mirror of
https://github.com/basecamp/once-campfire.git
synced 2026-07-08 00:50:22 +09:00
dep: update bcrypt 3.1.20 → 3.1.22
Security bump for CVE-2026-33306 (integer overflow → zero KDF iterations at Cost=31). Not exposed: JRuby-only bug; campfire runs MRI (Ruby 3.4.5), no java platform in lockfile, ActiveModel default cost is 10-12. Direct gem (no version constraint, unchanged). 33 commits analyzed, 2 no-action mitigations (constant-time password compare hardening on the has_secure_password path) — auth tests green. https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-bcrypt_v3.1.20..v3.1.22.md 🤖 Assisted by Claude
This commit is contained in:
+1
-1
@@ -134,7 +134,7 @@ GEM
|
||||
public_suffix (>= 2.0.2, < 8.0)
|
||||
ast (2.4.3)
|
||||
base64 (0.3.0)
|
||||
bcrypt (3.1.20)
|
||||
bcrypt (3.1.22)
|
||||
benchmark (0.5.0)
|
||||
bigdecimal (3.3.1)
|
||||
brakeman (8.0.4)
|
||||
|
||||
Reference in New Issue
Block a user