build(deps): bump the ruby-deps group with 13 updates

[dependabot]

Bumps the ruby-deps group with 13 updates:

Package	From	To
rake	13.3.1	13.4.2
nokogiri	1.19.2	1.19.3
aws-sdk-s3	1.218.0	1.220.0
aws-sdk-s3control	1.128.0	1.129.0
parallel	1.27.0	2.1.0
async	2.38.1	2.39.0
aws-partitions	1.1233.0	1.1243.0
aws-sdk-core	3.244.0	3.246.0
aws-sdk-kms	1.123.0	1.124.0
bigdecimal	4.1.0	4.1.2
io-event	1.14.5	1.15.1
json	2.19.3	2.19.4
mime-types-data	3.2026.0331	3.2026.0414

Updates rake from 13.3.1 to 13.4.2

Commits

• 503b8ec v13.4.2
• 46038e7 Merge pull request #723 from ruby/fix/testopts-preserve-existing-value
• 604a3d9 Isolate TESTOPTS env in TestRakeTestTask setup/teardown
• 5886caa Preserve ENV["TESTOPTS"] when verbose is enabled
• 92193ac v13.4.1
• b74be0b Merge pull request #721 from ruby/fix/add-options-to-gemspec
• 829f66d Add lib/rake/options.rb to gemspec
• 2d55bc4 v13.4.0
• 1415070 Exclude dependabot updates from release note
• b3dc948 Merge pull request #713 from pvdb/simplify_standard_system_dir
• Additional commits viewable in compare view

Updates nokogiri from 1.19.2 to 1.19.3

Release notes

Sourced from nokogiri's releases.

v1.19.3 / 2026-04-27

Fixed / Security

• Address exponential regex backtracking in CSS selector tokenizer. See GHSA-c4rq-3m3g-8wgx for more information.
• [CRuby] Address memory leak in XSLT::Stylesheet#transform. See GHSA-v2fc-qm4h-8hqv for more information.

46b89e5d7b9e844c2ee360794240c6ea2a4e6fa0c5892a4ed487db621224b639  nokogiri-1.19.3-aarch64-linux-gnu.gem
8392dfdcd21be7a94dbbe9ccc138dea01b97b24cb2dc02a114ca98bfb1d9a0b7  nokogiri-1.19.3-aarch64-linux-musl.gem
3919d5ffc334ad778a4a9eb88fda7dcb8b1fb58c8a52ac640c6dcd2f038e774f  nokogiri-1.19.3-arm-linux-gnu.gem
9ce1cb6346bb9c67b1550eb537aa183ead91e4b6eadb2f36ade02d8dd2a79fb6  nokogiri-1.19.3-arm-linux-musl.gem
71b9bd424b1b7abc18b05052a1a3cfd3627abdca62be280854cc411791357e42  nokogiri-1.19.3-arm64-darwin.gem
40ea6ebf5cf2005dae1dee26dd557d3afb41fb6de6c9764aca8cf06fdb841db1  nokogiri-1.19.3-java.gem
8bb7132cad356c879a1286eaabcb5e68326cb2490317984280fbc62f456d506a  nokogiri-1.19.3-x64-mingw-ucrt.gem
77f3fba57d46c53ab31e62fc6c28f705109d1bf6264356c76f132b2be5728d4d  nokogiri-1.19.3-x86_64-darwin.gem
2f5078620fe12e83669b5b17311b32532a8153d02eee7ad06948b926d6080976  nokogiri-1.19.3-x86_64-linux-gnu.gem
248c906d2166eca5efb56d52fdee5f9a1f51d69a72e2b64fdac647b4ce39ea3f  nokogiri-1.19.3-x86_64-linux-musl.gem
78312cbac32a40c812780d9678221b79d51288eec00054c1a8d15f7ce05960e8  nokogiri-1.19.3.gem

Changelog

Sourced from nokogiri's changelog.

v1.19.3 / 2026-04-27

Fixed / Security

• Address exponential regex backtracking in CSS selector tokenizer. See GHSA-c4rq-3m3g-8wgx for more information.
• [CRuby] Address memory leak in XSLT::Stylesheet#transform. See GHSA-v2fc-qm4h-8hqv for more information.

Commits

• c139a3d version bump to v1.19.3
• 7501a63 fix: backtracking in CSS tokenizer rules (v1.19.x backport) (#3627)
• 03e7968 test: skip CSS tokenizer benchmarks on JRuby
• b984b7e fix: ReDoS in CSS tokenizer ident rule
• 0092623 fix: ReDoS in CSS tokenizer STRING rule
• ee17d33 fix: memory leak in XSLT transform (backport to v1.19.x) (#3624)
• ce188a3 doc: update CHANGELOG
• caeaac4 fix: memory leak in XSLT transform
• 25220bf dep(test): test against libxml-ruby v6 (#3618)
• 0caeb21 doc: add security warnings for untrusted XSLT stylesheets
• See full diff in compare view

Updates aws-sdk-s3 from 1.218.0 to 1.220.0

Changelog

Sourced from aws-sdk-s3's changelog.

1.220.0 (2026-04-22)

• Feature - This release adds five additional checksum algorithms for S3 data integrity (MD5, SHA-512, XXHash3, XXHash64, XXHash128) and support for S3 Inventory on directory buckets (S3 Express One Zone).

1.219.0 (2026-04-07)

• Feature - Updated list of the valid AWS Region values for the LocationConstraint parameter for general purpose buckets.

Commits

• See full diff in compare view

Updates aws-sdk-s3control from 1.128.0 to 1.129.0

Changelog

Sourced from aws-sdk-s3control's changelog.

1.129.0 (2026-04-22)

• Feature - This release adds support for five additional checksum algorithms for data integrity checking in Amazon S3 - MD5, SHA-512, XXHash3, XXHash64, and XXHash128.

Commits

• See full diff in compare view

Updates parallel from 1.27.0 to 2.1.0

Changelog

Sourced from parallel's changelog.

2.1.0

Added

• support different serializers
• support for HMac verified serializer to secure hardened environments

2.0.1

Added

• require mfa for gem release

2.0.0

Changed

• Require Ruby >= 3.3
• Add Ruby 4 Ractor support

1.28.0

Fixed

• Dump undumpable exceptions without cause if that fixes the issue

Commits

• cd5ba09 v2.1.0
• 71eb9a3 Merge pull request #373 from grosser/grosser/hmac
• 1fdf79a prevent pipe injection
• fa1cc25 Merge pull request #372 from tagliala/chore/remove-regex-match
• 9aed9a4 Prefer String#include? and match? over =~
• de62c89 Merge pull request #371 from tagliala/chore/remove-old-spec
• 1df9204 Remove stale Darwin hwprefs spec
• d20c207 Merge pull request #368 from grosser/grosser/speed
• a55c3bc speed up tests
• f9c570b v2.0.1
• Additional commits viewable in compare view

Updates async from 2.38.1 to 2.39.0

Release notes

Sourced from async's releases.

v2.39.0

• Async::Barrier#wait now returns the number of tasks that were waited for, or nil if there were no tasks to wait for. This provides better feedback about the operation, and allows you to know how many tasks were involved in the wait.

Changelog

Sourced from async's changelog.

v2.39.0

• Async::Barrier#wait now returns the number of tasks that were waited for, or nil if there were no tasks to wait for. This provides better feedback about the operation, and allows you to know how many tasks were involved in the wait.

Commits

• 886d62c Bump minor version.
• 2c89c3f Make the test more robust.
• 751b6aa Barrier waits return nil or number of tasks waited on.
• 7f00f35 Break the cycle between the task and the fiber as early as possible.
• See full diff in compare view

Updates aws-partitions from 1.1233.0 to 1.1243.0

Changelog

Sourced from aws-partitions's changelog.

1.1243.0 (2026-04-30)

• Feature - Updated the partitions source data the determines the AWS service regions and endpoints.

1.1242.0 (2026-04-29)

• Feature - Updated the partitions source data the determines the AWS service regions and endpoints.

1.1241.0 (2026-04-24)

• Feature - Updated the partitions source data the determines the AWS service regions and endpoints.

1.1240.0 (2026-04-17)

• Feature - Updated the partitions source data the determines the AWS service regions and endpoints.

1.1239.0 (2026-04-16)

• Feature - Updated the partitions source data the determines the AWS service regions and endpoints.

1.1238.0 (2026-04-13)

• Feature - Added support for enumerating regions for Aws::Interconnect.

1.1237.0 (2026-04-08)

• Feature - Added support for enumerating regions for Aws::MarketplaceDiscovery.

1.1236.0 (2026-04-07)

• Feature - Added support for enumerating regions for Aws::S3Files.

1.1235.0 (2026-04-06)

• Feature - Updated the partitions source data the determines the AWS service regions and endpoints.

1.1234.0 (2026-04-02)

• Feature - Updated the partitions source data the determines the AWS service regions and endpoints.

Commits

• See full diff in compare view

Updates aws-sdk-core from 3.244.0 to 3.246.0

Changelog

Sourced from aws-sdk-core's changelog.

3.246.0 (2026-04-23)

• Feature - Updated configuration values for defaults_mode.

3.245.0 (2026-04-17)

• Feature - Updated Aws::STS::Client with the latest API changes.

• Feature - The STS client now supports configuring SigV4a through the auth scheme preference setting. SigV4a uses asymmetric cryptography, enabling customers using long-term IAM credentials to continue making STS API calls even when a region is isolated from the partition leader.

• Issue - Explicitly set 0600 permissions on SSO/login cache files.

Commits

• See full diff in compare view

Updates aws-sdk-kms from 1.123.0 to 1.124.0

Changelog

Sourced from aws-sdk-kms's changelog.

1.124.0 (2026-04-27)

• Feature - KMS GetKeyLastUsage API provides information on the last successful cryptographic operation performed on KMS keys. This new API provides KMS customers with the last timestamp, CloudTrail eventId, and the cryptographic operation that was performed on the key.

Commits

• See full diff in compare view

Updates bigdecimal from 4.1.0 to 4.1.2

Release notes

Sourced from bigdecimal's releases.

v4.1.2

What's Changed

• Optimize BigDecimal#to_s by @​byroot in ruby/bigdecimal#519
• Fix calloc-transposed-args warning by @​nobu in ruby/bigdecimal#520
• Use '0'+n for converting single digit to char by @​tompng in ruby/bigdecimal#521
• Revert "Add a workaround for slow BigDecimal#to_f when it has large N_significant_digits" by @​tompng in ruby/bigdecimal#522
• BigMath.exp overflow/underflow check by @​tompng in ruby/bigdecimal#523
• Fix unary minus on unsigned type warning by @​tompng in ruby/bigdecimal#525
• Update dtoa to version from Ruby 4.0 by @​jhawthorn in ruby/bigdecimal#528
• Bump version to v4.1.2 by @​tompng in ruby/bigdecimal#529

New Contributors

• @​jhawthorn made their first contribution in ruby/bigdecimal#528

Full Changelog: ruby/bigdecimal@v4.1.1...v4.1.2

v4.1.1

What's Changed

• Define test as the default rake task by @​byroot in ruby/bigdecimal#509
• Add changelog for 4.1.0. by @​simi in ruby/bigdecimal#508
• Make BigDecimal object embedded by @​byroot in ruby/bigdecimal#507
• Remove unused minitest from Gemfile by @​byroot in ruby/bigdecimal#510
• Multiplication with 8-decdig batch by @​tompng in ruby/bigdecimal#501
• Increase VpMult batch size by @​tompng in ruby/bigdecimal#511
• Update to cover change in Bundler by @​brandonzylstra in ruby/bigdecimal#512
• tiny grammar fix in README.md by @​brandonzylstra in ruby/bigdecimal#513
• Add a workaround for slow BigDecimal#to_f when it has large N_significant_digits by @​tompng in ruby/bigdecimal#514
• Bump version to v4.1.1 by @​tompng in ruby/bigdecimal#516

New Contributors

• @​byroot made their first contribution in ruby/bigdecimal#509
• @​simi made their first contribution in ruby/bigdecimal#508
• @​brandonzylstra made their first contribution in ruby/bigdecimal#512

Full Changelog: ruby/bigdecimal@v4.1.0...v4.1.1

Changelog

Sourced from bigdecimal's changelog.

4.1.2

• Fix dtoa Ractor-safety bug. Update dtoa to version from Ruby 4.0 GH-528

  @​jhawthorn

• Optimize BigDecimal#to_s GH-519

  @​byroot

4.1.1

• Make BigDecimal object embedded GH-507

  @​byroot

• Multiplication with 16-decdig batch GH-501 GH-511

  @​tompng

Commits

• 9160561 Bump version to v4.1.2 (#529)
• 8050ec7 Update dtoa to version from Ruby 4.0 (#528)
• f8a02b2 Merge pull request #526 from ruby/dependabot/github_actions/step-security/har...
• ac9a5cd Bump step-security/harden-runner from 2.16.1 to 2.17.0
• 6b51b99 Fix unary minus on unsigned type warning (#525)
• 50b80b1 BigMath.exp overflow/underflow check (#523)
• fc54487 Revert "Add a workaround for slow BigDecimal#to_f when it has large N_signifi...
• 72937b7 Use '0'+n for converting single digit to char (#521)
• 8ac1498 Merge pull request #517 from ruby/dependabot/github_actions/rubygems/release-...
• 3c89db5 Merge pull request #518 from ruby/dependabot/github_actions/step-security/har...
• Additional commits viewable in compare view

Updates io-event from 1.14.5 to 1.15.1

Release notes

Sourced from io-event's releases.

v1.15.1

No release notes provided.

v1.15.0

• Add bounds checks, in the unlikely event of a user providing an invalid offset that exceeds the buffer size. This prevents potential memory corruption and ensures safe operation when using buffered IO methods.

Changelog

Sourced from io-event's changelog.

Releases

v1.15.0

• Add bounds checks, in the unlikely event of a user providing an invalid offset that exceeds the buffer size. This prevents potential memory corruption and ensures safe operation when using buffered IO methods.

v1.14.4

• Allow epoll_pwait2 to be disabled via --disable-epoll_pwait2.

v1.14.3

• Fix several implementation bugs that could cause deadlocks on blocking writes.

v1.14.0

Enhanced IO::Event::PriorityHeap with deletion and bulk insertion methods

The {ruby IO::Event::PriorityHeap} now supports efficient element removal and bulk insertion:

• delete(element): Remove a specific element from the heap in O(n) time
• delete_if(&block): Remove elements matching a condition with O(n) amortized bulk deletion
• concat(elements): Add multiple elements efficiently in O(n) time

heap = IO::Event::PriorityHeap.new
Efficient bulk insertion - O(n) instead of O(n log n)
heap.concat([5, 2, 8, 1, 9, 3])
Remove specific element
removed = heap.delete(5)  # Returns 5, heap maintains order
Bulk removal with condition
count = heap.delete_if{|x| x.even?}  # Removes 2, 8 efficiently

The delete_if and concat methods are particularly efficient for bulk operations, using bottom-up heapification to maintain the heap property in O(n) time. This provides significant performance improvements:

• Bulk insertion: O(n log n) → O(n) for adding multiple elements
• Bulk deletion: O(k×n) → O(n) for removing k elements

Both methods maintain the heap invariant and include comprehensive test coverage with edge case validation.

v1.11.2

• Fix Windows build.

... (truncated)

Commits

• ccd0953 Bump patch version.
• 41f2033 Fix error handling - oops.
• fed29b7 Update copyrights.
• 5c20637 Bump minor version.
• 94d41f7 Clarify behavior of IO_Event_Selector_loop_yield to prevent self-transfer in ...
• 7313f0a Fix handling of closed IO objects in IO::Event::Selector::Select. (#165)
• aa47301 Add bounds check for offset.
• See full diff in compare view

Updates json from 2.19.3 to 2.19.4

Release notes

Sourced from json's releases.

v2.19.4

What's Changed

• Fix parsing of out of range floats (very large exponents that lead to either 0.0 or Inf).

Full Changelog: ruby/json@v2.19.2...v2.19.4

Changelog

Sourced from json's changelog.

2026-04-19 (2.19.4)

• Fix parsing of out of range floats (very large exponents that lead to either 0.0 or Inf).

Commits

• 6688a81 Release 2.19.4
• f1e6163 Fix references to NAN and INFINITY in documentation comments
• 18d5475 Reduce warnings
• 1072482 Fix parsing of negative out of bound floats.
• 20454ba Fix handling out of of range exponent in numbers
• 0e99fcb Fix json generation for symbols on TruffleRuby
• ac0670b Keep Integer#to_json optimized and adapt the test
• 35db859 Avoid extra String#+@ calls, interpolated strings are already mutable
• d0b47b0 Avoid method redefinition warnings in test_broken_bignum
• e871d07 test_broken_bignum: avoid fork and subprocess for robustness
• Additional commits viewable in compare view

Updates mime-types-data from 3.2026.0331 to 3.2026.0414

Changelog

Sourced from mime-types-data's changelog.

3.2026.0414 / 2026-04-14

• Updated registry entries from the IANA [media registry][registry] and [provisional media registry][provisional] and the [Apache Tika media registry][tika] as of the release date.

3.2026.0407 / 2026-04-07

• Updated registry entries from the IANA [media registry][registry] and [provisional media registry][provisional] and the [Apache Tika media registry][tika] as of the release date.

Commits

• d237ee4 Update mime-types-data 3.2026.0414 / 2026-04-14
• cdd6e72 Update mime-types-data 3.2026.0407 / 2026-04-07
• 1bcba11 deps: bump the actions group with 2 updates
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions