Mike Dalessio 8e0aa7d636 dep: update nokogiri 1.18.10 → 1.19.3
Security bump clearing 3 advisories: GHSA-c4rq-3m3g-8wgx (High, CSS
selector tokenizer ReDoS), GHSA-v2fc-qm4h-8hqv (XSLT transform memory
leak), GHSA-wx95-c6cv-8532 (unchecked xmlC14NExecute return). None
exposed: loofah/rails-html-sanitizer use DOM/XPath not CSS selectors,
every app CSS selector is a compile-time literal, and campfire uses no
XSLT or XML canonicalization.

The 1.18→1.19 minor bump is a Ruby-4-support/packaging milestone —
bundled libxml2 2.13.9 / libxslt 1.1.43 are unchanged, so HTML parsing
and ActionText sanitization output are identical. Ruby floor 3.2
(campfire runs 3.4.5); all 4 locked platforms still ship.

Transitive dep via Rails/loofah (no Gemfile change). 33 commits analyzed,
0 mitigations. Verified green via full unit + system suites.

https://github.com/basecamp/37signals-hq/blob/main/upgrade-analysis/campfire-20260609-nokogiri_v1.18.10..v1.19.3.md

🤖 Assisted by Claude
2026-06-09 12:42:51 -04:00
2025-08-21 09:31:59 +01:00
2025-08-21 09:31:59 +01:00
2025-08-21 09:31:59 +01:00
2026-01-16 09:31:22 +01:00
2025-08-21 09:31:59 +01:00
2025-12-01 10:40:24 +01:00
2025-08-21 09:31:59 +01:00
2025-08-21 09:31:59 +01:00
2025-08-21 09:31:59 +01:00
2025-08-21 09:31:59 +01:00
2025-08-21 09:31:59 +01:00
2025-09-18 14:51:42 +02:00
2025-12-01 10:40:24 +01:00
2026-06-09 12:42:51 -04:00
2025-08-21 09:31:59 +01:00
2025-08-21 09:31:59 +01:00
2025-08-21 09:31:59 +01:00
2025-09-18 10:53:41 -04:00

Campfire

Campfire is a web-based chat application. It supports many of the features you'd expect, including:

  • Multiple rooms, with access controls
  • Direct messages
  • File attachments with previews
  • Search
  • Notifications (via Web Push)
  • @mentions
  • API, with support for bot integrations

Deploying with Docker

Campfire's Docker image contains everything needed for a fully-functional, single-machine deployment. This includes the web app, background jobs, caching, file serving, and SSL.

To persist storage of the database and file attachments, map a volume to /rails/storage.

To configure additional features, you can set the following environment variables:

  • SSL_DOMAIN - enable automatic SSL via Let's Encrypt for the given domain name
  • DISABLE_SSL - alternatively, set DISABLE_SSL to serve over plain HTTP
  • VAPID_PUBLIC_KEY/VAPID_PRIVATE_KEY - set these to a valid keypair to allow sending Web Push notifications. You can generate a new keypair by running /script/admin/create-vapid-key
  • SENTRY_DSN - to enable error reporting to sentry in production, supply your DSN here

For example:

docker build -t campfire .

docker run \
  --publish 80:80 --publish 443:443 \
  --restart unless-stopped \
  --volume campfire:/rails/storage \
  --env SECRET_KEY_BASE=$YOUR_SECRET_KEY_BASE \
  --env VAPID_PUBLIC_KEY=$YOUR_PUBLIC_KEY \
  --env VAPID_PRIVATE_KEY=$YOUR_PRIVATE_KEY \
  --env TLS_DOMAIN=chat.example.com \
  campfire

Running in development

bin/setup
bin/rails server

Worth Noting

When you start Campfire for the first time, youll be guided through creating an admin account. The email address of this admin account will be shown on the login page so that people who forget their password know who to contact for help. (You can change this email later in the settings)

Campfire is single-tenant: any rooms designated "public" will be accessible by all users in the system. To support entirely distinct groups of customers, you would deploy multiple instances of the application.

S
Description
No description provided
Readme 85 MiB
Languages
Ruby 44.4%
HTML 24.4%
JavaScript 18.1%
CSS 12.2%
Shell 0.5%
Other 0.4%