From 28525bec5d862fd1a6055560c4cc94aedf5460f0 Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Tue, 9 Jun 2026 11:51:42 -0400 Subject: [PATCH] =?UTF-8?q?dep:=20update=20sinatra=204.1.1=20=E2=86=92=204?= =?UTF-8?q?.2.1?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Security bump for CVE-2025-61921 (ReDoS via ETag header generation). Not exposed: sinatra reaches campfire only through resque-web, which is never mounted — config.ru runs plain Rails, no `require "resque/server"` anywhere, so Sinatra::Base is never defined. Dead code at runtime. Conservative update also bumped rack-protection 4.1.1 → 4.2.1 (same monorepo); its shipped lib is byte-identical bar the version string. Transitive dep (no Gemfile change). 14 commits analyzed, 0 mitigations. https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-sinatra_v4.1.1..v4.2.1.md 🤖 Assisted by Claude --- Gemfile.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 1bc4a06..4209df1 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -263,7 +263,7 @@ GEM nio4r (~> 2.0) racc (1.8.1) rack (3.2.4) - rack-protection (4.1.1) + rack-protection (4.2.1) base64 (>= 0.1.0) logger (>= 1.6.0) rack (>= 3.0.0, < 4) @@ -360,11 +360,11 @@ GEM sentry-ruby (5.26.0) bigdecimal concurrent-ruby (~> 1.0, >= 1.0.2) - sinatra (4.1.1) + sinatra (4.2.1) logger (>= 1.6.0) mustermann (~> 3.0) rack (>= 3.0.0, < 4) - rack-protection (= 4.1.1) + rack-protection (= 4.2.1) rack-session (>= 2.0.0, < 3) tilt (~> 2.0) sqlite3 (2.7.3-aarch64-linux-gnu)