Bump activestorage, rails, client_side_validations, client_side_validations-simple_form, elasticsearch, simple_form and solargraph#158

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/bundler/multi-8b39303809

@dependabot dependabot Bot commented on behalf of github Jun 11, 2026

Bumps activestorage, rails, client_side_validations, client_side_validations-simple_form, elasticsearch, simple_form and solargraph. These dependencies needed to be updated together.
Updates activestorage from 6.1.7.7 to 8.1.3

Release notes

Sourced from activestorage's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before:

    hash = {CustomKey.new(123) => "value"}
    hash.to_json # => {"{:id=>123}":"value"}

    After:

    hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Changelog

Sourced from activestorage's changelog.

Rails 8.1.3 (March 24, 2026)

  • Fix ActiveStorage::Blob content type predicate methods to handle nil.

    Daichi KUDO

Rails 8.1.2.1 (March 23, 2026)

  • Filter user supplied metadata in DirectUploadController

    [CVE-2026-33173]

    Jean Boussier

  • Configurable maximum streaming chunk size

    Makes sure that byte ranges for blobs don't exceed 100mb by default. Content ranges that are too big can result in denial of service.

    [CVE-2026-33174]

    Gannon McGibbon

  • Limit range requests to a single range

    [CVE-2026-33658]

    Jean Boussier

  • Prevent path traversal in DiskService.

    DiskService#path_for now raises an InvalidKeyError when passed keys with dot segments (".", ".."), or if the resolved path is outside the storage root directory.

    #path_for also now consistently raises InvalidKeyError if the key is invalid in any way, for example containing null bytes or having an incompatible encoding. Previously, the exception raised may have been ArgumentError or Encoding::CompatibilityError.

    DiskController now explicitly rescues InvalidKeyError with appropriate HTTP status codes.

    [CVE-2026-33195]

    Mike Dalessio

  • Prevent glob injection in DiskService#delete_prefixed.

    Escape glob metacharacters in the resolved path before passing to Dir.glob.

... (truncated)

Commits
  • fa8f081 Preparing for 8.1.3 release
  • 63cef3d Merge branch '8-1-sec' into 8-1-stable
  • 1db4b89 Preparing for 8.1.2.1 release
  • 1c7d1cf Update changelog
  • 8c9676b Prevent glob injection in ActiveStorage DiskService#delete_prefixed
  • 9b06fbc Prevent path traversal in ActiveStorage DiskService
  • d9502f5 Active Storage: Filter user supplied metadata in DirectUploadController
  • 85ec5b1 ActiveStorage::Streaming limit range requests to a single range
  • 42012ea Configurable maxmimum streaming chunk size
  • 064cea7 Merge pull request #56783 from kudoas/fix-activestorage-blob-content-type-nil
  • Additional commits viewable in compare view

Updates rails from 6.1.7.7 to 8.1.3

Release notes

Sourced from rails's releases.

8.1.3

Active Support

  • Fix JSONGemCoderEncoder to correctly serialize custom object hash keys.

    When hash keys are custom objects whose as_json returns a Hash, the encoder now calls to_s on the original key object instead of on the as_json result.

    Before:

    hash = {CustomKey.new(123) => "value"}
    hash.to_json # => {"{:id=>123}":"value"}

    After:

    hash.to_json # => {"custom_123":"value"}

    Dan Sharp

  • Fix inflections to better handle overlapping acronyms.

    ActiveSupport::Inflector.inflections(:en) do |inflect|
      inflect.acronym "USD"
      inflect.acronym "USDC"
    end
    "USDC".underscore # => "usdc"

    Said Kaldybaev

  • Silence Dalli 4.0+ warning when using ActiveSupport::Cache::MemCacheStore.

    zzak

Active Model

  • Fix Ruby 4.0 delegator warning when calling inspect on attributes.

    Hammad Khan

  • Fix NoMethodError when deserialising Type::Integer objects marshalled under Rails 8.0.

    The performance optimisation that replaced @range with @max/@min broke Marshal compatibility. Objects serialised under 8.0 (with @range) and deserialised under 8.1 (expecting @max/@min) would crash with undefined method '<=' for nil because Marshal.load restores instance variables without calling initialize.

... (truncated)

Commits
  • fa8f081 Preparing for 8.1.3 release
  • 63cef3d Merge branch '8-1-sec' into 8-1-stable
  • 1db4b89 Preparing for 8.1.2.1 release
  • 1c7d1cf Update changelog
  • e91694b Update CHANGELOG (8.1 only)
  • 6752711 Fix XSS in debug exceptions copy-to-clipboard
  • 63f5ad8 Skip blank attribute names in Action View tag helpers
  • 8c9676b Prevent glob injection in ActiveStorage DiskService#delete_prefixed
  • 9b06fbc Prevent path traversal in ActiveStorage DiskService
  • ec1a0e2 Improve performance of NumberToDelimitedConverter
  • Additional commits viewable in compare view

Updates client_side_validations from 18.1.0 to 24.0.0

Release notes

Sourced from client_side_validations's releases.

v24.0.0

What's Changed

Full Changelog: DavyJonesLocker/client_side_validations@v23.1.0...v24.0.0

v23.1.0

What's Changed

Full Changelog: DavyJonesLocker/client_side_validations@v23.0.0...v23.1.0

v23.0.0

What's Changed

... (truncated)

Changelog

Sourced from client_side_validations's changelog.

24.0.0 / 2026-04-19

  • [FEATURE] Breaking change: Remove the jQuery runtime dependency and the old jQuery plugin aliases from the published JavaScript assets
  • [FEATURE] Breaking change: Public JavaScript APIs now work with native DOM elements and DOM collections instead of jQuery-wrapped objects
  • [ENHANCEMENT] Use native browser events and event listeners throughout the runtime and test harness

23.1.0 / 2026-01-27

  • [FEATURE] Add jQuery 4.0.0 compatibility

23.0.0 / 2026-01-07

  • [FEATURE] Breaking change: Add csv prefix to CSV related data attributes:
    • data-changed => data-csv-changed
    • data-valid => data-csv-valid
    • data-validate => data-csv-validate
  • [FEATURE] Use data attributes instead of jQuery.data()
  • [FEATURE] Drop Internet Explorer and other older browsers support
  • [FEATURE] Drop Ruby < 3.2
  • [FEATURE] Drop Rails < 7.2
  • [FEATURE] Drop jQuery < 3.7.1 Compatibility
  • [BUGFIX] Allow proc values in length validator options
  • [ENHANCEMENT] Update QUnit to 2.25.0
  • [ENHANCEMENT] Test against Ruby 3.4 and 4.0
  • [ENHANCEMENT] Match node package version with gem version

22.3.1 / 2025-01-29

  • [BUGFIX] form_with default argument exception on Rails 8.0 (#974)

22.3.0 / 2024-11-12

  • [FEATURE] Rails 8.0 compatibility
  • [ENHANCEMENT] Update QUnit to 2.22.0

22.2.0 / 2024-06-01

  • [FEATURE] Allow Rails 8.0 alpha
  • [ENHANCEMENT] Test against Ruby 3.3
  • [ENHANCEMENT] Update QUnit to 2.21.0

22.1.1 / 2023-10-08

  • [BUGFIX] Fix a bug with missing translations (#920)

22.1.0 / 2023-10-05

  • [FEATURE] Rails 7.1 compatibility

22.0.0 / 2023-09-02

... (truncated)

Commits

Updates client_side_validations-simple_form from 13.0.0 to 18.0.0

Release notes

Sourced from client_side_validations-simple_form's releases.

v18.0.0

What's Changed

Full Changelog: DavyJonesLocker/client_side_validations-simple_form@v17.0.0...v18.0.0

Changelog

Sourced from client_side_validations-simple_form's changelog.

18.0.0 / 2026-04-19

  • [FEATURE] Breaking change: Align the Simple Form JavaScript hooks with the DOM-first ClientSideValidations runtime
  • [ENHANCEMENT] Remove jQuery-specific assumptions from the browser test harness and documentation

17.0.0 / 2026-01-07

  • [FEATURE] Drop Internet Explorer and other older browsers support
  • [FEATURE] Drop CSV < 23 compatibility
  • [FEATURE] Drop Ruby < 3.2 compatibility
  • [ENHANCEMENT] Test against Ruby 3.3, 3.4, and 4.0
  • [ENHANCEMENT] Update QUnit to 2.25.0
  • [ENHANCEMENT] Match node package version with gem version

16.0.0 / 2023-09-02

  • [FEATURE] Do not require jQuery
  • [ENHANCEMENT] Test against Ruby 3.2
  • [ENHANCEMENT] Update QUnit to 2.19.4
  • [FEATURE] Drop support to Ruby 2.6
  • [FEATURE] Drop support to CSV < 22.0

15.0.0 / 2022-09-18

  • [FEATURE] Drop Ruby 2.5 support
  • [FEATURE] Drop Client Side Validations < 21.0 compatibility
  • [ENHANCEMENT] Test against jQuery 3.6.1 by default
  • [ENHANCEMENT] Update QUnit to 2.19.1
  • [ENHANCEMENT] Update development dependencies

14.1.0 / 2021-12-16

  • [FEATURE] Add Client Side Validations 20.0 compatibility
  • [ENHANCEMENT] Update development dependencies

14.0.1 / 2021-11-15

  • [ENHANCEMENT] Require MFA to publish gems
  • [ENHANCEMENT] Update development dependencies

14.0.0 / 2021-10-01

  • [FEATURE] Drop Ruby 2.4 support
  • [FEATURE] Drop Rails 5.0 and 5.1 support
  • [FEATURE] Drop legacy browsers support (including IE8 and IE9)
  • [FEATURE] Drop Yarn < 1.19 and Node < 12.0 support
  • [FEATURE] Add JavaScript sources to node package
  • [ENHANCEMENT] Minor JS Refactor
  • [ENHANCEMENT] Update development dependencies
  • [ENHANCEMENT] Update QUnit to 2.17.2

Commits
  • f022fa0 Align Simple Form with the DOM-first runtime (#204)
  • 79a71d9 Merge pull request #203 from DavyJonesLocker/release/17_0_0
  • c7bf89f Bump up version
  • c588762 Merge pull request #202 from DavyJonesLocker/chore/drop-eol
  • 3e10b06 Drop EOL dependencies
  • ae90eda Merge pull request #201 from DavyJonesLocker/chore/ruby4
  • 4e52fe1 Test against Ruby 4
  • fbd629f Merge pull request #200 from DavyJonesLocker/chore/update-dependencies
  • 1c52094 Update dependencies
  • cbb5891 Merge pull request #197 from DavyJonesLocker/chore/update-dependencies
  • Additional commits viewable in compare view

Updates elasticsearch from 8.19.0 to 8.19.3

Release notes

Sourced from elasticsearch's releases.

v8.19.3

  • Dev: This release replaces the deprecated artifacts API with a new up to date one Pull Request. This is used for downloading the REST tests and specification from Elasticsearch in development.
  • Dev: The 8.19 branch now tests for Ruby 4.0, so the gems ostruct and benchmark have been added to Gemfiles when RUBY_VERSION >= '4'.

API Changes

  • Code updated to the latest Elasticsearch 8.19.11 specification.

  • General source code documentation updates.

  • indices.data_streams_stats - New parameter: [List] :expand_wildcards Whether to expand wildcard expressions to concrete data stream names that are open, closed or both. (options: all, closed, hidden, none, open)

  • Inference APIs add [Time] :timeout parameter:

    • inference.chat_completion_unified
    • inference.completion
    • inference.inference
    • inference.put
    • inference.put_alibabacloud
    • inference.put_amazonbedrock
    • inference.put_amazonsagemaker
    • inference.put_anthropic
    • inference.put_azureaistudio
    • inference.put_azureopenai
    • inference.put_cohere
    • inference.put_deepseek
    • inference.put_elasticsearch
    • inference.put_elser
    • inference.put_googleaistudio
    • inference.put_googlevertexai
    • inference.put_hugging_face
    • inference.put_jinaai
    • inference.put_mistral
    • inference.put_openai
    • inference.put_voyageai
    • inference.put_watsonx
  • Update for ml.infer_trained_model_path: /_ml/trained_models/{model_id}/deployment/_infer is deprecated since version 8.2.0. The code has been updated to use /_ml/trained_models/{model_id}/_infer instead. The response object is different and will return:

{
  "inference_results":
  [
    {"predicted_value": [[1.0,1.0]]}
  ]
}

Instead of:

{"predicted_value": [[1.0,1.0]]}

... (truncated)

Commits
  • 6e00844 Bumps version to 8.19.3, updates CHANGELOG
  • a0bc7de Bumps stack to version 8.19.11-SNAPSHOT
  • bddaef1 Adds ostruct gem if Ruby version >= 4
  • 8c77143 [CI] Updates Ruby versions
  • a8009af [Tests] Updates skipped REST API tests
  • d1da5d6 [API] Updates ml.infer_trained_model path
  • fee1395 [API] Updates build hash, auto generated code
  • 88b4337 [Tests] Allow running single test in YAML test
  • 74ff0b1 Auto-generated API code
  • 787fd60 Bumps stack to version 8.19.10-SNAPSHOT
  • Additional commits viewable in compare view

Updates simple_form from 5.2.0 to 5.4.1

Release notes

Sourced from simple_form's releases.

v5.4.1

https://github.com/heartcombo/simple_form/blob/v5.4.1/CHANGELOG.md

v5.4.0

https://github.com/heartcombo/simple_form/blob/v5.4.0/CHANGELOG.md

v5.3.0

No release notes provided.

Changelog

Sourced from simple_form's changelog.

5.4.1

  • Ruby 4.0 support (no changes required)
  • Support procs on validators for minlength/maxlength, and improve validators logic across the board to match Rails #1859

5.4.0

  • Add support for Ruby 3.4 and Rails 7.2/8.0/8.1. (no changes required)
  • Drop support for Rails < 7 and Ruby < 2.7.
  • Add weekday input. #1846
  • Remove redundant aria-required attribute for required fields. #1823
  • Integrate :rich_text_area with placeholders #1842
  • Fix encrypted attributes improperly casted (later fixed in Rails) #1836
  • Pass base object to human_attribute_name in labels #1812

5.3.1

  • Revert "Speed up input mapping lookup by avoiding rescuing exceptions" from v5.3.0, it caused a regression on dev/test environments with custom inputs.
  • Try a slightly different approach to input lookups, without relying on regexp, to see if that helps with performance as originally intended.
  • Add support to Ruby 3.3. (no changes required.)

5.3.0

  • Add support for Rails 7.1. (no meaningful changes required.)
  • Add SimpleForm.deprecator to integrate with new application deprecators in Rails 7.1.
  • Remove test files from the gem package. @orien
  • Speed up input mapping lookup by avoiding rescuing exceptions. @meanphil @kriom @egeek

Commits
  • 2df5c7d Release v5.4.1
  • f231160 Stop updating copyright every year [ci skip]
  • 55e66f1 Exclude Rails main + Ruby 3.2
  • 9dce1a0 Handle length validator with procs, improve validators support (#1859)
  • 584127a Test with Ruby 4.0
  • c13176e Make rdoc a dev dependency on the gemspec
  • ef3e121 Bundle update
  • 44384d3 Test with the released version of v7.0
  • ac606d7 Add version to changelog (oops!) [ci skip]
  • 9e7c934 Release v5.4.0
  • Additional commits viewable in compare view

Updates solargraph from 0.56.0 to 0.59.2

Changelog

Sourced from solargraph's changelog.

0.59.2 - May 22, 2026

  • Convert RBS implicit nil annotations (#1197)
  • Temporary job stubs (#1200)
  • Limit pin combination to doc maps (#1195)
  • Ignore literal values in type inference (#1201)
  • Fix for clips with flaky node recipients

0.59.1 - May 18, 2026

  • Fix signatureHelp bug (#1185)
  • Linting fixes for Ruby 3.1 (#1193)
  • Parameters shadow local variables with same name (#1192)

0.59.0 - May 13, 2026

  • Ensure pathname is required for rbs in shell caching processes (#1183)
  • Pre-release branch 2026-01-12 (#1152)
  • 2026-01-27 dev branch (#1165)
  • Position linting (#1179)
  • Revert YARD and RBS pin caching (#1180)
  • Ensure pathname is required for rbs in shell caching processes (#1183)
  • Limit default include glob to current directory (#1184)
  • Require Ruby >= 3.1.0
  • Require RBS >= 3.10.0
  • Stub combine_same_type_arity_signatures (#1186)

0.58.3 - March 9, 2026

  • Ignore workspace dependencies in cache processes (#1174)

0.58.2 - January 19, 2026

  • Avoid rbs pollution (#1146)
  • Fix 'solargraph pin --references ClassName' private method call (#1150)
  • Improve memory efficiency of Position class (#1054)
  • Raise InvalidOffsetError for offsets > text (#1155)

0.58.1 - January 2, 2026

  • Normalize line endings to LF (#1142)

0.58.0 - January 1, 2026

  • Faster constant resolution (#1083)
  • [regression] Handle RBS static method aliases (#1094)
  • More type fills and shims (#1005)
  • Fix resolution in blocks in type checker (#890)
  • Annotation fixes for strong typechecking (#1057)
  • Remove dead code (#1077)
  • Fix flakey spec (#1080)
  • Fix bad sexpr generation in op_asgn (#1089)
  • Opt-in for MFA requirement (#730)
  • [regression] Fix resolution issues with namespaces from YARD (#1097)
  • Improve a pin combination case around selfy types (#1024)
  • Rescue reference errors in hosts (#1105)
  • Relax bundler runtime dependency version constraint to support newer versions (#1125)

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file ruby Pull requests that update Ruby code labels Jun 11, 2026
…ations-simple_form, elasticsearch, simple_form and solargraph

Bumps [activestorage](https://github.com/rails/rails), [rails](https://github.com/rails/rails), [client_side_validations](https://github.com/DavyJonesLocker/client_side_validations), [client_side_validations-simple_form](https://github.com/DavyJonesLocker/client_side_validations-simple_form), [elasticsearch](https://github.com/elastic/elasticsearch-ruby), [simple_form](https://github.com/heartcombo/simple_form) and [solargraph](https://github.com/castwide/solargraph). These dependencies needed to be updated together.

Updates `activestorage` from 6.1.7.7 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activestorage/CHANGELOG.md)
- [Commits](rails/rails@v6.1.7.7...v8.1.3)

Updates `rails` from 6.1.7.7 to 8.1.3
- [Release notes](https://github.com/rails/rails/releases)
- [Commits](rails/rails@v6.1.7.7...v8.1.3)

Updates `client_side_validations` from 18.1.0 to 24.0.0
- [Release notes](https://github.com/DavyJonesLocker/client_side_validations/releases)
- [Changelog](https://github.com/DavyJonesLocker/client_side_validations/blob/main/CHANGELOG.md)
- [Commits](DavyJonesLocker/client_side_validations@v18.1.0...v24.0.0)

Updates `client_side_validations-simple_form` from 13.0.0 to 18.0.0
- [Release notes](https://github.com/DavyJonesLocker/client_side_validations-simple_form/releases)
- [Changelog](https://github.com/DavyJonesLocker/client_side_validations-simple_form/blob/main/CHANGELOG.md)
- [Commits](DavyJonesLocker/client_side_validations-simple_form@v13.0.0...v18.0.0)

Updates `elasticsearch` from 8.19.0 to 8.19.3
- [Release notes](https://github.com/elastic/elasticsearch-ruby/releases)
- [Changelog](https://github.com/elastic/elasticsearch-ruby/blob/main/CHANGELOG.md)
- [Commits](elastic/elasticsearch-ruby@v8.19.0...v8.19.3)

Updates `simple_form` from 5.2.0 to 5.4.1
- [Release notes](https://github.com/heartcombo/simple_form/releases)
- [Changelog](https://github.com/heartcombo/simple_form/blob/main/CHANGELOG.md)
- [Commits](heartcombo/simple_form@v5.2.0...v5.4.1)

Updates `solargraph` from 0.56.0 to 0.59.2
- [Changelog](https://github.com/castwide/solargraph/blob/master/CHANGELOG.md)
- [Commits](castwide/solargraph@v0.56.0...v0.59.2)

---
updated-dependencies:
- dependency-name: activestorage
  dependency-version: 8.1.3
  dependency-type: direct:production
- dependency-name: client_side_validations
  dependency-version: 24.0.0
  dependency-type: direct:production
- dependency-name: client_side_validations-simple_form
  dependency-version: 18.0.0
  dependency-type: direct:production
- dependency-name: elasticsearch
  dependency-version: 8.19.3
  dependency-type: direct:production
- dependency-name: rails
  dependency-version: 8.1.3
  dependency-type: direct:production
- dependency-name: simple_form
  dependency-version: 5.4.1
  dependency-type: direct:production
- dependency-name: solargraph
  dependency-version: 0.59.2
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/bundler/multi-8b39303809 branch from 79645b0 to ae06c6f Compare June 11, 2026 11:11
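
The DiskService hardening listed in the Active Storage 8.1.2.1 changelog above (rejecting dot segments and null bytes, checking that the resolved path stays under the storage root, escaping glob metacharacters before `Dir.glob`) can be sketched as follows. This is an added example, not the Rails implementation or code from this pull request; `SketchDiskStore`, `escape_glob` and the file names used with it are hypothetical, and only the `InvalidKeyError` name comes from the changelog.

```ruby
# Added illustration, not Rails source. SketchDiskStore and escape_glob are
# hypothetical names; only the InvalidKeyError name appears in the changelog.
require "tmpdir"
require "fileutils"

class InvalidKeyError < StandardError; end

class SketchDiskStore
  # Characters Dir.glob treats specially, plus the escape character itself.
  GLOB_META = /[\\*?\[\]{}]/

  attr_reader :root

  def initialize(root)
    @root = File.realpath(root)
  end

  # Map a storage key to a path under root. Every rejection raises the same
  # error class so callers can rescue one exception and return one status.
  def path_for(key)
    key = String(key)
    raise InvalidKeyError, "invalid encoding" unless key.valid_encoding?
    raise InvalidKeyError, "empty key" if key.empty?
    raise InvalidKeyError, "null byte in key" if key.include?("\0")
    if key.split(%r{[/\\]}).any? { |seg| seg == "." || seg == ".." }
      raise InvalidKeyError, "dot segment in key"
    end

    # Second, independent check: the normalised path must sit below root.
    path = File.expand_path(File.join(root, key))
    unless path.start_with?(root + File::SEPARATOR)
      raise InvalidKeyError, "key resolves outside the storage root"
    end
    path
  end

  # Backslash-escape glob metacharacters so the prefix matches literally.
  def escape_glob(path)
    path.gsub(GLOB_META) { |c| "\\#{c}" }
  end

  # Delete entries whose name starts with the literal prefix; returns the
  # basenames removed. Without escape_glob, "report[1]" would be read as a
  # character class and match "report1..." instead of "report[1]...".
  def delete_prefixed(prefix)
    matches = Dir.glob(escape_glob(path_for(prefix)) + "*")
    FileUtils.rm_rf(matches)
    matches.map { |p| File.basename(p) }.sort
  end
end
```

`File.expand_path` normalises the path but does not resolve symlinks, so this sketch does not cover a symlink placed inside the storage root.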