From ce62fd08143b44a1f87465ee2e91bfda905995e4 Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Tue, 9 Jun 2026 11:22:40 -0400 Subject: [PATCH] =?UTF-8?q?dep:=20update=20addressable=202.8.7=20=E2=86=92?= =?UTF-8?q?=202.9.0?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Security bump for CVE-2026-35611 (High, ReDoS in Addressable::Template). Not exposed: campfire never reaches Addressable::Template — runtime use is geared_pagination's URI.parse; templates appear only in webmock test stubs (all string/Regexp, never templates). Transitive dep (no Gemfile change). 49 commits analyzed, 0 mitigations. https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-addressable_2.8.7..2.9.0.md 🤖 Assisted by Claude --- Gemfile.lock | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 23a48f7..18dce38 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -130,8 +130,8 @@ GEM specs: action_text-trix (2.1.15) railties - addressable (2.8.7) - public_suffix (>= 2.0.2, < 7.0) + addressable (2.9.0) + public_suffix (>= 2.0.2, < 8.0) ast (2.4.3) base64 (0.3.0) bcrypt (3.1.20)