Skip to content

Bump nokogiri from 1.19.2 to 1.19.3#256

Merged
thc202 merged 1 commit into
mainfrom
dependabot/bundler/nokogiri-1.19.3
Apr 28, 2026
Merged

Bump nokogiri from 1.19.2 to 1.19.3#256
thc202 merged 1 commit into
mainfrom
dependabot/bundler/nokogiri-1.19.3

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Apr 27, 2026

Bumps nokogiri from 1.19.2 to 1.19.3.

Changelog

Sourced from nokogiri's changelog.

v1.19.3 / 2026-04-27

Fixed / Security

  • Address exponential regex backtracking in CSS selector tokenizer. See GHSA-c4rq-3m3g-8wgx for more information.
  • [CRuby] Address memory leak in XSLT::Stylesheet#transform. See GHSA-v2fc-qm4h-8hqv for more information.
Commits
  • c139a3d version bump to v1.19.3
  • 7501a63 fix: backtracking in CSS tokenizer rules (v1.19.x backport) (#3627)
  • 03e7968 test: skip CSS tokenizer benchmarks on JRuby
  • b984b7e fix: ReDoS in CSS tokenizer ident rule
  • 0092623 fix: ReDoS in CSS tokenizer STRING rule
  • ee17d33 fix: memory leak in XSLT transform (backport to v1.19.x) (#3624)
  • ce188a3 doc: update CHANGELOG
  • caeaac4 fix: memory leak in XSLT transform
  • 25220bf dep(test): test against libxml-ruby v6 (#3618)
  • 0caeb21 doc: add security warnings for untrusted XSLT stylesheets
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump nokogiri from 1.19.2 to 1.19.3
6cd15d7 
Bumps [nokogiri](https://github.com/sparklemotion/nokogiri) from 1.19.2 to 1.19.3.
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.19.2...v1.19.3)

---
updated-dependencies:
- dependency-name: nokogiri
  dependency-version: 1.19.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code labels Apr 27, 2026
@thc202 thc202 merged commit 8d96ac5 into main Apr 28, 2026
2 checks passed
@dependabot dependabot Bot deleted the dependabot/bundler/nokogiri-1.19.3 branch April 28, 2026 06:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thc202 thc202 thc202 approved these changes

@kingthorin kingthorin kingthorin approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@thc202 @kingthorin