Comparing changes

base repository: sparklemotion/nokogiri
base: v1.19.1
head repository: sparklemotion/nokogiri
compare: v1.19.2
  • 4 commits
  • 11 files changed
  • 1 contributor

Commits on Mar 19, 2026

  1. Skip compressed file SAX test on libxml2 >= 2.15

    libxml2 2.15.0 requires callers to explicitly pass XML_PARSE_UNZIP to
    enable decompression. Until Nokogiri adds support for this option, skip
    the test on affected versions.
    
    Closes #3599
    flavorjones committed Mar 19, 2026
    b42e620
  2. dep: upgrade Saxon-HE from 9.6.0-4 to 12.7

    Saxon-HE is a transitive dependency of nu.validator:jing, which pins
    it to 9.6.0-4. The old version has CVEs in its transitive dependencies
    (dom4j, jdom) that trigger false positives in vulnerability scanners.
    
    Add Saxon-HE as an explicit dependency in the gemspec to override the
    transitive version. Saxon-HE 12.7 brings in a new required transitive
    dependency (org.xmlresolver:xmlresolver 5.3.3).
    
    Also fix the vendor_jars rake task to correctly handle Maven classifier
    artifacts (g:a:classifier:v) when building the JAR_DEPENDENCIES hash.
    
    Closes #3611
    flavorjones committed Mar 19, 2026
    acf9527
  3. dep: upgrade Saxon-HE from 9.6.0-4 to 12.7 [v1.19.x backport] (#3614)

    ## Summary
    
    Backport of #3613 to `v1.19.x` for a patch release.
    
    - Upgrade Saxon-HE from 9.6.0-4 to 12.7 to address CVEs in transitive
    dependencies (dom4j, jdom) that trigger false positives in vulnerability
    scanners
    - Add Saxon-HE as an explicit gemspec requirement to override the
    transitive version pinned by nu.validator:jing
    - Add new transitive dependency org.xmlresolver:xmlresolver 5.3.3
    (required by Saxon-HE 12.x)
    - Fix vendor_jars rake task to correctly handle Maven classifier
    artifacts (g:a:classifier:v)
    - Update LICENSE-DEPENDENCIES.md with xmlresolver license (Apache 2.0)
    
    Closes #3611
    
    ## Test plan
    
    - [x] Full JRuby test suite passes (2005 runs, 0 failures, 0 errors)
    - [ ] CI green
    flavorjones authored Mar 19, 2026
    6d4677f
  4. version bump to v1.19.2

    flavorjones committed Mar 19, 2026
    6f5d025