
Bump the bundler group across 1 directory with 5 updates #1

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/bundler/bundler-fe472a72e5

Conversation

@dependabot dependabot bot commented on behalf of github Oct 28, 2025

Bumps the bundler group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| rake | 10.3.2 | 12.3.3 |
| asciidoctor | 1.5.0 | 1.5.8 |
| json | 1.8.1 | 2.3.0 |
| rubyzip | 1.1.6 | 1.3.0 |
| yajl-ruby | 1.1.0 | 1.4.3 |

Updates rake from 10.3.2 to 12.3.3

Changelog

Sourced from rake's changelog.

=== 12.3.3

==== Bug fixes

  • Use the application's name in error message if a task is not found. Pull Request #303 by tmatilai

==== Enhancements:

  • Use File.open explicitly.

=== 12.3.2

==== Bug fixes

  • Fixed test fails caused by 2.6 warnings. Pull Request #297 by hsbt

==== Enhancements:

  • Rdoc improvements. Pull Request #293 by colby-swandale
  • Improve multitask performance. Pull Request #273 by jsm
  • Add alias prereqs. Pull Request #268 by take-cheeze

=== 12.3.1

==== Bug fixes

  • Support did_you_mean >= v1.2.0 which has a breaking change on formatters. Pull request #262 by FUJI Goro.

==== Enhancements:

  • Don't run task if it depends on already invoked but failed task. Pull request #252 by Gonzalo Rodriguez.
  • Make space trimming consistent for all task arguments. Pull request #259 by Gonzalo Rodriguez.
  • Removes duplicated inclusion of Rake::DSL in tests. Pull request #254 by Gonzalo Rodriguez.
  • Re-raise a LoadError that didn't come from require in the test loader. Pull request #250 by Dylan Thacker-Smith.

=== 12.3.0

==== Compatibility Changes

  • Bump required_ruby_version to Ruby 2.0.0. Rake has already

... (truncated)

Commits
  • 5c87c46 Bump version to 12.3.3.
  • 5b8f8fc Use File.open explicitly.
  • 6497ba4 Merge pull request #317 from ruby/ignore-gitignore
  • be62efb Removed gitignore from gemspec files.
  • 1c22b49 Merge pull request #309 from RDIL/patch-1
  • 496944a Remove deprecated travis ci option
  • 489c7d8 Merge pull request #307 from ruby/azure-pipelines
  • 77eb6d8 Only enabled macOS environment
  • 72ffa2e use realpath
  • 7744872 Do not specify ruby version of macOS
  • Additional commits viewable in compare view

Updates asciidoctor from 1.5.0 to 1.5.8

Release notes

Sourced from asciidoctor's releases.

v1.5.8

Summary

This release was made possible by support from our Change Maker sponsor, Okta.

According to the release notes for 1.5.7, there wasn't supposed to be another release in the 1.5.x line. However, due to scheduling conflicts, the 2.0.0 release got pushed back. So this semi-major release was cut to get us back on track.

This release consists of over 50 enhancements and fixes that accumulated in the meantime, as well as a response to a CVE and several updates needed for Asciidoctor.js. Although unintentional, this release also includes a 10% boost in performance.

A huge thanks to @zelivans for throwing curveballs at the processor and uncovering numerous hard-to-catch bugs, including one which became CVE-2018-18385. Fixes for all those issues have been included in this release.

The most significant change in this release is that unordered and ordered lists can be nested to any depth. Also related to lists, it's now possible to specify auto-numbered callout numbers using <.>. And guard comments in front of callouts are preserved if font-based icons are not enabled. You can now set a starting line number for numbered source blocks when using Pygments or CodeRay for source highlighting in HTML or when converting to DocBook. Attribute references in the target of a custom block macro or the attrlist of an include directive are now replaced automatically. If the part-signifier and/or chapter-signifier attributes are set, the values of these attributes are prepended to the part and chapter title, respectively.

If you're using the API, there are several nice enhancements as well. It's now possible to short-circuit the AbstractBlock#find_by method once a match is found or you want to abort the search. The authors of the document can be retrieved neatly as an array. The imagesdir that was set at the location of an image is now recorded on the image node as well as in the catalog.

Thanks to @jwehmschulte for translating the README into German, to @mogztter for syncing the French translation, @jonasbjork for adding Swedish translations for the built-in attributes, @BojanStipic for updating the Serbian translations for the built-in attributes, and @stoeps13 for improving the Windows installation instructions. Also thanks to @junaruga for replacing the deprecated thread_safe gem integration with concurrent-ruby.

Following this release, the master branch will transition to 2.0.0 and semantic versioning (really, this time). Work will continue on the new documentation site for Asciidoctor that's based on Antora.

Distributions

Asciidoctor is also packaged for Fedora, Debian, Ubuntu, Alpine Linux, OpenSUSE, and Homebrew. Please use the system's package manager to install the package named asciidoctor.

Release meta

Released on: 2018-10-28
Released by: @mojavelinux
Release beer: Trappistes Rochefort 10

Logs: resolved issues | full diff

Credits

This release cycle welcomed in our first Change Maker sponsor, Okta. We want to thank Okta and our other generous sponsors, without whose support Asciidoctor would not be possible. Thank you to all our sponsors for your dedication to improving the state of technical documentation!

Thanks to the following people who contributed to this release:

@zelivans, @mogztter, @graphitefriction, @jwehmschulte, @jonasbjork, @junaruga, @owenh000, @BojanStipic, @aerostitch, @ds26gte, @diguage, @kikijiki, @ztmr, @gilgamaze, @ecki, @sometimesfood, @mperktold, @ilvetz, @pdmayoSFI, and @stoeps13.

A very special thanks to all our awesome supporters on BountySource (Salt) and OpenCollective. Their support provided critical funding for the development of this release and the ongoing development of the project.

You can support this project by becoming a sponsor on OpenCollective. For those still contributing via BountySource, we kindly ask that you switch your donations over to OpenCollective because it's a nicer system and better aligns with our values.

Changelog

Enhancements

  • if set, add value of part-signifier and chapter-signifier attributes to part and chapter titles (#2738)

... (truncated)

Changelog

Sourced from asciidoctor's changelog.

== 1.5.8 (2018-10-28) - @mojavelinux

Enhancements::

  • if set, add value of part-signifier and chapter-signifier attributes to part and chapter titles (#2738)
  • allow position (float) and alignment (align) to be set on video block (#2425)
  • substitute attribute references in attrlist of include directive (#2761)
  • add Document#set_header_attribute method for adding method directly to document header during parsing (#2820)
  • add helper method to extension processor classes to create lists and list items
  • allow ordered and unordered lists to be nested to an arbitrary / unlimited depth (#2854)
  • add prefer DSL method to extension registry and document processor to flag extension as preferred (#2848)
  • allow manname and manpurpose to be set using document attributes; don't look for NAME section in this case (#2810)
  • substitute attribute references in target of custom block macro (honoring attribute-missing setting) (#2839)
  • interpret <.> as an auto-numbered callout in verbatim blocks and callout lists (#2871)
  • require marker for items in callout list to have circumfix brackets (e.g., <1> instead of 1>) (#2871)
  • preserve comment guard in front of callout number in verbatim block if icons is not enabled (#1360)
  • add more conventional styles to quote block when it has the excerpt role (#2092)
  • colspecs can be separated by semi-colon instead of comma (#2798)
  • change AbstractBlock#find_by to respond to StopIteration exception; stop traversal after matching ID (#2900)
  • change AbstractBlock#find_by to honor return values :skip and :skip_children from filter block to skip node and its descendants or just its descendants, respectively (#2067)
  • add API to retrieve authors as array; use API in converters (#1042) (@mogztter)
  • add support for start attribute on source block to set starting line number when converting to DocBook (#2915)
  • track imagesdir for image on node and in catalog (#2779)
  • allow starting line number to be set using start attribute when highlighting source block with Pygments or CodeRay (#1742)
  • add intrinsic attribute named pp that effectively resolves to ++ (#2807)
  • upgrade highlight.js to 9.13.1

Bug Fixes::

  • don't hang on description list item that begins with /// (#2888)
  • don't crash when using AsciiDoc table cell style on column in CSV table (#2817)
  • show friendly error if CSV data for table contains unclosed quote (#2878) (@zelivans)
  • don't crash when attribute entry continuation is used on last line of file (#2880) (@zelivans)
  • treat empty/missing value of named block attribute followed by other attributes (e.g., caption=,cols=2*) as empty string
  • AbstractNode#set_option does nothing if option is already set (PR #2778)
  • allow revnumber to be an attribute reference in revision info line (#2785)
  • use ::File.open instead of ::IO.binread in Reader for Asciidoctor.js compatibility
  • add fallback for timezone when setting doctime
  • preserve UNC path that begins with a double backslash (Windows) (#2869)
  • fix formatting of quote block (indentation) in manpage output (#2792)
  • catalog inline anchors in ordered list items (#2812)
  • detect closing tag on last line with no trailing newline (#2830)
  • process !name@ attribute syntax properly; follow-up to #642
  • change document extension processor DSL methods to return registered extension instance instead of array of instances
  • use fallback value for manname-title to prevent crash in manpage converter
  • consolidate inner whitespace in prose in manpage output (#2890)
  • only apply subs to node attribute value if enclosed in single quotes (#2905)
  • don't hide URI scheme if target of link macro is a bare URI scheme
  • fix crash when child section of part is out of sequence and section numbering is enabled (#2931)
  • fix crash when restoring passthroughs if passthrough role is enclosed in single quotes (#2882, #2883)

... (truncated)

Commits
  • d7aeb75 Release 1.5.8
  • f7fcb9b cache document attributes in Parser.parse_header_metadata
  • bfa01fa resolves #669 allow authorinitials for single author to be overridden (PR #2943)
  • edf971a resolves #1706 configure nested pre in pre.wrap to inherit [skip ci]
  • c6be3d4 resolves #1639 generate manpage even if input is non-conforming or malformed ...
  • 4f89c4d upgrade linked version of highlight.js to 9.13.1
  • 3d8f480 resolves #2769 report correct line number for inline anchor with id already i...
  • d5b9fb7 resolves #1742 add support for starting line number on source block (PR #2941)
  • 8997c37 resolves #2779 track imagesdir on image node and in catalog (PR #2897)
  • 845322c resolves #2738 use part-signifier and chapter-signifier, if set (PR #2763)
  • Additional commits viewable in compare view

Updates json from 1.8.1 to 2.3.0

Release notes

Sourced from json's releases.

v2.3.0

What's Changed

New Contributors

Full Changelog: ruby/json@v2.2.0...v2.3.0

v2.2.0

What's Changed

New Contributors

Full Changelog: ruby/json@v2.1.0...v2.2.0

v2.1.0

What's Changed

New Contributors

... (truncated)

Changelog

Sourced from json's changelog.

2019-12-11 (2.3.0)

  • Fix default of create_additions to always be false for JSON(user_input) and JSON.parse(user_input, nil). Note that JSON.load remains with default true and is meant for internal serialization of trusted data. [CVE-2020-10663]
  • Fix passing args all #to_json in json/add/*.
  • Fix encoding issues
  • Fix issues of keyword vs positional parameter
  • Fix JSON::Parser against bigdecimal updates
  • Bug fixes to JRuby port

2019-02-21 (2.2.0)

  • Adds support for 2.6 BigDecimal and ruby standard library Set datatype.

2017-04-18 (2.1.0)

  • Allow passing of decimal_class option to specify a class as which to parse JSON float numbers.

2017-03-23 (2.0.4)

  • Raise exception for incomplete unicode surrogates/character escape sequences. This problem was reported by Daniel Gollahon (dgollahon).
  • Fix arbitrary heap exposure problem. This problem was reported by Ahmad Sherif (ahmadsherif).

2017-01-12 (2.0.3)

  • Set required_ruby_version to 1.9
  • Some small fixes

2016-07-26 (2.0.2)

  • Specify required_ruby_version for json_pure.
  • Fix issue #295 failure when parsing frozen strings.

2016-07-01 (2.0.1)

  • Fix problem when requiring json_pure and Parser constant was defined top level.
  • Add RB_GC_GUARD to avoid possible GC problem via Pete Johns.
  • Store current_nesting on stack by Aaron Patterson.

2015-09-11 (2.0.0)

  • Now complies to newest JSON RFC 7159.
  • Implements compatibility to ruby 2.4 integer unification.
  • Removed support for quirks_mode option.
  • Drops support for old rubies whose life has ended, that is rubies < 2.0. Also see https://www.ruby-lang.org/en/news/2014/07/01/eol-for-1-8-7-and-1-9-2/
  • There were still some mentions of dual GPL licensing in the source, but JSON has just the Ruby license that itself includes an explicit dual-licensing clause that allows covered software to be distributed under the terms of the Simplified BSD License instead for all ruby versions >= 1.9.3. This is however a GPL compatible license according to the Free Software Foundation. I changed these mentions to be consistent with the Ruby license setting in the gemspec files which were already correct now.

... (truncated)

Commits

Updates rubyzip from 1.1.6 to 1.3.0

Release notes

Sourced from rubyzip's releases.

v1.3.0

Security

  • Add validate_entry_sizes option so that callers can trust an entry's reported size when using extract #403
    • This option defaults to false for backward compatibility in this release, but you are strongly encouraged to set it to true. It will default to true in rubyzip 2.0.

New Feature

  • Add add_stored method to simplify adding entries without compression #366

Tooling / Documentation

  • Add more gem metadata links #402

v1.2.4

  • Do not rewrite zip files opened with open_buffer that have not changed #360

Tooling / Documentation

  • Update example_recursive.rb in README #397
  • Hold CI at trusty for now, automatically pick the latest ruby patch version, use rbx-4 and hold jruby at 9.1 #399

v1.2.3

  • Allow tilde in zip entry names #391 (fixes regression in 1.2.2 from #376)
  • Support frozen string literals in more files #390
  • Require pathname explicitly #388 (fixes regression in 1.2.2 from #376)

Tooling / Documentation:

  • CI updates #392, #394
    • Bump supported ruby versions and add 2.6
    • JRuby failures are no longer ignored (reverts #375 / part of #371)
  • Add changelog entry that was missing for last release #387
  • Comment cleanup #385

Since the GitHub release information for 1.2.2 is missing, I will also include it here:

1.2.2

NB: This release drops support for extracting symlinks, because there was no clear way to support this securely. See rubyzip/rubyzip#376 for details.

  • Fix CVE-2018-1000544 #376 / #371
  • Fix NoMethodError: undefined method `glob' #363
  • Fix handling of stored files (i.e. files not using compression) with general purpose bit 3 set #358
  • Fix close on StringIO-backed zip file #353
  • Add Zip.force_entry_names_encoding option #340
  • Update rubocop, apply auto-fixes, and fix regressions caused by said auto-fixes #332, #355
  • Save temporary files to temporary directory (rather than current directory) #325

Tooling / Documentation:

... (truncated)

Changelog

Sourced from rubyzip's changelog.

1.3.0 (2019-09-25)

Security

  • Add validate_entry_sizes option so that callers can trust an entry's reported size when using extract #403
    • This option defaults to false for backward compatibility in this release, but you are strongly encouraged to set it to true. It will default to true in rubyzip 2.0.

New Feature

  • Add add_stored method to simplify adding entries without compression #366

Tooling / Documentation

  • Add more gem metadata links #402

1.2.4 (2019-09-06)

  • Do not rewrite zip files opened with open_buffer that have not changed #360

Tooling / Documentation

  • Update example_recursive.rb in README #397
  • Hold CI at trusty for now, automatically pick the latest ruby patch version, use rbx-4 and hold jruby at 9.1 #399

1.2.3

  • Allow tilde in zip entry names #391 (fixes regression in 1.2.2 from #376)
  • Support frozen string literals in more files #390
  • Require pathname explicitly #388 (fixes regression in 1.2.2 from #376)

Tooling / Documentation:

  • CI updates #392, #394
    • Bump supported ruby versions and add 2.6
    • JRuby failures are no longer ignored (reverts #375 / part of #371)
  • Add changelog entry that was missing for last release #387
  • Comment cleanup #385

1.2.2

NB: This release drops support for extracting symlinks, because there was no clear way to support this securely. See rubyzip/rubyzip#376 for details.

  • Fix CVE-2018-1000544 #376 / #371
  • Fix NoMethodError: undefined method `glob' #363
  • Fix handling of stored files (i.e. files not using compression) with general purpose bit 3 set #358
  • Fix close on StringIO-backed zip file #353
  • Add Zip.force_entry_names_encoding option #340
  • Update rubocop, apply auto-fixes, and fix regressions caused by said auto-fixes #332, #355
  • Save temporary files to temporary directory (rather than current directory) #325

... (truncated)

Commits
  • e79d9ea Merge pull request #407 from rubyzip/v1-3-0
  • 7c65e1e Bump version to 1.3.0
  • d65fe7b Merge pull request #403 from rubyzip/check-size
  • 97cb6ae Warn when an entry size is invalid
  • 7849f73 Default validate_entry_sizes to false for 1.3 release
  • 4167f0c Validate entry sizes when extracting
  • 94b7fa2 [ci skip] Update changelog
  • 93505ca Check expected entry size in add_stored test
  • 6619bf3 Merge pull request #366 from hainesr/add-stored
  • ecb2776 Zip::File.add_stored() to add uncompressed files.
  • Additional commits viewable in compare view

Updates yajl-ruby from 1.1.0 to 1.4.3

Changelog

Sourced from yajl-ruby's changelog.

Changelog

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.
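As an added example, not part of this PR and not the json gem's own code: the create_additions behaviour that the json 2.3.0 changelog entry above (CVE-2020-10663) is about, shown against Ruby's bundled json library with a constructed class and a constructed input document. The class name AuditEvent, the input string and the helper names parse_untrusted, parse_trusted and additions_inert? are assumptions made for illustration.

```ruby
require 'json'

# A class that opts in to the json gem's "additions" protocol. When the parser runs
# with create_additions enabled and meets {"json_class":"AuditEvent", ...}, it calls
# AuditEvent.json_create(hash) instead of handing back a Hash. AuditEvent is a
# constructed example class, not something from the PR.
class AuditEvent
  attr_reader :actor, :action

  def initialize(actor, action)
    @actor = actor
    @action = action
  end

  # Hook the parser invokes for this class when additions are enabled.
  def self.json_create(h)
    new(h['actor'], h['action'])
  end

  # Emits the json_class marker so our own process can round-trip the object.
  def to_json(*args)
    { JSON.create_id => self.class.name, 'actor' => actor, 'action' => action }.to_json(*args)
  end
end

# Constructed sample: the kind of document an outside client might send. The
# json_class key is inert unless the parser is told to honour it.
UNTRUSTED_INPUT = '{"json_class":"AuditEvent","actor":"alice","action":"login"}'

# For input from outside the process: additions explicitly off (also the default
# that json 2.3.0 restored for JSON(user_input) and JSON.parse(user_input, nil)),
# so json_class is just another string field.
def parse_untrusted(text)
  JSON.parse(text, create_additions: false)
end

# What the same bytes turn into when additions are enabled. Appropriate only for
# data this process serialized itself; JSON.load keeps this as its default.
def parse_trusted(text)
  JSON.parse(text, create_additions: true)
end

# Quick check for tests around parsing code: the marker survived as plain data,
# so no class hook ran.
def additions_inert?(parsed)
  parsed.is_a?(Hash) && parsed.key?(JSON.create_id)
end

if __FILE__ == $PROGRAM_NAME
  safe = parse_untrusted(UNTRUSTED_INPUT)
  puts "untrusted parse -> #{safe.class}: #{safe.inspect}"
  obj = parse_trusted(UNTRUSTED_INPUT)
  puts "trusted parse   -> #{obj.class}: actor=#{obj.actor}"
end
```

The two helpers take identical bytes and differ only in the option, which is the whole point of the changelog entry: before 2.3.0, two call shapes silently behaved like parse_trusted. JSON.load still defaults create_additions to true, as the changelog notes, so it belongs only on data the process wrote itself; for anything arriving over a network or from a file, parse_untrusted is the shape to copy.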

Bumps the bundler group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [rake](https://github.com/ruby/rake) | `10.3.2` | `12.3.3` |
| [asciidoctor](https://github.com/asciidoctor/asciidoctor) | `1.5.0` | `1.5.8` |
| [json](https://github.com/ruby/json) | `1.8.1` | `2.3.0` |
| [rubyzip](https://github.com/rubyzip/rubyzip) | `1.1.6` | `1.3.0` |
| [yajl-ruby](https://github.com/brianmario/yajl-ruby) | `1.1.0` | `1.4.3` |



Updates `rake` from 10.3.2 to 12.3.3
- [Release notes](https://github.com/ruby/rake/releases)
- [Changelog](https://github.com/ruby/rake/blob/master/History.rdoc)
- [Commits](ruby/rake@v10.3.2...v12.3.3)

Updates `asciidoctor` from 1.5.0 to 1.5.8
- [Release notes](https://github.com/asciidoctor/asciidoctor/releases)
- [Changelog](https://github.com/asciidoctor/asciidoctor/blob/main/CHANGELOG.adoc)
- [Commits](asciidoctor/asciidoctor@v1.5.0...v1.5.8)

Updates `json` from 1.8.1 to 2.3.0
- [Release notes](https://github.com/ruby/json/releases)
- [Changelog](https://github.com/ruby/json/blob/master/CHANGES.md)
- [Commits](ruby/json@v1.8.1...v2.3.0)

Updates `rubyzip` from 1.1.6 to 1.3.0
- [Release notes](https://github.com/rubyzip/rubyzip/releases)
- [Changelog](https://github.com/rubyzip/rubyzip/blob/main/Changelog.md)
- [Commits](rubyzip/rubyzip@v1.1.6...v1.3.0)

Updates `yajl-ruby` from 1.1.0 to 1.4.3
- [Changelog](https://github.com/brianmario/yajl-ruby/blob/master/CHANGELOG.md)
- [Commits](https://github.com/brianmario/yajl-ruby/commits)

---
updated-dependencies:
- dependency-name: rake
  dependency-version: 12.3.3
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: asciidoctor
  dependency-version: 1.5.8
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: json
  dependency-version: 2.3.0
  dependency-type: direct:production
  dependency-group: bundler
- dependency-name: rubyzip
  dependency-version: 1.3.0
  dependency-type: indirect
  dependency-group: bundler
- dependency-name: yajl-ruby
  dependency-version: 1.4.3
  dependency-type: indirect
  dependency-group: bundler
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and ruby (Pull requests that update ruby code) labels Oct 28, 2025
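As an added example, not rubyzip's code and not from this PR: what the validate_entry_sizes option from the rubyzip 1.3.0 changelog above guards against, written against Ruby's standard library only. A minimal writer builds one deflated entry behind a ZIP local file header, and a minimal reader extracts it, refusing the entry when the inflated byte count disagrees with the header's uncompressed_size field. The entry names, contents and the deliberately wrong declared size are constructed; the reader parses only the local file header (no central directory), which is a simplification of the real format, and the function names build_entry, extract_entry and rejects_entry? are assumptions for illustration.

```ruby
require 'zlib'

# ZIP local file header (little-endian), 30 bytes before the name and extra field:
#   signature(4) version(2) flags(2) method(2) mtime(2) mdate(2) crc32(4)
#   compressed_size(4) uncompressed_size(4) name_len(2) extra_len(2)
LOCAL_HEADER_SIG = 0x04034b50
LOCAL_HEADER_FMT = 'VvvvvvVVVvv'
LOCAL_HEADER_LEN = 30
METHOD_STORED  = 0
METHOD_DEFLATE = 8

# Raw deflate (negative window bits = no zlib wrapper), as ZIP entries store it.
def raw_deflate(data)
  z = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  out = z.deflate(data, Zlib::FINISH)
  z.close
  out
end

def raw_inflate(payload)
  z = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = z.inflate(payload)
  z.close
  out
end

# Builds one deflated entry: local file header, name, compressed bytes.
# declared_size lets a test write a dishonest uncompressed_size field, which is
# exactly the lie an extractor that trusts header sizes would act on.
def build_entry(name, data, declared_size: data.bytesize)
  compressed = raw_deflate(data)
  header = [LOCAL_HEADER_SIG, 20, 0, METHOD_DEFLATE, 0, 0,
            Zlib.crc32(data), compressed.bytesize, declared_size,
            name.bytesize, 0].pack(LOCAL_HEADER_FMT)
  header + name.b + compressed
end

# Extracts the first entry. With validate_entry_sizes (mirroring the rubyzip 1.3.0
# option), the actual inflated length must equal the header's uncompressed_size or
# the entry is refused; without it, the caller gets however many bytes the stream
# really expands to, regardless of what the header claimed.
def extract_entry(bytes, validate_entry_sizes: true)
  sig, _ver, _flags, method, _time, _date, crc, csize, usize, nlen, xlen =
    bytes.unpack(LOCAL_HEADER_FMT)
  raise 'not a ZIP local file header' unless sig == LOCAL_HEADER_SIG

  name = bytes.byteslice(LOCAL_HEADER_LEN, nlen)
  payload = bytes.byteslice(LOCAL_HEADER_LEN + nlen + xlen, csize)
  data = method == METHOD_DEFLATE ? raw_inflate(payload) : payload

  if validate_entry_sizes && data.bytesize != usize
    raise "#{name}: header declares #{usize} bytes, entry inflated to #{data.bytesize}"
  end
  raise "#{name}: CRC-32 mismatch" unless Zlib.crc32(data) == crc
  [name, data]
end

# True when the size check, enabled, rejects the entry.
def rejects_entry?(bytes)
  extract_entry(bytes, validate_entry_sizes: true)
  false
rescue RuntimeError
  true
end

# Constructed samples: an honest entry and one whose header under-reports its size.
HONEST_ENTRY = build_entry('notes.txt', 'hello zip')
LYING_ENTRY  = build_entry('big.bin', 'A' * 100_000, declared_size: 16)

if __FILE__ == $PROGRAM_NAME
  puts extract_entry(HONEST_ENTRY).inspect
  puts "unchecked: #{extract_entry(LYING_ENTRY, validate_entry_sizes: false)[1].bytesize} bytes"
  puts "checked:   rejected=#{rejects_entry?(LYING_ENTRY)}"
end
```

The changelog's wording, "so that callers can trust an entry's reported size", is the operational point: code that preallocates buffers, enforces quotas or decides whether to extract at all based on the header field needs the library to verify that field, and in rubyzip 1.3.0 that verification is off unless the caller sets validate_entry_sizes to true.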

@llamapreview llamapreview bot left a comment


AI Code Review by LlamaPReview

🎯 TL;DR & Recommendation

Recommendation: Approve with suggestions

This PR updates multiple dependencies to newer versions, bringing security fixes and improvements, but introduces potential compatibility risks that require verification.

🌟 Strengths

  • Security enhancements in JSON and rubyzip gems address known vulnerabilities.
  • Updated dependencies include bug fixes and new features for improved reliability.

| Priority | File | Category | Impact Summary | Anchors |
| --- | --- | --- | --- | --- |
| P2 | Gemfile | Architecture | Potential breaking changes in AsciiDoc rendering | |
| P2 | Gemfile | Security | Security fix but may break JSON parsing | |
| P2 | Gemfile | Architecture | Requires Ruby 2.0+, compatibility risk | |
| P2 | Gemfile | Security | Security improvements in implicit dependencies | |
| P2 | Gemfile | Architecture | Compatibility issues with updated core | |

🔍 Notable Themes

  • Dependency version updates may introduce breaking changes requiring thorough testing of rendering and build processes.

⚠️ **Unanchored Suggestions (Manual Review Recommended)**

The following suggestions could not be precisely anchored to a specific line in the diff. This can happen if the code is outside the changed lines, has been significantly refactored, or if the suggestion is a general observation. Please review them carefully in the context of the full file.


📁 File: Gemfile

Speculative: Rubyzip 1.3.0 adds security-focused validate_entry_sizes option to prevent zip bomb attacks. Yajl-ruby update likely includes security patches and performance improvements. Both dependencies are transitively used by asciidoctor-pdf/epub3, so these updates improve the security posture of the documentation build pipeline.

✨ This review was generated by LlamaPReview Advanced, which is free for all open-source projects.

@@ -1,7 +1,7 @@
source 'https://rubygems.org'

gem 'rake'
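Review bot: `gem 'rake'` carries no version constraint, so the rake bump from 10.3.2 to 12.3.3 announced in this PR is not visible in this Gemfile line; it has to come from Gemfile.lock, which this diff view does not show. Before merging, confirm the lockfile resolves rake to 12.3.3, and check the CI Ruby version against the 2.0.0 floor that the rake 12.3.0 changelog entry above introduces.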

P2 | Confidence: Medium

Speculative: Major version bump from 1.5.0 to 1.5.8 could introduce breaking changes in AsciiDoc rendering. The changelog shows significant changes including API modifications (e.g., AbstractBlock#find_by behavior changes), new required syntax for callout markers (<1> instead of 1>), and modified block attribute processing. Since this is a documentation project (Pro Git 2nd Edition), these changes could affect rendering of complex AsciiDoc elements like callouts, tables, and nested lists.


gem 'rake'
gem 'asciidoctor', '1.5.0'
gem 'asciidoctor', '1.5.8'
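Review bot: the only Gemfile change is the exact asciidoctor pin moving from '1.5.0' to '1.5.8', a patch-series bump within 1.5.x rather than a major-version change; the 1.5.8 release notes quoted above say 2.0.0 follows it on master. Because the pin stays exact, a later 1.5.x security release (1.5.8 itself carries the CVE-2018-18385 fix) will not be picked up without another PR; if that is intended, keep it, otherwise a pessimistic constraint such as `'~> 1.5.8'` would let patch releases resolve. Either way, the pinned asciidoctor-pdf and asciidoctor-epub3 alpha versions referred to in the review comments should be exercised against 1.5.8 before merge.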

P2 | Confidence: Medium

Speculative: The JSON gem update includes a security fix for CVE-2020-10663, changing the default of create_additions to false for JSON(user_input) and JSON.parse(user_input, nil). This prevents potential remote code execution through deserialization of untrusted data. However, it also drops support for Ruby < 2.0 and removes quirks_mode option, which could break existing JSON parsing logic if the project relies on these features.

@@ -1,7 +1,7 @@
source 'https://rubygems.org'

P2 | Confidence: Medium

Speculative: Major version jump from 10.3.2 to 12.3.3 requires Ruby 2.0.0+ (per changelog). This could break compatibility if the project runs on older Ruby versions. Rake task definitions might be affected by internal API changes between major versions.

gem 'asciidoctor', '1.5.8'

gem 'json'
gem 'awesome_print'
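Review bot: `gem 'json'` has no version floor, so the CVE-2020-10663 fix (create_additions defaulting to false for JSON(user_input) and JSON.parse(user_input, nil), per the 2.3.0 changelog above) is guaranteed only by the Gemfile.lock resolution, which this view does not show. Adding `gem 'json', '>= 2.3.0'` would keep a later `bundle update` from resolving below the fixed release. The same caveat applies to the indirect rubyzip dependency: its 1.3.0 validate_entry_sizes option defaults to false and only takes effect when the calling code enables it.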

[Contextual Comment]
This comment refers to code near real line 9. Anchored to nearest_changed(7) line 7.


P2 | Confidence: Medium

Speculative: The asciidoctor core update to 1.5.8 might create compatibility issues with the pinned alpha versions of asciidoctor-pdf and asciidoctor-epub3. These extensions were likely tested with older asciidoctor versions and could break or produce different output with the updated core library, affecting PDF/EPUB generation for the book.
