Bump the bundler group across 1 directory with 13 updates

[dependabot]

Bumps the bundler group with 3 updates in the / directory: jquery-rails, twitter-bootstrap-rails and bootstrap-sass.

Updates jquery-rails from 2.1.1 to 4.6.1

Changelog

Sourced from jquery-rails's changelog.

4.6.1

• update jquery to 3.7.1

4.6.0

• update jquery to 3.7.0

4.5.1

• update jquery to 3.6.1
• update jquery-ujs to 1.2.3

4.5.0

• update jquery to 3.6.0

4.4.0

• update jquery to 3.5.1 (note: 3.5.0 contains important security updates)
• unescape dollar signs and backticks in assert_select_jquery to match Rails updated behavior.

4.3.5

• update jquery to 3.4.1

4.3.4

• update jquery to 3.4.0

4.3.3

• update jquery to 3.3.1

4.3.2

• update jquery to 3.3.0
• Add possibility to test HTML: all, attribute prefix, attribute contains, attribute ends with, child, and class selectors
• Fix matching multiple calls for the same selector/function exception

4.3.1

• update jquery to 3.2.1

4.3.0

• update jquery to 3.2.0
• Add possibility to test HTML attribute selectors

... (truncated)

Commits

• 0342960 Release v4.6.1 with jQuery v3.7.1
• 039b12e Update jquery to v3.7.1 (#305)
• 12869da Release v4.6.0 with jQuery v3.7.0
• 65a9c73 Update jquery to 3.7.0
• fb5a7a8 Merge pull request #293 from MichaelHoste/patch-1
• d9dfbe1 Merge pull request #296 from okuramasafumi/patch-1
• f34a439 Update CHANGELOG.md
• b9e5aa7 Fix typo in CHANGELOG.md (usj => ujs)
• de8792d Release v4.5.1 with jquery 3.6.1 and jquery-ujs 1.2.3
• 7e6f508 Update jquery-ujs to latest v1.2.3
• Additional commits viewable in compare view

Updates twitter-bootstrap-rails from 2.1.1 to 5.1.0

Changelog

Sourced from twitter-bootstrap-rails's changelog.

... (truncated)

Commits

• See full diff in compare view

Updates bootstrap-sass from 2.0.4.0 to 3.4.1

Release notes

Sourced from bootstrap-sass's releases.

v3.4.1

• Security: Fixed an XSS vulnerability (CVE-2019-8331) in our tooltip and popover plugins by implementing a new HTML sanitizer
• Handle bad selectors (#) in data-target for Dropdowns
• Clarified tooltip selector documentation
• Added support for NuGet contentFiles

v3.4.0

• New: Added a .row-no-gutters class.
• New: Added docs searching via Algolia.
• Fixed: Resolved an XSS issue in Alert, Carousel, Collapse, Dropdown, Modal, and Tab components. See https://snyk.io/vuln/npm:bootstrap:20160627 for details.
• Fixed: Added padding to .navbar-fixed-* on modal open
• Fixed: Removed the double border on elements.
• Removed Gist creation in web-based Customizer since anonymous gists were disabled long ago by GitHub.
• Removed drag and drop support from Customizer since it didn’t work anymore.

Framework version: Bootstrap v3.4.0 See the upstream blog post for a detailed overview.

v3.3.6

• Bumps Sass dependency to 3.3.4+ to avoid compatibility issues with @​at-root.
• Bumps node-sass dependency to ~3.4.2 for Node.js v5 compatibility. #986
• Fixes breadcrumb content issues on libsass. #919
• Fixes a Rails 5 compatibility issue. #965

Framework version: Bootstrap v3.3.6 See the upstream blog post for style and JavaScript changes.

v3.3.5

Fix for standalone Compass extension compatibility. #914

Framework version: Bootstrap v3.3.5

• Blog post.
• Upstream release notes.

v3.3.4

No Sass-specific changes.

Framework version: Bootstrap v3.3.4.

The Ruby gem was originally released as v3.3.4, but has been re-released as v3.3.4.1 due to a file permissions issue. Non-rubygem releases are not affected.

• Blog post.
• Upstream release notes.

v3.3.3

Released on 2015-01-19. This is a re-packaged release of v3.3.2.1 (v3.3.2+1). It includes the Sass-specific Glyphicons regression fix (daeb43dcc7b0ab06328acaca0549ee68c039aaa6) from v3.3.2.1.

bootstrap-sass versions will be strictly SemVer from now on. The PATCH version may be ahead of the upstream twbs/bootstrap version due to Sass-specific fixes. To avoid confusion, there is not, and will never be, an upstream Bootstrap v3.3.3.

... (truncated)

Changelog

Sourced from bootstrap-sass's changelog.

Changelog

3.4.3 (non-ruby only)

• Fix malformed math.div expressions. #1225

3.4.2 (non-ruby only)

• Compatibility with Sass 1.33. #1221

3.4.0

• Bootstrap rubygem now depends on SassC instead of Sass.
• Compass no longer supported.

3.3.7

• Allows jQuery 3.x in bower.json. #1048
• Adds the style and sass fields to package.json. #1045
• Adds Eyeglass support. #1007

3.3.6

• Bumps Sass dependency to 3.3.4+ to avoid compatibility issues with @​at-root.
• Bumps node-sass dependency to ~3.4.2 for Node.js v5 compatibility. #986
• Fixes breadcrumb content issues on libsass. #919
• Fixes a Rails 5 compatibility issue. #965

Framework version: Bootstrap v3.3.6

3.3.5

Fix for standalone Compass extension compatibility. #914

Framework version: Bootstrap v3.3.5

3.3.4

No Sass-specific changes.

Framework version: Bootstrap v3.3.4

3.3.3

This is a re-packaged release of 3.3.2.1 (v3.3.2+1).

Versions are now strictly semver. The PATCH version may be ahead of the upstream.

Framework version: Bootstrap v3.3.2.

... (truncated)

Commits

• b34765d Rakefile: require 'bundler/gem_tasks'
• 143aa6a Bump bootstrap-sass to 3.4.1
• 69157ce rake convert[v3.4.1]
• bb7dbf8 v3.4.0
• 3c126b3 Revert relative imports change
• dcdef9b Test Rails app: Depend on sassc-rails
• cd1542b rake convert[v3.4.0]
• 07b9b64 less_conversion.rb: Update stylelint comment removal
• 6634d0a Remove compass support
• 489b6f2 lotus -> hanami
• Additional commits viewable in compare view

Updates twitter-bootstrap-rails from 2.1.1 to 5.1.0

Changelog

Sourced from twitter-bootstrap-rails's changelog.

... (truncated)

Commits

• See full diff in compare view

Updates actionmailer from 3.2.7 to 8.1.2

Release notes

Sourced from actionmailer's releases.

8.1.2

Active Support

• Make delegate and delegate_missing_to work in BasicObject subclasses.

  Rafael Mendonça França

• Fix Inflectors when using a locale that fallbacks to :en.

  Said Kaldybaev

• Fix ActiveSupport::TimeWithZone#as_json to consistently return UTF-8 strings.

  Previously the returned string would sometime be encoded in US-ASCII, which in some cases may be problematic.

  Now the method consistently always return UTF-8 strings.

  Jean Boussier

• Fix TimeWithZone#xmlschema when wrapping a DateTime instance in local time.

  Previously it would return an invalid time.

  Dmytro Rymar

• Implement LocalCache strategy on ActiveSupport::Cache::MemoryStore. The memory store needs to respond to the same interface as other cache stores (e.g. ActiveSupport::NullStore).

  Mikey Gough

• Fix ActiveSupport::Inflector.humanize with international characters.

  ActiveSupport::Inflector.humanize("áÉÍÓÚ")  # => "Áéíóú"
  ActiveSupport::Inflector.humanize("аБВГДЕ") # => "Абвгде"

  Jose Luis Duran

Active Model

• No changes.

Active Record

• Fix counting cached queries in ActiveRecord::RuntimeRegistry.

... (truncated)

Changelog

Sourced from actionmailer's changelog.

Rails 8.1.2 (January 08, 2026)

• No changes.

Rails 8.1.1 (October 28, 2025)

• No changes.

Rails 8.1.0 (October 22, 2025)

• Add structured events for Action Mailer:

  • action_mailer.delivered
  • action_mailer.processed

  Gannon McGibbon

• Add deliver_all_later to enqueue multiple emails at once.

  user_emails = User.all.map { |user| Notifier.welcome(user) }
  ActionMailer.deliver_all_later(user_emails)
  use a custom queue
  ActionMailer.deliver_all_later(user_emails, queue: :my_queue)

  This can greatly reduce the number of round-trips to the queue datastore. For queue adapters that do not implement the enqueue_all method, we fall back to enqueuing email jobs indvidually.

  fatkodima

Please check 8-0-stable for previous changes.

Commits

• d7c8ae6 Preparing for 8.1.2 release
• dc94813 Merge pull request #56050 from jclusso/fix-stylesheet-tag-nonce-mailer
• 90a1eaa Preparing for 8.1.1 release
• df9f432 Allow methods starting with underscore to be action methods.
• 53c4ed8 Merge pull request #55973 from rails/fix-ci
• f77a1c3 Require 'rails' at the top of railltie files to ensure Rails is loaded first
• 1cdd190 Preparing for 8.1.0 release
• 1ace683 Preparing for 8.1.0.rc1 release
• d6f9f62 Make the Structured Event Subscriber emit events in format that are useful fo...
• d2518fa Merge pull request #55748 from Shopify/event_with_debug_helper
• Additional commits viewable in compare view

Updates actionpack from 3.2.7 to 8.1.2

Release notes

Sourced from actionpack's releases.

8.1.2

Active Support

• Make delegate and delegate_missing_to work in BasicObject subclasses.

  Rafael Mendonça França

• Fix Inflectors when using a locale that fallbacks to :en.

  Said Kaldybaev

• Fix ActiveSupport::TimeWithZone#as_json to consistently return UTF-8 strings.

  Previously the returned string would sometime be encoded in US-ASCII, which in some cases may be problematic.

  Now the method consistently always return UTF-8 strings.

  Jean Boussier

• Fix TimeWithZone#xmlschema when wrapping a DateTime instance in local time.

  Previously it would return an invalid time.

  Dmytro Rymar

• Implement LocalCache strategy on ActiveSupport::Cache::MemoryStore. The memory store needs to respond to the same interface as other cache stores (e.g. ActiveSupport::NullStore).

  Mikey Gough

• Fix ActiveSupport::Inflector.humanize with international characters.

  ActiveSupport::Inflector.humanize("áÉÍÓÚ")  # => "Áéíóú"
  ActiveSupport::Inflector.humanize("аБВГДЕ") # => "Абвгде"

  Jose Luis Duran

Active Model

• No changes.

Active Record

• Fix counting cached queries in ActiveRecord::RuntimeRegistry.

... (truncated)

Changelog

Sourced from actionpack's changelog.

Rails 8.1.2 (January 08, 2026)

• Add config.action_controller.live_streaming_excluded_keys to control execution state sharing in ActionController::Live.

  When using ActionController::Live, actions are executed in a separate thread that shares state from the parent thread. This new configuration allows applications to opt-out specific state keys that should not be shared.

  This is useful when streaming inside a connected_to block, where you may want the streaming thread to use its own database connection context.

  # config/application.rb
  config.action_controller.live_streaming_excluded_keys = [:active_record_connected_to_stack]

  By default, all keys are shared.

  Eileen M. Uchitelle

• Fix IpSpoofAttackError message to include Forwarded header content.

  Without it, the error message may be misleading.

  zzak

Rails 8.1.1 (October 28, 2025)

• Allow methods starting with underscore to be action methods.

  Disallowing methods starting with an underscore from being action methods was an unintended side effect of the performance optimization in 207a254.

  Fixes #55985.

  Rafael Mendonça França

Rails 8.1.0 (October 22, 2025)

• Submit test requests using as: :html with Content-Type: x-www-form-urlencoded

  Sean Doyle

• Add link-local IP ranges to ActionDispatch::RemoteIp default proxies.

  Link-local addresses (169.254.0.0/16 for IPv4 and fe80::/10 for IPv6) are now included in the default trusted proxy list, similar to private IP ranges.

... (truncated)

Commits

• d7c8ae6 Preparing for 8.1.2 release
• df98a0d Merge pull request #56440 from zzak/ac-live-streaming-keys-typo
• 0f8014a [8-1-stable] Minitest 6 support
• 991ccf3 Merge pull request #56393 from rails/add-exclude-keys-to-live-controller
• 662609d Merge pull request #56252 from callmesangio/fix-testing-docs
• 81dca9c Merge pull request #56285 from markokajzer/main
• c98c994 Merge pull request #56256 from zzak/re-56186
• 4388688 Fix redirect_test leaking subscription state
• 13589db Fix dependency on Rails constant
• 27e709a Merge pull request #56059 from Shopify/hm-zpvonttrlztqnryl
• Additional commits viewable in compare view

Updates activerecord from 3.2.7 to 8.1.2

Release notes

Sourced from activerecord's releases.

8.1.2

Active Support

• Make delegate and delegate_missing_to work in BasicObject subclasses.

  Rafael Mendonça França

• Fix Inflectors when using a locale that fallbacks to :en.

  Said Kaldybaev

• Fix ActiveSupport::TimeWithZone#as_json to consistently return UTF-8 strings.

  Previously the returned string would sometime be encoded in US-ASCII, which in some cases may be problematic.

  Now the method consistently always return UTF-8 strings.

  Jean Boussier

• Fix TimeWithZone#xmlschema when wrapping a DateTime instance in local time.

  Previously it would return an invalid time.

  Dmytro Rymar

• Implement LocalCache strategy on ActiveSupport::Cache::MemoryStore. The memory store needs to respond to the same interface as other cache stores (e.g. ActiveSupport::NullStore).

  Mikey Gough

• Fix ActiveSupport::Inflector.humanize with international characters.

  ActiveSupport::Inflector.humanize("áÉÍÓÚ")  # => "Áéíóú"
  ActiveSupport::Inflector.humanize("аБВГДЕ") # => "Абвгде"

  Jose Luis Duran

Active Model

• No changes.

Active Record

• Fix counting cached queries in ActiveRecord::RuntimeRegistry.

... (truncated)

Changelog

Sourced from activerecord's changelog.

Rails 8.1.2 (January 08, 2026)

• Fix counting cached queries in ActiveRecord::RuntimeRegistry.

  fatkodima

• Fix merging relations with arel equality predicates with null relations.

  fatkodima

• Fix SQLite3 schema dump for non-autoincrement integer primary keys.

  Previously, schema.rb should incorrectly restore that table with an auto incrementing primary key.

  Chris Hasiński

• Fix PostgreSQL schema_search_path not being reapplied after reset! or reconnect!.

  The schema_search_path configured in database.yml is now correctly reapplied instead of falling back to PostgreSQL defaults.

  Tobias Egli

• Restore the ability of enum to be foats.

  enum :rating, { low: 0.0, medium: 0.5, high: 1.0 },

  In Rails 8.1.0, enum values are eagerly validated, and floats weren't expected.

  Said Kaldybaev

• Ensure batched preloaded associations accounts for klass when grouping to avoid issues with STI.

  zzak, Stjepan Hadjic

• Fix ActiveRecord::SoleRecordExceeded#record to return the relation.

  This was the case until Rails 7.2, but starting from 8.0 it started mistakenly returning the model class.

  Jean Boussier

• Improve PostgreSQLAdapter resilience to Timeout.timeout.

  Better handle asynchronous exceptions being thrown inside the reconnect! method.

... (truncated)

Commits

• d7c8ae6 Preparing for 8.1.2 release
• 3ea2701 CHANGELOG sync
• 53e82ef Merge pull request #56534 from khasinski/fix-sqlite3-schema-dump-default-nil
• adcface Fix PostgreSQL schema_search_path after reconnect and reset
• 13952d5 Merge pull request #56447 from Saidbek/fix-enum-float-values-support
• 642baed Merge pull request #56482 from fatkodima/fix-merge-arel-equality-and-null
• 49a1f72 Merge pull request #56415 from zzak/re-56047
• 1b2a755 Fix CI rerun command for active record tests
• 186d51e Merge pull request #56304 from fatkodima/fix-dumping-views-indexes
• 7acf8b3 Merge pull request #56287 from byroot/fix-sole-error-record
• Additional commits viewable in compare view

Updates activesupport from 3.2.7 to 8.1.2

Release notes

Sourced from activesupport's releases.

8.1.2

Active Support

• Make delegate and delegate_missing_to work in BasicObject subclasses.

  Rafael Mendonça França

• Fix Inflectors when using a locale that fallbacks to :en.

  Said Kaldybaev

• Fix ActiveSupport::TimeWithZone#as_json to consistently return UTF-8 strings.

  Previously the returned string would sometime be encoded in US-ASCII, which in some cases may be problematic.

  Now the method consistently always return UTF-8 strings.

  Jean Boussier

• Fix TimeWithZone#xmlschema when wrapping a DateTime instance in local time.

  Previously it would return an invalid time.

  Dmytro Rymar

• Implement LocalCache strategy on ActiveSupport::Cache::MemoryStore. The memory store needs to respond to the same interface as other cache stores (e.g. ActiveSupport::NullStore).

  Mikey Gough

• Fix ActiveSupport::Inflector.humanize with international characters.

  ActiveSupport::Inflector.humanize("áÉÍÓÚ")  # => "Áéíóú"
  ActiveSupport::Inflector.humanize("аБВГДЕ") # => "Абвгде"

  Jose Luis Duran

Active Model

• No changes.

Active Record

• Fix counting cached queries in ActiveRecord::RuntimeRegistry.

... (truncated)

Changelog

Sourced from activesupport's changelog.

Rails 8.1.2 (January 08, 2026)

• Make delegate and delegate_missing_to work in BasicObject subclasses.

  Rafael Mendonça França

• Fix Inflectors when using a locale that fallbacks to :en.

  Said Kaldybaev

• Fix ActiveSupport::TimeWithZone#as_json to consistently return UTF-8 strings.

  Previously the returned string would sometime be encoded in US-ASCII, which in some cases may be problematic.

  Now the method consistently always return UTF-8 strings.

  Jean Boussier

• Fix TimeWithZone#xmlschema when wrapping a DateTime instance in local time.

  Previously it would return an invalid time.

  Dmytro Rymar

• Implement LocalCache strategy on ActiveSupport::Cache::MemoryStore. The memory store needs to respond to the same interface as other cache stores (e.g. ActiveSupport::NullStore).

  Mikey Gough

• Fix ActiveSupport::Inflector.humanize with international characters.

  ActiveSupport::Inflector.humanize("áÉÍÓÚ")  # => "Áéíóú"
  ActiveSupport::Inflector.humanize("аБВГДЕ") # => "Абвгде"

  Jose Luis Duran

Rails 8.1.1 (October 28, 2025)

• No changes.

Rails 8.1.0 (October 22, 2025)

• Remove deprecated passing a Time object to Time#since.

  Rafael Mendonça França

... (truncated)

Commits

• d7c8ae6 Preparing for 8.1.2 release
• 3ea2701 CHANGELOG sync
• 0f8014a [8-1-stable] Minitest 6 support
• 991ccf3 Merge pull request #56393 from rails/add-exclude-keys-to-live-controller
• c86465f Merge pull request #56353 from rails/rmf-delegation-basic-object
• fce726b Merge pull request #56344 from Saidbek/fix-inflections-fallback-to-en-locale
• efd9bd9 Merge pull request #56324 from jeremyevans/activesupport-uri-require
• 81dca9c Merge pull request #56285 from markokajzer/main
• a5c1af3 Merge pull request #56294 from fatkodima/fix-mem_cache_store-newer-connection...
• 923f8e9 Merge pull request #56292 from fatkodima/fix-redis_cache_store-newer-connecti...
• Additional commits viewable in compare view

Updates addressable from 2.3.2 to 2.8.8

Changelog

Sourced from addressable's changelog.

Addressable 2.8.8

• Replace the unicode.data blob by a ruby constant (#561)
• Allow public_suffix 7 (#558)

#561: sporkmonger/addressable#561 #558: sporkmonger/addressable#558

Addressable 2.8.7

• Allow public_suffix 6 (#535)

#535: sporkmonger/addressable#535

Addressable 2.8.6

• Memoize regexps for common character classes (#524)

#524: sporkmonger/addressable#524

Addressable 2.8.5

• Fix thread safety issue with encoding tables (#515)
• Define URI::NONE as a module to avoid serialization issues (#509)
• Fix YAML serialization (#508)

#508: sporkmonger/addressable#508 #509: sporkmonger/addressable#509 #515: sporkmonger/addressable#515

Addressable 2.8.4

• Restore Addressable::IDNA.unicode_normalize_kc as a deprecated method (#504)

#504: sporkmonger/addressable#504

Addressable 2.8.3

• Fix template expand level 2 hash support for non-string objects (#499, #498)

#499: sporkmonger/addressable#499 #498: sporkmonger/addressable#498

Addressable 2.8.2

• Improve cache hits and JIT friendliness (#486)
• Improve code style and test coverage (#482)
• Ensure reset of deferred validation (#481)
• Resolve normalization differences between IDNA::Native and IDNA::Pure (#408, #492)
• Remove redundant colon in Addressable::URI::CharacterClasses::AUTHORITY regex (#438) (accidentally reverted by #449 merge but added back in #492)

#492: sporkmonger/addressable#492

Addressable 2.8.1

• refactor Addressable::URI.normalize_path to address linter offenses (#430)
• update gemspec to reflect supported Ruby versions (#466, #464, #463)
• compatibility w/ public_suffix 5.x (#466, #465, #460)

... (truncated)

Commits

• 111af8e Update version, gemspec, and CHANGELOG for 2.8.8
• d923a5e Fix heading levels in README and Changelog
• 88f1472 Bump actions/checkout from 5 to 6 (#560)
• 2252813 Replace the unicode.data blob by a ruby constant (#561)
• af2d3f6 Allow public_suffix v7 (#558)
• aaa53fe CI: restore older rubies for public_suffix jobs
• 49fc474 CI: fix profile:template_match_memory task for Ruby >2.7
• c0f98d5 CI: use latest stable ruby outside the version matrix
• 7cb10aa CI: test with modern JVM Rubies
• dd1adcf CI: less ubuntu-22.04, more ubuntu-24.04
• Additional commits viewable in compare view

Updates i18n from 0.6.0 to 1.14.8

Release notes

Sourced from i18n's releases.

v1.14.8

Full Changelog: ruby-i18n/i18n@v1.14.7...v1.14.8

What's Changed

• Remove unused cgi require for Ruby 3.5 compatibility by @​Earlopain in ruby-i18n/i18n#713
• Explicitly require pathname by @​voxik in ruby-i18n/i18n#708
• CI: Add Ruby 3.4 to CI Matrix by @​taketo1113 in ruby-i18n/i18n#722
• Fix: I18n.locale reset in Fiber context by using Thread#thread_variable by @​lee266 in ruby-i18n/i18n#724
• CI: Use actions/checkout@v5 by @​olleolleolle in ruby-i18n/i18n#721
• Fix compatibility with --enable-frozen-string-literal by @​byroot in ruby-i18n/i18n#726

New Contributors

• @​Earlopain made their first contribution in ruby-i18n/i18n#713
• @​taketo1113 made their first contribution in ruby-i18n/i18n#722
• @​lee266 made their first contribution in ruby-i18n/i18n#724
• @​byroot made their first contribution in ruby-i18n/i18n#726

Full Changelog: ruby-i18n/i18n@v1.14.7...v1.14.8

v1.14.7

What's Changed

• Ruby 3.4 Hash#inspect compatibility. by @​voxik in ruby-i18n/i18n#709
• Removed (annoying) post-install message that was triggering on all Rubies, rather than the specified versions.

Full Changelog: ruby-i18n/i18n@v1.14.6...v1.14.7

v1.14.6

What's Changed

Ruby < 3.2 support will be dropped April 2025. Upgrade now to continue using i18n after that date.

• fix issues with RDoc generation by @​davetron5000 in ruby-i18n/i18n#698
• Fix loading of .rb locale files when load_path is not a string by @​stevegeek in ruby-i18n/i18n#701
• Fixes strings being interpolated multiple times by @​alexpls in ruby-i18n/i18n#699
• Optimize pluralization logic in test data by @​zachmargolis in ruby-i18n/i18n#697
• [FIX] Raise ArgumentError on nil key in exists? by @​KinWang-2013 in ruby-i18n/i18n#696

New Contributors

• @​davetron5000 made their first contribution in ruby-i18n/i18n#698
• @​stevegeek made their first contribution in ruby-i18n/i18n#701
• @​alexpls made their first contribution in ruby-i18n/i18n#699
• @​zachmargolis made their first contribution in ruby-i18n/i18n#697
• @​KinWang-2013 made their first contribution in ruby-i18n/i18n#696

Full Changelog: ruby-i18n/i18n@v1.14.5...v1.14.6

v1.14.5

... (truncated)

Commits

• f2fb6a5 Bump to 1.14.9
• ef62253 Merge pull request #726 from byroot/fstr-compat
• 0022013 Merge branch 'master' into fstr-compat
• dee96b6 Remove testing for EOL Rubies 3.1 + 3.0
• c6873f9 Merge remote-tracking branch 'olleolleolle/patch-1'
• 2134338 Merge pull request #724 from lee266/fix/i18n-locale-thread-variable
• 3f9ae64 Fix compatibility with --enable-frozen-string-literal
• d64a88d Merge pull request #722 from taketo1113/ci-ruby-3.4
• 0e5484f CI: Fix rails version specification in gemfiles to run with the specified min...
• 960ab2b CI: Add ruby 3.4 to CI Matrix
• Additional commits viewable in compare view

Updates nokogiri from 1.5.5 to 1.19.0

Release notes

Sourced from nokogiri's releases.

v1.19.0 / 2025-12-28

Ruby

This release is focused on changes to Ruby version support, and is otherwise functionally identical to v1.18.10.

• Introduce native gem support for Ruby 4.0. #3590
• End support for Ruby 3.1, for which upstream support ended 2025-03-26.
• End support for JRuby 9.4 (which targets Ruby 3.1 compatibility).

11a97ecc3c0e7e5edcf395720b10860ef493b768f6aa80c539573530bc933767  nokogiri-1.19.0-aarch64-linux-gnu.gem
eb70507f5e01bc23dad9b8dbec2b36ad0e61d227b42d292835020ff754fb7ba9  nokogiri-1.19.0-aarch64-linux-musl.gem
572a259026b2c8b7c161fdb6469fa2d0edd2b61cd599db4bbda93289abefbfe5  nokogiri-1.19.0-arm-linux-gnu.gem
23ed90922f1a38aed555d3de4d058e90850c731c5b756d191b3dc8055948e73c  nokogiri-1.19.0-arm-linux-musl.gem
0811dfd936d5f6dd3f6d32ef790568bf29b2b7bead9ba68866847b33c9cf5810  nokogiri-1.19.0-arm64-darwin.gem
5f3a70e252be641d8a4099f7fb4cc25c81c632cb594eec9b4b8f2ca8be4374f3  nokogiri-1.19.0-java.gem
05d7ed2d95731edc9bef2811522dc396df3e476ef0d9c76793a9fca81cab056b  nokogiri-1.19.0-x64-mingw-ucrt.gem
1dad56220b603a8edb9750cd95798bffa2b8dd9dd9aa47f664009ee5b43e3067  nokogiri-1.19.0-x86_64-darwin.gem
f482b95c713d60031d48c44ce14562f8d2ce31e3a9e8dd0ccb131e9e5a68b58c  nokogiri-1.19.0-x86_64-linux-gnu.gem
1c4ca6b381622420073ce6043443af1d321e8ed93cc18b08e2666e5bd02ffae4  nokogiri-1.19.0-x86_64-linux-musl.gem
e304d21865f62518e04f2bf59f93bd3a97ca7b07e7f03952946d8e1c05f45695  nokogiri-1.19.0.gem

v1.18.10 / 2025-09-15

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.13.9. Note that the security fixes published in v2.13.9 were already present in Nokogiri v1.18.9.
• [CRuby] [Windows and MacOS] Vendored libiconv is updated to v1.18

7fb87235d729c74a2be635376d82b1d459230cc17c50300f8e4fcaabc6195344  nokogiri-1.18.10-aarch64-linux-gnu.gem
7e74e58314297cc8a8f1b533f7212d1999dbe2639a9ee6d97b483ea2acc18944  nokogiri-1.18.10-aarch64-linux-musl.gem
51f4f25ab5d5ba1012d6b16aad96b840a10b067b93f35af6a55a2c104a7ee322  nokogiri-1.18.10-arm-linux-gnu.gem
1c6ea754e51cecc85c30ee8ab1e6aa4ce6b6e134d01717e9290e79374a9e00aa  nokogiri-1.18.10-arm-linux-musl.gem
c2b0de30770f50b92c9323fa34a4e1cf5a0af322afcacd239cd66ee1c1b22c85  nokogiri-1.18.10-arm64-darwin.gem
cd431a09c45d84a2f870ba0b7e8f571199b3727d530f2b4888a73639f76510b5  nokogiri-1.18.10-java.gem
64f40d4a41af9f7f83a4e236ad0cf8cca621b97e31f727b1bebdae565a653104  nokogiri-1.18.10-x64-mingw-ucrt.gem
536e74bed6db2b5076769cab5e5f5af0cd1dccbbd75f1b3e1fa69d1f5c2d79e2  nokogiri-1.18.10-x86_64-darwin.gem
ff5ba26ba2dbce5c04b9ea200777fd225061d7a3930548806f31db907e500f72  nokogiri-1.18.10-x86_64-linux-gnu.gem
0651fccf8c2ebbc2475c8b1dfd7ccac3a0a6d09f8a41b72db8c21808cb483385  nokogiri-1.18.10-x86_64-linux-musl.gem
d5cc0731008aa3b3a87b361203ea3d19b2069628cb55e46ac7d84a0445e69cc1  nokogiri-1.18.10.gem
</tr></table> 

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.19.0 / 2025-12-28

Ruby

This release is focused on changes to Ruby version support, and is otherwise functionally identical to v1.18.10.

• Introduce native gem support for Ruby 4.0. #3590
• End support for Ruby 3.1, for which upstream support ended 2025-03-26.
• End support for JRuby 9.4 (which targets Ruby 3.1 compatibility).

v1.18.10 / 2025-09-15

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.13.9. Note that the security fixes published in v2.13.9 were already present in Nokogiri v1.18.9.
• [CRuby] [Windows and MacOS] Vendored libiconv is updated to v1.18

v1.18.9 / 2025-07-20

Security

• [CRuby] Applied upstream libxml2 patches to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796. See GHSA-353f-x4gh-cqq8 for more information.

v1.18.8 / 2025-04-21

Security

• [CRuby] Vendored libxml2 is updated to v2.13.8 to address CVE-2025-32414 and CVE-2025-32415. See GHSA-5w6v-399v-w3cc for more information.

v1.18.7 / 2025-03-31

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.13.7, which is a bugfix release.

v1.18.6 / 2025-03-24

Fixed

• [JRuby] In HTML documents, Node#attribute now returns the correct attribute. This has been broken, and returning nil, since v1.17.0. (#3487) @​flavorjones

v1.18.5 / 2025-03-19

Fixed

... (truncated)

Commits

• d77bfb6 version bump to v1.19.0
• 1eb5c2c dev: convert scripts/test-gem-set to use mise
• 88a120f dep: Add native Ruby 4 support, drop Ruby 3.1 support (v1.19.x) (#3592)
• f8c8f74 Skip the parser compression test for Windows system libs
• e91c0fc ci: temporarily pin to setup-ruby with windows ruby 4
• 1b08acc dep: update to minitest 6
• 404487d dep: require JRuby >= 10.0
• 19b22ea dep: add support for native Ruby 4.0 gem
• ec57d11 ci: bump versions in CI images
• f7b640f ci: avoid bundler collisions in downstream tests
• Additional commits viewable in compare view

Updates rack from 1.4.1 to 3.2.4

Release notes

Sourced from rack's releases.

v3.2.4

No release notes provided.

v3.0.9.1

What's Changed

• Fixed ReDoS in Accept header parsing [CVE-2024-26146]
• Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
• Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: rack/rack@v3.0.9...v3.0.9.1

v3.0.9

What's Changed

• Fix content-length calcuation in Rack:Response#write #2150

Full Changelog: rack/rack@v3.0.8...v3.0.9

v3.0.8

What's Changed

• Backport "Fix some unused variable verbose warnings" by @​skipkayhil in rack/rack#2084

New Contributors

• @​skipkayhil made their first contribution in rack/rack#2084

Full Changelog: rack/rack@v3.0.7...v3.0.8

v3.0.7

What's Changed

• Backport "Make query parameters without = have nil values". by @​jeremyevans in rack/rack#2060

Full Changelog: rack/rack@v3.0.6.1...v3.0.7

v3.0.6.1

No release notes provided.

v3.0.4.1

Full Changelog: rack/rack@v3.0.4...v3.0.4.1

v3.0.4

Full Changelog: rack/rack@v3.0.3...v3.0.4

v3.0.3

What's Changed

• Release v3.0.3 by @​ioquatix in rack/rack#2000

Full Changelog: rack/rack@v3.0.2...v3.0.3

... (truncated)

Changelog

Sourced from rack's changelog.

[3.2.4] - 2025-11-03

Fixed

• Multipart parser: limit MIME header size check to the unread buffer region to avoid false multipart mime part header too large errors when previously read data accumulates in the scan buffer. (#2392, @​alpaca-tc, @​willnet, @​krororo)

[3.2.3] - 2025-10-10

SecurityDescription has been truncated