chore(deps): bump the ruby group with 5 updates #1197

Merged
mergify[bot] merged 1 commit into main from dependabot/bundler/ruby-b89c4e581c
Jun 29, 2026

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026


Bumps the ruby group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| html2rss | 510ba84 | b613d83 |
| async | 2.39.0 | 2.41.0 |
| crass | 1.0.6 | 1.0.7 |
| io-event | 1.16.2 | 1.17.0 |
| json | 2.19.9 | 2.20.0 |

Updates html2rss from 510ba84 to b613d83

Commits
  • b613d83 chore(release): bump version to v0.22.2 (#399)
  • ea5eed9 fix(request_service): implement remaining time budget across fallback strateg...
  • 5fade88 chore(release): bump version to v0.22.1 (#397)
  • c7e12e0 refactor(extractor): use HtmlNavigator helpers in SemanticAnchorCandidates
  • e626921 perf(auto_source): optimize microdata DOM traversals with parent-pointer walking
  • 4734fb5 fix(auto_source): filter nested candidate containers and prevent list catch-all
  • 80c0cd7 feat: extract and prepend teaser kicker to article title
  • 22f3ba3 feat: reduce dependency on anchor availability in scrape heuristics
  • 4b4b9fe chore(release): bump version to v0.22.0 (#394)
  • 8031b02 feat(auto_source): add generic class-clustering fallback for anchorless pages...
  • Additional commits viewable in compare view

Updates async from 2.39.0 to 2.41.0

Release notes

Sourced from async's releases.

v2.41.0

  • Fixed: Protect initial task from Interrupt exceptions.

v2.40.0

  • Introduce Async::Condition#waiting_count. This allows you to see how many tasks are currently waiting on the condition, which can be useful for debugging and monitoring purposes.

Updates crass from 1.0.6 to 1.0.7

Release notes

Sourced from crass's releases.

v1.0.7

Security

  • High: Fixed a denial of service vulnerability in which a large numeric exponent could consume disproportionate CPU and memory before the value was clamped. Exponents are now bounded before 10**exponent is computed. (GHSA-6wmf-3r64-vcwv)

  • Moderate: Fixed a scenario in which deeply nested simple blocks or functions could exhaust the Ruby stack and raise SystemStackError, or could result in excessive memory usage. Parser nesting is now limited to a configurable maximum depth via a new option (:maximum_depth, with a conservative default of 25). Constructs nested more deeply are discarded as an :error node with the value "maximum-depth-exceeded". (GHSA-6jxj-px6v-747w)

  • Moderate: Fixed a scenario in which a long run of adjacent comments could exhaust the Ruby stack and raise SystemStackError. Discarded comments are now skipped iteratively rather than recursively. (GHSA-wwpr-jff3-395c)

  • Moderate: Fixed a denial of service vulnerability in which inputs containing many non-ASCII characters could cause excessive CPU usage due to inefficient handling of multi-byte characters during tokenization. (GHSA-8vfg-2r28-hvhj)

Changelog

Sourced from crass's changelog.

1.0.7 (2026-06-25)

Security

  • High: Fixed a denial of service vulnerability in which a large numeric exponent could consume disproportionate CPU and memory before the value was clamped. Exponents are now bounded before 10**exponent is computed. (GHSA-6wmf-3r64-vcwv)

  • Moderate: Fixed a scenario in which deeply nested simple blocks or functions could exhaust the Ruby stack and raise SystemStackError, or could result in excessive memory usage. Parser nesting is now limited to a configurable maximum depth via a new option (:maximum_depth, with a conservative default of 25). Constructs nested more deeply are discarded as an :error node with the value "maximum-depth-exceeded". (GHSA-6jxj-px6v-747w)

  • Moderate: Fixed a scenario in which a long run of adjacent comments could exhaust the Ruby stack and raise SystemStackError. Discarded comments are now skipped iteratively rather than recursively. (GHSA-wwpr-jff3-395c)

  • Moderate: Fixed a denial of service vulnerability in which inputs containing many non-ASCII characters could cause excessive CPU usage due to inefficient handling of multi-byte characters during tokenization. (GHSA-8vfg-2r28-hvhj)

Commits
  • cfd5daa Release 1.0.7
  • da29664 Fix inefficient handling of non-ASCII characters during tokenization
  • 25d78cc Prevent a long run of adjacent comments from exhausting the stack
  • cf68287 Limit recursion depth to prevent stack overflow and memory exhaustion
  • ea6726b Prevent resource exhaustion denial of service via excessively large exponents
  • 2b87347 Bump version to 1.0.7
  • 0d3be20 Update CI workflow dependencies
  • a3cc4f7 Update CI test matrix
  • 846de61 Upgrade minitest and rake
  • b51a88e Merge pull request #18 from stoivo/main
  • Additional commits viewable in compare view

Updates io-event from 1.16.2 to 1.17.0

Release notes

Sourced from io-event's releases.

v1.17.0

  • Report inherited selector objects as closed after fork, and avoid closing descriptors they no longer own.

v1.16.4

  • Correctly implement Interrupt#signal so that it is robust enough to be called by Scheduler#unblock.

v1.16.3

  • Handle IOError raised while shutting down the pure Ruby interrupt pipe, so IO::Event::Interrupt#close does not leak expected shutdown errors from the interrupt fiber.

Updates json from 2.19.9 to 2.20.0

Release notes

Sourced from json's releases.

v2.20.0

What's Changed

  • Both C and Java parsers are no longer recursive, so parsing very deep documents with max_nesting: false will no longer result in SystemStackError stack level too deep errors.
    • The :max_nesting option still defaults to 100.
  • Optimized floating point number parsing further by replacing the ryu algorithm by a port of Eisel-Lemire Fast Float.
  • Added JSON::ResumableParser to parse streams of JSON documents. Not yet available on JRuby.
  • Deprecate default support of JavaScript comments in the parser and add allow_comments: true parsing option.
  • Integrate with Ruby 4.1 ruby_sized_xfree.

Full Changelog: ruby/json@v2.19.8...v2.20.0

Changelog

Sourced from json's changelog.

2026-06-23 (2.20.0)

  • Both C and Java parsers are no longer recursive, so parsing very deep documents with max_nesting: false will no longer result in SystemStackError stack level too deep errors.
    • The :max_nesting option still defaults to 100.
  • Optimized floating point number parsing further by replacing the ryu algorithm by a port of Eisel-Lemire Fast Float.
  • Added JSON::ResumableParser to parse streams of JSON documents. Not yet available on JRuby.
  • Deprecate default support of JavaScript comments in the parser and add allow_comments: true parsing option.
  • Integrate with Ruby 4.1 ruby_sized_xfree.
Commits
  • 1316292 Release 2.20.0
  • 1443265 Remove useless executable bits
  • 532065c Preserve UTF-8 encoding when reallocating a frozen ResumableParser buffer
  • 7c8af4b Update extconf.rb guard to use RUBY_ENGINE_VERSION
  • 2afd1a9 Cleanup the rb_catch_obj workaround
  • 9892514 Simplify parser_config_init
  • b30a8f8 ResumableParser: eagerly drop the buffer when reaching EOS
  • f08c663 ResumableParser: accept only keyword arguments
  • 9d8efcb Workaround TruffleRuby buggy rb_catch_obj implementation
  • 4bd1e9b ResumableParser: use throw rather than raise for handled EOS
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Bumps the ruby group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [html2rss](https://github.com/html2rss/html2rss) | ``510ba84`` | ``b613d83`` |
| [async](https://github.com/socketry/async) | `2.39.0` | `2.41.0` |
| [crass](https://github.com/rgrove/crass) | `1.0.6` | `1.0.7` |
| [io-event](https://github.com/socketry/io-event) | `1.16.2` | `1.17.0` |
| [json](https://github.com/ruby/json) | `2.19.9` | `2.20.0` |


Updates `html2rss` from `510ba84` to `b613d83`
- [Release notes](https://github.com/html2rss/html2rss/releases)
- [Commits](html2rss/html2rss@510ba84...b613d83)

Updates `async` from 2.39.0 to 2.41.0
- [Release notes](https://github.com/socketry/async/releases)
- [Changelog](https://github.com/socketry/async/blob/main/releases.md)
- [Commits](socketry/async@v2.39.0...v2.41.0)

Updates `crass` from 1.0.6 to 1.0.7
- [Release notes](https://github.com/rgrove/crass/releases)
- [Changelog](https://github.com/rgrove/crass/blob/main/HISTORY.md)
- [Commits](rgrove/crass@v1.0.6...v1.0.7)

Updates `io-event` from 1.16.2 to 1.17.0
- [Release notes](https://github.com/socketry/io-event/releases)
- [Changelog](https://github.com/socketry/io-event/blob/main/releases.md)
- [Commits](socketry/io-event@v1.16.2...v1.17.0)

Updates `json` from 2.19.9 to 2.20.0
- [Release notes](https://github.com/ruby/json/releases)
- [Changelog](https://github.com/ruby/json/blob/master/CHANGES.md)
- [Commits](ruby/json@v2.19.9...v2.20.0)

---
updated-dependencies:
- dependency-name: html2rss
  dependency-version: b613d83a81f02e033869ec3513c792c5e6706831
  dependency-type: direct:production
  dependency-group: ruby
- dependency-name: async
  dependency-version: 2.41.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: ruby
- dependency-name: crass
  dependency-version: 1.0.7
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: ruby
- dependency-name: io-event
  dependency-version: 1.17.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: ruby
- dependency-name: json
  dependency-version: 2.20.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: ruby
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code labels Jun 29, 2026
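The crass 1.0.7 notes above describe capping parser nesting at `:maximum_depth` (default 25) and discarding deeper constructs as an `:error` node with the value "maximum-depth-exceeded". The following is an added example of that policy on a toy bracket parser; it is not crass's code and not part of this pull request. The names `parse_blocks`, `consume`, `skip_block` and `tree_depth`, and the exact depth-counting convention, are assumptions made for illustration.

```ruby
# Added illustration: toy parser for nested (), [] and {} blocks; not crass's implementation.
PAIRS = { '(' => ')', '[' => ']', '{' => '}' }.freeze
DEFAULT_MAXIMUM_DEPTH = 25 # default value stated in the crass 1.0.7 notes

# Skips the block opening at pos without recursion; returns the index past its closer.
def skip_block(chars, pos)
  expected = [PAIRS[chars[pos]]]
  pos += 1
  while pos < chars.length && !expected.empty?
    ch = chars[pos]
    if ch == expected.last
      expected.pop
    elsif PAIRS.key?(ch)
      expected.push(PAIRS[ch])
    end
    pos += 1
  end
  pos
end

# Recursive descent whose recursion is bounded by maximum_depth; returns [nodes, next_pos].
def consume(chars, pos, closer, depth, maximum_depth)
  nodes = []
  while pos < chars.length
    ch = chars[pos]
    return [nodes, pos + 1] if ch == closer
    if PAIRS.key?(ch) && depth >= maximum_depth
      pos = skip_block(chars, pos) # too deep: discard the whole construct
      nodes << { node: :error, value: 'maximum-depth-exceeded' }
    elsif PAIRS.key?(ch)
      children, pos = consume(chars, pos + 1, PAIRS[ch], depth + 1, maximum_depth)
      nodes << { node: :simple_block, start: ch, children: children }
    else
      nodes << { node: :text, value: +'' } unless nodes.last && nodes.last[:node] == :text
      nodes.last[:value] << ch
      pos += 1
    end
  end
  [nodes, pos]
end

def parse_blocks(input, maximum_depth: DEFAULT_MAXIMUM_DEPTH)
  consume(input.chars, 0, nil, 0, maximum_depth).first
end

# Depth of the deepest :simple_block kept in the tree.
def tree_depth(nodes)
  nodes.map { |n| n[:node] == :simple_block ? 1 + tree_depth(n[:children]) : 0 }.max || 0
end
```

With the limit in place, the call stack used by `consume` is bounded by `maximum_depth` regardless of input length, and the over-deep remainder is skipped in a loop.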
mergify Bot commented Jun 29, 2026


Queued — the merge queue status continues in this comment ↓.

@mergify mergify Bot added the queued label Jun 29, 2026
mergify Bot commented Jun 29, 2026


Merge Queue Status

This pull request spent 1 minute 33 seconds in the queue, including 1 minute 12 seconds running CI.

Required conditions to merge
  • author=dependabot[bot]
  • base=main
  • status-success=build
  • any of [🛡 GitHub repository ruleset rule main]:
    • check-success = @github-actions/build
    • check-neutral = @github-actions/build
    • check-skipped = @github-actions/build
  • any of [🛡 GitHub repository ruleset rule main]:
    • check-success = @github-actions/lint
    • check-neutral = @github-actions/lint
    • check-skipped = @github-actions/lint

mergify Bot added a commit that referenced this pull request Jun 29, 2026
@mergify mergify Bot merged commit 80cd39a into main Jun 29, 2026
6 checks passed
@mergify mergify Bot deleted the dependabot/bundler/ruby-b89c4e581c branch June 29, 2026 07:16
@mergify mergify Bot removed the queued label Jun 29, 2026