Bump the minor-and-patch group across 1 directory with 7 updates #87

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/bundler/minor-and-patch-83caa9b69c
Conversation

@dependabot dependabot Bot commented on behalf of github Jun 19, 2026

Bumps the minor-and-patch group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| nokogiri | 1.19.3 | 1.19.4 |
| pagy | 43.5.5 | 43.5.6 |
| tailwindcss-rails | 4.4.0 | 4.6.0 |
| resend | 1.3.0 | 1.5.0 |
| brakeman | 8.0.4 | 8.0.5 |
| overcommit | 0.70.0 | 0.71.0 |
| selenium-webdriver | 4.44.0 | 4.45.0 |

Updates nokogiri from 1.19.3 to 1.19.4

Release notes

Sourced from nokogiri's releases.

v1.19.4 / 2026-06-18

Security

  • [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
  • [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
  • [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
  • [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.
Commits
  • 8cfb9da version bump to v1.19.4
  • a856d1e fix: JRuby NONET bypass in XML::Schema (v1.19.x) (#3639)
  • 6a0aa1e fix(CRuby): use-after-free in Document#encoding= when setter raises (v1.19.x)...
  • f658a54 fix: JRuby NONET bypass in XML::Schema
  • 39d26fe fix(CRuby): use-after-free in Document#encoding= when setter raises
  • 04a09dd fix(CRuby): out-of-bounds read in NodeSet#[] with large negative index (v1.19...
  • 7799fbd fix: avoid NPE on uninitialized XML::Node structs (v1.19.x) (#3645)
  • ef19e13 fix(CRuby): avoid UAF in XML::Attr#value= (v1.19.x) (#3644)
  • 5524fa9 fix: Document#root= rejects non-element nodes (v1.19.x) (#3643)
  • 9891ad1 fix(CRuby): use-after-free in XPathContext document lifetime (v1.19.x) (#3641)
  • Additional commits viewable in compare view

Updates pagy from 43.5.5 to 43.5.6

Release notes

Sourced from pagy's releases.

Version 43.5.6

Changes in 43.5.6

  • Validate I18n locale input, coerce dev_tools wand_scale, add input-safety docs (#908)
    • Coerce dev_tools wand_scale to a float
    • Validate the I18n locale against a BCP 47 pattern
    • Update docs and comments about safety

CHANGELOG

Version 43

We needed a leap version to unequivocally signal that it's not just a major version: it's a complete redesign of the legacy code at all levels, usage and API included.

Why 43? Because it's exactly one step beyond "The answer to the ultimate question of life, the Universe, and everything." 😉

Improvements

This version introduces several enhancements, such as new :countish and :keynav_js paginators and improved automation and configuration processes, reducing setup requirements by 99%. The update also includes a simpler API and new interactive development tools, making it a comprehensive upgrade from previous versions.

  • New :countish Paginator
    • Faster than OFFSET and supporting the full UI
  • New Keynav Pagination
    • The pagy-exclusive technique using the fastest keyset pagination alongside all frontend helpers.
  • New interactive dev-tools
    • New PagyWand to integrate the pagy CSS with your app themes.
    • New Pagy AI available right inside your own app.
  • Intelligent automation
  • Simpler API
    • You solely need the pagy method and the @pagy instance to paginate any collection and use any navigation tag and helper.
    • Methods are autoloaded only if used, and consume no memory otherwise.
    • Methods have narrower scopes and can be overridden without deep knowledge.
  • New documentation
    • Very concise, straightforward, and easy to navigate and understand.

Upgrade to 43

See the Upgrade Guide

... (truncated)

Commits

Updates tailwindcss-rails from 4.4.0 to 4.6.0

Release notes

Sourced from tailwindcss-rails's releases.

v4.6.0 / 2026-06-17

Fixed

  • tailwindcss:watch now forwards stop signals (SIGINT/SIGTERM) to the spawned tailwindcss process, instead of letting it be orphaned. This happens when a process manager signals the watch task directly rather than the whole process group — most commonly Procfile-based managers like foreman in development. @jordan-brough

v4.5.0 / 2026-06-15

Improved

  • New silent flag on tailwindcss:build and tailwindcss:watch tasks to suppress non-error output from the tailwindcss CLI (e.g., bin/rails tailwindcss:watch[silent]). Requires Tailwind CSS v4.3.1. #618 @jordan-brough

New Contributors

Full Changelog: rails/tailwindcss-rails@v4.4.0...v4.5.0

Commits
  • d4d95b3 version bump to v4.6.0
  • 900f700 Forward stop signals to tailwindcss watcher (#621)
  • c704ea5 dev: update Gemfile.lock
  • 2938f5a build(deps): bump ruby/setup-ruby in the github-actions group (#624)
  • e9773b5 version bump to v4.5.0
  • 35a521e doc: update CHANGELOG
  • 9a6a58a Support new --silent tailwind flag via [silent] (#618)
  • c169899 build(deps): bump actions/checkout in the github-actions group (#623)
  • 2d75b62 build(deps): bump ruby/setup-ruby in the github-actions group (#622)
  • b3b682d Merge pull request #616 from rails/dependabot/bundler/tailwindcss-ruby-4.3.0
  • Additional commits viewable in compare view

Updates resend from 1.3.0 to 1.5.0

Release notes

Sourced from resend's releases.

v1.5.0

What's Changed

Full Changelog: resend/resend-ruby@v1.4.0...v1.5.0

v1.4.0

What's Changed

New Contributors

Full Changelog: resend/resend-ruby@v1.3.0...v1.4.0

Commits
  • 2fd6189 feat: add contact imports endpoints (#186)
  • 73a2aaa chore: bump version to 1.4.0 (#187)
  • 4e32018 chore(deps): update dependency rubocop to v1.88.0 (#184)
  • e45e717 feat(receiving): add html_format query param to get (#185)
  • f4c35aa chore(deps-dev): bump net-imap from 0.6.3 to 0.6.4.1 (#183)
  • 9ef70be chore(deps): update dependency rubocop to v1.87.0 (#181)
  • 7566fda chore: bump public-shared-workflows hash (#180)
  • 281f984 chore: bump public-shared-workflows hash (#179)
  • c88434c chore: add sync-prs-to-linear action (#178)
  • 520c5da chore(deps): update dependency rubocop to v1.86.2 (#177)
  • Additional commits viewable in compare view

Updates brakeman from 8.0.4 to 8.0.5

Release notes

Sourced from brakeman's releases.

8.0.5

Changelog

Sourced from brakeman's changelog.

8.0.5 - 2026-06-12

  • Add quote_schema_name to safe quote method list (Zsolt Kozaroczy)
  • Fix SQL injection false positive for compact_blank/compact on permitted params (Arpit Jain)
  • Fix inline render false positive for local named text (Arpit Jain)
  • Fix HAML crash on .raw calls (Federico Franco)
  • Fix Ruby version parsing - especially for non-CRuby versions (Chris Southerland Jr)
  • Fix TemplateAliasProcessor#template_name arity (viralpraxis)
  • Reduce false positives when using shell escaping
Commits
  • 104443e Bump to 8.0.5
  • 8e61e2a Update CHANGES
  • f014c15 Merge pull request #2028 from kiskoza/fix/quote_schema_name
  • 9227822 Merge pull request #2027 from arpitjain099/fix/brakeman-1915-render-partial-t...
  • 6788d28 Merge pull request #2025 from arpitjain099/fix/sql-fp-compact-blank
  • b7c3906 Add quote_schema_name to safe quote method list
  • f95c500 test: update line number for still-warns SQL injection case after fixture shift
  • 4fba779 base_processor: skip hash render-type extraction when type set positionally
  • 1e63a41 Fix SQL injection false positive for compact_blank/compact on permitted params
  • 7ff9e49 Merge pull request #2023 from FFederi/fix-haml-chained-raw-crash
  • Additional commits viewable in compare view

Updates overcommit from 0.70.0 to 0.71.0

Release notes

Sourced from overcommit's releases.

0.71.0

What's Changed

New Contributors

Full Changelog: sds/overcommit@v0.70.0...v0.71.0

Changelog

Sourced from overcommit's changelog.

0.71.0

  • Fix race condition when reading input from stdin in hooks
  • Update Solargraph regex matcher
Commits

Updates selenium-webdriver from 4.44.0 to 4.45.0

Release notes

Sourced from selenium-webdriver's releases.

Selenium 4.45.0

Detailed Changelogs by Component

Java     |     Python     |     DotNet     |     Ruby     |     JavaScript

What's Changed

... (truncated)

Changelog

Sourced from selenium-webdriver's changelog.

4.45.0 (2026-06-15)

  • Support CDP versions: v147, v148, v149
  • deprecate curb http client support (#17443)
  • move Ruby bindings to use typescript get attribute atom (#17524)
  • Move atoms to use the typescript versions (#17532)
  • deprecate Chromium Profile classes (#17557)
  • update bazel test tags (#17558)
  • separate concerns between Service, DriverFinder, and Options (#17564)
  • fix using environment variables to set drivers (#17571)
  • create more obvious test guard keywords as aliases (#17636)
Commits
  • cd6a3cd [build] Prepare for release of selenium-4.45.0 (#17680)
  • bb741bd [build] Automated Browser Version Update (#17658)
  • f53de51 [rb] run minimize test on linux now that #17644 fixed fluxbox startup
  • 3f37cce [rb] set window state before each window test instead of resetting driver
  • 2bfb990 [rb] skip Safari double_click action tests
  • 6008ae6 [rb] skip double_click action test on Safari
  • bf0edc8 [rb] create more obvious test guard keywords as aliases (#17636)
  • c474d76 [build] Automated Browser Version Update (#17609)
  • 13c5344 [rb] streamline tests on github actions runners (#17550)
  • 79af12b [rb] stabilize tests and remove driver-restart workaround in manager spec
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the minor-and-patch group with 7 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [nokogiri](https://github.com/sparklemotion/nokogiri) | `1.19.3` | `1.19.4` |
| [pagy](https://github.com/ddnexus/pagy) | `43.5.5` | `43.5.6` |
| [tailwindcss-rails](https://github.com/rails/tailwindcss-rails) | `4.4.0` | `4.6.0` |
| [resend](https://github.com/resend/resend-ruby) | `1.3.0` | `1.5.0` |
| [brakeman](https://github.com/presidentbeef/brakeman) | `8.0.4` | `8.0.5` |
| [overcommit](https://github.com/sds/overcommit) | `0.70.0` | `0.71.0` |
| [selenium-webdriver](https://github.com/SeleniumHQ/selenium) | `4.44.0` | `4.45.0` |



Updates `nokogiri` from 1.19.3 to 1.19.4
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.19.3...v1.19.4)

Updates `pagy` from 43.5.5 to 43.5.6
- [Release notes](https://github.com/ddnexus/pagy/releases)
- [Changelog](https://github.com/ddnexus/pagy/blob/master/docs/CHANGELOG.md)
- [Commits](ddnexus/pagy@43.5.5...43.5.6)

Updates `tailwindcss-rails` from 4.4.0 to 4.6.0
- [Release notes](https://github.com/rails/tailwindcss-rails/releases)
- [Changelog](https://github.com/rails/tailwindcss-rails/blob/main/CHANGELOG.md)
- [Commits](rails/tailwindcss-rails@v4.4.0...v4.6.0)

Updates `resend` from 1.3.0 to 1.5.0
- [Release notes](https://github.com/resend/resend-ruby/releases)
- [Changelog](https://github.com/resend/resend-ruby/blob/main/CHANGELOG.md)
- [Commits](resend/resend-ruby@v1.3.0...v1.5.0)

Updates `brakeman` from 8.0.4 to 8.0.5
- [Release notes](https://github.com/presidentbeef/brakeman/releases)
- [Changelog](https://github.com/presidentbeef/brakeman/blob/main/CHANGES.md)
- [Commits](presidentbeef/brakeman@v8.0.4...v8.0.5)

Updates `overcommit` from 0.70.0 to 0.71.0
- [Release notes](https://github.com/sds/overcommit/releases)
- [Changelog](https://github.com/sds/overcommit/blob/main/CHANGELOG.md)
- [Commits](sds/overcommit@v0.70.0...v0.71.0)

Updates `selenium-webdriver` from 4.44.0 to 4.45.0
- [Release notes](https://github.com/SeleniumHQ/selenium/releases)
- [Changelog](https://github.com/SeleniumHQ/selenium/blob/trunk/rb/CHANGES)
- [Commits](SeleniumHQ/selenium@selenium-4.44.0...selenium-4.45.0)

---
updated-dependencies:
- dependency-name: nokogiri
  dependency-version: 1.19.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: pagy
  dependency-version: 43.5.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: tailwindcss-rails
  dependency-version: 4.6.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: resend
  dependency-version: 1.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: brakeman
  dependency-version: 8.0.5
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: overcommit
  dependency-version: 0.71.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: selenium-webdriver
  dependency-version: 4.45.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and ruby (Pull requests that update ruby code) labels Jun 19, 2026