🚨 [security] Update nokogiri 1.17.2 → 1.18.5 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ nokogiri (indirect, 1.17.2 → 1.18.5) · Repo · Changelog

Security Advisories 🚨

🚨 Nokogiri updates packaged libxslt to v1.1.43 to resolve multiple CVEs

Summary

Nokogiri v1.18.4 upgrades its dependency libxslt to v1.1.43.

libxslt v1.1.43 resolves:

• CVE-2025-24855: Fix use-after-free of XPath context node
• CVE-2024-55549: Fix UAF related to excluded namespaces

Impact

CVE-2025-24855

• "Use-after-free due to xsltEvalXPathStringNs leaking xpathCtxt->node"
• MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
• Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/128
• NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-24855

CVE-2024-55549

• "Use-after-free related to excluded result prefixes"
• MITRE has rated this 7.8 High CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
• Upstream report: https://gitlab.gnome.org/GNOME/libxslt/-/issues/127
• NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-55549

🚨 Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

• CVE-2025-24928
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
• CVE-2024-56171
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

Release Notes

1.18.5

v1.18.5 / 2025-03-19

Fixed

• [JRuby] Update JRuby's XML serialization so it outputs namespaces exactly like CRuby. (#3455, #3456) @johnnyshields

sha256 checksums

3f12540863e45db38236257be30a8605cd1d2d074c38a63c6f1307fd968a477c  nokogiri-1.18.5-aarch64-linux-gnu.gem
296a9e346d9a816526ee0944b5df26e947d91ec09225897bf2fc14561e8861ca  nokogiri-1.18.5-aarch64-linux-musl.gem
df7731e550a7653c003ed142cc8bc3c611c15fae3b7be4ff317b61dfe32842d9  nokogiri-1.18.5-arm64-darwin.gem
25fc71081c671fc4e983eac76ad1b3c8ee2707c467dcdb96a066f749f978eaba  nokogiri-1.18.5-arm-linux-gnu.gem
8682d38ac2015ffa3b0c23925c579ced7e455f16931130ab434f26ff1c2846fa  nokogiri-1.18.5-arm-linux-musl.gem
c8a6f8da9418ac21345124bc79b94701f036fa05b27dfec4a6dc148d5fa136dc  nokogiri-1.18.5.gem
22354b83a81acefd028e7622d4dd832c1e3cc305bf152f7f77e7db9c820b59d0  nokogiri-1.18.5-java.gem
874080a907a550a60b28febd56fe8ae921e6a7e0bb0ae61aaecd6c71665dc604  nokogiri-1.18.5-x64-mingw-ucrt.gem
28659cf43eedb652ae2fb94a8c7a14d368b6944db97e63b4158c8d5d5b4f49d8  nokogiri-1.18.5-x86_64-darwin.gem
195f4a139961f3c892ac22fda6ae4e665919e6573149f0adc786adc8c20402be  nokogiri-1.18.5-x86_64-linux-gnu.gem
8c2786d259e3c73687f8c595e1ab040a66809799ad066dad8eb492fd58f4f8fd  nokogiri-1.18.5-x86_64-linux-musl.gem

1.18.4

v1.18.4 / 2025-03-14

Security

• [CRuby] Vendored libxslt is updated to v1.1.43 to address CVE-2025-24855 and CVE-2024-55549. See GHSA-mrxw-mxhj-p664 for more information.

sha256 checksums

8f2263cef9953ce09bd5293d76c9bbd3013d2f94d1cca67783dfe6635c529deb  nokogiri-1.18.4-aarch64-linux-gnu.gem
4e231f8ba3128cfc2ef0cc0bdc807d7ce71fc62cb6a78216e817be8631fe6a96  nokogiri-1.18.4-aarch64-linux-musl.gem
73902663b23b1123282b9c0b6d9654b1fb286dfee8d65cb1f6029087b7f0d037  nokogiri-1.18.4-arm64-darwin.gem
cc2945e2c19560a61a97737e6bd3b329edb1f82ca204d46a18e5e98ad0a550a6  nokogiri-1.18.4-arm-linux-gnu.gem
4fb7f44de0cd85abfa869e4cfb619410da174ebf9fbe26ae0caa65462b818bcb  nokogiri-1.18.4-arm-linux-musl.gem
bb7820521c1bbae1d3e0092ff03b27a8e700912b37d80f962b7e4567947a64ac  nokogiri-1.18.4.gem
cbc0bab72eb5a9573efa7b98351fdd44c609e8d4585456ca1be18db2b7764b64  nokogiri-1.18.4-java.gem
bd567cb509eb75de8f27ca6ecaf4a38bf0563482188991f9bcccccac9c3b9a2f  nokogiri-1.18.4-x64-mingw-ucrt.gem
e4776f58eea9b94d05caf8bf351e3c6aa1cce01edcc2ed530f3c302c13178965  nokogiri-1.18.4-x86_64-darwin.gem
b1c6407b346b88704e97a342a80acd4755175324e624da34d0c5cfdc8d34191e  nokogiri-1.18.4-x86_64-linux-gnu.gem
ea7c0356a70f3d2d0d76315b533877013d20368d5c9f437c38e0bd462c4844dc  nokogiri-1.18.4-x86_64-linux-musl.gem

1.18.3

v1.18.3 / 2025-02-18

Security

• [CRuby] Vendored libxml2 is updated to v2.13.6 to address CVE-2025-24928 and CVE-2024-56171. See GHSA-vvfq-8hwr-qm4m for more information.

sha256 checksums

cab20305133078a8f6b60cf96311b48319175038cc7772e5ec586ff624cb7838  nokogiri-1.18.3-aarch64-linux-gnu.gem
acb256bb3213a180b1ed84a49c06d5d4c6c1da26f33bc9681f1fece4dab09a79  nokogiri-1.18.3-aarch64-linux-musl.gem
ce088965cd424b8e752d82087dcf017069d55791f157098ed1f671d966857610  nokogiri-1.18.3-arm64-darwin.gem
37b73a55e0d1e8a058a24abb16868903e81cb4773049739c532b864f87236b1b  nokogiri-1.18.3-arm-linux-gnu.gem
09407970cd13736cf87e975fae69c13e1178bab0313d07b35580ee4dd3650793  nokogiri-1.18.3-arm-linux-musl.gem
6b9fc3b14fd0cedd21f6cad8cf565123ba7401e56b5d0aec180c23cdca28fd5a  nokogiri-1.18.3.gem
236078c5f80ffc3d49c223fa98933d970543455403f9d672ca0aa5a6178a84fe  nokogiri-1.18.3-java.gem
216be1cb454c4657fc64747e5ae32b2ab4015843183766f238e4f4a62fb1f6be  nokogiri-1.18.3-x64-mingw-ucrt.gem
d729406bb5a7b1bbe7ed3c0922336dd2c46085ed444d6de2a0a4c33950a4edea  nokogiri-1.18.3-x86_64-darwin.gem
3c7ad5cee39855ed9c746065f39b584b9fd2aaff61df02d0f85ba8d671bbe497  nokogiri-1.18.3-x86_64-linux-gnu.gem
8aaecc22c0e5f12dac613e15f9a04059c3ec859d6f98f493cc831bd88fe8e731  nokogiri-1.18.3-x86_64-linux-musl.gem

1.18.2

v1.18.2 / 2024-01-19

Fixed

• When performing a CSS selector query, an XML document's root namespace declarations should not be applied to wildcard selectors ("*"). Fixes a bug introduced in v1.17.0. (#3411) @flavorjones

sha256 checksums

74e0f9a7487a30a2957f46c5113d58f836436b033c9906e0bc6fee9d8cdafabf  nokogiri-1.18.2-aarch64-linux-gnu.gem
99bcea596a80eaee99f2bae2596275641ea688262c1da32b4e90db6159e86477  nokogiri-1.18.2-aarch64-linux-musl.gem
8288ec7a296e2510ca9bd053c0c5989f11260f8c07bc3e9afbafa536f7077281  nokogiri-1.18.2-arm64-darwin.gem
6fb0246b69f2c589a69254e82bc2a40aa238c4f977fd7903e283341a92935729  nokogiri-1.18.2-arm-linux-gnu.gem
dcdd4d10ed2743f0d8c887825700c3a8506aea1aa415917ac50ccc01597c51a3  nokogiri-1.18.2-arm-linux-musl.gem
93791cfb33186fe077eb9e1b8a6855b5621e328f81f565334572fa398366f8bf  nokogiri-1.18.2.gem
eefdf9f0d6086173d3488cf7a736732ee13fb6674ef15643478c20502a67bf37  nokogiri-1.18.2-java.gem
894514572fa7503ce9210e51a7f8a9a35f34f154d6406cec1ac148c3ce1536a3  nokogiri-1.18.2-x64-mingw-ucrt.gem
7fca165e5ee87e9b6b3f1377180376afc0c8652ed2a3d761f472f0e3d3a1c651  nokogiri-1.18.2-x86_64-darwin.gem
9330ced4a976604865c2a76ce158e2bc608fa83999552e85a32ec06f85f427db  nokogiri-1.18.2-x86_64-linux-gnu.gem
1cd7786ed15c76958d6a8f9a864df6208fecd624c340eb4ed211fbea60328f02  nokogiri-1.18.2-x86_64-linux-musl.gem

1.18.1

v1.18.1 / 2024-12-29

Fixed

• [CRuby] XML::SAX::ParserContext keeps a reference to the input to avoid a potential use-after-free issue that's existed since v1.4.0 (2009). (#3395) @flavorjones

sha256 checksums

35837013800e34342fcbaca305f8c49231f6bd4f779bfa23fe7b4686ae82d5b8  nokogiri-1.18.1-aarch64-linux-gnu.gem
1b303402cd045f9075a6ee291767c1ffe654b426ed30911e5b47819c21855b22  nokogiri-1.18.1-aarch64-linux-musl.gem
d75193f284c899d225943a8944479faedd995a7573ddd5c8308ffbdf2ec55204  nokogiri-1.18.1-arm64-darwin.gem
3b873fd6b0cd1ad7c77e87af701075bdfd14c9a6b2f2965c5e00ed29a5627a37  nokogiri-1.18.1-arm-linux-gnu.gem
d6fe26f6d1425f403077fbf829fc0ef8e521545c924a13777d6fdf1a0c07c1f3  nokogiri-1.18.1-arm-linux-musl.gem
df18be7e96c34736b6abfdeda80c6e845134fb9afe2fe5d4fbc1cf1f89c68475  nokogiri-1.18.1.gem
e0e19b340f92d09b2b731e22d68895b2062d6555188aff370b05617516d3a781  nokogiri-1.18.1-java.gem
50d81e905a60dff706b99c980abefedaf1c3d2c434a3b49afaf1b69b80f7f5b4  nokogiri-1.18.1-x64-mingw-ucrt.gem
d94e3aa6483577495fc8969d6b4b5c075840ce6b1ab09636a6d4177ad171051d  nokogiri-1.18.1-x86_64-darwin.gem
e516cf16ccde67ed4cc595a2621ca5ddd42562ecb24928914b0045a20a41620e  nokogiri-1.18.1-x86_64-linux-gnu.gem
f2c389bc100541247edaeaabc6d875b31d72e897471b66a67987b2e4df0192d6  nokogiri-1.18.1-x86_64-linux-musl.gem

1.18.0

v1.18.0 / 2024-12-25

Notable Changes

Ruby

This release introduces native gem support for Ruby 3.4.

This release ends support for Ruby 3.0, for which upstream support ended 2024-04-23.

This release ships separate precompiled GNU and Musl gems for all linux platforms. Previously both GNU and Musl target systems could use and install the same gem, e.g., the platform gem for x86_64-linux. Now, however, the precompiled gem platforms would be x86_64-linux-gnu and x86_64-linux-musl. So long as you're on bundler >= 2.5.6 this should be seamless other than perhaps needing to update the platforms in your "Gemfile.lock".

This release drops precompiled native platform gems for x86-linux and x86-mingw32. These platforms are still supported. Users on these platforms must install the "ruby platform" gem which requires a compiler toolchain. See Installing the ruby platform gem in the installation docs. (#3369, #3081)

Improved

• [CRuby] CSS and XPath queries are faster now that Node#xpath, Node#css, and related functions are using a faster XPathContext initialization process. We benchmarked a 1.9x improvement for a 6kb file. Big thanks to @nwellnhof for helping with this one. (#3378, superseded by #3389) @flavorjones

sha256 checksums

a240b4183b7a12d82cdd46d7a77255d785e01198ffb0c52c8aee1197daf0b465  nokogiri-1.18.0-aarch64-linux-gnu.gem
a12b764089d9c0e60f4794b685d29a97a3e2952caa1c4c87473c771edb7e9db5  nokogiri-1.18.0-aarch64-linux-musl.gem
e6e75760aa66adf5ea0dccfba2516c111526ba50f6475426975532d1a134173c  nokogiri-1.18.0-arm64-darwin.gem
80e9534e153b141242864c7274605fcb8312860a16460bae796fa4490acca4e8  nokogiri-1.18.0-arm-linux-gnu.gem
0764082c12c01447a0e9b522d3d2cc91f384a683453c7a55842502d37b0180a8  nokogiri-1.18.0-arm-linux-musl.gem
119dea343386d88849f44dd8c36fb1cc36f4a4fe42cf4d60f26f4bac18b3a709  nokogiri-1.18.0.gem
432ecef3824ff23d38c897b4d08cddb5d10cf53838add84834349422038e4812  nokogiri-1.18.0-java.gem
ab1d35ce91ee9af7fbe45e97a6eca0e6b103b724a7b4712e6eeb7968ca9809eb  nokogiri-1.18.0-x64-mingw-ucrt.gem
4c27a29a3509f38caeec582feef381b07d1e80f56a622b3548be07271dc903b9  nokogiri-1.18.0-x86_64-darwin.gem
1232a310b8e186d402a5f3d0c06affafaf25b1c30b01aa797559ac7bd5851c92  nokogiri-1.18.0-x86_64-linux-gnu.gem
5ec8161e1a0799102227009122ef836824abfab693fd4b32cb252e2f34f300c2  nokogiri-1.18.0-x86_64-linux-musl.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #650.