dependabot[bot] opened a new pull request, #255:
URL: https://github.com/apache/datasketches-website/pull/255

   Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.19.3 to 
1.19.4.
   <details>
   <summary>Release notes</summary>
   <p><em>Sourced from <a href="https://github.com/sparklemotion/nokogiri/releases">nokogiri's releases</a>.</em></p>
   <blockquote>
   <h2>v1.19.4 / 2026-06-18</h2>
   <h3>Security</h3>
   <ul>
   <li>[CRuby] (Low) Fixed a possible invalid memory read when <code>XML::Node#initialize_copy_with_args</code> is called with an argument that is not a <code>Node</code>. See <a href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-g9g8-vgvw-g3vf">GHSA-g9g8-vgvw-g3vf</a> for more information.</li>
   <li>[CRuby] (Low) Fixed a possible use-after-free when an <code>XML::XPathContext</code> is used after its source document has been garbage collected. See <a href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-p67v-3w7g-wjg7">GHSA-p67v-3w7g-wjg7</a> for more information.</li>
   <li>[CRuby] (Low) Fixed a possible use-after-free during XInclude processing via <code>Node#do_xinclude</code>. See <a href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wfpw-mmfh-qq69">GHSA-wfpw-mmfh-qq69</a> for more information.</li>
   <li>[CRuby] (Low) Fixed a possible use-after-free when <code>Document#root=</code> is assigned a non-element node. See <a href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wjv4-x9w8-wm3h">GHSA-wjv4-x9w8-wm3h</a> for more information.</li>
   <li>[CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via <code>XML::Attr#value=</code> or <code>#content=</code>. See <a href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-phwj-rprq-35pp">GHSA-phwj-rprq-35pp</a> for more information.</li>
   <li>[CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via <code>allocate</code>); these now raise instead of crashing the process. See <a href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-9cv2-cfxc-v4v2">GHSA-9cv2-cfxc-v4v2</a> for more information.</li>
   <li>[CRuby] (Low) Fixed a possible use-after-free when <code>Document#encoding=</code> raises an exception. See <a href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5v8h-3h3q-446p">GHSA-5v8h-3h3q-446p</a> for more information.</li>
   <li>[CRuby] (Medium) Fixed an out-of-bounds read in <code>XML::NodeSet#[]</code> (alias <code>#slice</code>) when given a large negative index. See <a href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5prr-v3j2-97mh">GHSA-5prr-v3j2-97mh</a> for more information.</li>
   <li>[JRuby] (Low) <code>XML::Schema</code> now enforces the <code>NONET</code> parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See <a href="https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-8678-w3jw-xfc2">GHSA-8678-w3jw-xfc2</a> for more information.</li>
   </ul>
   </blockquote>
   </details>
   <details>
   <summary>Commits</summary>
   <ul>
   <li><a href="https://github.com/sparklemotion/nokogiri/commit/8cfb9daae9ee4a0837508eab43c40fbc8c4138c9"><code>8cfb9da</code></a> version bump to v1.19.4</li>
   <li><a href="https://github.com/sparklemotion/nokogiri/commit/a856d1e46bda04ef47a0bd2b9eefe86df1eb0bb2"><code>a856d1e</code></a> fix: JRuby NONET bypass in XML::Schema (v1.19.x) (<a href="https://redirect.github.com/sparklemotion/nokogiri/issues/3639">#3639</a>)</li>
   <li><a href="https://github.com/sparklemotion/nokogiri/commit/6a0aa1e7042ea58e10db713d4984c692a8db1a30"><code>6a0aa1e</code></a> fix(CRuby): use-after-free in Document#encoding= when setter raises (v1.19.x)...</li>
   <li><a href="https://github.com/sparklemotion/nokogiri/commit/f658a54ab2df58a3525967c339edce9649c197d4"><code>f658a54</code></a> fix: JRuby NONET bypass in XML::Schema</li>
   <li><a href="https://github.com/sparklemotion/nokogiri/commit/39d26fea52cda8ac15313561824fd0bc018818aa"><code>39d26fe</code></a> fix(CRuby): use-after-free in Document#encoding= when setter raises</li>
   <li><a href="https://github.com/sparklemotion/nokogiri/commit/04a09ddd67a4b573eb5c634655c2fb857e0436ad"><code>04a09dd</code></a> fix(CRuby): out-of-bounds read in NodeSet#[] with large negative index (v1.19...</li>
   <li><a href="https://github.com/sparklemotion/nokogiri/commit/7799fbd325f9f5e10fcccc77daaa903949a9d545"><code>7799fbd</code></a> fix: avoid NPE on uninitialized XML::Node structs (v1.19.x) (<a href="https://redirect.github.com/sparklemotion/nokogiri/issues/3645">#3645</a>)</li>
   <li><a href="https://github.com/sparklemotion/nokogiri/commit/ef19e1329c39f885e980b301f33fb233f3431d14"><code>ef19e13</code></a> fix(CRuby): avoid UAF in XML::Attr#value= (v1.19.x) (<a href="https://redirect.github.com/sparklemotion/nokogiri/issues/3644">#3644</a>)</li>
   <li><a href="https://github.com/sparklemotion/nokogiri/commit/5524fa97868ae26dfd74d700aba256b117262267"><code>5524fa9</code></a> fix: <code>Document#root=</code> rejects non-element nodes (v1.19.x) (<a href="https://redirect.github.com/sparklemotion/nokogiri/issues/3643">#3643</a>)</li>
   <li><a href="https://github.com/sparklemotion/nokogiri/commit/9891ad1092a265ae1cef220c377ebbabc9fde622"><code>9891ad1</code></a> fix(CRuby): use-after-free in XPathContext document lifetime (v1.19.x) (<a href="https://redirect.github.com/sparklemotion/nokogiri/issues/3641">#3641</a>)</li>
   <li>Additional commits viewable in <a href="https://github.com/sparklemotion/nokogiri/compare/v1.19.3...v1.19.4">compare view</a></li>
   </ul>
   </details>
   
   Dependabot will resolve any conflicts with this PR as long as you don't 
alter it yourself. You can also trigger a rebase manually by commenting 
`@dependabot rebase`.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

