
Bump nokogiri from 1.19.0 to 1.19.1 #22855

Open

ebembi-crdb wants to merge 1 commit into main from dependabot/nokogiri-1.19.1

Conversation

@ebembi-crdb (Contributor)

Summary

  • Upgrades nokogiri from 1.19.0 to 1.19.1 across all platform variants in src/current/Gemfile.lock
  • Fixes GHSA-wx95-c6cv-8532: Nokogiri::XML::Document#canonicalize and Nokogiri::XML::Node#canonicalize failed to check the return value of xmlC14NExecute, silently returning an empty string on failure instead of raising an exception. This was demonstrated to enable SAML signature validation bypass in downstream libraries.

Closes https://github.com/cockroachdb/docs/security/dependabot/13

Test plan

  • Verify CI passes
  • Confirm no regressions in Jekyll build

Fixes GHSA-wx95-c6cv-8532: nokogiri did not check the return value
from xmlC14NExecute, allowing silent canonicalization failures that
could enable SAML signature validation bypass in downstream libraries.
Upgrade to 1.19.1 resolves this.
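The summary above says what the bug was (an unchecked xmlC14NExecute return turned into an empty string) but not why an empty canonical form is exploitable. The following is an added example, not code from this PR, from nokogiri, or from any SAML library: it models the reference-digest step of an XML-DSig check with a hypothetical `Reference` struct and two hypothetical verifiers, `digest_matches_lenient?` (hashes whatever canonicalize returned, which is what a caller of pre-1.19.1 nokogiri effectively did) and `digest_matches_strict?` (fails closed on empty output). The forged sample's DigestValue is Base64(SHA-256("")), a value anyone can precompute; the element names and canonical bytes are constructed for the example and are not real SAML.

```ruby
require 'openssl'

# Hypothetical stand-in for one XML-DSig <Reference>: the bytes canonicalize
# returned for the referenced node, plus the DigestValue the signer claims.
Reference = Struct.new(:canonical_bytes, :digest_value_b64, keyword_init: true)

class CanonicalizationError < StandardError; end

# Strict base64 via pack/unpack so the example needs no gems beyond openssl.
def sha256_b64(bytes)
  [OpenSSL::Digest::SHA256.digest(bytes)].pack('m0')
end

# Constant-time byte comparison so the verifier does not leak digest bytes by timing.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Vulnerable pattern: trusts whatever came back from canonicalize, including "".
# With nokogiri < 1.19.1 a failed xmlC14NExecute surfaced as "" here, so the
# check collapses to "is DigestValue the SHA-256 of the empty string?".
def digest_matches_lenient?(ref)
  constant_time_eq?(OpenSSL::Digest::SHA256.digest(ref.canonical_bytes.to_s),
                    ref.digest_value_b64.unpack1('m0'))
end

# Hardened pattern: an empty canonical form is a canonicalization failure, never a
# document. nokogiri 1.19.1 raises inside #canonicalize itself; keeping this guard
# in the verifier stays fail-closed on any canonicalizer that silently returns "".
def digest_matches_strict?(ref)
  c14n = ref.canonical_bytes
  raise CanonicalizationError, "canonicalization produced no output" if c14n.nil? || c14n.empty?
  constant_time_eq?(OpenSSL::Digest::SHA256.digest(c14n),
                    ref.digest_value_b64.unpack1('m0'))
end

# Constructed samples. GENUINE is a signer's honest digest over a canonical form.
# FORGED pairs the "" a failed canonicalize returned with the DigestValue an
# attacker precomputes: Base64(SHA-256("")).
GENUINE_C14N = '<saml:Assertion ID="_constructed">ok</saml:Assertion>'
GENUINE = Reference.new(canonical_bytes: GENUINE_C14N, digest_value_b64: sha256_b64(GENUINE_C14N))
FORGED  = Reference.new(canonical_bytes: "", digest_value_b64: "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=")

if $PROGRAM_NAME == __FILE__
  puts "genuine, lenient: #{digest_matches_lenient?(GENUINE)}"
  puts "forged,  lenient: #{digest_matches_lenient?(FORGED)}"   # true: the bypass
  begin
    digest_matches_strict?(FORGED)
  rescue CanonicalizationError => e
    puts "forged,  strict:  rejected (#{e.message})"
  end
end
```

The lenient verifier accepts the forged reference because the digest of the empty string is public knowledge; the strict one never reaches the comparison. Upgrading nokogiri removes the source of the empty string, and a downstream verifier that also refuses empty canonical output does not depend on every canonicalizer it might be given behaving correctly.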
@netlify

netlify bot commented Feb 26, 2026

Deploy Preview for cockroachdb-interactivetutorials-docs canceled.

Name Link
🔨 Latest commit 96c2cc8
🔍 Latest deploy log https://app.netlify.com/projects/cockroachdb-interactivetutorials-docs/deploys/69a04fd2fe6fb40008dba447

@netlify

netlify bot commented Feb 26, 2026

Deploy Preview for cockroachdb-api-docs canceled.

Name Link
🔨 Latest commit 96c2cc8
🔍 Latest deploy log https://app.netlify.com/projects/cockroachdb-api-docs/deploys/69a04fd2f1599d0008fc99e5

@github-actions

Files changed:

  • src/current/Gemfile.lock

@netlify

netlify bot commented Feb 26, 2026

Netlify Preview

Name Link
🔨 Latest commit 96c2cc8
🔍 Latest deploy log https://app.netlify.com/projects/cockroachdb-docs/deploys/69a04fd2929e5f0007fdf4c1
😎 Deploy Preview https://deploy-preview-22855--cockroachdb-docs.netlify.app


src/current/Gemfile.lock
 BUNDLED WITH
-   4.0.6
+   2.7.2
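Review bot: the BUNDLED WITH downgrade from 4.0.6 to 2.7.2 is outside this PR's stated scope (nokogiri 1.19.0 to 1.19.1 in src/current/Gemfile.lock) and means the lockfile was regenerated with a different Bundler than the one previously recorded. Regenerate the lockfile with the Bundler version already recorded so the only delta is the nokogiri entries, or state in the PR description why the Bundler version changed.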
Contributor (review comment on src/current/Gemfile.lock):

The lockfile’s BUNDLED WITH was changed from 4.0.6 → 2.7.2. Was that intentional? If not, can you regenerate the Gemfile.lock using the repo’s canonical Bundler
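The PR body says the bump covers every platform variant in src/current/Gemfile.lock, and the review comment above flags a BUNDLED WITH change the description does not mention. The script below is an added example, not part of this PR or of Bundler: a small Gemfile.lock audit that lists every locked row of a gem below the advisory's fixed version, one per platform variant, and reports a Bundler downgrade between two lockfiles. `parse_lockfile`, `vulnerable_specs` and `bundler_downgraded?` are hypothetical names; the two embedded lockfiles are constructed to mirror the before and after states described on this page, not the repository's actual file.

```ruby
require 'rubygems'

LockedGem = Struct.new(:name, :version, :platform, keyword_init: true)

# Parses the parts of a Gemfile.lock this audit needs: every locked spec under
# GEM/GIT/PATH (four-space indent, "name (version[-platform])") and the
# BUNDLED WITH version. Dependency lines (six-space indent) are skipped.
def parse_lockfile(text)
  gems = []
  bundled_with = nil
  section = nil
  text.each_line do |raw|
    line = raw.chomp
    if line.match?(/\A[A-Z][A-Z ]*\z/)      # GEM, PLATFORMS, DEPENDENCIES, BUNDLED WITH, ...
      section = line
      next
    end
    case section
    when "GEM", "GIT", "PATH"
      if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
        # "1.19.0-x86_64-linux-gnu": the part after the first "-" is the platform
        # and must be split off, or Gem::Version would read it as a prerelease tag
        # and sort the native variant below the plain 1.19.0 release.
        version, platform = m[2].split("-", 2)
        gems << LockedGem.new(name: m[1], version: Gem::Version.new(version), platform: platform || "ruby")
      end
    when "BUNDLED WITH"
      bundled_with = Gem::Version.new(line.strip) unless line.strip.empty?
    end
  end
  { gems: gems, bundled_with: bundled_with }
end

# Every locked row of `name` older than the version the advisory says fixes it,
# one per platform variant, so a bump that missed a variant shows up.
def vulnerable_specs(lock, name, fixed_in)
  floor = Gem::Version.new(fixed_in)
  lock[:gems].select { |g| g.name == name && g.version < floor }
end

# A dependency bump should not change the Bundler that wrote the lockfile.
def bundler_downgraded?(before, after)
  !!(before[:bundled_with] && after[:bundled_with] && after[:bundled_with] < before[:bundled_with])
end

# Constructed lockfiles (not the repository's file) mirroring the states this page describes.
LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.19.0)
        racc (~> 1.4)
      nokogiri (1.19.0-arm64-darwin)
        racc (~> 1.4)
      nokogiri (1.19.0-x86_64-linux-gnu)
        racc (~> 1.4)
      racc (1.8.1)

  PLATFORMS
    arm64-darwin
    ruby
    x86_64-linux-gnu

  DEPENDENCIES
    nokogiri

  BUNDLED WITH
     4.0.6
LOCK

LOCK_AFTER = LOCK_BEFORE.gsub("1.19.0", "1.19.1").sub("4.0.6", "2.7.2")

if $PROGRAM_NAME == __FILE__
  before = parse_lockfile(LOCK_BEFORE)
  after  = parse_lockfile(LOCK_AFTER)
  [["before", before], ["after", after]].each do |label, lock|
    rows = vulnerable_specs(lock, "nokogiri", "1.19.1")
    puts "#{label}: #{rows.size} nokogiri row(s) below 1.19.1: #{rows.map(&:platform).join(', ')}"
  end
  puts "BUNDLED WITH downgraded: #{bundler_downgraded?(before, after)}"
end
```

Against real files, call `parse_lockfile(File.read("src/current/Gemfile.lock"))` on the base and head checkouts; a non-empty `vulnerable_specs` result on the head means a platform variant was not bumped, and `bundler_downgraded?` reproduces the check the reviewer made by hand.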
