🚨 [security] Update clerk-sdk-ruby 3.3.0 → 5.0.0 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ clerk-sdk-ruby (3.3.0 → 5.0.0) · Repo · Changelog

Release Notes

5.0.0

Generated by Speakeasy CLI

2026-01-30 16:09:52

Changes

Based on:

• OpenAPI Doc 2025-11-10
• Speakeasy CLI 1.700.2 (2.801.2) https://github.com/speakeasy-api/speakeasy

Generated

• [ruby v5.0.0] .

Releases

• [Ruby Gems v5.0.0] https://rubygems.org/gems/clerk-sdk-ruby/versions/5.0.0 - .

Publishing Completed

4.2.1 (from changelog)

• fix: Return only lowercase headers (Rack::Lint) [#97]

4.2.0

What's Changed

• feat: Enable older versions of Rack by @tmilewski in #95
• fix: Resilient v2 org claims by @tmilewski in #94
• feat: Handle lowercase headers explicitly by @tmilewski in #93

Full Changelog: v4.1.0...v4.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ faraday (2.12.2 → 2.14.0) · Repo · Changelog

Release Notes

2.14.0

What's Changed

New features ✨

• Use newer UnprocessableContent naming for 422 by @tylerhunt in #1638

Fixes 🐞

• Convert strings to UTF-8 by @c960657 in #1624
• Fix Response#to_hash when response not finished yet by @yykamei in #1639

Misc/Docs 📄

• Lint: use filter_map by @olleolleolle in #1637
• Bump actions/checkout from v4 to v5 by @dependabot[bot] in #1636
• Fixes documentation by @dharamgollapudi in #1635

New Contributors

• @c960657 made their first contribution in #1624
• @dharamgollapudi made their first contribution in #1635
• @tylerhunt made their first contribution in #1638

Full Changelog: v2.13.4...v2.14.0

2.13.4

What's Changed

• Improve error handling logic and add missing test coverage by @iMacTia in #1633

Full Changelog: v2.13.3...v2.13.4

2.13.3

What's Changed

• Fix type assumption in Faraday::Error by @iMacTia in #1630

Full Changelog: v2.13.2...v2.13.3

2.13.2

What's Changed

• CI against Ruby 3.4 by @Earlopain in #1622
• Only load what is required from cgi by @Earlopain in #1623
• Lint rack_builder.rb: avoid naming a method by @olleolleolle in #1626
• Add migrating from rest-client docs section. by @simi in #1625
• Include HTTP method and URL in Faraday::Error messages for improved exception log transparency by @nielsbuus in #1628

New Contributors

• @simi made their first contribution in #1625
• @nielsbuus made their first contribution in #1628

Full Changelog: v2.13.1...v2.13.2

2.13.1

What's Changed

• Logger middleware default options by @yenshirak in #1618
• Fix Style/RedundantParentheses in options/env.rb by @iMacTia in #1620

New Contributors

• @yenshirak made their first contribution in #1618

Full Changelog: v2.13.0...v2.13.1

2.13.0

What's Changed

• feat(ssl options): support SNI hostname by @bf4 in #1615

New Contributors

• @bf4 made their first contribution in #1615

Full Changelog: v2.12.3...v2.13.0

2.12.3

What's Changed

• Remove ruby2_keywords by @tisba in #1616
• Fix thread safety issue by avoiding mutation of proxy options hash by @QWYNG in #1617

New Contributors

• @QWYNG made their first contribution in #1617

Full Changelog: v2.12.2...v2.12.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 26 commits:

• Version bump to 2.14.0
• Fix `Faraday::Response#to_hash` when request is not finished yet (#1639)
• Use newer Unprocessable Content naming for 422 (#1638)
• Fixes typo (#1635)
• Convert strings to UTF-8 (#1624)
• Bump actions/checkout from 4 to 5 (#1636)
• Lint: use filter_map (#1637)
• Version bump to 2.13.4
• Improve error handling logic and add missing test coverage (#1633)
• Version bump to 2.13.3
• Fix type assumption in `Faraday::Error` (#1630)
• Version bump to 2.13.2
• Include HTTP method and URL in Faraday::Error messages for improved exception log transparency (#1628)
• CONTRIBUTING: update socials links to Mastodon
• Add migrating from rest-client docs section. (#1625)
• Lint rack_builder.rb: avoid naming a method (#1626)
• Only load what is required from `cgi` (#1623)
• CI against Ruby 3.4
• Version bump to 2.13.1
• Fix Style/RedundantParentheses in options/env.rb (#1620)
• Logger middleware default options (#1618)
• Version bump to 2.13.0
• feat(ssl options): support SNI hostname (#1615)
• Version bump to 2.12.3
• Fix thread safety issue by avoiding mutation of proxy options hash (#1617)
• removes ruby2_keywords usage

↗️ concurrent-ruby (indirect, 1.3.5 → 1.3.6) · Repo · Changelog

Release Notes

1.3.6

What's Changed

• Run tests without the C extension in CI by @eregon in #1081
• Fix typo in Promise docs by @danieldiekmeier in #1083
• Correct word in readme by @wwahammy in #1084
• Fix mistakes in MVar documentation by @trinistr in #1087
• Fix multi require concurrent/executor/cached_thread_pool by @OuYangJinTing in #1085
• Use typed data APIs by @nobu in #1096
• Add Joshua Young to the list of maintainers by @eregon in #1097
• Asynchronous pruning for RubyThreadPoolExecutor by @joshuay03 in #1082
• Mark RubySingleThreadExecutor as a SerialExecutorService by @meineerde in #1070
• Allow TimerTask to be safely restarted after shutdown and avoid duplicate tasks by @bensheldon in #1001
• Flaky test fix: allow ThreadPool to shutdown before asserting completed_task_count by @bensheldon in #1098
• ThreadPoolExecutor#kill will wait_for_termination in JRuby; ensure TimerSet timer thread shuts down cleanly by @bensheldon in #1044

New Contributors

• @danieldiekmeier made their first contribution in #1083
• @wwahammy made their first contribution in #1084
• @trinistr made their first contribution in #1087
• @OuYangJinTing made their first contribution in #1085
• @nobu made their first contribution in #1096
• @joshuay03 made their first contribution in #1082

Full Changelog: v1.3.5...v1.3.6

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 23 commits:

• Release 1.3.6
• Exclude dependabot updates from release notes
• ThreadPoolExecutor `kill` will `wait_for_termination` in JRuby; ensure TimerSet timer thread shuts down cleanly
• Flaky test fix: allow ThreadPool to shutdown before asserting completed_task_count (#1098)
• Allow TimerTask to be safely restarted after shutdown and avoid duplicate tasks (#1001)
• Mark RubySingleThreadExecutor as a SerialExecutorService
• Asynchronous pruning for RubyThreadPoolExecutor (#1082)
• Add Joshua Young to the list of maintainers (#1097)
• Use typed data APIs
• Use stdatomic.h on recent macOS
• Bump actions/checkout from 5 to 6
• Fix multi require concurrent/executor/cached_thread_pool
• Always fail-fast: false in CI
• Avoid creating a Fiber while loading the gem
• Bump actions/checkout from 4 to 5
• Bump actions/upload-pages-artifact from 3 to 4
• Fix mistakes in MVar documentation
• Correct word in readme
• Fix typo
• Add 3.4 in CI
• Run tests without the C extension in CI
• Fix guards in specs using C extension classes
• Document Bundler workaround for releasing

↗️ faraday-net_http (indirect, 3.4.0 → 3.4.2) · Repo · Changelog

Release Notes

3.4.2

What's Changed

• Use more conservative net-http version constraint by @RDeckard in #53

New Contributors

• @RDeckard made their first contribution in #53

Full Changelog: v3.4.1...v3.4.2

3.4.1

What's Changed

• Prepare Trusted Publisher by @djsmentya in #50

New Contributors

• @djsmentya made their first contribution in #50

Full Changelog: v3.4.0...v3.4.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

• Update ci.yml to allow manual runs
• Version bump to 3.4.2
• Use more conservative net-http version constraint (#53)
• Bump actions/checkout from 4 to 5 (#51)
• CI: Fix grammar error in Publish workflow
• CI: Ensure Rake is available in publish action
• v3.4.1
• CI: Add Ruby 3.4 to build matrix
• Use Ruby 3.4.4
• Prepare Trusted Publisher (#50)

↗️ json (indirect, 2.10.2 → 2.18.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ jwt (indirect, 2.10.1 → 2.10.2) · Repo · Changelog

Release Notes

2.10.2

v2.10.2 (2025-06-29)

Full Changelog

Fixes and enhancements:

• Avoid using the same digest across calls in JWT::JWA::Ecdsa and JWT::JWA::Rsa #697

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 4 commits:

• Version 2.10.2 (#703)
• Backport: Avoid using the same digest across calls (#697) (#701)
• Simplify CI on 2.10 branch (#702)
• Fix deprecation messages

↗️ net-http (indirect, 0.6.0 → 0.9.1) · Repo

Release Notes

0.9.1

What's Changed

• Raise Net::OpenTimeout when TCPSocket.open raises IO::TimeoutError. by @shioimm in #263
• Freeze more constants for Ractor compatibility by @rhenium in #256

New Contributors

• @shioimm made their first contribution in #263

Full Changelog: v0.9.0...v0.9.1

0.9.0

What's Changed

• open: Never call Timeout.timeout in rescue clause by @osyoyu in #250
• Fixed by misspell -w -error -source=text by @hsbt in #254
• Check whether TCPSocket#initialize supports open_timeout once and without exceptions by @eregon in #252
• Refactor HTTPS tests by @rhenium in #255

New Contributors

• @eregon made their first contribution in #252

Full Changelog: v0.8.0...v0.9.0

0.8.0

Breaking changes

• Minimum Ruby version raised to 2.7 along with the raise of minimum uri gem version (0.11.1)

What's Changed

• [DOC] Fix too stopped documentations by @nobu in #244
• Replace Timeout.timeout with TCPSocket.open(open_timeout:) when available by @osyoyu in #224
• Replace Ruby 3.5 with Ruby 4.0 by @yahonda in #246
• Fix handling of IPv6 literal hosts in Net::HTTPGenericRequest by @taketo1113 in #237
  • This fixes compatibility issue with uri gem 1.1.0+, which made relevant validations strict.

New Contributors

• @yahonda made their first contribution in #246
• @taketo1113 made their first contribution in #237

Full Changelog: v0.7.0...v0.8.0

0.7.0

What's Changed

• [DOC] Fix broken rdoc-ref links by @st0012 in #199
• Don't double-interrupt the test HTTP server by @headius in #197
• Provide a 'Changelog' link on rubygems.org/gems/net-http by @mark-young-atg in #201
• Freeze some constants to improve Ractor compatibility by @osyoyu in #206
• Don't set content type by default by @hsbt in #207
• Support pretty_print by @nobu in #160
• Add a workflow to sync commits to ruby/ruby by @k0kubun in #230

New Contributors

• @st0012 made their first contribution in #199
• @headius made their first contribution in #197
• @mark-young-atg made their first contribution in #201
• @osyoyu made their first contribution in #206

Full Changelog: v0.6.0...v0.7.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ uri (indirect, 1.0.3 → 1.1.1) · Repo

Security Advisories 🚨

🚨 URI Credential Leakage Bypass over CVE-2025-27221

Impact

In affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials.

When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure.

The vulnerability affects the uri gem bundled with the following Ruby series:

• 0.12.4 and earlier (bundled in Ruby 3.2 series)
• 0.13.2 and earlier (bundled in Ruby 3.3 series)
• 1.0.3 and earlier (bundled in Ruby 3.4 series)

Patches

Upgrade to 0.12.5, 0.13.3 or 1.0.4

References

• https://www.ruby-lang.org/en/news/2025/02/26/security-advisories/
• https://hackerone.com/reports/2957667

Release Notes

1.1.1

What's Changed

• Re-allow consecutive, leading and trailing dots in EMAIL_REGEXP by @osyoyu in #189

New Contributors

• @osyoyu made their first contribution in #189

Full Changelog: v1.1.0...v1.1.1

1.1.0

What's Changed

• Update to use the latest version of setup-ruby and bump up to Ruby 3.4 by @hsbt in #158
• Fix the mention to removed URI.escape/URI::Escape by @y-yagi in #146
• Use a fully qualified name in warning messages by @y-yagi in #150
• Support Ractor#value by @hsbt in #163
• Removed unnecessary workaround by @hsbt in #164
• Escape reserved characters in scheme name by @nobu in #148
• [DOC] State that uri library is needed to call Kernel#URI by @nobu in #167
• Prefer dedicated assertion methods by @nobu in #169
• Fix the message for unexpected argument by @nobu in #171
• Make URI::regexp schemes case sensitive (#38) by @nobu in #170
• The local part should not contain leading or trailing dots in the EMAIL_REGEXP by @nlevchuk in #124
• More checks in EMAIL_REGEXP by @nobu in #172
• Do not allow empty host names, as they are not allowed by RFC 3986 by @jeremyevans in #116
• Improve performance of URI::MailTo::EMAIL_REGEXP by @nobu in #173
• Performance test stability by @nobu in #174
• Update documents that used URI::Parser by @nobu in #175
• Add a workflow to sync commits to ruby/ruby by @k0kubun in #183
• Add irb to the Gemfile to fix the warning by @y-yagi in #182
• Replace reference to the obsolete URI.escape with URI::RFC2396_PARSER.escape by @vivshaw in #166
• Switch a parsing behavior completely when switching a parser by @y-yagi in #161
• improve error message by @soda92 in #130
• Use generic version number to VERSION by @hsbt in #187

New Contributors

• @y-yagi made their first contribution in #146
• @nlevchuk made their first contribution in #124
• @vivshaw made their first contribution in #166
• @soda92 made their first contribution in #130

Full Changelog: v1.0.4...v1.1.0

1.0.4

Security fixes

• CVE-2025-61594

---

Full Changelog: v1.0.3...v1.0.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 71 commits:

• v1.1.1
• Merge pull request #189 from osyoyu/restore-whatwg-email-regexp
• Re-allow consecutive, leading and trailing dots in EMAIL_REGEXP
• v1.1.0
• Merge pull request #187 from ruby/switch-version-code
• Use generic version number to VERSION and generate VERSION_CODE from that
• Exclude dependabot updates from release note
• Merge pull request #130 from soda92/improve-error-message
• Merge pull request #161 from y-yagi/fix_changing_parser
• Merge pull request #166 from vivshaw/vivshaw/correct-obsolete-parse
• Merge pull request #182 from y-yagi/fix_irb_warning
• Update the latest versions of actions
• Merge tag 'v1.0.4'
• Bump up to v1.0.4
• Merge branch 'CVE-2025-61594-3-4' into HEAD
• Add a workflow to sync commits to ruby/ruby (#183)
• Add `irb` to the Gemfile to fix the warning
• Add authority accessor
• Clear user info totally at setting any of authority info
• Merge pull request #181 from ruby/dependabot/github_actions/step-security/harden-runner-2.13.1
• Bump step-security/harden-runner from 2.13.0 to 2.13.1
• Merge pull request #180 from ruby/dependabot/github_actions/actions/upload-pages-artifact-4
• Bump actions/upload-pages-artifact from 3 to 4
• Merge pull request #179 from ruby/dependabot/github_actions/actions/checkout-5
• Bump actions/checkout from 4 to 5
• Merge pull request #176 from ruby/dependabot/github_actions/step-security/harden-runner-2.13.0
• Bump step-security/harden-runner from 2.12.2 to 2.13.0
• Merge pull request #175 from nobu/doc-uri_parser
• [DOC] Update old use of `URI::Parser`
• [DOC] Document private visibility too
• [DOC] Fix references
• Merge pull request #174 from nobu/performance-test-scale
• Repeat matching to reduce deviations
• Test in exponential scale with rehearsal
• Merge pull request #173 from nobu/email_regexp-refine
• Improve performance of `URI::MailTo::EMAIL_REGEXP`
• Merge pull request #116 from jeremyevans/http-empty-host-reject-20686
• Merge pull request #172 from nobu/more-checks-in-email_regexp
• Prohibit successive dots in email
• More tests for `check_to`
• Merge pull request #124 from nlevchuk/prohibit-leading-and-trailing-dots-in-email-regexp
• Make URI::regexp schemes case sensitive (#38)
• Fix the message for unexpected argument
• Prefer dedicated assertion methods
• Merge pull request #168 from ruby/dependabot/github_actions/step-security/harden-runner-2.12.2
• Bump step-security/harden-runner from 2.12.1 to 2.12.2
• Merge pull request #167 from nobu/doc-Kernel.URI
• [DOC] State that uri library is needed to call Kernel#URI
• Merge pull request #148 from nobu/reserved-char-in-scheme
• Fix a typo
• Use Lo category chars as escaped chars
• Escape reserved characters in scheme name
• Use GITHUB_TOKEN instead of admin credential
• chore(docs): replace reference to the obsolete URI.escape with URI::RFC2396_PARSER.escape
• Merge pull request #165 from ruby/dependabot/github_actions/step-security/harden-runner-2.12.1
• Bump step-security/harden-runner from 2.12.0 to 2.12.1
• Merge pull request #164 from ruby/fixup-ractor-value
• Revert "Alias value or join to take in old Ruby"
• Use the latest version of assert_ractor for Ractor#value
• Merge pull request #163 from ruby/ractor-value
• Alias value or join to take in old Ruby
• `Ractor::Port`
• Merge pull request #162 from ruby/dependabot/github_actions/step-security/harden-runner-2.12.0
• Bump step-security/harden-runner from 2.11.1 to 2.12.0
• Switch a parsing behavior completely when switching a parser
• Merge pull request #159 from ruby/dependabot/github_actions/step-security/harden-runner-2.11.1
• Bump step-security/harden-runner from 2.11.0 to 2.11.1
• Merge pull request #150 from y-yagi/use_fully_qualified_name
• Merge pull request #146 from y-yagi/fix_doc_of_escape
• Merge pull request #158 from ruby/fixed-gh-pages
• Update to use the latest version of setup-ruby and bump up to Ruby 3.4

🆕 faraday-multipart (added, 1.2.0)

🆕 faraday-retry (added, 2.4.0)

🆕 multipart-post (added, 2.4.1)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

Go to the Depfu Dashboard to see the state of your dependencies and to customize how Depfu works.

[depfu]

Closed in favor of #867.