Skip to content

Bump concurrent-ruby and nokogiri#1820

Merged
marcoroth merged 1 commit into
mainfrom
dependabot/bundler/bundler-774f904699
Jun 28, 2026
Merged

Bump concurrent-ruby and nokogiri#1820
marcoroth merged 1 commit into
mainfrom
dependabot/bundler/bundler-774f904699

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps the bundler group with 2 updates in the / directory: concurrent-ruby and nokogiri.

Updates concurrent-ruby from 1.3.6 to 1.3.7

Release notes

Sourced from concurrent-ruby's releases.

v1.3.7

There are 3 security fixes in this release, so updating is recommended. These security vulnerabilities are not very likely to be hit in practice and have a corresponding Low severity score.

What's Changed

New Contributors

Full Changelog: ruby-concurrency/concurrent-ruby@v1.3.6...v1.3.7

Changelog

Sourced from concurrent-ruby's changelog.

Release v1.3.7 (16 June 2026)

concurrent-ruby:

Commits
  • 4c8fc28 Release 1.3.7
  • d91ca94 Fix AtomicReference#update livelock when stored value is Float::NAN on JRuby ...
  • 7e4d711 Fix ReentrantReadWriteLock read hold overflow into write-lock bit
  • 6e37e06 Fix AtomicReference#update livelock when stored value is Float::NAN
  • 2825cfa Cleanup spec
  • 3fd4932 Fix ReadWriteLock wrong-thread write release and stray read release
  • 1974b47 Add Ruby 4.0 in CI
  • df8706d Add SECURITY.md (#1104)
  • 7a1b789 Bump actions/upload-pages-artifact from 4 to 5
  • 9b2dbf7 Bump actions/deploy-pages from 4 to 5
  • Additional commits viewable in compare view

Updates nokogiri from 1.19.3 to 1.19.4

Release notes

Sourced from nokogiri's releases.

v1.19.4 / 2026-06-18

Security

  • [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
  • [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
  • [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
  • [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.
1269fb644a6de405057a53dd5c762b1209b43ca7424f839454d3dbc677c31a8f  nokogiri-1.19.4-aarch64-linux-gnu.gem
35c65b9ce72b3bb03207bdbe7067915019dc18c1b9b59139684bd6690fdd01af  nokogiri-1.19.4-aarch64-linux-musl.gem
a301313e38bb065d68239e79734bcd6f56fb6efaacebde29e9abf2a4735340ca  nokogiri-1.19.4-arm-linux-gnu.gem
588923c101bcfa78869734d247d25b598674323e7f22474fc468f6e5647311eb  nokogiri-1.19.4-arm-linux-musl.gem
a46db9853286e6597b36ebc6953817d15acf3a299583eb3f89fdc6f91dd63527  nokogiri-1.19.4-arm64-darwin.gem
ce04b9e268c9626852231a48b49128ed52034f1ccb39484a6da3875491cd709e  nokogiri-1.19.4-java.gem
051da97b8eccfdb5444fed40246a35e10d7298b9efe759b4cd25455ea04c587e  nokogiri-1.19.4-x64-mingw-ucrt.gem
7fd17057d3e1f00e9954a74b3cd76595d3d4a5ef233b7ed9599047c204f70551  nokogiri-1.19.4-x86_64-darwin.gem
379fae440b28915e3f19d752ce2dcf8465ed2b2fbefd2a7ca0dd497bc981a06a  nokogiri-1.19.4-x86_64-linux-gnu.gem
17dfb7c1fa194ae02fbf7c51a7afc8d278045ab3fdacfd86f91d02d7b274470b  nokogiri-1.19.4-x86_64-linux-musl.gem
50c951611c92bca05c51411aef45f1cbc50f2821c4802758c5c6d34696533ab5  nokogiri-1.19.4.gem
Changelog

Sourced from nokogiri's changelog.

v1.19.4 / 2026-06-18

Security

  • [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
  • [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
  • [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
  • [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.
Commits
  • 8cfb9da version bump to v1.19.4
  • a856d1e fix: JRuby NONET bypass in XML::Schema (v1.19.x) (#3639)
  • 6a0aa1e fix(CRuby): use-after-free in Document#encoding= when setter raises (v1.19.x)...
  • f658a54 fix: JRuby NONET bypass in XML::Schema
  • 39d26fe fix(CRuby): use-after-free in Document#encoding= when setter raises
  • 04a09dd fix(CRuby): out-of-bounds read in NodeSet#[] with large negative index (v1.19...
  • 7799fbd fix: avoid NPE on uninitialized XML::Node structs (v1.19.x) (#3645)
  • ef19e13 fix(CRuby): avoid UAF in XML::Attr#value= (v1.19.x) (#3644)
  • 5524fa9 fix: Document#root= rejects non-element nodes (v1.19.x) (#3643)
  • 9891ad1 fix(CRuby): use-after-free in XPathContext document lifetime (v1.19.x) (#3641)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby labels Jun 22, 2026
Bumps the bundler group with 2 updates in the / directory: [concurrent-ruby](https://github.com/ruby-concurrency/concurrent-ruby) and [nokogiri](https://github.com/sparklemotion/nokogiri).


Updates `concurrent-ruby` from 1.3.6 to 1.3.7
- [Release notes](https://github.com/ruby-concurrency/concurrent-ruby/releases)
- [Changelog](https://github.com/ruby-concurrency/concurrent-ruby/blob/master/CHANGELOG.md)
- [Commits](ruby-concurrency/concurrent-ruby@v1.3.6...v1.3.7)

Updates `nokogiri` from 1.19.3 to 1.19.4
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.19.3...v1.19.4)

---
updated-dependencies:
- dependency-name: concurrent-ruby
  dependency-version: 1.3.7
  dependency-type: indirect
- dependency-name: nokogiri
  dependency-version: 1.19.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/bundler/bundler-774f904699 branch from 83d3d20 to 4911d7c Compare June 28, 2026 11:05
@marcoroth marcoroth changed the title Bump the bundler group across 1 directory with 2 updates Bump concurrent-ruby and nokogiri Jun 28, 2026
@marcoroth marcoroth merged commit b58eff3 into main Jun 28, 2026
25 checks passed
@marcoroth marcoroth deleted the dependabot/bundler/bundler-774f904699 branch June 28, 2026 11:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file ruby

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant