Skip to content

build(deps-dev): bump json from 2.18.1 to 2.19.2#85

Merged
ryancyq merged 1 commit into
mainfrom
dependabot/bundler/json-2.19.2
Mar 30, 2026
Merged

build(deps-dev): bump json from 2.18.1 to 2.19.2#85
ryancyq merged 1 commit into
mainfrom
dependabot/bundler/json-2.19.2

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Mar 19, 2026
edited
Loading

Bumps json from 2.18.1 to 2.19.2.

Release notes

Sourced from json's releases.

v2.19.2

What's Changed

  • Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: ruby/json@v2.19.1...v2.19.2

v2.19.1

What's Changed

  • Fix a compiler dependent GC bug introduced in 2.18.0.

Full Changelog: ruby/json@v2.19.0...v2.19.1

v2.19.0

What's Changed

  • Fix allow_blank parsing option to no longer allow invalid types (e.g. load([], allow_blank: true) now raise a type error).
  • Add allow_invalid_escape parsing option to ignore backslashes that aren't followed by one of the valid escape characters.

Full Changelog: ruby/json@v2.18.1...v2.19.0

Changelog

Sourced from json's changelog.

2026-03-18 (2.19.2)

  • Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210.

2026-03-08 (2.19.1)

  • Fix a compiler dependent GC bug introduced in 2.18.0.

2026-03-06 (2.19.0)

  • Fix allow_blank parsing option to no longer allow invalid types (e.g. load([], allow_blank: true) now raise a type error).
  • Add allow_invalid_escape parsing option to ignore backslashes that aren't followed by one of the valid escape characters.
Commits
  • 54f8a87 Release 2.19.2
  • 393b41c Fix a format string injection vulnerability
  • dbf6bb1 Merge pull request #953 from ruby/dependabot/github_actions/actions/create-gi...
  • 7187315 Bump actions/create-github-app-token from 2 to 3
  • 4a42a04 Release 2.19.1
  • 13689c2 Add missing GC_GUARD in fbuffer_append_str
  • a11acc1 Release 2.19.0
  • 0a4fb79 fbuffer.h: Use size_t over unsigned long
  • a29fcdc Add depth validation to Jruby and TruffleRuby implementations
  • de993aa Reject negative depth; add overflow guards to prevent hang/crash
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code labels Mar 19, 2026
@ryancyq
Copy link
Copy Markdown
Owner

ryancyq commented Mar 30, 2026

@dependabot rebase

@dependabot
build(deps-dev): bump json from 2.18.1 to 2.19.2
789a4bc 
Bumps [json](https://github.com/ruby/json) from 2.18.1 to 2.19.2.
- [Release notes](https://github.com/ruby/json/releases)
- [Changelog](https://github.com/ruby/json/blob/master/CHANGES.md)
- [Commits](ruby/json@v2.18.1...v2.19.2)

---
updated-dependencies:
- dependency-name: json
  dependency-version: 2.19.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/bundler/json-2.19.2 branch from 39d01a2 to 789a4bc Compare March 30, 2026 17:45
@ryancyq ryancyq merged commit 6832ce3 into main Mar 30, 2026
33 of 42 checks passed
@ryancyq ryancyq deleted the dependabot/bundler/json-2.19.2 branch March 30, 2026 18:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ryancyq