dep: update libxml2 to v2.13.6 (main branch) (#3438)

**What problem is this PR intended to solve?** Forward-port #3437 to `main`.
sparklemotion · Feb 19, 2025 · 130b173 · 130b173
2 parents b06b5d1 + 4374b2b
commit 130b173
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 13 deletions.
diff --git a/.github/workflows/downstream.yml b/.github/workflows/downstream.yml
@@ -16,7 +16,6 @@ on:
     types: [opened, synchronize]
     branches:
       - '*'
-
 jobs:
   downstream:
     name: downstream-${{matrix.name}}

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,6 +20,20 @@ Nokogiri follows [Semantic Versioning](https://semver.org/), please see the [REA
 * [CRuby] Update to rake-compiler-dock v1.9.1 for building precompiled native gems. (#3404, #3418) @flavorjones
 
 
+## v1.18.3 / 2025-02-18
+
+### Security
+
+* [CRuby] Vendored libxml2 is updated [v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6) to address CVE-2025-24928 and CVE-2024-56171. See [GHSA-vvfq-8hwr-qm4m](https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m) for more information.
+
+
+## v1.18.2 / 2024-01-19
+
+### Fixed
+
+* When performing a CSS selector query, an XML document's root namespace declarations should not be applied to wildcard selectors (`"*"`). Fixes a bug introduced in v1.17.0. (#3411) @flavorjones
+
+
 ## v1.18.1 / 2024-12-29
 
 ### Fixed

diff --git a/dependencies.yml b/dependencies.yml
@@ -1,8 +1,8 @@
 ---
 libxml2:
-  version: "2.13.5"
-  sha256: "74fc163217a3964257d3be39af943e08861263c4231f9ef5b496b6f6d4c7b2b6"
-  # sha-256 hash provided in https://download.gnome.org/sources/libxml2/2.13/libxml2-2.13.5.sha256sum
+  version: "2.13.6"
+  sha256: "f453480307524968f7a04ec65e64f2a83a825973bcd260a2e7691be82ae70c96"
+  # sha-256 hash provided in https://download.gnome.org/sources/libxml2/2.13/libxml2-2.13.6.sha256sum
 
 libxslt:
   version: "1.1.42"

diff --git a/ext/nokogiri/extconf.rb b/ext/nokogiri/extconf.rb
@@ -240,15 +240,7 @@ def zlib_source(version_string)
 end
 
 def gnome_source
-  # As of 2022-02-20, some mirrors have expired SSL certificates. I'm able to retrieve from my home,
-  # but whatever host is resolved on the github actions workers see an expired cert.
-  #
-  # See https://github.com/sparklemotion/nokogiri/runs/5266206403?check_suite_focus=true
-  if ENV["NOKOGIRI_USE_CANONICAL_GNOME_SOURCE"]
-    "https://download.gnome.org"
-  else
-    "https://muug.ca/mirror/gnome" # old reliable
-  end
+  "https://download.gnome.org"
 end
 
 LOCAL_PACKAGE_RESPONSE = Object.new