chore(deps): bump the bundler group across 1 directory with 4 updates

[dependabot]

Bumps the bundler group with 4 updates in the / directory: puma, erb, net-imap and nokogiri.

Updates puma from 7.2.0 to 7.2.1

Release notes

Sourced from puma's releases.

v7.2.1

• Bugfixes
  • Limit and anchor PROXY protocol v1 parsing to prevent abuse via crafted inputs (#3947)
  • Parse PROXY protocol only once per connection to prevent injection on keep-alive requests (#3947)

Security advisories

• CVE-2026-47736 / GHSA-qpgp-93vx-g8v8: Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
• CVE-2026-47737 / GHSA-2vqw-3mp8-cgmx: Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections

Changelog

Sourced from puma's changelog.

7.2.1 / 2026-05-27

• Bugfixes
  • Limit and anchor PROXY protocol v1 parsing to prevent abuse via crafted inputs (#3947)
  • Parse PROXY protocol only once per connection to prevent injection on keep-alive requests (#3947)

Commits

• 92754ac Release v7.2.1 (#3948)
• ebe9db3 7.2.1 backport (#3947)
• See full diff in compare view

Updates erb from 5.1.3 to 6.0.1.1

Release notes

Sourced from erb's releases.

v6.0.1.1

Full Changelog: ruby/erb@v6.0.1...v6.0.1.1

v6.0.1

What's Changed

• Fix typo in changelog by @​hunchr in ruby/erb#96
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in ruby/erb#97
• Bump step-security/harden-runner from 2.13.1 to 2.13.2 by @​dependabot[bot] in ruby/erb#98
• Fixed by misspell -w -error -source=text by @​hsbt in ruby/erb#99
• Freeze ERB::Compiler::TrimScanner::ERB_STAG by @​osyoyu in ruby/erb#100

New Contributors

• @​hunchr made their first contribution in ruby/erb#96
• @​osyoyu made their first contribution in ruby/erb#100

Full Changelog: ruby/erb@v6.0.0...v6.0.1

v6.0.0

What's Changed

• Update the latest versions of actions: push-gem.yml by @​hsbt in ruby/erb#90
• Fix typo in documentation by @​suy in ruby/erb#91
• Fix tag shown in example of ERB expression tag and execution tag by @​sampart in ruby/erb#92
• [DOC] Suppress documentation for internals by @​nobu in ruby/erb#93
• Replace Ruby 3.5 with Ruby 4.0 by @​yahonda in ruby/erb#94
• Reapply "Remove safe_level and further positional arguments (#7)" by @​k0kubun in ruby/erb#95

New Contributors

• @​suy made their first contribution in ruby/erb#91
• @​sampart made their first contribution in ruby/erb#92
• @​yahonda made their first contribution in ruby/erb#94

Full Changelog: ruby/erb@v5.1.3...v6.0.0

Changelog

Sourced from erb's changelog.

6.0.1.1

• Prohibit def_method on marshal-loaded ERB instances

6.0.1

• Freeze ERB::Compiler::TrimScanner::ERB_STAG for Ractor compatibility

6.0.0

• Remove safe_level and further positional arguments from ERB.new
• Remove deprecated constant ERB::Revision

Commits

• 9345076 Version 6.0.1.1
• dd34ce4 Prohibit def_method on marshal-loaded ERB instances
• bbde68f Version 6.0.1
• 43f0876 Freeze ERB::Compiler::TrimScanner::ERB_STAG (#100)
• 2aa3a68 Fixed by misspell -w -error -source=text (#99)
• f91b260 Bump step-security/harden-runner from 2.13.1 to 2.13.2 (#98)
• 543500f Bump actions/checkout from 5 to 6 (#97)
• b23452a Fix typo in changelog (#96)
• bbaaf1f Version 6.0.0
• 1f83b25 Drop a deprecated constant ERB::Revision
• Additional commits viewable in compare view

Updates net-imap from 0.6.4 to 0.6.4.1

Release notes

Sourced from net-imap's releases.

v0.6.4.1

What's Changed

🔒 Security

This release fixes several more security vulnerabilities which are related to the fixes in v0.6.4. Please see the linked security advisories for more information.

• (moderate) Command Injection via non-synchronizing literal in "raw" argument (CVE-2026-47240, GHSA-8p34-64r3-mwg8) This vulnerability depends how the server interprets non-synchronizing literals. The connection is not vulnerable if the server supports non-synchronizing literals.
  • 🥅 Validate non-synchronizing literals support by @​nevans in ruby/net-imap#701
• (moderate) Command Injection via unvalidated ID and ENABLE arguments (CVE-2026-47242, GHSA-46q3-7gv7-qmgg)
  • 🥅 Validate ID values contain only valid bytes by @​nevans in ruby/net-imap#698
  • 🥅 Validate #enable arguments are all atoms by @​nevans in ruby/net-imap#699 NOTE: #enable should never be called with untrusted input.
• (low) Denial of Service via incomplete "raw" argument validation (CVE-2026-47241, GHSA-c4fp-cxrr-mj66) This results in the affected command hanging until the connection is closed. If another thread attempts to send a concurrent pipelined command, the first thread will return with a syntax error and the second thread will hang until the connection closes.
  • Reported by @​fg0x0
  • 🐛 Prevent trailing {0} in RawData validation by @​nevans in ruby/net-imap#700

Added

• 🔍 Add more detail to Net::IMAP#inspect TLS info by @​nevans in ruby/net-imap#674

Fixed

• 🔧 Disallow config.max_non_synchronizing_literal = nil by @​nevans in ruby/net-imap#672
• 🧵 Fix deadlock in #disconnect by @​nevans in ruby/net-imap#686
• 🥅 Validate that Atom and Flag are not empty by @​nevans in ruby/net-imap#684

Documentation

• ⚠️ Boost visibility of raw data argument documentation warnings by @​nevans in ruby/net-imap#677

Other Changes

• 🏷️ Allow 64-bit Integer arguments by @​nevans in ruby/net-imap#675
• 🥅 Ensure send_number_data input is an Integer by @​nevans in ruby/net-imap#676
• ♻️ Improve RawData.new, Add RawData.split by @​nevans in ruby/net-imap#679
• 🏷️ Less strict number string coercion, to match RFCs by @​nevans in ruby/net-imap#680
• 🥅 Validate response literal byte size format by @​nevans in ruby/net-imap#681

Miscellaneous

• ⬆️ Bump step-security/harden-runner from 2.19.0 to 2.19.1 by @​dependabot[bot] in ruby/net-imap#673
• ✅ Improvements to tests' FakeServer by @​nevans in ruby/net-imap#678
• ⬆️ Bump step-security/harden-runner from 2.19.1 to 2.19.3 by @​dependabot[bot] in ruby/net-imap#682
• ⬆️ Bump step-security/harden-runner from 2.19.3 to 2.19.4 by @​dependabot[bot] in ruby/net-imap#683

Full Changelog: ruby/net-imap@v0.6.4...v0.6.4.1

Commits

• 357f3b5 🔖 Bump version to 0.6.4.1
• e066b83 🔀 Merge pull request #701 from ruby/security/validate-non_sync_literal-support
• 0ea9eba ✅ Fix flaky tests for MacOS, TruffleRuby
• 5cad699 🔀 Merge pull request #700 from ruby/security/fix-raw_data-trailing-literal-ma...
• 5a0af4a 🔀 Merge pull request #699 from ruby/security/validate-enable-arguments
• b9d1972 🔀 Merge pull request #698 from ruby/security/validate-quoted-data
• 07e002b ♻️ Use QuotedString internally to send quoted string
• ae9f83b ♻️ Extract str.bytesize lvar in send_literal
• d6ddd29 🐛 Prevent trailing {0} in RawData validation
• 1f97168 🥅 Validate #enable arguments are all atoms
• Additional commits viewable in compare view

Updates nokogiri from 1.19.3 to 1.19.4

Release notes

Sourced from nokogiri's releases.

v1.19.4 / 2026-06-18

Security

• [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
• [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
• [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
• [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
• [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
• [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
• [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
• [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
• [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.

1269fb644a6de405057a53dd5c762b1209b43ca7424f839454d3dbc677c31a8f  nokogiri-1.19.4-aarch64-linux-gnu.gem
35c65b9ce72b3bb03207bdbe7067915019dc18c1b9b59139684bd6690fdd01af  nokogiri-1.19.4-aarch64-linux-musl.gem
a301313e38bb065d68239e79734bcd6f56fb6efaacebde29e9abf2a4735340ca  nokogiri-1.19.4-arm-linux-gnu.gem
588923c101bcfa78869734d247d25b598674323e7f22474fc468f6e5647311eb  nokogiri-1.19.4-arm-linux-musl.gem
a46db9853286e6597b36ebc6953817d15acf3a299583eb3f89fdc6f91dd63527  nokogiri-1.19.4-arm64-darwin.gem
ce04b9e268c9626852231a48b49128ed52034f1ccb39484a6da3875491cd709e  nokogiri-1.19.4-java.gem
051da97b8eccfdb5444fed40246a35e10d7298b9efe759b4cd25455ea04c587e  nokogiri-1.19.4-x64-mingw-ucrt.gem
7fd17057d3e1f00e9954a74b3cd76595d3d4a5ef233b7ed9599047c204f70551  nokogiri-1.19.4-x86_64-darwin.gem
379fae440b28915e3f19d752ce2dcf8465ed2b2fbefd2a7ca0dd497bc981a06a  nokogiri-1.19.4-x86_64-linux-gnu.gem
17dfb7c1fa194ae02fbf7c51a7afc8d278045ab3fdacfd86f91d02d7b274470b  nokogiri-1.19.4-x86_64-linux-musl.gem
50c951611c92bca05c51411aef45f1cbc50f2821c4802758c5c6d34696533ab5  nokogiri-1.19.4.gem

Changelog

Sourced from nokogiri's changelog.

v1.19.4 / 2026-06-18

Security

• [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
• [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
• [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
• [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
• [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
• [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
• [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
• [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
• [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.

Commits

• 8cfb9da version bump to v1.19.4
• a856d1e fix: JRuby NONET bypass in XML::Schema (v1.19.x) (#3639)
• 6a0aa1e fix(CRuby): use-after-free in Document#encoding= when setter raises (v1.19.x)...
• f658a54 fix: JRuby NONET bypass in XML::Schema
• 39d26fe fix(CRuby): use-after-free in Document#encoding= when setter raises
• 04a09dd fix(CRuby): out-of-bounds read in NodeSet#[] with large negative index (v1.19...
• 7799fbd fix: avoid NPE on uninitialized XML::Node structs (v1.19.x) (#3645)
• ef19e13 fix(CRuby): avoid UAF in XML::Attr#value= (v1.19.x) (#3644)
• 5524fa9 fix: Document#root= rejects non-element nodes (v1.19.x) (#3643)
• 9891ad1 fix(CRuby): use-after-free in XPathContext document lifetime (v1.19.x) (#3641)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.