Update json requirement from 2.19.1 to 2.19.2

[dependabot]

Updates the requirements on json to permit the latest version.

Release notes

Sourced from json's releases.

v2.19.2

What's Changed

• Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: ruby/json@v2.19.1...v2.19.2

Changelog

Sourced from json's changelog.

2026-03-18 (2.19.2)

• Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210.

2026-03-08 (2.19.1)

• Fix a compiler dependent GC bug introduced in 2.18.0.

2026-03-06 (2.19.0)

• Fix allow_blank parsing option to no longer allow invalid types (e.g. load([], allow_blank: true) now raise a type error).
• Add allow_invalid_escape parsing option to ignore backslashes that aren't followed by one of the valid escape characters.

2026-02-03 (2.18.1)

• Fix a potential crash in very specific circumstance if GC triggers during a call to to_json without first invoking a user defined #to_json method.

2025-12-11 (2.18.0)

• Add :allow_control_characters parser options, to allow JSON strings containing unescaped ASCII control characters (e.g. newlines).

2026-03-18 (2.17.1.2) - Security Backport

• Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210.

2025-12-04 (2.17.1)

• Fix a regression in parsing of unicode surogate pairs (\uXX\uXX) that could cause an invalid string to be returned.

2025-12-03 (2.17.0)

• Improve JSON.load and JSON.unsafe_load to allow passing options as second argument.
• Fix the parser to no longer ignore invalid escapes in strings. Only \", \\, \b, \f, \n, \r, \t and \u are valid JSON escapes.
• Fixed JSON::Coder to use the depth it was initialized with.
• On TruffleRuby, fix the generator to not call to_json on the return value of as_json for Float::NAN.
• Fixed handling of state.depth: when to_json changes state.depth but does not restore it, it is reset automatically to its initial value. In particular, when a NestingError is raised, depth is no longer equal to max_nesting after the call to generate, and is reset to its initial value. Similarly when to_json raises an exception.

2025-11-07 (2.16.0)

• Deprecate JSON::State#[] and JSON::State#[]=. Consider using JSON::Coder instead.
• JSON::Coder now also yields to the block when encountering strings with invalid encoding.
• Fix GeneratorError messages to be UTF-8 encoded.
• Fix memory leak when Exception is raised, or throw is used during JSON generation.
• Optimized floating point number parsing by integrating the ryu algorithm (thanks to Josef Šimánek).
• Optimized numbers parsing using SWAR (thanks to Scott Myron).

... (truncated)

Commits

• 54f8a87 Release 2.19.2
• 393b41c Fix a format string injection vulnerability
• dbf6bb1 Merge pull request #953 from ruby/dependabot/github_actions/actions/create-gi...
• 7187315 Bump actions/create-github-app-token from 2 to 3
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)