From 9faafc698383182d392a1568efd1138482d35c92 Mon Sep 17 00:00:00 2001
From: Josh Nichols
Date: Wed, 17 Jun 2026 12:21:40 -0400
Subject: [PATCH] chore(deps): bump nokogiri to 1.19.3 to fix GHSA-353f-x4gh-cqq8

Nokogiri < 1.18.9 ships a vendored libxml2 with two 9.1-critical CVEs (use-after-free + memory corruption) plus three lower-severity ones. Bump the transitive dependency above the patched 1.18.9 floor; conservative update resolved to the latest 1.19.3 across all locked platforms.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 Gemfile.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 4751a98..c18b607 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -69,17 +69,17 @@ GEM
 mcp (0.1.0)
 json_rpc_handler (~> 0.1)
 minitest (5.25.5)
- nokogiri (1.18.7-aarch64-linux-gnu)
+ nokogiri (1.19.3-aarch64-linux-gnu)
 racc (~> 1.4)
- nokogiri (1.18.7-aarch64-linux-musl)
+ nokogiri (1.19.3-aarch64-linux-musl)
 racc (~> 1.4)
- nokogiri (1.18.7-arm64-darwin)
+ nokogiri (1.19.3-arm64-darwin)
 racc (~> 1.4)
- nokogiri (1.18.7-x86_64-darwin)
+ nokogiri (1.19.3-x86_64-darwin)
 racc (~> 1.4)
- nokogiri (1.18.7-x86_64-linux-gnu)
+ nokogiri (1.19.3-x86_64-linux-gnu)
 racc (~> 1.4)
- nokogiri (1.18.7-x86_64-linux-musl)
+ nokogiri (1.19.3-x86_64-linux-musl)
 racc (~> 1.4)
 packwerk (3.2.2)
 activesupport (>= 6.0)