From 47cdbb2a0f98572c874e13e8bac89c2ddaa83b9b Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Tue, 9 Jun 2026 11:17:07 -0400 Subject: [PATCH] =?UTF-8?q?dep:=20update=20rexml=203.4.1=20=E2=86=92=203.4?= =?UTF-8?q?.4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Security bump for CVE-2025-58767 (DoS on malformed XML). Conservative update landed 3.4.4 (latest patch, above advisory floor of 3.4.2). Test/build-only transitive dep (webmock→crack, selenium-webdriver); absent from app runtime. 34 commits analyzed, 1 test-only mitigation (no-root-element parse change) — verified green via full unit + system test suites. https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-rexml_3.4.1..3.4.4.md 🤖 Assisted by Claude --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 9bc8884..23a48f7 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -308,7 +308,7 @@ GEM resque-pool (0.7.1) rake (>= 10.0, < 14.0) resque (>= 1.22, < 3) - rexml (3.4.1) + rexml (3.4.4) rqrcode (3.2.0) chunky_png (~> 1.0) rqrcode_core (~> 2.0)