dep: update rack 3.2.4 → 3.2.6

Security bump clearing ~11 CVEs (multipart parser differentials/DoS, Host
header validation, byte-range DoS, Forwarded injection, Rack::Static/
Directory/Sendfile disclosures). Reachable fixes (multipart uploads, AS
byte-range streaming, host parsing) apply transparently via corrective
behavior and generous new defaults; the Static/Directory/Sendfile/
Deflater CVEs are not reachable (campfire uses none of those middlewares).

No app changes required. Optional hardening noted in plan: new env knob
RACK_MULTIPART_PARSER_BYTESIZE_LIMIT (default 10 GiB) could be tuned to
campfire's real max attachment size — left at default here.

Transitive dep via Rails (no Gemfile change). 23 commits analyzed,
0 required mitigations. Verified green via full unit + system suites.

https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-rack_v3.2.4..v3.2.6.md

🤖 Assisted by Claude
This commit is contained in:
Mike Dalessio
2026-06-09 12:01:20 -04:00
parent 28525bec5d
commit efaae642b0
+1 -1
View File
@@ -262,7 +262,7 @@ GEM
puma (6.6.1)
nio4r (~> 2.0)
racc (1.8.1)
rack (3.2.4)
rack (3.2.6)
rack-protection (4.2.1)
base64 (>= 0.1.0)
logger (>= 1.6.0)