chore: Bump the bundler group across 1 directory with 4 updates

[dependabot]

Bumps the bundler group with 3 updates in the /docs directory: activesupport, addressable and nokogiri.

Updates activesupport from 8.0.2.1 to 8.0.4.1

Release notes

Sourced from activesupport's releases.

8.0.4.1

Active Support

• Reject scientific notation in NumberConverter

  [CVE-2026-33176]

  Jean Boussier

• Fix SafeBuffer#% to preserve unsafe status

  [CVE-2026-33170]

  Jean Boussier

• Improve performance of NumberToDelimitedConverter

  [CVE-2026-33169]

  Jean Boussier

Active Model

• No changes.

Active Record

• No changes.

Action View

• Skip blank attribute names in tag helpers to avoid generating invalid HTML.

  [CVE-2026-33168]

  Mike Dalessio

Action Pack

• No changes.

Active Job

• No changes.

... (truncated)

Commits

• a79efed Preparing for 8.0.4.1 release
• ac7979b Update changelog
• 29154f1 Improve performance of NumberToDelimitedConverter
• 6e8a811 Fix SafeBuffer#% to preserve unsafe status
• ee2c59e NumberConverter: reject scientific notation
• 5b6ad9d Lock some dependencies
• 624fe3c Preparing for 8.0.4 release
• 0ddf2c9 Delete test that now fails with new version of benchmark gem
• 3c7a8a8 Merge pull request #55864 from RicardoTrindade/patch-2
• 00e1dfa Merge pull request #55840 from zzak/asup-xml-mini-bigdecimal-float-precision
• Additional commits viewable in compare view

Updates addressable from 2.8.7 to 2.9.0

Changelog

Sourced from addressable's changelog.

Addressable 2.9.0

• fixes ReDoS vulnerability in Addressable::Template#match (fixes incomplete remediation in 2.8.10)

Addressable 2.8.10

• fixes ReDoS vulnerability in Addressable::Template#match

Addressable 2.8.9

• Reduce gem size by excluding test files (#569)
• No need for bundler as development dependency (#571, 5fc1d93)
• idna/pure: stop building the useless COMPOSITION_TABLE (removes the Addressable::IDNA::COMPOSITION_TABLE constant) (#564)

#569: sporkmonger/addressable#569 #571: sporkmonger/addressable#571 #564: sporkmonger/addressable#564

Addressable 2.8.8

• Replace the unicode.data blob by a ruby constant (#561)
• Allow public_suffix 7 (#558)

#561: sporkmonger/addressable#561 #558: sporkmonger/addressable#558

Commits

• 0c3e858 Revving version and changelog
• 91915c1 Fixing additional vulnerable paths
• a091e39 Add many more adversarial test cases to ensure we don't have any ReDoS regres...
• 463a819 Regenerate gemspec on newer rubygems
• 0afcb0b Improve from O(n^2) to O(n)
• c87f768 Fix a ReDoS vulnerability in URI template matching
• 0d7e9b2 Fix links for 2.8.9 in CHANGELOG (#573)
• e209120 Update version, gemspec, and CHANGELOG for 2.8.9 (#572)
• 3875874 Reduce gem size by excluding test files (#569)
• 3e57cc6 CI: back to windows-2022 for MRI job
• Additional commits viewable in compare view

Updates nokogiri from 1.18.9 to 1.19.4

Release notes

Sourced from nokogiri's releases.

v1.19.4 / 2026-06-18

Security

• [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
• [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
• [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
• [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
• [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
• [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
• [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
• [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
• [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.

1269fb644a6de405057a53dd5c762b1209b43ca7424f839454d3dbc677c31a8f  nokogiri-1.19.4-aarch64-linux-gnu.gem
35c65b9ce72b3bb03207bdbe7067915019dc18c1b9b59139684bd6690fdd01af  nokogiri-1.19.4-aarch64-linux-musl.gem
a301313e38bb065d68239e79734bcd6f56fb6efaacebde29e9abf2a4735340ca  nokogiri-1.19.4-arm-linux-gnu.gem
588923c101bcfa78869734d247d25b598674323e7f22474fc468f6e5647311eb  nokogiri-1.19.4-arm-linux-musl.gem
a46db9853286e6597b36ebc6953817d15acf3a299583eb3f89fdc6f91dd63527  nokogiri-1.19.4-arm64-darwin.gem
ce04b9e268c9626852231a48b49128ed52034f1ccb39484a6da3875491cd709e  nokogiri-1.19.4-java.gem
051da97b8eccfdb5444fed40246a35e10d7298b9efe759b4cd25455ea04c587e  nokogiri-1.19.4-x64-mingw-ucrt.gem
7fd17057d3e1f00e9954a74b3cd76595d3d4a5ef233b7ed9599047c204f70551  nokogiri-1.19.4-x86_64-darwin.gem
379fae440b28915e3f19d752ce2dcf8465ed2b2fbefd2a7ca0dd497bc981a06a  nokogiri-1.19.4-x86_64-linux-gnu.gem
17dfb7c1fa194ae02fbf7c51a7afc8d278045ab3fdacfd86f91d02d7b274470b  nokogiri-1.19.4-x86_64-linux-musl.gem
50c951611c92bca05c51411aef45f1cbc50f2821c4802758c5c6d34696533ab5  nokogiri-1.19.4.gem

v1.19.3 / 2026-04-27

Fixed / Security

• Address exponential regex backtracking in CSS selector tokenizer. See GHSA-c4rq-3m3g-8wgx for more information.
• [CRuby] Address memory leak in XSLT::Stylesheet#transform. See GHSA-v2fc-qm4h-8hqv for more information.

46b89e5d7b9e844c2ee360794240c6ea2a4e6fa0c5892a4ed487db621224b639  nokogiri-1.19.3-aarch64-linux-gnu.gem
8392dfdcd21be7a94dbbe9ccc138dea01b97b24cb2dc02a114ca98bfb1d9a0b7  nokogiri-1.19.3-aarch64-linux-musl.gem
3919d5ffc334ad778a4a9eb88fda7dcb8b1fb58c8a52ac640c6dcd2f038e774f  nokogiri-1.19.3-arm-linux-gnu.gem
9ce1cb6346bb9c67b1550eb537aa183ead91e4b6eadb2f36ade02d8dd2a79fb6  nokogiri-1.19.3-arm-linux-musl.gem
71b9bd424b1b7abc18b05052a1a3cfd3627abdca62be280854cc411791357e42  nokogiri-1.19.3-arm64-darwin.gem
40ea6ebf5cf2005dae1dee26dd557d3afb41fb6de6c9764aca8cf06fdb841db1  nokogiri-1.19.3-java.gem
8bb7132cad356c879a1286eaabcb5e68326cb2490317984280fbc62f456d506a  nokogiri-1.19.3-x64-mingw-ucrt.gem
</tr></table> 

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.19.4 / 2026-06-18

Security

• [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
• [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
• [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
• [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
• [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
• [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
• [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
• [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
• [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.

v1.19.3 / 2026-04-27

Fixed / Security

• Address exponential regex backtracking in CSS selector tokenizer. See GHSA-c4rq-3m3g-8wgx for more information.
• [CRuby] Address memory leak in XSLT::Stylesheet#transform. See GHSA-v2fc-qm4h-8hqv for more information.

v1.19.2 / 2026-03-19

Dependencies

• [JRuby] Saxon-HE is updated to 12.7, from 9.6.0-4. Saxon-HE is a transitive dependency of nu.validator:jing, and this update addresses CVEs in Saxon-HE's own transitive dependencies JDOM and dom4j. We don't think this warrants a security release, however we're cutting a patch release to help users whose security scanners are flagging this. #3611 @​flavorjones

v1.19.1 / 2026-02-16

Security

• [CRuby] Address unchecked return value from xmlC14NExecute which was a contributing cause to ruby-saml GHSA-x4h9-gwv3-r4m4. See GHSA-wx95-c6cv-8532 for more information.

v1.19.0 / 2025-12-28

Ruby

This release is focused on changes to Ruby version support, and is otherwise functionally identical to v1.18.10.

• Introduce native gem support for Ruby 4.0. #3590
• End support for Ruby 3.1, for which upstream support ended 2025-03-26.
• End support for JRuby 9.4 (which targets Ruby 3.1 compatibility).

v1.18.10 / 2025-09-15

... (truncated)

Commits

• 8cfb9da version bump to v1.19.4
• a856d1e fix: JRuby NONET bypass in XML::Schema (v1.19.x) (#3639)
• 6a0aa1e fix(CRuby): use-after-free in Document#encoding= when setter raises (v1.19.x)...
• f658a54 fix: JRuby NONET bypass in XML::Schema
• 39d26fe fix(CRuby): use-after-free in Document#encoding= when setter raises
• 04a09dd fix(CRuby): out-of-bounds read in NodeSet#[] with large negative index (v1.19...
• 7799fbd fix: avoid NPE on uninitialized XML::Node structs (v1.19.x) (#3645)
• ef19e13 fix(CRuby): avoid UAF in XML::Attr#value= (v1.19.x) (#3644)
• 5524fa9 fix: Document#root= rejects non-element nodes (v1.19.x) (#3643)
• 9891ad1 fix(CRuby): use-after-free in XPathContext document lifetime (v1.19.x) (#3641)
• Additional commits viewable in compare view

Updates uri from 1.0.3 to 1.1.1

Release notes

Sourced from uri's releases.

v1.1.1

What's Changed

• Re-allow consecutive, leading and trailing dots in EMAIL_REGEXP by @​osyoyu in ruby/uri#189

New Contributors

• @​osyoyu made their first contribution in ruby/uri#189

Full Changelog: ruby/uri@v1.1.0...v1.1.1

v1.1.0

What's Changed

• Update to use the latest version of setup-ruby and bump up to Ruby 3.4 by @​hsbt in ruby/uri#158
• Fix the mention to removed URI.escape/URI::Escape by @​y-yagi in ruby/uri#146
• Use a fully qualified name in warning messages by @​y-yagi in ruby/uri#150
• Support Ractor#value by @​hsbt in ruby/uri#163
• Removed unnecessary workaround by @​hsbt in ruby/uri#164
• Escape reserved characters in scheme name by @​nobu in ruby/uri#148
• [DOC] State that uri library is needed to call Kernel#URI by @​nobu in ruby/uri#167
• Prefer dedicated assertion methods by @​nobu in ruby/uri#169
• Fix the message for unexpected argument by @​nobu in ruby/uri#171
• Make URI::regexp schemes case sensitive (#38) by @​nobu in ruby/uri#170
• The local part should not contain leading or trailing dots in the EMAIL_REGEXP by @​nlevchuk in ruby/uri#124
• More checks in EMAIL_REGEXP by @​nobu in ruby/uri#172
• Do not allow empty host names, as they are not allowed by RFC 3986 by @​jeremyevans in ruby/uri#116
• Improve performance of URI::MailTo::EMAIL_REGEXP by @​nobu in ruby/uri#173
• Performance test stability by @​nobu in ruby/uri#174
• Update documents that used URI::Parser by @​nobu in ruby/uri#175
• Add a workflow to sync commits to ruby/ruby by @​k0kubun in ruby/uri#183
• Add irb to the Gemfile to fix the warning by @​y-yagi in ruby/uri#182
• Replace reference to the obsolete URI.escape with URI::RFC2396_PARSER.escape by @​vivshaw in ruby/uri#166
• Switch a parsing behavior completely when switching a parser by @​y-yagi in ruby/uri#161
• improve error message by @​soda92 in ruby/uri#130
• Use generic version number to VERSION by @​hsbt in ruby/uri#187

New Contributors

• @​y-yagi made their first contribution in ruby/uri#146
• @​nlevchuk made their first contribution in ruby/uri#124
• @​vivshaw made their first contribution in ruby/uri#166
• @​soda92 made their first contribution in ruby/uri#130

Full Changelog: ruby/uri@v1.0.4...v1.1.0

v1.0.4

Security fixes

• CVE-2025-61594

... (truncated)

Commits

• f1b05c8 v1.1.1
• 8557e8d Merge pull request #189 from osyoyu/restore-whatwg-email-regexp
• c551d70 Re-allow consecutive, leading and trailing dots in EMAIL_REGEXP
• c41903b v1.1.0
• b433f34 Merge pull request #187 from ruby/switch-version-code
• 1fc4f04 Use generic version number to VERSION and generate VERSION_CODE from that
• e830680 Exclude dependabot updates from release note
• 70d245f Merge pull request #130 from soda92/improve-error-message
• d629c8c Merge pull request #161 from y-yagi/fix_changing_parser
• fec6733 Merge pull request #166 from vivshaw/vivshaw/correct-obsolete-parse
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.