From 01f947a66ad8c5e20d8c89d9adbc7e3bd49afb70 Mon Sep 17 00:00:00 2001
From: Aaron Patterson
Date: Wed, 18 Mar 2026 13:07:19 -0700
Subject: [PATCH 1/5] fix env url

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 10d91ed..3389e52 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,7 +15,7 @@ jobs:
     environment:
       name: rubygems.org
-      url: https://rubygems.org/gems/bcrypt-ruby
+      url: https://rubygems.org/gems/bcrypt
     permissions:
       contents: write

From 5faa2748331d3edc661c127ef2fbb3afcb6b02a4 Mon Sep 17 00:00:00 2001
From: Kevin Farrell
Date: Wed, 18 Mar 2026 16:43:13 +0000
Subject: [PATCH 2/5] Fix integer overflow in JRuby BCrypt rounds calculation [CVE-2026-33306]

---
 ext/jruby/bcrypt_jruby/BCrypt.java | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/ext/jruby/bcrypt_jruby/BCrypt.java b/ext/jruby/bcrypt_jruby/BCrypt.java
index 86db91b..bf987d9 100644
--- a/ext/jruby/bcrypt_jruby/BCrypt.java
+++ b/ext/jruby/bcrypt_jruby/BCrypt.java
@@ -688,20 +688,21 @@ static long roundsForLogRounds(int log_rounds) {
      */
     private byte[] crypt_raw(byte password[], byte salt[], int log_rounds,
         boolean sign_ext_bug, int safety) {
-        int rounds, i, j;
+        long rounds;
+        int i, j;
         int cdata[] = bf_crypt_ciphertext.clone();
         int clen = cdata.length;
         byte ret[];
 
         if (log_rounds < 4 || log_rounds > 31)
             throw new IllegalArgumentException ("Bad number of rounds");
-        rounds = 1 << log_rounds;
+        rounds = roundsForLogRounds(log_rounds);
         if (salt.length != BCRYPT_SALT_LEN)
             throw new IllegalArgumentException ("Bad salt length");
 
         init_key();
         ekskey(salt, password, sign_ext_bug, safety);
-        for (i = 0; i < rounds; i++) {
+        for (long r = 0; r < rounds; r++) {
             key(password, sign_ext_bug, safety);
             key(salt, false, safety);
         }

From 32e687ec5f62baad01a62e4634e41d97f8432a61 Mon Sep 17 00:00:00 2001
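Review bot: The new `rounds = roundsForLogRounds(log_rounds)` line carries no comment on why the count became `long`, which is the whole substance of this fix: `1 << 31` overflows `int` to `Integer.MIN_VALUE`, so at `log_rounds == 31` the old `i < rounds` test failed on its first evaluation and the cost-factor loop ran zero times, producing a hash with none of the work the cost parameter promises. I would put that on the line: `// 1 << 31 overflows int to a negative count and the loop below runs 0 times; keep rounds as long (CVE-2026-33306)`. Hashes produced at cost 31 on JRuby before this change will no longer verify and should be treated as weak and rehashed, which deserves a sentence in the crypt_raw Javadoc, whose start lies above the hunk. `roundsForLogRounds` is visible only in the hunk header as `static long roundsForLogRounds(int)`; presumably it returns `1L << log_rounds`, and a unit test asserting `roundsForLogRounds(31) == 2147483648L` would pin the fix without actually running 2^31 rounds. The loop no longer uses `i`, which stays declared; whether crypt_raw still needs it further down is outside the hunk.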
From: Aaron Patterson
Date: Wed, 18 Mar 2026 15:42:34 -0700
Subject: [PATCH 3/5] bump version update changelog

---
 CHANGELOG      | 3 +++
 bcrypt.gemspec | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 1682923..a2c9982 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,6 @@
+3.1.22 Mar 18 2026
+  - [CVE-2026-33306] Fix integer overflow in Java extension
+
 3.1.21 Dec 31 2025
   - Use constant time comparisons
   - Mark as Ractor safe
diff --git a/bcrypt.gemspec b/bcrypt.gemspec
index e35a402..b848c01 100644
--- a/bcrypt.gemspec
+++ b/bcrypt.gemspec
@@ -1,6 +1,6 @@
 Gem::Specification.new do |s|
   s.name = 'bcrypt'
-  s.version = '3.1.21'
+  s.version = '3.1.22'
 
   s.summary = "OpenBSD's bcrypt() password hashing algorithm."
   s.description = <<-EOF

From 44bc362c9c3d98a1225a10fd07f7631b39f7e65d Mon Sep 17 00:00:00 2001
From: Olle Jonsson
Date: Thu, 26 Mar 2026 16:45:18 +0100
Subject: [PATCH 4/5] CI: Tell dependabot to update GH Actions

---
 .github/dependabot.yml | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..b18fd29
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: 'github-actions'
+    directory: '/'
+    schedule:
+      interval: 'weekly'

From 9b1d071fbc9928be9d6d733037d5c95fe54efed2 Mon Sep 17 00:00:00 2001
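Review bot: The new dependabot config keeps the actions current but does nothing about how they are referenced; the workflows use floating major tags (`actions/checkout@v4` and `ruby/setup-ruby@v1` in the context of patch 5), so a compromised or force-moved tag is pulled straight into a release job that runs with `contents: write` (visible in patch 1). Pinning each `uses:` to a full commit SHA with the version kept in a trailing comment, e.g. `- uses: actions/checkout@<full commit sha> # v6`, closes that gap, and Dependabot's `github-actions` ecosystem still updates SHA-pinned references with exactly this configuration. Nothing in this hunk itself needs to change; the pinning belongs in a separate workflow commit.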
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 27 Mar 2026 19:33:14 +0000
Subject: [PATCH 5/5] Bump actions/checkout from 4 to 6

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v6)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot]
---
 .github/workflows/release.yml | 2 +-
 .github/workflows/ruby.yml    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3389e52..1905ff8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,7 +31,7 @@ jobs:
         with:
           egress-policy: audit
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Set up Ruby
         uses: ruby/setup-ruby@v1
diff --git a/.github/workflows/ruby.yml b/.github/workflows/ruby.yml
index 176faa0..f0f2e10 100644
--- a/.github/workflows/ruby.yml
+++ b/.github/workflows/ruby.yml
@@ -33,7 +33,7 @@ jobs:
           - { os: ubuntu-latest, ruby: truffleruby-head }
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
       - name: Set up Ruby
         uses: ruby/setup-ruby-pkgs@v1