Releases · ruby/json · GitHub

25 Mar 11:04

byroot

v2.19.3 Latest

Latest

Fix handling of unescaped control characters preceeded by a backslash.

Full Changelog: v2.19.2...v2.19.3

Assets 2

18 Mar 17:28

byroot

v2.19.2

What's Changed

Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: v2.19.1...v2.19.2

Assets 2

18 Mar 17:46

byroot

v2.17.1.2

Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: v2.17.1...v2.17.1.2

Assets 2

18 Mar 17:49

byroot

v2.15.2.1

Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: v2.15.2...v2.15.2.1

Assets 2

08 Mar 09:16

byroot

v2.19.1

What's Changed

Fix a compiler dependent GC bug introduced in 2.18.0.

Full Changelog: v2.19.0...v2.19.1

Assets 2

06 Mar 08:14

byroot

v2.19.0

What's Changed

Fix allow_blank parsing option to no longer allow invalid types (e.g. load([], allow_blank: true) now raise a type error).
Add allow_invalid_escape parsing option to ignore backslashes that aren't followed by one of the valid escape characters.

Full Changelog: v2.18.1...v2.19.0

Assets 2

03 Feb 07:48

byroot

v2.18.1

What's Changed

Fix a potential crash in very specific circumstance if GC triggers during a call to to_json
without first invoking a user defined #to_json method.

Full Changelog: v2.18.0...v2.18.1

Assets 2

11 Dec 11:04

byroot

v2.18.0

What's Changed

Add :allow_control_characters parser options, to allow JSON strings containing unescaped ASCII control characters (e.g. newlines).

Full Changelog: v2.17.1...v2.18.0

Assets 2

11 Dec 11:04

byroot

v2.17.1

What's Changed

Fix a regression in parsing of unicode surogate pairs (\uXX\uXX) that could cause an invalid string to be returned.

Full Changelog: v2.17.0...v2.17.1

Assets 2

03 Dec 15:25

byroot

v2.17.0

What's Changed

Improve JSON.load and JSON.unsafe_load to allow passing options as second argument.
Fix the parser to no longer ignore invalid escapes in strings.
Only \", \\, \b, \f, \n, \r, \t and \u are valid JSON escapes.
Fixed JSON::Coder to use the depth it was initialized with.
On TruffleRuby, fix the generator to not call to_json on the return value of as_json for Float::NAN.
Fixed handling of state.depth: when to_json changes state.depth but does not restore it, it is reset
automatically to its initial value.
In particular, when a NestingError is raised, depth is no longer equal to max_nesting after the call to
generate, and is reset to its initial value. Similarly when to_json raises an exception.

Full Changelog: v2.16.0...v2.17.0

Assets 2