Bump the ruby-deps group with 13 updates #1293

Merged
chadlwilson merged 1 commit into master from dependabot/bundler/ruby-deps-567966b3a5
Apr 1, 2026
@dependabot dependabot bot commented on behalf of github Apr 1, 2026

Bumps the ruby-deps group with 13 updates:

| Package | From | To |
| --- | --- | --- |
| aws-sdk-s3 | 1.217.0 | 1.218.0 |
| html-proofer | 5.2.0 | 5.2.1 |
| activesupport | 8.1.2.1 | 8.1.3 |
| aws-partitions | 1.1229.0 | 1.1233.0 |
| bigdecimal | 3.3.1 | 4.1.0 |
| ffi | 1.17.3 | 1.17.4 |
| json | 2.19.2 | 2.19.3 |
| mime-types-data | 3.2026.0317 | 3.2026.0331 |
| minitest | 6.0.2 | 6.0.3 |
| padrino-helpers | 0.16.0 | 0.16.1 |
| padrino-support | 0.16.0 | 0.16.1 |
| rack | 3.1.20 | 3.1.21 |
| ttfunk | 1.8.0 | 1.7.0 |

Updates aws-sdk-s3 from 1.217.0 to 1.218.0

Changelog

Sourced from aws-sdk-s3's changelog.

1.218.0 (2026-03-31)

  • Feature - Add Bucket Metrics configuration support to directory buckets

1.217.1 (2026-03-30)

  • Issue - Fix require_https_for_sse_cpk option being ignored; the HTTPS enforcement for SSE-CPK operations now correctly respects the configured value, allowing it to be disabled for local development.
Commits

Updates html-proofer from 5.2.0 to 5.2.1

Release notes

Sourced from html-proofer's releases.

v5.2.1

What's Changed

New Contributors

Full Changelog: gjtorikian/html-proofer@v5.2.0...v5.2.1

Changelog

Sourced from html-proofer's changelog.

[v5.2.1] - 29-03-2026

What's Changed

New Contributors

Full Changelog: gjtorikian/html-proofer@v5.2.0...v5.2.1

Commits
  • 68a8936 Merge pull request #874 from gjtorikian/release/v5.2.1
  • e78eb51 [skip test] update changelog
  • 53a456f Merge pull request #873 from ZoeLeBlanc/fix-internal-hash-validation
  • 3bb7947 bump to 5.2.1
  • dc3907c correct rubocop again
  • f0e8f8c correct Rubocop issues
  • 06d6fe4 Revert "Fix Rubocop offenses"
  • 07495d8 Fix Rubocop offenses
  • 68b1812 Add test for hash validation on index URLs
  • 1e53fb0 Fix XPath syntax errors and hash validation false positives
  • Additional commits viewable in compare view

Updates activesupport from 8.1.2.1 to 8.1.3

Release notes

Sourced from activesupport's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before:

    hash = {CustomKey.new(123) => "value"}
    hash.to_json # => {"{:id=>123}":"value"}

    After:

    hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Changelog

Sourced from activesupport's changelog.

Rails 8.1.3 (March 24, 2026)

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before:

    hash = {CustomKey.new(123) => "value"}
    hash.to_json # => {"{:id=>123}":"value"}

    After:

    hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Commits
  • fa8f081 Preparing for 8.1.3 release
  • 63cef3d Merge branch '8-1-sec' into 8-1-stable
  • c315744 Merge pull request #56889 from alpaca-tc/support-spring-on-test-environment
  • 2ac86a8 Revert benchmark.rb to a silent shim (#56832)
  • 8e8c955 Merge pull request #56785 from drsharp/dan/fix-json-encoder-bug
  • 38e8df6 Fix activesupport/CHANGELOG.md offense at 8-1-stable
  • f5266ee Merge pull request #56679 from Saidbek/fix-overlapping-acronyms-order
  • 8080d2d Fix changelog formatting
  • 594357c Merge pull request #56652 from zzak/re-56588
  • 055902a Handle Ruby 4.1 stabby lambda in Proc#source_location start_column
  • Additional commits viewable in compare view

Updates aws-partitions from 1.1229.0 to 1.1233.0

Changelog

Sourced from aws-partitions's changelog.

1.1233.0 (2026-03-31)

  • Feature - Added support for enumerating regions for Aws::Sustainability.

  • Feature - Added support for enumerating regions for Aws::SecurityAgent.

1.1232.0 (2026-03-30)

  • Feature - Added support for enumerating regions for Aws::DevOpsAgent.

1.1231.0 (2026-03-26)

  • Feature - Updated the partitions source data that determines the AWS service regions and endpoints.

1.1230.0 (2026-03-25)

  • Feature - Added support for enumerating regions for Aws::Uxc.
Commits

Updates bigdecimal from 3.3.1 to 4.1.0

Release notes

Sourced from bigdecimal's releases.

v4.1.0

What's Changed

New Contributors

Full Changelog: ruby/bigdecimal@v4.0.1...v4.1.0

v4.0.1

What's Changed

Full Changelog: ruby/bigdecimal@v4.0.0...v4.0.1

v4.0.0

What's Changed

... (truncated)

Changelog

Sourced from bigdecimal's changelog.

4.1.0

4.0.1

4.0.0

... (truncated)

Commits
  • e64c502 Bump version to 4.1.0 (#505)
  • 4782fc5 Fix error compiling with ruby.wasm (#504)
  • 39853fa Increase BigMath converge test precisions (#503)
  • 4a7268e Fix erfc(x,prec) precision when x is huge (#502)
  • 34e4715 Update depend files, etc (#499)
  • 0a47ee4 Use bit_length to calculate NTT bit size (#498)
  • fa02252 Remove DECDIG=uint16_t branch. BigDecimal already requires uint64_t from v3.1...
  • af72ebd Simplify butterfly operation of Number Theoretic Transform (#496)
  • dba0783 Merge pull request #494 from ruby/dependabot/github_actions/rubygems/release-...
  • 0bafaae Merge pull request #495 from ruby/dependabot/github_actions/step-security/har...
  • Additional commits viewable in compare view

Updates ffi from 1.17.3 to 1.17.4

Changelog

Sourced from ffi's changelog.

1.17.4 / 2026-03-26

Fixed:

  • Fix union by-value ABI mismatch with float and double types on ARM64 and X86_64. See #1177 and #1178 for details.
  • Exclude libffi files, which are unnecessary. #1176
Commits
  • 949809c Bump VERSION to 1.17.4
  • 9271775 Merge pull request #1178 from cfis/fix-union-arm64-abi
  • 3743839 Skip failing specs on JRuby
  • 7078a4e Fix MSVC build.
  • 93a85ca Move union-by-value argument tests to the section excluded by Truffleruby
  • b0c95a9 Correctly handle unions with mixed floating point types.
  • 5348a51 Simplify the union type selection
  • dd15f68 Extend the union tests
  • 372045e Fix union by-value ABI mismatch on ARM64. See #1177 for details.
  • 60dbd77 Merge pull request #1180 from ffi/add-more-arm64
  • Additional commits viewable in compare view

Updates json from 2.19.2 to 2.19.3

Release notes

Sourced from json's releases.

v2.19.3

  • Fix handling of unescaped control characters preceded by a backslash.

Full Changelog: ruby/json@v2.19.2...v2.19.3

Changelog

Sourced from json's changelog.

2026-03-25 (2.19.3)

  • Fix handling of unescaped control characters preceded by a backslash.
Commits
  • 779d441 Release 2.19.3
  • 75e2f64 Fix handling of unescaped control characters preceeded by a backslash
  • See full diff in compare view

Updates mime-types-data from 3.2026.0317 to 3.2026.0331

Changelog

Sourced from mime-types-data's changelog.

3.2026.0331 / 2026-03-31

  • Updated registry entries from the IANA [media registry][registry] and [provisional media registry][provisional] and the [Apache Tika media registry][tika] as of the release date.
Commits

Updates minitest from 6.0.2 to 6.0.3

Changelog

Sourced from minitest's changelog.

=== 6.0.3 / 2026-03-31

  • 1 bug fix:

    • assert_same(nil, value) no longer allowed. Use assert_nil to be explicit. (paddor)
Commits
  • 649b075 prepped for release
  • a2d0904 - assert_same(nil, value) no longer allowed. Use assert_nil to be explicit. (...
  • See full diff in compare view

Updates padrino-helpers from 0.16.0 to 0.16.1

Changelog

Sourced from padrino-helpers's changelog.

== 0.16.1 (2026-03-27)

  • FIX #2312 Change HAML setup to support newer versions (@​crashtech)
  • FIX #2311 Loosen bundler version pinning (achiurizo)
Commits

Updates padrino-support from 0.16.0 to 0.16.1

Updates rack from 3.1.20 to 3.1.21

Changelog

Sourced from rack's changelog.

Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

Unreleased

Security

  • CVE-2026-34763 Root directory disclosure via unescaped regex interpolation in Rack::Directory.
  • Escape non-printable characters in Rack::ShowExceptions#dump_exception output to prevent CRLF injection via exception messages containing user-controlled data. (@​haruki0409)
  • CVE-2026-34230 Avoid O(n^2) algorithm in Rack::Utils.select_best_encoding which could lead to denial of service.
  • CVE-2026-32762 Forwarded header semicolon injection enables Host and Scheme spoofing.
  • CVE-2026-26961 Raise error for multipart requests with multiple boundary parameters.
  • CVE-2026-34786 Rack::Static header_rules bypass via URL-encoded path mismatch.
  • CVE-2026-34831 Content-Length mismatch in Rack::Files error responses.
  • CVE-2026-34826 Multipart byte range processing allows denial of service via excessive overlapping ranges.
  • CVE-2026-34835 Rack::Request accepts invalid Host characters, enabling host allowlist bypass.
  • CVE-2026-34830 Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect.
  • CVE-2026-34785 Rack::Static prefix matching can expose unintended files under the static root.
  • CVE-2026-34829 Multipart parsing without Content-Length header allows unbounded chunked file uploads.
  • CVE-2026-34827 Quadratic-time multipart header parsing allows denial of service via escape-heavy quoted parameters.
  • CVE-2026-26962 Improper unfolding of folded multipart headers preserves CRLF in parsed parameter values.

SPEC Changes

Added

  • Add Rack::Files#assign_headers to allow overriding how the configured file headers are set. (#2377, @​codergeek121)
  • Add support for rack.response_finished to Rack::TempfileReaper. (#2363, @​skipkayhil)
  • Add support for streaming bodies when using Rack::Events. (#2375, @​unflxw)
  • Add deflaters option to Rack::Deflater to enable custom compression algorithms like zstd. (#2168, @​alexanderadam)
  • Add Rack::Request#prefetch? for identifying requests with Sec-Purpose: prefetch header set. (#2405, @​glaszig)
  • Add rack.request.trusted_proxy environment key to indicate whether the request is coming from a trusted proxy.

Changed

  • Raise before exceeding a part limit, not after. (#2362, @​matthew-puku)
  • Rack::Deflater now uses a fixed GZip mtime value. (#2372, @​bensheldon)
  • Multipart parser drops support for RFC 2231 filename* parameter (prohibited by RFC 7578) and now properly handles UTF-8 encoded filenames via percent-encoding and direct UTF-8 bytes. (#2398, @​wtn)
  • The query parser now raises Rack::QueryParser::IncompatibleEncodingError if we try to parse params that are not ASCII compatible. (#2416, @​bquorning)

Fixed

  • Multipart parser: limit MIME header size check to the unread buffer region to avoid false multipart mime part header too large errors when previously read data accumulates in the scan buffer. (#2392, @​alpaca-tc, @​willnet, @​krororo)
  • Multipart parser: add nil guards to prevent NoMethodError crashes when handling Content-Disposition without parameters and Content-Type parameters without '='. (@​haruki0409)

[3.2.5] - 2026-02-16

... (truncated)

Commits
  • ae84311 Bump patch version.
  • 87961c3 Fix typo in test.
  • fd1c23d Add logger to gemfile.
  • c59d924 Fix test expectation.
  • 176f468 Add Ruby v4.0 to the test matrix.
  • 2856934 Drop EOL Rubies from external tests.
  • 17ce783 Limit the number of quoted escapes during multipart parsing
  • 367a2a0 Add Content-Length size check in Rack::Multipart::Parser
  • a17cb99 Fix root prefix bug in Rack::Static
  • 59a0966 Only do a simple substitution on the x-accel-mapping paths
  • Additional commits viewable in compare view

Updates ttfunk from 1.8.0 to 1.7.0

Changelog

Sourced from ttfunk's changelog.

[1.8.0][] - 2024-03-05

Fixed

  • Corrupted CFF index data

    there was a subtle bug in cff index implementation that resulted in a data corruption. in certain circumstances some items didn't get properly encoded. this happened when items were not previously accessed.

    this resulted, for instance, in missing glyphs. but only sometimes because indexes might've still contain data that shouldn't've been there. in combination with incorrect encoding (see further) this resulted in some glyphs still being rendered, sometimes even correctly.

    along with the fix a rather large api change landed. this resulted in quite a big diff.

    Alexander Mankuta

  • Incorrect CFF encoding in subsets

    TTFunk used to reuse encoding from the original font. This mapping was incorrect for subset fonts which used not just a subset of glyphs but also a different encoding.

    A separate issue was that some fonts have empty CFF encoding. This incorrect mapping resulted in encoding that mapped all codes to glyph 0.

    This had impact on Prawn in particular. PDF spec explicitly says that CFF encoding is not to be used in OpenType fonts. cmap table should directly index charstrings in the CFF table. Despite this PDF renderers still use CFF encoding to retrieve glyphs. So TTFunk has to discard the original CFF encoding and supply its own.

    Alexander Mankuta

  • maxp table

    The table is now correctly parsed and encoded for both TrueType and CFF-based OpenType fonts.

    Cameron Dutro, Alexander Mankuta

  • Files are closed sooner

    Files were garbage collected but could stay open for longer than necessary.

    Jon Burgess

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the ruby-deps group with 13 updates:

| Package | From | To |
| --- | --- | --- |
| [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) | `1.217.0` | `1.218.0` |
| [html-proofer](https://github.com/gjtorikian/html-proofer) | `5.2.0` | `5.2.1` |
| [activesupport](https://github.com/rails/rails) | `8.1.2.1` | `8.1.3` |
| [aws-partitions](https://github.com/aws/aws-sdk-ruby) | `1.1229.0` | `1.1233.0` |
| [bigdecimal](https://github.com/ruby/bigdecimal) | `3.3.1` | `4.1.0` |
| [ffi](https://github.com/ffi/ffi) | `1.17.3` | `1.17.4` |
| [json](https://github.com/ruby/json) | `2.19.2` | `2.19.3` |
| [mime-types-data](https://github.com/mime-types/mime-types-data) | `3.2026.0317` | `3.2026.0331` |
| [minitest](https://github.com/minitest/minitest) | `6.0.2` | `6.0.3` |
| [padrino-helpers](https://github.com/padrino/padrino-framework) | `0.16.0` | `0.16.1` |
| [padrino-support](http://www.padrinorb.com) | `0.16.0` | `0.16.1` |
| [rack](https://github.com/rack/rack) | `3.1.20` | `3.1.21` |
| [ttfunk](https://github.com/prawnpdf/ttfunk) | `1.8.0` | `1.7.0` |


Updates `aws-sdk-s3` from 1.217.0 to 1.218.0
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

Updates `html-proofer` from 5.2.0 to 5.2.1
- [Release notes](https://github.com/gjtorikian/html-proofer/releases)
- [Changelog](https://github.com/gjtorikian/html-proofer/blob/main/CHANGELOG.md)
- [Commits](gjtorikian/html-proofer@v5.2.0...v5.2.1)

Updates `activesupport` from 8.1.2.1 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activesupport/CHANGELOG.md)
- [Commits](rails/rails@v8.1.2.1...v8.1.3)

Updates `aws-partitions` from 1.1229.0 to 1.1233.0
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-partitions/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

Updates `bigdecimal` from 3.3.1 to 4.1.0
- [Release notes](https://github.com/ruby/bigdecimal/releases)
- [Changelog](https://github.com/ruby/bigdecimal/blob/master/CHANGES.md)
- [Commits](ruby/bigdecimal@v3.3.1...v4.1.0)

Updates `ffi` from 1.17.3 to 1.17.4
- [Changelog](https://github.com/ffi/ffi/blob/master/CHANGELOG.md)
- [Commits](ffi/ffi@v1.17.3...v1.17.4)

Updates `json` from 2.19.2 to 2.19.3
- [Release notes](https://github.com/ruby/json/releases)
- [Changelog](https://github.com/ruby/json/blob/master/CHANGES.md)
- [Commits](ruby/json@v2.19.2...v2.19.3)

Updates `mime-types-data` from 3.2026.0317 to 3.2026.0331
- [Changelog](https://github.com/mime-types/mime-types-data/blob/main/CHANGELOG.md)
- [Commits](mime-types/mime-types-data@v3.2026.0317...v3.2026.0331)

Updates `minitest` from 6.0.2 to 6.0.3
- [Changelog](https://github.com/minitest/minitest/blob/master/History.rdoc)
- [Commits](minitest/minitest@v6.0.2...v6.0.3)

Updates `padrino-helpers` from 0.16.0 to 0.16.1
- [Changelog](https://github.com/padrino/padrino-framework/blob/master/CHANGES.rdoc)
- [Commits](padrino/padrino-framework@0.16.0...0.16.1)

Updates `padrino-support` from 0.16.0 to 0.16.1

Updates `rack` from 3.1.20 to 3.1.21
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@v3.1.20...v3.1.21)

Updates `ttfunk` from 1.8.0 to 1.7.0
- [Release notes](https://github.com/prawnpdf/ttfunk/releases)
- [Changelog](https://github.com/prawnpdf/ttfunk/blob/master/CHANGELOG.md)
- [Commits](prawnpdf/ttfunk@1.8.0...1.7.0)

---
updated-dependencies:
- dependency-name: aws-sdk-s3
  dependency-version: 1.218.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: ruby-deps
- dependency-name: html-proofer
  dependency-version: 5.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: ruby-deps
- dependency-name: activesupport
  dependency-version: 8.1.3
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: ruby-deps
- dependency-name: aws-partitions
  dependency-version: 1.1233.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: ruby-deps
- dependency-name: bigdecimal
  dependency-version: 4.1.0
  dependency-type: indirect
  update-type: version-update:semver-major
  dependency-group: ruby-deps
- dependency-name: ffi
  dependency-version: 1.17.4
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: ruby-deps
- dependency-name: json
  dependency-version: 2.19.3
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: ruby-deps
- dependency-name: mime-types-data
  dependency-version: 3.2026.0331
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: ruby-deps
- dependency-name: minitest
  dependency-version: 6.0.3
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: ruby-deps
- dependency-name: padrino-helpers
  dependency-version: 0.16.1
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: ruby-deps
- dependency-name: padrino-support
  dependency-version: 0.16.1
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: ruby-deps
- dependency-name: rack
  dependency-version: 3.1.21
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: ruby-deps
- dependency-name: ttfunk
  dependency-version: 1.7.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: ruby-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies and ruby labels Apr 1, 2026
@chadlwilson chadlwilson merged commit b0921ed into master Apr 1, 2026
1 check passed
@dependabot dependabot bot deleted the dependabot/bundler/ruby-deps-567966b3a5 branch April 1, 2026 08:40
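
An added example, not part of this PR or of Dependabot's tooling: a review check that reads the Package/From/To table of a grouped update, recomputes each change with `Gem::Version`, and compares it with the `update-type` declared in the commit trailer. The rows and labels are a subset copied from this page; `parse_table`, `classify` and `review` are hypothetical helper names.

```ruby
require "rubygems"

# Subset of the PR's Package/From/To table, embedded so the script runs offline.
TABLE = <<~MD
  | Package | From | To |
  | --- | --- | --- |
  | [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) | `1.217.0` | `1.218.0` |
  | [activesupport](https://github.com/rails/rails) | `8.1.2.1` | `8.1.3` |
  | [bigdecimal](https://github.com/ruby/bigdecimal) | `3.3.1` | `4.1.0` |
  | [rack](https://github.com/rack/rack) | `3.1.20` | `3.1.21` |
  | [ttfunk](https://github.com/prawnpdf/ttfunk) | `1.8.0` | `1.7.0` |
MD

# update-type values from the commit's updated-dependencies trailer.
DECLARED = {
  "aws-sdk-s3"    => "version-update:semver-minor",
  "activesupport" => "version-update:semver-patch",
  "bigdecimal"    => "version-update:semver-major",
  "rack"          => "version-update:semver-patch",
  "ttfunk"        => "version-update:semver-minor",
}.freeze

ROW = /^\|\s*\[([^\]]+)\]\([^)]*\)\s*\|\s*`([^`]+)`\s*\|\s*`([^`]+)`\s*\|$/

# Turn each table row into a name plus comparable versions; header rows do not match.
def parse_table(markdown)
  markdown.each_line.filter_map do |line|
    m = ROW.match(line.strip) or next
    { name: m[1], from: Gem::Version.new(m[2]), to: Gem::Version.new(m[3]) }
  end
end

# Classify the change from the version numbers alone.
def classify(from, to)
  return "downgrade" if to < from
  return "unchanged" if to == from
  a = from.segments + [0, 0]
  b = to.segments + [0, 0]
  return "semver-major" if a[0] != b[0]
  return "semver-minor" if a[1] != b[1]
  "semver-patch"
end

# Return { gem name => [findings] } for updates that deserve a manual look.
def review(markdown, declared)
  parse_table(markdown).filter_map do |u|
    actual = classify(u[:from], u[:to])
    notes = []
    notes << "downgrade #{u[:from]} -> #{u[:to]}" if actual == "downgrade"
    notes << "major bump inside a grouped update" if actual == "semver-major"
    label = declared[u[:name]]&.delete_prefix("version-update:")
    notes << "declared #{label}, computed #{actual}" if label && label != actual
    [u[:name], notes] unless notes.empty?
  end.to_h
end

if __FILE__ == $PROGRAM_NAME
  review(TABLE, DECLARED).each { |name, notes| puts "#{name}: #{notes.join('; ')}" }
end
```

On this PR's data the check reports bigdecimal (3.3.1 to 4.1.0, a major bump) and ttfunk, which moves from 1.8.0 back to 1.7.0 while the trailer labels it semver-minor.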