mirror of
https://github.com/basecamp/once-campfire.git
synced 2026-07-08 00:50:22 +09:00
dep: update erb 6.0.0 → 6.0.4
Security bump for CVE-2026-41316 (High, @_init deserialization guard bypass via def_module/def_method/def_class). Not exposed: ActionView renders via Erubi, not Ruby's ERB class; no def_* calls or Marshal of ERB objects anywhere — vulnerable path absent. Transitive dep (no Gemfile change). 24 commits analyzed, 0 mitigations. https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-erb_v6.0.0..v6.0.4.md 🤖 Assisted by Claude
This commit is contained in:
+1
-1
@@ -164,7 +164,7 @@ GEM
|
||||
irb (~> 1.10)
|
||||
reline (>= 0.3.8)
|
||||
drb (2.2.3)
|
||||
erb (6.0.0)
|
||||
erb (6.0.4)
|
||||
erubi (1.13.1)
|
||||
faker (3.5.2)
|
||||
i18n (>= 1.8.11, < 2)
|
||||
|
||||
Reference in New Issue
Block a user