Nokogiri v1.13.9 Release Notes
Release Date: 2022-10-18 // 12 months ago-
๐ Security
- โก๏ธ [CRuby] Vendored libxml2 is updated to address CVE-2022-2309, CVE-2022-40304, and CVE-2022-40303. See GHSA-2qc6-mcvw-92cw for more information.
- โก๏ธ [CRuby] Vendored zlib is updated to address CVE-2022-37434. Nokogiri was not affected by this vulnerability, but this version of zlib was being flagged up by some vulnerability scanners, see #2626 for more information.
Dependencies
- ๐ [CRuby] Vendored libxml2 is updated to v2.10.3 from v2.9.14.
- ๐ [CRuby] Vendored libxslt is updated to v1.1.37 from v1.1.35.
- ๐ [CRuby] Vendored zlib is updated from 1.2.12 to 1.2.13. (See LICENSE-DEPENDENCIES.md for details on which packages redistribute this library.)
๐ Fixed
- โก๏ธ [CRuby]
Nokogiri::XML::Namespaceobjects, when compacted, update their internal struct's reference to the Ruby object wrapper. Previously, with GC compaction enabled, a segmentation fault was possible after compaction was triggered. [#2658] (Thanks, @eightbitraptor and @peterzhu2118!) - ๐ [CRuby]
Document#remove_namespaces!now defers freeing the underlyingxmlNsstruct until theDocumentis GCed. Previously, maintaining a reference to aNamespaceobject that was removed in this way could lead to a segfault. [#2658]
Previous changes from v1.13.8
-
๐ Deprecated
- ๐
XML::Reader#attribute_nodesis deprecated due to incompatibility between libxml2'sxmlReadermemory semantics and Ruby's garbage collector. Although this method continues to exist for backwards compatibility, it is unsafe to call and may segfault. This method will be removed in a future version of Nokogiri, and callers should use#attribute_hashinstead. [#2598]
๐ Improvements
XML::Reader#attribute_hashis a new method to safely retrieve the attributes of a node fromXML::Reader. [#2598, #2599]
๐ Fixed
- ๐