Skip to content

🚨 [security] [ruby] Update cucumber-rails 4.0.1 → 4.1.0 (minor)#5915

Open
depfu[bot] wants to merge 1 commit into
developfrom
depfu/update/cucumber-rails-4.1.0
Open

🚨 [security] [ruby] Update cucumber-rails 4.0.1 → 4.1.0 (minor)#5915
depfu[bot] wants to merge 1 commit into
developfrom
depfu/update/cucumber-rails-4.1.0

Conversation

@depfu

@depfu depfu Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ cucumber-rails (4.0.1 → 4.1.0) · Repo · Changelog

Release Notes

4.1.0

Changed

  • Allow Cucumber 11.x by bumping the runtime dependency cap to < 12 #612

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 55 commits:

↗️ crass (indirect, 1.0.6 → 1.0.7) · Repo · Changelog

Release Notes

1.0.7

Security

  • High: Fixed a denial of service vulnerability in which a large numeric exponent could consume disproportionate CPU and memory before the value was clamped. Exponents are now bounded before 10**exponent is computed. (GHSA-6wmf-3r64-vcwv)

  • Moderate: Fixed a scenario in which deeply nested simple blocks or functions could exhaust the Ruby stack and raise SystemStackError, or could result in excessive memory usage. Parser nesting is now limited to a configurable maximum depth via a new option (:maximum_depth, with a conservative default of 25). Constructs nested more deeply are discarded as an :error node with the value "maximum-depth-exceeded". (GHSA-6jxj-px6v-747w)

  • Moderate: Fixed a scenario in which a long run of adjacent comments could exhaust the Ruby stack and raise SystemStackError. Discarded comments are now skipped iteratively rather than recursively. (GHSA-wwpr-jff3-395c)

  • Moderate: Fixed a denial of service vulnerability in which inputs containing many non-ASCII characters could cause excessive CPU usage due to inefficient handling of multi-byte characters during tokenization. (GHSA-8vfg-2r28-hvhj)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 26 commits:

↗️ cucumber (indirect, 10.2.0 → 11.1.1) · Repo · Changelog

Release Notes

11.1.1

Changed

  • Change to use events to pass the data from "log" and "attach" calls from the step definitions to the formatters. With this the last part of the ancient (pre event) formatter inteface has been removed. (#1881 brasmusson)

Fixed

  • Fixed issue with html-formatter where attachments and envelopes were causing the entire message pool to be blank (#1891) luke-hill
  • Show failed step error details in the summary formatter output
  • Fixed up JRuby examples which weren't running due to anglicisation issues (Pivoted to use English step definitions to help JRuby testing)
  • Fixed up Arabic example which had some incorrect logic for step definition matching (Due to RTL nature of the language)

11.1.0

Added

  • Print thread backtraces on SIGINFO/SIGPWR (#1830) sobrinho
  • Added Suggestion messages that will show all the snippets for all message based formatters (#1870) luke-hill

Changed

  • Heavy refactor to the internals for message building (Used in formatters - should be no noticeable change)
    (#1853 luke-hill)
  • Simplify attachment handling in the MessageBuilder and #attach method

Fixed

  • When someone calls #attach with a hashified output (Instead of JSON); call #to_json before attaching as a stringified JSON response to avoid errors (#1787 luke-hill)
  • Altered the concept of how BeforeAll and AfterAll hooks would run. They now attempt to all run before continuing test execution (#1857 brasmusson)
  • Internal refactor to MessageBuilder class to send envelopes through event bus (Should be no noticeable change)
  • Updated cucumber-compatibility-kit to v24
  • This has only been partially completed so far (With approx 20% of all events refactored)
  • Internal refactor to emit direct message envelopes instead of building messages and then converting them to envelopes (Should be no noticeable change)
  • Introduced new base events class which is slightly more intuitive and leans less on old ruby standards (Should be no noticeable change)

11.0.0

Added

  • Add timestamp to Attachment message
  • Added a new option for running order --reverse which will run the scenarios in reverse order (#1807 luke-hill)
  • A first initial iteration of the new cucumber-query structure (#1801 luke-hill)

This will be used for the migration of all existing formatters - becoming the building blocks for the future of cucumber formatters
which will begin being migrated in the start of 2026

Changed

  • Use the test result type 'ambiguous' added to cucumber-ruby-core when steps are ambiguous
    (#1815) brasmusson)
  • Use the new internal cucumber-query structure for the rerun formatter

This is a very large refactor, but should not change any behaviour. The cucumber-query structure is a new internal structure that is designed to be used by formatters to query
the state of the test run in a more intuitive way.

The rerun formatter was chosen as the first formatter to migrate to this new structure as it is one of the simpler
formatters and will allow us to test the new structure in a real-world scenario.

  • Updated cucumber-compatibility-kit to v22
  • Security: Switched out IO.read for more secure File.read in a few areas of the codebase
  • Implemented the new cucumber-query structure in all message based formatters (Currently HTML / Rerun and Message)
    (#1844 luke-hill)

Fixed

  • Fix crash when Cucumber::Messages::Group#children is nil
  • Fixed a longstanding issue that could affect formatters reporting of retried scenarios (Now each scenario should only be reported once, with the final result of the scenario)
    (#1844 luke-hill)
  • Fixed an issue where the default flags derived in the Options and Configuration classes were not congruent
    (#1846) luke-hill)
  • Fixed an issue where NoMethodError could be raised when declaring a parameter-type that used bound methods
    (#1789)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ cucumber-cucumber-expressions (indirect, 19.0.0 → 19.0.1) · Repo · Changelog

Release Notes

19.0.1

Fixed

  • [.Net] Downgrade dependency fluentassertions to 7.2.0 (#423)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ cucumber-gherkin (indirect, 39.0.0 → 39.1.0) · Repo · Changelog

Release Notes

39.1.0

Added

  • (i18n) Expanded Turkish keywords (#567)

Changed

  • [Ruby, Python, JavaScript, Perl, C++, .NET] Optimise parser class/speed by removing redundant null #detach method (#561).
  • [Ruby] Changed ParserMessageStream to accept keyword arguments allowing the Gherkin class methods to be slightly more optimal (#560).

Fixed

  • [c] Fixed memory leak with respect to the pickle ast ids.
  • [c] Fixed potential read past null terminator. Fixed allocation of more memory than necessary (#559).
  • [PHP] Fix PHP 8.4 deprecation warnings (#550).
  • [cpp] Added missing include guard in parser.hpp (#554)
  • [cpp] Removed unreachable code in parser.hpp (#554)

Removed

  • [Python] Drop support for python 3.9.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ cucumber-html-formatter (indirect, 22.3.0 → 23.1.0) · Repo · Changelog

Release Notes

23.1.0

Changed

  • Upgrade react-components to 24.3.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ cucumber-messages (indirect, 32.2.0 → 32.3.1) · Repo · Changelog

Release Notes

32.3.1

Fixed

  • [Java] Fix broken Javadoc

32.3.0

Added

  • [Java] Annotate constructor arguments with property names (#399

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ pp (indirect, 0.6.3 → 0.6.4) · Repo

Release Notes

0.6.4

What's Changed

  • Add a workflow to sync commits to ruby/ruby by @k0kubun in #62
  • [DOC] Suppress documentation for internals by @nobu in #65
  • Support private instance_variables_to_inspect by @hamajyotan in #70

New Contributors

Full Changelog: v0.6.3...v0.6.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 46 commits:

↗️ rdoc (indirect, 6.3.4.1 → 8.0.0) · Repo · Changelog

Security Advisories 🚨

🚨 RDoc RCE vulnerability with .rdoc_options

An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0.

When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored.

When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.

We recommend to update the RDoc gem to version 6.6.3.1 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:

  • For Ruby 3.0 users: Update to rdoc 6.3.4.1
  • For Ruby 3.1 users: Update to rdoc 6.4.1.1
  • For Ruby 3.2 users: Update to rdoc 6.5.1.1

You can use gem update rdoc to update it. If you are using bundler, please add gem "rdoc", ">= 6.6.3.1" to your Gemfile.

Note: 6.3.4, 6.4.1, 6.5.1 and 6.6.3 have a incorrect fix. We recommend to upgrade 6.3.4.1, 6.4.1.1, 6.5.1.1 and 6.6.3.1 instead of them.

🚨 RDoc RCE vulnerability with .rdoc_options

An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0.

When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored.

When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.

We recommend to update the RDoc gem to version 6.6.3.1 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:

  • For Ruby 3.0 users: Update to rdoc 6.3.4.1
  • For Ruby 3.1 users: Update to rdoc 6.4.1.1
  • For Ruby 3.2 users: Update to rdoc 6.5.1.1

You can use gem update rdoc to update it. If you are using bundler, please add gem "rdoc", ">= 6.6.3.1" to your Gemfile.

Note: 6.3.4, 6.4.1, 6.5.1 and 6.6.3 have a incorrect fix. We recommend to upgrade 6.3.4.1, 6.4.1.1, 6.5.1.1 and 6.6.3.1 instead of them.

🚨 RDoc RCE vulnerability with .rdoc_options

An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0.

When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored.

When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.

We recommend to update the RDoc gem to version 6.6.3.1 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:

  • For Ruby 3.0 users: Update to rdoc 6.3.4.1
  • For Ruby 3.1 users: Update to rdoc 6.4.1.1
  • For Ruby 3.2 users: Update to rdoc 6.5.1.1

You can use gem update rdoc to update it. If you are using bundler, please add gem "rdoc", ">= 6.6.3.1" to your Gemfile.

Note: 6.3.4, 6.4.1, 6.5.1 and 6.6.3 have a incorrect fix. We recommend to upgrade 6.3.4.1, 6.4.1.1, 6.5.1.1 and 6.6.3.1 instead of them.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ zeitwerk (indirect, 2.7.5 → 2.8.2) · Repo · Changelog

Release Notes

2.8.1 (from changelog)

  • Replace anonymous block parameters with regular named ones.

    Ruby 3.3.0 has a bug: it does not parse anonymous block parameters, which were introduced in Ruby 3.1.

    While this is a Ruby bug and people could upgrade to 3.3.1, I prefer users just do not hit this. At the end of the day, it is cosmetic.

2.8.0 (from changelog)

  • Adds support for namespace files, nsfiles for short.

    If a loader has an nsfile configured (nil by default):

    loader.nsfile = 'ns.rb' # must be set before setup

    explicit namespaces can be defined by such special file inside their directories:

    my_component/ns.rb     # MyComponent
    my_component/widget.rb # MyComponent::Widget
    

    This may be handy for self-contained units for which a my_component.rb file in the parent directory would feel unnatural.

    If an nsfile is set, you can still define explicit namespaces as always. Both styles can coexist in the project. However, it is an error condition to try to define the same namespace using both conventions.

    For further details, please check the documentation for nsfiles.

  • When a file is shadowed because the constant path it maps to already exists, the location of said constant is included in the log message.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 43 commits:

🆕 erb (added, 6.0.4)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu Bot added the dependencies Pull requests that update a dependency file label Jul 10, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants