Nokogiri v1.13.9 Release Notes

Release Date: 2022-10-18 // 4 months ago
  • ๐Ÿ”’ Security

    • โšก๏ธ [CRuby] Vendored libxml2 is updated to address CVE-2022-2309, CVE-2022-40304, and CVE-2022-40303. See GHSA-2qc6-mcvw-92cw for more information.
    • โšก๏ธ [CRuby] Vendored zlib is updated to address CVE-2022-37434. Nokogiri was not affected by this vulnerability, but this version of zlib was being flagged up by some vulnerability scanners, see #2626 for more information.

    Dependencies

    • ๐Ÿš€ [CRuby] Vendored libxml2 is updated to v2.10.3 from v2.9.14.
    • ๐Ÿš€ [CRuby] Vendored libxslt is updated to v1.1.37 from v1.1.35.
    • ๐Ÿš€ [CRuby] Vendored zlib is updated from 1.2.12 to 1.2.13. (See LICENSE-DEPENDENCIES.md for details on which packages redistribute this library.)

    ๐Ÿ›  Fixed

    • โšก๏ธ [CRuby] Nokogiri::XML::Namespace objects, when compacted, update their internal struct's reference to the Ruby object wrapper. Previously, with GC compaction enabled, a segmentation fault was possible after compaction was triggered. [#2658] (Thanks, @eightbitraptor and @peterzhu2118!)
    • ๐Ÿšš [CRuby] Document#remove_namespaces! now defers freeing the underlying xmlNs struct until the Document is GCed. Previously, maintaining a reference to a Namespace object that was removed in this way could lead to a segfault. [#2658]

Previous changes from v1.13.8

  • ๐Ÿ—„ Deprecated

    • ๐Ÿšš XML::Reader#attribute_nodes is deprecated due to incompatibility between libxml2's xmlReader memory semantics and Ruby's garbage collector. Although this method continues to exist for backwards compatibility, it is unsafe to call and may segfault. This method will be removed in a future version of Nokogiri, and callers should use #attribute_hash instead. [#2598]

    ๐Ÿ‘Œ Improvements

    • XML::Reader#attribute_hash is a new method to safely retrieve the attributes of a node from XML::Reader. [#2598, #2599]

    ๐Ÿ›  Fixed

    • ๐Ÿ’Ž [CRuby] Calling XML::Reader#attributes is now safe to call. In Nokogiri <= 1.13.7 this method may segfault. [#2598, #2599]