[ruby] Update gon 7.0.0 → 7.1.0 (minor)

[depfu]

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ gon (7.0.0 → 7.1.0) · Repo · Changelog

Release Notes

7.1.0

What's Changed

• Support both old and new multi_json by @willnet in #305

Full Changelog: v7.0.0...v7.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

• prepare 7.1.0
• Merge pull request #305 from gazay/multi-json
• Support both old and new multi_json

↗️ concurrent-ruby (indirect, 1.3.6 → 1.3.7) · Repo · Changelog

Release Notes

1.3.7

There are 3 security fixes in this release, so updating is recommended.
These security vulnerabilities are not very likely to be hit in practice and have a corresponding Low severity score.

What's Changed

• CVE-2026-54904 AtomicReference#update livelocks when the stored value is Float::NAN. Fix by @joshuay03 and @eregon
• CVE-2026-54905 ReentrantReadWriteLock read-count overflow grants a write lock without exclusivity. Fix by @joshuay03
• CVE-2026-54906 ReadWriteLock allows wrong-thread write release and stray read-release counter corruption. Fix by @joshuay03
• concurrent-ruby-ext: fix build on Darwin 32-bit by @barracuda156 in #1064
• Add SECURITY.md by @eregon in #1104
• Add Ruby 4.0 in CI by @eregon in #1106

New Contributors

• @barracuda156 made their first contribution in #1064

Full Changelog: v1.3.6...v1.3.7

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 14 commits:

• Release 1.3.7
• Fix AtomicReference#update livelock when stored value is Float::NAN on JRuby and TruffleRuby
• Fix `ReentrantReadWriteLock` read hold overflow into write-lock bit
• Fix `AtomicReference#update` livelock when stored value is `Float::NAN`
• Cleanup spec
• Fix `ReadWriteLock` wrong-thread write release and stray read release
• Add Ruby 4.0 in CI
• Add SECURITY.md (#1104)
• Bump actions/upload-pages-artifact from 4 to 5
• Bump actions/deploy-pages from 4 to 5
• concurrent-ruby-ext: fix build on Darwin 32-bit
• Increase max waiting time in ReentrantReadWriteLock specs to avoid transients
• Run the docs workflow when pushing a tag
• Update release post steps

↗️ i18n (indirect, 1.14.8 → 1.15.1) · Repo · Changelog

Release Notes

1.15.1

What's Changed

• Fix feature fiber storage by @YashaVinter in #736
• Ignore Ruby 3.2 + Rails main from the matrix by @radar in #737

New Contributors

• @YashaVinter made their first contribution in #736

Full Changelog: v1.15.0...v1.15.1

1.15.0

What's Changed

• Make lazy loading of I18n translations thread safe ( part 2 ) by @chaadow in #729
• Add support to not replace non-ASCII chars not in map by @sobrinho in #720
• Add transliteration for O with ogonek by @radar in #733
• CI: exclude Ruby 3.2 from rails-main matrix by @radar in #734
• Fiber-aware I18n config storage by @lee266 in #731

New Contributors

• @chaadow made their first contribution in #729
• @sobrinho made their first contribution in #720

Full Changelog: v1.14.8...v1.15.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 23 commits:

• Bump to 1.15.1
• Merge pull request #737 from ruby-i18n/ignore-ruby32-rails-main
• Ignore Ruby 3.2 + Rails main from the matrix
• Merge pull request #736 from YashaVinter/fix-feature-fiber-storage
• Test against Ruby 3.2
• fix https://github.com/ruby-i18n/i18n/issues/735 NoMethodError: undefined method [] for Fiber:Class
• Bump to 1.15.0
• Merge pull request #731 from lee266/feature/fiber-storage
• remove 3.2 builds from ruby.yml
• Merge branch 'master' into feature/fiber-storage
• Support Ruby >= 3.1
• Merge pull request #734 from ruby-i18n/ci-drop-ruby-3.2-rails-main
• Merge pull request #733 from ruby-i18n/transliterate-o-ogonek
• CI: exclude Ruby 3.2 from rails-main matrix
• Merge pull request #720 from sobrinho/sobrinho/add-none-replacement
• Add transliteration for O with ogonek
• feat: require Ruby 3.2+ and simplify Fiber-based config storage
• chore: temp fix
• feat(config): add immutable config updates with freeze
• feat: add owner-based CoW for Fiber-stored config
• feat: add basic Fiber-backed I18n config storage
• Merge pull request #729 from chaadow/patch-1
• Make lazy loading of I18n translations thread safe ( part 2 )

↗️ multi_json (indirect, 1.19.1 → 1.21.1) · Repo · Changelog

Release Notes

1.21.1

Full Changelog: v1.21.0...v1.21.1

1.21.0

Full Changelog: v1.20.1...v1.21.0

1.20.1 (from changelog)

Fixed

• Fix JsonGem#load raising ParseError on ASCII-8BIT strings that contain valid UTF-8 bytes (#64). Ruby HTTP clients tag response bodies as ASCII-8BIT by default; the 1.20.0 change from force_encoding to encode broke the dominant real-world case by trying to transcode each byte individually. Switch back to force_encoding followed by a valid_encoding? guard so genuinely invalid byte sequences still surface as ParseError.

Added

• Validate custom adapters during MultiJson.use and MultiJson.load/dump with an :adapter option, raising MultiJson::AdapterError immediately if the adapter does not respond to .load, .dump, or define a ParseError constant.
• Validate OptionsCache.max_cache_size= to reject nil, zero, negative, and non-integer values with a clear ArgumentError.
• Expand the benchmark suite (benchmark.rb) into a full adapter comparison matrix covering load, dump, and round-trip across small, medium, and large payloads in both object-heavy and array-heavy shapes.

1.20.0 (from changelog)

• Drop the UnannotatedEmptyCollection Steep diagnostic override by inline-annotating Options::EMPTY_OPTIONS with #: options and routing MultiJson.current_adapter's ||= fallback through that constant. Also enable rubocop's Layout/LeadingCommentSpace AllowSteepAnnotation / AllowRBSInlineAnnotation so future inline #: casts don't need a per-line disable.
• Hoist the block_given? check in MutexStore#fetch outside @mutex.synchronize so the no-block read path runs the check once per call instead of inside the critical section.
• Short-circuit Adapter.blank? on inputs that start with { or [ so the dominant JSON object and array load paths skip the blank-pattern regex entirely.
• Drop the (...) argument forwarding in MultiJson::Options#load_options, dump_options, resolve_options, and invoke_callable in favor of explicit *args so the signatures document that they forward positional arguments to a callable provider and nothing else.
• Collapse the five MultiJson::Concurrency.synchronize_* wrapper methods into a single Concurrency.synchronize(name, &block) keyed by symbol, with the mutex catalog in a MUTEXES hash. The synchronization surface is now one method instead of five and adding a new mutex is a one-line entry.
• Walk the superclass chain manually in Adapter.walk_default_options instead of allocating an ancestors array on every call. The dump/load hot path no longer pays for an iteration over the (mostly module) ancestor list when looking up an adapter's defaults.
• Add a # frozen_string_literal: true magic comment to every Ruby file in lib/ and test/, and flip the Style/FrozenStringLiteralComment rubocop cop to EnforcedStyle: always so future files inherit the freeze.
• Include the original exception's class name in MultiJson::AdapterError.build's formatted message so a downstream consumer reading just the wrapped error can distinguish a LoadError from a validator ArgumentError without having to inspect error.cause separately.
• Mark the five MultiJson::Concurrency mutex constants as private_constant and add matching synchronize_* wrapper methods so callers don't reach into the module's internals.
• DRY up lib/multi_json/deprecated.rb with a small deprecate_alias / deprecate_method DSL so adding or removing a deprecation is a one-liner instead of a 4-line copy of the warn-then-delegate template.
• Hoist a shared Gson::Decoder and Gson::Encoder to handle the empty-options case in the JRuby Gson adapter so the dominant MultiJson.load(json) / MultiJson.dump(obj) call path no longer allocates a fresh decoder/encoder per call.
• Memoize the per-adapter ParseError lookup in MultiJson.parse_error_class_for so the constant resolution runs at most once per adapter, instead of on every MultiJson.load call.
• Walk the superclass chain in Adapter.default_load_options / default_dump_options instead of copying the parent's defaults into the subclass at inheritance time, so a parent calling defaults :load, ... after a subclass has been defined now propagates to the subclass.
• Hold @eviction_mutex around ConcurrentStore#reset's @cache.clear so a JRuby fetcher in the middle of its evict-then-insert sequence cannot interleave with a concurrent reset, mirroring MutexStore#reset's mutex usage.
• Collect the five process-wide mutexes that protect MultiJson's lazy initializers and adapter swap into a new MultiJson::Concurrency module so the library's concurrency surface is documented in one place.
• Replace the per-adapter loaded lambdas in AdapterSelector::ADAPTERS with constant name strings, walked through Object.const_defined? directly. The lookup table is half as large and no longer holds six closure objects whose only job was to call defined?.
• Wrap AdapterSelector#default_adapter_excluding in DEFAULT_ADAPTER_MUTEX so concurrent callers can't both walk the detection chain and double-fire fallback_adapter's one-time warning.
• Raise a clear MultiJson::AdapterError when a custom adapter passed to MultiJson.load does not define a ParseError constant, instead of letting the bare NameError from the rescue clause propagate.
• Drop the duplicate Adapter::EMPTY_OPTIONS constant in favor of the MultiJson::Options::EMPTY_OPTIONS it was shadowing.
• Defer the fast_jsonparser adapter's dump-delegate resolution until the first dump call instead of locking it in at file load time. The adapter no longer inherits from another adapter, so loading multi_json/adapters/fast_jsonparser before oj no longer locks the dump path to whichever adapter happened to be available at that moment.
• Make the lazy default_load_options and default_dump_options initializers in MultiJson::Options thread-safe so two threads accessing an adapter's defaults for the first time can't both run the ||= initializer.
• Make AdapterSelector#default_adapter's lazy ||= initializer thread-safe so two threads racing past the unset @default_adapter ivar can't both run detection (and double-emit the fallback warning in the no-adapters-installed branch).
• Wrap MultiJson.use's OptionsCache.reset and @adapter swap in a mutex so two threads calling use concurrently can't interleave their cache reset and adapter assignment.
• Stop relying on Oj::ParseError's ::SyntaxError ancestor when matching exceptions in Oj::ParseError.===. Walk the exception's ancestor chain by class name instead, so a future Oj release that re-parents its error class doesn't silently break our rescue clauses.
• Improve AdapterSelector#load_adapter's error message for unrecognized adapter specs so it names the expected types and shows the offender's inspect output instead of just to_s.
• Validate the value argument in Adapter.defaults so a non-Hash (e.g. defaults :load, "oops") raises ArgumentError at definition time instead of crashing later in the merge path.
• Skip String#scrub in Adapter.blank? when the input is already valid UTF-8 so the common load path no longer allocates a scrubbed copy on every call.
• Move Oj#load's :symbolize_keys translation into a private translate_load_options helper that drops the redundant :symbolize_keys passthrough alongside :symbol_keys, mirroring the cleanup already in JsonGem#load.
• Skip the per-call hash merge in JsonGem#dump when pretty: true is the only option, passing PRETTY_STATE_PROTOTYPE directly.
• Type-check the Yajl, JrJackson, and Gson adapter wrappers under Steep, with stubbed RBS sigs for the underlying libraries living in sig/external_libraries.rbs.
• Unify LOADED_ADAPTER_DETECTORS and REQUIREMENT_MAP in AdapterSelector into a single ADAPTERS source-of-truth so the require path and detection lambda for each adapter live in one place.
• Extract deprecated public API (decode, encode, engine, engine=, default_engine, with_engine, default_options, default_options=, cached_options, reset_cached_options!) into lib/multi_json/deprecated.rb and drop the matching Style/Documentation, Style/ModuleFunction, and Style/OpenStructUse rubocop opt-outs.
• Validate the action argument in Adapter.defaults so a typo (e.g. defaults :encode, ...) raises ArgumentError at definition time instead of silently producing a no-op default.
• Drop the stale ok_json reference from the fast_jsonparser adapter's docstring.
• Remove the MultiJson::REQUIREMENT_MAP legacy alias; the canonical map already lives on MultiJson::AdapterSelector.
• Drop the dead JrJackson dump arity branch (and its SimpleCov filter). JrJackson 0.4.18+ accepts an options hash as the second argument to Json.dump.
• Drop the redundant options.except(:adapter) allocation in JsonGem#dump; Adapter.merged_dump_options already strips :adapter before the cached hash reaches the adapter.
• Forward all merged options through Yajl#load instead of honoring only :symbolize_keys.
• Tighten Adapter.blank? so it scrubs invalid UTF-8 bytes up front instead of swallowing every ArgumentError from the underlying String calls.
• Guard ConcurrentStore eviction against a TOCTOU race so two concurrent JRuby threads cannot both pass the size check and briefly exceed OptionsCache.max_cache_size.
• Synchronize warn_deprecation_once so concurrent fibers and threads cannot race past the membership check and emit the same one-time deprecation warning twice.
• Stop resetting OptionsCache when MultiJson.use raises so a failed use(:nonexistent) no longer discards the cached entries belonging to the still-active previous adapter.
• Stop mutating cached options in JsonGem#load, mirroring the cache-pollution fix already in place for Oj#load.
• Empty the mutant ignore list. The Gson and JrJackson ignores were dead — those adapters ship in the java-platform gem and aren't present when mutant runs on MRI — and Store#reset's mutex wrapper is now directly tested by stubbing Mutex#synchronize.
• Remove the vendored ok_json adapter. The json gem has been a Ruby default gem since 1.9, so an external pure-Ruby fallback is no longer needed on any supported Ruby version. The last-resort fallback when no other JSON library can be loaded is now json_gem. The ConvertibleHashKeys helper module, which only ok_json used, is also removed.
• Surface parse error locations as error.line and error.column on MultiJson::ParseError, extracted from the underlying adapter's message for adapters that include one (Oj, the json gem).
• Make MultiJson::OptionsCache.max_cache_size configurable so applications that generate many distinct option hashes can raise the cache ceiling at runtime.
• Reorganize lib/multi_json.rb into clearer sections and document why both the module_function and singleton-only definition patterns coexist.
• Restructure OptionsCache backend selection so MRI and JRuby execute the same physical require_relative line, restoring JRuby's line coverage threshold to 100%.
• Drop the ALIASES constant in AdapterSelector in favor of an inline check; the only entry, jrjackson → jr_jackson, is now inlined into load_adapter_by_name.
• Document the fast_jsonparser adapter's parent class freeze at file load time.
• Stop mass-requiring adapter gems at the top of adapter_selection_test.rb, which polluted the global require cache and let later tests silently depend on adapters they had not explicitly loaded.
• Restore the mutex around MutexStore#reset for TruffleRuby, where the unguarded clear could race with concurrent fetches in a way the MRI GVL otherwise prevents.
• Fix TestHelpers.yajl? to check the actual yajl-ruby gem name.
• Stop requiring the oj gem from the fast_jsonparser adapter: fast_jsonparser only implements parsing, so the adapter's dump side now inherits from whichever adapter MultiJson would otherwise pick (oj → yajl → jr_jackson → json_gem → gson → ok_json). Users who install fast_jsonparser no longer need to also install oj.
• Split the gem into ruby and java platform variants: the java variant adds concurrent-ruby ~> 1.2 as a runtime dependency and ships the gson and jr_jackson adapters; the ruby variant has no runtime dependencies and ships the MRI-only adapters. Bundler selects the correct variant automatically.
• Drop Oj 2.x compatibility branch: the Oj adapter now requires Oj ~> 3.0.
• Drop support for Ruby 3.0, Ruby 3.1, and JRuby 9.4.
• Add Ruby 4.0 to the CI matrix.
• Make with_adapter overrides fiber-local so concurrent fibers and threads each observe their own adapter without racing on a shared module variable.
• Raise MultiJson::ParseError on invalid UTF-8 in the json_gem adapter instead of silently reinterpreting bytes with force_encoding.
• Warn once for deprecated method aliases: decode, encode, engine, engine=, default_engine, and with_engine now emit a one-time deprecation warning on first call and are scheduled for removal in a future major release.
• Emit deprecation warnings only once per process for default_options, default_options=, cached_options, and reset_cached_options! instead of on every call.
• Document public API methods as @api public so load, dump, use, with_adapter, current_adapter, adapter, load_options, and dump_options appear in generated docs.
• Add YARD documentation for the Adapters module and ParseError constants.
• Stop mutating cached options in Oj#load: the adapter previously assigned options[:symbol_keys] on the shared cached hash, slowly polluting it with extra keys.
• Stop mutating cached options in OjCommon#prepare_dump_options: merge!(PRETTY_STATE_PROTOTYPE) on the cached options hash removed :pretty and added prototype keys on every call, producing accidentally-correct results through cache reuse.
• Call to_h on options to properly handle JSON::State objects.
• Avoid allocating an options hash on the dump/load hot path by reusing a shared frozen empty hash for the no-options case.
• Short-circuit empty input in Adapter.blank? before falling back to the regex match.
• Replace the LOADERS strategy table with a case statement in AdapterSelector#load_adapter.
• Move REQUIREMENT_MAP from MultiJson into AdapterSelector; MultiJson::REQUIREMENT_MAP remains as a deprecated alias.
• Fix Bundler 4.0 permission error in CI.
• Revert the Steep removal and restore the Steepfile, sig directory, and typecheck workflow.
• Add workflow badges for linter, mutant, steep, and docs.
• Bump actions/checkout from 4 to 6.
• Update copyright year and alphabetize contributors by last name.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.19.3 → 1.19.4) · Repo · Changelog

Release Notes

1.19.4

v1.19.4 / 2026-06-18

Security

• [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
• [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
• [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
• [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
• [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
• [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
• [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
• [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
• [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.

SHA256 checksums

1269fb644a6de405057a53dd5c762b1209b43ca7424f839454d3dbc677c31a8f  nokogiri-1.19.4-aarch64-linux-gnu.gem
35c65b9ce72b3bb03207bdbe7067915019dc18c1b9b59139684bd6690fdd01af  nokogiri-1.19.4-aarch64-linux-musl.gem
a301313e38bb065d68239e79734bcd6f56fb6efaacebde29e9abf2a4735340ca  nokogiri-1.19.4-arm-linux-gnu.gem
588923c101bcfa78869734d247d25b598674323e7f22474fc468f6e5647311eb  nokogiri-1.19.4-arm-linux-musl.gem
a46db9853286e6597b36ebc6953817d15acf3a299583eb3f89fdc6f91dd63527  nokogiri-1.19.4-arm64-darwin.gem
ce04b9e268c9626852231a48b49128ed52034f1ccb39484a6da3875491cd709e  nokogiri-1.19.4-java.gem
051da97b8eccfdb5444fed40246a35e10d7298b9efe759b4cd25455ea04c587e  nokogiri-1.19.4-x64-mingw-ucrt.gem
7fd17057d3e1f00e9954a74b3cd76595d3d4a5ef233b7ed9599047c204f70551  nokogiri-1.19.4-x86_64-darwin.gem
379fae440b28915e3f19d752ce2dcf8465ed2b2fbefd2a7ca0dd497bc981a06a  nokogiri-1.19.4-x86_64-linux-gnu.gem
17dfb7c1fa194ae02fbf7c51a7afc8d278045ab3fdacfd86f91d02d7b274470b  nokogiri-1.19.4-x86_64-linux-musl.gem
50c951611c92bca05c51411aef45f1cbc50f2821c4802758c5c6d34696533ab5  nokogiri-1.19.4.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 26 commits:

• version bump to v1.19.4
• fix: JRuby NONET bypass in XML::Schema (v1.19.x) (#3639)
• fix(CRuby): use-after-free in Document#encoding= when setter raises (v1.19.x) (#3646)
• fix: JRuby NONET bypass in XML::Schema
• fix(CRuby): use-after-free in Document#encoding= when setter raises
• fix(CRuby): out-of-bounds read in NodeSet#[] with large negative index (v1.19.x) (#3647)
• fix: avoid NPE on uninitialized XML::Node structs (v1.19.x) (#3645)
• fix(CRuby): avoid UAF in XML::Attr#value= (v1.19.x) (#3644)
• fix: `Document#root=` rejects non-element nodes (v1.19.x) (#3643)
• fix(CRuby): use-after-free in XPathContext document lifetime (v1.19.x) (#3641)
• fix: `Node#initialize_copy_with_args` rejects non-Node sources (v1.19.x) (#3640)
• fix: use-after-free in `Node#do_xinclude` (v1.19.x) (#3642)
• fix: use-after-free in `Node#do_xinclude`
• test: skip int truncation tests where long==int
• fix(CRuby): out-of-bounds read in NodeSet#[] with large negative index
• fix(CRuby): use-after-free in XPathContext document lifetime
• fix: avoid NPE on uninitialized XML:Node structs
• fix(CRuby): avoid UAF in XML::Attr#value=
• fix: `Document#root=` rejects non-element nodes
• fix: `Node#initialize_copy_with_args` rejects non-Node sources
• style: disable SpaceInsidePercentLiteralDelimiters
• Merge branch 'better-valgrind-assertion-v1.19.x' into v1.19.x
• test(dev): extend refute_valgrind_errors with yield_on_jruby
• test(dev): add a test:memory_suite:valgrind rake target
• test(dev): improve refute_valgrind_errors
• test(dev): Extract memory debugger helpers

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)