chore(deps): bump the bundler group across 3 directories with 11 updates

[dependabot]

Bumps the bundler group with 1 update in the /examples/tracing/ruby directory: sinatra.
Bumps the bundler group with 3 updates in the /examples/language-sdk-instrumentation/ruby/rideshare_rails directory: puma, rack and actionmailer.
Bumps the bundler group with 1 update in the /examples/language-sdk-instrumentation/ruby/rideshare directory: sinatra.

Updates sinatra from 4.1.1 to 4.2.0

Changelog

Sourced from sinatra's changelog.

4.2.0 / 2025-10-08

• New: Add :static_headers setting for custom headers in static file responses (#2089)
• Fix: Fix regex in etag_matches? to prevent ReDoS (#2121)
• Fix: PATH_INFO can never be empty (#2114)
• Fix: Fix malformed Content-Type headers (#2081)
• Fix: Avoid crash for integer values in content_type parameters (#2078)

Commits

• f2ad45f 4.2.0 release (#2122)
• 3fe8c38 Fix regex in etag_matches? to prevent ReDoS (#2121)
• fa99a21 PATH_INFO can never be empty. (#2114)
• ea0d3fa Skip broken tests. (#2115)
• 5e15985 Sync changelog for v4.0.1
• 91cfb54 Add :static_headers setting for custom headers in static file responses (#2089)
• c918134 Set rubygems_mfa_required for the sinatra gem (#2087)
• ac3ff23 README: Remove duplicate mention of installing puma (#2091)
• cfcc70d CI: don't use Rack::Lint on invalid hostname (#2086)
• c235249 CI: Test with Ruby 3.4 (#2083)
• Additional commits viewable in compare view

Updates rack from 3.1.16 to 3.2.4

Changelog

Sourced from rack's changelog.

[2.2.20] - 2025-10-10

Security

• CVE-2025-61780 Improper handling of headers in Rack::Sendfile may allow proxy bypass.
• CVE-2025-61919 Unbounded read in Rack::Request form parsing can lead to memory exhaustion.

[2.2.19] - 2025-10-07

Security

• CVE-2025-61772 Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
• CVE-2025-61771 Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
• CVE-2025-61770 Unbounded multipart preamble buffering enables DoS (memory exhaustion)

[2.2.18] - 2025-09-25

Security

• CVE-2025-59830 Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion via semicolon-separated parameters.

[2.2.17] - 2025-06-03

• Backport Rack::MediaType#params now handles parameters without values. (#2263, @​AllyMarthaJ)

[2.2.16] - 2025-05-22

• Fix incorrect backport of optional CGI::Cookie support. (#2335, [@​jeremyevans])

[2.2.15] - 2025-05-18

• Optional support for CGI::Cookie if not available. (#2327, #2333, [@​earlopain])

[2.2.14] - 2025-05-06

⚠️ This release includes a security fix that may cause certain routes in previously working applications to fail if query parameters exceed 4,096 in count or 4 MB in total size. See rack/rack#2356 for more details.

Security

• CVE-2025-46727 Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion.

[2.2.13] - 2025-03-11

Security

• CVE-2025-27610 Local file inclusion in Rack::Static.

[2.2.12] - 2025-03-04

Security

... (truncated)

Commits

• 6ef5915 Bump patch version.
• 4e2c903 Unbounded read in Rack::Request form parsing can lead to memory exhaustion.
• fba2c8b Improper handling of proxy headers in Rack::Sendfile may allow proxy bypass.
• ed3d834 Normalize adivsories links.
• 4c4ea29 Bump patch version.
• c370dcd Limit amount of retained data when parsing multipart requests
• d869fed Fix denial of service vulnerbilties in multipart parsing
• 0f76d43 Bump patch version.
• 493a411 Fix thin integration.
• 54e4ffd Unbounded parameter parsing in Rack::QueryParser.
• Additional commits viewable in compare view

Updates puma from 5.6.8 to 5.6.9

Changelog

Sourced from puma's changelog.

5.6.9 / 2024-09-19

• Security
  • Discards any headers using underscores if the non-underscore version also exists. Without this, an attacker could overwrite values set by intermediate proxies (e.g. X-Forwarded-For). (CVE-2024-45614/GHSA-9hf4-67fc-4vf4)
• JRuby
  • Must use at least Java >= 9 to compile. You can no longer build from source on Java 8.

Commits

• f196b23 Merge commit from fork
• 24eec19 5.6.9
• 3c8e8b0 5.6.9 release note [ci skip]
• See full diff in compare view

Updates rack from 2.2.8.1 to 2.2.20

Changelog

Sourced from rack's changelog.

[2.2.20] - 2025-10-10

Security

• CVE-2025-61780 Improper handling of headers in Rack::Sendfile may allow proxy bypass.
• CVE-2025-61919 Unbounded read in Rack::Request form parsing can lead to memory exhaustion.

[2.2.19] - 2025-10-07

Security

• CVE-2025-61772 Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
• CVE-2025-61771 Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
• CVE-2025-61770 Unbounded multipart preamble buffering enables DoS (memory exhaustion)

[2.2.18] - 2025-09-25

Security

• CVE-2025-59830 Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion via semicolon-separated parameters.

[2.2.17] - 2025-06-03

• Backport Rack::MediaType#params now handles parameters without values. (#2263, @​AllyMarthaJ)

[2.2.16] - 2025-05-22

• Fix incorrect backport of optional CGI::Cookie support. (#2335, [@​jeremyevans])

[2.2.15] - 2025-05-18

• Optional support for CGI::Cookie if not available. (#2327, #2333, [@​earlopain])

[2.2.14] - 2025-05-06

⚠️ This release includes a security fix that may cause certain routes in previously working applications to fail if query parameters exceed 4,096 in count or 4 MB in total size. See rack/rack#2356 for more details.

Security

• CVE-2025-46727 Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion.

[2.2.13] - 2025-03-11

Security

• CVE-2025-27610 Local file inclusion in Rack::Static.

[2.2.12] - 2025-03-04

Security

... (truncated)

Commits

• 6ef5915 Bump patch version.
• 4e2c903 Unbounded read in Rack::Request form parsing can lead to memory exhaustion.
• fba2c8b Improper handling of proxy headers in Rack::Sendfile may allow proxy bypass.
• ed3d834 Normalize adivsories links.
• 4c4ea29 Bump patch version.
• c370dcd Limit amount of retained data when parsing multipart requests
• d869fed Fix denial of service vulnerbilties in multipart parsing
• 0f76d43 Bump patch version.
• 493a411 Fix thin integration.
• 54e4ffd Unbounded parameter parsing in Rack::QueryParser.
• Additional commits viewable in compare view

Updates actionmailer from 7.0.8.1 to 7.0.8.5

Release notes

Sourced from actionmailer's releases.

7.0.8.5

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Avoid regex backtracking in HTTP Token authentication

  [CVE-2024-47887]

• Avoid regex backtracking in query parameter filtering

  [CVE-2024-41128]

Active Job

• No changes.

Action Mailer

• Avoid regex backtracking in block_format helper

  [CVE-2024-47889]

Action Cable

• No changes.

Active Storage

... (truncated)

Commits

• f61f4ef Preparing for 7.0.8.5 release
• d666c96 Update CHANGELOGs
• 30abd6b Merge pull request #52962 from rails/rm-releser
• 0e5694f Avoid backtracking in ActionMailer block_format
• 40d8b92 Merge pull request #51510 from fatkodima/remove-ostruct
• ec7f253 Preparing for 7.0.8.4 release
• f12d5ae update changelog
• 08bc3ce Preparing for 7.0.8.3 release
• 7c8d2a1 Preparing for 7.0.8.2 release
• See full diff in compare view

Updates actionpack from 7.0.8.1 to 7.0.8.5

Release notes

Sourced from actionpack's releases.

7.0.8.5

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Avoid regex backtracking in HTTP Token authentication

  [CVE-2024-47887]

• Avoid regex backtracking in query parameter filtering

  [CVE-2024-41128]

Active Job

• No changes.

Action Mailer

• Avoid regex backtracking in block_format helper

  [CVE-2024-47889]

Action Cable

• No changes.

Active Storage

... (truncated)

Commits

• f61f4ef Preparing for 7.0.8.5 release
• d666c96 Update CHANGELOGs
• 30abd6b Merge pull request #52962 from rails/rm-releser
• b1241f4 Avoid backtracking in filtered_query_string
• 56b2fc3 Avoid backtracking in Token#raw_params
• 40d8b92 Merge pull request #51510 from fatkodima/remove-ostruct
• 6da6af8 Merge pull request #52176 from zzak/7-0-selenium-webdriver
• 67c2813 Merge pull request #52143 from skipkayhil/hm-fix-7-0-stable-ci
• ec7f253 Preparing for 7.0.8.4 release
• f12d5ae update changelog
• Additional commits viewable in compare view

Updates actiontext from 7.0.8.1 to 7.0.8.5

Release notes

Sourced from actiontext's releases.

7.0.8.5

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Avoid regex backtracking in HTTP Token authentication

  [CVE-2024-47887]

• Avoid regex backtracking in query parameter filtering

  [CVE-2024-41128]

Active Job

• No changes.

Action Mailer

• Avoid regex backtracking in block_format helper

  [CVE-2024-47889]

Action Cable

• No changes.

Active Storage

... (truncated)

Commits

• f61f4ef Preparing for 7.0.8.5 release
• d666c96 Update CHANGELOGs
• 30abd6b Merge pull request #52962 from rails/rm-releser
• 727b094 ActionText: Avoid backtracing in plain_text_for_blockquote_node
• ec7f253 Preparing for 7.0.8.4 release
• f12d5ae update changelog
• 08bc3ce Preparing for 7.0.8.3 release
• 73fac32 Keep actiontext depending on trix 1.3.1
• 83e6a75 Merge pull request #51851 from skipkayhil/hm-fix-7-0-trix
• 7c8d2a1 Preparing for 7.0.8.2 release
• Additional commits viewable in compare view

Updates activerecord from 7.0.8.1 to 7.0.8.5

Release notes

Sourced from activerecord's releases.

7.0.8.5

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Avoid regex backtracking in HTTP Token authentication

  [CVE-2024-47887]

• Avoid regex backtracking in query parameter filtering

  [CVE-2024-41128]

Active Job

• No changes.

Action Mailer

• Avoid regex backtracking in block_format helper

  [CVE-2024-47889]

Action Cable

• No changes.

Active Storage

... (truncated)

Commits

• f61f4ef Preparing for 7.0.8.5 release
• 30abd6b Merge pull request #52962 from rails/rm-releser
• 40d8b92 Merge pull request #51510 from fatkodima/remove-ostruct
• 67c2813 Merge pull request #52143 from skipkayhil/hm-fix-7-0-stable-ci
• ec7f253 Preparing for 7.0.8.4 release
• f12d5ae update changelog
• 08bc3ce Preparing for 7.0.8.3 release
• 7c8d2a1 Preparing for 7.0.8.2 release
• See full diff in compare view

Updates activestorage from 7.0.8.1 to 7.0.8.5

Release notes

Sourced from activestorage's releases.

7.0.8.5

Active Support

• No changes.

Active Model

• No changes.

Active Record

• No changes.

Action View

• No changes.

Action Pack

• Avoid regex backtracking in HTTP Token authentication

  [CVE-2024-47887]

• Avoid regex backtracking in query parameter filtering

  [CVE-2024-41128]

Active Job

• No changes.

Action Mailer

• Avoid regex backtracking in block_format helper

  [CVE-2024-47889]

Action Cable

• No changes.

Active Storage

... (truncated)

Commits

• f61f4ef Preparing for 7.0.8.5 release
• 30abd6b Merge pull request #52962 from rails/rm-releser
• 67c2813 Merge pull request #52143 from skipkayhil/hm-fix-7-0-stable-ci
• ec7f253 Preparing for 7.0.8.4 release
• f12d5ae update changelog
• 08bc3ce Preparing for 7.0.8.3 release
• 7c8d2a1 Preparing for 7.0.8.2 release
• See full diff in compare view

Updates net-imap from 0.4.10 to 0.5.12

Release notes

Sourced from net-imap's releases.

v0.5.12

What's Changed

TruffleRuby is not (yet) "officially supported" but it seems to work (with a few small caveats). Several tests are still marked as pending, but the rest all pass. #528 protects us from merging PRs that break TruffleRuby and (in some cases) JRuby.

Fixed

• 🐛 Fix loading of net/imap for JRuby/TruffleRuby by @​nevans in ruby/net-imap#530

Miscellaneous

• ✅ Test overriding inherited ::Data methods by @​nevans in ruby/net-imap#531
• ✅ Add TruffleRuby to CI by @​nevans in ruby/net-imap#528

Full Changelog: ruby/net-imap@v0.5.11...v0.5.12

v0.5.11

What's Changed

Added

• ✨ Add ESearchResult#to_sequence_set by @​nevans in ruby/net-imap#511
• ✨ Add ESearchResult#each by @​nevans in ruby/net-imap#513
• ✨ Add VanishedData#each, delegated to #uids.each_number by @​nevans in ruby/net-imap#522
• support new Ractor.shareable_proc by @​ko1 in ruby/net-imap#525

Fixed

• 🐛 Fix SearchResult#== for LHS with no modseq by @​nevans in ruby/net-imap#514

Other Changes

• ✨ Allow obj.to_sequence_set => nil in try_convert by @​nevans in ruby/net-imap#512
• ♻️ Allow VanishedData#uids to be SequenceSet.empty by @​nevans in ruby/net-imap#517
• 🥅 Raise ArgumentError for #fetch with partial by @​nevans in ruby/net-imap#521

Documentation

• 📚 Fix rdoc call-seq for uid_expunge by @​nevans in ruby/net-imap#516
• 📚 Add QRESYNC to #enable (docs only) by @​nevans in ruby/net-imap#518

Miscellaneous

• ✅ Organize test files by @​nevans in ruby/net-imap#515
• ✅ Fix flaky tests with FakeServer#Connection#close mutex by @​nevans in ruby/net-imap#520
• Bump step-security/harden-runner from 2.13.0 to 2.13.1 by @​dependabot[bot] in ruby/net-imap#524

New Contributors

• @​ko1 made their first contribution in ruby/net-imap#525

Full Changelog: ruby/net-imap@v0.5.10...v0.5.11

v0.5.10

What's Changed

Added

• 🔎 Update SequenceSet#inspect format to Net::IMAP::SequenceSet(#{string}) by @​nevans in ruby/net-imap#501

... (truncated)

Commits

• bab9dfb 🔖 Bump version to 0.5.12
• 4ec0f83 🔀 Merge pull request #528 from ruby/add-truffleruby-to-ci
• ad5eb96 ✅🚧 Run CI with TruffleRuby (experimental for now)
• 50f83b8 ✅🚧 Mark 2 ConnectionState tests as pending for TruffleRuby
• 6d42c16 ✅🚧 Mark 1 ::Data test as pending for TruffleRuby
• 9b9a89c ✅ Add TruffleRuby/JRuby pend/omit test helpers
• c7a6b43 ✅ Skip simplecov for non-CRuby engines
• cb4a646 ✅ Test overriding inherited ::Data methods
• 8c282c0 🐛 Fix loading of Net::IMAP::Config for JRuby
• b97b414 🔖 Bump version to 0.5.11
• Additional commits viewable in compare view

Updates nokogiri from 1.16.2 to 1.18.10

Release notes

Sourced from nokogiri's releases.

v1.18.10 / 2025-09-15

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.13.9. Note that the security fixes published in v2.13.9 were already present in Nokogiri v1.18.9.
• [CRuby] [Windows and MacOS] Vendored libiconv is updated to v1.18

7fb87235d729c74a2be635376d82b1d459230cc17c50300f8e4fcaabc6195344  nokogiri-1.18.10-aarch64-linux-gnu.gem
7e74e58314297cc8a8f1b533f7212d1999dbe2639a9ee6d97b483ea2acc18944  nokogiri-1.18.10-aarch64-linux-musl.gem
51f4f25ab5d5ba1012d6b16aad96b840a10b067b93f35af6a55a2c104a7ee322  nokogiri-1.18.10-arm-linux-gnu.gem
1c6ea754e51cecc85c30ee8ab1e6aa4ce6b6e134d01717e9290e79374a9e00aa  nokogiri-1.18.10-arm-linux-musl.gem
c2b0de30770f50b92c9323fa34a4e1cf5a0af322afcacd239cd66ee1c1b22c85  nokogiri-1.18.10-arm64-darwin.gem
cd431a09c45d84a2f870ba0b7e8f571199b3727d530f2b4888a73639f76510b5  nokogiri-1.18.10-java.gem
64f40d4a41af9f7f83a4e236ad0cf8cca621b97e31f727b1bebdae565a653104  nokogiri-1.18.10-x64-mingw-ucrt.gem
536e74bed6db2b5076769cab5e5f5af0cd1dccbbd75f1b3e1fa69d1f5c2d79e2  nokogiri-1.18.10-x86_64-darwin.gem
ff5ba26ba2dbce5c04b9ea200777fd225061d7a3930548806f31db907e500f72  nokogiri-1.18.10-x86_64-linux-gnu.gem
0651fccf8c2ebbc2475c8b1dfd7ccac3a0a6d09f8a41b72db8c21808cb483385  nokogiri-1.18.10-x86_64-linux-musl.gem
d5cc0731008aa3b3a87b361203ea3d19b2069628cb55e46ac7d84a0445e69cc1  nokogiri-1.18.10.gem

v1.18.9 / 2025-07-20

Security

• [CRuby] Applied upstream libxml2 patches to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796. See GHSA-353f-x4gh-cqq8 for more information.

5bcfdf7aa8d1056a7ad5e52e1adffc64ef53d12d0724fbc6f458a3af1a4b9e32  nokogiri-1.18.9-aarch64-linux-gnu.gem
55e9e6ca46c4ad1715e313f407d8481d15be1e3b65d9f8e52ba1c124d01676a7  nokogiri-1.18.9-aarch64-linux-musl.gem
eea3f1f06463ff6309d3ff5b88033c4948d0da1ab3cc0a3a24f63c4d4a763979  nokogiri-1.18.9-arm64-darwin.gem
fe611ae65880e445a9c0f650d52327db239f3488626df4173c05beafd161d46e  nokogiri-1.18.9-arm-linux-gnu.gem
935605e14c0ba17da18d203922440bf6c0676c602659278d855d4622d756a324  nokogiri-1.18.9-arm-linux-musl.gem
ac5a7d93fd0e3cef388800b037407890882413feccca79eb0272a2715a82fa33  nokogiri-1.18.9.gem
1fe5b7aa4a054eda689a969bb4e03999960a6ea806582d327207d687168bceb5  nokogiri-1.18.9-java.gem
6b4fc1523aa0370c78653e38c94cb50e7f3ab786425de66ba7ad24222c1164a3  nokogiri-1.18.9-x64-mingw-ucrt.gem
e0d2deb03d3d7af8016e8c9df5ff4a7d692159cefb135cbb6a4109f265652348  nokogiri-1.18.9-x86_64-darwin.gem
b52f5defedc53d14f71eeaaf990da66b077e1918a2e13088b6a96d0230f44360  nokogiri-1.18.9-x86_64-linux-gnu.gem
e69359d6240c17e64cc9f43970d54f13bfc7b8cc516b819228f687e953425e69  nokogiri-1.18.9-x86_64-linux-musl.gem

v1.18.8 / 2025-04-21

Security

... (truncated)

Changelog

Sourced from nokogiri's changelog.

v1.18.10 / 2025-09-15

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.13.9. Note that the security fixes published in v2.13.9 were already present in Nokogiri v1.18.9.
• [CRuby] [Windows and MacOS] Vendored libiconv is updated to v1.18

v1.18.9 / 2025-07-20

Security

• [CRuby] Applied upstream libxml2 patches to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796. See GHSA-353f-x4gh-cqq8 for more information.

v1.18.8 / 2025-04-21

Security

• [CRuby] Vendored libxml2 is updated to v2.13.8 to address CVE-2025-32414 and CVE-2025-32415. See GHSA-5w6v-399v-w3cc for more information.

v1.18.7 / 2025-03-31

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.13.7, which is a bugfix release.

v1.18.6 / 2025-03-24

Fixed

• [JRuby] In HTML documents, Node#attribute now returns the correct attribute. This has been broken, and returning nil, since v1.17.0. (#3487) @​flavorjones

v1.18.5 / 2025-03-19

Fixed

• [JRuby] Update JRuby's XML serialization so it outputs namespaces exactly like CRuby. (#3455, #3456) @​johnnyshields

v1.18.4 / 2025-03-14

Security

• [CRuby] Vendored libxslt is updated to v1.1.43 to address CVE-2025-24855 and CVE-2024-55549. See GHSA-mrxw-mxhj-p664 for more information.

... (truncated)

Commits

• 6803740 version bump to v1.18.10
• 93337de dep: bump vendored libxml2 to v2.13.9 (#3555)
• 15dde17 ci: work around repeated bundler deadlocks
• 9906071 dep: bump vendored libxml2 to v2.13.9
• adf72e3 [v1.18.x] backport libiconv upgrade to v1.18 (#3550)
• 92cab09 dep: update vendored libiconv to 1.18
• f1c5ea8 Use mirror site to download libiconv
• dcd2721 ci: stop testing Ruby 3.1 windows source builds
• cf856e6 ci: fix the aarch64 segfault by using a more modern qemu
• 6d77443 Fix errors building Ruby 3.1 on windows
• Additional commits viewable in compare view

Updates rails-html-sanitizer from 1.6.0 to 1.6.2

Release notes

Sourced from rails-html-sanitizer's releases.

v1.6.2 / 2024-12-12

• PermitScrubber fully supports frozen "allowed tags".

  v1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which introduced a regression for applications passing a frozen array of allowed tags. Tags and attributes are now properly copied when they are passed to the scrubber.

  Fixes #195.

  Mike Dalessio

1.6.1 / 2024-12-02

This is a performance and security release which addresses several possible XSS vulnerabilities.

• The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.

  This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).

  Mike Dalessio

• Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content), regardless of the prune: option value. Previously, disallowed tags were "stripped" unless the gem was configured with the prune: true option.

  The CVEs addressed by this change are:

  • CVE-2024-53986 (GHSA-638j-pmjw-jq48)
  • CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)

  Mike Dalessio

• The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags are removed from the allow-list.

  The CVEs addressed by this change are:

  • CVE-2024-53988 (GHSA-cfjx-w229-hgx5)
  • CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)

  Please note that we may restore support for allowing "noscript" in a future release. We do not expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal for these tags.

  Mike Dalessio

... (truncated)

Changelog

Sourced from rails-html-sanitizer's changelog.

v1.6.2 / 2024-12-12

• PermitScrubber fully supports frozen "allowed tags".

  v1.6.1 introduced safety checks that may remove unsafe tags from the allowed list, which introduced a regression for applications passing a frozen array of allowed tags. Tags and attributes are now properly copied when they are passed to the scrubber.

  Fixes #195.

  Mike Dalessio

1.6.1 / 2024-12-02

This is a performance and security release which addresses several possible XSS vulnerabilities.

• The dependency on Nokogiri is updated to v1.15.7 or >=1.16.8.

  This change addresses CVE-2024-53985 (GHSA-w8gc-x259-rc7x).

  Mike Dalessio

• Disallowed tags will be pruned when they appear in foreign content (i.e. SVG or MathML content), regardless of the prune: option value. Previously, disallowed tags were "stripped" unless the gem was configured with the prune: true option.

  The CVEs addressed by this change are:

  • CVE-2024-53986 (GHSA-638j-pmjw-jq48)
  • CVE-2024-53987 (GHSA-2x5m-9ch4-qgrr)

  Mike Dalessio

• The tags "noscript", "mglyph", and "malignmark" will not be allowed, even if explicitly added to the allowlist. If applications try to allow any of these tags, a warning is emitted and the tags are removed from the allow-list.

  The CVEs addressed by this change are:

  • CVE-2024-53988 (GHSA-cfjx-w229-hgx5)
  • CVE-2024-53989 (GHSA-rxv5-gxqc-xx8g)

  Please note that we may restore support for allowing "noscript" in a future release. We do not expect to ever allow "mglyph" or "malignmark", though, especially since browser support is minimal for these tags.

  Mike Dalessio

• Improve performance by eliminating needless operations on attributes that are being removed. #188

... (truncated)

Commits

• 9160d49 version bump to v1.6.2
• 5843d4d fix: PermitScrubber accepts frozen tags
• 5e96b19 version bump to v1.6.1
• 383cc7c doc: update CHANGELOG with assigned CVEs
• a7b0cfe Combine the noscript/mglyph prevention blocks
• 5658335 Merge branch 'h1-2509647-noscript' into flavorjones-2024-security-fixes
• 65fb72f Merge branch 'h1-2519936-mglyph-foster-parenting' into flavorjones-2024-secur...
• 3fe22a8 Merge branch 'h1-2519936-foreign-ns-confusion' into flavorjones-2024-security...
• d7a94c1 Merge branch 'h1-2503220-nokogiri-serialization' into flavorjones-2024-securi...
• 3fd6e65 doc: update CHANGELOG
• Additional commits viewable in compare view

Updates sinatra from 4.1.1 to 4.2.0

Changelog

Sourced from sinatra's changelog.

4.2.0 / 2025-10-08

• New: Add :static_headers setting for custom headers in static file responses (#2089)
• Fix: Fix regex in etag_matches? to prevent ReDoS (#2121)
• Fix: PATH_INFO can never be empty (#2114)
• Fix: Fix malformed Content-Type headers (#2081)
• Fix: Avoid crash for integer values in content_type parameters (#2078)

Commits

• f2ad45f 4.2.0 release (#2122)
• 3fe8c38 Fix regex in etag_matches? to prevent ReDoS (#2121)
• fa99a21 PATH_INFO can never be empty. (#2114)
• ea0d3fa Skip broken tests. (#2115)
• 5e15985 Sync changelog for v4.0.1
• 91cfb54 Add :static_headers setting for custom headers in static file responses (#2089)
• c918134 Set rubygems_mfa_required for the sinatra gem (#2087)
• ac3ff23 README: Remove duplicate mention of installing puma (#2091)
• cfcc70d CI: don't use Rack::Lint on invalid hostname (#2086)
• c235249 CI: Test with Ruby 3.4 (#2083)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.