Bump the bundler group across 1 directory with 5 updates

[dependabot]

Bumps the bundler group with 4 updates in the /docs directory: activesupport, addressable, erb and nokogiri.

Updates activesupport from 8.1.1 to 8.1.2.1

Release notes

Sourced from activesupport's releases.

8.1.2.1

Active Support

• Reject scientific notation in NumberConverter

  [CVE-2026-33176]

  Jean Boussier

• Fix SafeBuffer#% to preserve unsafe status

  [CVE-2026-33170]

  Jean Boussier

• Improve performance of NumberToDelimitedConverter

  [CVE-2026-33169]

  Jean Boussier

Active Model

• No changes.

Active Record

• No changes.

Action View

• Skip blank attribute names in tag helpers to avoid generating invalid HTML.

  [CVE-2026-33168]

  Mike Dalessio

Action Pack

• Fix possible XSS in DebugExceptions middleware

  [CVE-2026-33167]

  John Hawthorn

... (truncated)

Changelog

Sourced from activesupport's changelog.

Rails 8.1.2.1 (March 23, 2026)

• Reject scientific notation in NumberConverter

  [CVE-2026-33176]

  Jean Boussier

• Fix SafeBuffer#% to preserve unsafe status

  [CVE-2026-33170]

  Jean Boussier

• Improve performance of NumberToDelimitedConverter

  [CVE-2026-33169]

  Jean Boussier

Rails 8.1.2 (January 08, 2026)

• Make delegate and delegate_missing_to work in BasicObject subclasses.

  Rafael Mendonça França

• Fix Inflectors when using a locale that fallbacks to :en.

  Said Kaldybaev

• Fix ActiveSupport::TimeWithZone#as_json to consistently return UTF-8 strings.

  Previously the returned string would sometime be encoded in US-ASCII, which in some cases may be problematic.

  Now the method consistently always return UTF-8 strings.

  Jean Boussier

• Fix TimeWithZone#xmlschema when wrapping a DateTime instance in local time.

  Previously it would return an invalid time.

  Dmytro Rymar

• Implement LocalCache strategy on ActiveSupport::Cache::MemoryStore. The memory store needs to respond to the same interface as other cache stores (e.g. ActiveSupport::NullStore).

  Mikey Gough

... (truncated)

Commits

• 1db4b89 Preparing for 8.1.2.1 release
• 1c7d1cf Update changelog
• ec1a0e2 Improve performance of NumberToDelimitedConverter
• 50d732a Fix SafeBuffer#% to preserve unsafe status
• 19dbab5 NumberConverter: reject scientific notation
• d7c8ae6 Preparing for 8.1.2 release
• 3ea2701 CHANGELOG sync
• 0f8014a [8-1-stable] Minitest 6 support
• 991ccf3 Merge pull request #56393 from rails/add-exclude-keys-to-live-controller
• c86465f Merge pull request #56353 from rails/rmf-delegation-basic-object
• Additional commits viewable in compare view

Updates addressable from 2.8.8 to 2.9.0

Changelog

Sourced from addressable's changelog.

Addressable 2.9.0

• fixes ReDoS vulnerability in Addressable::Template#match (fixes incomplete remediation in 2.8.10)

Addressable 2.8.10

• fixes ReDoS vulnerability in Addressable::Template#match

Addressable 2.8.9

• Reduce gem size by excluding test files (#569)
• No need for bundler as development dependency (#571, 5fc1d93)
• idna/pure: stop building the useless COMPOSITION_TABLE (removes the Addressable::IDNA::COMPOSITION_TABLE constant) (#564)

#569: sporkmonger/addressable#569 #571: sporkmonger/addressable#571 #564: sporkmonger/addressable#564

Commits

• 0c3e858 Revving version and changelog
• 91915c1 Fixing additional vulnerable paths
• a091e39 Add many more adversarial test cases to ensure we don't have any ReDoS regres...
• 463a819 Regenerate gemspec on newer rubygems
• 0afcb0b Improve from O(n^2) to O(n)
• c87f768 Fix a ReDoS vulnerability in URI template matching
• 0d7e9b2 Fix links for 2.8.9 in CHANGELOG (#573)
• e209120 Update version, gemspec, and CHANGELOG for 2.8.9 (#572)
• 3875874 Reduce gem size by excluding test files (#569)
• 3e57cc6 CI: back to windows-2022 for MRI job
• Additional commits viewable in compare view

Updates erb from 4.0.4 to 4.0.4.1

Changelog

Sourced from erb's changelog.

4.0.4.1

• Prohibit def_method on marshal-loaded ERB instances

Commits

• 6a2e4a7 Version 4.0.4.1
• c3b721f Prohibit def_method on marshal-loaded ERB instances
• See full diff in compare view

Updates json from 2.18.0 to 2.19.5

Release notes

Sourced from json's releases.

v2.19.5

What's Changed

• Cap the parser to emit a maximum of 5 deprecation warnings per document. Emitting more is not helpful.

Full Changelog: ruby/json@v2.19.4...v2.19.5

v2.19.4

What's Changed

• Fix parsing of out of range floats (very large exponents that lead to either 0.0 or Inf).

Full Changelog: ruby/json@v2.19.2...v2.19.4

v2.19.3

• Fix handling of unescaped control characters preceeded by a backslash.

Full Changelog: ruby/json@v2.19.2...v2.19.3

v2.19.2

What's Changed

• Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: ruby/json@v2.19.1...v2.19.2

v2.19.1

What's Changed

• Fix a compiler dependent GC bug introduced in 2.18.0.

Full Changelog: ruby/json@v2.19.0...v2.19.1

v2.19.0

What's Changed

• Fix allow_blank parsing option to no longer allow invalid types (e.g. load([], allow_blank: true) now raise a type error).
• Add allow_invalid_escape parsing option to ignore backslashes that aren't followed by one of the valid escape characters.

Full Changelog: ruby/json@v2.18.1...v2.19.0

v2.18.1

What's Changed

• Fix a potential crash in very specific circumstance if GC triggers during a call to to_json without first invoking a user defined #to_json method.

Full Changelog: ruby/json@v2.18.0...v2.18.1

Changelog

Sourced from json's changelog.

2026-05-04 (2.19.5)

• Cap the parser to emit a maximum of 5 deprecation warnings per document. Emitting more is not helpful.

2026-04-19 (2.19.4)

• Fix parsing of out of range floats (very large exponents that lead to either 0.0 or Inf).

2026-03-25 (2.19.3)

• Fix handling of unescaped control characters preceeded by a backslash.

2026-03-18 (2.19.2)

• Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210.

2026-03-08 (2.19.1)

• Fix a compiler dependent GC bug introduced in 2.18.0.

2026-03-06 (2.19.0)

• Fix allow_blank parsing option to no longer allow invalid types (e.g. load([], allow_blank: true) now raise a type error).
• Add allow_invalid_escape parsing option to ignore backslashes that aren't followed by one of the valid escape characters.

2026-02-03 (2.18.1)

• Fix a potential crash in very specific circumstance if GC triggers during a call to to_json without first invoking a user defined #to_json method.

Commits

• 4a1a4a4 Release 2.19.5
• f6ca597 Avoid spamming too many deprecations while parsing
• fa0671c Test TruffleRuby release in CI for improved stability
• cfbe356 Force ensure_valid_encoding to be inlined.
• 4ef7a45 Use RB_ENC_CODERANGE to first check the cached coderange before calling rb_en...
• 7dd6b63 Fix typo in changelog
• 6688a81 Release 2.19.4
• f1e6163 Fix references to NAN and INFINITY in documentation comments
• 18d5475 Reduce warnings
• 1072482 Fix parsing of negative out of bound floats.
• Additional commits viewable in compare view

Updates nokogiri from 1.18.10 to 1.19.3

Release notes

Sourced from nokogiri's releases.

v1.19.3 / 2026-04-27

Fixed / Security

• Address exponential regex backtracking in CSS selector tokenizer. See GHSA-c4rq-3m3g-8wgx for more information.
• [CRuby] Address memory leak in XSLT::Stylesheet#transform. See GHSA-v2fc-qm4h-8hqv for more information.

46b89e5d7b9e844c2ee360794240c6ea2a4e6fa0c5892a4ed487db621224b639  nokogiri-1.19.3-aarch64-linux-gnu.gem
8392dfdcd21be7a94dbbe9ccc138dea01b97b24cb2dc02a114ca98bfb1d9a0b7  nokogiri-1.19.3-aarch64-linux-musl.gem
3919d5ffc334ad778a4a9eb88fda7dcb8b1fb58c8a52ac640c6dcd2f038e774f  nokogiri-1.19.3-arm-linux-gnu.gem
9ce1cb6346bb9c67b1550eb537aa183ead91e4b6eadb2f36ade02d8dd2a79fb6  nokogiri-1.19.3-arm-linux-musl.gem
71b9bd424b1b7abc18b05052a1a3cfd3627abdca62be280854cc411791357e42  nokogiri-1.19.3-arm64-darwin.gem
40ea6ebf5cf2005dae1dee26dd557d3afb41fb6de6c9764aca8cf06fdb841db1  nokogiri-1.19.3-java.gem
8bb7132cad356c879a1286eaabcb5e68326cb2490317984280fbc62f456d506a  nokogiri-1.19.3-x64-mingw-ucrt.gem
77f3fba57d46c53ab31e62fc6c28f705109d1bf6264356c76f132b2be5728d4d  nokogiri-1.19.3-x86_64-darwin.gem
2f5078620fe12e83669b5b17311b32532a8153d02eee7ad06948b926d6080976  nokogiri-1.19.3-x86_64-linux-gnu.gem
248c906d2166eca5efb56d52fdee5f9a1f51d69a72e2b64fdac647b4ce39ea3f  nokogiri-1.19.3-x86_64-linux-musl.gem
78312cbac32a40c812780d9678221b79d51288eec00054c1a8d15f7ce05960e8  nokogiri-1.19.3.gem

v1.19.2 / 2026-03-19

Dependencies

• [JRuby] Saxon-HE is updated to 12.7, from 9.6.0-4. Saxon-HE is a transitive dependency of nu.validator:jing, and this update addresses CVEs in Saxon-HE's own transitive dependencies JDOM and dom4j. We don't think this warrants a security release, however we're cutting a patch release to help users whose security scanners are flagging this. #3611 @​flavorjones

SHA256 Checksums

c34d5c8208025587554608e98fd88ab125b29c80f9352b821964e9a5d5cfbd19  nokogiri-1.19.2-aarch64-linux-gnu.gem
7f6b4b0202d507326841a4f790294bf75098aef50c7173443812e3ac5cb06515  nokogiri-1.19.2-aarch64-linux-musl.gem
b7fa1139016f3dc850bda1260988f0d749934a939d04ef2da13bec060d7d5081  nokogiri-1.19.2-arm-linux-gnu.gem
61114d44f6742ff72194a1b3020967201e2eb982814778d130f6471c11f9828c  nokogiri-1.19.2-arm-linux-musl.gem
58d8ea2e31a967b843b70487a44c14c8ba1866daa1b9da9be9dbdf1b43dee205  nokogiri-1.19.2-arm64-darwin.gem
e9d67034bc80ca71043040beea8a91be5dc99b662daa38a2bfb361b7a2cc8717  nokogiri-1.19.2-java.gem
8ccf25eea3363a2c7b3f2e173a3400582c633cfead27f805df9a9c56d4852d1a  nokogiri-1.19.2-x64-mingw-ucrt.gem
7d9af11fda72dfaa2961d8c4d5380ca0b51bc389dc5f8d4b859b9644f195e7a4  nokogiri-1.19.2-x86_64-darwin.gem
fa8feca882b73e871a9845f3817a72e9734c8e974bdc4fbad6e4bc6e8076b94f  nokogiri-1.19.2-x86_64-linux-gnu.gem
93128448e61a9383a30baef041bf1f5817e22f297a1d400521e90294445069a8  nokogiri-1.19.2-x86_64-linux-musl.gem
38fdd8b59db3d5ea9e7dfb14702e882b9bf819198d5bf976f17ebce12c481756  nokogiri-1.19.2.gem

Full Changelog: sparklemotion/nokogiri@v1.19.1...v1.19.2

v1.19.1 / 2026-02-16

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.19.3 / 2026-04-27

Fixed / Security

• Address exponential regex backtracking in CSS selector tokenizer. See GHSA-c4rq-3m3g-8wgx for more information.
• [CRuby] Address memory leak in XSLT::Stylesheet#transform. See GHSA-v2fc-qm4h-8hqv for more information.

v1.19.2 / 2026-03-19

Dependencies

• [JRuby] Saxon-HE is updated to 12.7, from 9.6.0-4. Saxon-HE is a transitive dependency of nu.validator:jing, and this update addresses CVEs in Saxon-HE's own transitive dependencies JDOM and dom4j. We don't think this warrants a security release, however we're cutting a patch release to help users whose security scanners are flagging this. #3611 @​flavorjones

v1.19.1 / 2026-02-16

Security

• [CRuby] Address unchecked return value from xmlC14NExecute which was a contributing cause to ruby-saml GHSA-x4h9-gwv3-r4m4. See GHSA-wx95-c6cv-8532 for more information.

v1.19.0 / 2025-12-28

Ruby

This release is focused on changes to Ruby version support, and is otherwise functionally identical to v1.18.10.

• Introduce native gem support for Ruby 4.0. #3590
• End support for Ruby 3.1, for which upstream support ended 2025-03-26.
• End support for JRuby 9.4 (which targets Ruby 3.1 compatibility).

Commits

• c139a3d version bump to v1.19.3
• 7501a63 fix: backtracking in CSS tokenizer rules (v1.19.x backport) (#3627)
• 03e7968 test: skip CSS tokenizer benchmarks on JRuby
• b984b7e fix: ReDoS in CSS tokenizer ident rule
• 0092623 fix: ReDoS in CSS tokenizer STRING rule
• ee17d33 fix: memory leak in XSLT transform (backport to v1.19.x) (#3624)
• ce188a3 doc: update CHANGELOG
• caeaac4 fix: memory leak in XSLT transform
• 25220bf dep(test): test against libxml-ruby v6 (#3618)
• 0caeb21 doc: add security warnings for untrusted XSLT stylesheets
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.