Bump the bundler group across 1 directory with 5 updates

[dependabot]

Bumps the bundler group with 5 updates in the / directory:

Package	From	To
addressable	2.5.2	2.8.0
faraday	0.15.2	2.14.1
nokogiri	1.14.3	1.18.9
rubyzip	1.2.1	1.3.0
tzinfo	1.2.5	1.2.10

Updates addressable from 2.5.2 to 2.8.0

Changelog

Sourced from addressable's changelog.

Addressable 2.8.0

• fixes ReDoS vulnerability in Addressable::Template#match
• no longer replaces + with spaces in queries for non-http(s) schemes
• fixed encoding ipv6 literals
• the :compacted flag for normalized_query now dedupes parameters
• fix broken escape_component alias
• dropping support for Ruby 2.0 and 2.1
• adding Ruby 3.0 compatibility for development tasks
• drop support for rack-mount and remove Addressable::Template#generate
• performance improvements
• switch CI/CD to GitHub Actions

Addressable 2.7.0

• added :compacted flag to normalized_query
• heuristic_parse handles mailto: more intuitively
• dropped explicit support for JRuby 9.0.5.0
• compatibility w/ public_suffix 4.x
• performance improvements

Addressable 2.6.0

• added tld= method to allow assignment to the public suffix
• most heuristic_parse patterns are now case-insensitive
• heuristic_parse handles more file:// URI variations
• fixes bug in heuristic_parse when uri starts with digit
• fixes bug in request_uri= with query strings
• fixes template issues with nil and ? operator
• frozen_string_literal pragmas added
• minor performance improvements in regexps
• fixes to eliminate warnings

Commits

• 6469a23 Updating gemspec again
• 2433638 Merge branch 'main' of github.com:sporkmonger/addressable into main
• e9c76b8 Merge pull request #378 from ashmaroli/flat-map
• 56c5cf7 Update the gemspec
• c1fed1c Require a non-vulnerable rake
• 0d8a312 Adding note about ReDoS vulnerability
• 89c7613 Merge branch 'template-regexp' into main
• cf8884f Note about alias fix
• bb03f71 Merge pull request #371 from charleystran/add_missing_encode_component_doc_entry
• 6d1d809 Adding note about :compacted normalization
• Additional commits viewable in compare view

Updates faraday from 0.15.2 to 2.14.1

Release notes

Sourced from faraday's releases.

v2.14.1

Security Note

This release contains a security fix, we recommend all users to upgrade as soon as possible. A Security Advisory with more details will be posted shortly.

What's Changed

• Add comprehensive AI agent guidelines for Claude, Cursor, and GitHub Copilot by @​Copilot in lostisland/faraday#1642
• Add RFC document for Options architecture refactoring plan by @​Copilot in lostisland/faraday#1644
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in lostisland/faraday#1655
• Explicit top-level namespace reference by @​c960657 in lostisland/faraday#1657

New Contributors

• @​Copilot made their first contribution in lostisland/faraday#1642

Full Changelog: lostisland/faraday@v2.14.0...v2.14.1

v2.14.0

What's Changed

New features ✨

• Use newer UnprocessableContent naming for 422 by @​tylerhunt in lostisland/faraday#1638

Fixes 🐞

• Convert strings to UTF-8 by @​c960657 in lostisland/faraday#1624
• Fix Response#to_hash when response not finished yet by @​yykamei in lostisland/faraday#1639

Misc/Docs 📄

• Lint: use filter_map by @​olleolleolle in lostisland/faraday#1637
• Bump actions/checkout from v4 to v5 by @​dependabot[bot] in lostisland/faraday#1636
• Fixes documentation by @​dharamgollapudi in lostisland/faraday#1635

New Contributors

• @​c960657 made their first contribution in lostisland/faraday#1624
• @​dharamgollapudi made their first contribution in lostisland/faraday#1635
• @​tylerhunt made their first contribution in lostisland/faraday#1638

Full Changelog: lostisland/faraday@v2.13.4...v2.14.0

v2.13.4

What's Changed

• Improve error handling logic and add missing test coverage by @​iMacTia in lostisland/faraday#1633

Full Changelog: lostisland/faraday@v2.13.3...v2.13.4

v2.13.3

What's Changed

• Fix type assumption in Faraday::Error by @​iMacTia in lostisland/faraday#1630

... (truncated)

Changelog

Sourced from faraday's changelog.

Faraday Changelog

The changelog has moved!

This file is not being updated anymore. Instead, please check the Releases page.

2.2.0 (2022-02-03)

• Reintroduce the possibility to register middleware with symbols, strings or procs in #1391

2.1.0 (2022-01-15)

• Fix test adapter thread safety by @​iMacTia in #1380
• Add default adapter options by @​hirasawayuki in #1382
• CI: Add Ruby 3.1 to matrix by @​petergoldstein in #1374
• docs: fix regex pattern in logger.md examples by @​hirasawayuki in #1378

2.0.1 (2022-01-05)

• Re-add faraday-net_http as default adapter by @​iMacTia in #1366
• Updated sample format in UPGRADING.md by @​vimutter in #1361
• docs: Make UPGRADING examples more copyable by @​olleolleolle in #1363

2.0.0 (2022-01-04)

The next major release is here, and it comes almost 2 years after the release of v1.0!

This release changes the way you use Faraday and embraces a new paradigm of Faraday as an ecosystem, rather than a library.

What does that mean? It means that Faraday is less of a bundled tool and more of a framework for the community to build on top of.

As a result, all adapters and some middleware have moved out and are now shipped as standalone gems 🙌!

But this doesn't mean that upgrading from Faraday 1.x to Faraday 2.0 should be hard, in fact we've listed everything you need to do in the UPGRADING.md doc.

Moreover, we've setup a new awesome-faraday repository that will showcase a curated list of adapters and middleware 😎.

This release was the result of the efforts of the core team and all the contributors, new and old, that have helped achieve this milestone 👏.

What's Changed

• Autoloading, dependency loading and middleware registry cleanup by @​iMacTia in #1301
• Move JSON middleware (request and response) from faraday_middleware by @​iMacTia in #1300
• Remove deprecated Faraday::Request#method by @​olleolleolle in #1303
• Remove deprecated Faraday::UploadIO by @​iMacTia in #1307
• [1.x] Deprecate Authorization helpers in Faraday::Connection by @​iMacTia in #1306
• Drop deprecated auth helpers from Connection and refactor auth middleware by @​iMacTia in #1308
• Add Faraday 1.x examples in authentication.md docs by @​iMacTia in #1320
• Fix passing a URL with embedded basic auth by @​iMacTia in #1324
• Register JSON middleware by @​mollerhoj in #1331

... (truncated)

Commits

• 16cbd38 Version bump to 2.14.1
• a6d3a3a Merge commit from fork
• b23f710 Explicit top-level namespace reference (#1657)
• 49ba4ac Bump actions/checkout from 5 to 6 (#1655)
• 51a49bc Ensure Claude reads the guidelines and allow to plan in a gitignored .ai/PLAN...
• 894f65c Add RFC document for Options architecture refactoring plan (#1644)
• 397e3de Add comprehensive AI agent guidelines for Claude, Cursor, and GitHub Copilot ...
• d98c65c Update Faraday-specific AI agent guidelines
• 56c18ec Add AI agent guidelines specific to Faraday repository
• 3201a42 Version bump to 2.14.0
• Additional commits viewable in compare view

Updates nokogiri from 1.14.3 to 1.18.9

Release notes

Sourced from nokogiri's releases.

v1.18.9 / 2025-07-20

Security

• [CRuby] Applied upstream libxml2 patches to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796. See GHSA-353f-x4gh-cqq8 for more information.

5bcfdf7aa8d1056a7ad5e52e1adffc64ef53d12d0724fbc6f458a3af1a4b9e32  nokogiri-1.18.9-aarch64-linux-gnu.gem
55e9e6ca46c4ad1715e313f407d8481d15be1e3b65d9f8e52ba1c124d01676a7  nokogiri-1.18.9-aarch64-linux-musl.gem
eea3f1f06463ff6309d3ff5b88033c4948d0da1ab3cc0a3a24f63c4d4a763979  nokogiri-1.18.9-arm64-darwin.gem
fe611ae65880e445a9c0f650d52327db239f3488626df4173c05beafd161d46e  nokogiri-1.18.9-arm-linux-gnu.gem
935605e14c0ba17da18d203922440bf6c0676c602659278d855d4622d756a324  nokogiri-1.18.9-arm-linux-musl.gem
ac5a7d93fd0e3cef388800b037407890882413feccca79eb0272a2715a82fa33  nokogiri-1.18.9.gem
1fe5b7aa4a054eda689a969bb4e03999960a6ea806582d327207d687168bceb5  nokogiri-1.18.9-java.gem
6b4fc1523aa0370c78653e38c94cb50e7f3ab786425de66ba7ad24222c1164a3  nokogiri-1.18.9-x64-mingw-ucrt.gem
e0d2deb03d3d7af8016e8c9df5ff4a7d692159cefb135cbb6a4109f265652348  nokogiri-1.18.9-x86_64-darwin.gem
b52f5defedc53d14f71eeaaf990da66b077e1918a2e13088b6a96d0230f44360  nokogiri-1.18.9-x86_64-linux-gnu.gem
e69359d6240c17e64cc9f43970d54f13bfc7b8cc516b819228f687e953425e69  nokogiri-1.18.9-x86_64-linux-musl.gem

v1.18.8 / 2025-04-21

Security

• [CRuby] Vendored libxml2 is updated to v2.13.8 to address CVE-2025-32414 and CVE-2025-32415. See GHSA-5w6v-399v-w3cc for more information.

36badd2eb281fca6214a5188e24a34399b15d89730639a068d12931e2adc210e  nokogiri-1.18.8-aarch64-linux-gnu.gem
664e0f9a77a7122a66d6c03abba7641ca610769a4728db55ee1706a0838b78a2  nokogiri-1.18.8-aarch64-linux-musl.gem
483b5b9fb33653f6f05cbe00d09ea315f268f0e707cfc809aa39b62993008212  nokogiri-1.18.8-arm64-darwin.gem
17de01ca3adf9f8e187883ed73c672344d3dbb3c260f88ffa1008e8dc255a28e  nokogiri-1.18.8-arm-linux-gnu.gem
6e6d7e71fc39572bd613a82d528cf54392c3de1ba5ce974f05c832b8187a040b  nokogiri-1.18.8-arm-linux-musl.gem
8c7464875d9ca7f71080c24c0db7bcaa3940e8be3c6fc4bcebccf8b9a0016365  nokogiri-1.18.8.gem
41002596960ff854198a20aaeb34cff0d445406d5ad85ba7ca9c3fd0c8f03de0  nokogiri-1.18.8-java.gem
11ab0f76772c5f2d718fb253fca5b74c6ef7628b72bbf8deba6ab1ffc93344cf  nokogiri-1.18.8-x64-mingw-ucrt.gem
024cdfe7d9ae3466bba6c06f348fb2a8395d9426b66a3c82f1961b907945cc0c  nokogiri-1.18.8-x86_64-darwin.gem
4a747875db873d18a2985ee2c320a6070c4a414ad629da625fbc58d1a20e5ecc  nokogiri-1.18.8-x86_64-linux-gnu.gem
ddd735fba49475a395b9ea793bb6474e3a3125b89960339604d08a5397de1165  nokogiri-1.18.8-x86_64-linux-musl.gem

v1.18.7 / 2025-03-31

Dependencies

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.18.9 / 2025-07-20

Security

• [CRuby] Applied upstream libxml2 patches to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796. See GHSA-353f-x4gh-cqq8 for more information.

v1.18.8 / 2025-04-21

Security

• [CRuby] Vendored libxml2 is updated to v2.13.8 to address CVE-2025-32414 and CVE-2025-32415. See GHSA-5w6v-399v-w3cc for more information.

v1.18.7 / 2025-03-31

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.13.7, which is a bugfix release.

v1.18.6 / 2025-03-24

Fixed

• [JRuby] In HTML documents, Node#attribute now returns the correct attribute. This has been broken, and returning nil, since v1.17.0. (#3487) @​flavorjones

v1.18.5 / 2025-03-19

Fixed

• [JRuby] Update JRuby's XML serialization so it outputs namespaces exactly like CRuby. (#3455, #3456) @​johnnyshields

v1.18.4 / 2025-03-14

Security

• [CRuby] Vendored libxslt is updated to v1.1.43 to address CVE-2025-24855 and CVE-2024-55549. See GHSA-mrxw-mxhj-p664 for more information.

v1.18.3 / 2025-02-18

Security

• [CRuby] Vendored libxml2 is updated v2.13.6 to address CVE-2025-24928 and CVE-2024-56171. See GHSA-vvfq-8hwr-qm4m for more information.

v1.18.2 / 2024-01-19

... (truncated)

Commits

• 1dcd8ce version bump to v1.18.9
• a05d2b4 Apply upstream patches to address multiple vulnerabilities (#3526)
• 947a55e Apply upstream patches to address multiple vulnerabilities
• 9187f4a version bump to v1.18.8
• 1deea04 dep: libxml2 to v2.13.8 (branch v1.18.x) (#3509)
• 6457fe6 dep: libxml2 to v2.13.8
• 13e8aa4 version bump to v1.18.7
• 605699d dep: bump libxml2 to 2.13.7 (v1.18.x backport) (#3495)
• 804e590 dep: bump libxml2 to 2.13.7
• 52bf15b dep(dev): drop Rubocop from JRuby deps
• Additional commits viewable in compare view

Updates rubyzip from 1.2.1 to 1.3.0

Release notes

Sourced from rubyzip's releases.

v1.3.0

Security

• Add validate_entry_sizes option so that callers can trust an entry's reported size when using extract #403
  • This option defaults to false for backward compatibility in this release, but you are strongly encouraged to set it to true. It will default to true in rubyzip 2.0.

New Feature

• Add add_stored method to simplify adding entries without compression #366

Tooling / Documentation

• Add more gem metadata links #402

v1.2.4

• Do not rewrite zip files opened with open_buffer that have not changed #360

Tooling / Documentation

• Update example_recursive.rb in README #397
• Hold CI at trusty for now, automatically pick the latest ruby patch version, use rbx-4 and hold jruby at 9.1 #399

v1.2.3

• Allow tilde in zip entry names #391 (fixes regression in 1.2.2 from #376)
• Support frozen string literals in more files #390
• Require pathname explicitly #388 (fixes regression in 1.2.2 from #376)

Tooling / Documentation:

• CI updates #392, #394
  • Bump supported ruby versions and add 2.6
  • JRuby failures are no longer ignored (reverts #375 / part of #371)
• Add changelog entry that was missing for last release #387
• Comment cleanup #385

Since the GitHub release information for 1.2.2 is missing, I will also include it here:

1.2.2

NB: This release drops support for extracting symlinks, because there was no clear way to support this securely. See rubyzip/rubyzip#376 for details.

• Fix CVE-2018-1000544 #376 / #371
• Fix NoMethodError: undefined method `glob' #363
• Fix handling of stored files (i.e. files not using compression) with general purpose bit 3 set #358
• Fix close on StringIO-backed zip file #353
• Add Zip.force_entry_names_encoding option #340
• Update rubocop, apply auto-fixes, and fix regressions caused by said auto-fixes #332, #355
• Save temporary files to temporary directory (rather than current directory) #325

Tooling / Documentation:

... (truncated)

Changelog

Sourced from rubyzip's changelog.

1.3.0 (2019-09-25)

Security

• Add validate_entry_sizes option so that callers can trust an entry's reported size when using extract #403
  • This option defaults to false for backward compatibility in this release, but you are strongly encouraged to set it to true. It will default to true in rubyzip 2.0.

New Feature

• Add add_stored method to simplify adding entries without compression #366

Tooling / Documentation

• Add more gem metadata links #402

1.2.4 (2019-09-06)

• Do not rewrite zip files opened with open_buffer that have not changed #360

Tooling / Documentation

• Update example_recursive.rb in README #397
• Hold CI at trusty for now, automatically pick the latest ruby patch version, use rbx-4 and hold jruby at 9.1 #399

1.2.3

• Allow tilde in zip entry names #391 (fixes regression in 1.2.2 from #376)
• Support frozen string literals in more files #390
• Require pathname explicitly #388 (fixes regression in 1.2.2 from #376)

Tooling / Documentation:

• CI updates #392, #394
  • Bump supported ruby versions and add 2.6
  • JRuby failures are no longer ignored (reverts #375 / part of #371)
• Add changelog entry that was missing for last release #387
• Comment cleanup #385

1.2.2

NB: This release drops support for extracting symlinks, because there was no clear way to support this securely. See rubyzip/rubyzip#376 for details.

• Fix CVE-2018-1000544 #376 / #371
• Fix NoMethodError: undefined method `glob' #363
• Fix handling of stored files (i.e. files not using compression) with general purpose bit 3 set #358
• Fix close on StringIO-backed zip file #353
• Add Zip.force_entry_names_encoding option #340
• Update rubocop, apply auto-fixes, and fix regressions caused by said auto-fixes #332, #355
• Save temporary files to temporary directory (rather than current directory) #325

... (truncated)

Commits

• e79d9ea Merge pull request #407 from rubyzip/v1-3-0
• 7c65e1e Bump version to 1.3.0
• d65fe7b Merge pull request #403 from rubyzip/check-size
• 97cb6ae Warn when an entry size is invalid
• 7849f73 Default validate_entry_sizes to false for 1.3 release
• 4167f0c Validate entry sizes when extracting
• 94b7fa2 [ci skip] Update changelog
• 93505ca Check expected entry size in add_stored test
• 6619bf3 Merge pull request #366 from hainesr/add-stored
• ecb2776 Zip::File.add_stored() to add uncompressed files.
• Additional commits viewable in compare view

Updates tzinfo from 1.2.5 to 1.2.10

Release notes

Sourced from tzinfo's releases.

v1.2.10

• Fixed a relative path traversal bug that could cause arbitrary files to be loaded with require when used with RubyDataSource. Please refer to GHSA-5cm2-9h8c-rvfx for details. CVE-2022-31163.
• Ignore the SECURITY file from Arch Linux's tzdata package. #134.

TZInfo v1.2.10 on RubyGems.org

v1.2.9

• Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

TZInfo v1.2.9 on RubyGems.org

v1.2.8

• Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
• Rubinius is no longer supported.

TZInfo v1.2.8 on RubyGems.org

v1.2.7

• Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
• Fixed warnings when running on Ruby 2.8. #112.

TZInfo v1.2.7 on RubyGems.org

v1.2.6

• Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.
• Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
• Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.
• Fixed warnings when running on Ruby 2.7. #106 and #111.

TZInfo v1.2.6 on RubyGems.org

Changelog

Sourced from tzinfo's changelog.

Version 1.2.10 - 19-Jul-2022

• Fixed a relative path traversal bug that could cause arbitrary files to be loaded with require when used with RubyDataSource. Please refer to GHSA-5cm2-9h8c-rvfx for details. CVE-2022-31163.
• Ignore the SECURITY file from Arch Linux's tzdata package. #134.

Version 1.2.9 - 16-Dec-2020

• Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

Version 1.2.8 - 8-Nov-2020

• Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. The 64-bit section is now always used regardless of whether Time has support for 64-bit times. #120.
• Rubinius is no longer supported.

Version 1.2.7 - 2-Apr-2020

• Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
• Fixed warnings when running on Ruby 2.8. #112.

Version 1.2.6 - 24-Dec-2019

• Timezone#strftime('%s', time) will now return the correct number of seconds since the epoch. #91.
• Removed the unused TZInfo::RubyDataSource::REQUIRE_PATH constant.
• Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode.
• Fixed warnings when running on Ruby 2.7. #106 and #111.

Commits

• 0814dcd Fix the release date.
• fd05e2a Preparing v1.2.10.
• b98c32e Merge branch 'fix-directory-traversal-1.2' into 1.2
• ac3ee68 Remove unnecessary escaping of + within regex character classes.
• 9d49bf9 Fix relative path loading tests.
• 394c381 Remove private_constant for consistency and compatibility.
• 5e9f990 Exclude Arch Linux's SECURITY file from the time zone index.
• 17fc9e1 Workaround for 'Permission denied - NUL' errors with JRuby on Windows.
• 6bd7a51 Update copyright years.
• 9905ca9 Fix directory traversal in Timezone.get when using Ruby data source
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.