🚨 [security] Update json 2.18.0 → 2.19.2 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ json (indirect, 2.18.0 → 2.19.2) · Repo · Changelog

Security Advisories 🚨

🚨 Ruby JSON has a format string injection vulnerability

Impact

A format string injection vulnerability than that lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents.

This option isn't the default, if you didn't opt-in to use it, you are not impacted.

Patches

Patched in 2.19.2.

Workarounds

The issue can be avoided by not using the allow_duplicate_key: false parsing option.

Release Notes

2.19.2

What's Changed

• Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: v2.19.1...v2.19.2

2.19.1

What's Changed

• Fix a compiler dependent GC bug introduced in 2.18.0.

Full Changelog: v2.19.0...v2.19.1

2.19.0

What's Changed

• Fix allow_blank parsing option to no longer allow invalid types (e.g. load([], allow_blank: true) now raise a type error).
• Add allow_invalid_escape parsing option to ignore backslashes that aren't followed by one of the valid escape characters.

Full Changelog: v2.18.1...v2.19.0

2.18.1

What's Changed

• Fix a potential crash in very specific circumstance if GC triggers during a call to to_json
  without first invoking a user defined #to_json method.

Full Changelog: v2.18.0...v2.18.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 39 commits:

• Release 2.19.2
• Fix a format string injection vulnerability
• Merge pull request #953 from ruby/dependabot/github_actions/actions/create-github-app-token-3
• Bump actions/create-github-app-token from 2 to 3
• Release 2.19.1
• Add missing GC_GUARD in `fbuffer_append_str`
• Release 2.19.0
• fbuffer.h: Use size_t over unsigned long
• Add depth validation to Jruby and TruffleRuby implementations
• Reject negative depth; add overflow guards to prevent hang/crash
• Fix `allow_blank` parsing option to only consider strings.
• Reimplement `to_json` methods in Ruby
• Remove unused load_uint8x16_4 function.
• Use single quotes for allow_invalid_escape doc
• Add `allow_invalid_escape` parsing option
• Remove bignum warnings
• Remove unused method in JSONGeneratorTest
• [DOC] Another link fix
• [DOC] Fix links
• Stop using RB_ALLOCV
• Cleanup function delecarations
• Remove codepaths under !RUBY_INTEGER_UNIFICATION
• Release 2.18.1
• fbuffer_append_str: assume string
• Ensure `Generator::State` is kept on the stack
• Improve class JSON intro
• Extract json_fast_memcpy16 for readability
• Use __builtin_memcpy, if available, to copy overlapping byte ranges in copy_remaining_bytes to avoid a branch to MEMCPY. Additionally use a space as padding byte instead of an 'X' so it can be represented diretly on AArch64 with a single instruction.
• Remove trailing spaces [ci skip]
• initialize search.chunk_end to silence a warning about it being potentially uninitialized
• use a conditional to select SIMD implementation rather than pointer
• Directly write to the output buffer when converting UTF32 to UTF8.
• Merge pull request #921 from nobu/nonportable-code
• Fix non-portable code
• Simplify unescape_unicode
• Keep track of the the number of additional backslashes to avoid an extra memchr searching the remaining characters when no more backslashes exist.
• Add missing documentation for `allow_control_characters` parsing option
• Update `fpconv_dtoa` definition to use `dest[32]`
• Revert "Skip test failing with JRuby in CI"

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (4763359) to head (854567d).

Additional details and impacted files

@@            Coverage Diff            @@
##              main       #82   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           16        16           
  Lines          362       362           
=========================================
  Hits           362       362           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud