
Bump the bundler group across 1 directory with 21 updates #4

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/bundler/bundler-fe0e0613cd

Conversation

@dependabot dependabot[bot] commented on behalf of github Jun 9, 2026

Bumps the bundler group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| puma | 6.5.0 | 7.2.1 |
| rack | 2.2.10 | 2.2.23 |
| aws-sdk-s3 | 1.173.0 | 1.208.0 |
| addressable | 2.8.7 | 2.9.0 |
| devise | 4.9.4 | 5.0.4 |
| omniauth-saml | 2.2.1 | 2.2.3 |
| nokogiri | 1.16.7 | 1.19.3 |
| actionpack | 7.2.2 | 7.2.2.1 |
| css_parser | 1.19.1 | 1.22.0 |
| faraday | 2.12.0 | 2.14.2 |
| jwt | 2.7.1 | 2.10.3 |
| net-imap | 0.5.1 | 0.5.14 |

Updates puma from 6.5.0 to 7.2.1

Release notes

Sourced from puma's releases.

v7.2.1

  • Bugfixes
    • Limit and anchor PROXY protocol v1 parsing to prevent abuse via crafted inputs (#3947)
    • Parse PROXY protocol only once per connection to prevent injection on keep-alive requests (#3947)

Security advisories

v7.2.0 - On The Corner

  • Features

    • Add workers :auto (#3827)
    • Make it possible to restrict control server commands to stats (#3787)
  • Bugfixes

    • Don't break if WEB_CONCURRENCY is set to a blank string (#3837)
    • Don't share server between worker 0 and descendants on refork (#3602)
    • Fix phase check race condition in Puma::Cluster#check_workers (#3690)
    • Fix advertising of CLI config before config files are loaded (#3823)
  • Performance

    • 17% faster HTTP parsing through pre-interning env keys (#3825)
    • Implement dsize and dcompact functions for Puma::HttpParser, which makes Puma's C-extension GC-compactible (#3828)
  • Refactor

    • Remove NoMethodError rescue in Reactor#select_loop (#3831)
    • Various cleanups in the C extension (#3814)
    • Monomorphize handle_request return (#3802)
  • Docs

    • Change link to docs/deployment.md in README.md (#3848)
    • Fix formatting for each signal description in signals.md (#3813)
    • Update deployment and Kubernetes docs with Puma configuration tips (#3807)
    • Rename master to main (#3809, #3808, #3800)
    • Fix some minor typos in the docs (#3804)
    • Add GOVERNANCE.md, MAINTAINERS (#3826)
    • Remove Code Climate badge (#3820)
    • Add @​joshuay03 to the maintainer list
  • CI

v7.1.0

7.1.0 / 2025-10-16 - Neon Witch


  • Features

... (truncated)

Changelog

Sourced from puma's changelog.

7.2.1 / 2026-05-27

  • Bugfixes
    • Limit and anchor PROXY protocol v1 parsing to prevent abuse via crafted inputs (#3947)
    • Parse PROXY protocol only once per connection to prevent injection on keep-alive requests (#3947)

7.2.0 / 2026-01-20

  • Features

    • Add workers :auto (#3827)
    • Make it possible to restrict control server commands to stats (#3787)
  • Bugfixes

    • Don't break if WEB_CONCURRENCY is set to a blank string (#3837)
    • Don't share server between worker 0 and descendants on refork (#3602)
    • Fix phase check race condition in Puma::Cluster#check_workers (#3690)
    • Fix advertising of CLI config before config files are loaded (#3823)
  • Performance

    • 17% faster HTTP parsing through pre-interning env keys (#3825)
    • Implement dsize and dcompact functions for Puma::HttpParser, which makes Puma's C-extension GC-compactible (#3828)
  • Refactor

    • Remove NoMethodError rescue in Reactor#select_loop (#3831)
    • Various cleanups in the C extension (#3814)
    • Monomorphize handle_request return (#3802)
  • Docs

    • Change link to docs/deployment.md in README.md (#3848)
    • Fix formatting for each signal description in signals.md (#3813)
    • Update deployment and Kubernetes docs with Puma configuration tips (#3807)
    • Rename master to main (#3809, #3808, #3800)
    • Fix some minor typos in the docs (#3804)
    • Add GOVERNANCE.md, MAINTAINERS (#3826)
    • Remove Code Climate badge (#3820)
    • Add @​joshuay03 to the maintainer list
  • CI

7.1.0 / 2025-10-16

  • Features

    • Introduce after_worker_shutdown hook (#3707)
    • Reintroduce keepalive "fast inline" behavior. Provides faster (8x on JRuby & 1.4x on Ruby) pipeline processing (#3794)
  • Bugfixes

    • Skip reading zero bytes when request body is buffered (#3795)
    • Fix PUMA_LOG_CONFIG=1 logging twice with prune_bundler enabled (#3778)

... (truncated)


Updates rack from 2.2.10 to 2.2.23

Changelog

Sourced from rack's changelog.

[2.2.23] - 2026-04-01

Security

  • CVE-2026-34763 Root directory disclosure via unescaped regex interpolation in Rack::Directory.
  • CVE-2026-34230 Avoid O(n^2) algorithm in Rack::Utils.select_best_encoding which could lead to denial of service.
  • CVE-2026-26961 Raise error for multipart requests with multiple boundary parameters.
  • CVE-2026-34786 Rack::Static header_rules bypass via URL-encoded path mismatch.
  • CVE-2026-34831 Content-Length mismatch in Rack::Files error responses.
  • CVE-2026-34826 Multipart byte range processing allows denial of service via excessive overlapping ranges.
  • CVE-2026-34830 Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect.
  • CVE-2026-34785 Rack::Static prefix matching can expose unintended files under the static root.
  • CVE-2026-34829 Multipart parsing without Content-Length header allows unbounded chunked file uploads.

[2.2.22] - 2026-02-16

Security

  • CVE-2026-25500 XSS injection via malicious filename in Rack::Directory.
  • CVE-2026-22860 Directory traversal via root prefix bypass in Rack::Directory.

[2.2.21] - 2025-11-03

Fixed

  • Multipart parser: limit MIME header size check to the unread buffer region to avoid false multipart mime part header too large errors when previously read data accumulates in the scan buffer. (#2392, @​alpaca-tc, @​willnet, @​krororo)

[2.2.20] - 2025-10-10

Security

  • CVE-2025-61780 Improper handling of headers in Rack::Sendfile may allow proxy bypass.
  • CVE-2025-61919 Unbounded read in Rack::Request form parsing can lead to memory exhaustion.

[2.2.19] - 2025-10-07

Security

  • CVE-2025-61772 Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
  • CVE-2025-61771 Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
  • CVE-2025-61770 Unbounded multipart preamble buffering enables DoS (memory exhaustion)

[2.2.18] - 2025-09-25

Security

  • CVE-2025-59830 Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion via semicolon-separated parameters.

[2.2.17] - 2025-06-03

... (truncated)

Commits
  • f2af0c8 Bump patch version.
  • 345b744 Fix tests for old Rubies.
  • e2d8e30 Add version guard around non-default gems.
  • add1a80 Fix handling of Errno::EPIPE in multipart tests.
  • 54261ec Fix typo in test.
  • a36f48b Add ostruct to Gemfile.
  • 8883f0d Fix test expectation.
  • 2287a3b Add logger to gemfile.
  • e6540e5 Add Ruby v4.0 to the test matrix.
  • c42e357 Add Content-Length size check in Rack::Multipart::Parser
  • Additional commits viewable in compare view

Updates aws-sdk-s3 from 1.173.0 to 1.208.0

Changelog

Sourced from aws-sdk-s3's changelog.

1.208.0 (2025-12-16)

  • Feature - Updates to the S3 Encryption Client. The V3 S3 Encryption Client now requires key committing algorithm suites by default.

1.207.0 (2025-12-15)

  • Feature - This release adds support for the new optional field 'LifecycleExpirationDate' in S3 Inventory configurations.

1.206.0 (2025-12-02)

  • Feature - New S3 Storage Class FSX_ONTAP

1.205.0 (2025-11-20)

  • Feature - Enable / Disable ABAC on a general purpose bucket.

1.204.0 (2025-11-19)

  • Feature - Adds support for blocking SSE-C writes to general purpose buckets.

1.203.1 (2025-11-10)

  • Issue - Deprecated :checksum_mode parameter in FileDownloader#download. When set to "DISABLED", a deprecation warning is issued and the parameter is ignored. Use :response_checksum_validation on the S3 client instead to control checksum validation behavior.

1.203.0 (2025-11-05)

  • Feature - Launch IPv6 dual-stack support for S3 Express

1.202.0 (2025-10-28)

  • Feature - Amazon Simple Storage Service / Features: Add conditional writes in CopyObject on destination key to prevent unintended object modifications.

1.201.0 (2025-10-21)

  • Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's CHANGELOG.md for details.

  • Issue - Fix multipart upload to respect request_checksum_calculation when_required mode.

1.200.0 (2025-10-15)

... (truncated)


Updates addressable from 2.8.7 to 2.9.0

Changelog

Sourced from addressable's changelog.

Addressable 2.9.0

  • fixes ReDoS vulnerability in Addressable::Template#match (fixes incomplete remediation in 2.8.10)

Addressable 2.8.10

  • fixes ReDoS vulnerability in Addressable::Template#match

Addressable 2.8.9

  • Reduce gem size by excluding test files (#569)
  • No need for bundler as development dependency (#571, 5fc1d93)
  • idna/pure: stop building the useless COMPOSITION_TABLE (removes the Addressable::IDNA::COMPOSITION_TABLE constant) (#564)

#569: sporkmonger/addressable#569 #571: sporkmonger/addressable#571 #564: sporkmonger/addressable#564

Addressable 2.8.8

  • Replace the unicode.data blob by a ruby constant (#561)
  • Allow public_suffix 7 (#558)

#561: sporkmonger/addressable#561 #558: sporkmonger/addressable#558

Commits
  • 0c3e858 Revving version and changelog
  • 91915c1 Fixing additional vulnerable paths
  • a091e39 Add many more adversarial test cases to ensure we don't have any ReDoS regres...
  • 463a819 Regenerate gemspec on newer rubygems
  • 0afcb0b Improve from O(n^2) to O(n)
  • c87f768 Fix a ReDoS vulnerability in URI template matching
  • 0d7e9b2 Fix links for 2.8.9 in CHANGELOG (#573)
  • e209120 Update version, gemspec, and CHANGELOG for 2.8.9 (#572)
  • 3875874 Reduce gem size by excluding test files (#569)
  • 3e57cc6 CI: back to windows-2022 for MRI job
  • Additional commits viewable in compare view

Updates devise from 4.9.4 to 5.0.4

Release notes

Sourced from devise's releases.

v5.0.4

https://github.com/heartcombo/devise/blob/v5.0.4/CHANGELOG.md#504---2026-05-08

v5.0.3

https://github.com/heartcombo/devise/blob/v5.0.3/CHANGELOG.md#503---2026-03-16

v5.0.2

https://github.com/heartcombo/devise/blob/v5.0.2/CHANGELOG.md#502---2026-02-18

v5.0.1

https://github.com/heartcombo/devise/blob/v5.0.1/CHANGELOG.md#501---2026-02-13

v5.0.0

https://github.com/heartcombo/devise/blob/v5.0.0/CHANGELOG.md#500---2026-01-23

v5.0.0.rc

https://github.com/heartcombo/devise/blob/v5.0.0.rc/CHANGELOG.md#500rc---2025-12-31

Changelog

Sourced from devise's changelog.

5.0.4 - 2026-05-08

5.0.3 - 2026-03-16

5.0.2 - 2026-02-18

  • enhancements
    • Allow resource class scopes to override the global configuration for sign_in_after_change_password behaviour. #5825
      • Note: some users ran into an issue with this change because RegistrationsController now relies on a setting from the :registerable module. These users were configuring their own routes pointing to the RegistrationsController for resource edit/update actions mostly, without relying on the other registration actions (e.g. user sign up.), so they omitted :registerable from the model declaration. While using just a portion of the controller functionality is a valid use for :registerable (or any module really), the module must still be declared in the model, much like the other modules must be declared if you plan on using just a portion of their behavior. Please check this issue for more info.
    • Add sign_in_after_reset_password? check hook to passwords controller, to allow it to be customized by users. #5826

5.0.1 - 2026-02-13

  • bug fixes
    • Fix translation issue with German E-Mail on invalid authentication messages caused by previous fix for incorrect grammar #5822

5.0.0 - 2026-01-23

no changes

5.0.0.rc - 2025-12-31

  • breaking changes
    • Drop support to Ruby < 2.7

    • Drop support to Rails < 7.0

    • Remove deprecated :bypass option from sign_in helper, use bypass_sign_in instead. #5803

    • Remove deprecated devise_error_messages! helper, use render "devise/shared/error_messages", resource: resource instead. #5803

    • Remove deprecated scope second argument from sign_in(resource, :admin) controller test helper, use sign_in(resource, scope: :admin) instead. #5803

    • Remove deprecated Devise::TestHelpers, use Devise::Test::ControllerHelpers instead. #5803

    • Remove deprecated Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION #5598

    • Remove deprecated Devise.activerecord51? method.

    • Remove SecretKeyFinder and use app.secret_key_base as the default secret key for Devise.secret_key if a custom Devise.secret_key is not provided.

      This is potentially a breaking change because Devise previously used the following order to find a secret key:

      app.credentials.secret_key_base > app.secrets.secret_key_base > application.config.secret_key_base > application.secret_key_base
      

      Now, it always uses application.secret_key_base. Make sure you're using the same secret key after the upgrade; otherwise, previously generated tokens for recoverable, lockable, and confirmable will be invalid. #5645

    • Change password instructions button label on devise view from Send me reset password instructions to Send me password reset instructions #5515

    • Change <br> tags separating form elements to wrapping them in <p> tags #5494

    • Replace [data-turbo-cache=false] with [data-turbo-temporary] on devise/shared/error_messages partial. This has been deprecated by Turbo since v7.3.0 (released on Mar 1, 2023).

... (truncated)

Commits
  • 9ea459d Release v5.0.4 with sec fix for timeoutable
  • 025fe21 Merge commit from fork
  • 7ca7ed9 Add GHSA link to the v5.0.3 sec fix changelog entry [ci skip]
  • 605de86 Update links to https [ci skip]
  • 5e3a8bf Bundle update
  • 5d20277 Cleanup old Rails.version check for db migration path
  • 4ffb0b7 Fix Gemfile for Rails 7.2, incorrectly testing against 7.1
  • 2f80920 Release v5.0.3
  • 5334707 Add CVE to changelog [ci skip]
  • 0252777 Fix race condition vulnerability, by ensuring the unconfirmed_email is alwa...
  • Additional commits viewable in compare view

Updates omniauth-saml from 2.2.1 to 2.2.3

Release notes

Sourced from omniauth-saml's releases.

v2.2.3

Features

Bug Fixes

v2.2.2

Features

  • log errors on failed logout (23ef364)

Changelog

Sourced from omniauth-saml's changelog.

v2.2.3 (2025-03-12)

Features

Bug Fixes

v2.2.2 (2025-03-04)

Features

  • log errors on failed logout (23ef364)

Commits
  • 34eb354 feat: new release 2.2.3
  • 7a348b4 fix: bump ruby-saml to 1.18
  • 04c34be Merge pull request #233 from omniauth/release/v2.2.2
  • b253047 feat: new release 2.2.2
  • b4568bf Merge pull request #232 from machisuji/feat/log-errors-on-failed-logout
  • 23ef364 feat: log errors on failed logout
  • ca4d806 Merge pull request #227 from omniauth/feat/new-release-2.2.1
  • See full diff in compare view

Updates nokogiri from 1.16.7 to 1.19.3

Release notes

Sourced from nokogiri's releases.

v1.19.3 / 2026-04-27

Fixed / Security

  • Address exponential regex backtracking in CSS selector tokenizer. See GHSA-c4rq-3m3g-8wgx for more information.
  • [CRuby] Address memory leak in XSLT::Stylesheet#transform. See GHSA-v2fc-qm4h-8hqv for more information.

v1.19.2 / 2026-03-19

Dependencies

  • [JRuby] Saxon-HE is updated to 12.7, from 9.6.0-4. Saxon-HE is a transitive dependency of nu.validator:jing, and this update addresses CVEs in Saxon-HE's own transitive dependencies JDOM and dom4j. We don't think this warrants a security release, however we're cutting a patch release to help users whose security scanners are flagging this. #3611 @​flavorjones

SHA256 Checksums


Full Changelog: sparklemotion/nokogiri@v1.19.1...v1.19.2

v1.19.1 / 2026-02-16

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.19.3 / 2026-04-27

Fixed / Security

  • Address exponential regex backtracking in CSS selector tokenizer. See GHSA-c4rq-3m3g-8wgx for more information.
  • [CRuby] Address memory leak in XSLT::Stylesheet#transform. See GHSA-v2fc-qm4h-8hqv for more information.

v1.19.2 / 2026-03-19

Dependencies

  • [JRuby] Saxon-HE is updated to 12.7, from 9.6.0-4. Saxon-HE is a transitive dependency of nu.validator:jing, and this update addresses CVEs in Saxon-HE's own transitive dependencies JDOM and dom4j. We don't think this warrants a security release, however we're cutting a patch release to help users whose security scanners are flagging this. #3611 @​flavorjones

v1.19.1 / 2026-02-16

Security

v1.19.0 / 2025-12-28

Ruby

This release is focused on changes to Ruby version support, and is otherwise functionally identical to v1.18.10.

v1.18.10 / 2025-09-15

Dependencies

  • [CRuby] Vendored libxml2 is updated to v2.13.9. Note that the security fixes published in v2.13.9 were already present in Nokogiri v1.18.9.
  • [CRuby] [Windows and MacOS] Vendored libiconv is updated to v1.18

v1.18.9 / 2025-07-20

Security

v1.18.8 / 2025-04-21

... (truncated)

Commits
  • c139a3d version bump to v1.19.3
  • 7501a63 fix: backtracking in CSS tokenizer rules (v1.19.x backport) (#3627)
  • 03e7968 test: skip CSS tokenizer benchmarks on JRuby
  • b984b7e fix: ReDoS in CSS tokenizer ident rule
  • 0092623 fix: ReDoS in CSS tokenizer STRING rule
  • ee17d33 fix: memory leak in XSLT transform (backport to v1.19.x) (#3624)
  • ce188a3 doc: update CHANGELOG
  • caeaac4 fix: memory leak in XSLT transform
  • 25220bf dep(test): test against libxml-ruby v6 (#3618)
  • 0caeb21 doc: add security warnings for untrusted XSLT stylesheets
  • Additional commits viewable in compare view

Updates actionpack from 7.2.2 to 7.2.2.1

Release notes

Sourced from actionpack's releases.

7.2.2.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • No changes.

Action Pack

  • Add validation to content security policies to disallow spaces and semicolons. Developers should use multiple arguments, and different directive methods instead.

    [CVE-2024-54133]

    Gannon McGibbon

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

  • No changes.

... (truncated)


Updates actionview from 7.2.2 to 7.2.2.1


Updates activerecord from 7.2.2 to 7.2.2.1


Updates activestorage from 7.2.2 to 7.2.2.1


Updates activesupport from 7.2.2 to 7.2.2.1


Updates bcrypt from 3.1.20 to 3.1.22

Release notes

Sourced from bcrypt's releases.

v3.1.22

What's Changed

Full Changelog: bcrypt-ruby/bcrypt-ruby@v3.1.21...v3.1.22

v3.1.21

What's Changed

New Contributors

Full Changelog: bcrypt-ruby/bcrypt-ruby@v3.1.20...v3.1.21

Changelog

Sourced from bcrypt's changelog.

3.1.22 Mar 18 2026

3.1.21 Dec 31 2025

  • Use constant time comparisons
  • Mark as Ractor safe

Commits
  • 831ce64 Merge commit from fork
  • 32e687e bump version update changelog
  • 5faa274 Fix integer overflow in JRuby BCrypt rounds calculation
  • aafc033 Merge pull request #294 from bcrypt-ruby/fix-publishing
  • 01f947a fix env url
  • 92ca1d6 Merge pull request #293 from bcrypt-ruby/truffleruby-ci-alt-implementation
  • 4d1d95b Add TruffleRuby in CI
  • 36a04a2 Merge pull request #291 from tenderlove/fix-publishing
  • 01cc688 Move compilation after bundle install
  • 82e6c4c Merge pull request #290 from tenderlove/bump
  • Additional commits viewable in compare view

Updates css_parser from 1.19.1 to 1.22.0

Changelog

Sourced from css_parser's changelog.

Ruby CSS Parser CHANGELOG

Unreleased

Version 3.0.0

  • Harden read_remote_file, use allow_local_network: true and allow_file_uris: true to bypass

Version 2.2.0

  • Accept CSS <number> values with an omitted integer part (e.g. .1) inside rgb()/rgba()/hsl()/hsla(). Previously RE_COLOUR_NUMERIC and RE_COLOUR_NUMERIC_ALPHA required at least one digit before the decimal point, which caused colours such as rgba(0,0,0,.1) to be silently dropped during shorthand expansion (background-color from background:, border-*-color from border:).

Version 2.1.0

  • Validate ssl when pulling files via https

Version 2.0.0

  • Drop ruby <3.2, fix a memory leak

Version v1.21.1

  • Prefer !important rules over non-!important rules in the same ruleset
  • Minor performance improvements

Version v1.21.0

  • Minor performance improvements

Version v1.20.0

  • Remove iconv conditional require

Commits
  • 040895b v1.22.0
  • 5069b71 bundle
  • e0c95d5 Merge pull request #186 from premailer/grosser/https
  • 89c8111 v1.21.1
  • 9471b2a Merge pull request #175 from mogest/master
  • 3dba6e3 Prefer !important rules over non-!important rules in the same ruleset
  • 54b8ea5 Merge pull request #174 from tagliala/chore/fix-match-missed

Bumps the bundler group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [puma](https://github.com/puma/puma) | `6.5.0` | `7.2.1` |
| [rack](https://github.com/rack/rack) | `2.2.10` | `2.2.23` |
| [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) | `1.173.0` | `1.208.0` |
| [addressable](https://github.com/sporkmonger/addressable) | `2.8.7` | `2.9.0` |
| [devise](https://github.com/heartcombo/devise) | `4.9.4` | `5.0.4` |
| [omniauth-saml](https://github.com/omniauth/omniauth-saml) | `2.2.1` | `2.2.3` |
| [nokogiri](https://github.com/sparklemotion/nokogiri) | `1.16.7` | `1.19.3` |
| [actionpack](https://github.com/rails/rails) | `7.2.2` | `7.2.2.1` |
| [css_parser](https://github.com/premailer/css_parser) | `1.19.1` | `1.22.0` |
| [faraday](https://github.com/lostisland/faraday) | `2.12.0` | `2.14.2` |
| [jwt](https://github.com/jwt/ruby-jwt) | `2.7.1` | `2.10.3` |
| [net-imap](https://github.com/ruby/net-imap) | `0.5.1` | `0.5.14` |



Updates `puma` from 6.5.0 to 7.2.1
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/main/History.md)
- [Commits](puma/puma@v6.5.0...v7.2.1)

Updates `rack` from 2.2.10 to 2.2.23
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@v2.2.10...v2.2.23)

Updates `aws-sdk-s3` from 1.173.0 to 1.208.0
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

Updates `addressable` from 2.8.7 to 2.9.0
- [Changelog](https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md)
- [Commits](sporkmonger/addressable@addressable-2.8.7...addressable-2.9.0)

Updates `devise` from 4.9.4 to 5.0.4
- [Release notes](https://github.com/heartcombo/devise/releases)
- [Changelog](https://github.com/heartcombo/devise/blob/main/CHANGELOG.md)
- [Commits](heartcombo/devise@v4.9.4...v5.0.4)

Updates `omniauth-saml` from 2.2.1 to 2.2.3
- [Release notes](https://github.com/omniauth/omniauth-saml/releases)
- [Changelog](https://github.com/omniauth/omniauth-saml/blob/master/CHANGELOG.md)
- [Commits](omniauth/omniauth-saml@v2.2.1...v2.2.3)

Updates `nokogiri` from 1.16.7 to 1.19.3
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.16.7...v1.19.3)

Updates `actionpack` from 7.2.2 to 7.2.2.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/actionpack/CHANGELOG.md)
- [Commits](rails/rails@v7.2.2...v7.2.2.1)

Updates `actionview` from 7.2.2 to 7.2.2.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/actionview/CHANGELOG.md)
- [Commits](rails/rails@v7.2.2...v7.2.2.1)

Updates `activerecord` from 7.2.2 to 7.2.2.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activerecord/CHANGELOG.md)
- [Commits](rails/rails@v7.2.2...v7.2.2.1)

Updates `activestorage` from 7.2.2 to 7.2.2.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activestorage/CHANGELOG.md)
- [Commits](rails/rails@v7.2.2...v7.2.2.1)

Updates `activesupport` from 7.2.2 to 7.2.2.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activesupport/CHANGELOG.md)
- [Commits](rails/rails@v7.2.2...v7.2.2.1)

Updates `bcrypt` from 3.1.20 to 3.1.22
- [Release notes](https://github.com/bcrypt-ruby/bcrypt-ruby/releases)
- [Changelog](https://github.com/bcrypt-ruby/bcrypt-ruby/blob/master/CHANGELOG)
- [Commits](bcrypt-ruby/bcrypt-ruby@v3.1.20...v3.1.22)

Updates `css_parser` from 1.19.1 to 1.22.0
- [Changelog](https://github.com/premailer/css_parser/blob/master/CHANGELOG.md)
- [Commits](premailer/css_parser@v1.19.1...v1.22.0)

Updates `faraday` from 2.12.0 to 2.14.2
- [Release notes](https://github.com/lostisland/faraday/releases)
- [Changelog](https://github.com/lostisland/faraday/blob/main/CHANGELOG.md)
- [Commits](lostisland/faraday@v2.12.0...v2.14.2)

Updates `jwt` from 2.7.1 to 2.10.3
- [Release notes](https://github.com/jwt/ruby-jwt/releases)
- [Changelog](https://github.com/jwt/ruby-jwt/blob/main/CHANGELOG.md)
- [Commits](jwt/ruby-jwt@v2.7.1...v2.10.3)

Updates `net-imap` from 0.5.1 to 0.5.14
- [Release notes](https://github.com/ruby/net-imap/releases)
- [Commits](ruby/net-imap@v0.5.1...v0.5.14)

Updates `rails-html-sanitizer` from 1.6.0 to 1.7.0
- [Release notes](https://github.com/rails/rails-html-sanitizer/releases)
- [Changelog](https://github.com/rails/rails-html-sanitizer/blob/main/CHANGELOG.md)
- [Commits](rails/rails-html-sanitizer@v1.6.0...v1.7.0)

Updates `rexml` from 3.3.9 to 3.4.4
- [Release notes](https://github.com/ruby/rexml/releases)
- [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)
- [Commits](ruby/rexml@v3.3.9...v3.4.4)

Updates `ruby-saml` from 1.17.0 to 1.18.1
- [Release notes](https://github.com/saml-toolkits/ruby-saml/releases)
- [Changelog](https://github.com/SAML-Toolkits/ruby-saml/blob/master/CHANGELOG.md)
- [Commits](SAML-Toolkits/ruby-saml@v1.17.0...v1.18.1)

Updates `uri` from 0.13.1 to 1.1.1
- [Release notes](https://github.com/ruby/uri/releases)
- [Commits](ruby/uri@v0.13.1...v1.1.1)

---
updated-dependencies:
- dependency-name: puma
  dependency-version: 7.2.1
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: rack
  dependency-version: 2.2.23
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: aws-sdk-s3
  dependency-version: 1.208.0
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: addressable
  dependency-version: 2.9.0
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: devise
  dependency-version: 5.0.4
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: omniauth-saml
  dependency-version: 2.2.3
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: nokogiri
  dependency-version: 1.19.3
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: actionpack
  dependency-version: 7.2.2.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: actionview
  dependency-version: 7.2.2.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: activerecord
  dependency-version: 7.2.2.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: activestorage
  dependency-version: 7.2.2.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: activesupport
  dependency-version: 7.2.2.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: bcrypt
  dependency-version: 3.1.22
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: css_parser
  dependency-version: 1.22.0
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: faraday
  dependency-version: 2.14.2
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: jwt
  dependency-version: 2.10.3
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: net-imap
  dependency-version: 0.5.14
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rails-html-sanitizer
  dependency-version: 1.7.0
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rexml
  dependency-version: 3.4.4
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: ruby-saml
  dependency-version: 1.18.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: uri
  dependency-version: 1.1.1
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and ruby (Pull requests that update Ruby code) Jun 9, 2026