An open index of dependabot pull requests across open source projects.

Bump nlohmann_json from 3.11.3 to 3.12.0.bcr.1

Open
Number: #6
Type: Pull Request
State: Open
Author: dependabot[bot] dependabot[bot]
Association: Unknown
Comments: 1
Created: March 04, 2026 at 12:51 AM UTC
(4 months ago)
Updated: May 26, 2026 at 11:38 PM UTC
(about 2 months ago)
Labels:
dependencies bazel
Description:

Bumps nlohmann_json from 3.11.3 to 3.12.0.bcr.1.

Release notes

Sourced from nlohmann_json's releases.

JSON for Modern C++ version 3.12.0

Release date: 2025-04-11 SHA-256: aaf127c04cb31c406e5b04a63f1ae89369fccde6d8fa7cdda1ed4f32dfc5de63 (json.hpp), b8cb0ef2dd7f57f18933997c9934bb1fa962594f701cd5a8d3c2c80541559372 (include.zip), 42f6e95cad6ec532fd372391373363b62a14af6d771056dbfc86160e6dfff7aa (json.tar.xz)

Summary

This release fixes some bugs found in the 3.11.3 release and adds some new features.

All changes are backward-compatible.

:moneybag: Note you can support this project via GitHub sponsors or PayPal.

Key updates and enhancements

  • Diagnostic byte positions: A new macro, JSON_DIAGNOSTIC_POSITIONS, introduces member functions to query the byte positions of values in the input they were parsed from. When enabled, this information is also included in exceptions to help pinpoint errors. #4517 #4455 #4570 #4569 #4572 #4571 #4579 #4585 #4561
  • Enhanced conversion macros: The conversion macros for arbitrary types now include several upgrades:
  • Support for std::optional: The library now supports conversions from/to std::optional types when compiled with C++17. #1749 #4036
  • Flexible string compatibility: Functions patch, diff, and flatten now work with arbitrary string types. #4536 #4134 #4613 #4019
  • Binary format enhancements:
    • The BJData mapping now supports draft 3, including optimized binary array types. #4513 #4588
    • The BSON mapping has added support for unsigned 64-bit integers. #4590 #4535 #3894
    • The get_number function used in the binary format implementations has been optimized to read multiple bytes at once. #4391
  • Multidimensional array conversion: Multidimensional C-style arrays can now be directly converted to JSON. #4262 #4248
  • Filesystem paths in UTF-8: The conversions from/to std::filesystem::path are now encoded to UTF-8 strings by default on all operating systems. #4271 #4631
  • CMake 4.0 support. By adjusting the CMake minimal version to 3.5, CMake 4.0 can be used without warning or error. #4709

Changes and fixes

Warnings

The quality assurance page gives an overview of the warning flags used during the tests.

Compiler warnings

... (truncated)

Changelog

Sourced from nlohmann_json's changelog.

Changelog

All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.

unreleased (2024-12-22)

Full Changelog

  • Impossible de read json file create with nlohmann::ordered_json::dump #4556
  • Error C2039 : 'json_sax_dom_callback_parser': is not a member of 'nlohmann::json_abi_v3_11_3::detail' #4529
  • json_fwd.hpp don't define default template arguments for ordered_map #4518
  • new repo version seems stop create any the ingress-nginx controller with opentelemetry-cpp.git #4515
  • Error converting to/from scoped enumerations #4499
  • Default initialized iterators are not comparable #4493
  • Bug json.exception.type_error.302 #4492
  • tests fail to build with clang-19 and libc++ due to unsupported std::char_traits #4490
  • Brace-Initialization Fails with json::parse and Key Access on Linux #4488
  • Crash when parsing nullptr #4485
  • Namespace macros are not respected in many instances #4484
  • ohos model to json string garbage characters #4481
  • Missing newlines in deserialized string #4479
  • Latest tag not available on NuGet #4478
  • Invalid union access for get_ref/get_ptr with unsigned integer #4475
  • /accesswallet #4469
  • struct reflect json with error C2440 #4467
  • Compiler error when using macro NLOHMANN_DEFINE_TYPE_NON_INTRUSIVE #4463
  • Issue when dumping a vector of derived classes #4462
  • whit std::wstring compile error #4460
  • Inconsisten operator[] #4458
  • json parse enclosing json object with [] #4457
  • [bug] nlohmann::json constructor behaves improperly #4450
  • parse OOM #4449
  • Library Cannot Parse JSON File It Wrote #4448
  • Unexpected Integer Conversion of JSON Values on ARM64 #4447
  • Structure declared in natvis file template doesn't seem to match current structure of basic_json<> #4438
  • A lot of EOT in json file #4436
  • CVE-2024-34062 #4429
  • CVE-2024-39689 #4428
  • CVE-2024-5569 #4427
  • CVE-2024-37891 #4426
  • Tornado vulnerabilities #4425
  • CVE-2024-35195 #4424
  • CVE-2024-22195, CVE-2024-34064 #4423
  • CVE-2024-3651 #4422
  • CVE-2024-22190 #4421
  • CVE-2024-39705 #4420
  • Failing to read complex Unicode string embedded in JSON #4417
  • Unable to parse JSON string from snake case to camel case #4399
  • Crashes when I try to use ‘json::at()’ on a properly structured, non null, and correctly constructed ‘.json’ file #4387
  • JSON_BuildTests fail when JSON_DisableEnumSerialization is set to ON #4384
  • JSON can't parse a simple data #4383

... (truncated)

Commits

Package Dependencies
Ecosystem:
bazel
Version Change:
3.11.3 → 3.12.0.bcr.1
Update Type:
Minor
Security Advisories
tqdm CLI arguments injection attack
GHSA-g7vv-2v7x-gj9p CVE-2024-34062 LOW
### Impact Any optional non-boolean CLI arguments (e.g. `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. Example: ```sh python -m tqdm -...
Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode
GHSA-jjg7-2v4v-x38h CVE-2024-3651 MODERATE
### Impact A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service. ### Patches The function has been refined to reje...
Requests `Session` object does not verify requests after making first request with verify=False
GHSA-9wx4-h78v-vm56 CVE-2024-35195 MODERATE
When using a `requests.Session`, if the first request to a given origin is made with `verify=False`, TLS certificate verification may remain disabled for all subsequent requests to that origin, eve...
zipp Denial of Service vulnerability
GHSA-jfmj-5v4g-7637 CVE-2024-5569 MODERATE
A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that l...
Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
GHSA-h75v-3vvj-5mfj CVE-2024-34064 MODERATE
The `xmlattr` filter in affected versions of Jinja accepts keys containing non-attribute characters. XML/HTML attributes cannot contain spaces, `/`, `>`, or `=`, as each would then be interpreted a...
ntlk unsafe deserialization vulnerability
GHSA-cgvx-9447-vcch CVE-2024-39705 HIGH
NLTK through 3.8.1 allows remote code execution if untrusted packages have pickled Python code, and the integrated data package download functionality is used. This affects, for example, averaged_p...
Jinja vulnerable to HTML attribute injection when passing user input as keys to xmlattr filter
GHSA-h5c8-rqwp-cp95 CVE-2024-22195 MODERATE
The `xmlattr` filter in affected versions of Jinja accepts keys containing spaces. XML/HTML attributes cannot contain spaces, as each would then be interpreted as a separate attribute. If an applic...
Untrusted search path under some conditions on Windows allows arbitrary code execution
GHSA-2mqj-m65w-jghx CVE-2024-22190 HIGH
### Summary This issue exists because of an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.ex...
Certifi removes GLOBALTRUST root certificate
GHSA-248v-346w-9cwc CVE-2024-39689 LOW
Certifi 2024.07.04 removes root certificates from "GLOBALTRUST" from the root store. These are in the process of being removed from Mozilla's trust store. GLOBALTRUST's root certificates are being...
urllib3's Proxy-Authorization request header isn't stripped during cross-origin redirects
GHSA-34jh-p97f-mpxf CVE-2024-37891 MODERATE
When using urllib3's proxy support with `ProxyManager`, the `Proxy-Authorization` header is only sent to the configured proxy, as expected. However, when sending HTTP requests *without* using urll...
Technical Details
ID: 15932895
UUID: 4019430147
Node ID: PR_kwDOP8RVKM7Hv3ue
Host: GitHub
Repository: RunEdgeAI/agents-cpp-sdk