chore(deps): bump the ruby-deps group across 1 directory with 6 updates #2636

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/bundler/ruby-deps-07ba46b067

@dependabot dependabot Bot commented on behalf of github Jun 8, 2026

Bumps the ruby-deps group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| puma | 8.0.1 | 8.0.2 |
| view_component | 4.11.0 | 4.12.0 |
| rubocop | 1.86.2 | 1.87.0 |
| rubocop-rails | 2.35.2 | 2.35.4 |
| rubocop-rspec | 3.9.0 | 3.10.2 |
| bullet | 8.1.2 | 8.1.3 |

Updates puma from 8.0.1 to 8.0.2

Release notes

Sourced from puma's releases.

v8.0.2

  • Bugfixes
    • Anchor PROXY protocol v1 regex to string start and enforce max line length to prevent injection via crafted request bodies (#3944)
    • Parse PROXY protocol header only on the first request per connection to prevent spoofing on keep-alive connections (#3944)

Security advisories

Changelog

Sourced from puma's changelog.

8.0.2 / 2026-05-27

  • Bugfixes
    • Anchor PROXY protocol v1 regex to string start and enforce max line length to prevent injection via crafted request bodies (#3944)
    • Parse PROXY protocol header only on the first request per connection to prevent spoofing on keep-alive connections (#3944)
Commits

Updates view_component from 4.11.0 to 4.12.0

Release notes

Sourced from view_component's releases.

4.12.0

  • Fix stale render context on reused component instances. A ViewComponent::Base instance memoized its controller, helpers, request, view context, lookup context, view flow, and requested format details on first render via ||=. Rendering the same instance a second time (intentionally or via aliasing) reused that stale context, which could leak data across requests, sessions, or users. #render_in now resets these ivars on every call so each render derives its context from the current view.

    Joel Hawksley

  • Fix HTML-safety bypass in around_render. ViewComponent::Base#around_render could return HTML-unsafe strings that bypassed the escaping applied to normal #call return values, creating an XSS risk. The vulnerability was amplified in ViewComponent::Collection#render_in, which joined per-item results and unconditionally marked the output html_safe. HTML-unsafe strings returned from around_render are now escaped (with a warning) and Collection#render_in now uses safe_join so unsafe per-item output is escaped instead of laundered into a SafeBuffer.

    Joel Hawksley

Changelog

Sourced from view_component's changelog.

4.12.0

  • Fix stale render context on reused component instances. A ViewComponent::Base instance memoized its controller, helpers, request, view context, lookup context, view flow, and requested format details on first render via ||=. Rendering the same instance a second time (intentionally or via aliasing) reused that stale context, which could leak data across requests, sessions, or users. #render_in now resets these ivars on every call so each render derives its context from the current view.

    Joel Hawksley

  • Fix HTML-safety bypass in around_render. ViewComponent::Base#around_render could return HTML-unsafe strings that bypassed the escaping applied to normal #call return values, creating an XSS risk. The vulnerability was amplified in ViewComponent::Collection#render_in, which joined per-item results and unconditionally marked the output html_safe. HTML-unsafe strings returned from around_render are now escaped (with a warning) and Collection#render_in now uses safe_join so unsafe per-item output is escaped instead of laundered into a SafeBuffer.

    Joel Hawksley

Commits

Updates rubocop from 1.86.2 to 1.87.0

Release notes

Sourced from rubocop's releases.

RuboCop v1.87.0

New features

  • #15167: Add --enable-all-cops and --disable-all-cops command line options that override AllCops/EnabledByDefault and AllCops/DisabledByDefault in configuration files. (@​koic)
  • #15185: Make Layout/EmptyLineAfterGuardClause accept the new # simplecov:disable and # simplecov:enable directive comments. (@​koic)
  • #15173: Add optional Rubydex integration via AllCops/UseProjectIndex to enable cross-file detection in Lint/ConstantReassignment (experimental). (@​koic)

Bug fixes

  • #15168: Fix false positives in Lint/ParenthesesAsGroupedExpression when the first argument is a call-like expression with its own parentheses, such as yield(...). (@​koic)
  • #15188: Fix false positives in Style/YodaCondition when one side is an array or hash literal containing non-literal elements. (@​koic)
  • #15182: Fix incorrect autocorrect for Style/Alias causing a syntax error when the return value of alias_method is used, such as an argument to public, private, protected, or module_function, or the right-hand side of an assignment. (@​koic)
  • #15174: Fix incorrect autocorrect for Style/ClassAndModuleChildren causing a syntax error when the namespace contains a method call (e.g., class self.class::Foo; end). (@​koic)
  • #15180: Fix incorrect autocorrect for Style/FileWrite causing a syntax error when the written heredoc is chained with another method call. (@​koic)
  • #15186: Fix incorrect autocorrect for Style/HashConversion causing a syntax error when Hash[...] is passed an anonymous splat (*). (@​koic)
  • #15192: Fix incorrect autocorrect for Style/StructInheritance causing a syntax error when the inherited Struct.new is called without parentheses. (@​koic)
  • #15170: Fix an infinite loop for Layout/RedundantLineBreak when a single-line block is chained with a safe navigation method call. (@​koic)
  • #15175: Fix Layout/IndentationWidth to indent block bodies relative to the method selector for trailing-dot multi-line method chains when EnforcedStyleAlignWith is relative_to_receiver. (@​ddbrendan)
  • #15135: Fix incorrect autocorrect for Style/RedundantParentheses that swallowed chained method calls into a trailing inline comment on the line above the closing parenthesis. (@​hammadxcm)
  • #15184: Fix various typos and grammar mistakes in documentation and cop descriptions. (@​bbatsov)

Changes

  • #15171: Cache FilePatterns#match? results per path so cops sharing the same Include/Exclude configuration do not each repeat File.fnmatch? work on every file. (@​Darhazer)
Changelog

Sourced from rubocop's changelog.

1.87.0 (2026-05-30)

New features

  • #15167: Add --enable-all-cops and --disable-all-cops command line options that override AllCops/EnabledByDefault and AllCops/DisabledByDefault in configuration files. ([@​koic][])
  • #15185: Make Layout/EmptyLineAfterGuardClause accept the new # simplecov:disable and # simplecov:enable directive comments. ([@​koic][])
  • #15173: Add optional Rubydex integration via AllCops/UseProjectIndex to enable cross-file detection in Lint/ConstantReassignment (experimental). ([@​koic][])

Bug fixes

  • #15168: Fix false positives in Lint/ParenthesesAsGroupedExpression when the first argument is a call-like expression with its own parentheses, such as yield(...). ([@​koic][])
  • #15188: Fix false positives in Style/YodaCondition when one side is an array or hash literal containing non-literal elements. ([@​koic][])
  • #15182: Fix incorrect autocorrect for Style/Alias causing a syntax error when the return value of alias_method is used, such as an argument to public, private, protected, or module_function, or the right-hand side of an assignment. ([@​koic][])
  • #15174: Fix incorrect autocorrect for Style/ClassAndModuleChildren causing a syntax error when the namespace contains a method call (e.g., class self.class::Foo; end). ([@​koic][])
  • #15180: Fix incorrect autocorrect for Style/FileWrite causing a syntax error when the written heredoc is chained with another method call. ([@​koic][])
  • #15186: Fix incorrect autocorrect for Style/HashConversion causing a syntax error when Hash[...] is passed an anonymous splat (*). ([@​koic][])
  • #15192: Fix incorrect autocorrect for Style/StructInheritance causing a syntax error when the inherited Struct.new is called without parentheses. ([@​koic][])
  • #15170: Fix an infinite loop for Layout/RedundantLineBreak when a single-line block is chained with a safe navigation method call. ([@​koic][])
  • #15175: Fix Layout/IndentationWidth to indent block bodies relative to the method selector for trailing-dot multi-line method chains when EnforcedStyleAlignWith is relative_to_receiver. ([@​ddbrendan][])
  • #15135: Fix incorrect autocorrect for Style/RedundantParentheses that swallowed chained method calls into a trailing inline comment on the line above the closing parenthesis. ([@​hammadxcm][])
  • #15184: Fix various typos and grammar mistakes in documentation and cop descriptions. ([@​bbatsov][])

Changes

  • #15171: Cache FilePatterns#match? results per path so cops sharing the same Include/Exclude configuration do not each repeat File.fnmatch? work on every file. ([@​Darhazer][])
Commits
  • e5b788d Cut 1.87
  • 65aece8 Update Changelog
  • 810c790 Fix incorrect autocorrect for Style/StructInheritance cop
  • 1ec0554 [Fix #15185] Make Layout/EmptyLineAfterGuardClause accept new SimpleCov dir...
  • 11cd569 Merge pull request #15190 from koic/fix_false_positives_in_style_yoda_condition
  • ceff136 [Fix #15188] Fix false positives for Style/YodaCondition
  • 4a12596 Fix incorrect autocorrect for Style/HashConversion cop
  • 4801e9d Merge pull request #15184 from rubocop/fix-typos-and-grammar-in-docs
  • bfe7dc5 Fix various typos and grammar mistakes in documentation
  • 6988aa4 Merge pull request #15182 from koic/fix_incorrect_autocorrect_for_style_alias...
  • Additional commits viewable in compare view

Updates rubocop-rails from 2.35.2 to 2.35.4

Release notes

Sourced from rubocop-rails's releases.

RuboCop Rails v2.35.4

Bug fixes

  • #1418: Fix a false positive for Rails/StrongParametersExpect when require is given an array literal, such as params.require([:foo, :bar]).permit(:baz). (@​koic)
  • #1574: Fix an invalid autocorrection for Rails/StrongParametersExpect when permit receives a single dynamic argument, such as params.require(:user).permit(permitted_attributes). (@​koic)
  • #1635: Fix Rails/StrongParametersExpect to allow params[:foo].inspect. (@​jdelStrother)

RuboCop Rails v2.35.3

Bug fixes

  • #1630: Fix a false positive in Rails/StrongParametersExpect when negating params[:key] with !, such as !params[:key]. (@​koic)
  • #1629: Fix false positives in Rails/StrongParametersExpect when using the safe navigation operator (&.) on params[:key]. Autocorrecting params[:key]&.downcase to params.expect(:key).downcase silently changes behavior — a missing param goes from returning nil to raising ActionController::ParameterMissing. (@​lucasmazza)
Changelog

Sourced from rubocop-rails's changelog.

2.35.4 (2026-06-07)

Bug fixes

  • #1418: Fix a false positive for Rails/StrongParametersExpect when require is given an array literal, such as params.require([:foo, :bar]).permit(:baz). ([@​koic][])
  • #1574: Fix an invalid autocorrection for Rails/StrongParametersExpect when permit receives a single dynamic argument, such as params.require(:user).permit(permitted_attributes). ([@​koic][])
  • #1635: Fix Rails/StrongParametersExpect to allow params[:foo].inspect. ([@​jdelStrother][])

2.35.3 (2026-05-27)

Bug fixes

  • #1630: Fix a false positive in Rails/StrongParametersExpect when negating params[:key] with !, such as !params[:key]. ([@​koic][])
  • #1629: Fix false positives in Rails/StrongParametersExpect when using the safe navigation operator (&.) on params[:key]. Autocorrecting params[:key]&.downcase to params.expect(:key).downcase silently changes behavior — a missing param goes from returning nil to raising ActionController::ParameterMissing. ([@​lucasmazza][])
Commits
  • a4d53a5 Cut 2.35.4
  • e9e592d Update Changelog
  • 84eb5fe [Doc] Update the doc for Rails/StrongParametersExpect
  • 5490e3e Merge pull request #1636 from koic/fix_strong_parameters_expect_dynamic_permi...
  • cfe75e9 [Fix #1574] Fix an invalid autocorrection for Rails/StrongParametersExpect
  • 4817d57 Merge pull request #1633 from koic/doc_strong_parameters_expect_safety
  • d9824c6 Merge pull request #1634 from koic/fix_strong_parameters_expect_array_require
  • e30a80b Merge pull request #1635 from jdelStrother/params-inspect
  • 70651a0 Allow inspect in Rails/StrongParametersExpect
  • a8f6e0c [Doc] Document additional unsafety of Rails/StrongParametersExpect
  • Additional commits viewable in compare view

Updates rubocop-rspec from 3.9.0 to 3.10.2

Release notes

Sourced from rubocop-rspec's releases.

RuboCop RSpec v3.10.2

  • Fix false positives for RSpec/SpecFilePathFormat when CustomTransform maps a namespace to an empty string. (@​sakuro)
  • Fix RSpec/MatchWithSimpleRegex to ignore regular expressions with options. (@​bquorning)

RuboCop RSpec v3.10.1

  • Add Strict option to RSpec/SharedContext to flag shared_context whenever it contains examples, even alongside setup code. (@​Darhazer)
  • Add NegatedMatcher configuration option RSpec/ExpectChange. (@​Darhazer)
  • Fix RSpec/MatchWithSimpleRegex to ignore regular expressions with interpolations. (@​bquorning)

RuboCop RSpec v3.10.0

  • Add new cop RSpec/MatchWithSimpleRegex to suggest include matcher when match is used with simple string literals without regex-specific features. (@​bquorning)
  • Add new cop RSpec/DiscardedMatcher to detect matchers in void context (e.g. missing .and between compound matchers). (@​ydakuka)
  • Add support for itblock nodes. (@​Darhazer)
  • RSpec/ScatteredLet now preserves the order of lets during auto-correction. (@​Darhazer)
  • Fix a false negative for RSpec/EmptyLineAfterFinalLet inside shared_examples / include_examples / it_behaves_like blocks. (@​Darhazer)
  • Fix a false positive for RSpec/ContainExactly when contain_exactly has multiple splat arguments. (@​ydah)
  • Add autocorrect support for RSpec/SubjectDeclaration. (@​eugeneius)
  • Fix false negatives for RSpec/SpecFilePathFormat when the expected class path only partially matches a path segment. (@​ydah)
  • Fix a false negative for RSpec/ExpectActual when the matcher takes no arguments (e.g. expect("foo").to be_present, expect(1).to be). (@​cvx)
Changelog

Sourced from rubocop-rspec's changelog.

3.10.2 (2026-06-06)

  • Fix false positives for RSpec/SpecFilePathFormat when CustomTransform maps a namespace to an empty string. ([@​sakuro])
  • Fix RSpec/MatchWithSimpleRegex to ignore regular expressions with options. ([@​bquorning])

3.10.1 (2026-06-05)

  • Add Strict option to RSpec/SharedContext to flag shared_context whenever it contains examples, even alongside setup code. ([@​Darhazer])
  • Add NegatedMatcher configuration option RSpec/ExpectChange. ([@​Darhazer])
  • Fix RSpec/MatchWithSimpleRegex to ignore regular expressions with interpolations. ([@​bquorning])

3.10.0 (2026-06-05)

  • Add new cop RSpec/MatchWithSimpleRegex to suggest include matcher when match is used with simple string literals without regex-specific features. ([@​bquorning])
  • Add new cop RSpec/DiscardedMatcher to detect matchers in void context (e.g. missing .and between compound matchers). ([@​ydakuka])
  • Add support for itblock nodes. ([@​Darhazer])
  • RSpec/ScatteredLet now preserves the order of lets during auto-correction. ([@​Darhazer])
  • Fix a false negative for RSpec/EmptyLineAfterFinalLet inside shared_examples / include_examples / it_behaves_like blocks. ([@​Darhazer])
  • Fix a false positive for RSpec/ContainExactly when contain_exactly has multiple splat arguments. ([@​ydah])
  • Add autocorrect support for RSpec/SubjectDeclaration. ([@​eugeneius])
  • Fix false negatives for RSpec/SpecFilePathFormat when the expected class path only partially matches a path segment. ([@​ydah])
  • Fix a false negative for RSpec/ExpectActual when the matcher takes no arguments (e.g. expect("foo").to be_present, expect(1).to be). ([@​cvx])
Commits
  • 2488441 Merge pull request #2189 from rubocop/release
  • c9e53cf Bump version to 3.10.2
  • 7ae0a42 Merge pull request #2186 from sakuro/fix/spec-file-path-format-empty-custom-t...
  • 8b0b5e9 Merge branch 'master' into fix/spec-file-path-format-empty-custom-transform
  • dc4465c Merge pull request #2188 from rubocop/fix-2185
  • d5de6b2 Consider regexp with options a non-simple regexp
  • bad0cb3 🐛 Fix RSpec/SpecFilePathFormat false positives when CustomTransform maps ...
  • ec3eeab Merge pull request #2183 from rubocop/fix-match-with-simple-regex-with-interp...
  • 16bbf49 Bump version to 3.10.1
  • 2a78abd Ignore interpolation in MatchWithSimpleRegex
  • Additional commits viewable in compare view

Updates bullet from 8.1.2 to 8.1.3

Changelog

Sourced from bullet's changelog.

8.1.3 (06/02/2026)

  • Handle inversed polymorphic belongs_to false positives
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
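
The two puma 8.0.2 bugfixes quoted in the release notes above, shown as an added Ruby example (not Puma's code and not part of this PR): an unanchored PROXY v1 match that runs on every request, beside a parser that anchors at the start of the buffer, caps the line at the protocol's 107-byte limit, and runs only on the first request of a connection. The class names, regexes, addresses and request buffers are constructed for illustration.

```ruby
# Added illustration only: NOT Puma's source. Class names, regexes and the
# sample buffers below are constructed for this example.

# PROXY protocol v1 is a single ASCII line of at most 107 bytes, CRLF included.
PROXY_V1_MAX_LINE = 107

# Weak form: unanchored, so a PROXY line anywhere in the buffer matches.
UNANCHORED_V1 = /PROXY (?:TCP4|TCP6) (\S+) \S+ \d+ \d+\r\n/
# Hardened form: \A pins the match to the first byte of the buffer.
ANCHORED_V1 = /\APROXY (?:TCP4|TCP6) (\S+) \S+ \d+ \d+\r\n/

# "Before" behaviour: scans every buffer on every request of the connection.
class WeakConnection
  attr_reader :client_ip

  def initialize(peer_ip)
    @client_ip = peer_ip
  end

  def feed(buffer)
    m = UNANCHORED_V1.match(buffer)
    @client_ip = m[1] if m
    self
  end
end

# "After" behaviour: one anchored, length-limited attempt per connection.
class HardenedConnection
  attr_reader :client_ip

  def initialize(peer_ip)
    @client_ip = peer_ip
    @first_request = true
  end

  def feed(buffer)
    return self unless @first_request
    @first_request = false
    # Only the first 107 bytes can hold a valid v1 header; a longer line
    # loses its CRLF in the slice and fails to match.
    head = buffer.b.byteslice(0, PROXY_V1_MAX_LINE)
    m = ANCHORED_V1.match(head)
    @client_ip = m[1] if m
    self
  end
end

# Replays the buffers of one keep-alive connection; returns the recorded client IP.
def replay(klass, peer_ip, buffers)
  buffers.reduce(klass.new(peer_ip)) { |conn, buf| conn.feed(buf) }.client_ip
end

# Constructed sample traffic (documentation address ranges).
PEER = "10.0.0.5"
FIRST = "PROXY TCP4 203.0.113.7 10.0.0.5 51234 443\r\nGET / HTTP/1.1\r\nHost: app.example\r\n\r\n"
BODY_LINE = "PROXY TCP4 198.51.100.99 10.0.0.5 1 1\r\n"
SECOND = "POST /notes HTTP/1.1\r\nHost: app.example\r\n" \
         "Content-Length: #{BODY_LINE.bytesize}\r\n\r\n#{BODY_LINE}"
LATE_HEADER = "#{BODY_LINE}GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"
OVERSIZE = "PROXY TCP4 #{'1' * 200} 10.0.0.5 1 1\r\nGET / HTTP/1.1\r\n\r\n"
```

`replay(WeakConnection, PEER, [FIRST, SECOND])` ends with the address taken from the request body, while `HardenedConnection` keeps the address from the genuine first-line header.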

Bumps the ruby-deps group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [puma](https://github.com/puma/puma) | `8.0.1` | `8.0.2` |
| [view_component](https://github.com/viewcomponent/view_component) | `4.11.0` | `4.12.0` |
| [rubocop](https://github.com/rubocop/rubocop) | `1.86.2` | `1.87.0` |
| [rubocop-rails](https://github.com/rubocop/rubocop-rails) | `2.35.2` | `2.35.4` |
| [rubocop-rspec](https://github.com/rubocop/rubocop-rspec) | `3.9.0` | `3.10.2` |
| [bullet](https://github.com/flyerhzm/bullet) | `8.1.2` | `8.1.3` |



Updates `puma` from 8.0.1 to 8.0.2
- [Release notes](https://github.com/puma/puma/releases)
- [Changelog](https://github.com/puma/puma/blob/main/History.md)
- [Commits](puma/puma@v8.0.1...v8.0.2)

Updates `view_component` from 4.11.0 to 4.12.0
- [Release notes](https://github.com/viewcomponent/view_component/releases)
- [Changelog](https://github.com/ViewComponent/view_component/blob/main/docs/CHANGELOG.md)
- [Commits](ViewComponent/view_component@v4.11.0...v4.12.0)

Updates `rubocop` from 1.86.2 to 1.87.0
- [Release notes](https://github.com/rubocop/rubocop/releases)
- [Changelog](https://github.com/rubocop/rubocop/blob/master/CHANGELOG.md)
- [Commits](rubocop/rubocop@v1.86.2...v1.87.0)

Updates `rubocop-rails` from 2.35.2 to 2.35.4
- [Release notes](https://github.com/rubocop/rubocop-rails/releases)
- [Changelog](https://github.com/rubocop/rubocop-rails/blob/master/CHANGELOG.md)
- [Commits](rubocop/rubocop-rails@v2.35.2...v2.35.4)

Updates `rubocop-rspec` from 3.9.0 to 3.10.2
- [Release notes](https://github.com/rubocop/rubocop-rspec/releases)
- [Changelog](https://github.com/rubocop/rubocop-rspec/blob/master/CHANGELOG.md)
- [Commits](rubocop/rubocop-rspec@v3.9.0...v3.10.2)

Updates `bullet` from 8.1.2 to 8.1.3
- [Changelog](https://github.com/flyerhzm/bullet/blob/main/CHANGELOG.md)
- [Commits](flyerhzm/bullet@8.1.2...8.1.3)

---
updated-dependencies:
- dependency-name: puma
  dependency-version: 8.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: ruby-deps
- dependency-name: view_component
  dependency-version: 4.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: ruby-deps
- dependency-name: rubocop
  dependency-version: 1.87.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: ruby-deps
- dependency-name: rubocop-rails
  dependency-version: 2.35.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: ruby-deps
- dependency-name: rubocop-rspec
  dependency-version: 3.10.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: ruby-deps
- dependency-name: bullet
  dependency-version: 8.1.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: ruby-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies and ruby (Pull requests that update Ruby code) labels Jun 8, 2026