json 2.19.2-java → 2.19.4-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5a4f27aa9482c82e62e9256e9071b4ddf0582f82bfe3749e5b557bf659cccd12
-  data.tar.gz: a0da3a6444b623c1b39f5941f4e53617aee051a4c11864a4b54abe08d068e890
+  metadata.gz: a6ba9ad6b206d6d9a14e7e98407f38a7e2f86c55d32005a88272401812407a89
+  data.tar.gz: 1b16463800eb3a27a9aaac47f2ea52a26755f678044eb34b4f90604583a88e6d
 SHA512:
-  metadata.gz: c1c4e2ad183f7e83483183858e671989ba5b0f4daac4231d358455230895571eaa8976e2b0ef548eb2997bfef27e6d7b385ebfe43801ea3be6486ad16bd5adc5
-  data.tar.gz: afef5d0028b23018c36e33ccead023cd990a7394e41ca4f5aa5e6c0a9f7839725a20f2bd1d137fbb08bcaec2456c7d9c79dd47b89cad386748068261c0b6e2e1
+  metadata.gz: 45a3edef6c8531203af73973e0341dc23e8914f04e67c34cc65f72528748e328b39e06027ad9f5758b85a4a101e2a0101d2e4891850c0da7b585d4b2576c68bb
+  data.tar.gz: c02bcc65e769bf9dd495226b00eceff36c178aa19559b4857599f1167b9924bf89c4b3b7c0810c8f76aca6ba22be10fa9100ba40c2f2d37bdd628556717512a7

data/CHANGES.md

@@ -2,9 +2,17 @@
 
 ### Unreleased
 
-### 2026-03-08 (2.19.2)
+### 2026-04-19 (2.19.4)
 
-* Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`.
+* Fix parsing of out of range floats (very large exponents that lead ot either `0.0` or `Inf`).
+
+### 2026-03-25 (2.19.3)
+
+* Fix handling of unescaped control characters preceeded by a backslash.
+
+### 2026-03-18 (2.19.2)
+
+* Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`. `CVE-2026-33210`.
 
 ### 2026-03-08 (2.19.1)
 
@@ -24,6 +32,10 @@
 
 * Add `:allow_control_characters` parser options, to allow JSON strings containing unescaped ASCII control characters (e.g. newlines).
 
+### 2026-03-18 (2.17.1.2) - Security Backport
+
+* Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`. `CVE-2026-33210`.
+
 ### 2025-12-04 (2.17.1)
 
 * Fix a regression in parsing of unicode surogate pairs (`\uXX\uXX`) that could cause an invalid string to be returned.
@@ -50,6 +62,10 @@
 * Optimized numbers parsing using SWAR (thanks to Scott Myron).
 * Optimized parsing of pretty printed documents using SWAR (thanks to Scott Myron).
 
+### 2026-03-18 (2.15.2.1) - Security Backport
+
+* Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`. `CVE-2026-33210`.
+
 ### 2025-10-25 (2.15.2)
 
 * Fix `JSON::Coder` to have one dedicated depth counter per invocation.

data/lib/json/truffle_ruby/generator.rb

@@ -48,7 +48,7 @@ module JSON
       SCRIPT_SAFE_ESCAPE_PATTERN = /[\/"\\\x0-\x1f\u2028-\u2029]/
 
       def self.native_type?(value) # :nodoc:
-        (false == value || true == value || nil == value || String === value || Array === value || Hash === value || Integer === value || Float === value || Fragment === value)
+        (false == value || true == value || nil == value || String === value || Symbol === value || Array === value || Hash === value || Integer === value || Float === value || Fragment === value)
       end
 
       def self.native_key?(key) # :nodoc:
@@ -517,11 +517,11 @@ module JSON
 
             if empty?
               state.depth -= 1
-              return '{}'
+              return +'{}'
             end
 
             delim = ",#{state.object_nl}"
-            result = +"{#{state.object_nl}"
+            result = "{#{state.object_nl}"
             first = true
             key_type = nil
             indent = !state.object_nl.empty?
@@ -558,7 +558,7 @@ module JSON
                 raise TypeError, "#{key.class}#to_s returns an instance of #{key_str.class}, expected a String"
               end
 
-              result = +"#{result}#{key_json}#{state.space_before}:#{state.space}"
+              result = "#{result}#{key_json}#{state.space_before}:#{state.space}"
               if state.strict? && !Generator.native_type?(value)
                 if state.as_json
                   value = state.as_json.call(value, false)
@@ -609,7 +609,7 @@ module JSON
 
             if empty?
               state.depth -= 1
-              return '[]'
+              return +'[]'
             end
 
             result = '['.dup
@@ -734,17 +734,17 @@ module JSON
 
         module TrueClass
           # Returns a JSON string for true: 'true'.
-          def to_json(*) 'true' end
+          def to_json(*) +'true' end
         end
 
         module FalseClass
           # Returns a JSON string for false: 'false'.
-          def to_json(*) 'false' end
+          def to_json(*) +'false' end
         end
 
         module NilClass
           # Returns a JSON string for nil: 'null'.
-          def to_json(*) 'null' end
+          def to_json(*) +'null' end
         end
       end
     end

data/lib/json/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JSON
-  VERSION = '2.19.2'
+  VERSION = '2.19.4'
 end

data/lib/json.rb

@@ -335,8 +335,8 @@ require 'json/common'
 #   JSON.generate(JSON::MinusInfinity)
 #
 # Allow:
-#   ruby = [Float::NaN, Float::Infinity, Float::MinusInfinity]
-#   JSON.generate(ruby, allow_nan: true) # => '[NaN,Infinity,-Infinity]'
+#   ruby = [Float::NAN, Float::INFINITY, JSON::NaN, JSON::Infinity, JSON::MinusInfinity]
+#   JSON.generate(ruby, allow_nan: true) # => '[NaN,Infinity,NaN,Infinity,-Infinity]'
 #
 # ---
 #

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: json
 version: !ruby/object:Gem::Version
-  version: 2.19.2
+  version: 2.19.4
 platform: java
 authors:
 - Daniel Luz
 bindir: bin
 cert_chain: []
-date: 2026-03-18 00:00:00.000000000 Z
+date: 2026-04-18 00:00:00.000000000 Z
 dependencies: []
 description: A JSON implementation as a JRuby extension.
 email: dev+ruby@mernen.com