dep: update erb 6.0.0 → 6.0.4

Security bump for CVE-2026-41316 (High, @_init deserialization guard
bypass via def_module/def_method/def_class). Not exposed: ActionView
renders via Erubi, not Ruby's ERB class; no def_* calls or Marshal of ERB
objects anywhere — vulnerable path absent.

Transitive dep (no Gemfile change). 24 commits analyzed, 0 mitigations.

https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-erb_v6.0.0..v6.0.4.md

🤖 Assisted by Claude
This commit is contained in:
Mike Dalessio
2026-06-09 11:32:02 -04:00
parent 17f81d4fa0
commit 7ffb043cf3
+1 -1
View File
@@ -164,7 +164,7 @@ GEM
irb (~> 1.10)
reline (>= 0.3.8)
drb (2.2.3)
erb (6.0.0)
erb (6.0.4)
erubi (1.13.1)
faker (3.5.2)
i18n (>= 1.8.11, < 2)