@dependabot dependabot bot commented on behalf of github Aug 14, 2025

Bumps the bundler group with 3 updates in the / directory: rails, puma and rexml.

Updates rails from 7.0.4.2 to 8.0.2.1

Release notes

Sourced from rails's releases.

8.0.2.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Call inspect on ids in RecordNotFound error

    [CVE-2025-55193]

    Gannon McGibbon, John Hawthorn

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

Remove dangerous transformations

[CVE-2025-24293]

... (truncated)

Commits
  • b0c813b Preparing for 8.0.2.1 release
  • a6d50ae Update CHANGELOGs
  • 568c0bc Call inspect on ids in RecordNotFound error
  • 2d61273 Active Storage: Remove dangerous transformations
  • 3235827 Preparing for 8.0.2 release
  • 3e98891 Upgrade development gems
  • 0a87e3e Merge pull request #54239 from byroot/docker-test-ruby-upgrade
  • e2b9a41 Sync CHANGELOG
  • 4bf434c Merge pull request #54735 from flavorjones/flavorjones-sqlite-adapter-quote-i...
  • 1f5de2f Merge pull request #54649 from yedhink/54529-doc-plural-table-names-limitation
  • Additional commits viewable in compare view

Updates puma from 5.6.5 to 5.6.9

Release notes

Sourced from puma's releases.

5.6.7

Security: Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields (GHSA-68xg-gqqm-vgj8)

Changelog

Sourced from puma's changelog.

5.6.9 / 2024-09-19

  • Security
    • Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). (CVE-2024-45614/GHSA-9hf4-67fc-4vf4)
  • JRuby
    • Must use at least Java >= 9 to compile. You can no longer build from source on Java 8.

5.6.8 / 2024-01-08

  • Security
    • Limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. (GHSA-c2f4-cvqm-65w2)

5.6.7 / 2023-08-18

  • Security
    • Address HTTP request smuggling vulnerabilities with zero-length Content Length header and trailer fields (GHSA-68xg-gqqm-vgj8)

5.6.6 / 2023-06-21

  • Bugfix
    • Prevent loading with rack 3 (#3166)
Commits

Updates actionmailer from 7.0.4.2 to 8.0.2.1

Release notes

Sourced from actionmailer's releases.

8.0.2.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Call inspect on ids in RecordNotFound error

    [CVE-2025-55193]

    Gannon McGibbon, John Hawthorn

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

Remove dangerous transformations

[CVE-2025-24293]

... (truncated)

Changelog

Sourced from actionmailer's changelog.

Rails 8.0.2.1 (August 13, 2025)

  • No changes.

Rails 8.0.2 (March 12, 2025)

  • No changes.

Rails 8.0.2 (March 12, 2025)

  • No changes.

Rails 8.0.1 (December 13, 2024)

  • No changes.

Rails 8.0.0.1 (December 10, 2024)

  • No changes.

Rails 8.0.0 (November 07, 2024)

  • No changes.

Rails 8.0.0.rc2 (October 30, 2024)

  • No changes.

Rails 8.0.0.rc1 (October 19, 2024)

  • No changes.

Rails 8.0.0.beta1 (September 26, 2024)

Please check 7-2-stable for previous changes.

Commits
  • b0c813b Preparing for 8.0.2.1 release
  • 3235827 Preparing for 8.0.2 release
  • 84f47ad Merge pull request #54702 from fatkodima/fix-action_mailer-default_options-docs
  • 6644442 Merge pull request #54617 from byroot/move-strict-warnings
  • f97b866 Use monospace formatting [ci-skip]
  • cf6ff17 Preparing for 8.0.1 release
  • a993c27 Preparing for 8.0.0.1 release
  • dd8f718 Preparing for 8.0.0 release
  • 6283314 Preparing for 8.0.0.rc2 release
  • 97c97e3 Merge pull request #53426 from jhawthorn/security_forward_ports
  • Additional commits viewable in compare view

Updates actionpack from 7.0.4.2 to 8.0.2.1

Release notes

Sourced from actionpack's releases.

8.0.2.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Call inspect on ids in RecordNotFound error

    [CVE-2025-55193]

    Gannon McGibbon, John Hawthorn

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

Remove dangerous transformations

[CVE-2025-24293]

... (truncated)

Changelog

Sourced from actionpack's changelog.

Rails 8.0.2.1 (August 13, 2025)

  • No changes.

Rails 8.0.2 (March 12, 2025)

  • No changes.

Rails 8.0.2 (March 12, 2025)

  • Improve with_routing test helper to not rebuild the middleware stack.

    Otherwise some middleware configuration could be lost.

    Édouard Chin

  • Add resource name to the ArgumentError that's raised when invalid :only or :except options are given to #resource or #resources

    This makes it easier to locate the source of the problem, especially for routes drawn by gems.

    Before:

    :only and :except must include only [:index, :create, :new, :show, :update, :destroy, :edit], but also included [:foo, :bar]
    

    After:

    Route `resources :products` - :only and :except must include only [:index, :create, :new, :show, :update, :destroy, :edit], but also included [:foo, :bar]
    

    Jeremy Green

  • Fix url_for to handle :path_params gracefully when it's not a Hash.

    Prevents various security scanners from causing exceptions.

    Martin Emde

  • Fix ActionDispatch::Executor to unwrap exceptions like other error reporting middlewares.

    Jean Boussier

Rails 8.0.1 (December 13, 2024)

  • Add ActionDispatch::Request::Session#store method to conform Rack spec.

    Yaroslav

... (truncated)

Commits
  • b0c813b Preparing for 8.0.2.1 release
  • 3235827 Preparing for 8.0.2 release
  • 97752ef Merge pull request #54705 from Edouard-chin/ec-with-routing
  • 6644442 Merge pull request #54617 from byroot/move-strict-warnings
  • f842b84 Merge pull request #54613 from ioquatix/rack-lint-compatibility
  • ba1b691 Remove RDoc syntax in code example comments [ci-skip]
  • 9b70ddc Merge pull request #54289 from seanpdoyle/csrf-doc-formatting
  • 24dc650 Link javascript_include_tag and stylesheet_link_tag [ci-skip]
  • 740acb6 Merge pull request #54455 from Shopify/report_all_errors
  • f11286a Merge pull request #54434 from ryenski/ryenski/fix-nomethod-error-in-non-stri...
  • Additional commits viewable in compare view

Updates actiontext from 7.0.4.2 to 8.0.2.1

Release notes

Sourced from actiontext's releases.

8.0.2.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Call inspect on ids in RecordNotFound error

    [CVE-2025-55193]

    Gannon McGibbon, John Hawthorn

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

Remove dangerous transformations

[CVE-2025-24293]

... (truncated)

Changelog

Sourced from actiontext's changelog.

Rails 8.0.2.1 (August 13, 2025)

  • No changes.

Rails 8.0.2 (March 12, 2025)

  • No changes.

Rails 8.0.2 (March 12, 2025)

  • No changes.

Rails 8.0.1 (December 13, 2024)

  • No changes.

Rails 8.0.0.1 (December 10, 2024)

  • Update vendored trix version to 2.1.10

    John Hawthorn

Rails 8.0.0 (November 07, 2024)

  • No changes.

Rails 8.0.0.rc2 (October 30, 2024)

  • No changes.

Rails 8.0.0.rc1 (October 19, 2024)

  • No changes.

Rails 8.0.0.beta1 (September 26, 2024)

  • Dispatch direct-upload events on attachment uploads

    When using Action Text's rich textarea, it's possible to attach files to the editor. Previously, that action didn't dispatch any events, which made it hard to react to the file uploads. For instance, if an upload failed, there was no way to notify the user about it, or remove the attachment from the editor.

... (truncated)

Commits

Updates actionview from 7.0.4.2 to 8.0.2.1

Release notes

Sourced from actionview's releases.

8.0.2.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Call inspect on ids in RecordNotFound error

    [CVE-2025-55193]

    Gannon McGibbon, John Hawthorn

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

Remove dangerous transformations

[CVE-2025-24293]

... (truncated)

Changelog

Sourced from actionview's changelog.

Rails 8.0.2.1 (August 13, 2025)

  • No changes.

Rails 8.0.2 (March 12, 2025)

  • No changes.

Rails 8.0.2 (March 12, 2025)

  • Respect html_options[:form] when collection_checkboxes generates the hidden <input>.

    Riccardo Odone

  • Layouts have access to local variables passed to render.

    This fixes #31680 which was a regression in Rails 5.1.

    Mike Dalessio

  • Argument errors related to strict locals in templates now raise an ActionView::StrictLocalsError, and all other argument errors are reraised as-is.

    Previously, any ArgumentError raised during template rendering was swallowed during strict local error handling, so that an ArgumentError unrelated to strict locals (e.g., a helper method invoked with incorrect arguments) would be replaced by a similar ArgumentError with an unrelated backtrace, making it difficult to debug templates.

    Now, any ArgumentError unrelated to strict locals is reraised, preserving the original backtrace for developers.

    Also note that ActionView::StrictLocalsError is a subclass of ArgumentError, so any existing code that rescues ArgumentError will continue to work.

    Fixes #52227.

    Mike Dalessio

  • Fix stack overflow error in dependency tracker when dealing with circular dependencies

    Jean Boussier

Rails 8.0.1 (December 13, 2024)

  • Fix a crash in ERB template error highlighting when the error occurs on a line in the compiled template that is past the end of the source template.

... (truncated)

Commits
  • b0c813b Preparing for 8.0.2.1 release
  • 3235827 Preparing for 8.0.2 release
  • 6644442 Merge pull request #54617 from byroot/move-strict-warnings
  • f1857b6 Merge pull request #54567 from flavorjones/flavorjones-document-sanitizer
  • d89a641 Autolink FormBuilder#text_field [ci-skip]
  • 3957dcf Autolink FormBuilder#fields_for [ci-skip]
  • 1f3ba9b Avoid autolinking FormBuilder#fields_for to itself [ci-skip]
  • 74cf3ff Autolink FormBuilder#form_with [ci-skip]
  • 1239ba5 Autolink UncacheableFragmentError [ci-skip]
  • ba1b691 Remove RDoc syntax in code example comments [ci-skip]
  • Additional commits viewable in compare view

Updates activerecord from 7.0.4.2 to 8.0.2.1

Release notes

Sourced from activerecord's releases.

8.0.2.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Call inspect on ids in RecordNotFound error

    [CVE-2025-55193]

    Gannon McGibbon, John Hawthorn

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

Remove dangerous transformations

[CVE-2025-24293]

... (truncated)

Changelog

Sourced from activerecord's changelog.

Rails 8.0.2.1 (August 13, 2025)

  • Call inspect on ids in RecordNotFound error

    [CVE-2025-55193]

    Gannon McGibbon, John Hawthorn

Rails 8.0.2 (March 12, 2025)

  • No changes.

Rails 8.0.2 (March 12, 2025)

  • Fix inverting rename_enum_value when :from/:to are provided.

    fatkodima

  • Prevent persisting invalid record.

    Edouard Chin

  • Fix inverting drop_table without options.

    fatkodima

  • Fix count with group by qualified name on loaded relation.

    Ryuta Kamizono

  • Fix sum with qualified name on loaded relation.

    Chris Gunther

  • The SQLite3 adapter quotes non-finite Numeric values like "Infinity" and "NaN".

    Mike Dalessio

  • Handle libpq returning a database version of 0 on no/bad connection in PostgreSQLAdapter.

    Before, this version would be cached and an error would be raised during connection configuration when comparing it with the minimum required version for the adapter. This meant that the connection could never be successfully configured on subsequent reconnection attempts.

    Now, this is treated as a connection failure consistent with libpq, raising a ActiveRecord::ConnectionFailed and ensuring the version isn't cached, which allows the version to be retrieved on the next connection attempt.

    Joshua Young, Rian McGuire

... (truncated)

Commits
  • b0c813b Preparing for 8.0.2.1 release
  • a6d50ae Update CHANGELOGs
  • 568c0bc Call inspect on ids in RecordNotFound error
  • 3235827 Preparing for 8.0.2 release
  • e2b9a41 Sync CHANGELOG
  • 4bf434c Merge pull request #54735 from flavorjones/flavorjones-sqlite-adapter-quote-i...
  • f1611d6 Merge pull request #54713 from joshuay03/handle-libpq-server-version-0
  • 7e4716b Merge pull request #54711 from byroot/ensure-configured-connection
  • 13183c6 Merge pull request #54645 from fatkodima/fix-async-aggregations-for-contradic...
  • 6644442 Merge pull request #54617 from byroot/move-strict-warnings
  • Additional commits viewable in compare view

Updates activestorage from 7.0.4.2 to 8.0.2.1

Release notes

Sourced from activestorage's releases.

8.0.2.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Call inspect on ids in RecordNotFound error

    [CVE-2025-55193]

    Gannon McGibbon, John Hawthorn

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

Remove dangerous transformations

[CVE-2025-24293]

... (truncated)

Changelog

Sourced from activestorage's changelog.

Rails 8.0.2.1 (August 13, 2025)

Remove dangerous transformations

[CVE-2025-24293]

Zack Deveau

Rails 8.0.2 (March 12, 2025)

  • No changes.

Rails 8.0.2 (March 12, 2025)

  • A Blob will no longer autosave associated Attachment.

    This fixes an issue where a record with an attachment would have its dirty attributes reset, preventing your after commit callbacks on that record to behave as expected.

    Note that this change doesn't require any changes on your application and is supposed to be internal. Active Storage Attachment will continue to be autosaved (through a different relation).

    Edouard-chin

Rails 8.0.1 (December 13, 2024)

  • No changes.

Rails 8.0.0.1 (December 10, 2024)

  • No changes.

Rails 8.0.0 (November 07, 2024)

  • No changes.

Rails 8.0.0.rc2 (October 30, 2024)

  • No changes.

Rails 8.0.0.rc1 (October 19, 2024)

... (truncated)

Commits
  • b0c813b Preparing for 8.0.2.1 release
  • a6d50ae Update CHANGELOGs
  • 2d61273 Active Storage: Remove dangerous transformations
  • 3235827 Preparing for 8.0.2 release
  • 6644442 Merge pull request #54617 from byroot/move-strict-warnings
  • 4a60957 Merge pull request #54164 from zzak/asto-test-mini_magick-deprecation-warning
  • 5177095 Merge pull request #54142 from rails/rm-fix-precompile-missconfigured-active-...
  • 4d7a105 Fix CHANGELOG formatting
  • e9e9b6b Merge pull request #53623 from Edouard-chin/ec-autosave-blob
  • cf6ff17 Preparing for 8.0.1 release
  • Additional commits viewable in compare view

Updates activesupport from 7.0.4.2 to 8.0.2.1

Release notes

Sourced from activesupport's releases.

8.0.2.1

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Call inspect on ids in RecordNotFound error

    [CVE-2025-55193]

    Gannon McGibbon, John Hawthorn

Action View

  • No changes.

Action Pack

  • No changes.

Active Job

  • No changes.

Action Mailer

  • No changes.

Action Cable

  • No changes.

Active Storage

Remove dangerous transformations

[CVE-2025-24293]

... (truncated)

Changelog

Sourced from activesupport's changelog.

Rails 8.0.2.1 (August 13, 2025)

  • No changes.

Rails 8.0.2 (March 12, 2025)

  • No changes.

Rails 8.0.2 (March 12, 2025)

  • Fix setting to_time_preserves_timezone from new_framework_defaults_8_0.rb.

    fatkodima

  • Fix Active Support Cache fetch_multi when local store is active.

    fetch_multi now properly yield to the provided block for missing entries that have been recorded as such in the local store.

    Jean Boussier

  • Fix execution wrapping to report all exceptions, including Exception.

    If a more serious error like SystemStackError or NoMemoryError happens, the error reporter should be able to report these kinds of exceptions.

    Gannon McGibbon

  • Fix RedisCacheStore and MemCacheStore to also handle connection pool related errors.

    These errors are rescued and reported to Rails.error.

    Jean Boussier

  • Fix ActiveSupport::Cache#read_multi to respect version expiry when using local cache.

    zzak

  • Fix ActiveSupport::MessageVerifier and ActiveSupport::MessageEncryptor configuration of on_rotation callback.

    verifier.rotate(old_secret).on_rotation { ... }

    Now both work as documented.

    Jean Boussier

... (truncated)

Commits
  • b0c813b Preparing for 8.0.2.1 release
  • 3235827 Preparing for 8.0.2 release
  • e2b9a41 Sync CHANGELOG
  • c34be20 Merge pull request #54646 from Edouard-chin/ec-current-attribute-fix
  • c3ad0af Merge pull request #54641 from etiennebarrie/json-doc
  • 6644442 Merge pull request #54617 from byroot/move-strict-warnings
  • dae2bea Merge pull request #54586 from byroot/local-store-fetch-multi-recorded-miss
  • e11c613 Use ::new instead of #initialize for ghost methods [ci-skip]
  • d1ad075 Add MessageVerifiers#rotate block form signature [ci-skip]
  • 69867ec Use delete_prefix in add_filter example [ci-skip]
  • Additional commits viewable in compare view

Updates net-imap from 0.3.4 to 0.5.9

Release notes

Sourced from net-imap's releases.

v0.5.9

What's Changed

Added

Fixed

Documentation

Other Changes

Miscellaneous

Full Changelog: ruby/net-imap@v0.5.8...v0.5.9

v0.5.8

What's Changed

Added

Fixed

Documentation

Miscellaneous

... (truncated)

Commits
  • 0f8c37a 🔖 Bump version to 0.5.9
  • 0c89bb1 🔀 Merge pull request #494 from ruby/synchronize-state-transitions
  • b6e8e5a 🔀 Merge pull request #493 from ruby/synchronize-disconnect-logout
  • 0d7810e 🧵 Synchronize state_authenticated!
  • 0c919fb ♻️ Simplify shutdown of socket in #disconnect
  • ff6dd40 🧵 Set logout state earlier (in receiver thread)
  • 9becbf1 🧵 Don't lock around socket close in #disconnect
  • e4a8c0e 🧵 Short-circuit logout state transition
  • 5bddf68 📖 Document that #disconnect joins receiver thread
  • 17b6463 🧵 Join the receiver after closing the socket
  • Additional commits viewable in compare view

Updates nokogiri from 1.14.2 to 1.18.9

Release notes

Sourced from nokogiri's releases.

v1.18.9 / 2025-07-20

Security

v1.18.8 / 2025-04-21

Security

v1.18.7 / 2025-03-31

Dependencies

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.18.9 / 2025-07-20

Security

v1.18.8 / 2025-04-21

Security

v1.18.7 / 2025-03-31

Dependencies

  • [CRuby] Vendored libxml2 is updated to v2.13.7, which is a bugfix release.

v1.18.6 / 2025-03-24

Fixed

  • [JRuby] In HTML documents, Node#attribute now returns the correct attribute. This has been broken, and returning nil, since v1.17.0. (#3487) @flavorjones

v1.18.5 / 2025-03-19

Fixed

v1.18.4 / 2025-03-14

Security

v1.18.3 / 2025-02-18

Security

v1.18.2 / 2024-01-19

... (truncated)

Commits
  • 1dcd8ce version bump to v1.18.9
  • a05d2b4 Apply upstream patches to address multiple vulnerabilities (#3526)
  • 947a55e Apply upstream patches to address multiple vulnerabilities
  • 9187f4a version bump to v1.18.8
  • 1deea04 dep: libxml2 to v2.13.8 (branch v1.18.x) (#3509)
  • 6457fe6 dep: libxml2 to v2.13.8
  • 13e8aa4 version bump to v1.18.7
  • 605699d dep: bump libxml2 to 2.13.7 (v1.18.x backport) (#3495)
  • 804e590 dep: bump libxml2 to 2.13.7
  • 52bf15b dep(dev): drop Rubocop from JRuby deps
  • Additional commits viewable in compare view

Updates rack from 2.2.6.2 to 3.2.0

Release notes

Sourced from rack's releases.

v3.0.9.1

What's Changed

Full Changelog: rack/rack@v3.0.9...v3.0.9.1

v3.0.9

What's Changed

  • Fix content-length calculation in Rack:Response#write #2150

Full Changelog: rack/rack@v3.0.8...v3.0.9

v3.0.8

What's Changed

New Contributors

Full Changelog: rack/rack@v3.0.7...v3.0.8

v3.0.7

What's Changed

Full Changelog: rack/rack@v3.0.6.1...v3.0.7

v3.0.6.1

No release notes provided.

v3.0.4.1

Full Changelog: rack/rack@v3.0.4...v3.0.4.1

v3.0.4

Full Changelog: rack/rack@v3.0.3...v3.0.4

v3.0.3

What's Changed

Full Changelog: rack/rack@v3.0.2...v3.0.3

v3.0.2

Full Changelog: rack/rack@v3.0.1...v3.0.2

... (truncated)

Changelog

Sourced from rack's changelog.

[3.2.0] - 2025-07-31

This release continues Rack's evolution toward a cleaner, more efficient foundation while maintaining backward compatibility for most applications. The breaking changes primarily affect deprecated functionality, so most users should experience a smooth upgrade with improved performance and standards compliance.

SPEC Changes

Added

  • Introduce Rack::VERSION constant. (#2199, @ioquatix)
  • ISO-2022-JP encoded parts within MIME Multipart sections of an HTTP request body will now be converted to UTF-8. (#2245, @nappa)
  • Add Rack::Request#query_parser= to allow setting the query parser to use. (#2349, @jeremyevans)
  • Add Rack::Request#form_pairs to access form data as raw key-value pairs, preserving duplicate keys. (#2351, @matthewd)

Changed

Deprecated

  • Rack::Auth::AbstractRequest#request is deprecated without replacement. (#2229, @jeremyevans)
  • Rack::Request#parse_multipart (private method designed to be overridden in subclasses) is deprecated without replacement. (#2229, @jeremyevans)

Removed

  • Rack::Request#values_at is removed. (#2200, [Description has been truncated

Bumps the bundler group with 3 updates in the / directory: [rails](https://github.com/rails/rails), [puma](https://github.com/puma/puma) and [rexml](https://github.com/ruby/rexml).


Updates `rails` from 7.0.4.2 to 8.0.2.1
- [Release notes](https://github.com/rails/rails/releases)
- [Commits](rails/rails@v7.0.4.2...v8.0.2.1)

Updates `puma` from 5.6.5 to 5.6.9
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/master/History.md)
- [Commits](puma/puma@v5.6.5...v5.6.9)

Updates `actionmailer` from 7.0.4.2 to 8.0.2.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.0.2.1/actionmailer/CHANGELOG.md)
- [Commits](rails/rails@v7.0.4.2...v8.0.2.1)

Updates `actionpack` from 7.0.4.2 to 8.0.2.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.0.2.1/actionpack/CHANGELOG.md)
- [Commits](rails/rails@v7.0.4.2...v8.0.2.1)

Updates `actiontext` from 7.0.4.2 to 8.0.2.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.0.2.1/actiontext/CHANGELOG.md)
- [Commits](rails/rails@v7.0.4.2...v8.0.2.1)

Updates `actionview` from 7.0.4.2 to 8.0.2.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.0.2.1/actionview/CHANGELOG.md)
- [Commits](rails/rails@v7.0.4.2...v8.0.2.1)

Updates `activerecord` from 7.0.4.2 to 8.0.2.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.0.2.1/activerecord/CHANGELOG.md)
- [Commits](rails/rails@v7.0.4.2...v8.0.2.1)

Updates `activestorage` from 7.0.4.2 to 8.0.2.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.0.2.1/activestorage/CHANGELOG.md)
- [Commits](rails/rails@v7.0.4.2...v8.0.2.1)

Updates `activesupport` from 7.0.4.2 to 8.0.2.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.0.2.1/activesupport/CHANGELOG.md)
- [Commits](rails/rails@v7.0.4.2...v8.0.2.1)

Updates `net-imap` from 0.3.4 to 0.5.9
- [Release notes](https://github.com/ruby/net-imap/releases)
- [Commits](ruby/net-imap@v0.3.4...v0.5.9)

Updates `nokogiri` from 1.14.2 to 1.18.9
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.14.2...v1.18.9)

Updates `rack` from 2.2.6.2 to 3.2.0
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@v2.2.6.2...v3.2.0)

Updates `rexml` from 3.2.5 to 3.3.9
- [Release notes](https://github.com/ruby/rexml/releases)
- [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)
- [Commits](ruby/rexml@v3.2.5...v3.3.9)

---
updated-dependencies:
- dependency-name: rails
  dependency-version: 8.0.2.1
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: puma
  dependency-version: 5.6.9
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: actionmailer
  dependency-version: 8.0.2.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: actionpack
  dependency-version: 8.0.2.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: actiontext
  dependency-version: 8.0.2.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: actionview
  dependency-version: 8.0.2.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: activerecord
  dependency-version: 8.0.2.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: activestorage
  dependency-version: 8.0.2.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: activesupport
  dependency-version: 8.0.2.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: net-imap
  dependency-version: 0.5.9
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: nokogiri
  dependency-version: 1.18.9
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rack
  dependency-version: 3.2.0
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rexml
  dependency-version: 3.3.9
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and ruby labels on Aug 14, 2025