🚨 [security] Update json 2.18.1 → 2.19.2 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ json (indirect, 2.18.1 → 2.19.2) · Repo · Changelog

Security Advisories 🚨

🚨 Ruby JSON has a format string injection vulnerability

Impact

A format string injection vulnerability than that lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents.

This option isn't the default, if you didn't opt-in to use it, you are not impacted.

Patches

Patched in 2.19.2.

Workarounds

The issue can be avoided by not using the allow_duplicate_key: false parsing option.

Release Notes

2.19.2

What's Changed

• Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: v2.19.1...v2.19.2

2.19.1

What's Changed

• Fix a compiler dependent GC bug introduced in 2.18.0.

Full Changelog: v2.19.0...v2.19.1

2.19.0

What's Changed

• Fix allow_blank parsing option to no longer allow invalid types (e.g. load([], allow_blank: true) now raise a type error).
• Add allow_invalid_escape parsing option to ignore backslashes that aren't followed by one of the valid escape characters.

Full Changelog: v2.18.1...v2.19.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 22 commits:

• Release 2.19.2
• Fix a format string injection vulnerability
• Merge pull request #953 from ruby/dependabot/github_actions/actions/create-github-app-token-3
• Bump actions/create-github-app-token from 2 to 3
• Release 2.19.1
• Add missing GC_GUARD in `fbuffer_append_str`
• Release 2.19.0
• fbuffer.h: Use size_t over unsigned long
• Add depth validation to Jruby and TruffleRuby implementations
• Reject negative depth; add overflow guards to prevent hang/crash
• Fix `allow_blank` parsing option to only consider strings.
• Reimplement `to_json` methods in Ruby
• Remove unused load_uint8x16_4 function.
• Use single quotes for allow_invalid_escape doc
• Add `allow_invalid_escape` parsing option
• Remove bignum warnings
• Remove unused method in JSONGeneratorTest
• [DOC] Another link fix
• [DOC] Fix links
• Stop using RB_ALLOCV
• Cleanup function delecarations
• Remove codepaths under !RUBY_INTEGER_UNIFICATION

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 80.26%. Comparing base (53ef016) to head (2bf6011).
⚠️ Report is 2 commits behind head on develop.

Additional details and impacted files

@@           Coverage Diff            @@
##           develop     #660   +/-   ##
========================================
  Coverage    80.26%   80.26%           
========================================
  Files           75       75           
  Lines         1140     1140           
========================================
  Hits           915      915           
  Misses         225      225           

Flag	Coverage Δ
pull_request	80.26% <ø> (ø)
push	80.26% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.