Update nokogiri: 1.13.6 → 1.13.9 (patch)

[depfu]

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ nokogiri (1.13.6 → 1.13.9) · Repo · Changelog

Release Notes

1.13.9

1.13.9 / 2022-10-18

Security

• [CRuby] Vendored libxml2 is updated to address CVE-2022-2309, CVE-2022-40304, and CVE-2022-40303. See GHSA-2qc6-mcvw-92cw for more information.
• [CRuby] Vendored zlib is updated to address CVE-2022-37434. Nokogiri was not affected by this vulnerability, but this version of zlib was being flagged up by some vulnerability scanners, see #2626 for more information.

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.10.3 from v2.9.14.
• [CRuby] Vendored libxslt is updated to v1.1.37 from v1.1.35.
• [CRuby] Vendored zlib is updated from 1.2.12 to 1.2.13. (See LICENSE-DEPENDENCIES.md for details on which packages redistribute this library.)

Fixed

• [CRuby] Nokogiri::XML::Namespace objects, when compacted, update their internal struct's reference to the Ruby object wrapper. Previously, with GC compaction enabled, a segmentation fault was possible after compaction was triggered. [#2658] (Thanks, @eightbitraptor and @peterzhu2118!)
• [CRuby] Document#remove_namespaces! now defers freeing the underlying xmlNs struct until the Document is GCed. Previously, maintaining a reference to a Namespace object that was removed in this way could lead to a segfault. [#2658]

---

sha256 checksums:

9b69829561d30c4461ea803baeaf3460e8b145cff7a26ce397119577a4083a02  nokogiri-1.13.9-aarch64-linux.gem
e76ebb4b7b2e02c72b2d1541289f8b0679fb5984867cf199d89b8ef485764956  nokogiri-1.13.9-arm64-darwin.gem
15bae7d08bddeaa898d8e3f558723300137c26a2dc2632a1f89c8574c4467165  nokogiri-1.13.9-java.gem
f6a1dbc7229184357f3129503530af73cc59ceba4932c700a458a561edbe04b9  nokogiri-1.13.9-x64-mingw-ucrt.gem
36d935d799baa4dc488024f71881ff0bc8b172cecdfc54781169c40ec02cbdb3  nokogiri-1.13.9-x64-mingw32.gem
ebaf82aa9a11b8fafb67873d19ee48efb565040f04c898cdce8ca0cd53ff1a12  nokogiri-1.13.9-x86-linux.gem
11789a2a11b28bc028ee111f23311461104d8c4468d5b901ab7536b282504154  nokogiri-1.13.9-x86-mingw32.gem
01830e1646803ff91c0fe94bc768ff40082c6de8cfa563dafd01b3f7d5f9d795  nokogiri-1.13.9-x86_64-darwin.gem
8e93b8adec22958013799c8690d81c2cdf8a90b6f6e8150ab22e11895844d781  nokogiri-1.13.9-x86_64-linux.gem
96f37c1baf0234d3ae54c2c89aef7220d4a8a1b03d2675ff7723565b0a095531  nokogiri-1.13.9.gem

1.13.8

1.13.8 / 2022-07-23

Deprecated

• XML::Reader#attribute_nodes is deprecated due to incompatibility between libxml2's xmlReader memory semantics and Ruby's garbage collector. Although this method continues to exist for backwards compatibility, it is unsafe to call and may segfault. This method will be removed in a future version of Nokogiri, and callers should use #attribute_hash instead. [#2598]

Improvements

• XML::Reader#attribute_hash is a new method to safely retrieve the attributes of a node from XML::Reader. [#2598, #2599]

Fixed

• [CRuby] Calling XML::Reader#attributes is now safe to call. In Nokogiri <= 1.13.7 this method may segfault. [#2598, #2599]

---

sha256 checksums:

d6b2c45a57738f12fe27783939fe1394e7049246288c7770d3b1fee7f49432a6  nokogiri-1.13.8-aarch64-linux.gem
00217e48a6995e81dd83014325c0ea0b015023a8922c7bdb2ef1416aa87c1f43  nokogiri-1.13.8-arm64-darwin.gem
9d04c616900e2b5118e501436ebb9bc48520d08f3695d012a314006e28082f72  nokogiri-1.13.8-java.gem
98f7dac7583f07a84ec3fcc01dc03a66fce10f412cd363fce7de749acdb2a42d  nokogiri-1.13.8-x64-mingw-ucrt.gem
117a71b37f2e1d774a9f031d393e72d5d04b92af8036e0c1a8dd509c247b2013  nokogiri-1.13.8-x64-mingw32.gem
6d04342456edfb8fbc041d0c2cf5a59baaa7aacdda414b2333100b02f85d441d  nokogiri-1.13.8-x86-linux.gem
0529d558b4280a55bc7af500d3d4d590b7c059c814a0cea52e4e18cb30c25d15  nokogiri-1.13.8-x86-mingw32.gem
8966d79e687b271df87a4b240456597c43cd98584e3f783fc35de4f066486421  nokogiri-1.13.8-x86_64-darwin.gem
344f1bc66feac787e5b2053c6e9095d1f33605083e58ddf2b8d4eef257bccc5f  nokogiri-1.13.8-x86_64-linux.gem
79c279298b2f22fd4e760f49990c7930436bac1b1cfeff7bacff192f30edea3c  nokogiri-1.13.8.gem

1.13.7

1.13.7 / 2022-07-12

Fixed

XML::Node objects, when compacted, update their internal struct's reference to the Ruby object wrapper. Previously, with GC compaction enabled, a segmentation fault was possible after compaction was triggered. [#2578] (Thanks, @eightbitraptor!)

---

sha256 checksums:

16facd06367325b75bba1575ee87ee4c695e017ab7d447106ed2c00d6211db43  nokogiri-1.13.7-aarch64-linux.gem
69a1705a1f2be838bd0a778c1ff04ea58f847a41c3b5159de012617abba53f86  nokogiri-1.13.7-arm64-darwin.gem
6f26c7ed388406541ddc10cf7ea670cebe8f08a37e69be60503687374f835e1a  nokogiri-1.13.7-java.gem
3952cb78db8d107942ec7f3096d417f4d5d77bf44ae812c488bc49269d1dde6a  nokogiri-1.13.7-x64-mingw-ucrt.gem
e836c387eae9c6c93d4870db0d50e4d9505edd28100eef80c38a70d4481c09ed  nokogiri-1.13.7-x64-mingw32.gem
194484866cd0d100ee6e207a69611a63ece9e0cf305e42d449f244526e102f63  nokogiri-1.13.7-x86-linux.gem
f75903e7a1fbb896b8bd6e4ed895a0fc1760e7334b9c7faf2593f491907a9e26  nokogiri-1.13.7-x86-mingw32.gem
d41b8c9f609b3eecb129da52b9605bc833e464b9b9132c29a0c2115e5ea0ab57  nokogiri-1.13.7-x86_64-darwin.gem
dcb36fd4e75782e7b1b3315f464a0942b230497cd21d296a24d90b0d3620a9d0  nokogiri-1.13.7-x86_64-linux.gem
6ca1d753334418e749beb9bb69515a906451c9abfb9a5b060a36650419b61052  nokogiri-1.13.7.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 40 commits:

• version bump to v1.13.9
• doc: update CHANGELOG
• Merge pull request #2671 from sparklemotion/flavorjones-update-zlib-1.2.13_v1.13.x
• ext: hack to cross-compile zlib v1.2.13 on darwin
• dep: update zlib to v1.2.13
• doc: update CHANGELOG
• Merge pull request #2668 from sparklemotion/flavorjones-namespace-scopes-compaction_v1.13.x
• fix: Document#remove_namespaces! use-after-free bug
• fix: namespace nodes behave properly when compacted
• test: repro namespace_scopes compaction issue
• Merge pull request #2667 from sparklemotion/flavorjones-update-libxml2-2.10.3_backport-v1.13.x
• doc: update CHANGELOG.md
• style(rubocop): Minitest/AssertRaisesCompoundBody
• dep: update libxml2 to v2.10.3
• dep: update libxslt to v1.1.37
• dep: update libxml2 to v2.10.2
• dep: update libxml2 to v2.10.1
• ext(win): work around libxslt 1.1.36 symbol exporting
• dep: update libxslt to v1.1.36
• dep: update libxml2 to v2.10.0
• ci: upstream libxml2 fixed conditional html comments
• version bump to v1.13.8
• Merge pull request #2602 from sparklemotion/flavorjones-fix-reader-node-gc_backport-v1.13.x
• deprecate: Reader#attribute_nodes
• dev: introduce NOKO_WARN_DEPRECATION macro
• feat: Reader#attribute_hash
• ci: add creek to the downstream pipeline
• ci: import the downstream pipeline from main
• ci: update vmactions/freebsd-vm job config
• version bump to v1.13.7
• doc: update CHANGELOG
• dep: lock rubocop and rubocop-shopify
• Merge pull request #2588 from sparklemotion/fix-compaction-on-nodes_backport-to-v1.13.x
• dep: lock rake-compiler-dock to 1.2.2
• test: add memcheck suppressions
• Only add compaction callback on Rubies that support it
• Only check compaction on platforms that support it
• Add compaction callback to nodes
• Add a "node unwrap" macro and use it
• Always set a mark function on the node wrapper

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #270.