🚨 [security] Update webmock 3.18.1 → 3.25.2 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ webmock (3.18.1 → 3.25.2) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ addressable (indirect, 2.8.1 → 2.8.7) · Repo · Changelog

Release Notes

2.8.7 (from changelog)

• Allow public_suffix 6 (#535)

2.8.6 (from changelog)

• Memoize regexps for common character classes (#524)

2.8.5 (from changelog)

• Fix thread safety issue with encoding tables (#515)
• Define URI::NONE as a module to avoid serialization issues (#509)
• Fix YAML serialization (#508)

2.8.4 (from changelog)

• Restore Addressable::IDNA.unicode_normalize_kc as a deprecated method (#504)

2.8.3 (from changelog)

• Fix template expand level 2 hash support for non-string objects (#499, #498)

2.8.2 (from changelog)

• Improve cache hits and JIT friendliness (#486)
• Improve code style and test coverage (#482)
• Ensure reset of deferred validation (#481)
• Resolve normalization differences between IDNA::Native and IDNA::Pure (#408, #492)
• Remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438) (accidentally reverted by #449 merge but added back in #492)

Does any of this look wrong? Please let us know.

↗️ crack (indirect, 0.4.5 → 1.0.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 23 commits:

• Bump version to v1.0.1
• Bump actions/checkout from 4 to 5 (#88)
• Add dependabot to keep CI up-to-date (#87)
• Fix deprecation warnings for Minitest 6 (#86)
• Handle new "No root element" error from REXML #84 (#85)
• Merge pull request #83 from kiskoza/github-actions-os-fix
• Update Github Action OS to ubuntu-latest
• Merge pull request #81 from kiskoza/ruby-3-4
• Add Ruby 3.4 to the CI matrix
• Bump version to v1.0.0 to indicate that the gem is stable (#80)
• chore: add bundler gem tasks
• New release (#79)
• Merge pull request #68 from voxik/patch-2
• Merge pull request #77 from kiskoza/parse-dates
• Fix parse issue with consecutive dates
• Merge pull request #75 from koic/add_bigdecimal_to_runtime_dependency
• Merge pull request #78 from kiskoza/ci/remove-allow-failures
• Remove allow failures from stable ruby versions
• Merge pull request #74 from dmorehouse/master
• Use GitHub actions (#76)
• Add BigDecimal to gem dependency
• Add Ruby 3.1 support that is backwards compatible
• Ship LICENSE file with the gem

↗️ hashdiff (indirect, 1.0.1 → 1.2.1) · Repo · Changelog

Release Notes

1.2.1 (from changelog)

• Use HTTPS for the source in the Gemfile #101 (@krzysiek1507)

1.2.0 (from changelog)

• Added :preserve_key_order option to maintain original hash key order #99 (@robkiessling)

1.1.2 (from changelog)

• Fix bundler cache #96 (@olleolleolle)
• Quote the '3.0' in YAML #95 (@olleolleolle)
• Fix version in source code #97 (@liufengyun)

1.1.1 (from changelog)

• Fix bug in ignore_keys option #88 (@MatzFan)
• Exclude spec files from gem package #94 (@amatsuda)

1.1.0 (from changelog)

• Add ignore_keys option (#86 @MatzFan)
• Remove pinned version of rake < 11
• Bump rspec dep ~> 3.5
• Bump rubocop dep >= 1.52.1
• Bump rubocop-rspec dep > 1.16.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 32 commits:

• Link to users and issues/PRs in changelog
• Add release note
• Merge pull request #101 from liufengyun/krzysiek1507-patch-1
• Use HTTPS for the source in the Gemfile
• Release 1.1.3
• Merge pull request #99 from robkiessling/preserve-key-order
• Fixed rubocop offenses
• Added :preserve_key_order option to maintain original hash key order
• Release 1.1.2
• Merge pull request #96 from olleolleolle/patch-2
• Merge pull request #95 from olleolleolle/patch-1
• CI: Use bundler-cache in ruby/setup-ruby
• CI: Quote the '3.0' in YAML, to make it render as a full string
• Bump version to 1.1.1
• Merge pull request #94 from amatsuda/exclude_specs_from_gem_package
• Merge pull request #93 from MatzFan/ignore_keys_fix
• Exclude spec files from gem package
• fix #88 bug in ignore_keys option
• Merge pull request #91 from nishidayuya/chore_follow_rubocop_changes
• chore: migrate from Metrics/LineLength to Layout/LineLength
• chore: follow rubocop changes
• Merge pull request #90 from nishidayuya/ci_add_github_actions_workflow
• docs: fix repository path to original repository owner
• docs: add badge for GitHub Actions
• ci: add GitHub Actions workflow
• Merge pull request #89 from IvanVIII/master
• Update changelog.md
• Update version number in spec to v1.1.0
• Bump version to v1.1.0
• Merge pull request #87 from MatzFan/ignore_keys
• add README suggestion re custom comparison
• add ignore_keys options, fixes #86

↗️ public_suffix (indirect, 5.0.1 → 6.0.2) · Repo · Changelog

Release Notes

6.0.2 (from changelog)

Changed

• Updated definitions.

6.0.1 (from changelog)

Changed

• Updated definitions.

6.0.0 (from changelog)

Same as 5.1.0. Re-releasing as a major version change due to a major ruby version requirement change.

Changed

• Updated definitions.
• Minimum Ruby version is 3.0

5.1.1 (from changelog)

No significant changes. Releasing a mini version to address 5.1.0 release with major ruby requirement change (GH-315).

5.1.0 (from changelog)

Changed

• Updated definitions.
• Minimum Ruby version is 3.0

5.0.5 (from changelog)

Changed

• Updated definitions.

5.0.4 (from changelog)

Changed

• Reduced .gem file size (GH-259). [Thanks @ybiquitous]
• Updated definitions.

5.0.3 (from changelog)

Fixed

• Fixed automated release workflow.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rexml (indirect, 3.3.9 → 3.4.4) · Repo · Changelog

Security Advisories 🚨

🚨 REXML has DoS condition when parsing malformed XML file

Impact

The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations.
If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

Patches

REXML gems 3.4.2 or later include the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

• https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767/ : An announcement on www.ruby-lang.org

Release Notes

3.4.4

Improvement

• Accept REXML::Document.new("") for backward compatibility
  • GH-296
  • GH-295
  • Patch by NAITOH Jun
  • Reported by Joe Rafaniello

Thanks

• NAITOH Jun

• Joe Rafaniello

3.4.3

Improvement

• Reject no root element XML as an invalid XML
  • GH-289
  • GH-291
  • Patch by NAITOH Jun
  • Reported by Sutou Kouhei

Fixes

• Fixed an issue with IOSource#read_until when reaching the end of a file
  • GH-287
  • GH-288
  • Patch by NAITOH Jun
  • Reported by Jason Thomas

Thanks

• NAITOH Jun

• Sutou Kouhei

• Jason Thomas

3.4.2

Improvement

• Improved performance.

  • GH-244
  • GH-245
  • GH-246
  • GH-249
  • GH-256
  • Patch by NAITOH Jun

• Raise appropriate exception when failing to match start tag in DOCTYPE

  • GH-247
  • Patch by NAITOH Jun

• Deprecate accepting array as an element in XPath.match, first and each

  • GH-252
  • Patch by tomoya ishida

• Don't call needless encoding_updated

  • GH-259
  • Patch by Sutou Kouhei

• Reuse XPath::match

  • GH-263
  • Patch by pboling

• Cache redundant calls for doctype

  • GH-264
  • Patch by pboling

• Use Safe Navigation (&.) from Ruby 2.3

  • GH-265
  • Patch by pboling

• Remove redundant return statements

  • GH-266
  • Patch by pboling

• Added XML declaration check & Source#skip_spaces method

  • GH-282
  • Patch by NAITOH Jun
  • Reported by Sofi Aberegg

Fixes

• Fix docs typo

  • GH-248
  • Patch by James Coleman

• Fix reverse sort in xpath_parser

  • GH-251
  • Patch by tomoya ishida

• Fix duplicate responses in XPath following, following-sibling, preceding, preceding-sibling

  • GH-255
  • Patch by NAITOH Jun

• Fix wrong Encoding resolution

  • GH-258
  • Patch by Sutou Kouhei

• Handle nil when parsing fragment

  • GH-267
  • GH-268
  • Patch by pboling

• [Documentation] Use # to reference instance methods

  • GH-269
  • GH-270
  • Patch by pboling

• Fix & Deprecate REXML::Text#text_indent

  • GH-273
  • GH-275
  • Patch by pboling

• remove bundler from dev deps

  • GH-276
  • GH-277
  • Patch by pboling

• remove ostruct from dev deps

  • GH-280
  • GH-281
  • Patch by pboling

Thanks

• NAITOH Jun

• tomoya ishida

• James Coleman

• pboling

• Sutou Kouhei

• Sofi Aberegg

3.4.1

Improvement

• Improved performance.
  • GH-226
  • GH-227
  • GH-237
  • Patch by NAITOH Jun

Fixes

• Fix serialization of ATTLIST is incorrect
  • GH-233
  • GH-234
  • Patch by OlofKalufs
  • Reported by OlofKalufs

Thanks

• NAITOH Jun

• OlofKalufs

3.4.0

Improvement

• Improved performance.

  • GH-216
  • Patch by NAITOH Jun

• JRuby: Improved parse performance.

  • GH-219
  • Patch by João Duarte

• Added support for reusing pull parser.

  • GH-214
  • GH-220
  • Patch by Dmitry Pogrebnoy

• Improved error handling when source is IO.

  • GH-221
  • Patch by NAITOH Jun

Thanks

• NAITOH Jun

• João Duarte

• Dmitry Pogrebnoy

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 53 commits:

• Add 3.4.4 entry (#297)
• Accept `REXML::Document.new("")` for backward compatibility (#295)
• Bump version
• Add 3.4.3 entry (#293)
• Reject no root element XML as an invalid XML (#291)
• The Zlib::GzipReader in JRuby does not behave as expected with REXML, so the test is skipped (#292)
• Fixed an issue with `IOSource#read_until` when reaching the end of a file (#288)
• Bump version
• Add 3.4.2 entry (#284)
• Added XML declaration check & `Source#skip_spaces` method (#282)
• Bump actions/checkout from 4 to 5 (#283)
• Remove ostruct from dev deps (#281)
• Remove bundler from dev deps (#277)
• Fix & Deprecate REXML::Text#text_indent (#275)
• Fix a bug that XPath can't be used for no document element (#268)
• Remove redundant return statements (#266)
• Use Safe Navigation (&.) from Ruby 2.3 (#265)
• Avoid redundant calls for doctype (#264)
• docs: Use # to reference instance methods (#270)
• Reuse XPath.match (#263)
• Don't call needless encoding_updated (#259)
• Fix wrong Encoding resolution (#258)
• Improve `Text.check` performance (#256)
• Improve using `//` in XPath performance (#249)
• Deprecate accepting array as an element in XPath.match, first and each (#252)
• Fix duplicate responses in XPath following, following-sibling, preceding, preceding-sibling (#255)
• Fix reverse sort in xpath_parser (#251)
• NEWS.md : Fix the mentioned of the PR in CVE-2024-35176. (#253)
• Fix docs typo in code example (#248)
• Raise appropriate exception when failing to match start tag in DOCTYPE (#247)
• Improve CDATA and comment parse performance (#246)
• Improve comment parse performance (#245)
• Improve CDATA parse performance (#244)
• Bump version
• Add 3.4.1 entry (#239)
• Reduced regular expression processing in the form of processing white space first (#237)
• Changed benchmark target to Ruby latest (#236)
• Fix serialization of ATTLIST is incorrect (#234)
• Added rdoc as a development dependency (for Ruby 3.5+) (#235)
• Use `StringScanner#peek_byte` to get double or single quotation mark (#227)
• Optimize `IOSource#read_until` method by using `StringScanner#check_until(string)` (#226)
• Bump version
• Add 3.4.0 entry
• release: use Trusted Publishing
• Remove old code for Ruby 1.8 (#223)
• test: Fix NameError: uninitialized constant REXML::Parsers::PullParser (#222)
• Fix error handling when parsing XML via IO.pipe (#221)
• parser pull: Add support for reusing parser (#220)
• Stop requiring stringio dynamically (#219)
• Clarify variable name (#218)
• Add `IOSource#match?` method (#216)
• test jruby: omit fragile test
• Bump version

🆕 bigdecimal (added, 3.3.1)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[coveralls]

coverage: 100.0%. remained the same
when pulling 2cd56a4 on depfu/update/webmock-3.25.2
into e97f939 on master.

[coveralls]

coverage: 100.0%. remained the same
when pulling 2cd56a4 on depfu/update/webmock-3.25.2
into e97f939 on master.