Security bump clearing 3 advisories: GHSA-c4rq-3m3g-8wgx (High, CSS selector tokenizer ReDoS), GHSA-v2fc-qm4h-8hqv (XSLT transform memory leak), GHSA-wx95-c6cv-8532 (unchecked xmlC14NExecute return). None exposed: loofah/rails-html-sanitizer use DOM/XPath not CSS selectors, every app CSS selector is a compile-time literal, and campfire uses no XSLT or XML canonicalization. The 1.18→1.19 minor bump is a Ruby-4-support/packaging milestone — bundled libxml2 2.13.9 / libxslt 1.1.43 are unchanged, so HTML parsing and ActionText sanitization output are identical. Ruby floor 3.2 (campfire runs 3.4.5); all 4 locked platforms still ship. Transitive dep via Rails/loofah (no Gemfile change). 33 commits analyzed, 0 mitigations. Verified green via full unit + system suites. https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-nokogiri_v1.18.10..v1.19.3.md 🤖 Assisted by Claude
Campfire
Campfire is a web-based chat application. It supports many of the features you'd expect, including:
- Multiple rooms, with access controls
- Direct messages
- File attachments with previews
- Search
- Notifications (via Web Push)
- @mentions
- API, with support for bot integrations
Deploying with Docker
Campfire's Docker image contains everything needed for a fully-functional, single-machine deployment. This includes the web app, background jobs, caching, file serving, and SSL.
To persist storage of the database and file attachments, map a volume to /rails/storage.
To configure additional features, you can set the following environment variables:
SSL_DOMAIN- enable automatic SSL via Let's Encrypt for the given domain nameDISABLE_SSL- alternatively, setDISABLE_SSLto serve over plain HTTPVAPID_PUBLIC_KEY/VAPID_PRIVATE_KEY- set these to a valid keypair to allow sending Web Push notifications. You can generate a new keypair by running/script/admin/create-vapid-keySENTRY_DSN- to enable error reporting to sentry in production, supply your DSN here
For example:
docker build -t campfire .
docker run \
--publish 80:80 --publish 443:443 \
--restart unless-stopped \
--volume campfire:/rails/storage \
--env SECRET_KEY_BASE=$YOUR_SECRET_KEY_BASE \
--env VAPID_PUBLIC_KEY=$YOUR_PUBLIC_KEY \
--env VAPID_PRIVATE_KEY=$YOUR_PRIVATE_KEY \
--env TLS_DOMAIN=chat.example.com \
campfire
Running in development
bin/setup
bin/rails server
Worth Noting
When you start Campfire for the first time, you’ll be guided through creating an admin account. The email address of this admin account will be shown on the login page so that people who forget their password know who to contact for help. (You can change this email later in the settings)
Campfire is single-tenant: any rooms designated "public" will be accessible by all users in the system. To support entirely distinct groups of customers, you would deploy multiple instances of the application.