Bump the minor-and-patch group across 1 directory with 6 updates #2652

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/bundler/minor-and-patch-30e0b8bb00

dependabot[bot] commented on behalf of github Jun 22, 2026

Bumps the minor-and-patch group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| state_machines | 0.101.0 | 0.201.0 |
| google-protobuf | 4.35.0 | 4.35.1 |
| graphql | 2.6.3 | 2.6.4 |
| nokogiri | 1.19.3 | 1.19.4 |
| sorbet-static | 0.6.13286 | 0.6.13309 |

Updates state_machines from 0.101.0 to 0.201.0

Release notes

Sourced from state_machines's releases.

state_machines: v0.201.0

0.201.0 (2026-06-12)

Bug Fixes

  • complete nested attribute event transitions in the same action cycle (6295cc0)

state_machines: v0.200.0

0.200.0 (2026-06-11)

Features

  • consolidate duplicated internal logic (c1507a0)
  • consolidate duplicated internal logic (20c2408)
Changelog

Sourced from state_machines's changelog.

0.201.0 (2026-06-12)

Bug Fixes

  • complete nested attribute event transitions in the same action cycle (6295cc0)

0.200.0 (2026-06-11)

Features

  • consolidate duplicated internal logic (c1507a0)
  • consolidate duplicated internal logic (20c2408)
Commits
  • 881c5ec chore(master): release state_machines 0.201.0 (#170)
  • 6295cc0 fix: complete nested attribute event transitions in the same action cycle
  • 684056d chore: update COSS version to 0.200.0
  • 1b61d97 chore(master): release state_machines 0.200.0 (#168)
  • c1507a0 Merge pull request #167 from state-machines/chore/cleanup
  • 343da12 docs: move method documentation into machine modules
  • 20c2408 feat: consolidate duplicated internal logic
  • 12eb5bc chore: update COSS version to 0.101.0
  • See full diff in compare view

Updates google-protobuf from 4.35.0 to 4.35.1

Commits

Updates graphql from 2.6.3 to 2.6.4

Changelog

Sourced from graphql's changelog.

2.6.4 (22 Jun 2026)

Bug fixes

  • AsyncDataloader: rework to avoid deadlocks with Falcon #5479
  • Execution::Next: fix tracer arguments #5650
Commits
  • 10e4d50 2.6.4
  • 31281b4 Merge pull request #5479 from rmosolgo/async-dataloader-deadlock-fix
  • 1de64d5 Update AsyncDataloader spec and snapshots
  • db2b435 Rename fiber variables
  • 6fe7c4f Clean up FiberCounting test helper
  • ffa4a98 Add Async fiber limit implementation
  • b426e8e Merge pull request #5651 from rmosolgo/fix-action-cable-tests
  • 049c931 Fix ActionCable test for Rails head
  • ff6e4a0 Merge pull request #5650 from rmosolgo/exec-next-fix-trace-args
  • 3939526 Update snapshots
  • Additional commits viewable in compare view

Updates nokogiri from 1.19.3 to 1.19.4

Release notes

Sourced from nokogiri's releases.

v1.19.4 / 2026-06-18

Security

  • [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
  • [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
  • [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
  • [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.
Changelog

Sourced from nokogiri's changelog.

v1.19.4 / 2026-06-18

Security

  • [CRuby] (Low) Fixed a possible invalid memory read when XML::Node#initialize_copy_with_args is called with an argument that is not a Node. See GHSA-g9g8-vgvw-g3vf for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when an XML::XPathContext is used after its source document has been garbage collected. See GHSA-p67v-3w7g-wjg7 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free during XInclude processing via Node#do_xinclude. See GHSA-wfpw-mmfh-qq69 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#root= is assigned a non-element node. See GHSA-wjv4-x9w8-wm3h for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when setting an attribute value via XML::Attr#value= or #content=. See GHSA-phwj-rprq-35pp for more information.
  • [CRuby] (Low) Fixed a null pointer dereference when methods are called on uninitialized wrapper objects (e.g. via allocate); these now raise instead of crashing the process. See GHSA-9cv2-cfxc-v4v2 for more information.
  • [CRuby] (Low) Fixed a possible use-after-free when Document#encoding= raises an exception. See GHSA-5v8h-3h3q-446p for more information.
  • [CRuby] (Medium) Fixed an out-of-bounds read in XML::NodeSet#[] (alias #slice) when given a large negative index. See GHSA-5prr-v3j2-97mh for more information.
  • [JRuby] (Low) XML::Schema now enforces the NONET parse option, which Nokogiri enables by default. It was not enforced on JRuby, so a schema parsed with default options could still fetch external resources over the network, potentially enabling SSRF or XXE attacks and bypassing the mitigation for CVE-2020-26247. See GHSA-8678-w3jw-xfc2 for more information.
Commits
  • 8cfb9da version bump to v1.19.4
  • a856d1e fix: JRuby NONET bypass in XML::Schema (v1.19.x) (#3639)
  • 6a0aa1e fix(CRuby): use-after-free in Document#encoding= when setter raises (v1.19.x)...
  • f658a54 fix: JRuby NONET bypass in XML::Schema
  • 39d26fe fix(CRuby): use-after-free in Document#encoding= when setter raises
  • 04a09dd fix(CRuby): out-of-bounds read in NodeSet#[] with large negative index (v1.19...
  • 7799fbd fix: avoid NPE on uninitialized XML::Node structs (v1.19.x) (#3645)
  • ef19e13 fix(CRuby): avoid UAF in XML::Attr#value= (v1.19.x) (#3644)
  • 5524fa9 fix: Document#root= rejects non-element nodes (v1.19.x) (#3643)
  • 9891ad1 fix(CRuby): use-after-free in XPathContext document lifetime (v1.19.x) (#3641)
  • Additional commits viewable in compare view

Updates sorbet-static from 0.6.13286 to 0.6.13309

Release notes

Sourced from sorbet-static's releases.

sorbet 0.6.13308.20260617130608-d4d97a753

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13308', :group => :development
gem 'sorbet-runtime', '0.6.13308'

sorbet 0.6.13307.20260617130542-ce366d871

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13307', :group => :development
gem 'sorbet-runtime', '0.6.13307'

sorbet 0.6.13306.20260617071119-68187f348

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13306', :group => :development
gem 'sorbet-runtime', '0.6.13306'

sorbet 0.6.13305.20260616174559-b460a043c

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13305', :group => :development
gem 'sorbet-runtime', '0.6.13305'

sorbet 0.6.13304.20260616194356-fbb64fbab

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13304', :group => :development
gem 'sorbet-runtime', '0.6.13304'

sorbet 0.6.13303.20260616194306-f733d716e

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13303', :group => :development
gem 'sorbet-runtime', '0.6.13303'

sorbet 0.6.13302.20260616141144-e7bd36db6

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13302', :group => :development
gem 'sorbet-runtime', '0.6.13302'

sorbet 0.6.13301.20260616125925-db227de64

... (truncated)

Commits

Updates sorbet-static-and-runtime from 0.6.13286 to 0.6.13309

Release notes

Sourced from sorbet-static-and-runtime's releases.

sorbet 0.6.13308.20260617130608-d4d97a753

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13308', :group => :development
gem 'sorbet-runtime', '0.6.13308'

sorbet 0.6.13307.20260617130542-ce366d871

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13307', :group => :development
gem 'sorbet-runtime', '0.6.13307'

sorbet 0.6.13306.20260617071119-68187f348

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13306', :group => :development
gem 'sorbet-runtime', '0.6.13306'

sorbet 0.6.13305.20260616174559-b460a043c

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13305', :group => :development
gem 'sorbet-runtime', '0.6.13305'

sorbet 0.6.13304.20260616194356-fbb64fbab

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13304', :group => :development
gem 'sorbet-runtime', '0.6.13304'

sorbet 0.6.13303.20260616194306-f733d716e

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13303', :group => :development
gem 'sorbet-runtime', '0.6.13303'

sorbet 0.6.13302.20260616141144-e7bd36db6

To use Sorbet add this line to your Gemfile:

gem 'sorbet', '0.6.13302', :group => :development
gem 'sorbet-runtime', '0.6.13302'

sorbet 0.6.13301.20260616125925-db227de64

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Bumps the minor-and-patch group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [state_machines](https://github.com/state-machines/state_machines) | `0.101.0` | `0.201.0` |
| [google-protobuf](https://github.com/protocolbuffers/protobuf) | `4.35.0` | `4.35.1` |
| [graphql](https://github.com/rmosolgo/graphql-ruby) | `2.6.3` | `2.6.4` |
| [nokogiri](https://github.com/sparklemotion/nokogiri) | `1.19.3` | `1.19.4` |
| [sorbet-static](https://github.com/sorbet/sorbet) | `0.6.13286` | `0.6.13309` |



Updates `state_machines` from 0.101.0 to 0.201.0
- [Release notes](https://github.com/state-machines/state_machines/releases)
- [Changelog](https://github.com/state-machines/state_machines/blob/master/CHANGELOG.md)
- [Commits](state-machines/state_machines@state_machines/v0.101.0...state_machines/v0.201.0)

Updates `google-protobuf` from 4.35.0 to 4.35.1
- [Release notes](https://github.com/protocolbuffers/protobuf/releases)
- [Commits](https://github.com/protocolbuffers/protobuf/commits)

Updates `graphql` from 2.6.3 to 2.6.4
- [Release notes](https://github.com/rmosolgo/graphql-ruby/releases)
- [Changelog](https://github.com/rmosolgo/graphql-ruby/blob/master/CHANGELOG.md)
- [Commits](rmosolgo/graphql-ruby@v2.6.3...v2.6.4)

Updates `nokogiri` from 1.19.3 to 1.19.4
- [Release notes](https://github.com/sparklemotion/nokogiri/releases)
- [Changelog](https://github.com/sparklemotion/nokogiri/blob/main/CHANGELOG.md)
- [Commits](sparklemotion/nokogiri@v1.19.3...v1.19.4)

Updates `sorbet-static` from 0.6.13286 to 0.6.13309
- [Release notes](https://github.com/sorbet/sorbet/releases)
- [Commits](https://github.com/sorbet/sorbet/commits)

Updates `sorbet-static-and-runtime` from 0.6.13286 to 0.6.13309
- [Release notes](https://github.com/sorbet/sorbet/releases)
- [Commits](https://github.com/sorbet/sorbet/commits)

---
updated-dependencies:
- dependency-name: state_machines
  dependency-version: 0.201.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-and-patch
- dependency-name: google-protobuf
  dependency-version: 4.35.1
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: graphql
  dependency-version: 2.6.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: nokogiri
  dependency-version: 1.19.4
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: sorbet-static
  dependency-version: 0.6.13309
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
- dependency-name: sorbet-static-and-runtime
  dependency-version: 0.6.13309
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the dependencies (Pull requests that update a dependency file) and ruby (Pull requests that update Ruby code) labels Jun 22, 2026
dependabot[bot] requested a review from a team as a code owner June 22, 2026 21:45