From 7ffb043cf3276d2049dd751c144eea4242880c48 Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Tue, 9 Jun 2026 11:32:02 -0400 Subject: [PATCH] =?UTF-8?q?dep:=20update=20erb=206.0.0=20=E2=86=92=206.0.4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Security bump for CVE-2026-41316 (High, @_init deserialization guard bypass via def_module/def_method/def_class). Not exposed: ActionView renders via Erubi, not Ruby's ERB class; no def_* calls or Marshal of ERB objects anywhere — vulnerable path absent. Transitive dep (no Gemfile change). 24 commits analyzed, 0 mitigations. https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-erb_v6.0.0..v6.0.4.md 🤖 Assisted by Claude --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index cfebb3b..075c181 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -164,7 +164,7 @@ GEM irb (~> 1.10) reline (>= 0.3.8) drb (2.2.3) - erb (6.0.0) + erb (6.0.4) erubi (1.13.1) faker (3.5.2) i18n (>= 1.8.11, < 2)