version bump to v1.14.4

sparklemotion · May 11, 2023 · 71a2269 · 71a2269
1 parent de74596
commit 71a2269
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,17 @@ Nokogiri follows [Semantic Versioning](https://semver.org/), please see the [REA
 
 ---
 
+## 1.14.4 / 2023-05-11
+
+### Dependencies
+
+* [JRuby] Vendored Xalan-J is updated to [v2.7.3](https://xalan.apache.org/xalan-j/readme.html). This is the first Xalan release in nine years, and it was done to address [CVE-2022-34169](https://github.com/advisories/GHSA-9339-86wc-4qgf).
+
+  The Nokogiri maintainers wish to stress that Nokogiri users were not vulnerable to this CVE, as we explained in [GHSA-qwq9-89rg-ww72](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-qwq9-89rg-ww72), and so upgrading is really at the discretion of users.
+
+  This release was cut primarily so that JRuby users of v1.14.x can avoid vulnerability scanner alerts on earlier versions of Xalan-J.
+
+
 ## 1.14.3 / 2023-04-11
 
 ### Security

diff --git a/lib/nokogiri/version/constant.rb b/lib/nokogiri/version/constant.rb
@@ -2,5 +2,5 @@
 
 module Nokogiri
   # The version of Nokogiri you are using
-  VERSION = "1.14.3"
+  VERSION = "1.14.4"
 end