
Security: bump rexml, yard #53

Merged
technicalpickles merged 2 commits into main from security/dep-sweep, Jun 24, 2026

Conversation


@technicalpickles technicalpickles commented Jun 18, 2026

Contributor

Security Dependencies Bumped

Gem    Old Version  New Version  GHSA                 Severity
rexml  3.2.6        3.4.4        GHSA-2rxp-v6pw-ch6m  High
rexml  3.2.6        3.4.4        GHSA-vmwr-mc7x-5vc3  High
rexml  3.2.6        3.4.4        GHSA-5866-49gr-22v4  Medium
rexml  3.2.6        3.4.4        GHSA-r55c-59qm-vjw6  Medium
rexml  3.2.6        3.4.4        GHSA-4xqq-m2hx-25v8  Medium
rexml  3.2.6        3.4.4        GHSA-vg3r-rm7w-2xgh  Medium
yard   0.9.36       0.9.44       GHSA-3jfp-46x4-xgfj  Medium

Note: rexml bump represents a minor version upgrade (3.2.x -> 3.4.x). All tests passing (55 examples, 0 failures).

Changes

  • Updated Gemfile.lock with new versions
  • Regenerated Sorbet RBI files for rexml@3.4.4 and yard@0.9.44

Note: CI failure on Ruby 4 pre-exists on main (unrelated to this security bump)

The CI failure (LoadError: cannot load such file -- ostruct from pry 0.14.2) is pre-existing on the main branch and is unrelated to this security bump. pry 0.14.2 requires ostruct which was removed from Ruby 4.0's default gems. This PR does not introduce or worsen this failure.

Bumped rexml from 3.2.6 to 3.4.4 (addresses multiple CVEs)
Bumped yard from 0.9.36 to 0.9.44 (addresses GHSA-3jfp-46x4-xgfj)

Tests passing: rspec (55 examples, 0 failures)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
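As an added example (not code from this PR or the project), a small Ruby check that parses a Gemfile.lock and flags rexml and yard when the locked version is older than the version this PR moved to. The lockfile contents and the gem-to-version mapping are constructed from the table above; the advisories' exact patched ranges are not on the page, so "fixed" here simply means the version the PR bumped to.

```ruby
# Constructed mapping from the PR table: "fixed" = the version this PR bumped to.
MIN_FIXED = { "rexml" => "3.4.4", "yard" => "0.9.44" }.freeze

# Parse the "specs:" section of a Gemfile.lock into { name => version }.
# Spec lines are indented 4 spaces; their dependency lines (6 spaces) are skipped,
# and a blank line or a new top-level section (PLATFORMS, DEPENDENCIES) ends the block.
def parse_lockfile(text)
  versions = {}
  in_specs = false
  text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false if line.strip.empty? || line =~ /\A\S/
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = m[2]
    end
  end
  versions
end

# Return gems whose locked version is older than the fixed version, using
# Gem::Version so that 0.9.36 < 0.9.44 (and 3.10.0 > 3.4.4) compare numerically.
def vulnerable_gems(locked, min_fixed = MIN_FIXED)
  min_fixed.each_with_object({}) do |(gem, fixed), out|
    next unless locked.key?(gem)
    next unless Gem::Version.new(locked[gem]) < Gem::Version.new(fixed)
    out[gem] = { locked: locked[gem], fixed: fixed }
  end
end

# Constructed sample lockfile reflecting the pre-bump state described in the PR.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      pry (0.14.2)
        coderay (~> 1.1)
      rexml (3.2.6)
      yard (0.9.36)

LOCK

if __FILE__ == $PROGRAM_NAME
  vulnerable_gems(parse_lockfile(SAMPLE_LOCK)).each do |gem, v|
    puts "#{gem}: locked #{v[:locked]}, fixed in #{v[:fixed]}"
  end
end
```

Point it at a real Gemfile.lock by replacing SAMPLE_LOCK with File.read of the lockfile; the check only flags the two gems named in this PR.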
@technicalpickles technicalpickles marked this pull request as ready for review June 24, 2026 18:55
@technicalpickles technicalpickles requested a review from a team as a code owner June 24, 2026 18:55
@technicalpickles technicalpickles merged commit 564cd7a into main Jun 24, 2026
6 checks passed
@technicalpickles technicalpickles deleted the security/dep-sweep branch June 24, 2026 20:19
@github-project-automation github-project-automation Bot moved this from Triage to Done in Modularity Jun 24, 2026