Releases: ruby/json

v2.19.9

11 Jun 18:49

  • Fix buffer overflow that could lead to a crash when writing JSON directly into an IO
    with JSON.generate(object, io). [CVE-PENDING].

Full Changelog: v2.19.8...v2.19.9

v2.19.8

11 Jun 18:48

What's Changed

  • Fix 1-byte buffer overread on EOS errors.
  • Handle invalid types passed as max_nesting option.

Full Changelog: v2.19.7...v2.19.8

v2.19.7

28 May 10:05

What's Changed

  • Fix some more edge cases with out of range floats.
  • Ensure the string provided to JSON.parse can't be mutated during parsing.
  • Add missing write barriers in State#dup.
  • Further validate generator depth config.

Full Changelog: v2.19.6...v2.19.7

v2.19.6

28 May 07:03

What's Changed

  • Cleanly handle overly large depth generator argument.
  • Add missing write barrier in ParserConfig.

Full Changelog: v2.19.5...v2.19.6

v2.19.5

04 May 04:58

What's Changed

  • Cap the parser to emit a maximum of 5 deprecation warnings per document. Emitting more is not helpful.

Full Changelog: v2.19.4...v2.19.5

v2.19.4

18 Apr 21:09

What's Changed

  • Fix parsing of out of range floats (very large exponents that lead to either 0.0 or Inf).

Full Changelog: v2.19.2...v2.19.4

v2.19.3

25 Mar 11:04

  • Fix handling of unescaped control characters preceded by a backslash.

Full Changelog: v2.19.2...v2.19.3

v2.19.2

18 Mar 17:28

What's Changed

  • Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: v2.19.1...v2.19.2

v2.17.1.2

18 Mar 17:46

  • Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: v2.17.1...v2.17.1.2

v2.15.2.1

18 Mar 17:49

  • Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: v2.15.2...v2.15.2.1