Bump gixy-ng from 0.2.47 to 0.2.49

[dependabot]

Bumps gixy-ng from 0.2.47 to 0.2.49.

Release notes

Sourced from gixy-ng's releases.

v0.2.49

Added — nginx 1.30.3 stable / 1.31.2 mainline CVEs (2026-06-17)

• nginx_cves — CVE-2026-42530 — use-after-free in ngx_http_v3_module. Affects nginx mainline 1.31.0..1.31.1 only when HTTP/3 / QUIC is enabled (listen … quic or http3 on); stable 1.30.x was never exposed. Mitigation: upgrade to 1.31.2. Advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-42530, F5: https://my.f5.com/manage/s/article/K000161616.
• nginx_cves — CVE-2026-42055 — buffer overflow in ngx_http_proxy_v2_module / ngx_http_grpc_module. Affects nginx OSS 1.13.10..1.31.1 when grpc_pass is configured or upstream HTTP/2 proxying is enabled (proxy_http_version 2.0). Mitigation: upgrade to 1.30.3 (stable) or 1.31.2 (mainline). Advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-42055, F5: https://my.f5.com/manage/s/article/K000161584.
• nginx_cves — CVE-2026-48142 — buffer overread in ngx_http_charset_module. Affects nginx OSS 0.3.50..1.31.1 when a non-off charset directive is configured. Mitigation: upgrade to 1.30.3 (stable) or 1.31.2 (mainline). Advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-48142, F5: https://my.f5.com/manage/s/article/K000161585.

False-positive guarantee asserted by explicit per-CVE unit tests: nginx 1.30.3 and 1.31.2 with every trigger present (http3 on, grpc_pass, proxy_http_version 2.0, charset utf-8) surface none of these IDs.

v0.2.48

Fixed

• Circular include directives no longer crash the parser (#113, fixed in #115). nginx configs with an include cycle — most commonly a file in /etc/nginx/conf.d/ whose body says include /etc/nginx/conf.d/*.conf; (the glob matches the including file itself), or A↔B mutual includes — used to send NginxParser into unbounded recursion. On Python 3.11+ with enough stack budget that surfaced as RecursionError; on others the cycle silently inflated the parsed tree with hundreds of duplicated directives. The parser now tracks the canonical path of every file currently being parsed and skips any include that re-enters one already on the stack, emitting a single Skipping circular include: … WARNING per cycle. Applies to both filesystem includes and nginx -T dump-mode includes.

Full changelog: https://github.com/dvershinin/gixy/blob/master/CHANGELOG.md

Changelog

Sourced from gixy-ng's changelog.

[0.2.49] - 2026-06-18

Added

• nginx_cves: New entry CVE-2026-42530 — use-after-free in ngx_http_v3_module. Affects nginx mainline 1.31.0..1.31.1 only when HTTP/3 / QUIC is enabled (listen … quic or http3 on); stable 1.30.x was never exposed. Mitigation: upgrade to 1.31.2. Advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-42530, F5: https://my.f5.com/manage/s/article/K000161616.
• nginx_cves: New entry CVE-2026-42055 — buffer overflow in ngx_http_proxy_v2_module / ngx_http_grpc_module. Affects nginx OSS 1.13.10..1.31.1 when grpc_pass is configured or upstream HTTP/2 proxying is enabled (proxy_http_version 2.0). Mitigation: upgrade to 1.30.3 (stable) or 1.31.2 (mainline). Advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-42055, F5: https://my.f5.com/manage/s/article/K000161584.
• nginx_cves: New entry CVE-2026-48142 — buffer overread in ngx_http_charset_module. Affects nginx OSS 0.3.50..1.31.1 when a non-off charset directive is configured. Mitigation: upgrade to 1.30.3 (stable) or 1.31.2 (mainline). Advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-48142, F5: https://my.f5.com/manage/s/article/K000161585.

[0.2.48] - 2026-06-04

Fixed

• Circular include directives no longer crash the parser: nginx configs that contained a cycle (e.g. a file in /etc/nginx/conf.d/ whose body says include /etc/nginx/conf.d/*.conf; — the glob matches the including file itself, or A→B→A across files) sent gixy/parser/nginx_parser.py into unbounded recursion. On environments with enough stack budget that surfaced as RecursionError: maximum recursion depth exceeded (#113); on others the cycle silently inflated the parsed tree with hundreds of duplicated directives. NginxParser now tracks the canonical path of every file currently being parsed and skips any include that re-enters one already on the stack, emitting a single Skipping circular include: … WARNING per cycle. Applies to both filesystem includes and nginx -T dump-mode includes.

Commits

• 30b4d20 release: v0.2.49 — add CVE-2026-42530, -42055, -48142 (#116)
• bbfce3f release: v0.2.48
• 9b226ef fix(parser): break circular include cycles with active-include guard (#113) (...
• d7b277f docs(index): mirror README install layout — Homebrew & AUR as their own subse...
• 0516ece Merge pull request #114 from chrisfinazzo/patch-2
• 478dac6 docs(readme): document AUR install (gixy-ng) for Arch Linux
• 1850440 docs(readme): document Homebrew install (gixy now in homebrew-core)
• ca40dae Update index.md
• 8d1d4d1 Add Continuous Monitoring section + page; cross-promote Amplify; wire 4 orpha...
• 14daa29 test(nginx_cves): support multi-issue simply fixtures, restore rift coverage
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)