🚨 [security] [ruby] Update standard 1.35.1 → 1.44.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ standard (1.35.1 → 1.44.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ json (indirect, 2.7.1 → 2.9.1) · Repo · Changelog

Release Notes

2.9.1

What's Changed

• Add support for Solaris 10 which lacks strnlen()

2.9.0

What's Changed

• Fix C implementation of script_safe escaping to not confuse some other 3 wide characters with \u2028 and \u2029.
  e.g. JSON.generate(["倩", "瀨"], script_safe: true) would generate the wrong JSON.
• JSON.dump(object, some_io) now write into the IO in chunks while previously it would buffer the entire JSON before writing.
• JSON::GeneratorError now has a #invalid_object attribute, making it easier to understand why an object tree cannot be serialized.
• Numerous improvements to the JRuby extension.

Full Changelog: v2.8.2...v2.9.0

2.8.2

What's Changed

• JSON.load_file: explictly load the file as UTF-8

Full Changelog: v2.8.1...v2.8.2

2.8.1

• Fix the java version of the package to include the extension implementation. Only concerns JRuby.

Full Changelog: v2.8.0...v2.8.1

2.8.0

What's Changed

• Emit a deprecation warning when JSON.load create custom types without the create_additions option being explictly enabled.
  • Prefer to use JSON.unsafe_load(string) or JSON.load(string, create_additions: true).
• Emit a deprecation warning when serializing valid UTF-8 strings encoded in ASCII_8BIT aka BINARY.
• Bump required Ruby version to 2.7.
• Add support for optionally parsing trailing commas, via allow_trailing_comma: true, which in cunjunction with the
  pre-existing support for comments, make it suitable to parse jsonc documents.
• Many performance improvements to JSON.parse and JSON.load, up to 1.7x faster on real world documents.
• Some minor performance improvements to JSON.dump and JSON.generate.

Parsing performance

Parsing performance is improved by 50-70% on realistic benchmarks, and even more on micro-benchmarks: https://gist.github.com/casperisfine/cf4b3a0594fae24b7d0eb93daaf3841a

== Parsing activitypub.json (58160 bytes)
ruby 3.4.0dev (2024-11-06T07:59:09Z precompute-hash-wh.. 7943f98a8a) +YJIT +PRISM [arm64-darwin24]
Warming up --------------------------------------
          json 2.7.2   638.000 i/100ms
                  oj   798.000 i/100ms
          Oj::Parser   948.000 i/100ms
           rapidjson   631.000 i/100ms
Calculating -------------------------------------
          json 2.7.2      6.423k (± 1.3%) i/s  (155.70 μs/i) -     32.538k in   5.067149s
                  oj      7.989k (± 1.0%) i/s  (125.17 μs/i) -     40.698k in   5.094544s
          Oj::Parser      9.472k (± 1.3%) i/s  (105.58 μs/i) -     47.400k in   5.005119s
           rapidjson      6.354k (± 1.1%) i/s  (157.37 μs/i) -     32.181k in   5.064962s
Comparison:

json 2.8.0:     9510.0 i/s

Oj::Parser:     9471.9 i/s - same-ish: difference falls within error

oj:     7989.4 i/s - 1.19x  slower

json 2.7.2:     6422.5 i/s - 1.48x  slower

rapidjson:     6354.5 i/s - 1.50x  slower
== Parsing twitter.json (567916 bytes)

ruby 3.4.0dev (2024-11-06T07:59:09Z precompute-hash-wh.. 7943f98a8a) +YJIT +PRISM [arm64-darwin24]

Warming up --------------------------------------

json 2.7.2    52.000 i/100ms

oj    64.000 i/100ms

Oj::Parser    76.000 i/100ms

rapidjson    57.000 i/100ms

Calculating -------------------------------------

json 2.7.2    526.860 (± 3.8%) i/s    (1.90 ms/i) -      2.652k in   5.042680s

oj    631.234 (± 1.7%) i/s    (1.58 ms/i) -      3.200k in   5.070973s

Oj::Parser    764.354 (± 3.5%) i/s    (1.31 ms/i) -      3.876k in   5.077736s

rapidjson    579.085 (± 2.8%) i/s    (1.73 ms/i) -      2.907k in   5.024620s
Comparison:

json 2.8.0:      884.0 i/s

Oj::Parser:      764.4 i/s - 1.16x  slower

oj:      631.2 i/s - 1.40x  slower

rapidjson:      579.1 i/s - 1.53x  slower

json 2.7.2:      526.9 i/s - 1.68x  slower
== Parsing citm_catalog.json (1727030 bytes)

ruby 3.4.0dev (2024-11-06T07:59:09Z precompute-hash-wh.. 7943f98a8a) +YJIT +PRISM [arm64-darwin24]

Warming up --------------------------------------

json 2.7.2    30.000 i/100ms

oj    35.000 i/100ms

Oj::Parser    45.000 i/100ms

rapidjson    40.000 i/100ms

Calculating -------------------------------------

json 2.7.2    304.584 (± 3.3%) i/s    (3.28 ms/i) -      1.530k in   5.029021s

oj    358.572 (± 0.8%) i/s    (2.79 ms/i) -      1.820k in   5.076123s

Oj::Parser    450.643 (± 3.1%) i/s    (2.22 ms/i) -      2.295k in   5.098150s

rapidjson    395.304 (± 1.5%) i/s    (2.53 ms/i) -      2.000k in   5.060537s
Comparison:

json 2.8.0:      449.8 i/s

Oj::Parser:      450.6 i/s - same-ish: difference falls within error

rapidjson:      395.3 i/s - 1.14x  slower

oj:      358.6 i/s - 1.25x  slower

json 2.7.2:      304.6 i/s - 1.48x  slower

Full Changelog: v2.7.3...v2.8.0

2.7.6

• Fix a regression in JSON.generate when dealing with Hash keys that are string subclasses, call to_json on them.

Full Changelog: v2.7.5...v2.7.6

2.7.5

What's Changed

• Fix a memory leak when #to_json methods raise an exception.
• Gracefully handle formatting configs being set to nil instead of "".
• Workaround another issue caused by conflicting versions of both json_pure and json being loaded.

Full Changelog: v2.7.4...v2.7.5

2.7.4

What's Changed

• Workaround a bug in 3.4.8 and older rubygems/rubygems#6490.
  This bug would cause some gems with native extension to fail during compilation.
• Workaround different versions of json and json_pure being loaded (not officially supported).
• Make json_pure Ractor compatible.

Full Changelog: v2.7.3...v2.7.4

2.7.3

What's Changed

• Numerous performance optimizations in JSON.generate and JSON.dump (up to 2 times faster).
• Limit the size of ParserError exception messages, only include up to 32 bytes of the unparseable source.
• Fix json-pure's Object#to_json to accept non state arguments
• Fix multiline comment support in json-pure.
• Fix JSON.parse to no longer mutate the argument encoding when passed an ASCII-8BIT string.
• Fix String#to_json to raise on invalid encoding in json-pure.
• Delete code that was based on CVTUTF.
• Use the pure-Ruby generator on TruffleRuby.
• Fix strict mode in json-pure to not break on Integer.

JSON.dump Performance

JSON.dump is now much faster, and on par or faster than alternative implementations:

== Encoding citm_catalog.json (500298 bytes)
ruby 3.4.0preview2 (2024-10-07 master 32c733f57b) +YJIT +PRISM [arm64-darwin23]
Warming up --------------------------------------
        json (2.7.3)   123.000 i/100ms
                  oj   124.000 i/100ms
Calculating -------------------------------------
        json (2.7.3)      1.312k (± 1.8%) i/s  (761.91 μs/i) -      6.642k in   5.062192s
                  oj      1.278k (± 2.0%) i/s  (782.35 μs/i) -      6.448k in   5.046587s
Comparison:

json (2.7.2):      884.0 i/s

json (2.7.3):     1312.5 i/s - 1.48x  faster

oj:     1278.2 i/s - 1.45x  faster

== Encoding twitter.json (466906 bytes)
ruby 3.4.0preview2 (2024-10-07 master 32c733f57b) +YJIT +PRISM [arm64-darwin23]
Warming up --------------------------------------
        json (2.7.3)   213.000 i/100ms
                  oj   222.000 i/100ms
Calculating -------------------------------------
        json (2.7.3)      2.140k (± 2.8%) i/s  (467.19 μs/i) -     10.863k in   5.079099s
                  oj      2.303k (± 3.2%) i/s  (434.27 μs/i) -     11.544k in   5.018239s

Comparison:
        json (2.7.2):     1250.5 i/s
                  oj:     2302.7 i/s - 1.84x  faster
        json (2.7.3):     2140.5 i/s - 1.71x  faster

Full Changelog: ruby/json@v2.7.2...v2.7.3

2.7.2

What's Changed

• Use rb_sym2str instead of SYM2ID by @jhawthorn in #561
• Fix memory leak when exception is raised during JSON generation by @peterzhu2118 in #574
• Remove references to "19" methods in JRuby by @headius in #576
• Make OpenStruct support as optional by @hsbt in #565
• Autoload JSON::GenericObject to avoid require ostruct warning in Ruby 3.4 by @tompng in #577
• Warn to install ostruct if json couldn't load it by @hsbt in #578

New Contributors

• @mperham made their first contribution in #571
• @peterzhu2118 made their first contribution in #574

Full Changelog: v2.7.1...v2.7.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ parallel (indirect, 1.24.0 → 1.26.3) · Repo

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ parser (indirect, 3.3.1.0 → 3.3.6.0) · Repo · Changelog

Release Notes

3.3.6.0 (from changelog)

API modifications:

• Bump maintenance branches to 3.3.6 (#1045) (Koichi ITO)

3.3.5.1 (from changelog)

API modifications:

• Bump maintenance branches to 3.2.6 (#1044) (Koichi ITO)

3.3.5.0 (from changelog)

API modifications:

• Bump maintenance branches to 3.3.5 (#1039) (Koichi ITO)

3.3.4.1 (from changelog)

API modifications:

• Bump 3.2 branch to 3.2.5. (#1036) (Ilya Bylich)
• Bump Racc to 1.8.1 (#1031) (Koichi ITO)

Bugs fixed:

• builder.rb: catch encoding errors when parsing invalid encoding regexp (#1033) (Earlopain)

3.3.4.0 (from changelog)

API modifications:

• Bump maintenance branches to 3.3.4 (#1027) (Koichi ITO)

3.3.3.0 (from changelog)

API modifications:

• Bump maintenance branches to 3.3.3 (#1023) (Koichi ITO)
• Bump Racc to 1.8.0 (#1018) (Koichi ITO)

3.3.2.0 (from changelog)

API modifications:

• Bump 3.3 branch to 3.3.2 (Ilya Bylich)
• Bump 3.1 branch to 3.1.6 (#1014) (Koichi ITO)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ racc (indirect, 1.7.3 → 1.8.1) · Repo · Changelog

Release Notes

1.8.1

What's Changed

• Use require_relative in the Racc codebase by @koic in #269
• Fix a typo by @koic in #270
• Provide a 'Changelog' link on rubygems.org/gems/racc by @mark-young-atg in #271
• Fix RDoc main file to "README.rdoc" by @ydah in #274
• Fix file path and line number errors when using +, * and () by @ydah in #273
• Bump up v1.8.1 by @yui-knk in #275

New Contributors

• @koic made their first contribution in #269
• @mark-young-atg made their first contribution in #271

Full Changelog: v1.8.0...v1.8.1

1.8.0

What's Changed

• Generate jar to build gem by @nobu in #255
• Fix trivial typos by @ydah in #257
• Try to fix test failure with Ruby 3.3 by @hsbt in #260
• Reformat the rdoc so it renders correctly both locally and on github. by @zenspider in #258
• Allow racc cmdline to read from stdin if no path specified. by @zenspider in #259
• Add more grammars by @nurse in #222
• Exclude 2.5 on macos-latest by @nobu in #263
• Drop code for Ruby 1.6 by @nobu in #264
• Refactor command line options by @nobu in #265
• Change encode EUC-JP to UTF-8 by @ydah in #267
• Organize README.ja.rdoc by @ydah in #266
• Support error_on_expect_mismatch declaration in Racc grammar file by @yui-knk in #262
• Bump up v1.8.0 by @yui-knk in #268

New Contributors

• @ydah made their first contribution in #257
• @nurse made their first contribution in #222

Full Changelog: v1.7.3...v1.8.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ regexp_parser (indirect, 2.9.0 → 2.10.0) · Repo · Changelog

Release Notes

2.10.0 (from changelog)

Added

• #referenced_expressions
  • like #referenced_expression, but for multiplexing backrefs
  • returns the Group expressions that are being referenced

Fixed

• fixed #char & #codepoint errors for single-digit hex escapes
  • e.g. \xA

2.9.3 (from changelog)

Fixed

• fixed positive lookbehinds with character ">" being treated as named groups
  • e.g. (?<=foo>)
  • thanks to Daniel Vandersluis

2.9.2 (from changelog)

Fixed

• made the MFA requirement for changes to this gem visible on rubygems
  • thanks to Geremia Taglialatela

2.9.1 (from changelog)

Fixed

• fixed unnecessary $LOAD_PATH searches at load time
  • thanks to Koichi ITO

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rexml (indirect, 3.2.6 → 3.4.0) · Repo · Changelog

Security Advisories 🚨

🚨 REXML ReDoS vulnerability

Impact

The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;).

This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. Note that Ruby 3.1 will reach EOL on 2025-03.

Patches

The REXML gem 3.3.9 or later include the patch to fix the vulnerability.

Workarounds

Use Ruby 3.2 or later instead of Ruby 3.1.

References

• https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/: An announce on www.ruby-lang.org

🚨 REXML denial of service vulnerability

Impact

The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes.

If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability. If you use other parser APIs such as stream parser API and SAX2 parser API, this vulnerability is not affected.

Patches

The REXML gem 3.3.6 or later include the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with tree parser API.

References

• https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ : An announce on www.ruby-lang.org

🚨 REXML DoS vulnerability

Impact

The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API.

If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability.

Patches

The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

Workarounds

Don't parse untrusted XMLs with SAX2 or pull parser API.

References

• https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability
• https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org

🚨 REXML DoS vulnerability

Impact

The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, >] and ]>.

If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

Patches

The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

• GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability
• GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability
• https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announce on www.ruby-lang.org

🚨 REXML denial of service vulnerability

Impact

The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as <, 0 and %>.

If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.

Patches

The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities.

Workarounds

Don't parse untrusted XMLs.

References

• GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability
• https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/

🚨 REXML contains a denial of service vulnerability

Impact

The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many <s in an attribute value.

If you need to parse untrusted XMLs, you may be impacted to this vulnerability.

Patches

The REXML gem 3.2.7 or later include the patch to fix this vulnerability.

Workarounds

Don't parse untrusted XMLs.

References

• https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rubocop (indirect, 1.62.1 → 1.70.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rubocop-ast (indirect, 1.31.2 → 1.37.0) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ rubocop-performance (indirect, 1.20.2 → 1.23.1) · Repo · Changelog

Release Notes

1.23.1

Bug fixes

• #478: Fix Performance/RedundantStringChars cop error in case of implicit receiver. (@viralpraxis)
• #480: Fix Performance/Squeeze cop error on frozen AST string node value. (@viralpraxis)

1.23.0

New features

• #474: Add new Performance/StringBytesize cop. (@viralpraxis)

1.22.1

Bug fixes

• #468: Fix false positives for Performance/BigDecimalWithNumericArgument when using float argument for BigDecimal. (@koic)

1.22.0

Bug fixes

• #454: Fix false positives for Performance/BigDecimalWithNumericArgument when using BigDecimal 3.1+. (@koic)

Changes

• #385: Disable Performance/BlockGivenWithExplicitBlock by default. (@earlopain)
• #407: Make Performance/DoubleStartEndWith aware of safe navigation. (@earlopain)

1.21.1

Bug fixes

• #452: Fix an error for Performance/RedundantEqualityComparisonBlock when the block is empty. (@earlopain)

1.21.0

New features

• #446: Support Prism as a Ruby parser (experimental). (@koic)

Bug fixes

• #437: Fix a false positive for Performance/ChainArrayAllocation when using select with block argument after select. (@koic)
• #448: Fix a false positive for Performance/RedundantBlockCall when using block.call with block argument. (@koic)

Changes

• #240: Disable Performance/Casecmp cop by default. (@parkerfinch)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ standard-performance (indirect, 1.3.1 → 1.6.0) · Repo · Changelog

Release Notes

1.6.0 (from changelog)

• Updates rubocop-performance from 1.22.0 to 1.23.0

1.5.0 (from changelog)

• Updates rubocop-performance from 1.21.0 to 1.22.1

1.4.0 (from changelog)

• Updates rubocop-performance from 1.20.1 to 1.21.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ unicode-display_width (indirect, 2.5.0 → 2.6.0) · Repo · Changelog

Release Notes

2.6.0 (from changelog)

• Unicode 16

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)