Releases: sparklemotion/nokogiri
1.10.8 / 2020-02-10
1.10.8 / 2020-02-10
Security
[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.
v1.11.0.rc1 / 2020-02-02
v1.11.0.rc1 / 2020-02-02
To try out release candidates, use gem install --prerelease
.
Notes
Experiment: Pre-Compiled Native Linux Gems
With the v1.11.0 release candidates, we are experimenting with shipping pre-compiled native Linux gems for the x86-linux
and x86_64-linux
platforms.
If this works properly for you, it will speed up installation time on Linux.
If this doesn't work for you, please drop us a note at #1983, we may reach out to you for more information on your distro and configuration.
Either way, we'd appreciate some feedback at #1983.
Dependencies
This release introduces support for:
- Ruby 2.7, including the precompiled native binary gems for Windows.
This release ends support for:
- Ruby 2.3, for which official support ended on 2019-03-31 [#1886] (Thanks @ashmaroli!)
- JRuby 9.1, which is the Ruby 2.3-compatible release.
Added
- Add support for CSS queries "a:has(> b)", "a:has(~ b)", and "a:has(+ b)". [#688] (Thanks, @jonathanhefner!)
- Add
Node#value?
to better match expected semantics of a Hash-like object. [#1838, #1840] (Thanks, @MatzFan!) - [MRI] Add
Nokogiri::XML::Node#line=
for use by downstream libs like nokogumbo. [#1918] (Thanks, @stevecheckoway!)
Improved
- Add
frozen_string_literal: true
magic comment to alllib
files. [#1745] (Thanks, @oniofchaos!) - Improve performance of some namespace operations. [#1916] (Thanks, @ashmaroli!)
- Remove unnecessary array allocations from Node serialization methods [#1911] (Thanks, @ashmaroli!)
- Avoid creation of unnecessary zero-length String objects. [#1970] (Thanks, @ashmaroli!)
- [JRuby] Lots of code cleanup and performance improvements. [#1934] (Thanks, @kares!)
Fixed
- [JRuby] Standardize reading from IO like objects, including StringIO. [#1888, #1897]
- [JRuby] Change
NodeSet#to_a
to return a RubyArray instead of Object, for compilation under JRuby 9.2.9 and later. [#1968, #1969] (Thanks, @headius!)
Changed
VersionInfo
and the output of nokogiri -v
This release changes the information provided in
Nokogiri::VersionInfo
, see #1482 and #1974 for background. Note that
the output of nokogiri -v
will also reflect these changes.
Nokogiri::VersionInfo
will no longer contain the following keys (previously these were set only when vendored libraries were being used)
libxml/libxml2_path
libxml/libxslt_path
Nokogiri::VersionInfo
now contains version metadata for libxslt:
libxslt/source
(either "packaged" or "system", similar tolibxml/source
)libxslt/compiled
(the version of libxslt compiled at installation time, similar tolibxml/compiled
)libxslt/loaded
(the version of libxslt loaded at runtime, similar tolibxml/loaded
)libxslt/patches
moved fromlibxml/libxslt_patches
Nokogiri::VersionInfo
key libxml/libxml2_patches
has been renamed to libxml/patches
These C macros will no longer be defined:
NOKOGIRI_LIBXML2_PATH
NOKOGIRI_LIBXSLT_PATH
These global variables will no longer be defined:
NOKOGIRI_LIBXML2_PATH
NOKOGIRI_LIBXSLT_PATH
These constants have been renamed:
Nokogiri::LIBXML_VERSION
is nowNokogiri::LIBXML_COMPILED_VERSION
Nokogiri::LIBXML_PARSER_VERSION
is nowNokogiri::LIBXML_LOADED_VERSION
These methods have been renamed and the return type changed from String
to Gem::Version
:
VersionInfo#loaded_parser_version
is now#loaded_libxml_version
VersionInfo#compiled_parser_version
is now#compiled_libxml_version
Nokogiri.uses_libxml?
now accepts an optional requirement string which is interpreted as a Gem::Requirement
and tested against the loaded libxml2 version (the value in VersionInfo
key libxml/loaded
). This greatly simplifies much of the version-dependent branching logic in both the implementation and the tests.
To sum these changes up, the output from CRuby when using vendored libraries was something like:
# Nokogiri (1.10.7)
---
warnings: []
nokogiri: 1.10.7
ruby:
version: 2.7.0
platform: x86_64-linux
description: ruby 2.7.0p0 (2019-12-25 revision 647ee6f091) [x86_64-linux]
engine: ruby
libxml:
binding: extension
source: packaged
libxml2_path: "/home/flavorjones/.rvm/gems/ruby-2.7.0/gems/nokogiri-1.10.7/ports/x86_64-pc-linux-gnu/libxml2/2.9.10"
libxslt_path: "/home/flavorjones/.rvm/gems/ruby-2.7.0/gems/nokogiri-1.10.7/ports/x86_64-pc-linux-gnu/libxslt/1.1.34"
libxml2_patches:
- 0001-Revert-Do-not-URI-escape-in-server-side-includes.patch
- 0002-Remove-script-macro-support.patch
- 0003-Update-entities-to-remove-handling-of-ssi.patch
- 0004-libxml2.la-is-in-top_builddir.patch
libxslt_patches: []
compiled: 2.9.10
loaded: 2.9.10
but now looks like:
# Nokogiri (1.11.0)
---
warnings: []
nokogiri: 1.11.0
ruby:
version: 2.7.0
platform: x86_64-linux
description: ruby 2.7.0p0 (2019-12-25 revision 647ee6f091) [x86_64-linux]
engine: ruby
libxml:
source: packaged
patches:
- 0001-Revert-Do-not-URI-escape-in-server-side-includes.patch
- 0002-Remove-script-macro-support.patch
- 0003-Update-entities-to-remove-handling-of-ssi.patch
- 0004-libxml2.la-is-in-top_builddir.patch
compiled: 2.9.10
loaded: 2.9.10
libxslt:
source: packaged
patches: []
compiled: 1.1.34
loaded: 1.1.34
and the output from using system libraries now looks like:
# Nokogiri (1.11.0)
---
warnings: []
nokogiri: 1.11.0
ruby:
version: 2.7.0
platform: x86_64-linux
description: ruby 2.7.0p0 (2019-12-25 revision 647ee6f091) [x86_64-linux]
engine: ruby
libxml:
source: system
compiled: 2.9.4
loaded: 2.9.4
libxslt:
source: system
compiled: 1.1.29
loaded: 1.1.29
1.10.7 / 2019-12-03
1.10.6 / 2019-12-03
1.10.5 / 2019-10-31
1.10.5 / 2019-10-31
Dependencies
- [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
- [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34
1.10.4 / 2019-08-11
1.10.4 / 2019-08-11
Security
Address CVE-2019-5477 (#1915)
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open
method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file
is being passed untrusted user input.
This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
This CVE's public notice is #1915
1.10.3 / 2019-04-22
1.10.3 / 2019-04-22
Security Notes
[MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.
1.10.2 / 2019-03-24
1.10.1 / 2019-01-13
1.10.1 / 2019-01-13
Features
- [MRI] During installation, handle Xcode 10's new library pathOS. [#1801, #1851] (Thanks, @mlj and @deepj!)
- Avoid unnecessary creation of
Proc
s in many methods. [#1776] (Thanks, @chopraanmol1!)
Bug fixes
- CSS selector
:has()
now correctly matches against any descendant. Previously this selector matched against only direct children). [#350] (Thanks, @Phrogz!) NodeSet#attr
now returnsnil
if it's empty. Previously this raised a NoMethodError.- [MRI] XPath errors are no longer suppressed during
XSLT::Stylesheet#transform
. Previously these errors were suppressed which led to silent failures and a subsequent segfault. [#1802]
1.10.0 / 2019-01-04
1.10.0 / 2019-01-04
Features
Backwards incompatibilities
This release ends support for:
- Ruby 2.2, for which official support ended on 2018-03-31 [#1841]
- JRuby 1.7, for which official support ended on 2017-11-21 [#1741]
Dependencies
- [MRI] libxml2 is updated from 2.9.8 to 2.9.9
- [MRI] libxslt is updated from 1.1.32 to 1.1.33