Skip to content

[ruby] Update Gem Dependencies#104

Merged
hayat01sh1da merged 1 commit into
masterfrom
hayat01h1da/ruby/update-gem-dependencies
Jun 18, 2026
Merged

[ruby] Update Gem Dependencies#104
hayat01sh1da merged 1 commit into
masterfrom
hayat01h1da/ruby/update-gem-dependencies

Conversation

@hayat01sh1da

@hayat01sh1da hayat01sh1da commented Jun 18, 2026

Copy link
Copy Markdown
Owner

1. concurrent-ruby: 1.3.6 → 1.3.7

Release date: 16 June 2026 · Release notes · Compare v1.3.6...v1.3.7 (14 commits)

This is primarily a security / thread-safety bug-fix release (three Low-severity CVEs).

1-1. Security fixes

  • CVE-2026-54904AtomicReference#update: Fixed an infinite retry loop / livelock that occurred when the stored value is Float::NAN.
  • CVE-2026-5490ReentrantReadWriteLock: Fixed a read hold-count overflow that spilled into the write-lock bit after 32,768 reentrant reads.
  • CVE-2026-54906ReadWriteLock: Fixed two issues:
    • Any thread could release a write lock held by another thread, breaking write exclusivity.
    • An unconditional decrement on read release dropped the counter to -1, blocking all subsequent lock acquisitions.

1-2. Infrastructure / other

  • Built concurrent-ruby-ext correctly on Darwin 32-bit systems (#1064).
  • Added SECURITY.md documentation (#1104).
  • Added Ruby 4.0 to the CI test matrix (#1106).
  • Bumped GitHub Actions (deploy-pages v4→v5, upload-pages-artifact v4→v5).
  • Adjusted test timing to reduce transient failures in ReentrantReadWriteLock specs.

Contributors: @eregon, @joshuay03, @barracuda156 (first contribution).

Maintainers recommend updating for the security patches, though real-world impact is considered unlikely.

2. Bottom line

  • concurrent-ruby 1.3.7 is a security patch (three Low-severity CVEs in AtomicReference / ReadWriteLock / ReentrantReadWriteLock) plus CI/platform housekeeping — safe, recommended bump.
  • i18n 1.15.1 adds Fiber-aware storage and thread-safe lazy loading (with a v1.15.1 fix on top), improves transliteration, and raises the minimum Ruby to 3.2 — verify the project runs on Ruby 3.2+ before merging.

@hayat01sh1da hayat01sh1da self-assigned this Jun 18, 2026

@hayat01sh1da hayat01sh1da left a comment

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@hayat01sh1da hayat01sh1da merged commit 562b61c into master Jun 18, 2026
9 checks passed
@hayat01sh1da hayat01sh1da deleted the hayat01h1da/ruby/update-gem-dependencies branch June 18, 2026 02:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant