Skip to content

build(deps): bump the bundler group across 1 directory with 8 updates#310

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/bundler/bundler-e5443f5039
Closed

build(deps): bump the bundler group across 1 directory with 8 updates#310
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/bundler/bundler-e5443f5039

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot Bot commented on behalf of github Apr 7, 2026
edited
Loading

Bumps the bundler group with 6 updates in the / directory:

Package From To
haml_lint 0.72.0 0.73.0
addressable 2.8.9 2.9.0
bigdecimal 4.0.1 4.1.1
minitest 6.0.2 6.0.3
rack 3.2.5 3.2.6
rack-session 2.1.1 2.1.2

Updates haml_lint from 0.72.0 to 0.73.0

Changelog

Sourced from haml_lint's changelog.

0.73.0

  • Relax parallel dependency from ~> 1.10 to >= 1.10
Commits

Updates addressable from 2.8.9 to 2.9.0

Changelog

Sourced from addressable's changelog.

Addressable 2.9.0

  • fixes ReDoS vulnerability in Addressable::Template#match (fixes incomplete remediation in 2.8.10)

Addressable 2.8.10

  • fixes ReDoS vulnerability in Addressable::Template#match
Commits
  • 0c3e858 Revving version and changelog
  • 91915c1 Fixing additional vulnerable paths
  • a091e39 Add many more adversarial test cases to ensure we don't have any ReDoS regres...
  • 463a819 Regenerate gemspec on newer rubygems
  • 0afcb0b Improve from O(n^2) to O(n)
  • c87f768 Fix a ReDoS vulnerability in URI template matching
  • See full diff in compare view

Updates bigdecimal from 4.0.1 to 4.1.1

Release notes

Sourced from bigdecimal's releases.

v4.1.1

What's Changed

New Contributors

Full Changelog: ruby/bigdecimal@v4.1.0...v4.1.1

v4.1.0

What's Changed

New Contributors

... (truncated)

Changelog

Sourced from bigdecimal's changelog.

4.1.1

4.1.0

Commits

Updates minitest from 6.0.2 to 6.0.3

Changelog

Sourced from minitest's changelog.

=== 6.0.3 / 2026-03-31

  • 1 bug fix:

    • assert_same(nil, value) no longer allowed. Use assert_nil to be explicit. (paddor)
Commits
  • 649b075 prepped for release
  • a2d0904 - assert_same(nil, value) no longer allowed. Use assert_nil to be explicit. (...
  • See full diff in compare view

Updates parallel from 1.27.0 to 1.28.0

Changelog

Sourced from parallel's changelog.

1.28.0

Fixed

  • Dump undumpable exceptions without cause if that fixes the issue
Commits
  • e141db9 v1.28.0
  • 679f6ec Merge pull request #360 from grosser/grosser/dump
  • 0da8239 dump undumpable exceptions without cause if that fixes the issue
  • 8d638d0 Merge pull request #358 from grosser/grosser/up
  • 998ce26 bundle and cleanup test duplication
  • See full diff in compare view

Updates rack from 3.2.5 to 3.2.6

Release notes

Sourced from rack's releases.

v3.2.6

Full Changelog: rack/rack@v3.2.5...v3.2.6

Changelog

Sourced from rack's changelog.

[3.2.6] - 2026-04-01

Security

  • CVE-2026-34763 Root directory disclosure via unescaped regex interpolation in Rack::Directory.
  • CVE-2026-34230 Avoid O(n^2) algorithm in Rack::Utils.select_best_encoding which could lead to denial of service.
  • CVE-2026-32762 Forwarded header semicolon injection enables Host and Scheme spoofing.
  • CVE-2026-26961 Raise error for multipart requests with multiple boundary parameters.
  • CVE-2026-34786 Rack::Static header_rules bypass via URL-encoded path mismatch.
  • CVE-2026-34831 Content-Length mismatch in Rack::Files error responses.
  • CVE-2026-34826 Multipart byte range processing allows denial of service via excessive overlapping ranges.
  • CVE-2026-34835 Rack::Request accepts invalid Host characters, enabling host allowlist bypass.
  • CVE-2026-34830 Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect.
  • CVE-2026-34785 Rack::Static prefix matching can expose unintended files under the static root.
  • CVE-2026-34829 Multipart parsing without Content-Length header allows unbounded chunked file uploads.
  • CVE-2026-34827 Multipart header parsing allows denial of service via escape-heavy quoted parameters.
  • CVE-2026-26962 Improper unfolding of folded multipart headers preserves CRLF in parsed parameter values.
Commits
  • e1f22fd Bump patch version.
  • 31989fd Fix typo in test.
  • d268165 Fix test expectation.
  • 8f425de Add Ruby v4.0 to the test matrix.
  • bf83042 Drop EOL Rubies from external tests.
  • d50c4d3 Implement OBS unfolding for multipart requests per RFC 5322 2.2.3
  • bfb6914 Limit the number of quoted escapes during multipart parsing
  • b3e5945 Add Content-Length size check in Rack::Multipart::Parser
  • 7a8f326 Fix root prefix bug in Rack::Static
  • a57bc14 Only do a simple substitution on the x-accel-mapping paths
  • Additional commits viewable in compare view

Updates rack-session from 2.1.1 to 2.1.2

Changelog

Sourced from rack-session's changelog.

v2.1.2

  • CVE-2026-39324 Don't fall back to unencrypted coder if encryptors are present.
Commits
  • 504367b Bump patch version.
  • f43638c Don't fall back to unencrypted coder if encryptors are present.
  • dadcfe6 Bump actions/checkout from 4 to 5 (#54)
  • 4eb9ea8 Add top level session spec to validate existing formats.
  • 8f94577 Add rails to external tests.
  • 38ea47d Allow the v2 encryptor to serialize messages with Marshal (#44)
  • 43f2e3a Fix compatibility with older Rubies.
  • 6a060b8 Support UTF-8 data when using the JSON serializer (#39)
  • 8ce0146 Fix auth_tag retrieval on JRuby (#32)
  • 7727185 Add AEAD encryption (#23)
  • See full diff in compare view

Updates regexp_parser from 2.11.3 to 2.12.0

Changelog

Sourced from regexp_parser's changelog.

[2.12.0] - 2026-04-04 - Janosch Müller

Added

  • support for new unicode properties of Ruby 4.0.0
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
build(deps): bump the bundler group across 1 directory with 8 updates
24bda3f 
Bumps the bundler group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [haml_lint](https://github.com/sds/haml-lint) | `0.72.0` | `0.73.0` |
| [addressable](https://github.com/sporkmonger/addressable) | `2.8.9` | `2.9.0` |
| [bigdecimal](https://github.com/ruby/bigdecimal) | `4.0.1` | `4.1.1` |
| [minitest](https://github.com/minitest/minitest) | `6.0.2` | `6.0.3` |
| [rack](https://github.com/rack/rack) | `3.2.5` | `3.2.6` |
| [rack-session](https://github.com/rack/rack-session) | `2.1.1` | `2.1.2` |



Updates `haml_lint` from 0.72.0 to 0.73.0
- [Release notes](https://github.com/sds/haml-lint/releases)
- [Changelog](https://github.com/sds/haml-lint/blob/main/CHANGELOG.md)
- [Commits](sds/haml-lint@v0.72.0...v0.73.0)

Updates `addressable` from 2.8.9 to 2.9.0
- [Changelog](https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md)
- [Commits](sporkmonger/addressable@addressable-2.8.9...addressable-2.9.0)

Updates `bigdecimal` from 4.0.1 to 4.1.1
- [Release notes](https://github.com/ruby/bigdecimal/releases)
- [Changelog](https://github.com/ruby/bigdecimal/blob/master/CHANGES.md)
- [Commits](ruby/bigdecimal@v4.0.1...v4.1.1)

Updates `minitest` from 6.0.2 to 6.0.3
- [Changelog](https://github.com/minitest/minitest/blob/master/History.rdoc)
- [Commits](minitest/minitest@v6.0.2...v6.0.3)

Updates `parallel` from 1.27.0 to 1.28.0
- [Changelog](https://github.com/grosser/parallel/blob/master/CHANGELOG.md)
- [Commits](grosser/parallel@v1.27.0...v1.28.0)

Updates `rack` from 3.2.5 to 3.2.6
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@v3.2.5...v3.2.6)

Updates `rack-session` from 2.1.1 to 2.1.2
- [Release notes](https://github.com/rack/rack-session/releases)
- [Changelog](https://github.com/rack/rack-session/blob/main/releases.md)
- [Commits](rack/rack-session@v2.1.1...v2.1.2)

Updates `regexp_parser` from 2.11.3 to 2.12.0
- [Changelog](https://github.com/ammar/regexp_parser/blob/master/CHANGELOG.md)
- [Commits](ammar/regexp_parser@v2.11.3...v2.12.0)

---
updated-dependencies:
- dependency-name: haml_lint
  dependency-version: 0.73.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: bundler
- dependency-name: addressable
  dependency-version: 2.9.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: bundler
- dependency-name: bigdecimal
  dependency-version: 4.1.1
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: bundler
- dependency-name: minitest
  dependency-version: 6.0.3
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: bundler
- dependency-name: parallel
  dependency-version: 1.28.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: bundler
- dependency-name: rack
  dependency-version: 3.2.6
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: bundler
- dependency-name: rack-session
  dependency-version: 2.1.2
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: bundler
- dependency-name: regexp_parser
  dependency-version: 2.12.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code labels Apr 7, 2026
@dependabot @github
Copy link
Copy Markdown
Author

dependabot Bot commented on behalf of github Apr 9, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this Apr 9, 2026
@dependabot dependabot Bot deleted the dependabot/bundler/bundler-e5443f5039 branch April 9, 2026 06:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants