Commit 0908204
build(deps-dev): bump nokogiri from 1.19.3 to 1.19.4 (#257)
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.19.3
to 1.19.4.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/sparklemotion/nokogiri/releases">nokogiri's
releases</a>.</em></p>
<blockquote>
<h2>v1.19.4 / 2026-06-18</h2>
<h3>Security</h3>
<ul>
<li>[CRuby] (Low) Fixed a possible invalid memory read when
<code>XML::Node#initialize_copy_with_args</code> is called with an
argument that is not a <code>Node</code>. See <a
href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-g9g8-vgvw-g3vf">GHSA-g9g8-vgvw-g3vf</a>
for more information.</li>
<li>[CRuby] (Low) Fixed a possible use-after-free when an
<code>XML::XPathContext</code> is used after its source document has
been garbage collected. See <a
href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-p67v-3w7g-wjg7">GHSA-p67v-3w7g-wjg7</a>
for more information.</li>
<li>[CRuby] (Low) Fixed a possible use-after-free during XInclude
processing via <code>Node#do_xinclude</code>. See <a
href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wfpw-mmfh-qq69">GHSA-wfpw-mmfh-qq69</a>
for more information.</li>
<li>[CRuby] (Low) Fixed a possible use-after-free when
<code>Document#root=</code> is assigned a non-element node. See <a
href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wjv4-x9w8-wm3h">GHSA-wjv4-x9w8-wm3h</a>
for more information.</li>
<li>[CRuby] (Low) Fixed a possible use-after-free when setting an
attribute value via <code>XML::Attr#value=</code> or
<code>#content=</code>. See <a
href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-phwj-rprq-35pp">GHSA-phwj-rprq-35pp</a>
for more information.</li>
<li>[CRuby] (Low) Fixed a null pointer dereference when methods are
called on uninitialized wrapper objects (e.g. via
<code>allocate</code>); these now raise instead of crashing the process.
See <a
href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-9cv2-cfxc-v4v2">GHSA-9cv2-cfxc-v4v2</a>
for more information.</li>
<li>[CRuby] (Low) Fixed a possible use-after-free when
<code>Document#encoding=</code> raises an exception. See <a
href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5v8h-3h3q-446p">GHSA-5v8h-3h3q-446p</a>
for more information.</li>
<li>[CRuby] (Medium) Fixed an out-of-bounds read in
<code>XML::NodeSet#[]</code> (alias <code>#slice</code>) when given a
large negative index. See <a
href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5prr-v3j2-97mh">GHSA-5prr-v3j2-97mh</a>
for more information.</li>
<li>[JRuby] (Low) <code>XML::Schema</code> now enforces the
<code>NONET</code> parse option, which Nokogiri enables by default. It
was not enforced on JRuby, so a schema parsed with default options could
still fetch external resources over the network, potentially enabling
SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See
<a
href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-8678-w3jw-xfc2">GHSA-8678-w3jw-xfc2</a>
for more information.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/sparklemotion/nokogiri/commit/8cfb9daae9ee4a0837508eab43c40fbc8c4138c9"><code>8cfb9da</code></a>
version bump to v1.19.4</li>
<li><a
href="https://github.com/sparklemotion/nokogiri/commit/a856d1e46bda04ef47a0bd2b9eefe86df1eb0bb2"><code>a856d1e</code></a>
fix: JRuby NONET bypass in XML::Schema (v1.19.x) (<a
href="https://redirect.github.com/sparklemotion/nokogiri/issues/3639">#3639</a>)</li>
<li><a
href="https://github.com/sparklemotion/nokogiri/commit/6a0aa1e7042ea58e10db713d4984c692a8db1a30"><code>6a0aa1e</code></a>
fix(CRuby): use-after-free in Document#encoding= when setter raises
(v1.19.x)...</li>
<li><a
href="https://github.com/sparklemotion/nokogiri/commit/f658a54ab2df58a3525967c339edce9649c197d4"><code>f658a54</code></a>
fix: JRuby NONET bypass in XML::Schema</li>
<li><a
href="https://github.com/sparklemotion/nokogiri/commit/39d26fea52cda8ac15313561824fd0bc018818aa"><code>39d26fe</code></a>
fix(CRuby): use-after-free in Document#encoding= when setter raises</li>
<li><a
href="https://github.com/sparklemotion/nokogiri/commit/04a09ddd67a4b573eb5c634655c2fb857e0436ad"><code>04a09dd</code></a>
fix(CRuby): out-of-bounds read in NodeSet#[] with large negative index
(v1.19...</li>
<li><a
href="https://github.com/sparklemotion/nokogiri/commit/7799fbd325f9f5e10fcccc77daaa903949a9d545"><code>7799fbd</code></a>
fix: avoid NPE on uninitialized XML::Node structs (v1.19.x) (<a
href="https://redirect.github.com/sparklemotion/nokogiri/issues/3645">#3645</a>)</li>
<li><a
href="https://github.com/sparklemotion/nokogiri/commit/ef19e1329c39f885e980b301f33fb233f3431d14"><code>ef19e13</code></a>
fix(CRuby): avoid UAF in XML::Attr#value= (v1.19.x) (<a
href="https://redirect.github.com/sparklemotion/nokogiri/issues/3644">#3644</a>)</li>
<li><a
href="https://github.com/sparklemotion/nokogiri/commit/5524fa97868ae26dfd74d700aba256b117262267"><code>5524fa9</code></a>
fix: <code>Document#root=</code> rejects non-element nodes (v1.19.x) (<a
href="https://redirect.github.com/sparklemotion/nokogiri/issues/3643">#3643</a>)</li>
<li><a
href="https://github.com/sparklemotion/nokogiri/commit/9891ad1092a265ae1cef220c377ebbabc9fde622"><code>9891ad1</code></a>
fix(CRuby): use-after-free in XPathContext document lifetime (v1.19.x)
(<a
href="https://redirect.github.com/sparklemotion/nokogiri/issues/3641">#3641</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/sparklemotion/nokogiri/compare/v1.19.3...v1.19.4">compare
view</a></li>
</ul>
</details>
1 file changed
Lines changed: 3 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
48 | 48 | | |
49 | 49 | | |
50 | 50 | | |
51 | | - | |
| 51 | + | |
52 | 52 | | |
53 | | - | |
| 53 | + | |
54 | 54 | | |
55 | | - | |
| 55 | + | |
56 | 56 | | |
57 | 57 | | |
58 | 58 | | |
| |||