Skip to content

Bump the bundler group across 1 directory with 7 updates#154

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/bundler/bundler-7110728f75
Closed

Bump the bundler group across 1 directory with 7 updates#154
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/bundler/bundler-7110728f75

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 25, 2026

Copy link
Copy Markdown
Contributor

Bumps the bundler group with 3 updates in the / directory: puma, oj and actionview.

Updates puma from 6.6.1 to 7.2.1

Release notes

Sourced from puma's releases.

v7.2.1

  • Bugfixes
    • Limit and anchor PROXY protocol v1 parsing to prevent abuse via crafted inputs (#3947)
    • Parse PROXY protocol only once per connection to prevent injection on keep-alive requests (#3947)

Security advisories

v7.2.0 - On The Corner

  • Features

    • Add workers :auto (#3827)
    • Make it possible to restrict control server commands to stats (#3787)
  • Bugfixes

    • Don't break if WEB_CONCURRENCY is set to a blank string (#3837)
    • Don't share server between worker 0 and descendants on refork (#3602)
    • Fix phase check race condition in Puma::Cluster#check_workers (#3690)
    • Fix advertising of CLI config before config files are loaded (#3823)
  • Performance

    • 17% faster HTTP parsing through pre-interning env keys (#3825)
    • Implement dsize and dcompact functions for Puma::HttpParser, which makes Puma's C-extension GC-compactible (#3828)
  • Refactor

    • Remove NoMethodError rescue in Reactor#select_loop (#3831)
    • Various cleanups in the C extension (#3814)
    • Monomorphize handle_request return (#3802)
  • Docs

    • Change link to docs/deployment.md in README.md (#3848)
    • Fix formatting for each signal description in signals.md (#3813)
    • Update deployment and Kubernetes docs with Puma configuration tips (#3807)
    • Rename master to main (#3809, #3808, #3800)
    • Fix some minor typos in the docs (#3804)
    • Add GOVERNANCE.md, MAINTAINERS (#3826)
    • Remove Code Climate badge (#3820)
    • Add @​joshuay03 to the maintainer list
  • CI

v7.1.0

7.1.0 / 2025-10-16 - Neon Witch

neon_witch

  • Features

... (truncated)

Changelog

Sourced from puma's changelog.

7.2.1 / 2026-05-27

  • Bugfixes
    • Limit and anchor PROXY protocol v1 parsing to prevent abuse via crafted inputs (#3947)
    • Parse PROXY protocol only once per connection to prevent injection on keep-alive requests (#3947)

7.2.0 / 2026-01-20

  • Features

    • Add workers :auto (#3827)
    • Make it possible to restrict control server commands to stats (#3787)
  • Bugfixes

    • Don't break if WEB_CONCURRENCY is set to a blank string (#3837)
    • Don't share server between worker 0 and descendants on refork (#3602)
    • Fix phase check race condition in Puma::Cluster#check_workers (#3690)
    • Fix advertising of CLI config before config files are loaded (#3823)
  • Performance

    • 17% faster HTTP parsing through pre-interning env keys (#3825)
    • Implement dsize and dcompact functions for Puma::HttpParser, which makes Puma's C-extension GC-compactible (#3828)
  • Refactor

    • Remove NoMethodError rescue in Reactor#select_loop (#3831)
    • Various cleanups in the C extension (#3814)
    • Monomorphize handle_request return (#3802)
  • Docs

    • Change link to docs/deployment.md in README.md (#3848)
    • Fix formatting for each signal description in signals.md (#3813)
    • Update deployment and Kubernetes docs with Puma configuration tips (#3807)
    • Rename master to main (#3809, #3808, #3800)
    • Fix some minor typos in the docs (#3804)
    • Add GOVERNANCE.md, MAINTAINERS (#3826)
    • Remove Code Climate badge (#3820)
    • Add @​joshuay03 to the maintainer list
  • CI

7.1.0 / 2025-10-16

  • Features

    • Introduce after_worker_shutdown hook (#3707)
    • Reintroduce keepalive "fast inline" behavior. Provides faster (8x on JRuby & 1.4x on Ruby) pipeline processing (#3794)
  • Bugfixes

    • Skip reading zero bytes when request body is buffered (#3795)
    • Fix PUMA_LOG_CONFIG=1 logging twice with prune_bundler enabled (#3778)

... (truncated)

Commits

Updates oj from 3.17.1 to 3.17.3

Release notes

Sourced from oj's releases.

v3.17.3

What's Changed

Full Changelog: ohler55/oj@v3.17.1...v3.17.3

Changelog

Sourced from oj's changelog.

3.17.3 - 2026-06-04

  • Fixed issue in intern.c and fast.c.

3.17.2 - 2026-05-27

  • Fixed multiple issues related to extreme sizes.
Commits

Updates actionview from 7.2.3 to 7.2.3.1

Release notes

Sourced from actionview's releases.

7.2.3.1

Active Support

  • Reject scientific notation in NumberConverter

    [CVE-2026-33176]

    Jean Boussier

  • Fix SafeBuffer#% to preserve unsafe status

    [CVE-2026-33170]

    Jean Boussier

  • Improve performance of NumberToDelimitedConverter

    [CVE-2026-33169]

    Jean Boussier

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • Skip blank attribute names in tag helpers to avoid generating invalid HTML.

    [CVE-2026-33168]

    Mike Dalessio

Action Pack

  • No changes.

Active Job

  • No changes.

... (truncated)

Commits

Updates activestorage from 7.2.3 to 7.2.3.1

Release notes

Sourced from activestorage's releases.

7.2.3.1

Active Support

  • Reject scientific notation in NumberConverter

    [CVE-2026-33176]

    Jean Boussier

  • Fix SafeBuffer#% to preserve unsafe status

    [CVE-2026-33170]

    Jean Boussier

  • Improve performance of NumberToDelimitedConverter

    [CVE-2026-33169]

    Jean Boussier

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • Skip blank attribute names in tag helpers to avoid generating invalid HTML.

    [CVE-2026-33168]

    Mike Dalessio

Action Pack

  • No changes.

Active Job

  • No changes.

... (truncated)

Commits
  • ba76fca Preparing for 7.2.3.1 release
  • 8a379f4 Update changelog
  • fa19073 Prevent glob injection in ActiveStorage DiskService#delete_prefixed
  • 4933c1e Prevent path traversal in ActiveStorage DiskService
  • 707c0f1 Active Storage: Filter user supplied metadata in DirectUploadController
  • b8a1665 ActiveStorage::Streaming limit range requests to a single range
  • 8159a9c Configurable maxmimum streaming chunk size
  • See full diff in compare view

Updates activesupport from 7.2.3 to 7.2.3.1

Release notes

Sourced from activesupport's releases.

7.2.3.1

Active Support

  • Reject scientific notation in NumberConverter

    [CVE-2026-33176]

    Jean Boussier

  • Fix SafeBuffer#% to preserve unsafe status

    [CVE-2026-33170]

    Jean Boussier

  • Improve performance of NumberToDelimitedConverter

    [CVE-2026-33169]

    Jean Boussier

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • Skip blank attribute names in tag helpers to avoid generating invalid HTML.

    [CVE-2026-33168]

    Mike Dalessio

Action Pack

  • No changes.

Active Job

  • No changes.

... (truncated)

Commits
  • ba76fca Preparing for 7.2.3.1 release
  • 8a379f4 Update changelog
  • b54a4b3 Improve performance of NumberToDelimitedConverter
  • c1ad0e8 Fix SafeBuffer#% to preserve unsafe status
  • ebd6be1 NumberConverter: reject scientific notation
  • 4a155f1 Lock some dependencies
  • See full diff in compare view

Updates concurrent-ruby from 1.3.6 to 1.3.7

Release notes

Sourced from concurrent-ruby's releases.

v1.3.7

There are 3 security fixes in this release, so updating is recommended. These security vulnerabilities are not very likely to be hit in practice and have a corresponding Low severity score.

What's Changed

New Contributors

Full Changelog: ruby-concurrency/concurrent-ruby@v1.3.6...v1.3.7

Changelog

Sourced from concurrent-ruby's changelog.

Release v1.3.7 (16 June 2026)

concurrent-ruby:

Commits
  • 4c8fc28 Release 1.3.7
  • d91ca94 Fix AtomicReference#update livelock when stored value is Float::NAN on JRuby ...
  • 7e4d711 Fix ReentrantReadWriteLock read hold overflow into write-lock bit
  • 6e37e06 Fix AtomicReference#update livelock when stored value is Float::NAN
  • 2825cfa Cleanup spec
  • 3fd4932 Fix ReadWriteLock wrong-thread write release and stray read release
  • 1974b47 Add Ruby 4.0 in CI
  • df8706d Add SECURITY.md (#1104)
  • 7a1b789 Bump actions/upload-pages-artifact from 4 to 5
  • 9b2dbf7 Bump actions/deploy-pages from 4 to 5
  • Additional commits viewable in compare view

Updates nokogiri from 1.19.3 to 1.19.4

Release notes

Sourced from nokogiri's releases.

v1.19.4 / 2026-06-18

Security

  • [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
  • [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
  • [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
  • [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.
1269fb644a6de405057a53dd5c762b1209b43ca7424f839454d3dbc677c31a8f  nokogiri-1.19.4-aarch64-linux-gnu.gem
35c65b9ce72b3bb03207bdbe7067915019dc18c1b9b59139684bd6690fdd01af  nokogiri-1.19.4-aarch64-linux-musl.gem
a301313e38bb065d68239e79734bcd6f56fb6efaacebde29e9abf2a4735340ca  nokogiri-1.19.4-arm-linux-gnu.gem
588923c101bcfa78869734d247d25b598674323e7f22474fc468f6e5647311eb  nokogiri-1.19.4-arm-linux-musl.gem
a46db9853286e6597b36ebc6953817d15acf3a299583eb3f89fdc6f91dd63527  nokogiri-1.19.4-arm64-darwin.gem
ce04b9e268c9626852231a48b49128ed52034f1ccb39484a6da3875491cd709e  nokogiri-1.19.4-java.gem
051da97b8eccfdb5444fed40246a35e10d7298b9efe759b4cd25455ea04c587e  nokogiri-1.19.4-x64-mingw-ucrt.gem
7fd17057d3e1f00e9954a74b3cd76595d3d4a5ef233b7ed9599047c204f70551  nokogiri-1.19.4-x86_64-darwin.gem
379fae440b28915e3f19d752ce2dcf8465ed2b2fbefd2a7ca0dd497bc981a06a  nokogiri-1.19.4-x86_64-linux-gnu.gem
17dfb7c1fa194ae02fbf7c51a7afc8d278045ab3fdacfd86f91d02d7b274470b  nokogiri-1.19.4-x86_64-linux-musl.gem
50c951611c92bca05c51411aef45f1cbc50f2821c4802758c5c6d34696533ab5  nokogiri-1.19.4.gem
Changelog

Sourced from nokogiri's changelog.

v1.19.4 / 2026-06-18

Security

  • [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
  • [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
  • [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
  • [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.
Commits
  • 8cfb9da version bump to v1.19.4
  • a856d1e fix: JRuby NONET bypass in XML::Schema (v1.19.x) (#3639)
  • 6a0aa1e fix(CRuby): use-after-free in Document#encoding= when setter raises (v1.19.x)...
  • f658a54 fix: JRuby NONET bypass in XML::Schema
  • 39d26fe fix(CRuby): use-after-free in Document#encoding= when setter raises
  • 04a09dd fix(CRuby): out-of-bounds read in NodeSet#[] with large negative index (v1.19...
  • 7799fbd fix: avoid NPE on uninitialized XML::Node structs (v1.19.x) (#3645)
  • ef19e13 fix(CRuby): avoid UAF in XML::Attr#value= (v1.19.x) (#3644)
  • 5524fa9 fix: Document#root= rejects non-element nodes (v1.19.x) (#3643)
  • 9891ad1 fix(CRuby): use-after-free in XPathContext document lifetime (v1.19.x) (#3641)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the bundler group with 3 updates in the / directory: [puma](https://github.com/puma/puma), [oj](https://github.com/ohler55/oj) and [actionview](https://github.com/rails/rails).


Updates `puma` from 6.6.1 to 7.2.1
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/main/History.md)
- [Commits](puma/puma@v6.6.1...v7.2.1)

Updates `oj` from 3.17.1 to 3.17.3
- [Release notes](https://github.com/ohler55/oj/releases)
- [Changelog](https://github.com/ohler55/oj/blob/develop/CHANGELOG.md)
- [Commits](ohler55/oj@v3.17.1...v3.17.3)

Updates `actionview` from 7.2.3 to 7.2.3.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/actionview/CHANGELOG.md)
- [Commits](rails/rails@v7.2.3...v7.2.3.1)

Updates `activestorage` from 7.2.3 to 7.2.3.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activestorage/CHANGELOG.md)
- [Commits](rails/rails@v7.2.3...v7.2.3.1)

Updates `activesupport` from 7.2.3 to 7.2.3.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activesupport/CHANGELOG.md)
- [Commits](rails/rails@v7.2.3...v7.2.3.1)

Updates `concurrent-ruby` from 1.3.6 to 1.3.7
- [Release notes](https://github.com/ruby-concurrency/concurrent-ruby/releases)
- [Changelog](https://github.com/ruby-concurrency/concurrent-ruby/blob/master/CHANGELOG.md)
- [Commits](ruby-concurrency/concurrent-ruby@v1.3.6...v1.3.7)

Updates `nokogiri` from 1.19.3 to 1.19.4
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.19.3...v1.19.4)

---
updated-dependencies:
- dependency-name: puma
  dependency-version: 7.2.1
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: oj
  dependency-version: 3.17.3
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: actionview
  dependency-version: 7.2.3.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: activestorage
  dependency-version: 7.2.3.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: activesupport
  dependency-version: 7.2.3.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: concurrent-ruby
  dependency-version: 1.3.7
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: nokogiri
  dependency-version: 1.19.4
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code labels Jun 25, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are no longer updatable, so this is no longer needed.

@dependabot dependabot Bot closed this Jul 8, 2026
@dependabot dependabot Bot deleted the dependabot/bundler/bundler-7110728f75 branch July 8, 2026 06:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants