
Issue #20516 has been updated by hsbt (Hiroshi SHIBATA).

Thanks all.

The current `make test-bundled-gems` is not working with C ext dependencies like strscan. I removed them at https://github.com/ruby/ruby/blob/master/tool/lib/bundled_gem.rb#L67 if dependencies are the default gems. We can use them via ruby source tree.

The above workaround is only working with resolving with correct version like `strscan >= 3.0.9` manually. The version of strscan with `ruby_3_2` is `3.0.5`. Because https://bugs.ruby-lang.org/issues/20516#note-10 is failed maybe.

We have the following solution:

* Wait to release rexml-3.2.9.
* Upgrade strscan-3.0.9+ on `ruby_3_1` and `ruby_3_2` and rexml-3.2.8.

----------------------------------------
Bug #20516: The version of rexml in ruby 3.3.2 has not been updated since 3.2.6.
https://bugs.ruby-lang.org/issues/20516#change-108587

* Author: naitoh (Jun NAITOH)
* Status: Closed
* ruby -v: ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22]
* Backport: 3.1: REQUIRED, 3.2: REQUIRED, 3.3: DONE
----------------------------------------
The version of rexml in ruby 3.3.2 has not been updated since 3.2.6.
This is still a DoS vulnerable version.
https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/

```
$ ruby -v
ruby 3.3.2 (2024-05-30 revision e5a195edf6) [arm64-darwin22]
$ gem list rexml

*** LOCAL GEMS ***

rexml (3.2.6)
```

--
https://bugs.ruby-lang.org/
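
Added example, not part of the original message or the Ruby project's code: a check over `gem list` output using the versions named in this thread. It assumes that versions at or below 3.2.6 are affected, that rexml 3.2.8 and later need strscan 3.0.9 or later, and that the highest installed version is the one that loads; the function names and the sample input are constructed.

```ruby
require "rubygems"

# Constructed sample: `gem list` output in the shape shown in the report,
# with a strscan line added for illustration.
SAMPLE_GEM_LIST = <<~OUT
  *** LOCAL GEMS ***

  rexml (3.2.6)
  strscan (default: 3.0.5)
OUT

# Thresholds taken from the thread (assumptions, see lead-in): 3.2.6 is
# reported as still vulnerable, and rexml-3.2.8 is paired with strscan 3.0.9+.
REXML_VULNERABLE    = Gem::Requirement.new("<= 3.2.6")
REXML_NEEDS_STRSCAN = Gem::Requirement.new(">= 3.2.8")
STRSCAN_REQUIRED    = Gem::Requirement.new(">= 3.0.9")

# Parse lines such as "rexml (3.2.6)" or "strscan (3.0.9, default: 3.0.5)"
# into { name => [Gem::Version, ...] }. Platform suffixes are dropped.
def parse_gem_list(text)
  text.each_line.with_object({}) do |line, gems|
    m = line.match(/\A(\S+) \((.+)\)\s*\z/) or next
    versions = m[2].split(",").map { |v| v.sub("default:", "").split.first.to_s }
    gems[m[1]] = versions.select { |v| !v.empty? && Gem::Version.correct?(v) }
                         .map { |v| Gem::Version.new(v) }
  end
end

# Return a list of findings; empty means nothing was flagged.
# Uses the highest installed version of each gem as an approximation.
def audit(gems)
  rexml   = gems.fetch("rexml", []).max
  strscan = gems.fetch("strscan", []).max
  return ["rexml not installed"] unless rexml

  findings = []
  if REXML_VULNERABLE.satisfied_by?(rexml)
    findings << "rexml #{rexml} is in the reported vulnerable range"
  end
  if REXML_NEEDS_STRSCAN.satisfied_by?(rexml) &&
     !(strscan && STRSCAN_REQUIRED.satisfied_by?(strscan))
    findings << "rexml #{rexml} needs strscan >= 3.0.9, found #{strscan || 'none'}"
  end
  findings
end

puts audit(parse_gem_list(SAMPLE_GEM_LIST)) if $PROGRAM_NAME == __FILE__
```

To check a real installation, pass the output of `gem list` to `parse_gem_list` in place of the sample.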