🚨 [security] Update html-proofer 5.2.0 → 5.2.1 (patch) #190

Open

depfu[bot] wants to merge 1 commit into gh-pages from depfu/update/html-proofer-5.2.1

@depfu depfu Bot commented Mar 30, 2026

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ html-proofer (5.2.0 → 5.2.1) · Repo · Changelog

Release Notes

5.2.1

What's Changed

  • [skip test] Release v5.2.0 by @github-actions[bot] in #872
  • Fix XPath syntax errors and hash validation false positives by @ZoeLeBlanc in #873
  • [skip test] Release v5.2.1 by @github-actions[bot] in #874

New Contributors

Full Changelog: v5.2.0...v5.2.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 12 commits:

↗️ async (indirect, 2.38.0 → 2.38.1) · Repo · Changelog

Release Notes

2.38.1

  • Fix Barrier#async when parent.async yields before the child block executes. Previously, Barrier#wait could return early and miss tracking the task entirely, because the task had not yet appended itself to the barrier's task list.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ ffi (indirect, 1.17.3 → 1.17.4) · Repo · Changelog

Release Notes

1.17.4 (from changelog)

Fixed:

  • Fix union by-value ABI mismatch with float and double types on ARM64 and X86_64. See #1177 and #1178 for details.
  • Exclude libffi files, which are unnecessary. #1176

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 17 commits:

↗️ io-event (indirect, 1.14.4 → 1.14.5) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 4 commits:

↗️ json (indirect, 2.19.1 → 2.19.3) · Repo · Changelog

Security Advisories 🚨

🚨 Ruby JSON has a format string injection vulnerability

Impact

A format string injection vulnerability that can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents.

This option isn't the default; if you didn't opt in to use it, you are not impacted.

Patches

Patched in 2.19.2.

Workarounds

The issue can be avoided by not using the allow_duplicate_key: false parsing option.

Release Notes

2.19.3

  • Fix handling of unescaped control characters preceded by a backslash.

Full Changelog: v2.19.2...v2.19.3

2.19.2

What's Changed

  • Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: v2.19.1...v2.19.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

↗️ nokogiri (indirect, 1.19.1 → 1.19.2) · Repo · Changelog

Release Notes

1.19.2

v1.19.2 / 2026-03-19

Dependencies

  • [JRuby] Saxon-HE is updated to 12.7, from 9.6.0-4. Saxon-HE is a transitive dependency of nu.validator:jing, and this update addresses CVEs in Saxon-HE's own transitive dependencies JDOM and dom4j. We don't think this warrants a security release, however we're cutting a patch release to help users whose security scanners are flagging this. [#3611] @flavorjones

SHA256 Checksums

Full Changelog: v1.19.1...v1.19.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu Bot added the depfu label Mar 30, 2026
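
A triage check for the json advisory quoted in the update above, as an added example that is not part of the bot's comment or of any project named on this page: it reports a project as exposed only when the locked json version is below 2.19.2 and the non-default `allow_duplicate_key: false` option is actually used. The function names, the sample lockfile and the sample sources are assumptions constructed for illustration.

```ruby
# Added triage example for the json advisory above (CVE-2026-33210).
PATCHED_JSON = Gem::Version.new("2.19.2") # "Patched in 2.19.2"

# Matches `allow_duplicate_key: false` and `:allow_duplicate_key => false`.
OPTION_USE = /\ballow_duplicate_key\b["']?\s*(?::|=>)\s*false\b/

# Resolved json version from Gemfile.lock text, or nil when json is absent.
# Resolved specs are indented four spaces; a platform suffix is ignored.
def locked_json_version(lockfile_text)
  m = lockfile_text.match(/^ {4}json \((\d[^)\-]*)(?:-[^)]*)?\)$/)
  m && Gem::Version.new(m[1])
end

# "path:line" for every place the non-default option is switched on.
# `sources` maps a file path to that file's contents.
def duplicate_key_option_sites(sources)
  sources.flat_map do |path, text|
    text.each_line.with_index(1).filter_map do |line, no|
      next if line.lstrip.start_with?("#") # skip whole-line comments
      "#{path}:#{no}" if line.match?(OPTION_USE)
    end
  end
end

# Both advisory conditions must hold for the project to be exposed.
# Assumption: every version below 2.19.2 is treated as affected, because
# the page does not state a lower bound.
def triage(lockfile_text, sources)
  version = locked_json_version(lockfile_text)
  return :json_not_locked if version.nil?
  return :patched if version >= PATCHED_JSON
  duplicate_key_option_sites(sources).empty? ? :option_unused : :exposed
end

# Constructed sample input, not taken from this repository.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (2.19.1)
      nokogiri (1.19.1-x86_64-linux-gnu)
LOCK
SAMPLE_SOURCES = {
  "lib/import.rb" => "# JSON.parse(s, allow_duplicate_key: false)\n" \
                     "data = JSON.parse(body, allow_duplicate_key: false)\n",
  "lib/export.rb" => "JSON.parse(body)\n"
}
puts triage(SAMPLE_LOCK, SAMPLE_SOURCES) # prints "exposed"
```

The scan only sees the sources passed in, so a dependency that sets the option on the project's behalf is not detected; an `:option_unused` result lowers urgency but the version bump is still the fix.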