Skip to content

Bump the bundler group across 1 directory with 5 updates#7

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/bundler/bundler-29c4a983e1
Open

Bump the bundler group across 1 directory with 5 updates#7
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/bundler/bundler-29c4a983e1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 11, 2026

Copy link
Copy Markdown

Bumps the bundler group with 2 updates in the / directory: activesupport and excon.

Updates activesupport from 4.2.11.1 to 7.2.3.1

Release notes

Sourced from activesupport's releases.

7.2.3.1

Active Support

  • Reject scientific notation in NumberConverter

    [CVE-2026-33176]

    Jean Boussier

  • Fix SafeBuffer#% to preserve unsafe status

    [CVE-2026-33170]

    Jean Boussier

  • Improve performance of NumberToDelimitedConverter

    [CVE-2026-33169]

    Jean Boussier

Active Model

  • No changes.

Active Record

  • No changes.

Action View

  • Skip blank attribute names in tag helpers to avoid generating invalid HTML.

    [CVE-2026-33168]

    Mike Dalessio

Action Pack

  • No changes.

Active Job

  • No changes.

... (truncated)

Commits
  • ba76fca Preparing for 7.2.3.1 release
  • 8a379f4 Update changelog
  • b54a4b3 Improve performance of NumberToDelimitedConverter
  • c1ad0e8 Fix SafeBuffer#% to preserve unsafe status
  • ebd6be1 NumberConverter: reject scientific notation
  • 4a155f1 Lock some dependencies
  • bb2bdef Preparing for 7.2.3 release
  • fe41a9f Merge pull request #55840 from zzak/asup-xml-mini-bigdecimal-float-precision
  • 12040a3 Merge pull request #55808 from olivier-thatch/fix-enum-sole
  • 58630e1 Merge pull request #55794 from rails/fix-55513
  • Additional commits viewable in compare view

Updates addressable from 2.7.0 to 2.9.0

Changelog

Sourced from addressable's changelog.

Addressable 2.9.0

  • fixes ReDoS vulnerability in Addressable::Template#match (fixes incomplete remediation in 2.8.10)

Addressable 2.8.10

  • fixes ReDoS vulnerability in Addressable::Template#match

Addressable 2.8.9

  • Reduce gem size by excluding test files (#569)
  • No need for bundler as development dependency (#571, 5fc1d93)
  • idna/pure: stop building the useless COMPOSITION_TABLE (removes the Addressable::IDNA::COMPOSITION_TABLE constant) (#564)

#569: sporkmonger/addressable#569 #571: sporkmonger/addressable#571 #564: sporkmonger/addressable#564

Addressable 2.8.8

  • Replace the unicode.data blob by a ruby constant (#561)
  • Allow public_suffix 7 (#558)

#561: sporkmonger/addressable#561 #558: sporkmonger/addressable#558

Addressable 2.8.7

  • Allow public_suffix 6 (#535)

#535: sporkmonger/addressable#535

Addressable 2.8.6

  • Memoize regexps for common character classes (#524)

#524: sporkmonger/addressable#524

Addressable 2.8.5

  • Fix thread safety issue with encoding tables (#515)
  • Define URI::NONE as a module to avoid serialization issues (#509)
  • Fix YAML serialization (#508)

#508: sporkmonger/addressable#508 #509: sporkmonger/addressable#509 #515: sporkmonger/addressable#515

Addressable 2.8.4

  • Restore Addressable::IDNA.unicode_normalize_kc as a deprecated method (#504)

#504: sporkmonger/addressable#504

Addressable 2.8.3

  • Fix template expand level 2 hash support for non-string objects (#499, #498)

... (truncated)

Commits
  • 0c3e858 Revving version and changelog
  • 91915c1 Fixing additional vulnerable paths
  • a091e39 Add many more adversarial test cases to ensure we don't have any ReDoS regres...
  • 463a819 Regenerate gemspec on newer rubygems
  • 0afcb0b Improve from O(n^2) to O(n)
  • c87f768 Fix a ReDoS vulnerability in URI template matching
  • 0d7e9b2 Fix links for 2.8.9 in CHANGELOG (#573)
  • e209120 Update version, gemspec, and CHANGELOG for 2.8.9 (#572)
  • 3875874 Reduce gem size by excluding test files (#569)
  • 3e57cc6 CI: back to windows-2022 for MRI job
  • Additional commits viewable in compare view

Updates cocoapods-downloader from 1.3.0 to 2.1

Release notes

Sourced from cocoapods-downloader's releases.

2.1

Enhancements
  • None.
Bug Fixes
  • Revert minimum required Ruby version to 2.6 to support macOS system ruby installations
    Eric Amorde #142

2.0

Enhancements
  • None.
Bug Fixes
  • None.
Other
  • Drop support for Bazaar (bzr)

1.6.3

Enhancements
  • None.
Bug Fixes
  • None.

1.6.2

Enhancements
  • None.
Bug Fixes
  • None.

1.6.1

Enhancements
  • None.
Bug Fixes
  • None.

... (truncated)

Changelog

Sourced from cocoapods-downloader's changelog.

2.1 (2023-11-19)

Enhancements
  • None.
Bug Fixes
  • Revert minimum required Ruby version to 2.6 to support macOS system ruby installations
    Eric Amorde #142

2.0 (2023-10-26)

Enhancements
  • None.
Bug Fixes
  • None.
Other
  • Drop support for Bazaar (bzr)

1.6.3 (2022-04-01)

Enhancements
  • None.
Bug Fixes
  • None.

1.6.2 (2022-03-28)

Enhancements
  • None.
Bug Fixes
  • None.

... (truncated)

Commits
  • 946c550 Release 2.1
  • b5983f2 Merge pull request #142 from CocoaPods/amorde/macos-system-ruby-support
  • a1859be Revert minimum required Ruby version to 2.6 to support macOS system Ruby
  • 3492e7b Merge pull request #140 from CocoaPods/2-0-stable
  • 9072f2d [CHANGELOG] Add empty Master section
  • 2d3691d Release 2.0
  • d9844ca Merge pull request #139 from CocoaPods/amorde/specs-macos
  • e84cb5e Explicitly enable file protocol in submodule test
  • 7366166 Update specs to run on macOS 12
  • e9ab295 Merge pull request #137 from CocoaPods/amorde/bump-minimum-ruby
  • Additional commits viewable in compare view

Updates concurrent-ruby from 1.1.5 to 1.3.7

Release notes

Sourced from concurrent-ruby's releases.

v1.3.7

There are 3 security fixes in this release, so updating is recommended. These security vulnerabilities are not very likely to be hit in practice and have a corresponding Low severity score.

What's Changed

New Contributors

Full Changelog: ruby-concurrency/concurrent-ruby@v1.3.6...v1.3.7

v1.3.6

What's Changed

New Contributors

Full Changelog: ruby-concurrency/concurrent-ruby@v1.3.5...v1.3.6

... (truncated)

Changelog

Sourced from concurrent-ruby's changelog.

Release v1.3.7 (16 June 2026)

concurrent-ruby:

Release v1.3.6 (13 December 2025)

concurrent-ruby:

Release v1.3.5, edge v0.7.2 (15 January 2025)

concurrent-ruby:

  • (#1062) Remove dependency on logger.

concurrent-ruby-edge:

  • (#1062) Remove dependency on logger.

Release v1.3.4 (10 August 2024)

  • (#1060) Fix bug with return value of Concurrent.available_processor_count when cpu.cfs_quota_us is -1.
  • (#1058) Add Concurrent.cpu_shares that is cgroups aware.

Release v1.3.3 (9 June 2024)

  • (#1053) Improve the speed of Concurrent.physical_processor_count on Windows.

Release v1.3.2, edge v0.7.1 (7 June 2024)

concurrent-ruby:

  • (#1051) Remove dependency on win32ole.

concurrent-ruby-edge:

  • (#1052) Fix dependency on concurrent-ruby to allow the latest release.

Release v1.3.1 (29 May 2024)

  • Release 1.3.0 was broken when pushed to RubyGems. 1.3.1 is a packaging fix.

Release v1.3.0 (28 May 2024)

  • (#1042) Align Java Executor Service behavior for shuttingdown?, shutdown?
  • (#1038) Add Concurrent.available_processor_count that is cgroups aware.

... (truncated)

Commits
  • 4c8fc28 Release 1.3.7
  • d91ca94 Fix AtomicReference#update livelock when stored value is Float::NAN on JRuby ...
  • 7e4d711 Fix ReentrantReadWriteLock read hold overflow into write-lock bit
  • 6e37e06 Fix AtomicReference#update livelock when stored value is Float::NAN
  • 2825cfa Cleanup spec
  • 3fd4932 Fix ReadWriteLock wrong-thread write release and stray read release
  • 1974b47 Add Ruby 4.0 in CI
  • df8706d Add SECURITY.md (#1104)
  • 7a1b789 Bump actions/upload-pages-artifact from 4 to 5
  • 9b2dbf7 Bump actions/deploy-pages from 4 to 5
  • Additional commits viewable in compare view

Updates excon from 0.71.1 to 1.5.0

Changelog

Sourced from excon's changelog.

1.5.0 2026-05-03

  • update bundled certs
  • invalid parameter error for nil host
  • close security issues around headers and redirect following

1.4.1 2026-03-18

  • change cgi require to cgi/escape for ruby 4.0+

1.4.0 2026-03-02

  • fixes for ruby4
  • add ruby 4.0 and drop 3.2 from ci
  • add user-configurable global resolver factory
  • add SOCK5 proxy support

1.3.2 2025-12-03

  • update bundled certs

1.3.1 2025-11-05

  • update bundled certs

1.3.0 2025-08-18

  • proxy connect should always include port, regardless of default

1.2.9 2025-08-15

  • bump actions/checkout
  • update bundled certs

1.2.8 2025-07-16

  • update bundled certs

1.2.7 2025-05-27

  • freezes caused inadvertent breaking changes, so partially rolling back

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the bundler group with 2 updates in the / directory: [activesupport](https://github.com/rails/rails) and [excon](https://github.com/excon/excon).


Updates `activesupport` from 4.2.11.1 to 7.2.3.1
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activesupport/CHANGELOG.md)
- [Commits](rails/rails@v4.2.11.1...v7.2.3.1)

Updates `addressable` from 2.7.0 to 2.9.0
- [Changelog](https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md)
- [Commits](sporkmonger/addressable@addressable-2.7.0...addressable-2.9.0)

Updates `cocoapods-downloader` from 1.3.0 to 2.1
- [Release notes](https://github.com/CocoaPods/cocoapods-downloader/releases)
- [Changelog](https://github.com/CocoaPods/cocoapods-downloader/blob/master/CHANGELOG.md)
- [Commits](CocoaPods/cocoapods-downloader@1.3.0...2.1)

Updates `concurrent-ruby` from 1.1.5 to 1.3.7
- [Release notes](https://github.com/ruby-concurrency/concurrent-ruby/releases)
- [Changelog](https://github.com/ruby-concurrency/concurrent-ruby/blob/master/CHANGELOG.md)
- [Commits](ruby-concurrency/concurrent-ruby@v1.1.5...v1.3.7)

Updates `excon` from 0.71.1 to 1.5.0
- [Changelog](https://github.com/excon/excon/blob/master/changelog.txt)
- [Commits](excon/excon@v0.71.1...v1.5.0)

---
updated-dependencies:
- dependency-name: activesupport
  dependency-version: 7.2.3.1
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: addressable
  dependency-version: 2.9.0
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: cocoapods-downloader
  dependency-version: '2.1'
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: concurrent-ruby
  dependency-version: 1.3.7
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: excon
  dependency-version: 1.5.0
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code labels Jul 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants