
Bump the dependencies group across 1 directory with 8 updates #290

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/bundler/dependencies-3404ded483

Conversation

dependabot bot commented on behalf of github Mar 20, 2026

Bumps the dependencies group with 4 updates in the / directory: rspec-rails, json, action_text-trix and timeout.

Updates rspec-rails from 8.0.3 to 8.0.4

Changelog

Sourced from rspec-rails's changelog.

8.0.4 / 2026-03-10

Full Changelog

Released to relax version constraint for rspec to allow 4.0.0.beta1.

Commits

Updates json from 2.18.1 to 2.19.2

Release notes

Sourced from json's releases.

v2.19.2

What's Changed

  • Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: ruby/json@v2.19.1...v2.19.2

v2.19.1

What's Changed

  • Fix a compiler dependent GC bug introduced in 2.18.0.

Full Changelog: ruby/json@v2.19.0...v2.19.1

v2.19.0

What's Changed

  • Fix allow_blank parsing option to no longer allow invalid types (e.g. load([], allow_blank: true) now raises a type error).
  • Add allow_invalid_escape parsing option to ignore backslashes that aren't followed by one of the valid escape characters.

Full Changelog: ruby/json@v2.18.1...v2.19.0

Changelog

Sourced from json's changelog.

2026-03-18 (2.19.2)

  • Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210.

2026-03-08 (2.19.1)

  • Fix a compiler dependent GC bug introduced in 2.18.0.

2026-03-06 (2.19.0)

  • Fix allow_blank parsing option to no longer allow invalid types (e.g. load([], allow_blank: true) now raises a type error).
  • Add allow_invalid_escape parsing option to ignore backslashes that aren't followed by one of the valid escape characters.

Commits
  • 54f8a87 Release 2.19.2
  • 393b41c Fix a format string injection vulnerability
  • dbf6bb1 Merge pull request #953 from ruby/dependabot/github_actions/actions/create-gi...
  • 7187315 Bump actions/create-github-app-token from 2 to 3
  • 4a42a04 Release 2.19.1
  • 13689c2 Add missing GC_GUARD in fbuffer_append_str
  • a11acc1 Release 2.19.0
  • 0a4fb79 fbuffer.h: Use size_t over unsigned long
  • a29fcdc Add depth validation to Jruby and TruffleRuby implementations
  • de993aa Reject negative depth; add overflow guards to prevent hang/crash
  • Additional commits viewable in compare view

Updates action_text-trix from 2.1.16 to 2.1.17

Release notes

Sourced from action_text-trix's releases.

v2.1.17

Security

Bug fixes

Infrastructure/CI

Chores

New Contributors

Full Changelog: basecamp/trix@v2.1.16...v2.1.17

Commits
  • 2e46d51 v2.1.17
  • 53197ab Merge pull request #1282 from basecamp/h1-3581911-serialized-attr
  • 3229c29 Fix stored XSS via data-trix-serialized-attributes sanitizer bypass (H1 #3581...
  • 7069343 Merge pull request #1239 from Cromian/patch-1
  • d9dbf0a Merge pull request #1280 from basecamp/fix-bullets-merging-with-prior-element
  • bef13e2 Fix bullets merging with prior elements when the first node is removed
  • 194a36c Merge pull request #1275 from basecamp/flavorjones/wtr-failure-messages
  • c94abe6 Use source-map to get better test failure messages
  • 6f6ab9a Test runner reporter emits failure details
  • 1d2d1a3 Merge pull request #1276 from basecamp/flavorjones/ci-green-20260109
  • Additional commits viewable in compare view

Updates loofah from 2.25.0 to 2.25.1

Release notes

Sourced from loofah's releases.

2.25.1 / 2026-03-17

Changelog

Sourced from loofah's changelog.

2.25.1 / 2026-03-17

Commits
  • c895c8b version bump to v2.25.1
  • f4ebc9c Merge pull request #302 from flavorjones/flavorjones/better-allowed-uri
  • 9f4e5db Update allowed_uri? to handle unescaped whitespace entities
  • e6f4751 doc: Move security reporting to Github
  • See full diff in compare view

Updates nokogiri from 1.19.1 to 1.19.2

Release notes

Sourced from nokogiri's releases.

v1.19.2 / 2026-03-19

Dependencies

  • [JRuby] Saxon-HE is updated to 12.7, from 9.6.0-4. Saxon-HE is a transitive dependency of nu.validator:jing, and this update addresses CVEs in Saxon-HE's own transitive dependencies JDOM and dom4j. We don't think this warrants a security release, however we're cutting a patch release to help users whose security scanners are flagging this. #3611 @flavorjones

SHA256 Checksums

c34d5c8208025587554608e98fd88ab125b29c80f9352b821964e9a5d5cfbd19  nokogiri-1.19.2-aarch64-linux-gnu.gem
7f6b4b0202d507326841a4f790294bf75098aef50c7173443812e3ac5cb06515  nokogiri-1.19.2-aarch64-linux-musl.gem
b7fa1139016f3dc850bda1260988f0d749934a939d04ef2da13bec060d7d5081  nokogiri-1.19.2-arm-linux-gnu.gem
61114d44f6742ff72194a1b3020967201e2eb982814778d130f6471c11f9828c  nokogiri-1.19.2-arm-linux-musl.gem
58d8ea2e31a967b843b70487a44c14c8ba1866daa1b9da9be9dbdf1b43dee205  nokogiri-1.19.2-arm64-darwin.gem
e9d67034bc80ca71043040beea8a91be5dc99b662daa38a2bfb361b7a2cc8717  nokogiri-1.19.2-java.gem
8ccf25eea3363a2c7b3f2e173a3400582c633cfead27f805df9a9c56d4852d1a  nokogiri-1.19.2-x64-mingw-ucrt.gem
7d9af11fda72dfaa2961d8c4d5380ca0b51bc389dc5f8d4b859b9644f195e7a4  nokogiri-1.19.2-x86_64-darwin.gem
fa8feca882b73e871a9845f3817a72e9734c8e974bdc4fbad6e4bc6e8076b94f  nokogiri-1.19.2-x86_64-linux-gnu.gem
93128448e61a9383a30baef041bf1f5817e22f297a1d400521e90294445069a8  nokogiri-1.19.2-x86_64-linux-musl.gem
38fdd8b59db3d5ea9e7dfb14702e882b9bf819198d5bf976f17ebce12c481756  nokogiri-1.19.2.gem

Full Changelog: sparklemotion/nokogiri@v1.19.1...v1.19.2
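Anyone who fetches a platform gem out of band (to vendor it, or to pin it behind an internal proxy) should check the download against the checksums published in the release notes above rather than trusting the transport. The Ruby below is an added example written for this page, not nokogiri's release tooling and not part of this PR. It parses the list above into a table, hashes a file, and fails closed both on a digest mismatch and on a file name the list does not cover. The demo uses a constructed file (the three bytes "abc", whose SHA-256 is the standard test vector) in place of a real download; the table, file names and function names are this example's own.

```ruby
require "digest"
require "tmpdir"

# Copied verbatim from the nokogiri v1.19.2 release notes above (sha256sum format).
NOKOGIRI_1_19_2_SHA256 = <<~SUMS
  c34d5c8208025587554608e98fd88ab125b29c80f9352b821964e9a5d5cfbd19  nokogiri-1.19.2-aarch64-linux-gnu.gem
  7f6b4b0202d507326841a4f790294bf75098aef50c7173443812e3ac5cb06515  nokogiri-1.19.2-aarch64-linux-musl.gem
  b7fa1139016f3dc850bda1260988f0d749934a939d04ef2da13bec060d7d5081  nokogiri-1.19.2-arm-linux-gnu.gem
  61114d44f6742ff72194a1b3020967201e2eb982814778d130f6471c11f9828c  nokogiri-1.19.2-arm-linux-musl.gem
  58d8ea2e31a967b843b70487a44c14c8ba1866daa1b9da9be9dbdf1b43dee205  nokogiri-1.19.2-arm64-darwin.gem
  e9d67034bc80ca71043040beea8a91be5dc99b662daa38a2bfb361b7a2cc8717  nokogiri-1.19.2-java.gem
  8ccf25eea3363a2c7b3f2e173a3400582c633cfead27f805df9a9c56d4852d1a  nokogiri-1.19.2-x64-mingw-ucrt.gem
  7d9af11fda72dfaa2961d8c4d5380ca0b51bc389dc5f8d4b859b9644f195e7a4  nokogiri-1.19.2-x86_64-darwin.gem
  fa8feca882b73e871a9845f3817a72e9734c8e974bdc4fbad6e4bc6e8076b94f  nokogiri-1.19.2-x86_64-linux-gnu.gem
  93128448e61a9383a30baef041bf1f5817e22f297a1d400521e90294445069a8  nokogiri-1.19.2-x86_64-linux-musl.gem
  38fdd8b59db3d5ea9e7dfb14702e882b9bf819198d5bf976f17ebce12c481756  nokogiri-1.19.2.gem
SUMS

# SHA-256 of the three bytes "abc" (the FIPS 180 test vector); stands in for a real
# download in the demo below.
ABC_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

# Parse "<64 hex digits>  <filename>" lines into { filename => digest }.
# Anything that is not a well-formed entry is dropped rather than trusted.
def parse_checksums(text)
  text.each_line.with_object({}) do |line, sums|
    digest, name = line.strip.split(/\s+/, 2)
    next unless digest && name && digest.match?(/\A\h{64}\z/)
    sums[name] = digest.downcase
  end
end

# Digest::SHA256.file streams the file, so a multi-megabyte gem is not slurped into memory.
def sha256_file(path)
  Digest::SHA256.file(path).hexdigest
end

# Verify one .gem against the published table.
# Returns [:ok | :mismatch | :unknown, actual_digest]. :unknown (file name absent from
# the list) counts as a failure: renaming a file is as easy as tampering with it.
def verify_gem(path, sums)
  actual = sha256_file(path)
  expected = sums[File.basename(path)]
  return [:unknown, actual] if expected.nil?
  [expected == actual ? :ok : :mismatch, actual]
end

# Verify every .gem in a directory. An empty directory also fails, so a typo in the
# path cannot pass as "nothing to check". Returns [all_ok, { filename => status }].
def verify_gem_dir(dir, sums)
  results = Dir.glob(File.join(dir, "*.gem")).sort.to_h do |path|
    [File.basename(path), verify_gem(path, sums).first]
  end
  [!results.empty? && results.values.all?(:ok), results]
end

# Constructed demonstration: a fake nokogiri-1.19.2.gem containing "abc", checked against
# a table holding the known SHA-256 of "abc". For the real check, pass
# parse_checksums(NOKOGIRI_1_19_2_SHA256) and the directory holding the downloads.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "nokogiri-1.19.2.gem"), "abc")
    verify_gem_dir(dir, { "nokogiri-1.19.2.gem" => ABC_SHA256 })
  end
end
```

Against real downloads, `shasum -a 256 -c` run over the pasted list gives the same verdict; parsing in Ruby is useful when the check has to live inside the script that fetches the gem, and the :unknown status is what catches a file the published list never mentioned.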

Changelog

Sourced from nokogiri's changelog.

v1.19.2 / 2026-03-19

Dependencies

  • [JRuby] Saxon-HE is updated to 12.7, from 9.6.0-4. Saxon-HE is a transitive dependency of nu.validator:jing, and this update addresses CVEs in Saxon-HE's own transitive dependencies JDOM and dom4j. We don't think this warrants a security release, however we're cutting a patch release to help users whose security scanners are flagging this. #3611 @flavorjones

Commits
  • 6f5d025 version bump to v1.19.2
  • 6d4677f dep: upgrade Saxon-HE from 9.6.0-4 to 12.7 [v1.19.x backport] (#3614)
  • acf9527 dep: upgrade Saxon-HE from 9.6.0-4 to 12.7
  • b42e620 Skip compressed file SAX test on libxml2 >= 2.15
  • See full diff in compare view

Updates rails-html-sanitizer from 1.6.2 to 1.7.0

Release notes

Sourced from rails-html-sanitizer's releases.

v1.7.0 / 2026-02-24

  • Add Rails::HTML::Sanitizer.allowed_uri? which delegates to Loofah::HTML5::Scrub.allowed_uri?, allowing the Rails framework to check URI safety without a direct dependency on Loofah.

    The minimum Loofah dependency is now ~> 2.25.

    Mike Dalessio @​flavorjones

Changelog

Sourced from rails-html-sanitizer's changelog.

v1.7.0 / 2026-02-24

  • Add Rails::HTML::Sanitizer.allowed_uri? which delegates to Loofah::HTML5::Scrub.allowed_uri?, allowing the Rails framework to check URI safety without a direct dependency on Loofah.

    The minimum Loofah dependency is now ~> 2.25.

    Mike Dalessio

Commits
  • a8a0413 version bump to v1.7.0
  • ea9e7a4 Merge pull request #214 from rails/add-allowed-uri
  • f26dc35 Add Rails::HTML::Sanitizer.allowed_uri? delegating to Loofah
  • cc83f51 Merge pull request #213 from rails/flavorjones/ruby-4-support
  • ee54515 dev: ruby 4 support
  • 2a8fe89 Merge pull request #208 from rails/dependabot/bundler/rack-3.1.17
  • 2b0ecc7 build(deps-dev): bump rack from 3.1.16 to 3.1.17
  • c7ab9f2 Merge pull request #206 from rails/dependabot/bundler/rack-3.1.16
  • 0283ca4 build(deps-dev): bump rack from 3.1.14 to 3.1.16
  • ba7a284 Merge pull request #204 from rails/dependabot/bundler/rack-3.1.14
  • Additional commits viewable in compare view

Updates rspec-mocks from 3.13.7 to 3.13.8

Changelog

Sourced from rspec-mocks's changelog.

3.13.8 / 2026-02-27

Full Changelog

Bug Fixes:

  • Improve thread safety of mocks invocation recording. (Chad Wilson, #286)
  • Expand any_instance warning about prepended methods to private/protected methods. (Alex Dean, #297)

Commits

Updates timeout from 0.6.0 to 0.6.1

Release notes

Sourced from timeout's releases.

v0.6.1

What's Changed

New Contributors

Full Changelog: ruby/timeout@v0.6.0...v0.6.1

Commits
  • 951e802 Bump version to 0.6.1
  • 9b93553 Remove warnings
  • e4aa360 Fix timing-dependent test
  • 55d7c84 Compatibility with Fiber scheduler. (#97)
  • 35504ba Merge pull request #98 from ruby/dependabot/github_actions/step-security/hard...
  • 5c0e61e Bump step-security/harden-runner from 2.15.0 to 2.15.1
  • f4e1caf Merge pull request #96 from ruby/dependabot/github_actions/step-security/hard...
  • 7960b04 Bump step-security/harden-runner from 2.14.2 to 2.15.0
  • 29e4fd3 Merge pull request #95 from ruby/dependabot/github_actions/step-security/hard...
  • ccbc5e6 Bump step-security/harden-runner from 2.14.1 to 2.14.2
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the dependencies group with 4 updates in the / directory: [rspec-rails](https://github.com/rspec/rspec-rails), [json](https://github.com/ruby/json), [action_text-trix](https://github.com/basecamp/trix) and [timeout](https://github.com/ruby/timeout).


Updates `rspec-rails` from 8.0.3 to 8.0.4
- [Changelog](https://github.com/rspec/rspec-rails/blob/main/Changelog.md)
- [Commits](rspec/rspec-rails@v8.0.3...v8.0.4)

Updates `json` from 2.18.1 to 2.19.2
- [Release notes](https://github.com/ruby/json/releases)
- [Changelog](https://github.com/ruby/json/blob/master/CHANGES.md)
- [Commits](ruby/json@v2.18.1...v2.19.2)

Updates `action_text-trix` from 2.1.16 to 2.1.17
- [Release notes](https://github.com/basecamp/trix/releases)
- [Commits](basecamp/trix@v2.1.16...v2.1.17)

Updates `loofah` from 2.25.0 to 2.25.1
- [Release notes](https://github.com/flavorjones/loofah/releases)
- [Changelog](https://github.com/flavorjones/loofah/blob/main/CHANGELOG.md)
- [Commits](flavorjones/loofah@v2.25.0...v2.25.1)

Updates `nokogiri` from 1.19.1 to 1.19.2
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.19.1...v1.19.2)

Updates `rails-html-sanitizer` from 1.6.2 to 1.7.0
- [Release notes](https://github.com/rails/rails-html-sanitizer/releases)
- [Changelog](https://github.com/rails/rails-html-sanitizer/blob/main/CHANGELOG.md)
- [Commits](rails/rails-html-sanitizer@v1.6.2...v1.7.0)

Updates `rspec-mocks` from 3.13.7 to 3.13.8
- [Changelog](https://github.com/rspec/rspec/blob/rspec-mocks-v3.13.8/rspec-mocks/Changelog.md)
- [Commits](rspec/rspec@rspec-mocks-v3.13.7...rspec-mocks-v3.13.8)

Updates `timeout` from 0.6.0 to 0.6.1
- [Release notes](https://github.com/ruby/timeout/releases)
- [Commits](ruby/timeout@v0.6.0...v0.6.1)

---
updated-dependencies:
- dependency-name: rspec-rails
  dependency-version: 8.0.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: json
  dependency-version: 2.19.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: action_text-trix
  dependency-version: 2.1.17
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: loofah
  dependency-version: 2.25.1
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: nokogiri
  dependency-version: 1.19.2
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: rails-html-sanitizer
  dependency-version: 1.7.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: rspec-mocks
  dependency-version: 3.13.8
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: timeout
  dependency-version: 0.6.1
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies and ruby (Pull requests that update ruby code) labels Mar 20, 2026
dependabot bot commented on behalf of github Mar 25, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Mar 25, 2026
@dependabot dependabot bot deleted the dependabot/bundler/dependencies-3404ded483 branch March 25, 2026 18:04
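Because this PR was closed unmerged on the grounds that the dependencies were updatable another way, the thing left to verify is that the project's Gemfile.lock actually resolved to the fixed versions, in particular json >= 2.19.2 (CVE-2026-33210) and action_text-trix >= 2.1.17 (the stored XSS fix). The Ruby below is an added example, not project code and not a Dependabot feature: it parses the `specs:` blocks of a Gemfile.lock, strips platform suffixes so that Gem::Version compares correctly, and reports every gem from this PR's list that is locked below its floor. SAMPLE_LOCKFILE is a constructed excerpt for the demonstration, and the version floors are the ones listed in this PR.

```ruby
require "rubygems"

# Minimum versions taken from the update list in this PR. The references in comments are
# the ones the changelogs above cite; the remaining entries are plain version floors.
FIXED_VERSIONS = {
  "json"                 => "2.19.2", # CVE-2026-33210, JSON.parse(doc, allow_duplicate_key: false)
  "action_text-trix"     => "2.1.17", # stored XSS via data-trix-serialized-attributes (H1 #3581911)
  "loofah"               => "2.25.1",
  "nokogiri"             => "1.19.2", # Saxon-HE transitive CVEs, JRuby builds only
  "rails-html-sanitizer" => "1.7.0",
  "rspec-rails"          => "8.0.4",
  "rspec-mocks"          => "3.13.8",
  "timeout"              => "0.6.1",
}.freeze

# Constructed Gemfile.lock excerpt for the demonstration (not the project's real lockfile).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.6)
      json (2.18.1)
      loofah (2.25.1)
        crass (~> 1.0.2)
        nokogiri (>= 1.12.0)
      nokogiri (1.19.1-arm64-darwin)
        racc (~> 1.4)
      nokogiri (1.19.1-x86_64-linux)
        racc (~> 1.4)
      racc (1.8.1)
      rails-html-sanitizer (1.7.0)
        loofah (~> 2.21)
        nokogiri (>= 1.15.7, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0)
      rspec-rails (8.0.4)
      timeout (0.6.1)

  PLATFORMS
    arm64-darwin
    x86_64-linux

  DEPENDENCIES
    json
    rails-html-sanitizer
    rspec-rails
LOCK

# Walk every "specs:" block (GEM, GIT and PATH sections each have one) and collect the
# resolved version of each gem. Resolved gems sit at four-space indent; the six-space
# lines beneath them are dependency constraints, not versions, and are skipped.
def parse_lockfile_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line.start_with?("  specs:")
      in_specs = true
      next
    end
    in_specs = false if line.match?(/\A\S/) # GEM / PLATFORMS / DEPENDENCIES close the block
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    next unless m
    name, raw = m[1], m[2]
    # Drop a platform suffix such as "1.19.1-x86_64-linux": Gem::Version rewrites "-" as
    # ".pre." and would rank the string as a prerelease *below* 1.19.1.
    version = Gem::Version.new(raw.split("-", 2).first)
    # Platform variants of one gem share a version in a consistent lockfile; keeping the
    # lowest seen means an inconsistent file can only make the audit stricter.
    specs[name] = [specs[name], version].compact.min
  end
  specs
end

# Compare the lockfile against the floors. Returns [[name, resolved, required], ...] for
# every gem that is present but below its floor; gems the app does not use are not reported.
def audit_lockfile(text, minimums = FIXED_VERSIONS)
  specs = parse_lockfile_specs(text)
  minimums.filter_map do |name, floor|
    have = specs[name]
    next if have.nil?
    [name, have.to_s, floor] if have < Gem::Version.new(floor)
  end
end

# CLI entry point: `ruby audit_lock.rb Gemfile.lock` exits non-zero when anything is below
# its floor, which is the shape a CI gate wants.
if __FILE__ == $PROGRAM_NAME && !ARGV.empty?
  findings = audit_lockfile(File.read(ARGV[0]))
  findings.each { |name, have, need| warn "#{name}: locked at #{have}, need >= #{need}" }
  exit(findings.empty? ? 0 : 1)
end
```

The platform-suffix handling is the part that is easy to get wrong: a lockfile with native gems lists entries like `nokogiri (1.19.1-x86_64-linux)`, and a naive `Gem::Version.new` on that string compares as a prerelease of 1.19.1, so a check that forgot to strip the suffix would flag a correctly updated 1.19.2 build as still vulnerable.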