build(deps): bump concurrent-ruby from 1.3.5 to 1.3.7 #999
dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [concurrent-ruby](https://github.com/ruby-concurrency/concurrent-ruby) from 1.3.5 to 1.3.7.
- [Release notes](https://github.com/ruby-concurrency/concurrent-ruby/releases)
- [Changelog](https://github.com/ruby-concurrency/concurrent-ruby/blob/master/CHANGELOG.md)
- [Commits](ruby-concurrency/concurrent-ruby@v1.3.5...v1.3.7)

---
updated-dependencies:
- dependency-name: concurrent-ruby
  dependency-version: 1.3.7
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Up to standards ✅🟢
Pull Request Overview
This PR updates concurrent-ruby to version 1.3.7, effectively addressing CVE-2026-54904, CVE-2026-54905, and CVE-2026-54906. Although the codebase is up to standards, the lockfile contains a nokogiri dependency with a known security vulnerability (GHSA-5prr-v3j2-97mh) related to an out-of-bounds read. Furthermore, there is an implementation gap regarding automated regression testing for thread pool behavior and concurrent logic, which is necessary to ensure stability after the update.
1 comment outside of the diff
Gemfile.lock, line 179 🟡 MEDIUM RISK
The nokogiri gem has a known security vulnerability (GHSA-5prr-v3j2-97mh) involving a possible out-of-bounds read in Nokogiri::XML::NodeSet#[]. This flaw can lead to application crashes or information disclosure when processing untrusted XML or HTML content.
Test suggestions
- Execute regression tests to ensure that the bump to concurrent-ruby 1.3.7 does not negatively impact existing concurrent logic or thread pool behavior.
Bumps concurrent-ruby from 1.3.5 to 1.3.7.
Commits
- 4c8fc28 Release 1.3.7
- d91ca94 Fix AtomicReference#update livelock when stored value is Float::NAN on JRuby ...
- 7e4d711 Fix ReentrantReadWriteLock read hold overflow into write-lock bit
- 6e37e06 Fix AtomicReference#update livelock when stored value is Float::NAN
- 2825cfa Cleanup spec
- 3fd4932 Fix ReadWriteLock wrong-thread write release and stray read release
- 1974b47 Add Ruby 4.0 in CI
- df8706d Add SECURITY.md (#1104)
- 7a1b789 Bump actions/upload-pages-artifact from 4 to 5
- 9b2dbf7 Bump actions/deploy-pages from 4 to 5

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.
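The commit list in the PR description names a fix for `AtomicReference#update` livelocking when the stored value is `Float::NAN`, and the review asks for regression coverage of concurrent logic. The block below is an added illustration written for this page, not concurrent-ruby's code or its patch: a toy compare-and-set (CAS) reference in plain Ruby whose update loop is bounded, so a livelock shows up as "gave up after N attempts" instead of hanging a test run. It assumes the usual IEEE 754 fact that `NaN == NaN` is false, which is why a CAS that compares numeric values with `==` can never succeed once the stored value is NaN; whether that is the exact mechanism the gem fixed is an assumption, not something the page states. The class and helper names (`ToyAtomicReference`, `nan_update_attempts`, `plain_update`) are hypothetical.

```ruby
# Added illustration, not concurrent-ruby's code: a toy compare-and-set (CAS)
# reference in plain Ruby. It shows why an update loop whose CAS compares
# numeric values with == can never make progress once the stored value is
# Float::NAN (NaN == NaN is false under IEEE 754), and one NaN-aware
# comparison that lets the loop finish. The root-cause framing is an
# assumption drawn from IEEE semantics, not a statement about the gem's patch.

class ToyAtomicReference
  MAX_ATTEMPTS = 1_000 # bound the retry loop so a livelock shows up as "gave up"

  # compare: :value_equality (plain ==) or :nan_aware (any NaN matches any NaN)
  def initialize(value, compare: :value_equality)
    @mutex = Mutex.new
    @value = value
    @compare = compare
  end

  def get
    @mutex.synchronize { @value }
  end

  # Replace the stored value only if it still matches what the caller last saw.
  def compare_and_set(expected, new_value)
    @mutex.synchronize do
      if same?(@value, expected)
        @value = new_value
        true
      else
        false
      end
    end
  end

  # Optimistic update in the style of AtomicReference#update: read, compute,
  # CAS, retry on failure. Returns [new_value, attempts]; new_value is nil when
  # the loop gave up after MAX_ATTEMPTS failed CAS operations.
  def update
    attempts = 0
    while attempts < MAX_ATTEMPTS
      attempts += 1
      old = get
      new_value = yield(old)
      return [new_value, attempts] if compare_and_set(old, new_value)
    end
    [nil, attempts]
  end

  private

  def same?(current, expected)
    case @compare
    when :value_equality
      current == expected                     # NaN == NaN is false: CAS on a NaN never succeeds
    when :nan_aware
      if current.is_a?(Float) && current.nan?
        expected.is_a?(Float) && expected.nan? # any NaN matches any NaN
      else
        current == expected
      end
    else
      raise ArgumentError, "unknown compare mode #{@compare.inspect}"
    end
  end
end

# Run one update that replaces a stored NaN with 0.0 and report how many CAS
# attempts it took; MAX_ATTEMPTS means the loop never made progress (livelock).
def nan_update_attempts(compare)
  ref = ToyAtomicReference.new(Float::NAN, compare: compare)
  _value, attempts = ref.update { |old| old.nan? ? 0.0 : old + 1.0 }
  attempts
end

# Ordinary numeric update for contrast: succeeds on the first CAS either way.
def plain_update(compare)
  ToyAtomicReference.new(1.0, compare: compare).update { |old| old + 1.0 }
end

if __FILE__ == $PROGRAM_NAME
  puts "== on NaN:        #{nan_update_attempts(:value_equality)} attempts (gave up)"
  puts "NaN-aware on NaN: #{nan_update_attempts(:nan_aware)} attempt"
  puts "plain update:     #{plain_update(:value_equality).inspect}"
end
```

A real regression spec for this bump would assert on `Concurrent::AtomicReference` itself (store `Float::NAN`, call `update`, and require it to return within a timeout); the toy class here only stands in for the gem so the failure mode can be shown without it installed, and the bounded loop is the pattern worth copying so a reintroduced livelock fails the suite rather than stalling CI.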