Releases: sparklemotion/nokogiri

v1.11.0.rc2 / 2020-04-01

01 Apr 19:21
v1.11.0.rc2
a762738
Pre-release

To try out release candidates, use gem install --prerelease. Latest is v1.11.0.rc2.

Delta since v1.11.0.rc1:

Notes

Note that the linux-native gems for v1.11.0.rc2 and later support musl systems (e.g., alpine).

Dependencies

  • [MRI] Upgrade mini_portile2 dependency from ~> 2.4.0 to ~> 2.5.0 [#2005] (Thanks, @alejandroperea!)

Added

  • Add Node methods for manipulating keyword attributes (like class and rel): #kwattr_values, #kwattr_add, #kwattr_append, and #kwattr_remove. [#2000]

Fixed

  • The switch to turn off the CSS-to-XPath cache is now thread-local, rather than being shared mutable state. [#1935]

Removed

  • The internal method Nokogiri::CSS::Parser.cache_on= has been removed. Use .set_cache if you need to muck with the cache internals.
  • The method Nokogiri::CSS::Parser.parse has been removed. This was originally deprecated in 2009 in 13db61b.

1.10.9 / 2020-03-01

01 Mar 19:06
e2e191d

Fixed

  • [MRI] Raise an exception when Nokogiri detects a specific libxml2 edge case involving blank Schema nodes wrapped by Ruby objects that would cause a segfault. Currently no fix is available upstream, so we're preventing a dangerous operation and informing users to code around it if possible. [#1985, #2001]
  • [JRuby] Change NodeSet#to_a to return a RubyArray instead of Object, for compilation under JRuby 9.2.9 and later. [#1968, #1969] (Thanks, @headius!)

1.10.8 / 2020-02-10

10 Feb 19:45
6ce10d1

Security

[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595. Full details are available in #1992. Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.

v1.11.0.rc1 / 2020-02-02

03 Feb 01:25
8ce75d1
Pre-release

To try out release candidates, use gem install --prerelease.

Notes

Experiment: Pre-Compiled Native Linux Gems

With the v1.11.0 release candidates, we are experimenting with shipping pre-compiled native Linux gems for the x86-linux and x86_64-linux platforms.

If this works properly for you, it will speed up installation time on Linux.

If this doesn't work for you, please drop us a note at #1983; we may reach out to you for more information on your distro and configuration.

Either way, we'd appreciate some feedback at #1983.

Dependencies

This release introduces support for:

  • Ruby 2.7, including the precompiled native binary gems for Windows.

This release ends support for:

Added

  • Add support for CSS queries "a:has(> b)", "a:has(~ b)", and "a:has(+ b)". [#688] (Thanks, @jonathanhefner!)
  • Add Node#value? to better match expected semantics of a Hash-like object. [#1838, #1840] (Thanks, @MatzFan!)
  • [MRI] Add Nokogiri::XML::Node#line= for use by downstream libs like nokogumbo. [#1918] (Thanks, @stevecheckoway!)

Improved

  • Add frozen_string_literal: true magic comment to all lib files. [#1745] (Thanks, @oniofchaos!)
  • Improve performance of some namespace operations. [#1916] (Thanks, @ashmaroli!)
  • Remove unnecessary array allocations from Node serialization methods. [#1911] (Thanks, @ashmaroli!)
  • Avoid creation of unnecessary zero-length String objects. [#1970] (Thanks, @ashmaroli!)
  • [JRuby] Lots of code cleanup and performance improvements. [#1934] (Thanks, @kares!)

Fixed

  • [JRuby] Standardize reading from IO like objects, including StringIO. [#1888, #1897]
  • [JRuby] Change NodeSet#to_a to return a RubyArray instead of Object, for compilation under JRuby 9.2.9 and later. [#1968, #1969] (Thanks, @headius!)

Changed

VersionInfo and the output of nokogiri -v

This release changes the information provided in
Nokogiri::VersionInfo, see #1482 and #1974 for background. Note that
the output of nokogiri -v will also reflect these changes.

Nokogiri::VersionInfo will no longer contain the following keys (previously these were set only when vendored libraries were being used):

  • libxml/libxml2_path
  • libxml/libxslt_path

Nokogiri::VersionInfo now contains version metadata for libxslt:

  • libxslt/source (either "packaged" or "system", similar to libxml/source)
  • libxslt/compiled (the version of libxslt compiled at installation time, similar to libxml/compiled)
  • libxslt/loaded (the version of libxslt loaded at runtime, similar to libxml/loaded)
  • libxslt/patches moved from libxml/libxslt_patches

Nokogiri::VersionInfo key libxml/libxml2_patches has been renamed to libxml/patches.

These C macros will no longer be defined:

  • NOKOGIRI_LIBXML2_PATH
  • NOKOGIRI_LIBXSLT_PATH

These global variables will no longer be defined:

  • NOKOGIRI_LIBXML2_PATH
  • NOKOGIRI_LIBXSLT_PATH

These constants have been renamed:

  • Nokogiri::LIBXML_VERSION is now Nokogiri::LIBXML_COMPILED_VERSION
  • Nokogiri::LIBXML_PARSER_VERSION is now Nokogiri::LIBXML_LOADED_VERSION

These methods have been renamed and the return type changed from String to Gem::Version:

  • VersionInfo#loaded_parser_version is now #loaded_libxml_version
  • VersionInfo#compiled_parser_version is now #compiled_libxml_version

Nokogiri.uses_libxml? now accepts an optional requirement string which is interpreted as a Gem::Requirement and tested against the loaded libxml2 version (the value in VersionInfo key libxml/loaded). This greatly simplifies much of the version-dependent branching logic in both the implementation and the tests.

To sum these changes up, the output from CRuby when using vendored libraries was something like:

    # Nokogiri (1.10.7)
    ---
    warnings: []
    nokogiri: 1.10.7
    ruby:
      version: 2.7.0
      platform: x86_64-linux
      description: ruby 2.7.0p0 (2019-12-25 revision 647ee6f091) [x86_64-linux]
      engine: ruby
    libxml:
      binding: extension
      source: packaged
      libxml2_path: "/home/flavorjones/.rvm/gems/ruby-2.7.0/gems/nokogiri-1.10.7/ports/x86_64-pc-linux-gnu/libxml2/2.9.10"
      libxslt_path: "/home/flavorjones/.rvm/gems/ruby-2.7.0/gems/nokogiri-1.10.7/ports/x86_64-pc-linux-gnu/libxslt/1.1.34"
      libxml2_patches:
      - 0001-Revert-Do-not-URI-escape-in-server-side-includes.patch
      - 0002-Remove-script-macro-support.patch
      - 0003-Update-entities-to-remove-handling-of-ssi.patch
      - 0004-libxml2.la-is-in-top_builddir.patch
      libxslt_patches: []
      compiled: 2.9.10
      loaded: 2.9.10

but now looks like:

    # Nokogiri (1.11.0)
    ---
    warnings: []
    nokogiri: 1.11.0
    ruby:
      version: 2.7.0
      platform: x86_64-linux
      description: ruby 2.7.0p0 (2019-12-25 revision 647ee6f091) [x86_64-linux]
      engine: ruby
    libxml:
      source: packaged
      patches:
      - 0001-Revert-Do-not-URI-escape-in-server-side-includes.patch
      - 0002-Remove-script-macro-support.patch
      - 0003-Update-entities-to-remove-handling-of-ssi.patch
      - 0004-libxml2.la-is-in-top_builddir.patch
      compiled: 2.9.10
      loaded: 2.9.10
    libxslt:
      source: packaged
      patches: []
      compiled: 1.1.34
      loaded: 1.1.34

and the output from using system libraries now looks like:

    # Nokogiri (1.11.0)
    ---
    warnings: []
    nokogiri: 1.11.0
    ruby:
      version: 2.7.0
      platform: x86_64-linux
      description: ruby 2.7.0p0 (2019-12-25 revision 647ee6f091) [x86_64-linux]
      engine: ruby
    libxml:
      source: system
      compiled: 2.9.4
      loaded: 2.9.4
    libxslt:
      source: system
      compiled: 1.1.29
      loaded: 1.1.29
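
For anyone auditing deployments from saved `nokogiri -v` output, the sketch below reads both the 1.10.x and 1.11.0 key layouts described above and checks the loaded library versions with Gem::Requirement, the same kind of requirement string `Nokogiri.uses_libxml?` now accepts. It is an added example, not Nokogiri's own code; the names `normalize`, `audit` and `MINIMUMS`, the minimum versions and the trimmed sample inputs are assumptions made for illustration.

```ruby
require "yaml"
require "rubygems"

# Constructed inputs, trimmed from the `nokogiri -v` outputs quoted above.
# 1.10.7 layout: patch lists live under libxml, no libxslt section.
OLD_PACKAGED = <<~YAML
  libxml:
    source: packaged
    libxml2_patches:
    - 0002-Remove-script-macro-support.patch
    libxslt_patches: []
    compiled: 2.9.10
    loaded: 2.9.10
YAML
# 1.11.0 layout, system libraries.
NEW_SYSTEM = <<~YAML
  libxml:
    source: system
    compiled: 2.9.4
    loaded: 2.9.4
  libxslt:
    source: system
    compiled: 1.1.29
    loaded: 1.1.29
YAML

# Hypothetical policy: at least the versions vendored since 1.10.5.
MINIMUMS = { "libxml" => ">= 2.9.10", "libxslt" => ">= 1.1.34" }.freeze

# Map either layout onto the 1.11.0 key names.
def normalize(info)
  xml, xslt = info.fetch("libxml"), info.fetch("libxslt", {})
  { "libxml"  => xml.slice("source", "compiled", "loaded")
                    .merge("patches" => xml["patches"] || xml["libxml2_patches"] || []),
    "libxslt" => xslt.slice("source", "compiled", "loaded")
                     .merge("patches" => xslt["patches"] || xml["libxslt_patches"] || []) }
end

# Return a list of findings; an empty list means the policy is met.
def audit(yaml_text, minimums = MINIMUMS)
  normalize(YAML.safe_load(yaml_text)).flat_map do |name, lib|
    next [] unless lib["loaded"] # 1.10.x output carried no libxslt version
    loaded = Gem::Version.new(lib["loaded"].to_s)
    out = []
    out << "#{name}: loaded #{loaded} is below policy" unless Gem::Requirement.new(minimums.fetch(name)).satisfied_by?(loaded)
    out << "#{name}: compiled/loaded mismatch" unless lib["compiled"].to_s == loaded.to_s
    out << "#{name}: system library, vendored patch list not in use" if lib["source"] == "system"
    out
  end
end
```

The 1.10.x layout yields no libxslt finding because that output had no libxslt version to test, so treat an empty result there as "libxml2 only".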

1.10.7 / 2019-12-03

04 Dec 15:31
e6b3229

Bug

  • [MRI] Ensure the patch applied in v1.10.6 works with GNU patch. [#1954]

1.10.6 / 2019-12-03

04 Dec 01:01
13132fc

Bug

  • [MRI] Fix FreeBSD installation of vendored libxml2. [#1941, #1953] (Thanks, @nurse!)

1.10.5 / 2019-10-31

31 Oct 19:28
1bc2ff9

Dependencies

  • [MRI] vendored libxml2 is updated from 2.9.9 to 2.9.10
  • [MRI] vendored libxslt is updated from 1.1.33 to 1.1.34

1.10.4 / 2019-08-11

11 Aug 19:28
beb832e

Security

Address CVE-2019-5477 (#1915)

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess by Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being passed untrusted user input.

This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

This CVE's public notice is #1915.
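
To check your own code for the pattern behind CVE-2019-5477, the added example below (not Nokogiri's or Rexical's code) flags receiver-less `open(...)` calls, which dispatch to Kernel#open, and shows that a loader built on `File.open` treats a "|"-prefixed name as a missing file. The names `load_file_safely`, `kernel_open_calls`, `pipe_name_is_inert?` and the `SAMPLE` source are hypothetical and constructed for illustration.

```ruby
require "tmpdir"

# Hardened loader (hypothetical name): File.open only ever treats its argument
# as a path, whereas Kernel#open runs a "|"-prefixed string as a command.
def load_file_safely(filename)
  File.open(filename, "r") { |f| f.read }
end

# Flag receiver-less open(...) and Kernel.open(...) calls.
# Returns [[line_number, stripped_source_line], ...].
def kernel_open_calls(source)
  source.each_line.with_index(1).select do |line, _n|
    code = line.sub(/#.*/, "") # crude comment strip, good enough for a first pass
    code.match?(/(?:(?<![\w.:])|\bKernel\.)open\s*\(/)
  end.map { |line, n| [n, line.strip] }
end

# Constructed sample shaped like a scanner class; not Rexical's actual output.
SAMPLE = <<~'RUBY'
  class Tokenizer
    def load_file(filename)
      open(filename, "r") do |f|
        scan_setup(f.read)
      end
    end
    def load_fixed(filename)
      File.open(filename, "r") { |f| scan_setup(f.read) }
    end
  end
RUBY

# True when a "|"-prefixed name is rejected as a missing file and the marker
# file the command would have created never appears.
def pipe_name_is_inert?
  Dir.mktmpdir do |dir|
    marker = File.join(dir, "marker")
    begin
      load_file_safely("| touch #{marker}")
    rescue Errno::ENOENT
      return !File.exist?(marker)
    end
    false
  end
end
```

Run `kernel_open_calls` over generated lexer files and any wrapper that forwards a caller-supplied name to them; a hit is a place to confirm the argument can never be user-controlled or to switch to `File.open`.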

1.10.3 / 2019-04-22

22 Apr 17:11
8e24af5

Security Notes

[MRI] Pulled in upstream patch from libxslt that addresses CVE-2019-11068. Full details are available in #1892. Note that this patch is not yet (as of 2019-04-22) in an upstream release of libxslt.

1.10.2 / 2019-03-24

25 Mar 13:03
93d1a80

Security

  • [MRI] Remove support from vendored libxml2 for future script macros. [#1871]
  • [MRI] Remove support from vendored libxml2 for server-side includes within attributes. [#1877]

Bug fixes

  • [JRuby] Fix node ownership in duplicated documents. [#1060]
  • [JRuby] Rethrow exceptions caught by Java SAX handler. [#1847, #1872] (Thanks, @adjam!)