What's Changed

• Fix some more edge cases with out of range floats.
• Ensure the string provided to JSON.parse can't be mutated during parsing.
• Add missing write barriers in State#dup.
• Further validate generator depth config.

Full Changelog: v2.19.6...v2.19.7

What's Changed

• Cleanly handle overly large depth generator argument.
• Add missing write barrier in ParserConfig.

Full Changelog: v2.19.5...v2.19.6

What's Changed

• Cap the parser to emit a maximum of 5 deprecation warnings per document. Emitting more is not helpful.

Full Changelog: v2.19.4...v2.19.5

What's Changed

• Fix parsing of out of range floats (very large exponents that lead to either 0.0 or Inf).

Full Changelog: v2.19.2...v2.19.4

• Fix handling of unescaped control characters preceeded by a backslash.

Full Changelog: v2.19.2...v2.19.3

What's Changed

• Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: v2.19.1...v2.19.2

• Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: v2.17.1...v2.17.1.2

• Fix a format string injection vulnerability in JSON.parse(doc, allow_duplicate_key: false). CVE-2026-33210

Full Changelog: v2.15.2...v2.15.2.1

What's Changed

• Fix a compiler dependent GC bug introduced in 2.18.0.

Full Changelog: v2.19.0...v2.19.1

What's Changed

• Fix allow_blank parsing option to no longer allow invalid types (e.g. load([], allow_blank: true) now raise a type error).
• Add allow_invalid_escape parsing option to ignore backslashes that aren't followed by one of the valid escape characters.

Full Changelog: v2.18.1...v2.19.0