation-xml node now works. Previously this rarely-used path invoked rb_funcall with incorrect parameters, resulting in an exception, a fatal error, or potentially a segfault. [#2692]
• [CRuby] HTML5 quirks mode during fragment parsing more closely matches document parsing. [#2646]
• [JRuby] Fixed a bug with adding the same namespace to multiple nodes via #add_namespace_definition. [#1247]
• [JRuby] NodeSet#[] now raises a TypeError if passed an invalid parameter type. [#2211]

Deprecated

• Nokogiri.install_default_aliases is deprecated in favor of Nokogiri::EncodingHandler.install_default_aliases. This is part of a private API and is probably not called by anybody, but we'll go through a deprecation cycle before removal anyway. [#2643, #2446]

Changed

• [CRuby+OSX] Technical note: On MacOS Ruby 3.2, the symbols from libxml2 and libxslt are no longer exported. Ruby 3.2 adopted new features from the Darwin toolchain that make it challenging to continue to support this rarely-used binary API. A future minor release of Nokogiri may remove these symbols (and others) entirely. Feedback from downstream gem maintainers is welcome at #2746, where you'll also be able to read deeper context on this decision.

Thank you!

The following people and organizations were kind enough to sponsor @flavorjones or the Nokogiri project during the development of v1.14.0:

• Götz Görisch @GoetzGoerisch
• Airbnb @airbnb
• Kyohei Nanba @kyo-nanba
• Maxime Gauthier @biximilien
• @renuo
• @dbootyfvrt
• YOSHIDA Katsuhiko @kyoshidajp
• Homebrew @Homebrew
• David Vrensk @dvrensk
• Alex Daragiu @daragiu
• Github @github
• Julian Joseph @Julian88Tex
• Charles Simon-Meunier @csimonmeunier
• Ben Slaughter @benSlaughter
• Garen Torikian @gjtorikian
• Frank Groeneveld @frenkel
• Hiroshi SHIBATA @hsbt

---

sha256 checksums:

c87564f5f8fbfb72fbcb7ed9781f6472ceabe2f288ede6b9c37071dc32320ba6  nokogiri-1.14.0-aarch64-linux.gem
33617e8a94993b8130a50bd59d6141a8d4d2aa4d4053f5c7874c71608e6e6dcc  nokogiri-1.14.0-arm-linux.gem
5c0cd4eeb8501526e7e2aaba93b60ebf3dda37bfda665691196d4e9bb87adb1a  nokogiri-1.14.0-arm64-darwin.gem
772936bf635b33b99bc89828de8e7077de47009638fe5ff11795f8b1d578465c  nokogiri-1.14.0-java.gem
ee11c092b2cf2b137e71f623746162c578b53483dccf4c6209c80f5ba47927fe  nokogiri-1.14.0-x64-mingw-ucrt.gem
9b91eede6155eb8891d7d95d8087d514f3007dd19813982104ed77452a2a7ace  nokogiri-1.14.0-x64-mingw32.gem
649019d961b0ea8aee1bc8aa2573ab8ffb77d3f5e9c333aa2462a79fc56745fc  nokogiri-1.14.0-x86-linux.gem
40985fc46315ea3d33ed900a649c0bb77484035ea882b7c9e55aef436b1958a8  nokogiri-1.14.0-x86-mingw32.gem
5d328c0d0c5f6f37a26c75b0282f9014c9686d4c10578ec8dfbbfcbea7da8b95  nokogiri-1.14.0-x86_64-darwin.gem
faa88b2bca46adaa3420c6e27eb8eb71f5b8d9f454ed7488a194a00c5ef52fbe  nokogiri-1.14.0-x86_64-linux.gem
55ca6e87ae85e944a5901dd5a6cacbb961eaaf8b8dd3901b57475665396914bb  nokogiri-1.14.0.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ mini_portile2 (indirect, 2.8.0 → 2.8.1) · Repo · Changelog

Release Notes

2.8.1

2.8.1 / 2022-12-24

Fixed

• Support applying patches via git apply even when the working directory resembles a git directory. [#119] (Thanks, @h0tw1r3!)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 7 commits:

• version bump to v2.8.1
• Merge pull request #122 from flavorjones/119-improve-patching
• fix: handle patching in dirs that resemble an actual git dir
• Merge pull request #121 from flavorjones/flavorjones-exercise-patching-in-examples
• test: `rake test:examples` now exercises patching
• Merge pull request #117 from flavorjones/flavorjones-loosen-bundler-dependency
• dep(dev): loosen bundler dependency

↗️ racc (indirect, 1.6.1 → 1.6.2) · Repo · Changelog

Release Notes

1.6.2

What's Changed

• Fixed typo in racc.en.rhtml by @jwillemsen in #200
• Removed old Id tag by @jwillemsen in #204
• Removed old originalId in comment by @jwillemsen in #203
• Adjust Racc parser version with gem version. by @hsbt in #205

Full Changelog: v1.6.1...v1.6.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:

• Bump version to 1.6.2
• Merge pull request #205 from ruby/racc-version
• Removed Original ID constant from Java impl
• Bump up Racc parser version
• Always issue deprecation warning when calling Regexp.new with 3rd positional argument
• Merge pull request #203 from jwillemsen/patch-3
• Merge pull request #204 from jwillemsen/patch-4
• Removed old Id tag
• Removed old originalId in comment
• Merge pull request #200 from jwillemsen/patch-3
• Fixed typo in racc.en.rhtml

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #118.