chore(deps): bump the bundler group across 2 directories with 10 updates

[dependabot]

Bumps the bundler group with 2 updates in the /qlty-plugins/plugins/linters/brakeman/fixtures/basic.in directory: puma and actionmailer.
Bumps the bundler group with 2 updates in the /qlty-plugins/plugins/linters/brakeman/fixtures/basic_nested.in/nested directory: puma and actionmailer.

Updates puma from 4.3.12 to 7.2.1

Release notes

Sourced from puma's releases.

v7.2.1

• Bugfixes
  • Limit and anchor PROXY protocol v1 parsing to prevent abuse via crafted inputs (#3947)
  • Parse PROXY protocol only once per connection to prevent injection on keep-alive requests (#3947)

Security advisories

• CVE-2026-47736 / GHSA-qpgp-93vx-g8v8: Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
• CVE-2026-47737 / GHSA-2vqw-3mp8-cgmx: Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections

v7.2.0 - On The Corner

• Features

  • Add workers :auto (#3827)
  • Make it possible to restrict control server commands to stats (#3787)

• Bugfixes

  • Don't break if WEB_CONCURRENCY is set to a blank string (#3837)
  • Don't share server between worker 0 and descendants on refork (#3602)
  • Fix phase check race condition in Puma::Cluster#check_workers (#3690)
  • Fix advertising of CLI config before config files are loaded (#3823)

• Performance

  • 17% faster HTTP parsing through pre-interning env keys (#3825)
  • Implement dsize and dcompact functions for Puma::HttpParser, which makes Puma's C-extension GC-compactible (#3828)

• Refactor

  • Remove NoMethodError rescue in Reactor#select_loop (#3831)
  • Various cleanups in the C extension (#3814)
  • Monomorphize handle_request return (#3802)

• Docs

  • Change link to docs/deployment.md in README.md (#3848)
  • Fix formatting for each signal description in signals.md (#3813)
  • Update deployment and Kubernetes docs with Puma configuration tips (#3807)
  • Rename master to main (#3809, #3808, #3800)
  • Fix some minor typos in the docs (#3804)
  • Add GOVERNANCE.md, MAINTAINERS (#3826)
  • Remove Code Climate badge (#3820)
  • Add @​joshuay03 to the maintainer list

• CI

  • Use Minitest 6 where applicable (#3859)
  • Many test suite improvements and flake fixes (#3861, #3863, #3860, #3852, #3857, #3856, #3845, #3843, #3842, #3841, #3822, #3817, #3764)

v7.1.0

7.1.0 / 2025-10-16 - Neon Witch

• Features

... (truncated)

Changelog

Sourced from puma's changelog.

7.2.1 / 2026-05-27

• Bugfixes
  • Limit and anchor PROXY protocol v1 parsing to prevent abuse via crafted inputs (#3947)
  • Parse PROXY protocol only once per connection to prevent injection on keep-alive requests (#3947)

7.2.0 / 2026-01-20

• Features

  • Add workers :auto (#3827)
  • Make it possible to restrict control server commands to stats (#3787)

• Bugfixes

  • Don't break if WEB_CONCURRENCY is set to a blank string (#3837)
  • Don't share server between worker 0 and descendants on refork (#3602)
  • Fix phase check race condition in Puma::Cluster#check_workers (#3690)
  • Fix advertising of CLI config before config files are loaded (#3823)

• Performance

  • 17% faster HTTP parsing through pre-interning env keys (#3825)
  • Implement dsize and dcompact functions for Puma::HttpParser, which makes Puma's C-extension GC-compactible (#3828)

• Refactor

  • Remove NoMethodError rescue in Reactor#select_loop (#3831)
  • Various cleanups in the C extension (#3814)
  • Monomorphize handle_request return (#3802)

• Docs

  • Change link to docs/deployment.md in README.md (#3848)
  • Fix formatting for each signal description in signals.md (#3813)
  • Update deployment and Kubernetes docs with Puma configuration tips (#3807)
  • Rename master to main (#3809, #3808, #3800)
  • Fix some minor typos in the docs (#3804)
  • Add GOVERNANCE.md, MAINTAINERS (#3826)
  • Remove Code Climate badge (#3820)
  • Add @​joshuay03 to the maintainer list

• CI

  • Use Minitest 6 where applicable (#3859)
  • Many test suite improvements and flake fixes (#3861, #3863, #3860, #3852, #3857, #3856, #3845, #3843, #3842, #3841, #3822, #3817, #3764)

7.1.0 / 2025-10-16

• Features

  • Introduce after_worker_shutdown hook (#3707)
  • Reintroduce keepalive "fast inline" behavior. Provides faster (8x on JRuby & 1.4x on Ruby) pipeline processing (#3794)

• Bugfixes

  • Skip reading zero bytes when request body is buffered (#3795)
  • Fix PUMA_LOG_CONFIG=1 logging twice with prune_bundler enabled (#3778)

... (truncated)

Commits

• 92754ac Release v7.2.1 (#3948)
• ebe9db3 7.2.1 backport (#3947)
• 96b5aa6 v7.2.0 (#3864)
• 5d7d1dd Add workers :auto (#3827)
• b8c4783 ci: fix ci - remove append_as_bytes logic, misc changes (#3861)
• 44a3ac4 Fix PR label manager when maintainer comments [ci skip] (#3863)
• 43f5d89 Add GOVERNANCE.md, MAINTAINERS (#3826)
• 21afa66 Use Minitest 6 where applicable (#3859)
• ec7dd61 ci: Update test_http11.rb for TruffleRuby - string size (#3860)
• fa89dbe ci: add ruby 4.0 and rails 8.1 (#3852)
• Additional commits viewable in compare view

Updates actionmailer from 5.2.8.1 to 6.1.7.9

Release notes

Sourced from actionmailer's releases.

6.1.7.9

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Avoid regex backtracking in HTTP Token authentication

  [CVE-2024-47887]

• Avoid regex backtracking in query parameter filtering

  [CVE-2024-41128]

Active Job

• No changes.

Action Mailer

• Avoid regex backtracking in block_format helper

  [CVE-2024-47889]

Action Cable

• No changes.

Active Storage

... (truncated)

Commits

• b2fbbfb Preparing for 6.1.7.9 release
• 534b3c7 Update CHANGELOGs
• faadb28 Merge pull request #16 from rails/7-0-sec-relase
• 985f192 Avoid backtracking in ActionMailer block_format
• e39361a Preparing for 6.1.7.8 release
• 86521a0 update changelog
• ac87f58 Preparing for 6.1.7.7 release
• fc2f1b8 update changelog
• 56bcc0a Preparing for 6.1.7.6 release
• 1f03e9d Bumping version for new release
• Additional commits viewable in compare view

Updates actionpack from 5.2.8.1 to 6.1.7.9

Release notes

Sourced from actionpack's releases.

6.1.7.9

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Avoid regex backtracking in HTTP Token authentication

  [CVE-2024-47887]

• Avoid regex backtracking in query parameter filtering

  [CVE-2024-41128]

Active Job

• No changes.

Action Mailer

• Avoid regex backtracking in block_format helper

  [CVE-2024-47889]

Action Cable

• No changes.

Active Storage

... (truncated)

Commits

• b2fbbfb Preparing for 6.1.7.9 release
• 534b3c7 Update CHANGELOGs
• faadb28 Merge pull request #16 from rails/7-0-sec-relase
• fb493be Avoid backtracking in filtered_query_string
• 8e057db Avoid backtracking in Token#raw_params
• e39361a Preparing for 6.1.7.8 release
• 86521a0 update changelog
• b329b26 include the HTTP Permissions-Policy on non-HTML Content-Types
• ac87f58 Preparing for 6.1.7.7 release
• fc2f1b8 update changelog
• Additional commits viewable in compare view

Updates actionview from 5.2.8.1 to 6.1.7.9

Release notes

Sourced from actionview's releases.

6.1.7.9

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Avoid regex backtracking in HTTP Token authentication

  [CVE-2024-47887]

• Avoid regex backtracking in query parameter filtering

  [CVE-2024-41128]

Active Job

• No changes.

Action Mailer

• Avoid regex backtracking in block_format helper

  [CVE-2024-47889]

Action Cable

• No changes.

Active Storage

... (truncated)

Commits

• b2fbbfb Preparing for 6.1.7.9 release
• e39361a Preparing for 6.1.7.8 release
• 86521a0 update changelog
• ac87f58 Preparing for 6.1.7.7 release
• fc2f1b8 update changelog
• 56bcc0a Preparing for 6.1.7.6 release
• 1f03e9d Bumping version for new release
• 3a1b615 Preparing for 6.1.7.5 release
• c2af578 bumping version / changelog
• 7d949d7 Preparing for 6.1.7.4 release
• Additional commits viewable in compare view

Updates activerecord from 5.2.8.1 to 6.1.7.9

Release notes

Sourced from activerecord's releases.

6.1.7.9

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Avoid regex backtracking in HTTP Token authentication

  [CVE-2024-47887]

• Avoid regex backtracking in query parameter filtering

  [CVE-2024-41128]

Active Job

• No changes.

Action Mailer

• Avoid regex backtracking in block_format helper

  [CVE-2024-47889]

Action Cable

• No changes.

Active Storage

... (truncated)

Commits

• b2fbbfb Preparing for 6.1.7.9 release
• faadb28 Merge pull request #16 from rails/7-0-sec-relase
• e39361a Preparing for 6.1.7.8 release
• 86521a0 update changelog
• ac87f58 Preparing for 6.1.7.7 release
• fc2f1b8 update changelog
• 56bcc0a Preparing for 6.1.7.6 release
• 1f03e9d Bumping version for new release
• 3a1b615 Preparing for 6.1.7.5 release
• c2af578 bumping version / changelog
• Additional commits viewable in compare view

Updates activestorage from 5.2.8.1 to 6.1.7.9

Release notes

Sourced from activestorage's releases.

6.1.7.9

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Avoid regex backtracking in HTTP Token authentication

  [CVE-2024-47887]

• Avoid regex backtracking in query parameter filtering

  [CVE-2024-41128]

Active Job

• No changes.

Action Mailer

• Avoid regex backtracking in block_format helper

  [CVE-2024-47889]

Action Cable

• No changes.

Active Storage

... (truncated)

Commits

• b2fbbfb Preparing for 6.1.7.9 release
• faadb28 Merge pull request #16 from rails/7-0-sec-relase
• e39361a Preparing for 6.1.7.8 release
• 86521a0 update changelog
• ac87f58 Preparing for 6.1.7.7 release
• fc2f1b8 update changelog
• 78fe149 Merge pull request #48869 from brunoprietog/disable-session-active-storage-pr...
• 56bcc0a Preparing for 6.1.7.6 release
• 1f03e9d Bumping version for new release
• 3a1b615 Preparing for 6.1.7.5 release
• Additional commits viewable in compare view

Updates activesupport from 5.2.8.1 to 6.1.7.9

Release notes

Sourced from activesupport's releases.

6.1.7.9

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Avoid regex backtracking in HTTP Token authentication

  [CVE-2024-47887]

• Avoid regex backtracking in query parameter filtering

  [CVE-2024-41128]

Active Job

• No changes.

Action Mailer

• Avoid regex backtracking in block_format helper

  [CVE-2024-47889]

Action Cable

• No changes.

Active Storage

... (truncated)

Commits

• b2fbbfb Preparing for 6.1.7.9 release
• faadb28 Merge pull request #16 from rails/7-0-sec-relase
• e39361a Preparing for 6.1.7.8 release
• 86521a0 update changelog
• ac87f58 Preparing for 6.1.7.7 release
• fc2f1b8 update changelog
• 56bcc0a Preparing for 6.1.7.6 release
• 1f03e9d Bumping version for new release
• 3a1b615 Preparing for 6.1.7.5 release
• c2af578 bumping version / changelog
• Additional commits viewable in compare view

Updates net-imap from 0.3.4 to 0.6.4.1

Release notes

Sourced from net-imap's releases.

v0.6.4.1

What's Changed

🔒 Security

This release fixes several more security vulnerabilities which are related to the fixes in v0.6.4. Please see the linked security advisories for more information.

• (moderate) Command Injection via non-synchronizing literal in "raw" argument (CVE-2026-47240, GHSA-8p34-64r3-mwg8) This vulnerability depends how the server interprets non-synchronizing literals. The connection is not vulnerable if the server supports non-synchronizing literals.
  • 🥅 Validate non-synchronizing literals support by @​nevans in ruby/net-imap#701
• (moderate) Command Injection via unvalidated ID and ENABLE arguments (CVE-2026-47242, GHSA-46q3-7gv7-qmgg)
  • 🥅 Validate ID values contain only valid bytes by @​nevans in ruby/net-imap#698
  • 🥅 Validate #enable arguments are all atoms by @​nevans in ruby/net-imap#699 NOTE: #enable should never be called with untrusted input.
• (low) Denial of Service via incomplete "raw" argument validation (CVE-2026-47241, GHSA-c4fp-cxrr-mj66) This results in the affected command hanging until the connection is closed. If another thread attempts to send a concurrent pipelined command, the first thread will return with a syntax error and the second thread will hang until the connection closes.
  • Reported by @​fg0x0
  • 🐛 Prevent trailing {0} in RawData validation by @​nevans in ruby/net-imap#700

Added

• 🔍 Add more detail to Net::IMAP#inspect TLS info by @​nevans in ruby/net-imap#674

Fixed

• 🔧 Disallow config.max_non_synchronizing_literal = nil by @​nevans in ruby/net-imap#672
• 🧵 Fix deadlock in #disconnect by @​nevans in ruby/net-imap#686
• 🥅 Validate that Atom and Flag are not empty by @​nevans in ruby/net-imap#684

Documentation

• ⚠️ Boost visibility of raw data argument documentation warnings by @​nevans in ruby/net-imap#677

Other Changes

• 🏷️ Allow 64-bit Integer arguments by @​nevans in ruby/net-imap#675
• 🥅 Ensure send_number_data input is an Integer by @​nevans in ruby/net-imap#676
• ♻️ Improve RawData.new, Add RawData.split by @​nevans in ruby/net-imap#679
• 🏷️ Less strict number string coercion, to match RFCs by @​nevans in ruby/net-imap#680
• 🥅 Validate response literal byte size format by @​nevans in ruby/net-imap#681

Miscellaneous

• ⬆️ Bump step-security/harden-runner from 2.19.0 to 2.19.1 by @​dependabot[bot] in ruby/net-imap#673
• ✅ Improvements to tests' FakeServer by @​nevans in ruby/net-imap#678
• ⬆️ Bump step-security/harden-runner from 2.19.1 to 2.19.3 by @​dependabot[bot] in ruby/net-imap#682
• ⬆️ Bump step-security/harden-runner from 2.19.3 to 2.19.4 by @​dependabot[bot] in ruby/net-imap#683

Full Changelog: ruby/net-imap@v0.6.4...v0.6.4.1

v0.6.4

What's Changed

... (truncated)

Commits

• 357f3b5 🔖 Bump version to 0.6.4.1
• e066b83 🔀 Merge pull request #701 from ruby/security/validate-non_sync_literal-support
• 0ea9eba ✅ Fix flaky tests for MacOS, TruffleRuby
• 5cad699 🔀 Merge pull request #700 from ruby/security/fix-raw_data-trailing-literal-ma...
• 5a0af4a 🔀 Merge pull request #699 from ruby/security/validate-enable-arguments
• b9d1972 🔀 Merge pull request #698 from ruby/security/validate-quoted-data
• 07e002b ♻️ Use QuotedString internally to send quoted string
• ae9f83b ♻️ Extract str.bytesize lvar in send_literal
• d6ddd29 🐛 Prevent trailing {0} in RawData validation
• 1f97168 🥅 Validate #enable arguments are all atoms
• Additional commits viewable in compare view

Updates nokogiri from 1.14.1 to 1.19.4

Release notes

Sourced from nokogiri's releases.

v1.19.4 / 2026-06-18

Security

• [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
• [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
• [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
• [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
• [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
• [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
• [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
• [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
• [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.

1269fb644a6de405057a53dd5c762b1209b43ca7424f839454d3dbc677c31a8f  nokogiri-1.19.4-aarch64-linux-gnu.gem
35c65b9ce72b3bb03207bdbe7067915019dc18c1b9b59139684bd6690fdd01af  nokogiri-1.19.4-aarch64-linux-musl.gem
a301313e38bb065d68239e79734bcd6f56fb6efaacebde29e9abf2a4735340ca  nokogiri-1.19.4-arm-linux-gnu.gem
588923c101bcfa78869734d247d25b598674323e7f22474fc468f6e5647311eb  nokogiri-1.19.4-arm-linux-musl.gem
a46db9853286e6597b36ebc6953817d15acf3a299583eb3f89fdc6f91dd63527  nokogiri-1.19.4-arm64-darwin.gem
ce04b9e268c9626852231a48b49128ed52034f1ccb39484a6da3875491cd709e  nokogiri-1.19.4-java.gem
051da97b8eccfdb5444fed40246a35e10d7298b9efe759b4cd25455ea04c587e  nokogiri-1.19.4-x64-mingw-ucrt.gem
7fd17057d3e1f00e9954a74b3cd76595d3d4a5ef233b7ed9599047c204f70551  nokogiri-1.19.4-x86_64-darwin.gem
379fae440b28915e3f19d752ce2dcf8465ed2b2fbefd2a7ca0dd497bc981a06a  nokogiri-1.19.4-x86_64-linux-gnu.gem
17dfb7c1fa194ae02fbf7c51a7afc8d278045ab3fdacfd86f91d02d7b274470b  nokogiri-1.19.4-x86_64-linux-musl.gem
50c951611c92bca05c51411aef45f1cbc50f2821c4802758c5c6d34696533ab5  nokogiri-1.19.4.gem

v1.19.3 / 2026-04-27

Fixed / Security

• Address exponential regex backtracking in CSS selector tokenizer. See GHSA-c4rq-3m3g-8wgx for more information.
• [CRuby] Address memory leak in XSLT::Stylesheet#transform. See GHSA-v2fc-qm4h-8hqv for more information.

46b89e5d7b9e844c2ee360794240c6ea2a4e6fa0c5892a4ed487db621224b639  nokogiri-1.19.3-aarch64-linux-gnu.gem
8392dfdcd21be7a94dbbe9ccc138dea01b97b24cb2dc02a114ca98bfb1d9a0b7  nokogiri-1.19.3-aarch64-linux-musl.gem
3919d5ffc334ad778a4a9eb88fda7dcb8b1fb58c8a52ac640c6dcd2f038e774f  nokogiri-1.19.3-arm-linux-gnu.gem
9ce1cb6346bb9c67b1550eb537aa183ead91e4b6eadb2f36ade02d8dd2a79fb6  nokogiri-1.19.3-arm-linux-musl.gem
71b9bd424b1b7abc18b05052a1a3cfd3627abdca62be280854cc411791357e42  nokogiri-1.19.3-arm64-darwin.gem
40ea6ebf5cf2005dae1dee26dd557d3afb41fb6de6c9764aca8cf06fdb841db1  nokogiri-1.19.3-java.gem
8bb7132cad356c879a1286eaabcb5e68326cb2490317984280fbc62f456d506a  nokogiri-1.19.3-x64-mingw-ucrt.gem
</tr></table> 

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.19.4 / 2026-06-18

Security

• [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
• [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
• [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
• [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
• [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
• [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
• [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
• [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
• [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.

v1.19.3 / 2026-04-27

Fixed / Security

• Address exponential regex backtracking in CSS selector tokenizer. See GHSA-c4rq-3m3g-8wgx for more information.
• [CRuby] Address memory leak in XSLT::Stylesheet#transform. See GHSA-v2fc-qm4h-8hqv for more information.

v1.19.2 / 2026-03-19

Dependencies

• [JRuby] Saxon-HE is updated to 12.7, from 9.6.0-4. Saxon-HE is a transitive dependency of nu.validator:jing, and this update addresses CVEs in Saxon-HE's own transitive dependencies JDOM and dom4j. We don't think this warrants a security release, however we're cutting a patch release to help users whose security scanners are flagging this. #3611 @​flavorjones

v1.19.1 / 2026-02-16

Security

• [CRuby] Address unchecked return value from xmlC14NExecute which was a contributing cause to ruby-saml GHSA-x4h9-gwv3-r4m4. See GHSA-wx95-c6cv-8532 for more information.

v1.19.0 / 2025-12-28

Ruby

This release is focused on changes to Ruby version support, and is otherwise functionally identical to v1.18.10.

• Introduce native gem support for Ruby 4.0. #3590
• End support for Ruby 3.1, for which upstream support ended 2025-03-26.
• End support for JRuby 9.4 (which targets Ruby 3.1 compatibility).

v1.18.10 / 2025-09-15

... (truncated)

Commits

• 8cfb9da version bump to v1.19.4
• a856d1e fix: JRuby NONET bypass in XML::Schema (v1.19.x) (#3639)
• 6a0aa1e fix(CRuby): use-after-free in Document#encoding= when setter raises (v1.19.x)...
• f658a54 fix: JRuby NONET bypass in XML::Schema
• 39d26fe fix(CRuby): use-after-free in Document#encoding= when setter raises
• 04a09dd fix(CRuby): out-of-bounds read in NodeSet#[] with large negative index (v1.19...
• 7799fbd fix: avoid NPE on uninitialized XML::Node structs (v1.19.x) (#3645)
• ef19e13 fix(CRuby): avoid UAF in XML::Attr#value= (v1.19.x) (#3644)
• 5524fa9 fix: Document#root= rejects non-element nodes (v1.19.x) (#3643)
• 9891ad1 fix(CRuby): use-after-free in XPathContext document lifetime (v1.19.x) (#3641)
• Additional commits viewable in compare view

Updates rack from 2.2.6.2 to 2.2.23

Release notes

Sourced from rack's releases.

v2.2.8.1

What's Changed

• Fixed ReDoS in Accept header parsing [CVE-2024-26146]
• Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
• Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: rack/rack@v2.2.8...v2.2.8.1

v2.2.8

What's Changed

• Limit file extension length of multipart tempfiles (2.2 backport) by @​dentarg in rack/rack#2075
• CHANGELOG: Add missing 2.2.7 by @​tisba in rack/rack#2081
• Update cookie.rb by @​dchandekstark in rack/rack#2092
• Prefer ubuntu-latest for testing. by @​ioquatix in rack/rack#2095
• Fix inefficient assert pattern in Rack::Lint [2-2-stable] by @​skipkayhil in rack/rack#2101
• Regenerate SPEC [2-2-stable] by @​skipkayhil in rack/rack#2102

New Contributors

• @​tisba made their first contribution in rack/rack#2081
• @​dchandekstark made their first contribution in rack/rack#2092

Full Changelog: rack/rack@v2.2.7...v2.2.8

v2.2.7

What's Changed

• Correct the year number in the changelog by @​kimulab in rack/rack#2015
• Support underscore in host names for Rack 2.2 (Fixes #2070) by @​jeremyevans in rack/rack#2071

New Contributors

• @​kimulab made their first contribution in rack/rack#2015

Full Changelog: rack/rack@v2.2.6.4...v2.2.7

v2.2.6.4

No release notes provided.

Changelog

Sourced from rack's changelog.

[2.2.23] - 2026-04-01

Security

• CVE-2026-34763 Root directory disclosure via unescaped regex interpolation in Rack::Directory.
• CVE-2026-34230 Avoid O(n^2) algorithm in Rack::Utils.select_best_encoding which could lead to denial of service.
• CVE-2026-26961 Raise error for multipart requests with multiple boundary parameters.
• CVE-2026-34786 Rack::Static header_rules bypass via URL-encoded path mismatch.
• CVE-2026-34831 Content-Length mismatch in Rack::Files error responses.
• CVE-2026-34826 Multipart byte range processing allows denial of service via excessive overlapping ranges.
• CVE-2026-34830 Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect.
• CVE-2026-34785 Rack::Static prefix matching can expose unintended files under the static root.
• CVE-2026-34829 Multipart parsing without Content-Length header allows unbounded chunked file uploads.

[2.2.22] - 2026-02-16

Security

• CVE-2026-25500 XSS injection via malicious filename in Rack::Directory.
• CVE-2026-22860 Directory traversal via root prefix bypass in Rack::Directory.

[2.2.21] - 2025-11-03

Fixed

• Multipart parser: limit MIME header size check to the unread buffer region to avoid false multipart mime part header too large errors when previously read data accumulates in the scan buffer. (#2392, @​alpaca-tc, @​willnet, @​krororo)

[2.2.20] - 2025-10-10

Security

• CVE-2025-61780 Improper handling of headers in Rack::Sendfile may allow proxy bypass.
• CVE-2025-61919 Unbounded read in Rack::Request form parsing can lead to memory exhaustion.

[2.2.19] - 2025-10-07

Security

• CVE-2025-61772 Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
• CVE-2025-61771 Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
• CVE-2025-61770 Unbounded multipart preamble buffering enables DoS (memory exhaustion)

[2.2.18] - 2025-09-25

Security

• CVE-2025-59830 Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion via semicolon-separated parameters.

[2.2.17] - 2025-06-03

... (truncated)

Commits

• f2af0c8 Bump patch version.
• 345b744 Fix tests for old Rubies.
• e2d8e30 Add version guard around non-default gems.
• add1a80 Fix handling of Errno::EPIPE in multipart tests.
• 54261ec Fix typo in test.
• a36f48b Add ostruct to Gemfile.
• 8883f0d Fix test expectation.
• 2287a3b Add logger to gemfile.
• e6540e5 Add Ruby v4.0 to the test matrix.
• c42e357 Add Content-Length size check in Rack::Multipart::Parser
• Additional commits viewable in compare view

Updates puma from 4.3.12 to 7.2.1

Release notes

Sourced from puma's releases.

v7.2.1

• Bugfixes
  • Limit and anchor PROXY protocol v1 parsing to prevent abuse via crafted inputs (#3947)
  • Parse PROXY protocol only once per connection to prevent injection on keep-alive requests (#3947)

Security advisories

• CVE-2026-47736 / GHSA-qpgp-93vx-g8v8: Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
• CVE-2026-47737 / GHSA-2vqw-3mp8-cgmx: Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections

v7.2.0 - On The Corner

• Features

  • Add workers :auto (#3827)
  • Make it possible to restrict control server commands to stats (#3787)

• Bugfixes

  • Don't break if WEB_CONCURRENCY is set to a blank string (#3837)
  • Don't share server between worker 0 and descendants on refork (#3602)
  • Fix phase check race condition in Puma::Cluster#check_workers (#3690)
  • Fix advertising of CLI config before config files are loaded (#3823)

• Performance

  • 17% faster HTTP parsing through pre-interning env keys (#3825)
  • Implement dsize and dcompact functions for Puma::HttpParser, which makes Puma's C-extension GC-compactible (#3828)

• Refactor

  • Remove NoMethodError rescue in Reactor#select_loop (#3831)
  • Various cleanups in the C extension (#3814)
  • Monomorphize handle_request return (#3802)

• Docs

  • Change link to docs/deployment.md in README.md (#3848)
  • Fix formatting for each signal description in signals.md (#3813)
  • Update deployment and Kubernetes docs with Puma configuration tips (#3807)
  • Rename master to main (#3809, #3808, #3800)
  • Fix some minor typos in the docs (#3804)
  • Add GOVERNANCE.md, MAINTAINERS (#3826)
  • Remove Code Climate badge (#3820)
  • Add @​joshuay03 to the maintainer list

• CI

  • Use Minitest 6 where applicable (