
[9.4] deps(stdlib): bump erb from 2.2.3 to 4.0.4.1 to resolve CVE-2026-41316#9387

Merged
headius merged 1 commit into jruby:jruby-9.4 from chadlwilson:bump-erb on Apr 22, 2026

Conversation

@chadlwilson (Contributor) commented Apr 21, 2026

2.2.3 is EOL from the CRuby perspective, so they will not backport the fix to a maintained gem (I asked).

This thus deviates from the CRuby 3.1 stdlib version and bumps to 4.0.4.1 (as bundled with Ruby 3.4.x, maintained at https://github.com/ruby/erb/tree/ruby-3.4).

This still has Ruby 2.7 compatibility and the two relevant "breaking" changes seem innocuous: https://github.com/ruby/erb/blob/ruby-3.4/NEWS.md (Drop deprecated -S option from command / Bump required-ruby_version to Ruby 2.7+)

My only open question with this is whether the gem extension stub introduced in erb 4.0.x is a problem, since this did not exist with 2.2.3. Is something like #9289 needed for 9.4 - even though it's not there currently?

@chadlwilson chadlwilson changed the title from "deps(stdlib): bump erb from 2.2.3 to 4.0.4.1 to resolve CVE-2026-41316" to "[9.4] deps(stdlib): bump erb from 2.2.3 to 4.0.4.1 to resolve CVE-2026-41316" Apr 21, 2026
@chadlwilson chadlwilson changed the base branch from master to jruby-9.4 April 21, 2026 15:21
@chadlwilson chadlwilson marked this pull request as ready for review April 21, 2026 16:56
2.2.3 is EOL from the CRuby perspective, so they will not backport the security fix to a maintained gem (I [asked](ruby/erb#114 (comment))).

This thus deviates from the CRuby 3.1 stdlib version and bumps to 4.0.4.1 (as bundled with Ruby 3.4.x, maintained at https://github.com/ruby/erb/tree/ruby-3.4).

This still has Ruby 2.7 compatibility and the two relevant "breaking" changes seem innocuous: https://github.com/ruby/erb/blob/ruby-3.4/NEWS.md (Drop deprecated -S option from command / Bump `required-ruby_version` to Ruby 2.7+)

Signed-off-by: Chad Wilson <29788154+chadlwilson@users.noreply.github.com>
@headius headius merged commit 1808fc4 into jruby:jruby-9.4 Apr 22, 2026
97 of 98 checks passed
@headius headius added this to the JRuby 9.4.15.0 milestone Apr 22, 2026
@chadlwilson chadlwilson deleted the bump-erb branch April 22, 2026 08:34
@chadlwilson (Contributor, Author) commented:

Is the extensions thing OK @headius? 2.2.3 didn't have an extension (or the java stub).
