Bump the "all" group with 2 updates across multiple ecosystems

[dependabot]

Bumps the all group with 4 updates: json, prism, rack and uri.

Updates json from 2.15.0 to 2.15.1

Release notes

Sourced from json's releases.

v2.15.1

What's Changed

• Fix incorrect escaping in the JRuby extension when encoding shared strings.

Full Changelog: ruby/json@v2.15.0...v2.15.1

Changelog

Sourced from json's changelog.

2025-10-07 (2.15.1)

• Fix incorrect escaping in the JRuby extension when encoding shared strings.

Commits

• 9e6067b Release 2.15.1
• 1e19097 Add a workflow to sync commits to ruby/ruby (#872)
• 1b1647f Update changelog
• eec466d Merge pull request #871 from tompng/fix_sliced_string_escape
• d7baf01 Fix sliced string escaping
• d867e39 Run jruby-head on Windows
• ec85851 Fix a typo in the changelog
• See full diff in compare view

Updates prism from 1.5.1 to 1.5.2

Release notes

Sourced from prism's releases.

v1.5.2

Changed

• Fix character literal forced encoding when a unicode escape sequence is used.
• Reject 1 if foo = bar baz.
• Clear static literal flag on interpolated strings.
• Reject optional argument/endless method definition ambiguity.

Changelog

Sourced from prism's changelog.

[1.5.2] - 2025-10-09

Changed

• Fix character literal forced encoding when a unicode escape sequence is used.
• Reject 1 if foo = bar baz.
• Clear static literal flag on interpolated strings.
• Reject optional argument/endless method definition ambiguity.

Commits

• 5446f7b Merge pull request #3675 from ruby/bump-version
• 7574837 Bump to v
• 022d6d0 Merge pull request #3674 from Earlopain/endless-method-no-parens
• e1910d4 For these special cases, there exists no optional argument type. Since a endl...
• c89ca2a sync-ruby.yml: Fix the target push branch
• c0f3ea7 Add a workflow to sync commits to ruby/ruby (#3673)
• 3070615 Merge pull request #3672 from ruby/dependabot/bundler/gemfiles/typecheck/ruby...
• 5e2a3af Merge pull request #3671 from ruby/dependabot/maven/java-wasm/java-deps-7d48a...
• f6befc3 Bump sorbet
• bde0629 Bump the java-deps group in /java-wasm with 4 updates
• Additional commits viewable in compare view

Updates rack from 3.2.1 to 3.2.3

Changelog

Sourced from rack's changelog.

Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

Unreleased

Security

• CVE-2025-61780 Improper handling of headers in Rack::Sendfile may allow proxy bypass.
• CVE-2025-61919 Unbounded read in Rack::Request form parsing can lead to memory exhaustion.

SPEC Changes

• Define rack.response_finished callback arguments more strictly. (#2365, @​skipkayhil)

Added

• Add Rack::Files#assign_headers to allow overriding how the configured file headers are set. (#2377, @​codergeek121)
• Add support for rack.response_finished to Rack::TempfileReaper. (#2363, @​skipkayhil)
• Add support for streaming bodies when using Rack::Events. (#2375, @​unflxw)

Changed

• Raise before exceeding a part limit, not after. (#2362, @​matthew-puku)
• Rack::Deflater now uses a fixed GZip mtime value. (#2372, @​bensheldon)

[3.2.2] - 2025-10-07

Security

• CVE-2025-61772 Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
• CVE-2025-61771 Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
• CVE-2025-61770 Unbounded multipart preamble buffering enables DoS (memory exhaustion)

Commits

• 32bf888 Bump patch version.
• e179614 Unbounded read in Rack::Request form parsing can lead to memory exhaustion.
• 57277b7 Improper handling of proxy headers in Rack::Sendfile may allow proxy bypass.
• 403b74b Normalize adivsories links.
• fb395bb Fix handling of Errno::EPIPE in multipart tests.
• bce149b Bump patch version.
• 3beacfc Limit amount of retained data when parsing multipart requests
• 589127f Fix denial of service vulnerbilties in multipart parsing
• See full diff in compare view

Updates uri from 1.0.3 to 1.0.4

Release notes

Sourced from uri's releases.

v1.0.4

Security fixes

• CVE-2025-61594

---

Full Changelog: ruby/uri@v1.0.3...v1.0.4

Commits

• e507473 Bump up to v1.0.4
• d3116ca Merge branch 'CVE-2025-61594-3-4' into HEAD
• 6c6449e Add authority accessor
• 5cec76b Clear user info totally at setting any of authority info
• See full diff in compare view

Bumps the all group with 2 updates: ruby/setup-ruby and pnpm/action-setup.

Updates ruby/setup-ruby from 1.263.0 to 1.265.0

Release notes

Sourced from ruby/setup-ruby's releases.

v1.265.0

What's Changed

• Update CRuby releases on Windows by @​ruby-builder-bot in ruby/setup-ruby#817

Full Changelog: ruby/setup-ruby@v1.264.0...v1.265.0

v1.264.0

What's Changed

• Add ruby-3.4.7 by @​ruby-builder-bot in ruby/setup-ruby#815

Full Changelog: ruby/setup-ruby@v1.263.0...v1.264.0

Commits

• ab177d4 Update CRuby releases on Windows
• 6797dcb Add ruby-3.4.7
• a16e0e6 Test on macos-15-intel too
• See full diff in compare view

Updates pnpm/action-setup from 4.1.0 to 4.2.0

Release notes

Sourced from pnpm/action-setup's releases.

v4.2.0

When there's a .npmrc file at the root of the repository, pnpm will be fetched from the registry that is specified in that .npmrc file #179

Commits

• 41ff726 feat: support installation from custom NPM registry (#179)
• f2b2b23 Remove --frozen-lockfile from examples (#171)
• 77504a5 Fix multiline run_install example in README.md (#167)
• d648c2d fix: not allow install multiple package manager (#161)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions