ci(deps): bump the bundler group across 1 directory with 13 updates

[dependabot]

Bumps the bundler group with 8 updates in the /spec/dummy directory:

Package	From	To
puma	6.6.0	7.2.1
actionview	8.0.2	8.0.4.1
addressable	2.8.7	2.9.0
erb	5.0.1	6.0.1.1
net-imap	0.5.8	0.5.14
rack	3.1.16	3.1.21
rack-session	2.1.1	2.1.2
rexml	3.4.1	3.4.2

Updates puma from 6.6.0 to 7.2.1

Release notes

Sourced from puma's releases.

v7.2.1

• Bugfixes
  • Limit and anchor PROXY protocol v1 parsing to prevent abuse via crafted inputs (#3947)
  • Parse PROXY protocol only once per connection to prevent injection on keep-alive requests (#3947)

Security advisories

• CVE-2026-47736 / GHSA-qpgp-93vx-g8v8: Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
• CVE-2026-47737 / GHSA-2vqw-3mp8-cgmx: Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections

v7.2.0 - On The Corner

• Features

  • Add workers :auto (#3827)
  • Make it possible to restrict control server commands to stats (#3787)

• Bugfixes

  • Don't break if WEB_CONCURRENCY is set to a blank string (#3837)
  • Don't share server between worker 0 and descendants on refork (#3602)
  • Fix phase check race condition in Puma::Cluster#check_workers (#3690)
  • Fix advertising of CLI config before config files are loaded (#3823)

• Performance

  • 17% faster HTTP parsing through pre-interning env keys (#3825)
  • Implement dsize and dcompact functions for Puma::HttpParser, which makes Puma's C-extension GC-compactible (#3828)

• Refactor

  • Remove NoMethodError rescue in Reactor#select_loop (#3831)
  • Various cleanups in the C extension (#3814)
  • Monomorphize handle_request return (#3802)

• Docs

  • Change link to docs/deployment.md in README.md (#3848)
  • Fix formatting for each signal description in signals.md (#3813)
  • Update deployment and Kubernetes docs with Puma configuration tips (#3807)
  • Rename master to main (#3809, #3808, #3800)
  • Fix some minor typos in the docs (#3804)
  • Add GOVERNANCE.md, MAINTAINERS (#3826)
  • Remove Code Climate badge (#3820)
  • Add @​joshuay03 to the maintainer list

• CI

  • Use Minitest 6 where applicable (#3859)
  • Many test suite improvements and flake fixes (#3861, #3863, #3860, #3852, #3857, #3856, #3845, #3843, #3842, #3841, #3822, #3817, #3764)

v7.1.0

7.1.0 / 2025-10-16 - Neon Witch

• Features

... (truncated)

Changelog

Sourced from puma's changelog.

7.2.1 / 2026-05-27

• Bugfixes
  • Limit and anchor PROXY protocol v1 parsing to prevent abuse via crafted inputs (#3947)
  • Parse PROXY protocol only once per connection to prevent injection on keep-alive requests (#3947)

7.2.0 / 2026-01-20

• Features

  • Add workers :auto (#3827)
  • Make it possible to restrict control server commands to stats (#3787)

• Bugfixes

  • Don't break if WEB_CONCURRENCY is set to a blank string (#3837)
  • Don't share server between worker 0 and descendants on refork (#3602)
  • Fix phase check race condition in Puma::Cluster#check_workers (#3690)
  • Fix advertising of CLI config before config files are loaded (#3823)

• Performance

  • 17% faster HTTP parsing through pre-interning env keys (#3825)
  • Implement dsize and dcompact functions for Puma::HttpParser, which makes Puma's C-extension GC-compactible (#3828)

• Refactor

  • Remove NoMethodError rescue in Reactor#select_loop (#3831)
  • Various cleanups in the C extension (#3814)
  • Monomorphize handle_request return (#3802)

• Docs

  • Change link to docs/deployment.md in README.md (#3848)
  • Fix formatting for each signal description in signals.md (#3813)
  • Update deployment and Kubernetes docs with Puma configuration tips (#3807)
  • Rename master to main (#3809, #3808, #3800)
  • Fix some minor typos in the docs (#3804)
  • Add GOVERNANCE.md, MAINTAINERS (#3826)
  • Remove Code Climate badge (#3820)
  • Add @​joshuay03 to the maintainer list

• CI

  • Use Minitest 6 where applicable (#3859)
  • Many test suite improvements and flake fixes (#3861, #3863, #3860, #3852, #3857, #3856, #3845, #3843, #3842, #3841, #3822, #3817, #3764)

7.1.0 / 2025-10-16

• Features

  • Introduce after_worker_shutdown hook (#3707)
  • Reintroduce keepalive "fast inline" behavior. Provides faster (8x on JRuby & 1.4x on Ruby) pipeline processing (#3794)

• Bugfixes

  • Skip reading zero bytes when request body is buffered (#3795)
  • Fix PUMA_LOG_CONFIG=1 logging twice with prune_bundler enabled (#3778)

... (truncated)

Commits

• 92754ac Release v7.2.1 (#3948)
• ebe9db3 7.2.1 backport (#3947)
• 96b5aa6 v7.2.0 (#3864)
• 5d7d1dd Add workers :auto (#3827)
• b8c4783 ci: fix ci - remove append_as_bytes logic, misc changes (#3861)
• 44a3ac4 Fix PR label manager when maintainer comments [ci skip] (#3863)
• 43f5d89 Add GOVERNANCE.md, MAINTAINERS (#3826)
• 21afa66 Use Minitest 6 where applicable (#3859)
• ec7dd61 ci: Update test_http11.rb for TruffleRuby - string size (#3860)
• fa89dbe ci: add ruby 4.0 and rails 8.1 (#3852)
• Additional commits viewable in compare view

Updates actionview from 8.0.2 to 8.0.4.1

Release notes

Sourced from actionview's releases.

8.0.4.1

Active Support

• Reject scientific notation in NumberConverter

  [CVE-2026-33176]

  Jean Boussier

• Fix SafeBuffer#% to preserve unsafe status

  [CVE-2026-33170]

  Jean Boussier

• Improve performance of NumberToDelimitedConverter

  [CVE-2026-33169]

  Jean Boussier

Active Model

• No changes.

Active Record

• No changes.

Action View

• Skip blank attribute names in tag helpers to avoid generating invalid HTML.

  [CVE-2026-33168]

  Mike Dalessio

Action Pack

• No changes.

Active Job

• No changes.

... (truncated)

Commits

• a79efed Preparing for 8.0.4.1 release
• ac7979b Update changelog
• c79a07d Skip blank attribute names in Action View tag helpers
• 624fe3c Preparing for 8.0.4 release
• 2f3eb21 Sync CHANGELOG
• 9ab450a Merge pull request #55490 from Earlopain/bump-rubocop
• 95bee6a Merge pull request #55738 from skipkayhil/hm-nkxzsnnrqqlyrotw
• 529f933 Preparing for 8.0.3 release
• 6409b24 Merge pull request #55719 from skipkayhil/hm-fix-label-for-namespace
• 0160f42 Sync CHANGELOGs
• Additional commits viewable in compare view

Updates activerecord from 8.0.2 to 8.0.4.1

Release notes

Sourced from activerecord's releases.

8.0.4.1

Active Support

• Reject scientific notation in NumberConverter

  [CVE-2026-33176]

  Jean Boussier

• Fix SafeBuffer#% to preserve unsafe status

  [CVE-2026-33170]

  Jean Boussier

• Improve performance of NumberToDelimitedConverter

  [CVE-2026-33169]

  Jean Boussier

Active Model

• No changes.

Active Record

• No changes.

Action View

• Skip blank attribute names in tag helpers to avoid generating invalid HTML.

  [CVE-2026-33168]

  Mike Dalessio

Action Pack

• No changes.

Active Job

• No changes.

... (truncated)

Commits

• a79efed Preparing for 8.0.4.1 release
• 624fe3c Preparing for 8.0.4 release
• 2f3eb21 Sync CHANGELOG
• 6981fd2 Merge pull request #55969 from rails/fix-explain-tests-mysql-9.5
• 52347e0 Merge pull request #55938 from aidanharan/truthy-condition-mssql
• d282621 Merge pull request #55925 from flavorjones/flavorjones/shard-swap-prohibition...
• 511dbf2 Merge pull request #55907 from ruyrocha/fix/sqlite3-data-loss
• bf9219d Merge pull request #55918 from baarde/with-bound-sql-literals
• 865bc77 Merge pull request #55332 from zzak/re-54882
• dee79c4 Merge pull request #55778 from ianterrell/ianterrell/fix-autosave-changed-via...
• Additional commits viewable in compare view

Updates activestorage from 8.0.2 to 8.0.4.1

Release notes

Sourced from activestorage's releases.

8.0.4.1

Active Support

• Reject scientific notation in NumberConverter

  [CVE-2026-33176]

  Jean Boussier

• Fix SafeBuffer#% to preserve unsafe status

  [CVE-2026-33170]

  Jean Boussier

• Improve performance of NumberToDelimitedConverter

  [CVE-2026-33169]

  Jean Boussier

Active Model

• No changes.

Active Record

• No changes.

Action View

• Skip blank attribute names in tag helpers to avoid generating invalid HTML.

  [CVE-2026-33168]

  Mike Dalessio

Action Pack

• No changes.

Active Job

• No changes.

... (truncated)

Commits

• a79efed Preparing for 8.0.4.1 release
• ac7979b Update changelog
• 955284d Prevent glob injection in ActiveStorage DiskService#delete_prefixed
• a290c8a Prevent path traversal in ActiveStorage DiskService
• 8fcb934 Active Storage: Filter user supplied metadata in DirectUploadController
• d7da4ef ActiveStorage::Streaming limit range requests to a single range
• 2cd933c Configurable maxmimum streaming chunk size
• 624fe3c Preparing for 8.0.4 release
• 82f2c96 Disable GCS tests in CI
• 529f933 Preparing for 8.0.3 release
• Additional commits viewable in compare view

Updates activesupport from 8.0.2 to 8.0.4.1

Release notes

Sourced from activesupport's releases.

8.0.4.1

Active Support

• Reject scientific notation in NumberConverter

  [CVE-2026-33176]

  Jean Boussier

• Fix SafeBuffer#% to preserve unsafe status

  [CVE-2026-33170]

  Jean Boussier

• Improve performance of NumberToDelimitedConverter

  [CVE-2026-33169]

  Jean Boussier

Active Model

• No changes.

Active Record

• No changes.

Action View

• Skip blank attribute names in tag helpers to avoid generating invalid HTML.

  [CVE-2026-33168]

  Mike Dalessio

Action Pack

• No changes.

Active Job

• No changes.

... (truncated)

Commits

• a79efed Preparing for 8.0.4.1 release
• ac7979b Update changelog
• 29154f1 Improve performance of NumberToDelimitedConverter
• 6e8a811 Fix SafeBuffer#% to preserve unsafe status
• ee2c59e NumberConverter: reject scientific notation
• 5b6ad9d Lock some dependencies
• 624fe3c Preparing for 8.0.4 release
• 0ddf2c9 Delete test that now fails with new version of benchmark gem
• 3c7a8a8 Merge pull request #55864 from RicardoTrindade/patch-2
• 00e1dfa Merge pull request #55840 from zzak/asup-xml-mini-bigdecimal-float-precision
• Additional commits viewable in compare view

Updates addressable from 2.8.7 to 2.9.0

Changelog

Sourced from addressable's changelog.

Addressable 2.9.0

• fixes ReDoS vulnerability in Addressable::Template#match (fixes incomplete remediation in 2.8.10)

Addressable 2.8.10

• fixes ReDoS vulnerability in Addressable::Template#match

Addressable 2.8.9

• Reduce gem size by excluding test files (#569)
• No need for bundler as development dependency (#571, 5fc1d93)
• idna/pure: stop building the useless COMPOSITION_TABLE (removes the Addressable::IDNA::COMPOSITION_TABLE constant) (#564)

#569: sporkmonger/addressable#569 #571: sporkmonger/addressable#571 #564: sporkmonger/addressable#564

Addressable 2.8.8

• Replace the unicode.data blob by a ruby constant (#561)
• Allow public_suffix 7 (#558)

#561: sporkmonger/addressable#561 #558: sporkmonger/addressable#558

Commits

• 0c3e858 Revving version and changelog
• 91915c1 Fixing additional vulnerable paths
• a091e39 Add many more adversarial test cases to ensure we don't have any ReDoS regres...
• 463a819 Regenerate gemspec on newer rubygems
• 0afcb0b Improve from O(n^2) to O(n)
• c87f768 Fix a ReDoS vulnerability in URI template matching
• 0d7e9b2 Fix links for 2.8.9 in CHANGELOG (#573)
• e209120 Update version, gemspec, and CHANGELOG for 2.8.9 (#572)
• 3875874 Reduce gem size by excluding test files (#569)
• 3e57cc6 CI: back to windows-2022 for MRI job
• Additional commits viewable in compare view

Updates erb from 5.0.1 to 6.0.1.1

Release notes

Sourced from erb's releases.

v6.0.1.1

Full Changelog: ruby/erb@v6.0.1...v6.0.1.1

v6.0.1

What's Changed

• Fix typo in changelog by @​hunchr in ruby/erb#96
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in ruby/erb#97
• Bump step-security/harden-runner from 2.13.1 to 2.13.2 by @​dependabot[bot] in ruby/erb#98
• Fixed by misspell -w -error -source=text by @​hsbt in ruby/erb#99
• Freeze ERB::Compiler::TrimScanner::ERB_STAG by @​osyoyu in ruby/erb#100

New Contributors

• @​hunchr made their first contribution in ruby/erb#96
• @​osyoyu made their first contribution in ruby/erb#100

Full Changelog: ruby/erb@v6.0.0...v6.0.1

v6.0.0

What's Changed

• Update the latest versions of actions: push-gem.yml by @​hsbt in ruby/erb#90
• Fix typo in documentation by @​suy in ruby/erb#91
• Fix tag shown in example of ERB expression tag and execution tag by @​sampart in ruby/erb#92
• [DOC] Suppress documentation for internals by @​nobu in ruby/erb#93
• Replace Ruby 3.5 with Ruby 4.0 by @​yahonda in ruby/erb#94
• Reapply "Remove safe_level and further positional arguments (#7)" by @​k0kubun in ruby/erb#95

New Contributors

• @​suy made their first contribution in ruby/erb#91
• @​sampart made their first contribution in ruby/erb#92
• @​yahonda made their first contribution in ruby/erb#94

Full Changelog: ruby/erb@v5.1.3...v6.0.0

v5.1.3

Full Changelog: ruby/erb@v5.1.2...v5.1.3

v5.1.2

What's Changed

• Refactor html_escape by @​noteflakes in ruby/erb#88
• Add changelog_uri to spec metadata by @​jgarber623 in ruby/erb#89

New Contributors

• @​jgarber623 made their first contribution in ruby/erb#89

Full Changelog: ruby/erb@v5.1.1...v5.1.2

Changelog

Sourced from erb's changelog.

6.0.1.1

• Prohibit def_method on marshal-loaded ERB instances

6.0.1

• Freeze ERB::Compiler::TrimScanner::ERB_STAG for Ractor compatibility

6.0.0

• Remove safe_level and further positional arguments from ERB.new
• Remove deprecated constant ERB::Revision

5.1.3

• Release v5.1.2 with trusted publishing for JRuby

5.1.2

• Add changelog_uri to spec metadata ruby/erb#89

5.1.1

• Fix integer overflow that is introduced at v5.1.0

5.1.0

• html_escape: Avoid buffer allocation for strings with no escapable character ruby/erb#87

5.0.3

• Update help of erb(1) #85

5.0.2

• Declare escape functions as Ractor-safe #63

Commits

• 9345076 Version 6.0.1.1
• dd34ce4 Prohibit def_method on marshal-loaded ERB instances
• bbde68f Version 6.0.1
• 43f0876 Freeze ERB::Compiler::TrimScanner::ERB_STAG (#100)
• 2aa3a68 Fixed by misspell -w -error -source=text (#99)
• f91b260 Bump step-security/harden-runner from 2.13.1 to 2.13.2 (#98)
• 543500f Bump actions/checkout from 5 to 6 (#97)
• b23452a Fix typo in changelog (#96)
• bbaaf1f Version 6.0.0
• 1f83b25 Drop a deprecated constant ERB::Revision
• Additional commits viewable in compare view

Updates net-imap from 0.5.8 to 0.5.14

Release notes

Sourced from net-imap's releases.

v0.5.14

What's Changed

🔒 Security

This release contains fixes for multiple vulnerabilities concerning STARTTLS stripping, argument validation, and denial of service attacks.

[!WARNING] ruby/net-imap#665 fixes a STARTTLS stripping vulnerability (GHSA-vcgp-9326-pqcp). Without this fix, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS.

[!IMPORTANT] Argument validation is significantly improved. Several command injection vulnerabilities have been fixed: ruby/net-imap#662 fixes CRLF/command/argument injection via Symbol arguments (GHSA-75xq-5h9v-w6px). ruby/net-imap#662 fixes CRLF/command/argument injection via the attr argument to #store/#uid_store (GHSA-hm49-wcqc-g2xg) ruby/net-imap#662 fixes CRLF/command/argument injection via the storage_limit argument to #setquota (GHSA-hm49-wcqc-g2xg). ruby/net-imap#662 fixes CRLF/command injection via RawData (GHSA-hm49-wcqc-g2xg):

• #search and #uid_search send criteria as raw data, when it is a String
• #fetch and #uid_fetch send attr as raw data, when it is a String. When attr is an Array, its String members are sent as raw data.

[!CAUTION] RawData does not defend against other forms of argument injection! It is an intentionally low-level API.

[!NOTE] Two denial of service vulnerabilities have been addressed. These are generally only relevant when connecting to an untrusted hostile server (or without TLS).

ruby/net-imap#650 fixes quadratic time complexity when reading large responses containing many string literals (GHSA-q2mw-fvj9-vvcw). ruby/net-imap#656 adds a configurable max_iterations count for SCRAM-* authentication (GHSA-87pf-fpwv-p7m7).

Added

• 🔒 Add ScramAuthenticator#max_iterations (backports #654) in ruby/net-imap#656, reported by @​Masamuneee

Fixed

• 🔒 Fix STARTTLS stripping vulnerability (backports #664) in ruby/net-imap#665, reported by @​Masamuneee
• 🔒 Fix CRLF injection vulnerabilities (backports #657, #658, #659, #660, #636, #661) in ruby/net-imap#662, reported by @​manunio
• ⚡ Much faster ResponseReader performance (backports #642) in ruby/net-imap#650, reported by @​Masamuneee
• 🐛 Config version_defaults should be attr_reader (backports #594) by @​nevans in ruby/net-imap#631
• 🐛 Wait to continue RawData literals (backports #660) by @​nevans in ruby/net-imap#662

Other Changes

• ♻️ Improve internal literal sending (partially backports #616, #649) by @​nevans in ruby/net-imap#652

Miscellaneous

• ✅ Fix Data polyfill tests for ruby 4.1 by @​nevans in ruby/net-imap#632

Full Changelog: ruby/net-imap@v0.5.13...v0.5.14

v0.5.13

What's Changed

... (truncated)

Commits

• 4063bc1 🔖 Bump version to 0.5.14
• f79d35b 🔀 Merge pull request #665 from ruby/backport/v0.5/STARTTLS-stripping
• b3ad198 🍒 pick 24d5c773d: 🔒🥅 Handle tagged "OK" to incomplete command [backport #664]
• 7a233c5 🍒 pick 62eea6ffe: 🔒🥅 Ensure STARTTLS tagged response was handled [backport #664]
• a530fa7 🍒 pick 46636cae8: ❌🔒 Add failing test for STARTTLS stripping [backport #664]
• 6bf02ae 🔀 Merge pull request #662 from ruby/backport/v0.5/raw_data-warnings
• fa478c5 🍒 pick be32e712e: 📚 Improve documentation of RawData arguments [backports #661]
• ca0ca5d 🍒 pick 47c72186d: 🐛 Validate RawData and wait to continue literals [backports...
• 3116c7d 🍒 pick 0ec4fd351: 🥅 Validate #setquota storage limit argument [backports #659]
• bbe901a 🍒 pick 0ea729c78: 📚 Update QUOTA rdoc, params, attrs to match RFCs [backports...
• Additional commits viewable in compare view

Updates nokogiri from 1.18.8 to 1.19.3

Release notes

Sourced from nokogiri's releases.

v1.19.3 / 2026-04-27

Fixed / Security

• Address exponential regex backtracking in CSS selector tokenizer. See GHSA-c4rq-3m3g-8wgx for more information.
• [CRuby] Address memory leak in XSLT::Stylesheet#transform. See GHSA-v2fc-qm4h-8hqv for more information.

46b89e5d7b9e844c2ee360794240c6ea2a4e6fa0c5892a4ed487db621224b639  nokogiri-1.19.3-aarch64-linux-gnu.gem
8392dfdcd21be7a94dbbe9ccc138dea01b97b24cb2dc02a114ca98bfb1d9a0b7  nokogiri-1.19.3-aarch64-linux-musl.gem
3919d5ffc334ad778a4a9eb88fda7dcb8b1fb58c8a52ac640c6dcd2f038e774f  nokogiri-1.19.3-arm-linux-gnu.gem
9ce1cb6346bb9c67b1550eb537aa183ead91e4b6eadb2f36ade02d8dd2a79fb6  nokogiri-1.19.3-arm-linux-musl.gem
71b9bd424b1b7abc18b05052a1a3cfd3627abdca62be280854cc411791357e42  nokogiri-1.19.3-arm64-darwin.gem
40ea6ebf5cf2005dae1dee26dd557d3afb41fb6de6c9764aca8cf06fdb841db1  nokogiri-1.19.3-java.gem
8bb7132cad356c879a1286eaabcb5e68326cb2490317984280fbc62f456d506a  nokogiri-1.19.3-x64-mingw-ucrt.gem
77f3fba57d46c53ab31e62fc6c28f705109d1bf6264356c76f132b2be5728d4d  nokogiri-1.19.3-x86_64-darwin.gem
2f5078620fe12e83669b5b17311b32532a8153d02eee7ad06948b926d6080976  nokogiri-1.19.3-x86_64-linux-gnu.gem
248c906d2166eca5efb56d52fdee5f9a1f51d69a72e2b64fdac647b4ce39ea3f  nokogiri-1.19.3-x86_64-linux-musl.gem
78312cbac32a40c812780d9678221b79d51288eec00054c1a8d15f7ce05960e8  nokogiri-1.19.3.gem

v1.19.2 / 2026-03-19

Dependencies

• [JRuby] Saxon-HE is updated to 12.7, from 9.6.0-4. Saxon-HE is a transitive dependency of nu.validator:jing, and this update addresses CVEs in Saxon-HE's own transitive dependencies JDOM and dom4j. We don't think this warrants a security release, however we're cutting a patch release to help users whose security scanners are flagging this. #3611 @​flavorjones

SHA256 Checksums

c34d5c8208025587554608e98fd88ab125b29c80f9352b821964e9a5d5cfbd19  nokogiri-1.19.2-aarch64-linux-gnu.gem
7f6b4b0202d507326841a4f790294bf75098aef50c7173443812e3ac5cb06515  nokogiri-1.19.2-aarch64-linux-musl.gem
b7fa1139016f3dc850bda1260988f0d749934a939d04ef2da13bec060d7d5081  nokogiri-1.19.2-arm-linux-gnu.gem
61114d44f6742ff72194a1b3020967201e2eb982814778d130f6471c11f9828c  nokogiri-1.19.2-arm-linux-musl.gem
58d8ea2e31a967b843b70487a44c14c8ba1866daa1b9da9be9dbdf1b43dee205  nokogiri-1.19.2-arm64-darwin.gem
e9d67034bc80ca71043040beea8a91be5dc99b662daa38a2bfb361b7a2cc8717  nokogiri-1.19.2-java.gem
8ccf25eea3363a2c7b3f2e173a3400582c633cfead27f805df9a9c56d4852d1a  nokogiri-1.19.2-x64-mingw-ucrt.gem
7d9af11fda72dfaa2961d8c4d5380ca0b51bc389dc5f8d4b859b9644f195e7a4  nokogiri-1.19.2-x86_64-darwin.gem
fa8feca882b73e871a9845f3817a72e9734c8e974bdc4fbad6e4bc6e8076b94f  nokogiri-1.19.2-x86_64-linux-gnu.gem
93128448e61a9383a30baef041bf1f5817e22f297a1d400521e90294445069a8  nokogiri-1.19.2-x86_64-linux-musl.gem
38fdd8b59db3d5ea9e7dfb14702e882b9bf819198d5bf976f17ebce12c481756  nokogiri-1.19.2.gem

Full Changelog: sparklemotion/nokogiri@v1.19.1...v1.19.2

v1.19.1 / 2026-02-16

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.19.3 / 2026-04-27

Fixed / Security

• Address exponential regex backtracking in CSS selector tokenizer. See GHSA-c4rq-3m3g-8wgx for more information.
• [CRuby] Address memory leak in XSLT::Stylesheet#transform. See GHSA-v2fc-qm4h-8hqv for more information.

v1.19.2 / 2026-03-19

Dependencies

• [JRuby] Saxon-HE is updated to 12.7, from 9.6.0-4. Saxon-HE is a transitive dependency of nu.validator:jing, and this update addresses CVEs in Saxon-HE's own transitive dependencies JDOM and dom4j. We don't think this warrants a security release, however we're cutting a patch release to help users whose security scanners are flagging this. #3611 @​flavorjones

v1.19.1 / 2026-02-16

Security

• [CRuby] Address unchecked return value from xmlC14NExecute which was a contributing cause to ruby-saml GHSA-x4h9-gwv3-r4m4. See GHSA-wx95-c6cv-8532 for more information.

v1.19.0 / 2025-12-28

Ruby

This release is focused on changes to Ruby version support, and is otherwise functionally identical to v1.18.10.

• Introduce native gem support for Ruby 4.0. #3590
• End support for Ruby 3.1, for which upstream support ended 2025-03-26.
• End support for JRuby 9.4 (which targets Ruby 3.1 compatibility).

v1.18.10 / 2025-09-15

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.13.9. Note that the security fixes published in v2.13.9 were already present in Nokogiri v1.18.9.
• [CRuby] [Windows and MacOS] Vendored libiconv is updated to v1.18

v1.18.9 / 2025-07-20

Security

• [CRuby] Applied upstream libxml2 patches to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796. See GHSA-353f-x4gh-cqq8 for more information.

Commits

• c139a3d version bump to v1.19.3
• 7501a63 fix: backtracking in CSS tokenizer rules (v1.19.x backport) (#3627)
• 03e7968 test: skip CSS tokenizer benchmarks on JRuby
• b984b7e fix: ReDoS in CSS tokenizer ident rule
• 0092623 fix: ReDoS in CSS tokenizer STRING rule
• ee17d33 fix: memory leak in XSLT transform (backport to v1.19.x) (#3624)
• ce188a3 doc: update CHANGELOG
• caeaac4 fix: memory leak in XSLT transform
• 25220bf dep(test): test against libxml-ruby v6 (#3618)
• 0caeb21 doc: add security warnings for untrusted XSLT stylesheets
• Additional commits viewable in compare view

Updates rack from 3.1.16 to 3.1.21

Changelog

Sourced from rack's changelog.

[3.1.21] - 2026-04-01

Security

• CVE-2026-34763 Root directory disclosure via unescaped regex interpolation in Rack::Directory.
• CVE-2026-34230 Avoid O(n^2) algorithm in Rack::Utils.select_best_encoding which could lead to denial of service.
• CVE-2026-32762 Forwarded header semicolon injection enables Host and Scheme spoofing.
• CVE-2026-26961 Raise error for multipart requests with multiple boundary parameters.
• CVE-2026-34786 Rack::Static header_rules bypass via URL-encoded path mismatch.
• CVE-2026-34831 Content-Length mismatch in Rack::Files error responses.
• CVE-2026-34826 Multipart byte range processing allows denial of service via excessive overlapping ranges.
• CVE-2026-34835 Rack::Request accepts invalid Host characters, enabling host allowlist bypass.
• CVE-2026-34830 Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect.
• CVE-2026-34785 Rack::Static prefix matching can expose unintended files under the static root.
• CVE-2026-34829 Multipart parsing without Content-Length header allows unbounded chunked file uploads.
• CVE-2026-34827 Multipart header parsing allows denial of service via escape-heavy quoted parameters.

[3.1.20] - 2026-02-16

Security

• CVE-2026-25500 XSS injection via malicious filename in Rack::Directory.
• CVE-2026-22860 Directory traversal via root prefix bypass in Rack::Directory.

[3.1.19] - 2025-11-03

Fixed

• Multipart parser: limit MIME header size check to the unread buffer region to avoid false multipart mime part header too large errors when previously read data accumulates in the scan buffer. (#2392, @​alpaca-tc, @​willnet, @​krororo)

[3.1.18] - 2025-10-10

Security

• CVE-2025-61780 Improper handling of headers in Rack::Sendfile may allow proxy bypass.
• CVE-2025-61919 Unbounded read in Rack::Request form parsing can lead to memory exhaustion.

[3.1.17] - 2025-10-07

Security

• CVE-2025-61772 Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
• CVE-2025-61771 Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
• CVE-2025-61770 Unbounded multipart preamble buffering enables DoS (memory exhaustion)

Commits

• ae84311 Bump patch version.
• 87961c3 Fix typo in test.
• fd1c23d Add logger to gemfile.
• c59d924 Fix test expectation.
• 176f468 Add Ruby v4.0 to the test matrix.
• 2856934 Drop EOL Rubies from external tests.
• 17ce783 Limit the number of quoted escapes during multipart parsing
• 367a2a0 Add Content-Length size check in Rack::Multipart::Parser
• a17cb99 Fix root prefix bug in Rack::Static
• 59a0966 Only do a simple substitution on the x-accel-mapping paths
• Additional commits viewable in compare view

Updates rack-session from 2.1.1 to 2.1.2

Release notes

Sourced from rack-session's releases.

v2.1.2

• CVE-2026-39324 Don't fall back to unencrypted coder if encryptors are present.

Changelog

Sourced from rack-session's changelog.

v2.1.2

• CVE-2026-39324 Don't fall back to unencrypted coder if encryptors are present.

Commits

• 504367b Bump patch version.
• f43638c Don't fall back to unencrypted coder if encryptors are present.
• dadcfe6 Bump actions/checkout from 4 to 5 (#54)
• 4eb9ea8 Add top level session spec to validate existing formats.
• 8f94577 Add rails to external tests.

[p204-helm]

⚠️ Auto-merge skipped: This update requires manual review (likely a major version change).

[p204-helm]

🔍 CI Quality Check

✅ CI Status: success

✅ Tests passed
✅ Code quality passed
✅ Security scan passed
✅ Compatibility passed

View Details →