
Bump the bundler group across 0 directory with 10 updates #413

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/bundler/bundler-60428bea15

Conversation


dependabot[bot] commented on behalf of github on Apr 23, 2026

Updates actionmailer from 7.0.8.4 to 7.1.6

Release notes

Sourced from actionmailer's releases.

7.1.6

Active Support

  • No changes.

Active Model

  • No changes.

Active Record

  • Gracefully handle Timeout.timeout firing during connection configuration.

    Use of Timeout.timeout could result in an improperly initialized database connection.

    This could lead to a partially configured connection being used, resulting in various exceptions, the most common being with the PostgreSQLAdapter raising "undefined method `key?' for nil" or "TypeError: wrong argument type nil (expected PG::TypeMap)".

    Jean Boussier

  • Fix error handling during connection configuration.

    Active Record wasn't properly handling errors during the connection configuration phase. This could lead to a partially configured connection being used, resulting in various exceptions, the most common being with the PostgreSQLAdapter raising "undefined method `key?' for nil" or "TypeError: wrong argument type nil (expected PG::TypeMap)".

    Jean Boussier

  • Fix prepared statements on mysql2 adapter.

    Jean Boussier

  • Fix a race condition in ActiveRecord::Base#method_missing when lazily defining attributes.

    If multiple threads were concurrently triggering attribute definition on the same model, it could result in a NoMethodError being raised.

    Jean Boussier

Action View

  • No changes.

Action Pack

... (truncated)

Commits
  • ffcbf6f Preparing for 7.1.6 release
  • ddb56de Preparing for 7.1.5.2 release
  • 14c115b Preparing for 7.1.5.1 release
  • 625ec92 Preparing for 7.1.5 release
  • 3ddbd08 Merge remote-tracking branch 'origin/7-1-sec' into 7-1-stable
  • e52d670 Preparing for 7.1.4.2 release
  • 75f0ae9 Fix NoMethodError in ActionMailer block_format
  • 7021f21 [ci skip] Fix CHANGELOG lint errors
  • 5b5f0da Preparing for 7.1.4.1 release
  • 76ae935 Update CHANGELOGs
  • Additional commits viewable in compare view

Updates actionpack from 7.0.8.4 to 7.1.6

Release notes

Sourced from actionpack's releases (the 7.1.6 notes are identical to those quoted under actionmailer above).

Commits
  • ffcbf6f Preparing for 7.1.6 release
  • 8457c89 Merge pull request #55106 from Edouard-chin/ec-dom-testing
  • c0c4357 Merge pull request #52096 from ioquatix/rack-invalid-cookie-key
  • d4db7b2 Merge pull request #54613 from ioquatix/rack-lint-compatibility
  • de7d289 Merge branch '7-1-sec' into 7-1-stable
  • ddb56de Preparing for 7.1.5.2 release
  • 00c86a6 Merge pull request #55043 from byroot/declare-cgi-dependency
  • 99c79fd Merge pull request #55005 from yahonda/selenium_webdriver_4_32_0
  • 1aa9987 Merge pull request #53941 from byroot/rack-server-protocol
  • 843eb2e Update rubocop and fix offenses
  • Additional commits viewable in compare view

Updates actiontext from 7.0.8.4 to 7.1.6

Release notes

Sourced from actiontext's releases (the 7.1.6 notes are identical to those quoted under actionmailer above).

Commits
  • ffcbf6f Preparing for 7.1.6 release
  • ddb56de Preparing for 7.1.5.2 release
  • 14c115b Preparing for 7.1.5.1 release
  • 8ac074a Update vendored trix version to 2.1.10
  • 625ec92 Preparing for 7.1.5 release
  • 3ddbd08 Merge remote-tracking branch 'origin/7-1-sec' into 7-1-stable
  • e52d670 Preparing for 7.1.4.2 release
  • 7021f21 [ci skip] Fix CHANGELOG lint errors
  • 5b5f0da Preparing for 7.1.4.1 release
  • 76ae935 Update CHANGELOGs
  • Additional commits viewable in compare view

Updates actionview from 7.0.8.4 to 7.1.6

Release notes

Sourced from actionview's releases (the 7.1.6 notes are identical to those quoted under actionmailer above).

Commits
  • ffcbf6f Preparing for 7.1.6 release
  • de7d289 Merge branch '7-1-sec' into 7-1-stable
  • ddb56de Preparing for 7.1.5.2 release
  • 40a0294 Remove outdated mathn related test
  • 00c86a6 Merge pull request #55043 from byroot/declare-cgi-dependency
  • ef88965 Merge pull request #54923 from Stazer/main
  • 14c115b Preparing for 7.1.5.1 release
  • 625ec92 Preparing for 7.1.5 release
  • 3ddbd08 Merge remote-tracking branch 'origin/7-1-sec' into 7-1-stable
  • e52d670 Preparing for 7.1.4.2 release
  • Additional commits viewable in compare view

Updates activerecord from 7.0.8.4 to 7.1.6

Release notes

Sourced from activerecord's releases (the 7.1.6 notes are identical to those quoted under actionmailer above).

Commits
  • ffcbf6f Preparing for 7.1.6 release
  • 4df996b Sync changelog
  • a1220b2 Merge pull request #55969 from rails/fix-explain-tests-mysql-9.5
  • 1eb7d24 Merge pull request #53439 from yahonda/postgresql_18devel_drop_support_unlogg...
  • de7d289 Merge branch '7-1-sec' into 7-1-stable
  • ddb56de Preparing for 7.1.5.2 release
  • b279e04 Update CHANGELOGs
  • 3beef20 Call inspect on ids in RecordNotFound error
  • d7fb6eb Merge pull request #54738 from byroot/configure-connection-timeout
  • 556a8e8 Disconnect if configure_connection failed
  • Additional commits viewable in compare view

Updates activestorage from 7.0.8.4 to 7.1.6

Release notes

Sourced from activestorage's releases (the 7.1.6 notes are identical to those quoted under actionmailer above).

Commits
  • ffcbf6f Preparing for 7.1.6 release
  • 1d82970 Add the Action Cable configuration
  • 8323dd6 Merge pull request #54164 from zzak/asto-test-mini_magick-deprecation-warning
  • d100e46 Don't load action cable in the activestorage dummy app
  • 6d83efa Disable GCS tests in CI
  • f7e7f46 Fix Active Storage CHANGELOG formatting
  • ddb56de Preparing for 7.1.5.2 release
  • b279e04 Update CHANGELOGs
  • 1b1adf6 Active Storage: Remove dangerous transformations
  • 14c115b Preparing for 7.1.5.1 release
  • Additional commits viewable in compare view

Updates activesupport from 7.0.8.4 to 7.1.6

Release notes

Sourced from activesupport's releases (the 7.1.6 notes are identical to those quoted under actionmailer above).

Commits
  • ffcbf6f Preparing for 7.1.6 release
  • 0d8321c Remove trailing whitespace from Active Support changelog
  • be47f90 Add missing ActiveSupport 7.1.4 changelog entry
  • 4718aa2 Add code example to reverted changelog entry
  • ccbcc81 Revert "Remove changelog entry for reverted ActiveSupport change [ci skip]"
  • 8c087be Remove changelog entry for reverted ActiveSupport change [ci skip]
  • c441eee BigDecimal now works with floats without precision
  • de7d289 Merge branch '7-1-sec' into 7-1-stable
  • ddb56de Preparing for 7.1.5.2 release
  • cd89cc1 Revert "Merge pull request #54371 from byroot/fix-on-rotate-callback"
  • Additional commits viewable in compare view

Updates nokogiri from 1.16.6 to 1.19.2

Release notes

Sourced from nokogiri's releases.

v1.19.2 / 2026-03-19

Dependencies

  • [JRuby] Saxon-HE is updated to 12.7, from 9.6.0-4. Saxon-HE is a transitive dependency of nu.validator:jing, and this update addresses CVEs in Saxon-HE's own transitive dependencies JDOM and dom4j. We don't think this warrants a security release; however, we're cutting a patch release to help users whose security scanners are flagging this. #3611 @flavorjones

SHA256 Checksums


Full Changelog: sparklemotion/nokogiri@v1.19.1...v1.19.2

v1.19.1 / 2026-02-16

Security


v1.19.0 / 2025-12-28

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.19.2 / 2026-03-19

Dependencies

  • [JRuby] Saxon-HE is updated to 12.7, from 9.6.0-4. Saxon-HE is a transitive dependency of nu.validator:jing, and this update addresses CVEs in Saxon-HE's own transitive dependencies JDOM and dom4j. We don't think this warrants a security release; however, we're cutting a patch release to help users whose security scanners are flagging this. #3611 @flavorjones

v1.19.1 / 2026-02-16

Security

v1.19.0 / 2025-12-28

Ruby

This release is focused on changes to Ruby version support, and is otherwise functionally identical to v1.18.10.

v1.18.10 / 2025-09-15

Dependencies

  • [CRuby] Vendored libxml2 is updated to v2.13.9. Note that the security fixes published in v2.13.9 were already present in Nokogiri v1.18.9.
  • [CRuby] [Windows and MacOS] Vendored libiconv is updated to v1.18

v1.18.9 / 2025-07-20

Security

v1.18.8 / 2025-04-21

Security

v1.18.7 / 2025-03-31

Dependencies

... (truncated)

Commits
  • 6f5d025 version bump to v1.19.2
  • 6d4677f dep: upgrade Saxon-HE from 9.6.0-4 to 12.7 [v1.19.x backport] (#3614)
  • acf9527 dep: upgrade Saxon-HE from 9.6.0-4 to 12.7
  • b42e620 Skip compressed file SAX test on libxml2 >= 2.15
  • d913045 version bump to v1.19.1
  • b81cb98 doc: update CHANGELOG for upcoming v1.19.1
  • 8e66809 C14n raise on failure (#3600)
  • 5b77f3d Raise RuntimeError when canonicalization fails
  • edc5595 Thank sponsors in the README
  • d4dc245 dep: update rdoc to v7
  • Additional commits viewable in compare view

Updates rack from 2.2.9 to 3.2.6

Release notes

Sourced from rack's releases.

v3.2.6

Full Changelog: rack/rack@v3.2.5...v3.2.6

v3.2.4

No release notes provided.

v3.0.9.1

What's Changed

Full Changelog: rack/rack@v3.0.9...v3.0.9.1

v3.0.9

What's Changed

  • Fix content-length calculation in Rack::Response#write #2150

Full Changelog: rack/rack@v3.0.8...v3.0.9

v3.0.8

What's Changed

New Contributors

Full Changelog: rack/rack@v3.0.7...v3.0.8

v3.0.7

What's Changed

Full Changelog: rack/rack@v3.0.6.1...v3.0.7

v3.0.6.1

No release notes provided.

v3.0.4.1

Full Changelog: rack/rack@v3.0.4...v3.0.4.1

v3.0.4

Full Changelog: rack/rack@v3.0.3...v3.0.4

v3.0.3

What's Changed

... (truncated)

Changelog

Sourced from rack's changelog.

[3.2.6] - 2026-04-01

Security

  • CVE-2026-34763 Root directory disclosure via unescaped regex interpolation in Rack::Directory.
  • CVE-2026-34230 Avoid O(n^2) algorithm in Rack::Utils.select_best_encoding which could lead to denial of service.
  • CVE-2026-32762 Forwarded header semicolon injection enables Host and Scheme spoofing.
  • CVE-2026-26961 Raise error for multipart requests with multiple boundary parameters.
  • CVE-2026-34786 Rack::Static header_rules bypass via URL-encoded path mismatch.
  • CVE-2026-34831 Content-Length mismatch in Rack::Files error responses.
  • CVE-2026-34826 Multipart byte range processing allows denial of service via excessive overlapping ranges.
  • CVE-2026-34835 Rack::Request accepts invalid Host characters, enabling host allowlist bypass.
  • CVE-2026-34830 Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect.
  • CVE-2026-34785 Rack::Static prefix matching can expose unintended files under the static root.
  • CVE-2026-34829 Multipart parsing without Content-Length header allows unbounded chunked file uploads.
  • CVE-2026-34827 Multipart header parsing allows denial of service via escape-heavy quoted parameters.
  • CVE-2026-26962 Improper unfolding of folded multipart headers preserves CRLF in parsed parameter values.

[3.2.5] - 2026-02-16

Security

  • CVE-2026-25500 XSS injection via malicious filename in Rack::Directory.
  • CVE-2026-22860 Directory traversal via root prefix bypass in Rack::Directory.

Fixed

[3.2.4] - 2025-11-03

Fixed

  • Multipart parser: limit MIME header size check to the unread buffer region to avoid false multipart mime part header too large errors when previously read data accumulates in the scan buffer. (#2392, @alpaca-tc, @willnet, @krororo)

[3.2.3] - 2025-10-10

Security

  • CVE-2025-61780 Improper handling of headers in Rack::Sendfile may allow proxy bypass.
  • CVE-2025-61919 Unbounded read in Rack::Request form parsing can lead to memory exhaustion.

[3.2.2] - 2025-10-07

Security

  • CVE-2025-61772 Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
  • CVE-2025-61771 Multipart parser buffers large non-file fields entirely in memory, enabling DoS (memory exhaustion)
  • CVE-2025-61770 Unbounded multipart preamble buffering enables DoS (memory exhaustion)

... (truncated)

Commits
  • e1f22fd Bump patch version.
  • 31989fd Fix typo in test.
  • d268165 Fix test expectation.
  • 8f425de Add Ruby v4.0 to the test matrix.
  • bf83042 Drop EOL Rubies from external tests.
  • d50c4d3 Implement OBS unfolding for multipart requests per RFC 5322 2.2.3
  • bfb6914 Limit the number of quoted escapes during multipart parsing
  • b3e5945 Add Content-Length size check in Rack::Multipart::Parser
  • 7a8f326 Fix root prefix bug in Rack::Static
  • a57bc14 Only do a simple substitution on the x-accel-mapping paths
  • Additional commits viewable in compare view

Updates rails-html-sanitizer from 1.6.0 to 1.7.0

Release notes

Sourced from rails-html-sanitizer's releases.

v1.7.0 / 2026-02-24

  • Add Rails::HTML::Sanitizer.allowed_uri? which delegates to Loofah::HTML5::Scrub.allowed_uri?, allowing the Rails framework to check URI safety without a direct dependency on Loofah.

    The minimum Loofah dependency is now ~> 2.25.

    Mike Dalessio @flavorjones

v1.6.2 / 2024-12-12

  • PermitScrubber fully supports frozen "allowed tags".

    v1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which introduced a regression for applications passing a frozen array of allowed tags. Tags and attributes are now properly copied when they are passed to the scrubber.

    Fixes #195.

    Mike Dalessio

1.6.1 / 2024-12-02

This is a performance and security release which addresses several possible XSS vulnerabilities.

  • The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.

    This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).

    Mike Dalessio

  • Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content), regardless of the prune: option value. Previously, disallowed tags were "stripped" unless the gem was configured with the prune: true option.

    The CVEs addressed by this change are:

    Mike Dalessio

  • The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags are removed from the allow-list.

    The CVEs addressed by this change are:

... (truncated)

Changelog

Sourced from rails-html-sanitizer's changelog (identical to the release notes quoted above).

Commits
  • a8a0413 version bump to v1.7.0
  • ea9e7a4 Merge pull request #214 from rails/add-allowed-uri
  • f26dc35 Add Rails::HTML::Sanitizer.allowed_uri? delegating to Loofah
  • cc83f51 Merge pull request #213 from rails/flavorjones/ruby-4-support
  • ee54515 dev: ruby 4 support
  • 2a8fe89 Merge pull request #208 from rails/dependabot/bundler/rack-3.1.17
  • 2b0ecc7 build(deps-dev): bump rack from 3.1.16 to 3.1.17
  • c7ab9f2 Merge pull request #206 from rails/dependabot/bundler/rack-3.1.16
  • 0283ca4 build(deps-dev): bump rack from 3.1.14 to 3.1.16
  • ba7a284 Merge pull request #204 from rails/dependabot/bundler/rack-3.1.14
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Updates `actionmailer` from 7.0.8.4 to 7.1.6
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/actionmailer/CHANGELOG.md)
- [Commits](rails/rails@v7.0.8.4...v7.1.6)

Updates `actionpack` from 7.0.8.4 to 7.1.6
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/actionpack/CHANGELOG.md)
- [Commits](rails/rails@v7.0.8.4...v7.1.6)

Updates `actiontext` from 7.0.8.4 to 7.1.6
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/actiontext/CHANGELOG.md)
- [Commits](rails/rails@v7.0.8.4...v7.1.6)

Updates `actionview` from 7.0.8.4 to 7.1.6
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/actionview/CHANGELOG.md)
- [Commits](rails/rails@v7.0.8.4...v7.1.6)

Updates `activerecord` from 7.0.8.4 to 7.1.6
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activerecord/CHANGELOG.md)
- [Commits](rails/rails@v7.0.8.4...v7.1.6)

Updates `activestorage` from 7.0.8.4 to 7.1.6
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activestorage/CHANGELOG.md)
- [Commits](rails/rails@v7.0.8.4...v7.1.6)

Updates `activesupport` from 7.0.8.4 to 7.1.6
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activesupport/CHANGELOG.md)
- [Commits](rails/rails@v7.0.8.4...v7.1.6)

Updates `nokogiri` from 1.16.6 to 1.19.2
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.16.6...v1.19.2)

Updates `rack` from 2.2.9 to 3.2.6
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](rack/rack@v2.2.9...v3.2.6)

Updates `rails-html-sanitizer` from 1.6.0 to 1.7.0
- [Release notes](https://github.com/rails/rails-html-sanitizer/releases)
- [Changelog](https://github.com/rails/rails-html-sanitizer/blob/main/CHANGELOG.md)
- [Commits](rails/rails-html-sanitizer@v1.6.0...v1.7.0)

---
updated-dependencies:
- dependency-name: actionmailer
  dependency-version: 7.1.6
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: actionpack
  dependency-version: 7.1.6
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: actiontext
  dependency-version: 7.1.6
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: actionview
  dependency-version: 7.1.6
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: activerecord
  dependency-version: 7.1.6
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: activestorage
  dependency-version: 7.1.6
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: activesupport
  dependency-version: 7.1.6
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: nokogiri
  dependency-version: 1.19.2
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rack
  dependency-version: 3.2.6
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: rails-html-sanitizer
  dependency-version: 1.7.0
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and ruby (Pull requests that update ruby code) labels on Apr 23, 2026
cycomachead closed this on May 1, 2026

dependabot[bot] commented on behalf of github on May 1, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/bundler/bundler-60428bea15 branch May 1, 2026 18:35