Skip to content

build(deps): Bump the bundler group across 1 directory with 3 updates#485

Open
dependabot[bot] wants to merge 1 commit intotrunkfrom
dependabot/bundler/bundler-3204bbbcd8
Open

build(deps): Bump the bundler group across 1 directory with 3 updates#485
dependabot[bot] wants to merge 1 commit intotrunkfrom
dependabot/bundler/bundler-3204bbbcd8

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 4, 2026

Bumps the bundler group with 2 updates in the / directory: activesupport and addressable.

Updates activesupport from 8.1.2 to 8.1.2.1

Release notes

Sourced from activesupport's releases.

8.1.2.1

Active Support

  • Reject scientific notation in NumberConverter

    [CVE-2026-33176]

    Jean Boussier

  • Fix SafeBuffer#% to preserve unsafe status

    [CVE-2026-33170]

    Jean Boussier

  • Improve performance of NumberToDelimitedConverter

    [CVE-2026-33169]

    Jean Boussier

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • Skip blank attribute names in tag helpers to avoid generating invalid HTML.

    [CVE-2026-33168]

    Mike Dalessio

Action Pack

  • Fix possible XSS in DebugExceptions middleware

    [CVE-2026-33167]

    John Hawthorn

... (truncated)

Changelog

Sourced from activesupport's changelog.

Rails 8.1.2.1 (March 23, 2026)

  • Reject scientific notation in NumberConverter

    [CVE-2026-33176]

    Jean Boussier

  • Fix SafeBuffer#% to preserve unsafe status

    [CVE-2026-33170]

    Jean Boussier

  • Improve performance of NumberToDelimitedConverter

    [CVE-2026-33169]

    Jean Boussier

Commits
  • 1db4b89 Preparing for 8.1.2.1 release
  • 1c7d1cf Update changelog
  • ec1a0e2 Improve performance of NumberToDelimitedConverter
  • 50d732a Fix SafeBuffer#% to preserve unsafe status
  • 19dbab5 NumberConverter: reject scientific notation
  • See full diff in compare view

Updates addressable from 2.8.9 to 2.9.0

Changelog

Sourced from addressable's changelog.

Addressable 2.9.0

  • fixes ReDoS vulnerability in Addressable::Template#match (fixes incomplete remediation in 2.8.10)

Addressable 2.8.10

  • fixes ReDoS vulnerability in Addressable::Template#match
Commits
  • 0c3e858 Revving version and changelog
  • 91915c1 Fixing additional vulnerable paths
  • a091e39 Add many more adversarial test cases to ensure we don't have any ReDoS regres...
  • 463a819 Regenerate gemspec on newer rubygems
  • 0afcb0b Improve from O(n^2) to O(n)
  • c87f768 Fix a ReDoS vulnerability in URI template matching
  • See full diff in compare view

Updates json from 2.18.1 to 2.19.5

Release notes

Sourced from json's releases.

v2.19.5

What's Changed

  • Cap the parser to emit a maximum of 5 deprecation warnings per document. Emitting more is not helpful.

Full Changelog: ruby/json@v2.19.4...v2.19.5

v2.19.4

What's Changed

  • Fix parsing of out of range floats (very large exponents that lead to either 0.0 or Inf).

Full Changelog: ruby/json@v2.19.2...v2.19.4

v2.19.3

  • Fix handling of unescaped control characters preceeded by a backslash.

Full Changelog: ruby/json@v2.19.2...v2.19.3

v2.19.2

What's Changed

  • Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: ruby/json@v2.19.1...v2.19.2

v2.19.1

What's Changed

  • Fix a compiler dependent GC bug introduced in 2.18.0.

Full Changelog: ruby/json@v2.19.0...v2.19.1

v2.19.0

What's Changed

  • Fix allow_blank parsing option to no longer allow invalid types (e.g. load([], allow_blank: true) now raise a type error).
  • Add allow_invalid_escape parsing option to ignore backslashes that aren't followed by one of the valid escape characters.

Full Changelog: ruby/json@v2.18.1...v2.19.0

Changelog

Sourced from json's changelog.

2026-05-04 (2.19.5)

  • Cap the parser to emit a maximum of 5 deprecation warnings per document. Emitting more is not helpful.

2026-04-19 (2.19.4)

  • Fix parsing of out of range floats (very large exponents that lead to either 0.0 or Inf).

2026-03-25 (2.19.3)

  • Fix handling of unescaped control characters preceeded by a backslash.

2026-03-18 (2.19.2)

  • Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210.

2026-03-08 (2.19.1)

  • Fix a compiler dependent GC bug introduced in 2.18.0.

2026-03-06 (2.19.0)

  • Fix allow_blank parsing option to no longer allow invalid types (e.g. load([], allow_blank: true) now raise a type error).
  • Add allow_invalid_escape parsing option to ignore backslashes that aren't followed by one of the valid escape characters.
Commits
  • 4a1a4a4 Release 2.19.5
  • f6ca597 Avoid spamming too many deprecations while parsing
  • fa0671c Test TruffleRuby release in CI for improved stability
  • cfbe356 Force ensure_valid_encoding to be inlined.
  • 4ef7a45 Use RB_ENC_CODERANGE to first check the cached coderange before calling rb_en...
  • 7dd6b63 Fix typo in changelog
  • 6688a81 Release 2.19.4
  • f1e6163 Fix references to NAN and INFINITY in documentation comments
  • 18d5475 Reduce warnings
  • 1072482 Fix parsing of negative out of bound floats.
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): Bump the bundler group across 1 directory with 3 updates
6a59f48 
Bumps the bundler group with 2 updates in the / directory: [activesupport](https://github.com/rails/rails) and [addressable](https://github.com/sporkmonger/addressable).


Updates `activesupport` from 8.1.2 to 8.1.2.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activesupport/CHANGELOG.md)
- [Commits](rails/rails@v8.1.2...v8.1.2.1)

Updates `addressable` from 2.8.9 to 2.9.0
- [Changelog](https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md)
- [Commits](sporkmonger/addressable@addressable-2.8.9...addressable-2.9.0)

Updates `json` from 2.18.1 to 2.19.5
- [Release notes](https://github.com/ruby/json/releases)
- [Changelog](https://github.com/ruby/json/blob/master/CHANGES.md)
- [Commits](ruby/json@v2.18.1...v2.19.5)

---
updated-dependencies:
- dependency-name: activesupport
  dependency-version: 8.1.2.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: addressable
  dependency-version: 2.9.0
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: json
  dependency-version: 2.19.5
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code labels May 4, 2026
@github-actions github-actions Bot added the [Type] Build Tooling Issues or PRs related to build tooling label May 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code [Type] Build Tooling Issues or PRs related to build tooling

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants