mirror of
https://github.com/basecamp/once-campfire.git
synced 2026-07-08 00:50:22 +09:00
dep: update sinatra 4.1.1 → 4.2.1
Security bump for CVE-2025-61921 (ReDoS via ETag header generation). Not exposed: sinatra reaches campfire only through resque-web, which is never mounted — config.ru runs plain Rails, no `require "resque/server"` anywhere, so Sinatra::Base is never defined. Dead code at runtime. Conservative update also bumped rack-protection 4.1.1 → 4.2.1 (same monorepo); its shipped lib is byte-identical bar the version string. Transitive dep (no Gemfile change). 14 commits analyzed, 0 mitigations. https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-sinatra_v4.1.1..v4.2.1.md 🤖 Assisted by Claude
This commit is contained in:
+3
-3
@@ -263,7 +263,7 @@ GEM
|
||||
nio4r (~> 2.0)
|
||||
racc (1.8.1)
|
||||
rack (3.2.4)
|
||||
rack-protection (4.1.1)
|
||||
rack-protection (4.2.1)
|
||||
base64 (>= 0.1.0)
|
||||
logger (>= 1.6.0)
|
||||
rack (>= 3.0.0, < 4)
|
||||
@@ -360,11 +360,11 @@ GEM
|
||||
sentry-ruby (5.26.0)
|
||||
bigdecimal
|
||||
concurrent-ruby (~> 1.0, >= 1.0.2)
|
||||
sinatra (4.1.1)
|
||||
sinatra (4.2.1)
|
||||
logger (>= 1.6.0)
|
||||
mustermann (~> 3.0)
|
||||
rack (>= 3.0.0, < 4)
|
||||
rack-protection (= 4.1.1)
|
||||
rack-protection (= 4.2.1)
|
||||
rack-session (>= 2.0.0, < 3)
|
||||
tilt (~> 2.0)
|
||||
sqlite3 (2.7.3-aarch64-linux-gnu)
|
||||
|
||||
Reference in New Issue
Block a user