From 905165b7e2bfd91b2f1649fd6ae973588a65ba98 Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Tue, 9 Jun 2026 11:25:39 -0400 Subject: [PATCH] =?UTF-8?q?dep:=20update=20bcrypt=203.1.20=20=E2=86=92=203?= =?UTF-8?q?.1.22?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Security bump for CVE-2026-33306 (integer overflow → zero KDF iterations at Cost=31). Not exposed: JRuby-only bug; campfire runs MRI (Ruby 3.4.5), no java platform in lockfile, ActiveModel default cost is 10-12. Direct gem (no version constraint, unchanged). 33 commits analyzed, 2 no-action mitigations (constant-time password compare hardening on the has_secure_password path) — auth tests green. https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-bcrypt_v3.1.20..v3.1.22.md 🤖 Assisted by Claude --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 18dce38..da0cee7 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -134,7 +134,7 @@ GEM public_suffix (>= 2.0.2, < 8.0) ast (2.4.3) base64 (0.3.0) - bcrypt (3.1.20) + bcrypt (3.1.22) benchmark (0.5.0) bigdecimal (3.3.1) brakeman (8.0.4)