json 2.19.3-java → 2.19.5-java

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5fec8bc8502145d86122eb567bc0c407361b9bb5296c4f3caf5907f0dca33196
-  data.tar.gz: 8cb5aeb3fa683e59a4848d9d099a0c1d7ac70f499598ee5bbd115c535239ba0b
+  metadata.gz: a5c0875e24e3fbcc06aa748f53ed8132ad48fcf60b093ac6ffd93dfa606539e2
+  data.tar.gz: 202ae17bdb2e833f54eea52e6036e8fd48049b24abaeace4abcc7e43bf8823bd
 SHA512:
-  metadata.gz: 4d2b97f5e9f2bc897806c2e25139fd4b67729aa2700998d647a4957bab134f0f8c7dea0284c730db9880fa68a33cb005590df9d4005bd6c578de589bcbca3dd2
-  data.tar.gz: 7867073f237c23efa15e7c3b0d969eba53589a2b9a7d001975e05792c4d4637ee8d706b551864ede269802f8fb29d64364390959a9872fa9f1273bd82b6fa741
+  metadata.gz: 3b02f028f351f4eb2c1374471e54342e297b3ddfa2fab34c64981cb396f70980cf54b99ab5eb21e7d3a8a3a324c5939742e1c8f53c81f97cd6ad3c635bf39ad5
+  data.tar.gz: 0ced6dc79b84789a7cf307512f0b580f9d885141eccc79934802f0cfc112f666d979dc093663b17f552b53ff5b6f93f6541d1de1306ad754a8ebd04ac6ac5547

data/CHANGES.md

@@ -2,13 +2,21 @@
 
 ### Unreleased
 
+### 2026-05-04 (2.19.5)
+
+* Cap the parser to emit a maximum of 5 deprecation warnings per document. Emitting more is not helpful.
+
+### 2026-04-19 (2.19.4)
+
+* Fix parsing of out of range floats (very large exponents that lead to either `0.0` or `Inf`).
+
 ### 2026-03-25 (2.19.3)
 
 * Fix handling of unescaped control characters preceeded by a backslash.
 
 ### 2026-03-18 (2.19.2)
 
-* Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`.
+* Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`. `CVE-2026-33210`.
 
 ### 2026-03-08 (2.19.1)
 
@@ -28,6 +36,10 @@
 
 * Add `:allow_control_characters` parser options, to allow JSON strings containing unescaped ASCII control characters (e.g. newlines).
 
+### 2026-03-18 (2.17.1.2) - Security Backport
+
+* Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`. `CVE-2026-33210`.
+
 ### 2025-12-04 (2.17.1)
 
 * Fix a regression in parsing of unicode surogate pairs (`\uXX\uXX`) that could cause an invalid string to be returned.
@@ -54,6 +66,10 @@
 * Optimized numbers parsing using SWAR (thanks to Scott Myron).
 * Optimized parsing of pretty printed documents using SWAR (thanks to Scott Myron).
 
+### 2026-03-18 (2.15.2.1) - Security Backport
+
+* Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`. `CVE-2026-33210`.
+
 ### 2025-10-25 (2.15.2)
 
 * Fix `JSON::Coder` to have one dedicated depth counter per invocation.

data/lib/json/truffle_ruby/generator.rb

@@ -48,7 +48,7 @@ module JSON
       SCRIPT_SAFE_ESCAPE_PATTERN = /[\/"\\\x0-\x1f\u2028-\u2029]/
 
       def self.native_type?(value) # :nodoc:
-        (false == value || true == value || nil == value || String === value || Array === value || Hash === value || Integer === value || Float === value || Fragment === value)
+        (false == value || true == value || nil == value || String === value || Symbol === value || Array === value || Hash === value || Integer === value || Float === value || Fragment === value)
       end
 
       def self.native_key?(key) # :nodoc:
@@ -517,11 +517,11 @@ module JSON
 
             if empty?
               state.depth -= 1
-              return '{}'
+              return +'{}'
             end
 
             delim = ",#{state.object_nl}"
-            result = +"{#{state.object_nl}"
+            result = "{#{state.object_nl}"
             first = true
             key_type = nil
             indent = !state.object_nl.empty?
@@ -558,7 +558,7 @@ module JSON
                 raise TypeError, "#{key.class}#to_s returns an instance of #{key_str.class}, expected a String"
               end
 
-              result = +"#{result}#{key_json}#{state.space_before}:#{state.space}"
+              result = "#{result}#{key_json}#{state.space_before}:#{state.space}"
               if state.strict? && !Generator.native_type?(value)
                 if state.as_json
                   value = state.as_json.call(value, false)
@@ -609,7 +609,7 @@ module JSON
 
             if empty?
               state.depth -= 1
-              return '[]'
+              return +'[]'
             end
 
             result = '['.dup
@@ -734,17 +734,17 @@ module JSON
 
         module TrueClass
           # Returns a JSON string for true: 'true'.
-          def to_json(*) 'true' end
+          def to_json(*) +'true' end
         end
 
         module FalseClass
           # Returns a JSON string for false: 'false'.
-          def to_json(*) 'false' end
+          def to_json(*) +'false' end
         end
 
         module NilClass
           # Returns a JSON string for nil: 'null'.
-          def to_json(*) 'null' end
+          def to_json(*) +'null' end
         end
       end
     end

data/lib/json/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JSON
-  VERSION = '2.19.3'
+  VERSION = '2.19.5'
 end

data/lib/json.rb

@@ -335,8 +335,8 @@ require 'json/common'
 #   JSON.generate(JSON::MinusInfinity)
 #
 # Allow:
-#   ruby = [Float::NaN, Float::Infinity, Float::MinusInfinity]
-#   JSON.generate(ruby, allow_nan: true) # => '[NaN,Infinity,-Infinity]'
+#   ruby = [Float::NAN, Float::INFINITY, JSON::NaN, JSON::Infinity, JSON::MinusInfinity]
+#   JSON.generate(ruby, allow_nan: true) # => '[NaN,Infinity,NaN,Infinity,-Infinity]'
 #
 # ---
 #

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: json
 version: !ruby/object:Gem::Version
-  version: 2.19.3
+  version: 2.19.5
 platform: java
 authors:
 - Daniel Luz
 bindir: bin
 cert_chain: []
-date: 2026-03-25 00:00:00.000000000 Z
+date: 2026-05-04 00:00:00.000000000 Z
 dependencies: []
 description: A JSON implementation as a JRuby extension.
 email: dev+ruby@mernen.com