Bump the bundler group across 4 directories with 9 updates #16

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/bundler/docs/bundler-5871c8a5b9

@dependabot dependabot Bot commented on behalf of github Apr 2, 2026

Bumps the bundler group with 3 updates in the /docs directory: activesupport, nokogiri and faraday.
Bumps the bundler group with 1 update in the /gemfiles/rails_61 directory: devise.
Bumps the bundler group with 1 update in the /gemfiles/rails_70 directory: devise.
Bumps the bundler group with 1 update in the /gemfiles/rails_71 directory: devise.

Updates activesupport from 7.2.1 to 7.2.3.1

Release notes

Sourced from activesupport's releases.

7.2.3.1

Active Support

  • Reject scientific notation in NumberConverter

    [CVE-2026-33176]

    Jean Boussier

  • Fix SafeBuffer#% to preserve unsafe status

    [CVE-2026-33170]

    Jean Boussier

  • Improve performance of NumberToDelimitedConverter

    [CVE-2026-33169]

    Jean Boussier

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • Skip blank attribute names in tag helpers to avoid generating invalid HTML.

    [CVE-2026-33168]

    Mike Dalessio

Action Pack

  • No changes.

Active Job

  • No changes.

... (truncated)

Commits
  • ba76fca Preparing for 7.2.3.1 release
  • 8a379f4 Update changelog
  • b54a4b3 Improve performance of NumberToDelimitedConverter
  • c1ad0e8 Fix SafeBuffer#% to preserve unsafe status
  • ebd6be1 NumberConverter: reject scientific notation
  • 4a155f1 Lock some dependencies
  • bb2bdef Preparing for 7.2.3 release
  • fe41a9f Merge pull request #55840 from zzak/asup-xml-mini-bigdecimal-float-precision
  • 12040a3 Merge pull request #55808 from olivier-thatch/fix-enum-sole
  • 58630e1 Merge pull request #55794 from rails/fix-55513
  • Additional commits viewable in compare view

Updates nokogiri from 1.16.7 to 1.19.1

Release notes

Sourced from nokogiri's releases.

v1.19.1 / 2026-02-16

Security

v1.19.0 / 2025-12-28

Ruby

This release is focused on changes to Ruby version support, and is otherwise functionally identical to v1.18.10.

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.19.1 / 2026-02-16

Security

v1.19.0 / 2025-12-28

Ruby

This release is focused on changes to Ruby version support, and is otherwise functionally identical to v1.18.10.

v1.18.10 / 2025-09-15

Dependencies

  • [CRuby] Vendored libxml2 is updated to v2.13.9. Note that the security fixes published in v2.13.9 were already present in Nokogiri v1.18.9.
  • [CRuby] [Windows and MacOS] Vendored libiconv is updated to v1.18

v1.18.9 / 2025-07-20

Security

v1.18.8 / 2025-04-21

Security

v1.18.7 / 2025-03-31

Dependencies

  • [CRuby] Vendored libxml2 is updated to v2.13.7, which is a bugfix release.

v1.18.6 / 2025-03-24

Fixed

... (truncated)

Commits
  • d913045 version bump to v1.19.1
  • b81cb98 doc: update CHANGELOG for upcoming v1.19.1
  • 8e66809 C14n raise on failure (#3600)
  • 5b77f3d Raise RuntimeError when canonicalization fails
  • edc5595 Thank sponsors in the README
  • d4dc245 dep: update rdoc to v7
  • d77bfb6 version bump to v1.19.0
  • 1eb5c2c dev: convert scripts/test-gem-set to use mise
  • 88a120f dep: Add native Ruby 4 support, drop Ruby 3.1 support (v1.19.x) (#3592)
  • f8c8f74 Skip the parser compression test for Windows system libs
  • Additional commits viewable in compare view

Updates faraday from 2.10.1 to 2.14.1

Release notes

Sourced from faraday's releases.

v2.14.1

Security Note

This release contains a security fix; we recommend that all users upgrade as soon as possible. A Security Advisory with more details will be posted shortly.

What's Changed

New Contributors

Full Changelog: lostisland/faraday@v2.14.0...v2.14.1

v2.14.0

What's Changed

New features ✨

Fixes 🐞

Misc/Docs 📄

New Contributors

Full Changelog: lostisland/faraday@v2.13.4...v2.14.0

v2.13.4

What's Changed

Full Changelog: lostisland/faraday@v2.13.3...v2.13.4

v2.13.3

What's Changed

... (truncated)

Commits
  • 16cbd38 Version bump to 2.14.1
  • a6d3a3a Merge commit from fork
  • b23f710 Explicit top-level namespace reference (#1657)
  • 49ba4ac Bump actions/checkout from 5 to 6 (#1655)
  • 51a49bc Ensure Claude reads the guidelines and allow to plan in a gitignored .ai/PLAN...
  • 894f65c Add RFC document for Options architecture refactoring plan (#1644)
  • 397e3de Add comprehensive AI agent guidelines for Claude, Cursor, and GitHub Copilot ...
  • d98c65c Update Faraday-specific AI agent guidelines
  • 56c18ec Add AI agent guidelines specific to Faraday repository
  • 3201a42 Version bump to 2.14.0
  • Additional commits viewable in compare view

Updates uri from 0.13.0 to 1.1.1

Release notes

Sourced from uri's releases.

v1.1.1

What's Changed

New Contributors

Full Changelog: ruby/uri@v1.1.0...v1.1.1

v1.1.0

What's Changed

New Contributors

Full Changelog: ruby/uri@v1.0.4...v1.1.0

v1.0.4

Security fixes

... (truncated)

Commits
  • f1b05c8 v1.1.1
  • 8557e8d Merge pull request #189 from osyoyu/restore-whatwg-email-regexp
  • c551d70 Re-allow consecutive, leading and trailing dots in EMAIL_REGEXP
  • c41903b v1.1.0
  • b433f34 Merge pull request #187 from ruby/switch-version-code
  • 1fc4f04 Use generic version number to VERSION and generate VERSION_CODE from that
  • e830680 Exclude dependabot updates from release note
  • 70d245f Merge pull request #130 from soda92/improve-error-message
  • d629c8c Merge pull request #161 from y-yagi/fix_changing_parser
  • fec6733 Merge pull request #166 from vivshaw/vivshaw/correct-obsolete-parse
  • Additional commits viewable in compare view

Updates devise from 4.9.4 to 5.0.3

Release notes

Sourced from devise's releases.

v5.0.3

https://github.com/heartcombo/devise/blob/v5.0.3/CHANGELOG.md#503---2026-03-16

v5.0.2

https://github.com/heartcombo/devise/blob/v5.0.2/CHANGELOG.md#502---2026-02-18

v5.0.1

https://github.com/heartcombo/devise/blob/v5.0.1/CHANGELOG.md#501---2026-02-13

v5.0.0

https://github.com/heartcombo/devise/blob/v5.0.0/CHANGELOG.md#500---2026-01-23

v5.0.0.rc

https://github.com/heartcombo/devise/blob/v5.0.0.rc/CHANGELOG.md#500rc---2025-12-31

Changelog

Sourced from devise's changelog.

5.0.3 - 2026-03-16

  • security fixes
    • Fix race condition vulnerability on confirmable "change email" which would allow confirming an email they don't own CVE-2026-32700 #5783 #5784

5.0.2 - 2026-02-18

  • enhancements
    • Allow resource class scopes to override the global configuration for sign_in_after_change_password behaviour. #5825
      • Note: some users ran into an issue with this change because RegistrationsController now relies on a setting from the :registerable module. These users were configuring their own routes pointing to the RegistrationsController for resource edit/update actions mostly, without relying on the other registration actions (e.g. user sign up.), so they omitted :registerable from the model declaration. While using just a portion of the controller functionality is a valid use for :registerable (or any module really), the module must still be declared in the model, much like the other modules must be declared if you plan on using just a portion of their behavior. Please check this issue for more info.
    • Add sign_in_after_reset_password? check hook to passwords controller, to allow it to be customized by users. #5826

5.0.1 - 2026-02-13

  • bug fixes
    • Fix translation issue with German E-Mail on invalid authentication messages caused by previous fix for incorrect grammar #5822

5.0.0 - 2026-01-23

no changes

5.0.0.rc - 2025-12-31

  • breaking changes

    • Drop support to Ruby < 2.7

    • Drop support to Rails < 7.0

    • Remove deprecated :bypass option from sign_in helper, use bypass_sign_in instead. #5803

    • Remove deprecated devise_error_messages! helper, use render "devise/shared/error_messages", resource: resource instead. #5803

    • Remove deprecated scope second argument from sign_in(resource, :admin) controller test helper, use sign_in(resource, scope: :admin) instead. #5803

    • Remove deprecated Devise::TestHelpers, use Devise::Test::ControllerHelpers instead. #5803

    • Remove deprecated Devise::Models::Authenticatable::BLACKLIST_FOR_SERIALIZATION #5598

    • Remove deprecated Devise.activerecord51? method.

    • Remove SecretKeyFinder and use app.secret_key_base as the default secret key for Devise.secret_key if a custom Devise.secret_key is not provided.

      This is potentially a breaking change because Devise previously used the following order to find a secret key:

      app.credentials.secret_key_base > app.secrets.secret_key_base > application.config.secret_key_base > application.secret_key_base
      

      Now, it always uses application.secret_key_base. Make sure you're using the same secret key after the upgrade; otherwise, previously generated tokens for recoverable, lockable, and confirmable will be invalid. #5645

    • Change password instructions button label on devise view from Send me reset password instructions to Send me password reset instructions #5515

    • Change <br> tags separating form elements to wrapping them in <p> tags #5494

    • Replace [data-turbo-cache=false] with [data-turbo-temporary] on devise/shared/error_messages partial. This has been deprecated by Turbo since v7.3.0 (released on Mar 1, 2023).

      If you are using an older version of Turbo and the default devise template, you'll need to copy it over to your app and change that back to [data-turbo-cache=false].

  • enhancements

    • Add Rails 8 support.

... (truncated)

Commits
  • 2f80920 Release v5.0.3
  • 5334707 Add CVE to changelog [ci skip]
  • 0252777 Fix race condition vulnerability, by ensuring the unconfirmed_email is alwa...
  • 879f79f Bundle update
  • 0f4493b Configure default permissions as read-only for the workflow
  • 8c78576 Ignore test/** folder for GH default code scanning
  • c9e655e Bundle update, clear dependabot security issues
  • 3fd0610 Add a note to the changelog about an edge case issue some users ran into
  • 5b008ed Release v5.0.2
  • 916f94e Add sign_in_after_reset_password? check hook to passwords controller (#5826)
  • Additional commits viewable in compare view

Updates actionview from 6.1.7.8 to 8.1.3

Release notes

Sourced from actionview's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before:

    hash = {CustomKey.new(123) => "value"}
    hash.to_json # => {"{:id=>123}":"value"}

    After:

    hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Changelog

Sourced from actionview's changelog.

Rails 8.1.3 (March 24, 2026)

  • Fix encoding errors for string locals containing non-ASCII characters.

    Kataoka Katsuki

  • Fix collection caching to only forward expires_in argument if explicitly set.

    Pieter Visser

Rails 8.1.2.1 (March 23, 2026)

  • Fix possible XSS in DebugExceptions middleware

    [CVE-2026-33167]

    John Hawthorn

  • Skip blank attribute names in tag helpers to avoid generating invalid HTML.

    [CVE-2026-33168]

    Mike Dalessio

Rails 8.1.2 (January 08, 2026)

  • Fix file_field to join mime types with a comma when provided as Array

    file_field(:article, :image, accept: ['image/png', 'image/gif', 'image/jpeg'])

    Now behaves like:

    file_field(:article, :image, accept: 'image/png,image/gif,image/jpeg')
    

    Bogdan Gusiev

  • Fix strict locals parsing to handle multiline definitions.

    Said Kaldybaev

  • Fix content_security_policy_nonce error in mailers when using content_security_policy_nonce_auto setting.

    The content_security_policy_nonce helper is provided by ActionController::ContentSecurityPolicy, and it relies on request.content_security_policy_nonce. Mailers lack both the module and the request object.

    Jarrett Lusso

... (truncated)

Commits
  • fa8f081 Preparing for 8.1.3 release
  • 63cef3d Merge branch '8-1-sec' into 8-1-stable
  • 1db4b89 Preparing for 8.1.2.1 release
  • 1c7d1cf Update changelog
  • e91694b Update CHANGELOG (8.1 only)
  • 63f5ad8 Skip blank attribute names in Action View tag helpers
  • e598b94 Merge pull request #56906 from kataokatsuki/fix-strict-locals-non-ascii-encoding
  • c2ea79c Merge pull request #56891 from pietervisser/fix-collection-caching-to-preserv...
  • d7c8ae6 Preparing for 8.1.2 release
  • 27aa94f Merge pull request #56389 from bogdan/semantic-file-input-accept
  • Additional commits viewable in compare view

Updates activestorage from 6.1.7.8 to 8.1.3

Release notes

Sourced from activestorage's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before:

    hash = {CustomKey.new(123) => "value"}
    hash.to_json # => {"{:id=>123}":"value"}

    After:

    hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Changelog

Sourced from activestorage's changelog.

Rails 8.1.3 (March 24, 2026)

  • Fix ActiveStorage::Blob content type predicate methods to handle nil.

    Daichi KUDO

Rails 8.1.2.1 (March 23, 2026)

  • Filter user supplied metadata in DirectUploadController

    [CVE-2026-33173]

    Jean Boussier

  • Configurable maximum streaming chunk size

    Makes sure that byte ranges for blobs don't exceed 100mb by default. Content ranges that are too big can result in denial of service.

    [CVE-2026-33174]

    Gannon McGibbon

  • Limit range requests to a single range

    [CVE-2026-33658]

    Jean Boussier

  • Prevent path traversal in DiskService.

    DiskService#path_for now raises an InvalidKeyError when passed keys with dot segments (".", ".."), or if the resolved path is outside the storage root directory.

    #path_for also now consistently raises InvalidKeyError if the key is invalid in any way, for example containing null bytes or having an incompatible encoding. Previously, the exception raised may have been ArgumentError or Encoding::CompatibilityError.

    DiskController now explicitly rescues InvalidKeyError with appropriate HTTP status codes.

    [CVE-2026-33195]

    Mike Dalessio

  • Prevent glob injection in DiskService#delete_prefixed.

    Escape glob metacharacters in the resolved path before passing to Dir.glob.

... (truncated)

Commits
  • fa8f081 Preparing for 8.1.3 release
  • 63cef3d Merge branch '8-1-sec' into 8-1-stable
  • 1db4b89 Preparing for 8.1.2.1 release
  • 1c7d1cf Update changelog
  • 8c9676b Prevent glob injection in ActiveStorage DiskService#delete_prefixed
  • 9b06fbc Prevent path traversal in ActiveStorage DiskService
  • d9502f5 Active Storage: Filter user supplied metadata in DirectUploadController
  • 85ec5b1 ActiveStorage::Streaming limit range requests to a single range
  • 42012ea Configurable maxmimum streaming chunk size
  • 064cea7 Merge pull request #56783 from kudoas/fix-activestorage-blob-content-type-nil
  • Additional commits viewable in compare view

Updates activesupport from 6.1.7.8 to 8.1.3

Release notes

Sourced from activesupport's releases.

7.2.3.1

Active Support

  • Reject scientific notation in NumberConverter

    [CVE-2026-33176]

    Jean Boussier

  • Fix SafeBuffer#% to preserve unsafe status

    [CVE-2026-33170]

    Jean Boussier

  • Improve performance of NumberToDelimitedConverter

    [CVE-2026-33169]

    Jean Boussier

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • Skip blank attribute names in tag helpers to avoid generating invalid HTML.

    [CVE-2026-33168]

    Mike Dalessio

Action Pack

  • No changes.

Active Job

  • No changes.

... (truncated)

Commits
  • ba76fca Preparing for 7.2.3.1 release
  • 8a379f4 Update changelog
  • b54a4b3 Improve performance of NumberToDelimitedConverter
  • c1ad0e8 Fix SafeBuffer#% to preserve unsafe status
  • ebd6be1 NumberConverter: reject scientific notation
  • 4a155f1 Lock some dependencies
  • bb2bdef Preparing for 7.2.3 release
  • fe41a9f Merge pull request #55840 from zzak/asup-xml-mini-bigdecimal-float-precision
  • 12040a3 Merge pull request #55808 from olivier-thatch/fix-enum-sole
  • 58630e1 Merge pull request #55794 from rails/fix-55513
  • Additional commits viewable in compare view

Updates bcrypt from 3.1.20 to 3.1.22

Release notes

Sourced from bcrypt's releases.

v3.1.22

What's Changed

Full Changelog: bcrypt-ruby/bcrypt-ruby@v3.1.21...v3.1.22

v3.1.21

What's Changed

New Contributors

Full Changelog: bcrypt-ruby/bcrypt-ruby@v3.1.20...v3.1.21

Changelog

Sourced from bcrypt's changelog.

3.1.22 Mar 18 2026

3.1.21 Dec 31 2025

  • Use constant time comparisons
  • Mark as Ractor safe

Commits
  • 831ce64 Merge commit from fork
  • 32e687e bump version update changelog
  • 5faa274 Fix integer overflow in JRuby BCrypt rounds calculation
  • aafc033 Merge pull request #294 from bcrypt-ruby/fix-publishing
  • 01f947a fix env url
  • 92ca1d6 Merge pull request #293 from bcrypt-ruby/truffleruby-ci-alt-implementation
  • 4d1d95b Add TruffleRuby in CI
  • 36a04a2 Merge pull request #291 from tenderlove/fix-publishing
  • 01cc688 Move compilation after bundle install
  • 82e6c4c Merge pull request #290 from tenderlove/bump
  • Additional commits viewable in compare view

Updates nokogiri from 1.16.7 to 1.19.2

Release notes

Sourced from nokogiri's releases.

v1.19.1 / 2026-02-16

Security

v1.19.0 / 2025-12-28

Ruby

This release is focused on changes to Ruby version support, and is otherwise functionally identical to v1.18.10.

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.19.1 / 2026-02-16

Security

v1.19.0 / 2025-12-28

Ruby

This release is focused on changes to Ruby version support, and is otherwise functionally identical to v1.18.10.

v1.18.10 / 2025-09-15

Dependencies

  • [CRuby] Vendored libxml2 is updated to v2.13.9. Note that the security fixes published in v2.13.9 were already present in Nokogiri v1.18.9.
  • [CRuby] [Windows and MacOS] Vendored libiconv is updated to v1.18

v1.18.9 / 2025-07-20

Security

v1.18.8 / 2025-04-21

Security

v1.18.7 / 2025-03-31

Dependencies

  • [CRuby] Vendored libxml2 is updated to v2.13.7, which is a bugfix release.

v1.18.6 / 2025-03-24

Fixed

... (truncated)

Commits

Bumps the bundler group with 3 updates in the /docs directory: [activesupport](https://github.com/rails/rails), [nokogiri](https://github.com/sparklemotion/nokogiri) and [faraday](https://github.com/lostisland/faraday).
Bumps the bundler group with 1 update in the /gemfiles/rails_61 directory: [devise](https://github.com/heartcombo/devise).
Bumps the bundler group with 1 update in the /gemfiles/rails_70 directory: [devise](https://github.com/heartcombo/devise).
Bumps the bundler group with 1 update in the /gemfiles/rails_71 directory: [devise](https://github.com/heartcombo/devise).


Updates `activesupport` from 7.2.1 to 7.2.3.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activesupport/CHANGELOG.md)
- [Commits](rails/rails@v7.2.1...v7.2.3.1)

Updates `nokogiri` from 1.16.7 to 1.19.1
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.16.7...v1.19.1)

Updates `faraday` from 2.10.1 to 2.14.1
- [Release notes](https://github.com/lostisland/faraday/releases)
- [Changelog](https://github.com/lostisland/faraday/blob/main/CHANGELOG.md)
- [Commits](lostisland/faraday@v2.10.1...v2.14.1)

Updates `uri` from 0.13.0 to 1.1.1
- [Release notes](https://github.com/ruby/uri/releases)
- [Commits](ruby/uri@v0.13.0...v1.1.1)

Updates `devise` from 4.9.4 to 5.0.3
- [Release notes](https://github.com/heartcombo/devise/releases)
- [Changelog](https://github.com/heartcombo/devise/blob/main/CHANGELOG.md)
- [Commits](heartcombo/devise@v4.9.4...v5.0.3)

Updates `actionview` from 6.1.7.8 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/actionview/CHANGELOG.md)
- [Commits](rails/rails@v6.1.7.8...v8.1.3)

Updates `activestorage` from 6.1.7.8 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activestorage/CHANGELOG.md)
- [Commits](rails/rails@v6.1.7.8...v8.1.3)

Updates `activesupport` from 6.1.7.8 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activesupport/CHANGELOG.md)
- [Commits](rails/rails@v7.2.1...v7.2.3.1)

Updates `bcrypt` from 3.1.20 to 3.1.22
- [Release notes](https://github.com/bcrypt-ruby/bcrypt-ruby/releases)
- [Changelog](https://github.com/bcrypt-ruby/bcrypt-ruby/blob/master/CHANGELOG)
- [Commits](bcrypt-ruby/bcrypt-ruby@v3.1.20...v3.1.22)

Updates `nokogiri` from 1.16.7 to 1.19.2
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.16.7...v1.19.1)

Updates `rack` from 2.2.9 to 3.2.6
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@v2.2.9...v3.2.6)

Updates `devise` from 4.9.4 to 5.0.3
- [Release notes](https://github.com/heartcombo/devise/releases)
- [Changelog](https://github.com/heartcombo/devise/blob/main/CHANGELOG.md)
- [Commits](heartcombo/devise@v4.9.4...v5.0.3)

Updates `bcrypt` from 3.1.20 to 3.1.22
- [Release notes](https://github.com/bcrypt-ruby/bcrypt-ruby/releases)
- [Changelog](https://github.com/bcrypt-ruby/bcrypt-ruby/blob/master/CHANGELOG)
- [Commits](bcrypt-ruby/bcrypt-ruby@v3.1.20...v3.1.22)

Updates `nokogiri` from 1.16.7 to 1.19.2
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.16.7...v1.19.1)

Updates `rack` from 2.2.9 to 2.2.23
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@v2.2.9...v3.2.6)

Updates `devise` from 4.9.4 to 5.0.3
- [Release notes](https://github.com/heartcombo/devise/releases)
- [Changelog](https://github.com/heartcombo/devise/blob/main/CHANGELOG.md)
- [Commits](heartcombo/devise@v4.9.4...v5.0.3)

Updates `bcrypt` from 3.1.20 to 3.1.22
- [Release notes](https://github.com/bcrypt-ruby/bcrypt-ruby/releases)
- [Changelog](https://github.com/bcrypt-ruby/bcrypt-ruby/blob/master/CHANGELOG)
- [Commits](bcrypt-ruby/bcrypt-ruby@v3.1.20...v3.1.22)

Updates `nokogiri` from 1.16.7 to 1.19.2
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.16.7...v1.19.1)

Updates `rack` from 3.1.7 to 3.2.6
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@v2.2.9...v3.2.6)

---
updated-dependencies:
- dependency-name: activesupport
  dependency-version: 7.2.3.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: nokogiri
  dependency-version: 1.19.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: faraday
  dependency-version: 2.14.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: uri
  dependency-version: 1.1.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: devise
  dependency-version: 5.0.3
  dependency-type: direct:development
  dependency-group: bundler
- dependency-name: actionview
  dependency-version: 8.1.3
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: activestorage
  dependency-version: 8.1.3
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: activesupport
  dependency-version: 8.1.3
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: bcrypt
  dependency-version: 3.1.22
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: nokogiri
  dependency-version: 1.19.2
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rack
  dependency-version: 3.2.6
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: devise
  dependency-version: 5.0.3
  dependency-type: direct:development
  dependency-group: bundler
- dependency-name: bcrypt
  dependency-version: 3.1.22
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: nokogiri
  dependency-version: 1.19.2
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rack
  dependency-version: 2.2.23
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: devise
  dependency-version: 5.0.3
  dependency-type: direct:development
  dependency-group: bundler
- dependency-name: bcrypt
  dependency-version: 3.1.22
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: nokogiri
  dependency-version: 1.19.2
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rack
  dependency-version: 3.2.6
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and ruby (Pull requests that update Ruby code) labels Apr 2, 2026