Skip to content

fix(deps): bump json and concurrent-ruby to patch Dependabot security alerts#74

Merged
cypress-exe merged 1 commit into
mainfrom
fix/dependabot-security-updates
Jul 15, 2026
Merged

fix(deps): bump json and concurrent-ruby to patch Dependabot security alerts#74
cypress-exe merged 1 commit into
mainfrom
fix/dependabot-security-updates

Conversation

@cypress-exe

Copy link
Copy Markdown
Owner

Summary

Resolves all 4 open Dependabot security alerts, all in github-pages-site/Gemfile.lock:

Gem From To Alerts
json 2.18.1 2.21.1 #16 (high) — format string injection, patched ≥ 2.19.2
concurrent-ruby 1.3.6 1.3.7 #14 (high) — AtomicReference#update NaN livelock; #13, #15 (low) — read/write lock accounting bugs

Lockfile-only change generated with bundle lock --update json concurrent-ruby; both versions satisfy the existing Gemfile constraints (json ~> 2.6, concurrent-ruby ~> 1.0).

🤖 Generated with Claude Code

Resolves open Dependabot alerts on github-pages-site/Gemfile.lock:
- json 2.18.1 -> 2.21.1 (format string injection, GHSA high; patched >= 2.19.2)
- concurrent-ruby 1.3.6 -> 1.3.7 (AtomicReference NaN livelock, high;
  plus two low-severity lock-accounting issues; all patched in 1.3.7)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@cypress-exe
cypress-exe merged commit fe9f387 into main Jul 15, 2026
6 checks passed
@cypress-exe
cypress-exe deleted the fix/dependabot-security-updates branch July 15, 2026 03:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant