Skip to content

build(deps): bump the most-gems group across 1 directory with 26 updates#1277

Open
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/bundler/most-gems-ebfb248d5a
Open

build(deps): bump the most-gems group across 1 directory with 26 updates#1277
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/bundler/most-gems-ebfb248d5a

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps the most-gems group with 18 updates in the / directory:

Package From To
httpx 1.7.8 1.8.0
nokogiri 1.19.3 1.19.4
rubocop-rspec 3.9.0 3.10.2
faraday 2.14.2 2.14.3
aws-sdk-lambda 1.181.0 1.185.0
aws-sdk-sqs 1.115.0 1.116.0
aws-sdk-cloudwatch 1.138.0 1.140.0
aws-sdk-s3 1.224.0 1.226.0
concurrent-ruby 1.3.6 1.3.7
console 1.35.1 1.36.0
elastic-transport 8.5.1 8.5.2
elasticsearch-api 9.4.0 9.4.3
google-protobuf 4.35.0 4.35.1
i18n 1.14.8 1.15.2
io-event 1.16.1 1.16.3
pp 0.6.3 0.6.4
psych 5.3.1 5.4.0
sass-embedded 1.100.0 1.101.0

Updates httpx from 1.7.8 to 1.8.0

Commits
  • c35a340 bump version to 1.8.0
  • 8c220c7 proxy: unescape user/password values for proxy options
  • 7a6aeb5 set minimum version of http-2 to 1.2.0
  • 87f036c Merge branch 'ping-timeout' into 'master'
  • bd3a58f Merge branch 'issue-383' into 'master'
  • 8b03569 new option: :ping_timeout
  • 54038bb new options: max_response_body_size, max_response_headers,
  • fa18331 Merge branch 'sse' into 'master'
  • 56840e1 test against incoming http-2 changes
  • faf50b7 fix sig for SSRFFilter.unsafe_ip_address?
  • Additional commits viewable in compare view

Updates nokogiri from 1.19.3 to 1.19.4

Release notes

Sourced from nokogiri's releases.

v1.19.4 / 2026-06-18

Security

  • [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
  • [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
  • [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
  • [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.
1269fb644a6de405057a53dd5c762b1209b43ca7424f839454d3dbc677c31a8f  nokogiri-1.19.4-aarch64-linux-gnu.gem
35c65b9ce72b3bb03207bdbe7067915019dc18c1b9b59139684bd6690fdd01af  nokogiri-1.19.4-aarch64-linux-musl.gem
a301313e38bb065d68239e79734bcd6f56fb6efaacebde29e9abf2a4735340ca  nokogiri-1.19.4-arm-linux-gnu.gem
588923c101bcfa78869734d247d25b598674323e7f22474fc468f6e5647311eb  nokogiri-1.19.4-arm-linux-musl.gem
a46db9853286e6597b36ebc6953817d15acf3a299583eb3f89fdc6f91dd63527  nokogiri-1.19.4-arm64-darwin.gem
ce04b9e268c9626852231a48b49128ed52034f1ccb39484a6da3875491cd709e  nokogiri-1.19.4-java.gem
051da97b8eccfdb5444fed40246a35e10d7298b9efe759b4cd25455ea04c587e  nokogiri-1.19.4-x64-mingw-ucrt.gem
7fd17057d3e1f00e9954a74b3cd76595d3d4a5ef233b7ed9599047c204f70551  nokogiri-1.19.4-x86_64-darwin.gem
379fae440b28915e3f19d752ce2dcf8465ed2b2fbefd2a7ca0dd497bc981a06a  nokogiri-1.19.4-x86_64-linux-gnu.gem
17dfb7c1fa194ae02fbf7c51a7afc8d278045ab3fdacfd86f91d02d7b274470b  nokogiri-1.19.4-x86_64-linux-musl.gem
50c951611c92bca05c51411aef45f1cbc50f2821c4802758c5c6d34696533ab5  nokogiri-1.19.4.gem
Changelog

Sourced from nokogiri's changelog.

v1.19.4 / 2026-06-18

Security

  • [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
  • [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
  • [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
  • [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.
Commits
  • 8cfb9da version bump to v1.19.4
  • a856d1e fix: JRuby NONET bypass in XML::Schema (v1.19.x) (#3639)
  • 6a0aa1e fix(CRuby): use-after-free in Document#encoding= when setter raises (v1.19.x)...
  • f658a54 fix: JRuby NONET bypass in XML::Schema
  • 39d26fe fix(CRuby): use-after-free in Document#encoding= when setter raises
  • 04a09dd fix(CRuby): out-of-bounds read in NodeSet#[] with large negative index (v1.19...
  • 7799fbd fix: avoid NPE on uninitialized XML::Node structs (v1.19.x) (#3645)
  • ef19e13 fix(CRuby): avoid UAF in XML::Attr#value= (v1.19.x) (#3644)
  • 5524fa9 fix: Document#root= rejects non-element nodes (v1.19.x) (#3643)
  • 9891ad1 fix(CRuby): use-after-free in XPathContext document lifetime (v1.19.x) (#3641)
  • Additional commits viewable in compare view

Updates rubocop-rspec from 3.9.0 to 3.10.2

Release notes

Sourced from rubocop-rspec's releases.

RuboCop RSpec v3.10.2

  • Fix false positives for RSpec/SpecFilePathFormat when CustomTransform maps a namespace to an empty string. (@​sakuro)
  • Fix RSpec/MatchWithSimpleRegex to ignore regular expressions with options. (@​bquorning)

RuboCop RSpec v3.10.1

  • Add Strict option to RSpec/SharedContext to flag shared_context whenever it contains examples, even alongside setup code. (@​Darhazer)
  • Add NegatedMatcher configuration option RSpec/ExpectChange. (@​Darhazer)
  • Fix RSpec/MatchWithSimpleRegex to ignore regular expressions with interpolations. (@​bquorning)

RuboCop RSpec v3.10.0

  • Add new cop RSpec/MatchWithSimpleRegex to suggest include matcher when match is used with simple string literals without regex-specific features. (@​bquorning)
  • Add new cop RSpec/DiscardedMatcher to detect matchers in void context (e.g. missing .and between compound matchers). (@​ydakuka)
  • Add support for itblock nodes. (@​Darhazer)
  • RSpec/ScatteredLet now preserves the order of lets during auto-correction. (@​Darhazer)
  • Fix a false negative for RSpec/EmptyLineAfterFinalLet inside shared_examples / include_examples / it_behaves_like blocks. (@​Darhazer)
  • Fix a false positive for RSpec/ContainExactly when contain_exactly has multiple splat arguments. (@​ydah)
  • Add autocorrect support for RSpec/SubjectDeclaration. (@​eugeneius)
  • Fix false negatives for RSpec/SpecFilePathFormat when the expected class path only partially matches a path segment. (@​ydah)
  • Fix a false negative for RSpec/ExpectActual when the matcher takes no arguments (e.g. expect("foo").to be_present, expect(1).to be). (@​cvx)
Changelog

Sourced from rubocop-rspec's changelog.

3.10.2 (2026-06-06)

  • Fix false positives for RSpec/SpecFilePathFormat when CustomTransform maps a namespace to an empty string. ([@​sakuro])
  • Fix RSpec/MatchWithSimpleRegex to ignore regular expressions with options. ([@​bquorning])

3.10.1 (2026-06-05)

  • Add Strict option to RSpec/SharedContext to flag shared_context whenever it contains examples, even alongside setup code. ([@​Darhazer])
  • Add NegatedMatcher configuration option RSpec/ExpectChange. ([@​Darhazer])
  • Fix RSpec/MatchWithSimpleRegex to ignore regular expressions with interpolations. ([@​bquorning])

3.10.0 (2026-06-05)

  • Add new cop RSpec/MatchWithSimpleRegex to suggest include matcher when match is used with simple string literals without regex-specific features. ([@​bquorning])
  • Add new cop RSpec/DiscardedMatcher to detect matchers in void context (e.g. missing .and between compound matchers). ([@​ydakuka])
  • Add support for itblock nodes. ([@​Darhazer])
  • RSpec/ScatteredLet now preserves the order of lets during auto-correction. ([@​Darhazer])
  • Fix a false negative for RSpec/EmptyLineAfterFinalLet inside shared_examples / include_examples / it_behaves_like blocks. ([@​Darhazer])
  • Fix a false positive for RSpec/ContainExactly when contain_exactly has multiple splat arguments. ([@​ydah])
  • Add autocorrect support for RSpec/SubjectDeclaration. ([@​eugeneius])
  • Fix false negatives for RSpec/SpecFilePathFormat when the expected class path only partially matches a path segment. ([@​ydah])
  • Fix a false negative for RSpec/ExpectActual when the matcher takes no arguments (e.g. expect("foo").to be_present, expect(1).to be). ([@​cvx])
Commits
  • 2488441 Merge pull request #2189 from rubocop/release
  • c9e53cf Bump version to 3.10.2
  • 7ae0a42 Merge pull request #2186 from sakuro/fix/spec-file-path-format-empty-custom-t...
  • 8b0b5e9 Merge branch 'master' into fix/spec-file-path-format-empty-custom-transform
  • dc4465c Merge pull request #2188 from rubocop/fix-2185
  • d5de6b2 Consider regexp with options a non-simple regexp
  • bad0cb3 🐛 Fix RSpec/SpecFilePathFormat false positives when CustomTransform maps ...
  • ec3eeab Merge pull request #2183 from rubocop/fix-match-with-simple-regex-with-interp...
  • 16bbf49 Bump version to 3.10.1
  • 2a78abd Ignore interpolation in MatchWithSimpleRegex
  • Additional commits viewable in compare view

Updates faraday from 2.14.2 to 2.14.3

Release notes

Sourced from faraday's releases.

v2.14.3

Security Note

This release contains a security fix, we recommend all users to upgrade as soon as possible. A Security Advisory with more details will be posted shortly.

What's Changed

New Contributors

Full Changelog: lostisland/faraday@v2.14.2...v2.14.3

Commits

Updates aws-sdk-lambda from 1.181.0 to 1.185.0

Changelog

Sourced from aws-sdk-lambda's changelog.

1.185.0 (2026-06-22)

  • Feature - Add support for tagging Network Connector resources in AWS Lambda.

1.184.0 (2026-06-18)

  • Feature - Converging and fixing existing documentation gaps in Lambda SDK

1.183.0 (2026-06-02)

  • Feature - Adds configuration for tag propagation to Lambda-managed resources.

1.182.0 (2026-06-01)

  • Feature - Adding new BDD representation of endpoint ruleset
Commits

Updates aws-sdk-sqs from 1.115.0 to 1.116.0

Changelog

Sourced from aws-sdk-sqs's changelog.

1.116.0 (2026-06-02)

  • Feature - Adding new BDD representation of endpoint ruleset
Commits

Updates aws-sdk-cloudwatch from 1.138.0 to 1.140.0

Changelog

Sourced from aws-sdk-cloudwatch's changelog.

1.140.0 (2026-06-09)

  • Feature - This release adds the APIs (AssociateDatasetKmsKey, DisassociateDatasetKmsKey, GetDataset) to manage encryption at rest for OpenTelemetry metrics in CloudWatch using AWS KMS customer managed keys.

1.139.0 (2026-06-02)

  • Feature - Adding new BDD representation of endpoint ruleset
Commits

Updates aws-sdk-s3 from 1.224.0 to 1.226.0

Changelog

Sourced from aws-sdk-s3's changelog.

1.226.0 (2026-06-16)

  • Feature - Added support for annotations. You can now attach up to 1000 annotations (up to 1 MB each) directly to objects and create, retrieve, list, and delete them using new annotation APIs. Also added support for configuring an annotation table in S3 Metadata.

  • Feature - Multipart copies now support tags_directive, annotations_directive, and metadata_directive options for controlling which source properties are copied to the destination.

  • Issue - Fix error when performing cross-region multipart copies with copy_source_region.

1.225.1 (2026-06-10)

  • Issue - Fix download_file single-request mode not writing to a temporary file when given a String/Pathname destination.

1.225.0 (2026-06-02)

  • Feature - Adding new BDD representation of endpoint ruleset
Commits

Updates aws-partitions from 1.1253.0 to 1.1262.0

Changelog

Sourced from aws-partitions's changelog.

1.1262.0 (2026-06-22)

  • Feature - Added support for enumerating regions for Aws::LambdaMicrovms.

  • Feature - Added support for enumerating regions for Aws::LambdaCore.

1.1261.0 (2026-06-16)

  • Feature - Updated the partitions source data that determines the AWS service regions and endpoints.

1.1260.0 (2026-06-12)

  • Feature - Updated the partitions source data that determines the AWS service regions and endpoints.

1.1259.0 (2026-06-09)

  • Feature - Updated the partitions source data that determines the AWS service regions and endpoints.

1.1258.0 (2026-06-05)

  • Feature - Updated the partitions source data that determines the AWS service regions and endpoints.

1.1257.0 (2026-06-03)

  • Feature - Updated the partitions source data that determines the AWS service regions and endpoints.

1.1256.0 (2026-06-02)

  • Feature - Added support for enumerating regions for Aws::SagemakerJobRuntime.

1.1255.0 (2026-05-29)

  • Feature - Updated the partitions source data that determines the AWS service regions and endpoints.

1.1254.0 (2026-05-28)

  • Feature - Added support for enumerating regions for Aws::Resiliencehubv2.
Commits

Updates aws-sdk-core from 3.249.0 to 3.252.0

Changelog

Sourced from aws-sdk-core's changelog.

3.252.0 (2026-06-10)

  • Feature - Updated Aws::Signin::Client with the latest API changes.

  • Feature - AWS Sign-In now allows customers to control access to the AWS Management Console using resource-based policies. With this release customers can restrict console access based on network perimeters such as VPC IDs, VPC endpoints, and IP addresses.

3.251.0 (2026-06-02)

  • Feature - Adding new BDD representation of endpoint ruleset

3.250.0 (2026-05-28)

  • Feature - Adding new BDD representation of endpoint ruleset

  • Issue - Prevent unbounded recursion in CBOR decoder that could cause process termination on malformed responses.

Commits

Updates aws-sdk-kms from 1.128.0 to 1.129.0

Changelog

Sourced from aws-sdk-kms's changelog.

1.129.0 (2026-06-01)

  • Feature - Adding new BDD representation of endpoint ruleset
Commits

Updates concurrent-ruby from 1.3.6 to 1.3.7

Release notes

Sourced from concurrent-ruby's releases.

v1.3.7

There are 3 security fixes in this release, so updating is recommended. These security vulnerabilities are not very likely to be hit in practice and have a corresponding Low severity score.

What's Changed

New Contributors

Full Changelog: ruby-concurrency/concurrent-ruby@v1.3.6...v1.3.7

Changelog

Sourced from concurrent-ruby's changelog.

Release v1.3.7 (16 June 2026)

concurrent-ruby:

Commits
  • 4c8fc28 Release 1.3.7
  • d91ca94 Fix AtomicReference#update livelock when stored value is Float::NAN on JRuby ...
  • 7e4d711 Fix ReentrantReadWriteLock read hold overflow into write-lock bit
  • 6e37e06 Fix AtomicReference#update livelock when stored value is Float::NAN
  • 2825cfa Cleanup spec
  • 3fd4932 Fix ReadWriteLock wrong-thread write release and stray read release
  • 1974b47 Add Ruby 4.0 in CI
  • df8706d Add SECURITY.md (#1104)
  • 7a1b789 Bump actions/upload-pages-artifact from 4 to 5
  • 9b2dbf7 Bump actions/deploy-pages from 4 to 5
  • Additional commits viewable in compare view

Updates console from 1.35.1 to 1.36.0

Release notes

Sourced from console's releases.

v1.36.0

  • Add a size_limit to Console::Format::Safe (default 16KiB) which rebuilds oversized records field-by-field, keeping as many top-level fields as fit within the limit.
  • Degraded fields are recorded in a truncated object that maps each field name to why it was truncated: true (dropped for size) or the error (the value could not be serialized directly and a safe representation was kept in its place).
  • Rename Console::Format::Safe's limit: to depth_limit: (with a deprecated limit: alias) to clarify its purpose alongside the new size_limit:.
Changelog

Sourced from console's changelog.

v1.36.0

  • Add a size_limit to Console::Format::Safe (default 16KiB) which rebuilds oversized records field-by-field, keeping as many top-level fields as fit within the limit.
  • Degraded fields are recorded in a truncated object that maps each field name to why it was truncated: true (dropped for size) or the error (the value could not be serialized directly and a safe representation was kept in its place).
  • Rename Console::Format::Safe's limit: to depth_limit: (with a deprecated limit: alias) to clarify its purpose alongside the new size_limit:.

v1.35.0

  • Fix handling of Errno::ENODEV errors when calculating the width of a terminal that was been re-opened to File::NULL.

v1.34.1

  • Add process_id to serialized output records for clarity (pid is still included for backwards compatibility).
    • Add object_id to serialized output records only when the subject is not a string or class/module.

v1.34.0

  • Allow Console::Compatible::Logger#add to accept **options.

v1.32.0

  • Add fiber_id to serialized output records to help identify which fiber logged the message.
  • Ractor support appears broken in older Ruby versions, so we now require Ruby 3.4 or later for Ractor compatibility, if you need Ractor support.

v1.31.0

Ractor compatibility.

The console library now works correctly with Ruby's Ractor concurrency model. Previously, attempting to use console logging within Ractors would fail with errors about non-shareable objects. This has been fixed by ensuring the default configuration is properly frozen.

# This now works without errors:
ractor = Ractor.new do
	require "console"
	Console.info("Hello from Ractor!")
	"Ractor completed successfully"
end
result = ractor.take
puts result # => 'Ractor completed successfully'

The fix is minimal and maintains full backward compatibility while enabling safe parallel logging across multiple Ractors.

Symbol log level compatibility.

Previously, returning symbols from custom log_level methods in configuration files would cause runtime errors like "comparison of Integer with :debug failed". This has been fixed to properly convert symbols to their corresponding integer values.

# config/console.rb - This now works correctly:
</tr></table> 

... (truncated)

Commits

Updates elastic-transport from 8.5.1 to 8.5.2

Release notes

Sourced from elastic-transport's releases.

v8.5.2

  • Minor refactor to curb implementation.
  • Updated yard development dependency to > 0.9.42.
  • Fix multi_json deprecation warnings. Some deprecations were introduced in multi_json 1.21.0. Pull Request: #112.
  • Reduced gem size. Pull Request: #114.
  • Addresses duplicate content-type header in Manticore. Pull Request: #115.
Commits
  • 2f4b0ce Bumps version to 8.5.2 and updates CHANGELOG
  • a86ebe7 [CI] Updates GitHub Actions
  • 0537f4f Fix multi_json deprecation warnings
  • 7eec945 Reduce gem size (#114)
  • 162be46 Refactors tests for content-type
  • f0fa496 Addresses duplicate content-type header in Manticore
  • ccdd640 Updates Gemfiles
  • 30a32cc [CI] Bumps actions/checkout to v6
  • 6d101ca Updates yard development dependency to > 0.9.42
  • See full diff in compare view

Updates elasticsearch-api from 9.4.0 to 9.4.3

Release notes

Sourced from elasticsearch-api's releases.

v9.4.3

  • Fixes header conflict when using Elasticsearch Serverless. Pull Request

v9.4.2

  • Fixes NoMethodError when Content-Type lacks compatible-with parameter. Pull Request
  • Updates elasticsearch-api, source code documentation for beta/experimental APIs.

v9.4.1

  • Updates elasticsearch-api to the latest Elasticsearch 9.4 specification.
  • Better handling of content-type headers when using Manticore and JRuby to avoid duplication.
Changelog

Sourced from elasticsearch-api's changelog.

9.4.3

  • Fixes header conflict when using Elasticsearch Serverless. Pull Request

9.4.2

  • Updates elasticsearch-api, source code documentation for beta/experimental APIs.
  • Fixes NoMethodError when Content-Type lacks compatible-with parameter. Pull Request

9.4.1

  • Updates elasticsearch-api to the latest Elasticsearch 9.4 specification.
  • Better handling of content-type headers when using Manticore and JRuby to avoid duplication.
Commits
  • b40cf88 Bumps version to 9.4.3 and updates CHANGELOG
  • 613b0dd Backports #2984 - Fixes header conflict on Serverless
  • b6bc5aa Bumps version to 9.4.2 and updates CHANGELOG
  • d045a6c [API] Generates 90feb8f8d
  • 962739f Fixes NoMethodError when Content-Type lacks compatible-with parameter
  • a5fd821 Bumps version to 9.4.1 and updates CHANGELOG
  • 241abdf [API] Generates 1bc1d4e50
  • See full diff in compare view

Updates faraday-net_http from 3.4.3 to 3.4.4

Release notes

Sourced from faraday-net_http's releases.

v3.4.4

What's Changed

New Contributors

Full Changelog: lostisland/faraday-net_http@v3.4.3...v3.4.4

Commits

Updates google-protobuf from 4.35.0 to 4.35.1

Commits

Updates http-2 from 1.1.3 to 1.2.0

Changelog

Sourced from http-2's changelog.

1.2.0

Improvements

A lot of optimizations around reducing allocated objects, avoiding expensive frequent operations, and simpler data structures. A few highlights:

  • precompute huffman padding bytes.
  • use String#bytesplice (when available) to save an intermediate string in buffer ops.
  • bookkeep header dynamic table offsets to improve lookups.
  • streams recently closed: use Hash#delete_if with early break instead of Hash#delete_while to avoid intermediate hash.
  • Store frame flags as integers instead of arrays of symbols in frame hashes.
    • NOTE: while frame hashes are an internal representation, they get exposed via :frame_received or :frame_sent callbacks. in case you're relying on the :flags field, you'll have to adapt your code accordingly.
Commits
  • e42ee74 Merge pull request #190 from HoneyryderChuck/opts
  • bec2bc4 bump version to 1.2.0
  • 3e2ee88 set minimum coverage on merge
  • 54a5bf1 remove extra local pending setting
  • f6d7d09 only post simplecov results if working from the main repo
  • 518582a turn off typecheck when running h2spec
  • 2bc6cbe make sure a string is returned.
  • ab55a71 frame buffer: forego allocation of intermediate string while parittioning max...
  • fac31e7 use Hash#delete_if instead of Hash#delete_while for streams-recently-closed m...
  • 04d110e create continuation frame hash instead of merging with headers
  • Additional commits viewable in compare view

Updates i18n from 1.14.8 to 1.15.2

Release notes

Sourced from i18n's releases.

v1.15.2

What's Changed

Full Changelog: ruby-i18n/i18n@v1.15.1...v1.15.2

v1.15.1

What's Changed

New Contributors

Full Changelog: ruby-i18n/i18n@v1.15.0...v1.15.1

v1.15.0

What's Changed

New Contributors

Full Changelog: ruby-i18n/i18n@v1.14.8...v1.15.0

Commits

Updates io-event from 1.16.1 to 1.16.3

Release notes

Sourced from io-event's releases.

v1.16.3

  • Handle IOError raised while shutting down the pure Ruby interrupt pipe, so IO::Event::Interrupt#close does not leak expected shutdown errors from the interrupt fiber.

v1.16.2

  • Improve timer heap performance by batching scheduled timer insertion, compacting cancelled timers during flush, and avoiding unnecessary heap rebuilds for small incremental inserts.
Changelog

Sourced from io-event's changelog.

v1.16.3

  • Handle IOError raised while shutting down the pure Ruby interrupt pipe, so IO::Event::Interrupt#close does not leak expected shutdown errors from the interrupt fiber.

v1.16.2

  • Improve timer heap performance by batching scheduled timer insertion, compacting cancelled timers during flush, and avoiding unnecessary heap rebuilds for small incremental inserts.
Commits

Updates json from 2.19.5 to 2.20.0

Release notes

Sourced from json's releases.

v2.20.0

What's Changed

  • Both C and Java parsers are no longer recursive, so parsing very deep documents with max_nesting: false will no longer result in SystemStackError stack level too deep errors.
    • The :max_nesting option still defaults to 100.
  • Optimized floating point number parsing further by replacing the ryu algorithm by a port of Eisel-Lemire Fast Float.
  • Added JSON::ResumableParser to parse streams of JSON documents. Not yet available on JRuby.
  • Deprecate default support of JavaScript comments in the parser and add allow_comments: true parsing option.
  • Integrate with Ruby 4.1 ruby_sized_xfree.

Full Changelog: ruby/json@v2.19.8...v2.20.0

v2.19.9

  • Fix buffer overflow that could lead to a crash when writing JSON directly into an IO with JSON.generate(object, io). [CVE-2026-54696].

Full Changelog: ruby/json@v2.19.8...v2.19.9

v2.19.8

What's Changed

  • Fix 1-byte buffer overread on EOS errors.
  • Handle invalid types passed as max_nesting option.

Full Changelog: ruby/json@v2.19.7...v2.19.8

v2.19.7

What's Changed

  • Fix some more edge cases with out of range floats.
  • Ensure the string provided to JSON.parse can't be mutated during parsing.
  • Add missing write barriers in State#dup.
  • Further validate generator depth config.

Full Changelog: ruby/json@v2.19.6...v2.19.7

v2.19.6

What's Changed

  • Cleanly handle overly large depth generator argument.
  • Add missing write barrier in ParserConfig.

Full Changelog: ruby/json@v2.19.5...v2.19.6

Changelog

Sourced from json's changelog.

2026-06-23 (2.20.0)

  • Both C and Java parsers are no longer recursive, so parsing very deep documents with max_nesting: false will no longer result in SystemStackError stack level too deep errors.
    • The :max_nesting option still defaults to 100.
  • Optimized floating point number parsing further by replacing the ryu algorithm by a port of Eisel-Lemire Fast Float.
  • Added JSON::ResumableParser to parse streams of JSON documents. Not yet available on JRuby.
  • Deprecate default support of JavaScript comments in the parser and add allow_comments: true parsing option.
  • Integrate with Ruby 4.1 ruby_sized_xfree.

2026-06-11 (2.19.9)

  • Fix buffer overflow that could lead to a crash when writing JSON directly into an IO with JSON.generate(object, io). [CVE-2026-54696].

2026-06-03 (2.19.8)

  • Fix 1-by...

    Description has been truncated

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code labels Jun 29, 2026
@dependabot dependabot Bot requested a review from BrianSigafoos-SQ as a code owner June 29, 2026 22:44
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 29, 2026
@dependabot dependabot Bot requested review from bsorbo and jwils as code owners June 29, 2026 22:44
@dependabot dependabot Bot added the ruby Pull requests that update Ruby code label Jun 29, 2026
myronmarston added a commit that referenced this pull request Jul 1, 2026
## Why

A batch of dependency-bump PRs (#1236, #1245, #1267, #1272, #1276,
#1277, #1279, #1280) are all failing Steep with `declaration is
duplicated` errors.

Root cause: the new `elasticgraph-json_ingestion` gem ships RBS
signatures (`sig/`) and is a dev dependency of 6 other EG gems, but it
was never added to `rbs_collection.yaml` with `ignore: true`. When `rbs
collection install` runs, it pulls the gem's signatures in via bundler
while those same signatures _also_ exist locally in this monorepo, so
Steep sees duplicate declarations and fails.

Every EG gem that ships signatures must be ignored in
`rbs_collection.yaml` for this reason (see the explanatory comment in
that file). Nothing in CI caught the omission.

## What

- **Fix**: add `elasticgraph-json_ingestion` to `rbs_collection.yaml`
with `ignore: true`.
- **Guard**: add a spec to `gem_spec.rb` asserting that the EG gems with
a `sig/` directory match (via `match_array`) the `elasticgraph*` entries
marked `ignore: true`. This catches both a newly-added gem missing its
entry _and_ a stale entry, so this mistake can't recur silently.

The bootstrap gem `elasticgraph` (no dash) ships no signatures and is
correctly exempt.

## Verification

- New spec fails before the yaml fix (`missing elements:
["elasticgraph-json_ingestion"]`), passes after.
- `bundle exec rspec elasticgraph/spec/unit/elastic_graph/gem_spec.rb` →
205 examples, 0 failures.
- `script/type_check` → No type error detected. 🫖

🤖 Generated with [Claude Code](https://claude.com/claude-code)
@myronmarston

Copy link
Copy Markdown
Collaborator

🤖 (via Claude Code on Myron's behalf)

@dependabot recreate

Bumps the most-gems group with 18 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [httpx](https://gitlab.com/os85/httpx) | `1.7.8` | `1.8.0` |
| [nokogiri](https://github.com/sparklemotion/nokogiri) | `1.19.3` | `1.19.4` |
| [rubocop-rspec](https://github.com/rubocop/rubocop-rspec) | `3.9.0` | `3.10.2` |
| [faraday](https://github.com/lostisland/faraday) | `2.14.2` | `2.14.3` |
| [aws-sdk-lambda](https://github.com/aws/aws-sdk-ruby) | `1.181.0` | `1.185.0` |
| [aws-sdk-sqs](https://github.com/aws/aws-sdk-ruby) | `1.115.0` | `1.116.0` |
| [aws-sdk-cloudwatch](https://github.com/aws/aws-sdk-ruby) | `1.138.0` | `1.140.0` |
| [aws-sdk-s3](https://github.com/aws/aws-sdk-ruby) | `1.224.0` | `1.226.0` |
| [concurrent-ruby](https://github.com/ruby-concurrency/concurrent-ruby) | `1.3.6` | `1.3.7` |
| [console](https://github.com/socketry/console) | `1.35.1` | `1.36.0` |
| [elastic-transport](https://github.com/elastic/elastic-transport-ruby) | `8.5.1` | `8.5.2` |
| [elasticsearch-api](https://github.com/elastic/elasticsearch-ruby) | `9.4.0` | `9.4.3` |
| [google-protobuf](https://github.com/protocolbuffers/protobuf) | `4.35.0` | `4.35.1` |
| [i18n](https://github.com/ruby-i18n/i18n) | `1.14.8` | `1.15.2` |
| [io-event](https://github.com/socketry/io-event) | `1.16.1` | `1.16.3` |
| [pp](https://github.com/ruby/pp) | `0.6.3` | `0.6.4` |
| [psych](https://github.com/ruby/psych) | `5.3.1` | `5.4.0` |
| [sass-embedded](https://github.com/sass-contrib/sass-embedded-host-ruby) | `1.100.0` | `1.101.0` |



Updates `httpx` from 1.7.8 to 1.8.0
- [Commits](https://gitlab.com/os85/httpx/compare/v1.7.8...v1.8.0)

Updates `nokogiri` from 1.19.3 to 1.19.4
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.19.3...v1.19.4)

Updates `rubocop-rspec` from 3.9.0 to 3.10.2
- [Release notes](https://github.com/rubocop/rubocop-rspec/releases)
- [Changelog](https://github.com/rubocop/rubocop-rspec/blob/master/CHANGELOG.md)
- [Commits](rubocop/rubocop-rspec@v3.9.0...v3.10.2)

Updates `faraday` from 2.14.2 to 2.14.3
- [Release notes](https://github.com/lostisland/faraday/releases)
- [Changelog](https://github.com/lostisland/faraday/blob/main/CHANGELOG.md)
- [Commits](lostisland/faraday@v2.14.2...v2.14.3)

Updates `aws-sdk-lambda` from 1.181.0 to 1.185.0
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-lambda/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

Updates `aws-sdk-sqs` from 1.115.0 to 1.116.0
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-sqs/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

Updates `aws-sdk-cloudwatch` from 1.138.0 to 1.140.0
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-cloudwatch/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

Updates `aws-sdk-s3` from 1.224.0 to 1.226.0
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-s3/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

Updates `aws-partitions` from 1.1253.0 to 1.1262.0
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-partitions/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

Updates `aws-sdk-core` from 3.249.0 to 3.252.0
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-core/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

Updates `aws-sdk-kms` from 1.128.0 to 1.129.0
- [Release notes](https://github.com/aws/aws-sdk-ruby/releases)
- [Changelog](https://github.com/aws/aws-sdk-ruby/blob/version-3/gems/aws-sdk-kms/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-ruby/commits)

Updates `concurrent-ruby` from 1.3.6 to 1.3.7
- [Release notes](https://github.com/ruby-concurrency/concurrent-ruby/releases)
- [Changelog](https://github.com/ruby-concurrency/concurrent-ruby/blob/master/CHANGELOG.md)
- [Commits](ruby-concurrency/concurrent-ruby@v1.3.6...v1.3.7)

Updates `console` from 1.35.1 to 1.36.0
- [Release notes](https://github.com/socketry/console/releases)
- [Changelog](https://github.com/socketry/console/blob/main/releases.md)
- [Commits](socketry/console@v1.35.1...v1.36.0)

Updates `elastic-transport` from 8.5.1 to 8.5.2
- [Release notes](https://github.com/elastic/elastic-transport-ruby/releases)
- [Changelog](https://github.com/elastic/elastic-transport-ruby/blob/main/CHANGELOG.md)
- [Commits](elastic/elastic-transport-ruby@v8.5.1...v8.5.2)

Updates `elasticsearch-api` from 9.4.0 to 9.4.3
- [Release notes](https://github.com/elastic/elasticsearch-ruby/releases)
- [Changelog](https://github.com/elastic/elasticsearch-ruby/blob/main/CHANGELOG.md)
- [Commits](elastic/elasticsearch-ruby@v9.4.0...v9.4.3)

Updates `faraday-net_http` from 3.4.3 to 3.4.4
- [Release notes](https://github.com/lostisland/faraday-net_http/releases)
- [Commits](lostisland/faraday-net_http@v3.4.3...v3.4.4)

Updates `google-protobuf` from 4.35.0 to 4.35.1
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)

Updates `http-2` from 1.1.3 to 1.2.0
- [Release notes](https://github.com/igrigorik/http-2/releases)
- [Changelog](https://github.com/igrigorik/http-2/blob/main/CHANGELOG.md)
- [Commits](igrigorik/http-2@v1.1.3...v1.2.0)

Updates `i18n` from 1.14.8 to 1.15.2
- [Release notes](https://github.com/ruby-i18n/i18n/releases)
- [Changelog](https://github.com/ruby-i18n/i18n/blob/master/CHANGELOG.md)
- [Commits](ruby-i18n/i18n@v1.14.8...v1.15.2)

Updates `io-event` from 1.16.1 to 1.16.3
- [Release notes](https://github.com/socketry/io-event/releases)
- [Changelog](https://github.com/socketry/io-event/blob/main/releases.md)
- [Commits](socketry/io-event@v1.16.1...v1.16.3)

Updates `json` from 2.19.5 to 2.20.0
- [Release notes](https://github.com/ruby/json/releases)
- [Changelog](https://github.com/ruby/json/blob/master/CHANGES.md)
- [Commits](ruby/json@v2.19.5...v2.20.0)

Updates `parallel` from 1.28.0 to 2.1.0
- [Changelog](https://github.com/grosser/parallel/blob/master/CHANGELOG.md)
- [Commits](grosser/parallel@v1.28.0...v2.1.0)

Updates `pp` from 0.6.3 to 0.6.4
- [Release notes](https://github.com/ruby/pp/releases)
- [Commits](ruby/pp@v0.6.3...v0.6.4)

Updates `psych` from 5.3.1 to 5.4.0
- [Release notes](https://github.com/ruby/psych/releases)
- [Commits](ruby/psych@v5.3.1...v5.4.0)

Updates `rubocop` from 1.84.2 to 1.87.0
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](rubocop/rubocop@v1.84.2...v1.87.0)

Updates `sass-embedded` from 1.100.0 to 1.101.0
- [Commits](sass-contrib/sass-embedded-host-ruby@v1.100.0...v1.101.0)

---
updated-dependencies:
- dependency-name: aws-partitions
  dependency-version: 1.1262.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: most-gems
- dependency-name: aws-sdk-cloudwatch
  dependency-version: 1.140.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: most-gems
- dependency-name: aws-sdk-core
  dependency-version: 3.252.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: most-gems
- dependency-name: aws-sdk-kms
  dependency-version: 1.129.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: most-gems
- dependency-name: aws-sdk-lambda
  dependency-version: 1.185.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: most-gems
- dependency-name: aws-sdk-s3
  dependency-version: 1.226.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: most-gems
- dependency-name: aws-sdk-sqs
  dependency-version: 1.116.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: most-gems
- dependency-name: concurrent-ruby
  dependency-version: 1.3.7
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: most-gems
- dependency-name: console
  dependency-version: 1.36.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: most-gems
- dependency-name: elastic-transport
  dependency-version: 8.5.2
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: most-gems
- dependency-name: elasticsearch-api
  dependency-version: 9.4.3
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: most-gems
- dependency-name: faraday
  dependency-version: 2.14.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: most-gems
- dependency-name: faraday-net_http
  dependency-version: 3.4.4
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: most-gems
- dependency-name: google-protobuf
  dependency-version: 4.35.1
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: most-gems
- dependency-name: http-2
  dependency-version: 1.2.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: most-gems
- dependency-name: httpx
  dependency-version: 1.8.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: most-gems
- dependency-name: i18n
  dependency-version: 1.15.2
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: most-gems
- dependency-name: io-event
  dependency-version: 1.16.2
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: most-gems
- dependency-name: json
  dependency-version: 2.19.9
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: most-gems
- dependency-name: nokogiri
  dependency-version: 1.19.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: most-gems
- dependency-name: parallel
  dependency-version: 2.1.0
  dependency-type: indirect
  update-type: version-update:semver-major
  dependency-group: most-gems
- dependency-name: pp
  dependency-version: 0.6.4
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: most-gems
- dependency-name: psych
  dependency-version: 5.4.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: most-gems
- dependency-name: rubocop
  dependency-version: 1.87.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: most-gems
- dependency-name: rubocop-rspec
  dependency-version: 3.10.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: most-gems
- dependency-name: sass-embedded
  dependency-version: 1.101.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: most-gems
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/bundler/most-gems-ebfb248d5a branch from 04082b4 to 4e17f10 Compare July 1, 2026 00:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant