🚨 [security] [ruby] Update nokogiri 1.19.0 → 1.19.1 (patch)#1408

Merged
depfu[bot] merged 1 commit into main from depfu/update/nokogiri-1.19.1
Feb 19, 2026
Conversation

@depfu depfu bot commented Feb 19, 2026


🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ nokogiri (1.19.0 → 1.19.1) · Repo · Changelog

Security Advisories 🚨

🚨 Nokogiri does not check the return value from xmlC14NExecute

Summary

Nokogiri's CRuby extension fails to check the return value from xmlC14NExecute in the methods Nokogiri::XML::Document#canonicalize and Nokogiri::XML::Node#canonicalize. When canonicalization fails, an empty string is returned instead of raising an exception. This incorrect return value may allow downstream libraries to accept invalid or incomplete canonicalized XML, which has been demonstrated to enable signature validation bypass in SAML libraries.

JRuby is not affected, as the Java implementation correctly raises RuntimeError on canonicalization failure.

Mitigation

Upgrade to Nokogiri >= 1.19.1.

Severity

The maintainers have assessed this as Medium severity. Nokogiri itself is a parsing library without a clear security boundary related to canonicalization, so the direct impact is that a method returns incorrect data on invalid input. However, this behavior was exploited in practice to bypass SAML signature validation in downstream libraries (see References).

Credit

This vulnerability was responsibly reported by HackerOne researcher d4d.

Release Notes

1.19.1

v1.19.1 / 2026-02-16

Security

sha256 checksums


Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)
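A downstream defensive check for the failure mode described in the advisory above, as an added example that is not part of this PR or of nokogiri itself: it gates on the fixed release and wraps canonicalize so an empty result is rejected before any digest comparison. FakeNode, nokogiri_fixed?, canonicalize_strict and digest_matches? are constructed names so the snippet runs without the gem installed.

```ruby
require "digest"

# Nokogiri release in which Document#canonicalize / Node#canonicalize raise
# on xmlC14NExecute failure instead of returning "" (from the advisory above).
FIXED_NOKOGIRI = Gem::Version.new("1.19.1")

# True when the given CRuby nokogiri version string is at or past the fix.
def nokogiri_fixed?(version_string)
  Gem::Version.new(version_string) >= FIXED_NOKOGIRI
end

class CanonicalizationError < StandardError; end

# Downstream guard: call canonicalize and refuse the nil/empty output that the
# unpatched extension produced on failure, so no caller ever digests an empty
# string and compares it against a signature's DigestValue.
def canonicalize_strict(node, *c14n_args)
  out = node.canonicalize(*c14n_args)
  raise CanonicalizationError, "canonicalization produced no output" if out.nil? || out.empty?
  out
end

# Compare the SHA-256 of the strict canonical form against a base64 DigestValue
# (the check a signature verifier performs before trusting a signed element).
def digest_matches?(node, expected_b64)
  canonical = canonicalize_strict(node)
  actual_b64 = [Digest::SHA256.digest(canonical)].pack("m0")
  actual_b64 == expected_b64
end

# Hypothetical stand-in for a Nokogiri node, constructed so the example runs
# without the gem; it returns whatever canonical text it was built with.
FakeNode = Struct.new(:c14n_result) do
  def canonicalize(*_args)
    c14n_result
  end
end

# Returns [result for a healthy node, outcome for a node mimicking the 1.19.0 failure].
def demo
  healthy = canonicalize_strict(FakeNode.new("<a/>"))
  outcome = begin
    canonicalize_strict(FakeNode.new(""))
    :accepted
  rescue CanonicalizationError
    :rejected
  end
  [healthy, outcome]
end
```

With a real Nokogiri::XML::Document on 1.19.1 or later the guard is redundant, since the extension now raises itself; on an unpatched install it turns the silent empty string into an exception.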

@depfu depfu bot added the depfu label Feb 19, 2026
@depfu depfu bot assigned mockdeep Feb 19, 2026
@depfu depfu bot requested a review from mockdeep February 19, 2026 00:25
@depfu depfu bot merged commit 2e307f0 into main Feb 19, 2026
3 checks passed
@depfu depfu bot deleted the depfu/update/nokogiri-1.19.1 branch February 19, 2026 00:37
ancientz pushed a commit to ancientz/stringer that referenced this pull request Feb 19, 2026
…lint (stringer-rss#1409)"

This reverts commit 458ec47.

Revert "Update nokogiri to version 1.19.1 (stringer-rss#1408)"

This reverts commit 2e307f0.

Revert "Apply template update: allow multiple JavaScript entry points (stringer-rss#1407)"

This reverts commit 3485da0.

Revert "Apply template update: separate asset compilation into bin/ files (conflicts) (stringer-rss#1406)"

This reverts commit 75f8bff.

Revert "Apply template update: Tighten up asset management (stringer-rss#1404)"

This reverts commit d56ffce.

Revert "structure styles a bit (stringer-rss#1405)"

This reverts commit edfa1be.

Revert "Apply template update: stop skipping lib checks (conflicts) (stringer-rss#1403)"

This reverts commit 0fefe2b.

Revert "Apply template update: enable noImplicitOverride TypeScript setting (stringer-rss#1402)"

This reverts commit a91f4f4.

Revert "Apply template update: integrate cssbundling-rails (conflicts) (stringer-rss#1401)"

This reverts commit 33cf714.

Revert "Apply template update: switch eslint config from mts -> ts (conflicts) (stringer-rss#1400)"

This reverts commit 5dd03d0.

Revert "Apply template update: configure vitest with globals (conflicts) (stringer-rss#1395)"

This reverts commit 2751e46.

Revert "Update Node.js to version 25.6.1 (stringer-rss#1398)"

This reverts commit 1a505d1.

Revert "Template: add hotkey support (stringer-rss#1399)"

This reverts commit 9df2dae.

Revert "Template: configure Stimulus and Turbo (stringer-rss#1397)"

This reverts commit 61b95da.

Revert "fix image stretching down in stories (stringer-rss#1394)"

This reverts commit 7d92d26.

Revert "Update all Bundler dependencies (2026-02-16) (stringer-rss#1393)"

This reverts commit 19875b4.

Revert "Apply template update: rename test_helper -> setup (conflicts) (stringer-rss#1392)"

This reverts commit 71f0b40.

Revert "sync up .circleci/config with template (stringer-rss#1390)"

This reverts commit 84e99b8.

Revert "set up TypeScript (stringer-rss#1389)"

This reverts commit a9a27d2.

Revert "switch from sprockets to propshaft (stringer-rss#1388)"

This reverts commit 59d7a95.

Revert "switch to esbuild for JS management (stringer-rss#1387)"

This reverts commit 2844bfe.

Revert "switch to vitest for js testing (stringer-rss#1386)"

This reverts commit c856e88.

Revert "remove flat-ui css (stringer-rss#1385)"

This reverts commit 23df7a6.

Revert "move font awesome to npm package (stringer-rss#1384)"

This reverts commit 2f1c19c.

Revert "move a couple of fonts to npm packages (stringer-rss#1383)"

This reverts commit 90cd03e.

Revert "remove unused vendored assets (stringer-rss#1382)"

This reverts commit cabd5ea.

Revert "upgrade bootstrap and move to package.json (stringer-rss#1381)"

This reverts commit 8e2f881.

Revert "move jquery-visible to package.json (stringer-rss#1380)"

This reverts commit 2e17315.

Revert "move main assets to package.json (stringer-rss#1379)"

This reverts commit 4dfb69f.

Revert "move vendored mocha, et al to package.json (stringer-rss#1375)"

This reverts commit 66860a0.

Revert "integrate Stylelint (stringer-rss#1374)"

This reverts commit e8d1e48.

Revert "set up ESLint (stringer-rss#1373)"

This reverts commit fc10a10.

Revert "Update all Bundler dependencies (2026-02-09) (stringer-rss#1371)"

This reverts commit c8c85d4.

Revert "Update all Bundler dependencies (2026-02-02) (stringer-rss#1370)"

This reverts commit a5f77a8.