Skip to content

Bump nokogiri from 1.19.3 to 1.19.4#116

Merged
whitby3001 merged 1 commit into
masterfrom
dependabot/bundler/nokogiri-1.19.4
Jun 29, 2026
Merged

Bump nokogiri from 1.19.3 to 1.19.4#116
whitby3001 merged 1 commit into
masterfrom
dependabot/bundler/nokogiri-1.19.4

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor

Bumps nokogiri from 1.19.3 to 1.19.4.

Release notes

Sourced from nokogiri's releases.

v1.19.4 / 2026-06-18

Security

  • [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
  • [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
  • [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
  • [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.
1269fb644a6de405057a53dd5c762b1209b43ca7424f839454d3dbc677c31a8f  nokogiri-1.19.4-aarch64-linux-gnu.gem
35c65b9ce72b3bb03207bdbe7067915019dc18c1b9b59139684bd6690fdd01af  nokogiri-1.19.4-aarch64-linux-musl.gem
a301313e38bb065d68239e79734bcd6f56fb6efaacebde29e9abf2a4735340ca  nokogiri-1.19.4-arm-linux-gnu.gem
588923c101bcfa78869734d247d25b598674323e7f22474fc468f6e5647311eb  nokogiri-1.19.4-arm-linux-musl.gem
a46db9853286e6597b36ebc6953817d15acf3a299583eb3f89fdc6f91dd63527  nokogiri-1.19.4-arm64-darwin.gem
ce04b9e268c9626852231a48b49128ed52034f1ccb39484a6da3875491cd709e  nokogiri-1.19.4-java.gem
051da97b8eccfdb5444fed40246a35e10d7298b9efe759b4cd25455ea04c587e  nokogiri-1.19.4-x64-mingw-ucrt.gem
7fd17057d3e1f00e9954a74b3cd76595d3d4a5ef233b7ed9599047c204f70551  nokogiri-1.19.4-x86_64-darwin.gem
379fae440b28915e3f19d752ce2dcf8465ed2b2fbefd2a7ca0dd497bc981a06a  nokogiri-1.19.4-x86_64-linux-gnu.gem
17dfb7c1fa194ae02fbf7c51a7afc8d278045ab3fdacfd86f91d02d7b274470b  nokogiri-1.19.4-x86_64-linux-musl.gem
50c951611c92bca05c51411aef45f1cbc50f2821c4802758c5c6d34696533ab5  nokogiri-1.19.4.gem
Changelog

Sourced from nokogiri's changelog.

v1.19.4 / 2026-06-18

Security

  • [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
  • [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
  • [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
  • [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.
Commits
  • 8cfb9da version bump to v1.19.4
  • a856d1e fix: JRuby NONET bypass in XML::Schema (v1.19.x) (#3639)
  • 6a0aa1e fix(CRuby): use-after-free in Document#encoding= when setter raises (v1.19.x)...
  • f658a54 fix: JRuby NONET bypass in XML::Schema
  • 39d26fe fix(CRuby): use-after-free in Document#encoding= when setter raises
  • 04a09dd fix(CRuby): out-of-bounds read in NodeSet#[] with large negative index (v1.19...
  • 7799fbd fix: avoid NPE on uninitialized XML::Node structs (v1.19.x) (#3645)
  • ef19e13 fix(CRuby): avoid UAF in XML::Attr#value= (v1.19.x) (#3644)
  • 5524fa9 fix: Document#root= rejects non-element nodes (v1.19.x) (#3643)
  • 9891ad1 fix(CRuby): use-after-free in XPathContext document lifetime (v1.19.x) (#3641)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump nokogiri from 1.19.3 to 1.19.4
44bb872 
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.19.3 to 1.19.4.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.19.3...v1.19.4)

---
updated-dependencies:
- dependency-name: nokogiri
  dependency-version: 1.19.4
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 23, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 23, 2026 15:56
@dependabot dependabot Bot added ruby Pull requests that update ruby code dependencies Pull requests that update a dependency file labels Jun 23, 2026
@whitby3001

whitby3001 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Copilot summary:

Review summary

I checked the nokogiri bump from 1.19.3 → 1.19.4 against both:

  • the upstream changelog / release notes
  • the actual upstream code changes in sparklemotion/nokogiri

and compared that with how hermod uses Nokogiri.

What changed upstream

1.19.4 is a security-focused patch release. The upstream diff is almost entirely fixes for memory-safety and parser-safety issues, including:

  • XML::Node#initialize_copy_with_args type checking
  • XML::XPathContext document lifetime fix
  • Node#do_xinclude use-after-free fix
  • Document#root= rejecting non-element nodes
  • XML::Attr#value= use-after-free fix
  • uninitialized wrapper object guards
  • Document#encoding= safety fix
  • XML::NodeSet#[] / #slice large negative index fix
  • JRuby-only XML::Schema NONET enforcement fix

There are no broad API changes or normal feature changes in the release — this is essentially a patch/security release.

How this repo uses Nokogiri

In hermod, Nokogiri appears to be used only in test/support code, not as a runtime dependency:

  • hermod.gemspec declares nokogiri as a development dependency: ~> 1.16
  • the PR only updates Gemfile.lock
  • usage in spec/minitest_helper.rb is limited to:
    • Nokogiri.XML(...)
    • remove_namespaces!
    • css(...)
    • reading node contents / attributes

This is a very small, conventional surface area and does not overlap with the upstream areas changed in 1.19.4 (XInclude, XPathContext lifetime edge cases, Document#root=, low-level attr mutation internals, large negative NodeSet indexing, JRuby schema NONET behavior, etc.).

Compatibility assessment

I don’t see any compatibility risk for this repo:

  • the dependency constraint already allows this version (~> 1.16)
  • the PR changes only the lockfile
  • hermod’s Nokogiri usage is narrow and test-only
  • none of the changed upstream code paths appear to be relied on here
  • no behavioral change is expected for the way these specs parse and inspect XML

Risk notes

Only minor caveats:

  • if this repo runs tests on JRuby, 1.19.4 does tighten XML::Schema NONET behavior — but I found no evidence this repo uses Nokogiri schema parsing at all
  • if there were hidden tests depending on obscure buggy behavior in low-level Nokogiri internals, that could surface, but nothing in this codebase suggests that

Recommendation

Safe to merge.

This looks like a straightforward security patch upgrade with very low compatibility risk for hermod, and it improves the security posture of the development/test dependency without affecting runtime gem behavior.

whitby3001
whitby3001 approved these changes Jun 29, 2026
View reviewed changes

@whitby3001 whitby3001 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor security version upgrade, so looks safe to merge.

@whitby3001 whitby3001 merged commit 7bc0bf9 into master Jun 29, 2026
2 checks passed
@whitby3001 whitby3001 deleted the dependabot/bundler/nokogiri-1.19.4 branch June 29, 2026 14:34
@sonarqubecloud

sonarqubecloud Bot commented Jun 29, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@whitby3001 whitby3001 whitby3001 approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@whitby3001