
Update vendored cgi gem #8919

@donoghuc

The vendored (default) cgi gem

['cgi', '0.4.1'],
has a reported CVE https://nvd.nist.gov/vuln/detail/CVE-2025-27220.

Several patched releases of cgi are available https://rubygems.org/gems/cgi/versions. It looks like MRI ruby is going with 0.4.2 https://stdgems.org/. Perhaps that is the best path?

In general what is the strategy for default gems in jruby? Are they meant to track a specific ruby major/minor?

For example in the jruby 9.4 stream would the default gems track those in ruby 3.1? Or ruby 3.y?
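One way to check a vendored default-gems list against the patched release this issue points at, as an added example (not code from the JRuby project or from the issue author). It assumes the list has the `['name', 'version']` shape quoted above; the non-cgi entries are placeholders.

```ruby
# Added example: flag vendored default gems that are below a minimum fixed
# version. Uses Gem::Version rather than string comparison so that
# "0.4.10" is correctly seen as newer than "0.4.2".
require "rubygems"

# Constructed sample in the shape of the vendored default-gems list quoted
# in the issue. Only cgi/0.4.1 comes from the page; the rest is placeholder.
DEFAULT_GEMS = [
  ["cgi", "0.4.1"],
  ["json", "2.0.0"], # placeholder entry
]

# Minimum fixed versions. cgi 0.4.2 is the release the issue proposes as the
# patched version for the advisory it cites.
MIN_FIXED = {
  "cgi" => { version: "0.4.2", advisory: "CVE-2025-27220" },
}

# Returns one finding per vendored gem whose version is older than the
# fixed version in +fixed+. Gems without a rule are ignored.
def audit_default_gems(gems, fixed = MIN_FIXED)
  gems.filter_map do |name, version|
    rule = fixed[name]
    next unless rule
    installed = Gem::Version.new(version)
    required = Gem::Version.new(rule[:version])
    next if installed >= required
    { name: name, installed: version, fixed: rule[:version],
      advisory: rule[:advisory] }
  end
end

if __FILE__ == $0
  audit_default_gems(DEFAULT_GEMS).each do |f|
    puts "#{f[:name]} #{f[:installed]} < #{f[:fixed]} (#{f[:advisory]})"
  end
end
```

Running it against the sample list reports the cgi entry only; a list carrying cgi 0.4.2 or later produces no findings.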
