🚨 [security] Update nokogiri 1.18.5 → 1.18.8 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ nokogiri (indirect, 1.18.5 → 1.18.8) · Repo · Changelog

Security Advisories 🚨

🚨 Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415

Summary

Nokogiri v1.18.8 upgrades its dependency libxml2 to v2.13.8.

libxml2 v2.13.8 addresses:

• CVE-2025-32414
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
• CVE-2025-32415
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890

Impact

CVE-2025-32414: No impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

There is no impact from this CVE for Nokogiri users.

CVE-2025-32415: Low impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

In the upstream issue, further context is provided by the maintainer:

The bug affects validation against untrusted XML Schemas (.xsd) and validation of untrusted
documents against trusted Schemas if they make use of xsd:keyref in combination with recursively
defined types that have additional identity constraints.

MITRE has published a severity score of 2.9 LOW (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.

Release Notes

1.18.7

v1.18.7 / 2025-03-31

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.13.7, which is a bugfix release.

sha256 checksums

57a064ab5440814a69a0e040817bd8154adea68a30d2ff2b3aa515a6a06dbb5f  nokogiri-1.18.7-aarch64-linux-gnu.gem
3e442dc5b69376e84288295fe37cbb890a21ad816a7e571e5e9967b3c1e30cd3  nokogiri-1.18.7-aarch64-linux-musl.gem
083abb2e9ed2646860f6b481a981485a658c6064caafaa81bf1cda1bada2e9d5  nokogiri-1.18.7-arm64-darwin.gem
337d9149deb5ae01022dff7c90f97bed81715fd586aacab0c5809ef933994c5e  nokogiri-1.18.7-arm-linux-gnu.gem
97a26edcc975f780a0822aaf7f7d7427c561067c1c9ee56bd3542960f0c28a6e  nokogiri-1.18.7-arm-linux-musl.gem
6b63ff5defe48f30d1d3b3122f65255ca91df2caf5378c6e0482ce73ff46fb31  nokogiri-1.18.7.gem
2cb83666f35619ec59d24d831bf492e49cfe27b112c222330ee929737f42f2eb  nokogiri-1.18.7-java.gem
681148fbc918aa5d54933d8b48aeb9462ab708d23409797ed750af961107f72b  nokogiri-1.18.7-x64-mingw-ucrt.gem
081d1aa517454ba3415304e2ea51fe411d6a3a809490d0c4aa42799cada417b7  nokogiri-1.18.7-x86_64-darwin.gem
3a0bf946eb2defde13d760f869b61bc8b0c18875afdd3cffa96543cfa3a18005  nokogiri-1.18.7-x86_64-linux-gnu.gem
9d83f8ec1fc37a305fa835d7ee61a4f37899e6ccc6dcb05be6645fa9797605af  nokogiri-1.18.7-x86_64-linux-musl.gem

1.18.6

v1.18.6 / 2025-03-24

Fixed

• [JRuby] In HTML documents, Node#attribute now returns the correct attribute. This has been broken, and returning nil, since v1.17.0. (#3487) @flavorjones

sha256 checksums

1b11f9a814068282cc2b47ebe61395b2a69d1918092d2ca3bd664074f72540e9  nokogiri-1.18.6-aarch64-linux-gnu.gem
797662f201c37a8feac3bd5b0c0e3447053bc71e6633d273fefd4c68b03e6a54  nokogiri-1.18.6-aarch64-linux-musl.gem
727a441d179d934b4b7c73e0e28e6723ee46463d96bb0cc6e2e33a13540962c4  nokogiri-1.18.6-arm64-darwin.gem
2da07a07ef4c9d9e9da809b3dc0937ed90b031e32c2c658d9918941b85d68b95  nokogiri-1.18.6-arm-linux-gnu.gem
e8ae1c9a4d8cfa7a92d632a6f596a88235ebe66d4b70418543378ba16c601f70  nokogiri-1.18.6-arm-linux-musl.gem
4d283431d7829719ea1287ca388f24c6ce343af736bbcbd1365cbdb83bce41a4  nokogiri-1.18.6.gem
bf16c53446987007ff3e1deb29d65d20444073ba112cb5bddbd2671135ba293c  nokogiri-1.18.6-java.gem
134f6d54f56edd46cb6db77c9d9de1704b3f83b3981a6763671e3cfbeba221f5  nokogiri-1.18.6-x64-mingw-ucrt.gem
fb72568c97ccd90a8d68cb765b0ff0720b109bd62e3babbf372e854ef8fef995  nokogiri-1.18.6-x86_64-darwin.gem
df065db6ba6e1e80f76ef04f860fcf260cc24685125fe33cdc3d1572a1c66b71  nokogiri-1.18.6-x86_64-linux-gnu.gem
75ec7a93cec54687aa63b2eaf830dc4ac5b4f3d8c969f20c035e67c9e6a30cef  nokogiri-1.18.6-x86_64-linux-musl.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

• version bump to v1.18.8
• dep: libxml2 to v2.13.8 (branch `v1.18.x`) (#3509)
• dep: libxml2 to v2.13.8
• version bump to v1.18.7
• dep: bump libxml2 to 2.13.7 (v1.18.x backport) (#3495)
• dep: bump libxml2 to 2.13.7
• dep(dev): drop Rubocop from JRuby deps
• version bump to v1.18.6
• fix(jruby): Node#attribute in HTML documents (v1.18.x) (#3492)
• fix(jruby): Node#attribute in HTML documents

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)