Nokogiri v1.13.9 Release Notes
Release Date: 2022-10-18 // 12 months ago-
๐ Security
- โก๏ธ [CRuby] Vendored libxml2 is updated to address CVE-2022-2309, CVE-2022-40304, and CVE-2022-40303. See GHSA-2qc6-mcvw-92cw for more information.
- โก๏ธ [CRuby] Vendored zlib is updated to address CVE-2022-37434. Nokogiri was not affected by this vulnerability, but this version of zlib was being flagged up by some vulnerability scanners, see #2626 for more information.
Dependencies
- ๐ [CRuby] Vendored libxml2 is updated to v2.10.3 from v2.9.14.
- ๐ [CRuby] Vendored libxslt is updated to v1.1.37 from v1.1.35.
- ๐ [CRuby] Vendored zlib is updated from 1.2.12 to 1.2.13. (See LICENSE-DEPENDENCIES.md for details on which packages redistribute this library.)
๐ Fixed
- โก๏ธ [CRuby]
Nokogiri::XML::Namespace
objects, when compacted, update their internal struct's reference to the Ruby object wrapper. Previously, with GC compaction enabled, a segmentation fault was possible after compaction was triggered. [#2658] (Thanks, @eightbitraptor and @peterzhu2118!) - ๐ [CRuby]
Document#remove_namespaces!
now defers freeing the underlyingxmlNs
struct until theDocument
is GCed. Previously, maintaining a reference to aNamespace
object that was removed in this way could lead to a segfault. [#2658]
Previous changes from v1.13.8
-
๐ Deprecated
- ๐
XML::Reader#attribute_nodes
is deprecated due to incompatibility between libxml2'sxmlReader
memory semantics and Ruby's garbage collector. Although this method continues to exist for backwards compatibility, it is unsafe to call and may segfault. This method will be removed in a future version of Nokogiri, and callers should use#attribute_hash
instead. [#2598]
๐ Improvements
XML::Reader#attribute_hash
is a new method to safely retrieve the attributes of a node fromXML::Reader
. [#2598, #2599]
๐ Fixed
- ๐