
chore(deps): bump json from 2.19.1 to 2.19.2#898

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/bundler/json-2.19.2

Conversation


@dependabot dependabot Bot commented on behalf of github Mar 21, 2026

Bumps json from 2.19.1 to 2.19.2.

Release notes

Sourced from json's releases.

v2.19.2

What's Changed

  • Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: ruby/json@v2.19.1...v2.19.2

Changelog

Sourced from json's changelog.

2026-03-18 (2.19.2)

  • Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210.

Commits
  • 54f8a87 Release 2.19.2
  • 393b41c Fix a format string injection vulnerability
  • dbf6bb1 Merge pull request #953 from ruby/dependabot/github_actions/actions/create-gi...
  • 7187315 Bump actions/create-github-app-token from 2 to 3
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.
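The release notes above only name the fixed version (json 2.19.2 for CVE-2026-33210). A defender's first question is whether a given application is still locked to an older json gem. The following Ruby script is an added example, not code from this PR or from the json gem: it parses the `specs:` block of a constructed Gemfile.lock fragment and compares the pinned json version against 2.19.2 using RubyGems' own `Gem::Version` ordering, so `2.19.10` correctly sorts above `2.19.2`. The sample lockfile text is constructed for the example.

```ruby
# Added example (not part of the PR or the json gem): check a Gemfile.lock for
# a json gem version older than the 2.19.2 release that fixes CVE-2026-33210.
require "rubygems"

# Minimum json version named in the PR's release notes.
JSON_FIXED_VERSION = Gem::Version.new("2.19.2")

# Constructed sample lockfile fragment, mirroring Bundler's "specs:" layout.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (2.19.1)
      rake (13.2.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    rake
LOCK

# Returns a Hash of gem name => Gem::Version for every entry in the specs: block.
def locked_gem_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    # A blank line or a new top-level (unindented) section ends the specs block.
    in_specs = false if in_specs && (line.strip.empty? || line !~ /\A\s/)
    next unless in_specs
    # Direct spec lines are indented exactly four spaces: "    name (version)".
    # Deeper-indented lines are a spec's dependencies and carry no exact pin.
    if line =~ /\A {4}(\S+) \(([^)]+)\)/
      versions[$1] = Gem::Version.new($2)
    end
  end
  versions
end

# Returns true when the lockfile pins json at or above the fixed version,
# false when it pins an older (vulnerable) version, nil when json is absent.
def json_fixed?(lockfile_text)
  version = locked_gem_versions(lockfile_text)["json"]
  return nil if version.nil?
  version >= JSON_FIXED_VERSION
end

if __FILE__ == $0
  case json_fixed?(SAMPLE_LOCKFILE)
  when true  then puts "json is at or above 2.19.2"
  when false then puts "json is below 2.19.2: bump it (CVE-2026-33210)"
  else            puts "json is not pinned in this lockfile"
  end
end
```

Run it against a real lockfile by replacing `SAMPLE_LOCKFILE` with `File.read("Gemfile.lock")`. Note that json is listed as an indirect dependency in this PR, so it may not appear in the Gemfile at all; the lockfile is the place to check.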

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code labels Mar 21, 2026
@mergify mergify Bot added the queued label Mar 21, 2026
mergify Bot added a commit that referenced this pull request Mar 21, 2026

mergify Bot commented Mar 21, 2026

Merge Queue Status

This pull request spent 8 seconds in the queue, including 1 second running CI.

Required conditions to merge
  • base=master
  • status-success=docker-test
  • status-success=hadolint
  • status-success=ruby
  • any of [🛡 GitHub branch protection]:
    • check-neutral = frontend
    • check-skipped = frontend
    • check-success = frontend
  • any of [🛡 GitHub branch protection]:
    • check-neutral = ruby
    • check-skipped = ruby
    • check-success = ruby
  • author=dependabot[bot]

Reason

Pull request #898 has been dequeued

merge conditions unmatch:

  • base=master
  • status-success=docker-test
  • status-success=hadolint
  • status-success=ruby
  • any of [🛡 GitHub branch protection]:
    • check-neutral = frontend
    • check-skipped = frontend
    • check-success = frontend
  • any of [🛡 GitHub branch protection]:
    • check-neutral = ruby
    • check-skipped = ruby
    • check-success = ruby
  • author=dependabot[bot]

Hint

You should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it.
If you do update this pull request, it will automatically be requeued once the queue conditions match again.
If you think this was a flaky issue instead, you can requeue the pull request, without updating it, by posting a @mergifyio queue comment.

@mergify mergify Bot added dequeued and removed queued labels Mar 21, 2026
Bumps [json](https://github.com/ruby/json) from 2.19.1 to 2.19.2.
- [Release notes](https://github.com/ruby/json/releases)
- [Changelog](https://github.com/ruby/json/blob/master/CHANGES.md)
- [Commits](ruby/json@v2.19.1...v2.19.2)

---
updated-dependencies:
- dependency-name: json
  dependency-version: 2.19.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@gildesmarais gildesmarais force-pushed the dependabot/bundler/json-2.19.2 branch from 697a2ef to f18cfa2 Compare March 21, 2026 15:14
@mergify mergify Bot added queued and removed dequeued labels Mar 21, 2026
mergify Bot added a commit that referenced this pull request Mar 21, 2026

mergify Bot commented Mar 21, 2026

Merge Queue Status

This pull request spent 21 hours 44 minutes 16 seconds in the queue, including 35 seconds running CI.

Required conditions to merge
  • check-success=docker-test (false)
  • check-success=docker-test (true)
  • status-success=ruby
  • any of [🛡 GitHub branch protection]:
    • check-neutral = frontend
    • check-skipped = frontend
    • check-success = frontend
  • any of [🛡 GitHub branch protection]:
    • check-neutral = ruby
    • check-skipped = ruby
    • check-success = ruby
  • author=dependabot[bot]
  • base=main
  • status-success=hadolint

Reason

New commits have been added to the draft pull request that were not made by Mergify

Hint

If you want to requeue this pull request, you can post a @mergifyio queue comment.

mergify Bot added a commit that referenced this pull request Mar 22, 2026
@gildesmarais
Member

@dependabot recreate


dependabot Bot commented on behalf of github Mar 22, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.


dependabot Bot commented on behalf of github Mar 22, 2026

Looks like this PR is closed. If the branch still exists, you can re-open the PR and then use @dependabot rebase or @dependabot recreate. If the branch was deleted, Dependabot will create a new PR on the next scheduled run, or you can trigger an update from the Dependency graph page.

@dependabot dependabot Bot deleted the dependabot/bundler/json-2.19.2 branch March 22, 2026 13:00
@mergify mergify Bot added dequeued and removed queued labels Mar 22, 2026