Skip to content

DEPS: Bump the gems group across 1 directory with 6 updates#53

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/bundler/gems-ec90222116
Open

DEPS: Bump the gems group across 1 directory with 6 updates#53
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/bundler/gems-ec90222116

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 24, 2026

Copy link
Copy Markdown
Contributor

Bumps the gems group with 6 updates in the / directory:

Package From To
nokogiri 1.19.3 1.19.4
concurrent-ruby 1.3.6 1.3.7
json 2.19.9 2.20.0
pp 0.6.3 0.6.4
rubocop 1.87.0 1.88.0
sorbet-runtime 0.6.13295 0.6.13312

Updates nokogiri from 1.19.3 to 1.19.4

Release notes

Sourced from nokogiri's releases.

v1.19.4 / 2026-06-18

Security

  • [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
  • [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
  • [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
  • [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.
1269fb644a6de405057a53dd5c762b1209b43ca7424f839454d3dbc677c31a8f  nokogiri-1.19.4-aarch64-linux-gnu.gem
35c65b9ce72b3bb03207bdbe7067915019dc18c1b9b59139684bd6690fdd01af  nokogiri-1.19.4-aarch64-linux-musl.gem
a301313e38bb065d68239e79734bcd6f56fb6efaacebde29e9abf2a4735340ca  nokogiri-1.19.4-arm-linux-gnu.gem
588923c101bcfa78869734d247d25b598674323e7f22474fc468f6e5647311eb  nokogiri-1.19.4-arm-linux-musl.gem
a46db9853286e6597b36ebc6953817d15acf3a299583eb3f89fdc6f91dd63527  nokogiri-1.19.4-arm64-darwin.gem
ce04b9e268c9626852231a48b49128ed52034f1ccb39484a6da3875491cd709e  nokogiri-1.19.4-java.gem
051da97b8eccfdb5444fed40246a35e10d7298b9efe759b4cd25455ea04c587e  nokogiri-1.19.4-x64-mingw-ucrt.gem
7fd17057d3e1f00e9954a74b3cd76595d3d4a5ef233b7ed9599047c204f70551  nokogiri-1.19.4-x86_64-darwin.gem
379fae440b28915e3f19d752ce2dcf8465ed2b2fbefd2a7ca0dd497bc981a06a  nokogiri-1.19.4-x86_64-linux-gnu.gem
17dfb7c1fa194ae02fbf7c51a7afc8d278045ab3fdacfd86f91d02d7b274470b  nokogiri-1.19.4-x86_64-linux-musl.gem
50c951611c92bca05c51411aef45f1cbc50f2821c4802758c5c6d34696533ab5  nokogiri-1.19.4.gem
Changelog

Sourced from nokogiri's changelog.

v1.19.4 / 2026-06-18

Security

  • [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
  • [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
  • [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
  • [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.
Commits
  • 8cfb9da version bump to v1.19.4
  • a856d1e fix: JRuby NONET bypass in XML::Schema (v1.19.x) (#3639)
  • 6a0aa1e fix(CRuby): use-after-free in Document#encoding= when setter raises (v1.19.x)...
  • f658a54 fix: JRuby NONET bypass in XML::Schema
  • 39d26fe fix(CRuby): use-after-free in Document#encoding= when setter raises
  • 04a09dd fix(CRuby): out-of-bounds read in NodeSet#[] with large negative index (v1.19...
  • 7799fbd fix: avoid NPE on uninitialized XML::Node structs (v1.19.x) (#3645)
  • ef19e13 fix(CRuby): avoid UAF in XML::Attr#value= (v1.19.x) (#3644)
  • 5524fa9 fix: Document#root= rejects non-element nodes (v1.19.x) (#3643)
  • 9891ad1 fix(CRuby): use-after-free in XPathContext document lifetime (v1.19.x) (#3641)
  • Additional commits viewable in compare view

Updates concurrent-ruby from 1.3.6 to 1.3.7

Release notes

Sourced from concurrent-ruby's releases.

v1.3.7

There are 3 security fixes in this release, so updating is recommended. These security vulnerabilities are not very likely to be hit in practice and have a corresponding Low severity score.

What's Changed

New Contributors

Full Changelog: ruby-concurrency/concurrent-ruby@v1.3.6...v1.3.7

Changelog

Sourced from concurrent-ruby's changelog.

Release v1.3.7 (16 June 2026)

concurrent-ruby:

Commits
  • 4c8fc28 Release 1.3.7
  • d91ca94 Fix AtomicReference#update livelock when stored value is Float::NAN on JRuby ...
  • 7e4d711 Fix ReentrantReadWriteLock read hold overflow into write-lock bit
  • 6e37e06 Fix AtomicReference#update livelock when stored value is Float::NAN
  • 2825cfa Cleanup spec
  • 3fd4932 Fix ReadWriteLock wrong-thread write release and stray read release
  • 1974b47 Add Ruby 4.0 in CI
  • df8706d Add SECURITY.md (#1104)
  • 7a1b789 Bump actions/upload-pages-artifact from 4 to 5
  • 9b2dbf7 Bump actions/deploy-pages from 4 to 5
  • Additional commits viewable in compare view

Updates json from 2.19.9 to 2.20.0

Release notes

Sourced from json's releases.

v2.20.0

What's Changed

  • Both C and Java parsers are no longer recursive, so parsing very deep documents with max_nesting: false will no longer result in SystemStackError stack level too deep errors.
    • The :max_nesting option still defaults to 100.
  • Optimized floating point number parsing further by replacing the ryu algorithm by a port of Eisel-Lemire Fast Float.
  • Added JSON::ResumableParser to parse streams of JSON documents. Not yet available on JRuby.
  • Deprecate default support of JavaScript comments in the parser and add allow_comments: true parsing option.
  • Integrate with Ruby 4.1 ruby_sized_xfree.

Full Changelog: ruby/json@v2.19.8...v2.20.0

Changelog

Sourced from json's changelog.

2026-06-23 (2.20.0)

  • Both C and Java parsers are no longer recursive, so parsing very deep documents with max_nesting: false will no longer result in SystemStackError stack level too deep errors.
    • The :max_nesting option still defaults to 100.
  • Optimized floating point number parsing further by replacing the ryu algorithm by a port of Eisel-Lemire Fast Float.
  • Added JSON::ResumableParser to parse streams of JSON documents. Not yet available on JRuby.
  • Deprecate default support of JavaScript comments in the parser and add allow_comments: true parsing option.
  • Integrate with Ruby 4.1 ruby_sized_xfree.
Commits
  • 1316292 Release 2.20.0
  • 1443265 Remove useless executable bits
  • 532065c Preserve UTF-8 encoding when reallocating a frozen ResumableParser buffer
  • 7c8af4b Update extconf.rb guard to use RUBY_ENGINE_VERSION
  • 2afd1a9 Cleanup the rb_catch_obj workaround
  • 9892514 Simplify parser_config_init
  • b30a8f8 ResumableParser: eagerly drop the buffer when reaching EOS
  • f08c663 ResumableParser: accept only keyword arguments
  • 9d8efcb Workaround TruffleRuby buggy rb_catch_obj implementation
  • 4bd1e9b ResumableParser: use throw rather than raise for handled EOS
  • Additional commits viewable in compare view

Updates pp from 0.6.3 to 0.6.4

Release notes

Sourced from pp's releases.

v0.6.4

What's Changed

New Contributors

Full Changelog: ruby/pp@v0.6.3...v0.6.4

Commits
  • 29552e8 v0.6.4
  • e08d84c Exclude dependabot updates from release note
  • 91079ce Merge pull request #87 from ruby/dependabot/github_actions/rubygems/release-g...
  • a39f73e Bump rubygems/release-gem from 1.2.0 to 1.4.0
  • 5a688e4 Merge pull request #86 from ruby/dependabot/github_actions/step-security/hard...
  • d649a95 Bump step-security/harden-runner from 2.19.3 to 2.19.4
  • 54a425d Merge pull request #85 from ruby/dependabot/github_actions/step-security/hard...
  • 34941a3 Bump step-security/harden-runner from 2.19.1 to 2.19.3
  • 670c8c0 Merge pull request #84 from ruby/dependabot/github_actions/step-security/hard...
  • bd8165d Bump step-security/harden-runner from 2.19.0 to 2.19.1
  • Additional commits viewable in compare view

Updates rubocop from 1.87.0 to 1.88.0

Release notes

Sourced from rubocop's releases.

RuboCop v1.88.0

New features

  • #15166: Add a new Recursive option to Style/MutableConstant. When enabled, the cop checks and freezes mutable literals nested inside arrays and hashes. The option is disabled by default to preserve existing behavior. ([@​paracycle][])

Bug fixes

  • #15220: Fix a bad autocorrect for Lint/RedundantSplatExpansion when splatting an empty literal (e.g. when *[] or rescue *[]), which expanded to invalid or semantically different code. ([@​bbatsov][])
  • #15221: Fix a bad autocorrect for Lint/RegexpAsCondition when the regexp literal is negated (e.g. if !/foo/), which inverted the condition. ([@​bbatsov][])
  • #15242: Fix a bad autocorrect for Lint/SymbolConversion when the receiver is an interpolated string containing an embedded double quote (e.g. "foo#{bar}\"qux".to_sym), which produced a syntax error. ([@​bbatsov][])
  • #15270: Fix a crash for Style/CombinableLoops when a for loop has an empty body, and stop autocorrecting consecutive for loops whose iteration variables differ (which produced code referencing an undefined variable). ([@​bbatsov][])
  • #15272: Fix a crash for Style/ConstantVisibility when a visibility declaration has a numeric literal argument (e.g. private_constant 42). ([@​bbatsov][])
  • #15215: Fix a false negative for Lint/OrderedMagicComments when an encoding magic comment is preceded by a magic comment other than frozen_string_literal (e.g. shareable_constant_value). ([@​bbatsov][])
  • #15228: Fix a false negative for Lint/RedundantWithIndex when the block takes no arguments (e.g. ary.each_with_index { do_something }). ([@​bbatsov][])
  • #15230: Fix a false negative for Lint/RequireRelativeSelfPath when requiring the current file by name with its extension (e.g. require_relative 'foo.rb') and the file path is absolute. ([@​bbatsov][])
  • #15229: Fix a false negative for Lint/SafeNavigationChain when an ordinary method is chained after a parenthesized safe navigation call (e.g. (x&.foo).bar). ([@​bbatsov][])
  • #15225: Fix a false negative for Lint/SafeNavigationWithEmpty when the receiver of &.empty? is a local variable, instance variable, constant, or other non-method-call expression. ([@​bbatsov][])
  • #15231: Fix a false negative for Lint/SendWithMixinArgument when send/public_send/__send__ is called with no explicit receiver or with a self receiver (e.g. send(:include, Bar)). ([@​bbatsov][])
  • #15248: Fix a false negative for Lint/ToEnumArguments when more positional arguments are passed than the method accepts (e.g. def m(x); to_enum(:m, x, extra); end), which raises ArgumentError when the enumerator is used. ([@​bbatsov][])
  • #15249: Fix a false negative for Lint/UnescapedBracketInRegexp when an unescaped ] is preceded by an escaped backslash (e.g. /abc\\]123/). ([@​bbatsov][])
  • #15267: Fix a false positive for Style/ArrayIntersectWithSingleElement with a splat argument (e.g. array.intersect?([*foo])), which is not a single element and was incorrectly rewritten to array.include?(*foo). ([@​bbatsov][])
  • #15272: Fix a false positive for Style/ColonMethodCall with chained JRuby interop calls (e.g. Java::com::something_method). ([@​bbatsov][])
  • #15271: Fix a false positive for Style/ConditionalAssignment with EnforcedStyle: assign_inside_condition when assigning an unless without an else branch (e.g. x = unless cond; 1; end), which was rewritten to move the assignment inside the unless and changed behavior when the condition was true. ([@​bbatsov][])
  • #14401: Fix a false positive for Layout/BlockAlignment with EnforcedStyleAlignWith: start_of_line when a block is passed as a method argument. ([@​augustocbx][])
  • #15216: Fix a false positive for Lint/RaiseException when raise Exception is used inside a module nested within an allowed implicit namespace (e.g. Gem). ([@​bbatsov][])
  • #15219: Fix a false positive for Lint/RedundantDirGlobSort when sort is given a comparator block or a block-pass argument, which is not redundant with the default sorting. ([@​bbatsov][])
  • #15224: Fix a false positive for Lint/ShadowingOuterLocalVariable when a block argument has the same name as a pattern variable from a different in branch of the same case. ([@​bbatsov][])
  • #15239: Fix a false positive for Lint/SuppressedExceptionInNumberConversion when the numeric constructor already passes exception: false (e.g. Integer(arg, exception: false) rescue nil), which also produced an autocorrect with a duplicate exception: false keyword. ([@​bbatsov][])
  • #15243: Fix a false positive for Lint/TopLevelReturnWithArgument when a return with an argument is inside a numbered-parameter block or an it block. ([@​bbatsov][])
  • #15245: Fix a false positive for Lint/UselessRuby2Keywords when ruby2_keywords in a nested class or module refers to a method of the same name defined in an outer scope. ([@​bbatsov][])
  • #15246: Fix a false positive for Lint/UselessSetterCall when a multiple assignment uses nested destructuring (e.g. (a, b), c = arg, other_arg), which misaligned variables with the right-hand side values. ([@​bbatsov][])
  • #15125: Fix a false positive for Style/ZeroLengthPredicate when File::Stat.new(...).size.zero? is used. ([@​augustocbx][])
  • #15196: Fix --start-server to wait until the server is running before returning, which fixes a flaky --restart-server spec and a race for commands run right after starting the server. ([@​koic][])
  • #15272: Fix Style/Alias not detecting block scope for numbered-parameter and it blocks, which caused a false positive for alias_method and a false negative for alias inside such blocks. ([@​bbatsov][])
  • #15281: Fix an incorrect autocorrect when Style/IfUnlessModifier and Style/Next correct the same conditional. ([@​fynsta][])
  • #15260: Fix an error for Style/FileWrite when a literal or variable is passed to write in the block form. ([@​koic][])
  • #15276: Fix an error for Style/RedundantFormat when the format string is a heredoc with format arguments. ([@​fynsta][])
  • #15270: Fix an incorrect autocorrect for Style/AndOr when an operand is next, break, or yield with an argument (e.g. foo and next 1), which produced invalid Ruby like foo && next 1. ([@​bbatsov][])
  • #15267: Fix an incorrect autocorrect for Style/ArrayFirstLast when arr[0]/arr[-1] is the target of a compound assignment (e.g. arr[0] += 1), which produced arr.first += 1 and raised NoMethodError. ([@​bbatsov][])
  • #15267: Fix an incorrect autocorrect for Style/ArrayIntersect where a negated predicate on a safe-navigation chain (e.g. a&.intersection(b)&.none?) was rewritten to !a&.intersect?(b), flipping the result when the receiver is nil. ([@​bbatsov][])
  • #15273: Fix an incorrect autocorrect for Style/BlockDelimiters that converted a single-line do...end block containing a block-level rescue or ensure to {...}, producing invalid Ruby. ([@​bbatsov][])
  • #15268: Fix an incorrect autocorrect for Style/CaseEquality when the argument is an operator or unary expression (e.g. Array === a + b), which produced mis-parsed code like a + b.is_a?(Array). ([@​bbatsov][])
  • #15268: Fix an incorrect autocorrect for Style/ClassEqualityComparison inside a namespace when the class name string is already fully qualified (e.g. bar.class.name == '::Bar'), which produced instance_of?(::::Bar) and was a syntax error. ([@​bbatsov][])
  • #15268: Fix an incorrect autocorrect for Style/ClassEqualityComparison when comparing Class itself to a string literal (e.g. var.class == 'Date'), which produced var.instance_of?('Date') and raised TypeError; such comparisons are no longer autocorrected. ([@​bbatsov][])
  • #15274: Fix an incorrect autocorrect for Style/ClassMethodsDefinitions that corrupted a preceding comment containing def <name> and left the method undefined as a class method. ([@​bbatsov][])
  • #15270: Fix an incorrect autocorrect for Style/ComparableClamp when the clamped value is an operator expression (e.g. a + b), which produced mis-parsed code like a + b.clamp(low, high). ([@​bbatsov][])
  • #15267: Fix an incorrect autocorrect for Style/ConcatArrayLiterals with an empty array literal argument (e.g. arr.concat([], [b])), which produced invalid Ruby like arr.push(, b). ([@​bbatsov][])
  • #15274: Fix an incorrect autocorrect for Style/DigChain that duplicated a trailing comment and dropped indentation when the chain was inside a method or block. ([@​bbatsov][])
  • #15288: Fix an incorrect autocorrect for Lint/UselessTimes when a 1.times block takes a single destructured (|(a, b)|) or splat (|*a|) argument, which produced a body referencing an undefined variable. ([@​bbatsov][])
  • #15280: Fix an incorrect autocorrect for Style/ConditionalAssignment with EnforcedStyle: assign_inside_condition and a single-line case. ([@​fynsta][])

... (truncated)

Changelog

Sourced from rubocop's changelog.

1.88.0 (2026-06-16)

New features

  • #15166: Add a new Recursive option to Style/MutableConstant. When enabled, the cop checks and freezes mutable literals nested inside arrays and hashes. The option is disabled by default to preserve existing behavior. ([@​paracycle][])

Bug fixes

  • #15220: Fix a bad autocorrect for Lint/RedundantSplatExpansion when splatting an empty literal (e.g. when *[] or rescue *[]), which expanded to invalid or semantically different code. ([@​bbatsov][])
  • #15221: Fix a bad autocorrect for Lint/RegexpAsCondition when the regexp literal is negated (e.g. if !/foo/), which inverted the condition. ([@​bbatsov][])
  • #15242: Fix a bad autocorrect for Lint/SymbolConversion when the receiver is an interpolated string containing an embedded double quote (e.g. "foo#{bar}\"qux".to_sym), which produced a syntax error. ([@​bbatsov][])
  • #15270: Fix a crash for Style/CombinableLoops when a for loop has an empty body, and stop autocorrecting consecutive for loops whose iteration variables differ (which produced code referencing an undefined variable). ([@​bbatsov][])
  • #15272: Fix a crash for Style/ConstantVisibility when a visibility declaration has a numeric literal argument (e.g. private_constant 42). ([@​bbatsov][])
  • #15215: Fix a false negative for Lint/OrderedMagicComments when an encoding magic comment is preceded by a magic comment other than frozen_string_literal (e.g. shareable_constant_value). ([@​bbatsov][])
  • #15228: Fix a false negative for Lint/RedundantWithIndex when the block takes no arguments (e.g. ary.each_with_index { do_something }). ([@​bbatsov][])
  • #15230: Fix a false negative for Lint/RequireRelativeSelfPath when requiring the current file by name with its extension (e.g. require_relative 'foo.rb') and the file path is absolute. ([@​bbatsov][])
  • #15229: Fix a false negative for Lint/SafeNavigationChain when an ordinary method is chained after a parenthesized safe navigation call (e.g. (x&.foo).bar). ([@​bbatsov][])
  • #15225: Fix a false negative for Lint/SafeNavigationWithEmpty when the receiver of &.empty? is a local variable, instance variable, constant, or other non-method-call expression. ([@​bbatsov][])
  • #15231: Fix a false negative for Lint/SendWithMixinArgument when send/public_send/__send__ is called with no explicit receiver or with a self receiver (e.g. send(:include, Bar)). ([@​bbatsov][])
  • #15248: Fix a false negative for Lint/ToEnumArguments when more positional arguments are passed than the method accepts (e.g. def m(x); to_enum(:m, x, extra); end), which raises ArgumentError when the enumerator is used. ([@​bbatsov][])
  • #15249: Fix a false negative for Lint/UnescapedBracketInRegexp when an unescaped ] is preceded by an escaped backslash (e.g. /abc\\]123/). ([@​bbatsov][])
  • #15267: Fix a false positive for Style/ArrayIntersectWithSingleElement with a splat argument (e.g. array.intersect?([*foo])), which is not a single element and was incorrectly rewritten to array.include?(*foo). ([@​bbatsov][])
  • #15272: Fix a false positive for Style/ColonMethodCall with chained JRuby interop calls (e.g. Java::com::something_method). ([@​bbatsov][])
  • #15271: Fix a false positive for Style/ConditionalAssignment with EnforcedStyle: assign_inside_condition when assigning an unless without an else branch (e.g. x = unless cond; 1; end), which was rewritten to move the assignment inside the unless and changed behavior when the condition was true. ([@​bbatsov][])
  • #14401: Fix a false positive for Layout/BlockAlignment with EnforcedStyleAlignWith: start_of_line when a block is passed as a method argument. ([@​augustocbx][])
  • #15216: Fix a false positive for Lint/RaiseException when raise Exception is used inside a module nested within an allowed implicit namespace (e.g. Gem). ([@​bbatsov][])
  • #15219: Fix a false positive for Lint/RedundantDirGlobSort when sort is given a comparator block or a block-pass argument, which is not redundant with the default sorting. ([@​bbatsov][])
  • #15224: Fix a false positive for Lint/ShadowingOuterLocalVariable when a block argument has the same name as a pattern variable from a different in branch of the same case. ([@​bbatsov][])
  • #15239: Fix a false positive for Lint/SuppressedExceptionInNumberConversion when the numeric constructor already passes exception: false (e.g. Integer(arg, exception: false) rescue nil), which also produced an autocorrect with a duplicate exception: false keyword. ([@​bbatsov][])
  • #15243: Fix a false positive for Lint/TopLevelReturnWithArgument when a return with an argument is inside a numbered-parameter block or an it block. ([@​bbatsov][])
  • #15245: Fix a false positive for Lint/UselessRuby2Keywords when ruby2_keywords in a nested class or module refers to a method of the same name defined in an outer scope. ([@​bbatsov][])
  • #15246: Fix a false positive for Lint/UselessSetterCall when a multiple assignment uses nested destructuring (e.g. (a, b), c = arg, other_arg), which misaligned variables with the right-hand side values. ([@​bbatsov][])
  • #15125: Fix a false positive for Style/ZeroLengthPredicate when File::Stat.new(...).size.zero? is used. ([@​augustocbx][])
  • #15196: Fix --start-server to wait until the server is running before returning, which fixes a flaky --restart-server spec and a race for commands run right after starting the server. ([@​koic][])
  • #15272: Fix Style/Alias not detecting block scope for numbered-parameter and it blocks, which caused a false positive for alias_method and a false negative for alias inside such blocks. ([@​bbatsov][])
  • #15281: Fix an incorrect autocorrect when Style/IfUnlessModifier and Style/Next correct the same conditional. ([@​fynsta][])
  • #15260: Fix an error for Style/FileWrite when a literal or variable is passed to write in the block form. ([@​koic][])
  • #15276: Fix an error for Style/RedundantFormat when the format string is a heredoc with format arguments. ([@​fynsta][])
  • #15270: Fix an incorrect autocorrect for Style/AndOr when an operand is next, break, or yield with an argument (e.g. foo and next 1), which produced invalid Ruby like foo && next 1. ([@​bbatsov][])
  • #15267: Fix an incorrect autocorrect for Style/ArrayFirstLast when arr[0]/arr[-1] is the target of a compound assignment (e.g. arr[0] += 1), which produced arr.first += 1 and raised NoMethodError. ([@​bbatsov][])
  • #15267: Fix an incorrect autocorrect for Style/ArrayIntersect where a negated predicate on a safe-navigation chain (e.g. a&.intersection(b)&.none?) was rewritten to !a&.intersect?(b), flipping the result when the receiver is nil. ([@​bbatsov][])
  • #15273: Fix an incorrect autocorrect for Style/BlockDelimiters that converted a single-line do...end block containing a block-level rescue or ensure to {...}, producing invalid Ruby. ([@​bbatsov][])
  • #15268: Fix an incorrect autocorrect for Style/CaseEquality when the argument is an operator or unary expression (e.g. Array === a + b), which produced mis-parsed code like a + b.is_a?(Array). ([@​bbatsov][])
  • #15268: Fix an incorrect autocorrect for Style/ClassEqualityComparison inside a namespace when the class name string is already fully qualified (e.g. bar.class.name == '::Bar'), which produced instance_of?(::::Bar) and was a syntax error. ([@​bbatsov][])
  • #15268: Fix an incorrect autocorrect for Style/ClassEqualityComparison when comparing Class itself to a string literal (e.g. var.class == 'Date'), which produced var.instance_of?('Date') and raised TypeError; such comparisons are no longer autocorrected. ([@​bbatsov][])
  • #15274: Fix an incorrect autocorrect for Style/ClassMethodsDefinitions that corrupted a preceding comment containing def <name> and left the method undefined as a class method. ([@​bbatsov][])
  • #15270: Fix an incorrect autocorrect for Style/ComparableClamp when the clamped value is an operator expression (e.g. a + b), which produced mis-parsed code like a + b.clamp(low, high). ([@​bbatsov][])
  • #15267: Fix an incorrect autocorrect for Style/ConcatArrayLiterals with an empty array literal argument (e.g. arr.concat([], [b])), which produced invalid Ruby like arr.push(, b). ([@​bbatsov][])
  • #15274: Fix an incorrect autocorrect for Style/DigChain that duplicated a trailing comment and dropped indentation when the chain was inside a method or block. ([@​bbatsov][])
  • #15288: Fix an incorrect autocorrect for Lint/UselessTimes when a 1.times block takes a single destructured (|(a, b)|) or splat (|*a|) argument, which produced a body referencing an undefined variable. ([@​bbatsov][])

... (truncated)

Commits
  • 37bf5ad Cut 1.88
  • cd0c2e3 Update Changelog
  • b7af64a [Fix #12276] Record pending cops options in the auto-gen-config command
  • bbd7ff2 Add hk integration docs
  • 117e40a Merge pull request #15293 from RedZapdos123/fix-literal-interp-hash-symbol
  • 4d95141 [Fix #15291] Fix hash symbol interpolation
  • 0347d27 Add Recursive option to Style/MutableConstant
  • f0d92b4 Fix incorrect autocorrects for Style/FileWrite with heredocs
  • 32df346 Fix an incorrect autocorrect for Style/Semicolon with heredocs
  • 4c221fb [Fix #15269] Fix a false positive where cop Include patterns matched parent...
  • Additional commits viewable in compare view

Updates sorbet-runtime from 0.6.13295 to 0.6.13312

Release notes

Sourced from sorbet-runtime's releases.

sorbet 0.6.13311.20260623123710-2ff17933b

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13311', :group => :development
gem 'sorbet-runtime', '0.6.13311'

sorbet 0.6.13310.20260622174233-ca92442c4

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13310', :group => :development
gem 'sorbet-runtime', '0.6.13310'

sorbet 0.6.13309.20260620214539-fb3a0f229

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13309', :group => :development
gem 'sorbet-runtime', '0.6.13309'

sorbet 0.6.13308.20260617130608-d4d97a753

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13308', :group => :development
gem 'sorbet-runtime', '0.6.13308'

sorbet 0.6.13307.20260617130542-ce366d871

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13307', :group => :development
gem 'sorbet-runtime', '0.6.13307'

sorbet 0.6.13306.20260617071119-68187f348

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13306', :group => :development
gem 'sorbet-runtime', '0.6.13306'

sorbet 0.6.13305.20260616174559-b460a043c

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13305', :group => :development
gem 'sorbet-runtime', '0.6.13305'

sorbet 0.6.13304.20260616194356-fbb64fbab

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
DEPS: Bump the gems group across 1 directory with 6 updates
ff63191 
Bumps the gems group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [nokogiri](https://github.com/sparklemotion/nokogiri) | `1.19.3` | `1.19.4` |
| [concurrent-ruby](https://github.com/ruby-concurrency/concurrent-ruby) | `1.3.6` | `1.3.7` |
| [json](https://github.com/ruby/json) | `2.19.9` | `2.20.0` |
| [pp](https://github.com/ruby/pp) | `0.6.3` | `0.6.4` |
| [rubocop](https://github.com/rubocop/rubocop) | `1.87.0` | `1.88.0` |
| [sorbet-runtime](https://github.com/sorbet/sorbet) | `0.6.13295` | `0.6.13312` |



Updates `nokogiri` from 1.19.3 to 1.19.4
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.19.3...v1.19.4)

Updates `concurrent-ruby` from 1.3.6 to 1.3.7
- [Release notes](https://github.com/ruby-concurrency/concurrent-ruby/releases)
- [Changelog](https://github.com/ruby-concurrency/concurrent-ruby/blob/master/CHANGELOG.md)
- [Commits](ruby-concurrency/concurrent-ruby@v1.3.6...v1.3.7)

Updates `json` from 2.19.9 to 2.20.0
- [Release notes](https://github.com/ruby/json/releases)
- [Changelog](https://github.com/ruby/json/blob/master/CHANGES.md)
- [Commits](ruby/json@v2.19.9...v2.20.0)

Updates `pp` from 0.6.3 to 0.6.4
- [Release notes](https://github.com/ruby/pp/releases)
- [Commits](ruby/pp@v0.6.3...v0.6.4)

Updates `rubocop` from 1.87.0 to 1.88.0
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](rubocop/rubocop@v1.87.0...v1.88.0)

Updates `sorbet-runtime` from 0.6.13295 to 0.6.13312
- [Release notes](https://github.com/sorbet/sorbet/releases)
- [Commits](https://github.com/sorbet/sorbet/commits)

---
updated-dependencies:
- dependency-name: nokogiri
  dependency-version: 1.19.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gems
- dependency-name: concurrent-ruby
  dependency-version: 1.3.7
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: gems
- dependency-name: json
  dependency-version: 2.20.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: gems
- dependency-name: pp
  dependency-version: 0.6.4
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: gems
- dependency-name: rubocop
  dependency-version: 1.88.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: gems
- dependency-name: sorbet-runtime
  dependency-version: 0.6.13312
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: gems
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code labels Jun 24, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file ruby Pull requests that update ruby code

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants