Bump the bundler group across 1 directory with 10 updates

[dependabot]

Bumps the bundler group with 2 updates in the / directory: jquery-rails and omniauth.

Updates jquery-rails from 1.0.16 to 4.6.1

Changelog

Sourced from jquery-rails's changelog.

4.6.1

• update jquery to 3.7.1

4.6.0

• update jquery to 3.7.0

4.5.1

• update jquery to 3.6.1
• update jquery-ujs to 1.2.3

4.5.0

• update jquery to 3.6.0

4.4.0

• update jquery to 3.5.1 (note: 3.5.0 contains important security updates)
• unescape dollar signs and backticks in assert_select_jquery to match Rails updated behavior.

4.3.5

• update jquery to 3.4.1

4.3.4

• update jquery to 3.4.0

4.3.3

• update jquery to 3.3.1

4.3.2

• update jquery to 3.3.0
• Add possibility to test HTML: all, attribute prefix, attribute contains, attribute ends with, child, and class selectors
• Fix matching multiple calls for the same selector/function exception

4.3.1

• update jquery to 3.2.1

4.3.0

• update jquery to 3.2.0
• Add possibility to test HTML attribute selectors

... (truncated)

Commits

• 0342960 Release v4.6.1 with jQuery v3.7.1
• 039b12e Update jquery to v3.7.1 (#305)
• 12869da Release v4.6.0 with jQuery v3.7.0
• 65a9c73 Update jquery to 3.7.0
• fb5a7a8 Merge pull request #293 from MichaelHoste/patch-1
• d9dfbe1 Merge pull request #296 from okuramasafumi/patch-1
• f34a439 Update CHANGELOG.md
• b9e5aa7 Fix typo in CHANGELOG.md (usj => ujs)
• de8792d Release v4.5.1 with jquery 3.6.1 and jquery-ujs 1.2.3
• 7e6f508 Update jquery-ujs to latest v1.2.3
• Additional commits viewable in compare view

Updates omniauth from 1.0.0 to 2.1.4

Release notes

Sourced from omniauth's releases.

v2.1.4

What's Changed

• Add Ruby 3.4 to CI by @​tejasbubane in omniauth/omniauth#1142
• Add after_request_phase callback hook by @​gerardo-navarro in omniauth/omniauth#1147

Full Changelog: omniauth/omniauth@v2.1.3...v2.1.4

You may now configure an after_request_phase callback on your omniauth builder instance. This callback will be run after the request phase before returning the request result.

v2.1.3

What's Changed

• Test against Ruby 3.3 by @​enomotodev in omniauth/omniauth#1128
• Exclude (macos, 2.5) from test matrix by @​TastyPi in omniauth/omniauth#1137
• Avoid using URI::ABS_URI by @​mame in omniauth/omniauth#1136
• Do not override omniauth.origin in environment in test mode by @​TastyPi in omniauth/omniauth#1134

New Contributors

• @​TastyPi made their first contribution in omniauth/omniauth#1137
• @​mame made their first contribution in omniauth/omniauth#1136

Full Changelog: omniauth/omniauth@v2.1.2...v2.1.3

v2.1.2

What's Changed

• Fix bundle install step on CI for TruffleRuby by @​andrykonchin in omniauth/omniauth#1104
• Use GET with :developer strategy. by @​cycomachead in omniauth/omniauth#1106
• Test against Ruby 3.2 by @​enomotodev in omniauth/omniauth#1113
• ci: use ubuntu-latest runner by @​nschonni in omniauth/omniauth#1109
• chore: add Dependabot for version updates by @​nschonni in omniauth/omniauth#1110
• Added Ruby 3.2 to workflow. by @​madogiwa0124 in omniauth/omniauth#1102
• chore: Remove conditions for old (J)Ruby by @​nschonni in omniauth/omniauth#1118
• fix: conditional delegate require Rack/JRuby by @​nschonni in omniauth/omniauth#1122

New Contributors

• @​andrykonchin made their first contribution in omniauth/omniauth#1104
• @​cycomachead made their first contribution in omniauth/omniauth#1106
• @​nschonni made their first contribution in omniauth/omniauth#1109
• @​madogiwa0124 made their first contribution in omniauth/omniauth#1102

Full Changelog: omniauth/omniauth@v2.1.1...v2.1.2

v2.1.1

What's Changed

• Separate jruby and truffle ruby workflows by @​BobbyMcWho in omniauth/omniauth#1065
• Added docs showing how to integrate omniauth with rack_csrf by @​HoneyryderChuck in omniauth/omniauth#1070
• Fixed nil error in callback_path by @​shreyakurian02 in omniauth/omniauth#1092

New Contributors

• @​HoneyryderChuck made their first contribution in omniauth/omniauth#1070
• @​shreyakurian02 made their first contribution in omniauth/omniauth#1092

... (truncated)

Commits

• 20ac5e0 3.1.4 release
• 3a249af Add after_request_phase callback hook (#1147)
• 0bcfd5b Merge pull request #1142 from tejasbubane/ruby-3.4
• 09ee92e include cgi in test group due to removal of cookie
• abfde90 add dependency on logger
• 78d4e1d Prepare for next release
• 844548c Add Ruby 3.4 to CI
• e23567a Merge pull request #1134 from TastyPi/env-override
• c2ebe5b Merge pull request #1136 from mame/avoid-uri-abs_uri
• 35f69b1 Merge pull request #1137 from TastyPi/patch-1
• Additional commits viewable in compare view

Updates omniauth from 1.0.0 to 2.1.4

Release notes

Sourced from omniauth's releases.

v2.1.4

What's Changed

• Add Ruby 3.4 to CI by @​tejasbubane in omniauth/omniauth#1142
• Add after_request_phase callback hook by @​gerardo-navarro in omniauth/omniauth#1147

Full Changelog: omniauth/omniauth@v2.1.3...v2.1.4

You may now configure an after_request_phase callback on your omniauth builder instance. This callback will be run after the request phase before returning the request result.

v2.1.3

What's Changed

• Test against Ruby 3.3 by @​enomotodev in omniauth/omniauth#1128
• Exclude (macos, 2.5) from test matrix by @​TastyPi in omniauth/omniauth#1137
• Avoid using URI::ABS_URI by @​mame in omniauth/omniauth#1136
• Do not override omniauth.origin in environment in test mode by @​TastyPi in omniauth/omniauth#1134

New Contributors

• @​TastyPi made their first contribution in omniauth/omniauth#1137
• @​mame made their first contribution in omniauth/omniauth#1136

Full Changelog: omniauth/omniauth@v2.1.2...v2.1.3

v2.1.2

What's Changed

• Fix bundle install step on CI for TruffleRuby by @​andrykonchin in omniauth/omniauth#1104
• Use GET with :developer strategy. by @​cycomachead in omniauth/omniauth#1106
• Test against Ruby 3.2 by @​enomotodev in omniauth/omniauth#1113
• ci: use ubuntu-latest runner by @​nschonni in omniauth/omniauth#1109
• chore: add Dependabot for version updates by @​nschonni in omniauth/omniauth#1110
• Added Ruby 3.2 to workflow. by @​madogiwa0124 in omniauth/omniauth#1102
• chore: Remove conditions for old (J)Ruby by @​nschonni in omniauth/omniauth#1118
• fix: conditional delegate require Rack/JRuby by @​nschonni in omniauth/omniauth#1122

New Contributors

• @​andrykonchin made their first contribution in omniauth/omniauth#1104
• @​cycomachead made their first contribution in omniauth/omniauth#1106
• @​nschonni made their first contribution in omniauth/omniauth#1109
• @​madogiwa0124 made their first contribution in omniauth/omniauth#1102

Full Changelog: omniauth/omniauth@v2.1.1...v2.1.2

v2.1.1

What's Changed

• Separate jruby and truffle ruby workflows by @​BobbyMcWho in omniauth/omniauth#1065
• Added docs showing how to integrate omniauth with rack_csrf by @​HoneyryderChuck in omniauth/omniauth#1070
• Fixed nil error in callback_path by @​shreyakurian02 in omniauth/omniauth#1092

New Contributors

• @​HoneyryderChuck made their first contribution in omniauth/omniauth#1070
• @​shreyakurian02 made their first contribution in omniauth/omniauth#1092

... (truncated)

Commits

• 20ac5e0 3.1.4 release
• 3a249af Add after_request_phase callback hook (#1147)
• 0bcfd5b Merge pull request #1142 from tejasbubane/ruby-3.4
• 09ee92e include cgi in test group due to removal of cookie
• abfde90 add dependency on logger
• 78d4e1d Prepare for next release
• 844548c Add Ruby 3.4 to CI
• e23567a Merge pull request #1134 from TastyPi/env-override
• c2ebe5b Merge pull request #1136 from mame/avoid-uri-abs_uri
• 35f69b1 Merge pull request #1137 from TastyPi/patch-1
• Additional commits viewable in compare view

Updates actionmailer from 3.1.1 to 6.1.3

Release notes

Sourced from actionmailer's releases.

v6.0.6.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• Make sanitize_as_sql_comment more strict

  Though this method was likely never meant to take user input, it was attempting sanitization. That sanitization could be bypassed with carefully crafted input.

  This commit makes the sanitization more robust by replacing any occurrances of "/" or "/" with "/ " or " /". It also performs a first pass to remove one surrounding comment to avoid compatibility issues for users relying on the existing removal.

  This also clarifies in the documentation of annotate that it should not be provided user input.

  [CVE-2023-22794]

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

... (truncated)

Commits

• 5aaaa16 Preparing for 6.1.3 release
• 130c128 Preparing for 6.1.2.1 release
• bf8c59c Preparing for 6.1.2 release
• 9386cb0 Rename master to main in all code references
• 5f3ff60 Preparing for 6.1.1 release
• 928c97d Merge pull request #40848 from jetthoughts/use_default_queue_for_assert_enque...
• 914caca Preparing for 6.1.0 release
• 3930449 Change default queue name of all the internal jobs to be the job adapter's de...
• b38eb45 Preparing for 6.1.0.rc2 release
• 8389f99 Preparing for 6.1.0.rc1 release
• Additional commits viewable in compare view

Updates actionpack from 3.1.1 to 6.1.3

Release notes

Sourced from actionpack's releases.

v6.0.6.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• Make sanitize_as_sql_comment more strict

  Though this method was likely never meant to take user input, it was attempting sanitization. That sanitization could be bypassed with carefully crafted input.

  This commit makes the sanitization more robust by replacing any occurrances of "/" or "/" with "/ " or " /". It also performs a first pass to remove one surrounding comment to avoid compatibility issues for users relying on the existing removal.

  This also clarifies in the documentation of annotate that it should not be provided user input.

  [CVE-2023-22794]

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

... (truncated)

Commits

• 5aaaa16 Preparing for 6.1.3 release
• e322277 Merge pull request #41463 from jhawthorn/isolated_engine_controller_subclasses
• eddb809 Merge pull request #41441 from jonathanhefner/apidocs-inline-code-markup
• 32064ab Remove unnessary escape char in Regexp
• 130c128 Preparing for 6.1.2.1 release
• b5de7b3 Prevent open redirect when allowed host starts with a dot
• bf8c59c Preparing for 6.1.2 release
• 42ad010 Merge pull request #41280 from kentakag/fix-raw-params-method-to-not-raise-an...
• 04d6ac8 Merge pull request #41223 from janko/controller-throw-log-subscriber
• 9386cb0 Rename master to main in all code references
• Additional commits viewable in compare view

Updates activerecord from 3.1.1 to 6.1.3

Release notes

Sourced from activerecord's releases.

v6.0.6.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• Make sanitize_as_sql_comment more strict

  Though this method was likely never meant to take user input, it was attempting sanitization. That sanitization could be bypassed with carefully crafted input.

  This commit makes the sanitization more robust by replacing any occurrances of "/" or "/" with "/ " or " /". It also performs a first pass to remove one surrounding comment to avoid compatibility issues for users relying on the existing removal.

  This also clarifies in the documentation of annotate that it should not be provided user input.

  [CVE-2023-22794]

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

... (truncated)

Commits

• 5aaaa16 Preparing for 6.1.3 release
• 4f5e6b5 Revert "Merge pull request #41232 from code4me/fix-malformed-packet-master"
• eddb809 Merge pull request #41441 from jonathanhefner/apidocs-inline-code-markup
• 2a7ff0a Merge pull request #41419 from smartygus/activerecord-findermethod-include-wi...
• 442c6f1 Merge PR #41356
• 48af94b Merge pull request #41394 from afrase/recursive-association-fix
• 2ca0d66 Fix string quotes
• 8d825b5 Make we always type cast TimeWithZone objects before passing to mysql2
• d0f5164 Merge branch '6-1-sec' into 6-1-stable
• 130c128 Preparing for 6.1.2.1 release
• Additional commits viewable in compare view

Updates activesupport from 3.1.1 to 6.1.3

Release notes

Sourced from activesupport's releases.

v6.0.6.1

Active Support

• No changes.

Active Model

• No changes.

Active Record

• Make sanitize_as_sql_comment more strict

  Though this method was likely never meant to take user input, it was attempting sanitization. That sanitization could be bypassed with carefully crafted input.

  This commit makes the sanitization more robust by replacing any occurrances of "/" or "/" with "/ " or " /". It also performs a first pass to remove one surrounding comment to avoid compatibility issues for users relying on the existing removal.

  This also clarifies in the documentation of annotate that it should not be provided user input.

  [CVE-2023-22794]

Action View

• No changes.

Action Pack

• No changes.

Active Job

• No changes.

... (truncated)

Commits

• 5aaaa16 Preparing for 6.1.3 release
• eddb809 Merge pull request #41441 from jonathanhefner/apidocs-inline-code-markup
• 130c128 Preparing for 6.1.2.1 release
• bf8c59c Preparing for 6.1.2 release
• ca798c0 Merge pull request #41381 from movermeyer/allow_for_nil_addresses_from_dalli_...
• 97a0a94 Fix warning with Ruby 2.7 on Time.at with keyword arguments
• 5400804 Merge pull request #41376 from fatkodima/memcached-normalize_key-nil
• 9386cb0 Rename master to main in all code references
• 5f3ff60 Preparing for 6.1.1 release
• b02ceaa Merge pull request #41027 from flavorjones/flavorjones-fix-nokogiri-xml-mini-...
• Additional commits viewable in compare view

Updates i18n from 0.6.0 to 1.14.8

Release notes

Sourced from i18n's releases.

v1.14.8

Full Changelog: ruby-i18n/i18n@v1.14.7...v1.14.8

What's Changed

• Remove unused cgi require for Ruby 3.5 compatibility by @​Earlopain in ruby-i18n/i18n#713
• Explicitly require pathname by @​voxik in ruby-i18n/i18n#708
• CI: Add Ruby 3.4 to CI Matrix by @​taketo1113 in ruby-i18n/i18n#722
• Fix: I18n.locale reset in Fiber context by using Thread#thread_variable by @​lee266 in ruby-i18n/i18n#724
• CI: Use actions/checkout@v5 by @​olleolleolle in ruby-i18n/i18n#721
• Fix compatibility with --enable-frozen-string-literal by @​byroot in ruby-i18n/i18n#726

New Contributors

• @​Earlopain made their first contribution in ruby-i18n/i18n#713
• @​taketo1113 made their first contribution in ruby-i18n/i18n#722
• @​lee266 made their first contribution in ruby-i18n/i18n#724
• @​byroot made their first contribution in ruby-i18n/i18n#726

Full Changelog: ruby-i18n/i18n@v1.14.7...v1.14.8

v1.14.7

What's Changed

• Ruby 3.4 Hash#inspect compatibility. by @​voxik in ruby-i18n/i18n#709
• Removed (annoying) post-install message that was triggering on all Rubies, rather than the specified versions.

Full Changelog: ruby-i18n/i18n@v1.14.6...v1.14.7

v1.14.6

What's Changed

Ruby < 3.2 support will be dropped April 2025. Upgrade now to continue using i18n after that date.

• fix issues with RDoc generation by @​davetron5000 in ruby-i18n/i18n#698
• Fix loading of .rb locale files when load_path is not a string by @​stevegeek in ruby-i18n/i18n#701
• Fixes strings being interpolated multiple times by @​alexpls in ruby-i18n/i18n#699
• Optimize pluralization logic in test data by @​zachmargolis in ruby-i18n/i18n#697
• [FIX] Raise ArgumentError on nil key in exists? by @​KinWang-2013 in ruby-i18n/i18n#696

New Contributors

• @​davetron5000 made their first contribution in ruby-i18n/i18n#698
• @​stevegeek made their first contribution in ruby-i18n/i18n#701
• @​alexpls made their first contribution in ruby-i18n/i18n#699
• @​zachmargolis made their first contribution in ruby-i18n/i18n#697
• @​KinWang-2013 made their first contribution in ruby-i18n/i18n#696

Full Changelog: ruby-i18n/i18n@v1.14.5...v1.14.6

v1.14.5

... (truncated)

Commits

• f2fb6a5 Bump to 1.14.9
• ef62253 Merge pull request #726 from byroot/fstr-compat
• 0022013 Merge branch 'master' into fstr-compat
• dee96b6 Remove testing for EOL Rubies 3.1 + 3.0
• c6873f9 Merge remote-tracking branch 'olleolleolle/patch-1'
• 2134338 Merge pull request #724 from lee266/fix/i18n-locale-thread-variable
• 3f9ae64 Fix compatibility with --enable-frozen-string-literal
• d64a88d Merge pull request #722 from taketo1113/ci-ruby-3.4
• 0e5484f CI: Fix rails version specification in gemfiles to run with the specified min...
• 960ab2b CI: Add ruby 3.4 to CI Matrix
• Additional commits viewable in compare view

Updates nokogiri from 1.5.0 to 1.19.0

Release notes

Sourced from nokogiri's releases.

v1.19.0 / 2025-12-28

Ruby

This release is focused on changes to Ruby version support, and is otherwise functionally identical to v1.18.10.

• Introduce native gem support for Ruby 4.0. #3590
• End support for Ruby 3.1, for which upstream support ended 2025-03-26.
• End support for JRuby 9.4 (which targets Ruby 3.1 compatibility).

11a97ecc3c0e7e5edcf395720b10860ef493b768f6aa80c539573530bc933767  nokogiri-1.19.0-aarch64-linux-gnu.gem
eb70507f5e01bc23dad9b8dbec2b36ad0e61d227b42d292835020ff754fb7ba9  nokogiri-1.19.0-aarch64-linux-musl.gem
572a259026b2c8b7c161fdb6469fa2d0edd2b61cd599db4bbda93289abefbfe5  nokogiri-1.19.0-arm-linux-gnu.gem
23ed90922f1a38aed555d3de4d058e90850c731c5b756d191b3dc8055948e73c  nokogiri-1.19.0-arm-linux-musl.gem
0811dfd936d5f6dd3f6d32ef790568bf29b2b7bead9ba68866847b33c9cf5810  nokogiri-1.19.0-arm64-darwin.gem
5f3a70e252be641d8a4099f7fb4cc25c81c632cb594eec9b4b8f2ca8be4374f3  nokogiri-1.19.0-java.gem
05d7ed2d95731edc9bef2811522dc396df3e476ef0d9c76793a9fca81cab056b  nokogiri-1.19.0-x64-mingw-ucrt.gem
1dad56220b603a8edb9750cd95798bffa2b8dd9dd9aa47f664009ee5b43e3067  nokogiri-1.19.0-x86_64-darwin.gem
f482b95c713d60031d48c44ce14562f8d2ce31e3a9e8dd0ccb131e9e5a68b58c  nokogiri-1.19.0-x86_64-linux-gnu.gem
1c4ca6b381622420073ce6043443af1d321e8ed93cc18b08e2666e5bd02ffae4  nokogiri-1.19.0-x86_64-linux-musl.gem
e304d21865f62518e04f2bf59f93bd3a97ca7b07e7f03952946d8e1c05f45695  nokogiri-1.19.0.gem

v1.18.10 / 2025-09-15

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.13.9. Note that the security fixes published in v2.13.9 were already present in Nokogiri v1.18.9.
• [CRuby] [Windows and MacOS] Vendored libiconv is updated to v1.18

7fb87235d729c74a2be635376d82b1d459230cc17c50300f8e4fcaabc6195344  nokogiri-1.18.10-aarch64-linux-gnu.gem
7e74e58314297cc8a8f1b533f7212d1999dbe2639a9ee6d97b483ea2acc18944  nokogiri-1.18.10-aarch64-linux-musl.gem
51f4f25ab5d5ba1012d6b16aad96b840a10b067b93f35af6a55a2c104a7ee322  nokogiri-1.18.10-arm-linux-gnu.gem
1c6ea754e51cecc85c30ee8ab1e6aa4ce6b6e134d01717e9290e79374a9e00aa  nokogiri-1.18.10-arm-linux-musl.gem
c2b0de30770f50b92c9323fa34a4e1cf5a0af322afcacd239cd66ee1c1b22c85  nokogiri-1.18.10-arm64-darwin.gem
cd431a09c45d84a2f870ba0b7e8f571199b3727d530f2b4888a73639f76510b5  nokogiri-1.18.10-java.gem
64f40d4a41af9f7f83a4e236ad0cf8cca621b97e31f727b1bebdae565a653104  nokogiri-1.18.10-x64-mingw-ucrt.gem
536e74bed6db2b5076769cab5e5f5af0cd1dccbbd75f1b3e1fa69d1f5c2d79e2  nokogiri-1.18.10-x86_64-darwin.gem
ff5ba26ba2dbce5c04b9ea200777fd225061d7a3930548806f31db907e500f72  nokogiri-1.18.10-x86_64-linux-gnu.gem
0651fccf8c2ebbc2475c8b1dfd7ccac3a0a6d09f8a41b72db8c21808cb483385  nokogiri-1.18.10-x86_64-linux-musl.gem
d5cc0731008aa3b3a87b361203ea3d19b2069628cb55e46ac7d84a0445e69cc1  nokogiri-1.18.10.gem
</tr></table> 

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.19.0 / 2025-12-28

Ruby

This release is focused on changes to Ruby version support, and is otherwise functionally identical to v1.18.10.

• Introduce native gem support for Ruby 4.0. #3590
• End support for Ruby 3.1, for which upstream support ended 2025-03-26.
• End support for JRuby 9.4 (which targets Ruby 3.1 compatibility).

v1.18.10 / 2025-09-15

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.13.9. Note that the security fixes published in v2.13.9 were already present in Nokogiri v1.18.9.
• [CRuby] [Windows and MacOS] Vendored libiconv is updated to v1.18

v1.18.9 / 2025-07-20

Security

• [CRuby] Applied upstream libxml2 patches to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796. See GHSA-353f-x4gh-cqq8 for more information.

v1.18.8 / 2025-04-21

Security

• [CRuby] Vendored libxml2 is updated to v2.13.8 to address CVE-2025-32414 and CVE-2025-32415. See GHSA-5w6v-399v-w3cc for more information.

v1.18.7 / 2025-03-31

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.13.7, which is a bugfix release.

v1.18.6 / 2025-03-24

Fixed

• [JRuby] In HTML documents, Node#attribute now returns the correct attribute. This has been broken, and returning nil, since v1.17.0. (#3487) @​flavorjones

v1.18.5 / 2025-03-19

Fixed

... (truncated)

Commits

• d77bfb6 version bump to v1.19.0
• 1eb5c2c dev: convert scripts/test-gem-set to use mise
• 88a120f dep: Add native Ruby 4 support, drop Ruby 3.1 support (v1.19.x) (#3592)
• f8c8f74 Skip the parser compression test for Windows system libs
• e91c0fc ci: temporarily pin to setup-ruby with windows ruby 4
• 1b08acc dep: update to minitest 6
• 404487d dep: require JRuby >= 10.0
• 19b22ea dep: add support for native Ruby 4.0 gem
• ec57d11 ci: bump versions in CI images
• f7b640f ci: avoid bundler collisions in downstream tests
• Additional commits viewable in compare view

Updates rack from 1.3.5 to 2.2.21

Release notes

Sourced from rack's releases.

v2.2.8.1

What's Changed

• Fixed ReDoS in Accept header parsing [CVE-2024-26146]
• Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
• Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: rack/rack@v2.2.8...v2.2.8.1

v2.2.8

What's Changed

• Limit file extension length of multipart tempfiles (2.2 backport) by @​dentarg in rack/rack#2075
• CHANGELOG: Add missing 2.2.7 by @​tisba in rack/rack#2081
• Update cookie.rb by @​dchandekstark in rack/rack#2092
• Prefer ubuntu-latest for testing. by @​ioquatix in rack/rack#2095
• Fix inefficient assert pattern in Rack::Lint [2-2-stable] by @​skipkayhil in rack/rack#2101
• Regenerate SPEC [2-2-stable] by @​skipkayhil in rack/rack#2102

New Contributors

• @​tisba made their first contribution in rack/rack#2081
• @​dchandekstark made their first contribution in rack/rack#2092

Full Changelog: rack/rack@v2.2.7...v2.2.8

v2.2.7

What's Changed

• Correct the year number in the changelog by @​kimulab in rack/rack#2015
• Support underscore in host names for Rack 2.2 (Fixes #2070) by @​jeremyevans in rack/rack#2071

New Contributors

• @​kimulab made their first contribution in rack/rack#2015

Full Changelog: rack/rack@v2.2.6.4...v2.2.7

v2.2.6.4

No release notes provided.

v2.1.4.4

What's Changed

• Fixed ReDoS in Accept header parsing [CVE-2024-26146]

Full Changelog: rack/rack@v2.1.4.3...v2.1.4.4

v2.0.9.4

What's Changed

• Fixed ReDoS in Accept header parsing [CVE-2024-26146]

Full Changelog: rack/rack@v2.0.9.3...v2.0.9.4

Changelog

Sourced from rack's changelog.

[2.2.21] - 2025-11-03

Fixed

• Multipart parser: limit MIME header size check to the unread buffer region to avoid false multipart mime part header too large errors when previously read data accumulates in the scan buffer. (#2392, @​alpaca-tc, @​willnet, @​krororo)

[2.2.20] - 2025-10-10

Security

• CVE-2025-61780 Improper handling of headers in Rack::Sendfile may allow proxy bypass.
• CVE-2025-61919 Unbounded read in Rack::Request form parsing can lead to memory exhaustion.

[2.2.19] - 2025-10-07

Security

• CVE-2025-61772 Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
• CVE-2025-61771 Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
• CVE-2025-61770 Unbounded multipart preamble buffering enables DoS (memory exhaustion)

[2.2.18] - 2025-09-25

Security

• CVE-2025-59830 Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion via semicolon-separated parameters.

[2.2.17] - 2025-06-03

• Backport Rack::MediaType#params now handles parameters without values. (#2263, @​AllyMarthaJ)

[2.2.16] - 2025-05-22

• Fix incorrect backport of optional CGI::Cookie support. (#2335, [@​jeremyevans])

[2.2.15] - 2025-05-18

• Optional support for CGI::Cookie if not available. (#2327, #2333, [@​earlopain])

[2.2.14] - 2025-05-06

⚠️ This release includes a security fix that may cause certain routes in previously working applications to fail if query parameters exceed 4,096 in count or 4 MB in total size. See rack/rack#2356 for more details.

Security

• CVE-2025-46727 Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion.

[2.2.13] - 2025-03-11

Security

... (truncated)

Commits

• 851dc02 Bump patch version.
• 1e6aeda Allow Multipart head to span read boundary. (#2392)
• 6ef5915 Bump patch version.
• 4e2c903 Unbounded read in Rack::Request form parsing can lead to memory exhaustion.
• fba2c8b Improper handling of proxy headers in Rack::Sendfile may allow proxy bypass.
• ed3d834 Normalize adivsories links.
• 4c4ea29 Bump patch version.
• c370dcd Limit amount of retained data when parsing multipart requests
• d869fed Fix denial of service vulnerbilties in multipart parsing
• 0f76d43 Bump patch version.
• Additional commits viewable in compare view

Updates tzinfo from 0.3.30 to 2.0.6

Release notes

Sourced from tzinfo's releases.

v2.0.6

• Eliminate Object#untaint deprecation warnings on JRuby 9.4.0.0. #145.

TZInfo v2.0.6 on RubyGems.org

v2.0.5

• Changed DateTime results to always use the proleptic Gregorian calendar. This affects DateTime results prior to 1582-10-15 and any arithmetic performed on the results that would produce a secondary result prior to 1582-10-15.
• Added support for eager loading all the time zone and country data by calling either TZInfo::DataSource#eager_load! or TZInfo.eager_load!. Compatible with Ruby On Rails' eager_load_namespaces. #129.
• Ignore the SECURITY file from Arch Linux's tzdata package. #134.

TZInfo v2.0.5 on RubyGems.org

v2.0.4

• Fixed an incorrect InvalidTimezoneIdentifier exception raised when loading a zoneinfo file that includes rules specifying an additional transition to the final defined offset (for example, Africa/Casablanca in version 2018e of the Time Zone Database). #123.

TZInfo v2.0.4 on RubyGems.org

v2.0.3

• Added support for handling "slim" format zoneinfo files that are produced by default by zic version 2020b and later. The POSIX-style TZ string is now used calculate DST transition times after the final defined transition in the file. #120.
• Fixed TimeWithOffset#getlocal returning a TimeWithOffset with the timezone_offset still assigned when called with an offset argument on JRuby 9.3.
• Rubinius is no longer supported.

TZInfo v2.0.3 on RubyGems.org

v2.0.2

• Fixed 'wrong number of arguments' errors when running on JRuby 9.0. #114.
• Fixed warnings when running on Ruby 2.8. #113.

TZInfo v2.0.2 on RubyGems.org

v2.0.1

• Fixed "SecurityError: Insecure operation - require" exceptions when loading data with recent Ruby releases in safe mode. #100.
• Fixed warnings when running on Ruby 2.7. #109.
• Added a TZInfo::Timezone#=~ method that performs a regex match on the time zone identifier. #99.
• Added a TZInfo::Country#=~ method that performs a regex match on the country code.

TZInfo v2.0.1 on RubyGems.org

v2.0.0

Added

• to_local and period_for instance methods have been added to TZInfo::Timezone. These are similar to utc_to_local and period_for_utc, but take the UTC offset of the given time into account.
• abbreviation, dst?, base_utc_offset and observed_utc_offset instance methods have been added to TZInfo::Timezone, returning the abbreviation, whether daylight savings time is in effect and the UTC offset of the time zone at a specified time.
• A TZInfo::Timestamp class has been added. It can be used with TZInfo::Timezone in place of a Time or DateTime.
• local_time, local_datetime and local_timestamp instance methods have been added to TZInfo::Timezone. These methods construct local Time, DateTime and TZInfo::Timestamp instances with the correct UTC offset a...

  Description has been truncated