Update json requirement from 2.19.5 to 2.19.7

[dependabot]

Updates the requirements on json to permit the latest version.

Release notes

Sourced from json's releases.

v2.19.7

What's Changed

• Fix some more edge cases with out of range floats.
• Ensure the string provided to JSON.parse can't be mutated during parsing.
• Add missing write barriers in State#dup.
• Further validate generator depth config.

Full Changelog: ruby/json@v2.19.6...v2.19.7

Changelog

Sourced from json's changelog.

2026-05-28 (2.19.7)

• Fix some more edge cases with out of range floats.
• Ensure the string provided to JSON.parse can't be mutated during parsing.
• Add missing write barriers in State#dup.
• Further validate generator depth config.

2026-05-28 (2.19.6)

• Cleanly handle overly large depth generator argument.
• Add missing write barrier in ParserConfig.

2026-05-04 (2.19.5)

• Cap the parser to emit a maximum of 5 deprecation warnings per document. Emitting more is not helpful.

2026-04-19 (2.19.4)

• Fix parsing of out of range floats (very large exponents that lead to either 0.0 or Inf).

2026-03-25 (2.19.3)

• Fix handling of unescaped control characters preceeded by a backslash.

2026-03-18 (2.19.2)

• Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210.

2026-03-08 (2.19.1)

• Fix a compiler dependent GC bug introduced in 2.18.0.

2026-03-06 (2.19.0)

• Fix allow_blank parsing option to no longer allow invalid types (e.g. load([], allow_blank: true) now raise a type error).
• Add allow_invalid_escape parsing option to ignore backslashes that aren't followed by one of the valid escape characters.

2026-02-03 (2.18.1)

• Fix a potential crash in very specific circumstance if GC triggers during a call to to_json without first invoking a user defined #to_json method.

2025-12-11 (2.18.0)

• Add :allow_control_characters parser options, to allow JSON strings containing unescaped ASCII control characters (e.g. newlines).

2026-03-18 (2.17.1.2) - Security Backport

• Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210.

... (truncated)

Commits

• ab6c8f2 Release 2.19.7
• f033b9d Fix some more edge cases with out of range floats
• 5ca8a67 parser.c: Ensure the user provided string can't be mutated
• dba1d88 generator.c: trigger write barriers in cState_init_copy
• e8800cb Further validate generator depth config
• 1e276eb Release 2.19.6
• 9696622 Add ruby-asan to CI
• d644602 generator.c: Handle stupidly large depth
• ab6972d Add missing write barrier in ParserConfig
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)