🚨 [security] Update html-proofer 5.0.10 → 5.1.1 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ html-proofer (5.0.10 → 5.1.1) · Repo · Changelog

Release Notes

5.1.1

Full Changelog: v5.1.0...v5.1.1

5.1.0

What's Changed

• Bump actions/checkout from 4 to 5 by @dependabot[bot] in #857
• Add benchmark to Gemfile by @denisdefreyne in #858
• Remove outdated real-world examples by @denisdefreyne in #859
• Allow support for multiple directory index files by @denisdefreyne in #860
• [skip test] Release v5.1.0 by @github-actions[bot] in #861

New Contributors

• @denisdefreyne made their first contribution in #858

Full Changelog: v5.0.10...v5.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ afm (indirect, 0.2.2 → 1.0.0) · Repo · Changelog

Release Notes

1.0.0

There are no functional changes to 0.2.2 in this release, it is just a quick
update to make sure it still runs on modern rubies and add modern tooling

• [chore] Add GitHub actions instead of travis (chuckle)
• [chore] Set required ruby version to last maintained version
• [chore] update dependencies
• [chore] modernize gemspec
• [chore] formatting all ruby files to modernish standards

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ async (indirect, 2.23.1 → 2.34.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ bigdecimal (indirect, 3.1.9 → 3.3.1) · Repo · Changelog

Release Notes

3.3.1

What's Changed

• Fix modulo/remainder of negative zero by @tompng in #441
• Unify all precision validation to be consistent with BigDecimal#add by @tompng in #442
• Bump version to 3.3.1 by @tompng in #443

Full Changelog: v3.3.0...v3.3.1

3.3.0

What's Changed

• Allow calling Rational#to_d without arguments by @fsateler in #421
• Fix test_no_memory_leak failure by @tompng in #424
• Change BigMath.sin and cos to always calculate in relative precision. by @tompng in #422
• Faster exp calculation by @tompng in #399
• Rename assert_relative_precision to assert_converge_in_precision by @tompng in #425
• Add support for tangent function by @rhannequin in #231
• Make bigdecimal.rb work in JRuby by @tompng in #420
• BigMath methods common interface: coerce x, validate prec, check nan error by @tompng in #415
• Round result of sqrt and BigMath methods by @tompng in #427
• Update example calculation result in BigMath document by @tompng in #428
• BigMath.log(0,n)==-Infinity just like Math.log(0) by @tompng in #430
• Fix divmod and modulo by infinity to match Float#divmod and Float#modulo by @tompng in #429
• Bump step-security/harden-runner from 2.13.0 to 2.13.1 by @dependabot[bot] in #431
• Make internal BigMath method a private method by @tompng in #432
• Improve performance of x**y when y is a huge value by @tompng in #438
• Fix precision of x.power(y, prec) when the result is nearly infinity by @tompng in #439
• Bump version to 3.3.0 by @tompng in #437

New Contributors

• @fsateler made their first contribution in #421

Full Changelog: v3.2.3...v3.3.0

3.2.3

What's Changed

• Fix sign of bigdecimal**bigint by @tompng in #341
• Fix BigMath.atan precision safe margin by @tompng in #320
• Fix typo in BigDecimal#scale comment by @timcraft in #348
• Allow BigDecimal accept Float without precision by @mrzasa in #314
• Fix edgecase segfault of BigDecimal#remainder by @tompng in #349
• Fix precision of BigMath.sin(x,prec) and BigMath.cos(x,prec) for large x by @tompng in #346
• Fix wrong converge check in VpSqrt by @tompng in #353
• Bump step-security/harden-runner from 2.12.0 to 2.12.1 by @dependabot[bot] in #356
• Ensure BigMath.sin and BigMath.cos to be within -1..1 by @tompng in #317
• Remove BigDecimal_divremain(which has a bug) and use BigDecimal_DoDivmod instead by @tompng in #351
• Bump step-security/harden-runner from 2.12.1 to 2.12.2 by @dependabot[bot] in #359
• Remove back pointer from Real to VALUE by @tompng in #344
• Update docs for #to_d core extensions by @dduugg in #360
• Fix compiling issue (when BIGDECIMAL_DEBUG is 1) by @tompng in #363
• Use a correct term: engineering notation -> scientific notation by @mame in #365
• Fix to_f underflow check when DECDIG is uint16_t by @tompng in #364
• Fix VpNumOfChars calculation for the longest case by @tompng in #366
• Fix a bug that exponent overflow is ignored in add, sub, mult and div operation by @tompng in #367
• Fix dump/load bigdecimal with few or large precs by @tompng in #362
• Refactor AddExponent overflow/underflow check by @tompng in #368
• Strict BigDecimal("0.1e#{exponent}") exponent overflow/underflow check by @tompng in #369
• Add DECDIG=16bit CI workflow by @tompng in #370
• Fix wrong multiplying BASE_FIG in precision calculation by @tompng in #372
• Remove debug print by @tompng in #375
• Remove unused #define macros by @tompng in #376
• VpDivd bugfix by @tompng in #374
• Fix VpDivd to fully use quotient array by @tompng in #377
• Add RB_GC_GUARD to test-only methods by @tompng in #378
• Use minimum necessary division precision in BigDecimal_DoDivmod by @tompng in #371
• Remove dead code and ineffective optimization path form VpDivd by @tompng in #379
• Implement exp, log, power and ** in ruby by @tompng in #347
• Remove unused "# define" macros by @tompng in #382
• Bump step-security/harden-runner from 2.12.2 to 2.13.0 by @dependabot[bot] in #383
• VpFormatSt O(n^2) to O(n) by @tompng in #384
• Ignore ndigits passed to BigDecimal(string, ndigits) by @tompng in #385
• Better error message for negative**intinite and zero-converge case fix by @tompng in #386
• Refactor truncate floor and ceil duplicated part by @tompng in #387
• Fix exp log power to raise "Computation results in Infinity/NaN" in EXCEPTION_INFINITY/EXCEPTION_NaN mode by @tompng in #389
• Reduce guard obj by @tompng in #390
• Remove ENTER and GUARD_OBJ macro by @tompng in #391
• Coerce to bigdecimal refactor by @tompng in #392
• Coerce rational with the given prec in exp, log and power calculation by @tompng in #393
• Unify coerce prec calculation by @tompng in #394
• Use bool instead of Qtrue/Qfalse for normal c boolish value by @tompng in #395
• Fix adjusting x to 0.3..3 in log calculation by @tompng in #397
• missing.h cleanup by @tompng in #396
• Hide internal method of BigMath into BigDecimal::Internal by @tompng in #400
• Remove gc_compaction test by @tompng in #401
• Bump actions/checkout from 4 to 5 by @dependabot[bot] in #402
• Fix VpMult result size calculation by @tompng in #403
• Fix GetAddSubPrec calculation by @tompng in #406
• Fix PrecLimit not restored on exception by @tompng in #405
• Fix div,modulo,remainder and divmod precision when prec limit is specified by @tompng in #408
• Fix x.fix and x.frac affected by prec limit, Stop -x and x.abs round with prec limit by @tompng in #409
• Don't use ZeroWrapLimited. Use unlimited version instead. by @tompng in #410
• Fix x / y precision when prec limit is huge by @tompng in #412
• Calculate exp, log, pow with the given prec even if prec limit is set by @tompng in #411
• Simplify to_i logic by @tompng in #413
• Add BigMath::E and BigMath::PI precision test by @tompng in #414
• Rewrite BigDecimal#sqrt in ruby with improved Newton's method by @tompng in #381
• Update bigdecimal version used in benchmark from 3.0.0 to 3.1.1 by @tompng in #416
• Implement BigDecimal#_decimal_shift for internal use by @tompng in #324
• In JRuby, don't add sqrt, exp, log, power implemented in ruby by @tompng in #417
• Add JRuby minimum ci by @tompng in #418
• Bump version to 3.2.3 by @tompng in #419

New Contributors

• @timcraft made their first contribution in #348
• @dduugg made their first contribution in #360

Full Changelog: v3.2.2...v3.2.3

3.2.2

What's Changed

• Make precision calculation in bigdecimal.div(value, 0) gc-compaction safe by @tompng in #339

Full Changelog: v3.2.1...v3.2.2

3.2.1

What's Changed

• Enabled trusted publisher for rubygems.org by @hsbt in #333
• Fix division precision limit by @tompng in #335

Full Changelog: v3.2.0...v3.2.1

3.2.0

What's Changed

• Fix spec NoMethodError message for .allocator on truffle Ruby by @mrzasa in #313
• Remove outdated BigMath.atan document that refers to convergence by @tompng in #318
• Add a precision assertion to BigMath test by @tompng in #316
• Use Ractor#value as Ractor#take is removed by @ko1 in #327
• Indent multiline call-seq comment by @tompng in #311
• Integrate BigDecimal_div and BigDecimal_div2 by @tompng in #329
• Fix division rounding by @tompng in #330

New Contributors

• @tompng made their first contribution in #318
• @ko1 made their first contribution in #327

Full Changelog: v3.1.9...v3.2.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ console (indirect, 1.30.2 → 1.34.2) · Repo · Changelog

Release Notes

1.34.1 (from changelog)

• Add process_id to serialized output records for clarity (pid is still included for backwards compatibility).
  • Add object_id to serialized output records only when the subject is not a string or class/module.

1.34.0 (from changelog)

• Allow Console::Compatible::Logger#add to accept **options.

1.32.0 (from changelog)

• Add fiber_id to serialized output records to help identify which fiber logged the message.
• Ractor support appears broken in older Ruby versions, so we now require Ruby 3.4 or later for Ractor compatibility, if you need Ractor support.

1.31.0 (from changelog)

Ractor compatibility.

The console library now works correctly with Ruby's Ractor concurrency model. Previously, attempting to use console logging within Ractors would fail with errors about non-shareable objects. This has been fixed by ensuring the default configuration is properly frozen.

# This now works without errors:
ractor = Ractor.new do
require 'console'
Console.info('Hello from Ractor!')
'Ractor completed successfully'
end

result = ractor.take
puts result # => 'Ractor completed successfully'

The fix is minimal and maintains full backward compatibility while enabling safe parallel logging across multiple Ractors.

Symbol log level compatibility.

Previously, returning symbols from custom log_level methods in configuration files would cause runtime errors like "comparison of Integer with :debug failed". This has been fixed to properly convert symbols to their corresponding integer values.

# config/console.rb - This now works correctly:
def log_level(env = ENV)
	:debug  # Automatically converted to Console::Logger::LEVELS[:debug]
end

While this fix maintains backward compatibility, the recommended approach is still to use integer values directly:

# config/console.rb - Recommended approach:
def log_level(env = ENV)
	Console::Logger::LEVELS[:debug]  # Returns 0
end

Improved output format selection for cron jobs and email contexts.

When MAILTO environment variable is set (typically in cron jobs), the console library now prefers human-readable terminal output instead of JSON serialized output, even when the output stream is not a TTY. This ensures that cron job output sent via email is formatted in a readable way for administrators.

# Previously in cron jobs (non-TTY), this would output JSON:

# {"time":"2025-06-07T10:30:00Z","severity":"info","subject":"CronJob","message":["Task completed"]}

# Now with MAILTO set, it outputs human-readable format:
# 0.1s info: CronJob
# | Task completed

This change is conservative and only affects environments where MAILTO is explicitly set, ensuring compatibility with existing deployments.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ethon (indirect, 0.16.0 → 0.18.0) · Repo · Changelog

Release Notes

0.18.0 (from changelog)

Full Changelog

• Fixed verbose mode attempting to print binary SSL data by replacing it with a summary. (Felipe Mesquita, #265)
• Fixed on_headers callbacks being called once per header line instead of once for all headers. (Felipe Mesquita, #264)
• Stabilized test server boot on macOS by fixing IPv6/IPv4 localhost resolution and preventing orphaned processes. (Geremia Taglialatela, #261)
• Added logger to runtime dependencies for Ruby 3.5+ compatibility. (Geremia Taglialatela, #259)
• Opted-in for MFA requirement explicitly by adding rubygems_mfa_required metadata. (Geremia Taglialatela, #257)
• Removed redundant encoding and require_relative checks. (Geremia Taglialatela, #258)

0.17.0 (from changelog)

Full Changelog

• Require Ruby 2.6+ and simplify Gemfile. (Felipe Mesquita, #255)
• Fixed mismatched libcurl error codes in easy_codes array. (Felipe Mesquita, #253)
• Add Ruby 3.3 and 3.4, remove Ruby 2.5 from CI matrix. (Felipe Mesquita, #252)
• Skip test due to libcurl 8.7.x bug in CURLINFO_REQUEST_SIZE. (Felipe Mesquita, #251)
• Use Rackup::Handler.default for Rack 3 compatibility. (Vít Ondruch, #244)
• Add Ruby 3.1 and 3.2 to the test matrix. (Orien Madgwick, #228)
• Remove development and test files from the gem package. (Orien Madgwick, #227)
• Fix missing parenthesis in example. (Aleksey Tsalolikhin, #226)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ ffi (indirect, 1.17.1 → 1.17.2) · Repo · Changelog

Release Notes

1.17.2 (from changelog)

Fixed:

• #1144, #1145 Update libffi to 3.4.8 to fix installation issues on latest Macos on ARM64
• Various adjustments to run the specs cleanly on Ruby-3.5 master branch.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ fiber-storage (indirect, 1.0.0 → 1.0.1) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ io-event (indirect, 1.10.0 → 1.14.2) · Repo · Changelog

Release Notes

1.14.0 (from changelog)

Enhanced IO::Event::PriorityHeap with deletion and bulk insertion methods

The {ruby IO::Event::PriorityHeap} now supports efficient element removal and bulk insertion:

• delete(element): Remove a specific element from the heap in O(n) time
• delete_if(&block): Remove elements matching a condition with O(n) amortized bulk deletion
• concat(elements): Add multiple elements efficiently in O(n) time

heap = IO::Event::PriorityHeap.new

# Efficient bulk insertion - O(n) instead of O(n log n)
heap.concat([5, 2, 8, 1, 9, 3])

# Remove specific element
removed = heap.delete(5) # Returns 5, heap maintains order

# Bulk removal with condition
count = heap.delete_if{|x| x.even?} # Removes 2, 8 efficiently

The delete_if and concat methods are particularly efficient for bulk operations, using bottom-up heapification to maintain the heap property in O(n) time. This provides significant performance improvements:

• Bulk insertion: O(n log n) → O(n) for adding multiple elements
• Bulk deletion: O(k×n) → O(n) for removing k elements

Both methods maintain the heap invariant and include comprehensive test coverage with edge case validation.

1.11.2 (from changelog)

• Fix Windows build.

1.11.1 (from changelog)

• Fix read_nonblock when using the URing selector, which was not handling zero-length reads correctly. This allows reading available data without blocking.

1.11.0 (from changelog)

Introduce IO::Event::WorkerPool for off-loading blocking operations.

The {ruby IO::Event::WorkerPool} provides a mechanism for executing blocking operations on separate OS threads while properly integrating with Ruby's fiber scheduler and GVL (Global VM Lock) management. This enables true parallelism for CPU-intensive or blocking operations that would otherwise block the event loop.

# Fiber scheduler integration via blocking_operation_wait hook
class MyScheduler
def initialize
@worker_pool = IO::Event::WorkerPool.new
end

def blocking_operation_wait(operation)
@worker_pool.call(operation)
end
end

# Usage with automatic offloading
Fiber.set_scheduler(MyScheduler.new)
# Automatically offload rb_nogvl(..., RB_NOGVL_OFFLOAD_SAFE) to a background thread:
result = some_blocking_operation()

The implementation uses one or more background threads and a list of pending blocking operations. Those operations either execute through to completion or may be cancelled, which executes the "unblock function" provided to rb_nogvl.

1.10.2 (from changelog)

• Improved consistency of handling closed IO when invoking #select.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ json (indirect, 2.10.2 → 2.16.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ metrics (indirect, 0.12.2 → 0.15.0) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ nokogiri (indirect, 1.18.8 → 1.18.10) · Repo · Changelog

Security Advisories 🚨

🚨 Nokogiri patches vendored libxml2 to resolve multiple CVEs

Summary

Nokogiri v1.18.9 patches the vendored libxml2 to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796.

Impact and severity

CVE-2025-6021

A flaw was found in libxml2's xmlBuildQName function, where integer overflows in buffer size calculations can lead to a stack-based buffer overflow. This issue can result in memory corruption or a denial of service when processing crafted input.

NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/17d950ae

CVE-2025-6170

A flaw was found in the interactive shell of the xmllint command-line tool, used for parsing XML files. When a user inputs an overly long command, the program does not check the input size properly, which can cause it to crash. This issue might allow attackers to run harmful code in rare configurations without modern protections.

NVD claims a severity of 2.5 Low (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/5e9ec5c1

CVE-2025-49794

A use-after-free vulnerability was found in libxml2. This issue occurs when parsing XPath elements under certain circumstances when the XML schematron has the <sch:name path="..."/> schema elements. This flaw allows a malicious actor to craft a malicious XML document used as input for libxml, resulting in the program's crash using libxml or other possible undefined behaviors.

NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

CVE-2025-49795

A NULL pointer dereference vulnerability was found in libxml2 when processing XPath XML expressions. This flaw allows an attacker to craft a malicious XML input to libxml2, leading to a denial of service.

NVD claims a severity of 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/62048278

CVE-2025-49796

A vulnerability was found in libxml2. Processing certain sch:name elements from the input XML file can trigger a memory corruption issue. This flaw allows an attacker to craft a malicious XML input file that can lead libxml to crash, resulting in a denial of service or other possible undefined behavior due to sensitive data being corrupted in memory.

NVD claims a severity of 9.1 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H)

Fixed by applying https://gitlab.gnome.org/GNOME/libxml2/-/commit/81cef8c5

Affected Versions

• Nokogiri < 1.18.9 when using CRuby (MRI) with vendored libxml2

Patched Versions

• Nokogiri >= 1.18.9

Mitigation

Upgrade to Nokogiri v1.18.9 or later.

Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against patched external libxml2 libraries which will also address these same issues.

References

• #3526
• https://nvd.nist.gov/vuln/detail/CVE-2025-6021
• https://nvd.nist.gov/vuln/detail/CVE-2025-6170
• https://nvd.nist.gov/vuln/detail/CVE-2025-49794
• https://nvd.nist.gov/vuln/detail/CVE-2025-49795
• https://nvd.nist.gov/vuln/detail/CVE-2025-49796

Release Notes

1.18.10

v1.18.10 / 2025-09-15

Dependencies

• [CRuby] Vendored libxml2 is updated to v2.13.9. Note that the security fixes published in v2.13.9 were already present in Nokogiri v1.18.9.
• [CRuby] [Windows and MacOS] Vendored libiconv is updated to v1.18

sha256 checksums

7fb87235d729c74a2be635376d82b1d459230cc17c50300f8e4fcaabc6195344  nokogiri-1.18.10-aarch64-linux-gnu.gem
7e74e58314297cc8a8f1b533f7212d1999dbe2639a9ee6d97b483ea2acc18944  nokogiri-1.18.10-aarch64-linux-musl.gem
51f4f25ab5d5ba1012d6b16aad96b840a10b067b93f35af6a55a2c104a7ee322  nokogiri-1.18.10-arm-linux-gnu.gem
1c6ea754e51cecc85c30ee8ab1e6aa4ce6b6e134d01717e9290e79374a9e00aa  nokogiri-1.18.10-arm-linux-musl.gem
c2b0de30770f50b92c9323fa34a4e1cf5a0af322afcacd239cd66ee1c1b22c85  nokogiri-1.18.10-arm64-darwin.gem
cd431a09c45d84a2f870ba0b7e8f571199b3727d530f2b4888a73639f76510b5  nokogiri-1.18.10-java.gem
64f40d4a41af9f7f83a4e236ad0cf8cca621b97e31f727b1bebdae565a653104  nokogiri-1.18.10-x64-mingw-ucrt.gem
536e74bed6db2b5076769cab5e5f5af0cd1dccbbd75f1b3e1fa69d1f5c2d79e2  nokogiri-1.18.10-x86_64-darwin.gem
ff5ba26ba2dbce5c04b9ea200777fd225061d7a3930548806f31db907e500f72  nokogiri-1.18.10-x86_64-linux-gnu.gem
0651fccf8c2ebbc2475c8b1dfd7ccac3a0a6d09f8a41b72db8c21808cb483385  nokogiri-1.18.10-x86_64-linux-musl.gem
d5cc0731008aa3b3a87b361203ea3d19b2069628cb55e46ac7d84a0445e69cc1  nokogiri-1.18.10.gem

1.18.9

v1.18.9 / 2025-07-20

Security

• [CRuby] Applied upstream libxml2 patches to address CVE-2025-6021, CVE-2025-6170, CVE-2025-49794, CVE-2025-49795, and CVE-2025-49796. See GHSA-353f-x4gh-cqq8 for more information.

sha256 checksums

5bcfdf7aa8d1056a7ad5e52e1adffc64ef53d12d0724fbc6f458a3af1a4b9e32  nokogiri-1.18.9-aarch64-linux-gnu.gem
55e9e6ca46c4ad1715e313f407d8481d15be1e3b65d9f8e52ba1c124d01676a7  nokogiri-1.18.9-aarch64-linux-musl.gem
eea3f1f06463ff6309d3ff5b88033c4948d0da1ab3cc0a3a24f63c4d4a763979  nokogiri-1.18.9-arm64-darwin.gem
fe611ae65880e445a9c0f650d52327db239f3488626df4173c05beafd161d46e  nokogiri-1.18.9-arm-linux-gnu.gem
935605e14c0ba17da18d203922440bf6c0676c602659278d855d4622d756a324  nokogiri-1.18.9-arm-linux-musl.gem
ac5a7d93fd0e3cef388800b037407890882413feccca79eb0272a2715a82fa33  nokogiri-1.18.9.gem
1fe5b7aa4a054eda689a969bb4e03999960a6ea806582d327207d687168bceb5  nokogiri-1.18.9-java.gem
6b4fc1523aa0370c78653e38c94cb50e7f3ab786425de66ba7ad24222c1164a3  nokogiri-1.18.9-x64-mingw-ucrt.gem
e0d2deb03d3d7af8016e8c9df5ff4a7d692159cefb135cbb6a4109f265652348  nokogiri-1.18.9-x86_64-darwin.gem
b52f5defedc53d14f71eeaaf990da66b077e1918a2e13088b6a96d0230f44360  nokogiri-1.18.9-x86_64-linux-gnu.gem
e69359d6240c17e64cc9f43970d54f13bfc7b8cc516b819228f687e953425e69  nokogiri-1.18.9-x86_64-linux-musl.gem

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ pdf-reader (indirect, 2.14.1 → 2.15.0) · Repo · Changelog

Release Notes

2.15.0 (from changelog)

  - multiple PRs, but mainly #562
  - See https://railsatscale.com/2025-04-23-rbs-support-for-sorbet/
  - No impact expected for most users, but projects that use sorbet may find subtle changes in
    the RBI file that is shipped with the gem
  - Some files with passwords > 32 bytes long (#555)
  - Some files that contain cipher text with a 16 byte IV and no further blocks (#561)
  - Some files that encrypted data with no padding (#564)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ public_suffix (indirect, 6.0.1 → 6.0.2) · Repo · Changelog

Release Notes

6.0.2 (from changelog)

Changed

• Updated definitions.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ traces (indirect, 0.15.2 → 0.18.2) · Repo · Changelog

Release Notes

0.18.1 (from changelog)

• Don't call prepare in traces/provider.rb. It can cause circular loading warnings.

0.18.0 (from changelog)

• W3C Baggage Support - Full support for W3C Baggage specification for application-specific context propagation.

New Context Propagation Interfaces

Traces#trace_context and Traces.trace_context are insufficient for efficient inter-process tracing when using OpenTelemetry. That is because OpenTelemetry has it's own "Context" concept with arbitrary key-value storage (of which the current span is one such key/value pair). Unfortunately, OpenTelemetry requires those values to be propagated "inter-process" while ignores them for "intra-process" tracing.

Therefore, in order to propagate this context, we introduce 4 new methods:

• Traces.current_context - Capture the current trace context for local propagation between execution contexts (threads, fibers).
• Traces.with_context(context) - Execute code within a specific trace context, with automatic restoration when used with blocks.
• Traces.inject(headers = nil, context = nil) - Inject W3C Trace Context headers into a headers hash for distributed propagation.
• Traces.extract(headers) - Extract trace context from W3C Trace Context headers.

The default implementation is built on top of Traces.trace_context, however these methods can be replaced by the backend. In that case, the context object is opaque, in other words it is library-specific, and you should not assume it is an instance of Traces::Context.

0.17.0 (from changelog)

• Remove support for resource: keyword argument with no direct replacement – use an attribute instead.

0.16.0 (from changelog)

• Introduce traces:provider:list command to list all available trace providers.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ zeitwerk (indirect, 2.7.2 → 2.7.3) · Repo · Changelog

Release Notes

2.7.3 (from changelog)

• The helper Zeitwerk::Loader#cpath_expected_at did not work correctly if the inflector had logic that relied on the absolute path of the given file or directory. This has been fixed.

  This bug was found by Codex.

• Perpetual internal work.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

🆕 benchmark (added, 0.5.0)

🆕 logger (added, 1.7.0)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[netlify]

✅ Deploy Preview for techworkersberlin ready!

Name	Link
🔨 Latest commit	f20e9ca
🔍 Latest deploy log	https://app.netlify.com/projects/techworkersberlin/deploys/691d0562bc151000082f1c7f
😎 Deploy Preview	https://deploy-preview-318--techworkersberlin.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.