From 4730f76356290de7e0156ab2e63cb9cdbe430fa0 Mon Sep 17 00:00:00 2001
From: Mike Landau
Date: Wed, 25 Mar 2026 11:59:52 -0700
Subject: [PATCH 1/2] Fix remaining Dependabot security alerts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Rails example: Upgrade Rails 7.1.6 → 7.2.3.1 to fix activestorage path traversal/glob injection/DoS/content type bypass, activesupport ReDoS/DoS/XSS, and actionview XSS vulnerabilities
- Django example: Update sqlparse 0.5.3 → 0.5.4 (DoS fix)
- Drupal example: Update psysh v0.12.15 → v0.12.19 (privilege escalation fix)
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 examples/stacks/django/requirements.txt | 2 +-
 examples/stacks/drupal/composer.lock | 12 +-
 examples/stacks/rails/blog/Gemfile | 3 +-
 examples/stacks/rails/blog/Gemfile.lock | 150 +++++++++++-------------
 4 files changed, 78 insertions(+), 89 deletions(-)
diff --git a/examples/stacks/django/requirements.txt b/examples/stacks/django/requirements.txt
index a3054d75e95..e689959e781 100644
--- a/examples/stacks/django/requirements.txt
+++ b/examples/stacks/django/requirements.txt
@@ -1,4 +1,4 @@
 asgiref==3.6.0
 Django==4.2.29
 psycopg2==2.9.5
-sqlparse==0.5.3
\ No newline at end of file
+sqlparse==0.5.4
\ No newline at end of file
diff --git a/examples/stacks/drupal/composer.lock b/examples/stacks/drupal/composer.lock
index a588a5eeb06..b76521fcc09 100644
--- a/examples/stacks/drupal/composer.lock
+++ b/examples/stacks/drupal/composer.lock
@@ -3134,16 +3134,16 @@ }, { "name": "psy/psysh", - "version": "v0.12.15", + "version": "v0.12.19", "source": { "type": "git", "url": "https://github.com/bobthecow/psysh.git", - "reference": "38953bc71491c838fcb6ebcbdc41ab7483cd549c" + "reference": "a4f766e5c5b6773d8399711019bb7d90875a50ee" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/bobthecow/psysh/zipball/38953bc71491c838fcb6ebcbdc41ab7483cd549c", - "reference": "38953bc71491c838fcb6ebcbdc41ab7483cd549c", + "url": "https://api.github.com/repos/bobthecow/psysh/zipball/a4f766e5c5b6773d8399711019bb7d90875a50ee", + "reference": "a4f766e5c5b6773d8399711019bb7d90875a50ee", "shasum": "" }, "require": {
@@ -3207,9 +3207,9 @@ ], "support": { "issues": "https://github.com/bobthecow/psysh/issues", - "source": "https://github.com/bobthecow/psysh/tree/v0.12.15" + "source": "https://github.com/bobthecow/psysh/tree/v0.12.19" }, - "time": "2025-11-28T00:00:14+00:00" + "time": "2026-02-14T17:51:48+00:00" }, { "name": "ralouphie/getallheaders",
diff --git a/examples/stacks/rails/blog/Gemfile b/examples/stacks/rails/blog/Gemfile
index 1cb3f558185..8f56bebdf36 100644
--- a/examples/stacks/rails/blog/Gemfile
+++ b/examples/stacks/rails/blog/Gemfile
@@ -4,8 +4,7 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 ruby "4.0.2"
 # Bundle edge Rails instead: gem "rails", github: "rails/rails", branch: "main"
-gem "rails", "~> 7.1.5"
-gem "rack", "~> 2.2.15"
+gem "rails", "~> 7.2.3.1"
 # The original asset pipeline for Rails [https://github.com/rails/sprockets-rails]
 gem "sprockets-rails"
diff --git a/examples/stacks/rails/blog/Gemfile.lock b/examples/stacks/rails/blog/Gemfile.lock
index 9752bd91eff..529987fb301 100644
--- a/examples/stacks/rails/blog/Gemfile.lock
+++ b/examples/stacks/rails/blog/Gemfile.lock
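Review bot: Dropping `gem "rack", "~> 2.2.15"` without a replacement pin moves the example from Rack 2.2.x to Rack 3 (this commit's Gemfile.lock hunks resolve `rack (3.2.5)`, `rack-session (2.1.1)` and `rackup (2.3.1)`), which is a major-version change rather than the security patch the commit message describes. Rack 3 changes behaviour that app code and config.ru can depend on (for example, response header names must be lowercase), so the example app should be exercised against it; the same lockfile leaves `puma (5.6.9)` resolved against Rack 3, which the follow-up patch corrects. Consider keeping rack as an explicit direct dependency on the new line, `gem "rack", "~> 3.2"`, so the pin stays visible and a future rack advisory can be fixed in the Gemfile rather than only through transitive resolution, and mention the Rack major bump in the commit message. Whether Rails 7.2.3.1 is supported on the `ruby "4.0.2"` declared two lines above is not established by this diff and is worth confirming.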
@@ -1,85 +1,79 @@ GEM remote: https://rubygems.org/ specs: - actioncable (7.1.6) - actionpack (= 7.1.6) - activesupport (= 7.1.6) + actioncable (7.2.3.1) + actionpack (= 7.2.3.1) + activesupport (= 7.2.3.1) nio4r (~> 2.0) websocket-driver (>= 0.6.1) zeitwerk (~> 2.6) - actionmailbox (7.1.6) - actionpack (= 7.1.6) - activejob (= 7.1.6) - activerecord (= 7.1.6) - activestorage (= 7.1.6) - activesupport (= 7.1.6) - mail (>= 2.7.1) - net-imap - net-pop - net-smtp - actionmailer (7.1.6) - actionpack (= 7.1.6) - actionview (= 7.1.6) - activejob (= 7.1.6) - activesupport (= 7.1.6) - mail (~> 2.5, >= 2.5.4) - net-imap - net-pop - net-smtp + actionmailbox (7.2.3.1) + actionpack (= 7.2.3.1) + activejob (= 7.2.3.1) + activerecord (= 7.2.3.1) + activestorage (= 7.2.3.1) + activesupport (= 7.2.3.1) + mail (>= 2.8.0) + actionmailer (7.2.3.1) + actionpack (= 7.2.3.1) + actionview (= 7.2.3.1) + activejob (= 7.2.3.1) + activesupport (= 7.2.3.1) + mail (>= 2.8.0) rails-dom-testing (~> 2.2) - actionpack (7.1.6) - actionview (= 7.1.6) - activesupport (= 7.1.6) + actionpack (7.2.3.1) + actionview (= 7.2.3.1) + activesupport (= 7.2.3.1) cgi nokogiri (>= 1.8.5) racc - rack (>= 2.2.4) + rack (>= 2.2.4, < 3.3) rack-session (>= 1.0.1) rack-test (>= 0.6.3) rails-dom-testing (~> 2.2) rails-html-sanitizer (~> 1.6) - actiontext (7.1.6) - actionpack (= 7.1.6) - activerecord (= 7.1.6) - activestorage (= 7.1.6) - activesupport (= 7.1.6) + useragent (~> 0.16) + actiontext (7.2.3.1) + actionpack (= 7.2.3.1) + activerecord (= 7.2.3.1) + activestorage (= 7.2.3.1) + activesupport (= 7.2.3.1) globalid (>= 0.6.0) nokogiri (>= 1.8.5) - actionview (7.1.6) - activesupport (= 7.1.6) + actionview (7.2.3.1) + activesupport (= 7.2.3.1) builder (~> 3.1) cgi erubi (~> 1.11) rails-dom-testing (~> 2.2) rails-html-sanitizer (~> 1.6) - activejob (7.1.6) - activesupport (= 7.1.6) + activejob (7.2.3.1) + activesupport (= 7.2.3.1) globalid (>= 0.3.6) - activemodel (7.1.6) - activesupport (= 7.1.6) - activerecord (7.1.6) 
- activemodel (= 7.1.6) - activesupport (= 7.1.6) + activemodel (7.2.3.1) + activesupport (= 7.2.3.1) + activerecord (7.2.3.1) + activemodel (= 7.2.3.1) + activesupport (= 7.2.3.1) timeout (>= 0.4.0) - activestorage (7.1.6) - actionpack (= 7.1.6) - activejob (= 7.1.6) - activerecord (= 7.1.6) - activesupport (= 7.1.6) + activestorage (7.2.3.1) + actionpack (= 7.2.3.1) + activejob (= 7.2.3.1) + activerecord (= 7.2.3.1) + activesupport (= 7.2.3.1) marcel (~> 1.0) - activesupport (7.1.6) + activesupport (7.2.3.1) base64 benchmark (>= 0.3) bigdecimal - concurrent-ruby (~> 1.0, >= 1.0.2) + concurrent-ruby (~> 1.0, >= 1.3.1) connection_pool (>= 2.2.5) drb i18n (>= 1.6, < 2) logger (>= 1.4.2) - minitest (>= 5.1) - mutex_m + minitest (>= 5.1, < 6) securerandom (>= 0.3) - tzinfo (~> 2.0) + tzinfo (~> 2.0, >= 2.0.5) addressable (2.8.9) public_suffix (>= 2.0.2, < 8.0) base64 (0.3.0)
@@ -141,11 +135,8 @@ GEM matrix (0.4.3) mini_mime (1.1.5) mini_portile2 (2.8.9) - minitest (6.0.2) - drb (~> 2.0) - prism (~> 1.5) + minitest (5.27.0) msgpack (1.8.0) - mutex_m (0.3.0) net-imap (0.6.3) date net-protocol
@@ -176,28 +167,28 @@ GEM puma (5.6.9) nio4r (~> 2.0) racc (1.8.1) - rack (2.2.22) - rack-session (1.0.2) - rack (< 3) + rack (3.2.5) + rack-session (2.1.1) + base64 (>= 0.1.0) + rack (>= 3.0.0) rack-test (2.2.0) rack (>= 1.3) - rackup (1.0.1) - rack (< 3) - webrick - rails (7.1.6) - actioncable (= 7.1.6) - actionmailbox (= 7.1.6) - actionmailer (= 7.1.6) - actionpack (= 7.1.6) - actiontext (= 7.1.6) - actionview (= 7.1.6) - activejob (= 7.1.6) - activemodel (= 7.1.6) - activerecord (= 7.1.6) - activestorage (= 7.1.6) - activesupport (= 7.1.6) + rackup (2.3.1) + rack (>= 3) + rails (7.2.3.1) + actioncable (= 7.2.3.1) + actionmailbox (= 7.2.3.1) + actionmailer (= 7.2.3.1) + actionpack (= 7.2.3.1) + actiontext (= 7.2.3.1) + actionview (= 7.2.3.1) + activejob (= 7.2.3.1) + activemodel (= 7.2.3.1) + activerecord (= 7.2.3.1) + activestorage (= 7.2.3.1) + activesupport (= 7.2.3.1) bundler (>= 1.15.0) - railties (= 7.1.6) + railties (= 7.2.3.1) rails-dom-testing (2.3.0) activesupport (>= 5.0.0) minitest
@@ -205,11 +196,11 @@ GEM rails-html-sanitizer (1.7.0) loofah (~> 2.25) nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0) - railties (7.1.6) - actionpack (= 7.1.6) - activesupport (= 7.1.6) + railties (7.2.3.1) + actionpack (= 7.2.3.1) + activesupport (= 7.2.3.1) cgi - irb + irb (~> 1.13) rackup (>= 1.0.0) rake (>= 12.2) thor (~> 1.0, >= 1.2.2)
@@ -253,6 +244,7 @@ GEM concurrent-ruby (~> 1.0) tzinfo-data (1.2014.5) tzinfo (>= 1.0.0) + useragent (0.16.11) web-console (4.2.1) actionview (>= 6.0.0) activemodel (>= 6.0.0)
@@ -262,7 +254,6 @@ GEM nokogiri (~> 1.6) rubyzip (>= 1.3.0) selenium-webdriver (~> 4.0, < 4.11) - webrick (1.9.2) websocket-driver (0.8.0) base64 websocket-extensions (>= 0.1.0)
@@ -284,8 +275,7 @@ DEPENDENCIES importmap-rails jbuilder puma (~> 5.6) - rack (~> 2.2.15) - rails (~> 7.1.5) + rails (~> 7.2.3.1) selenium-webdriver sprockets-rails sqlite3 (~> 1.4)
From 2e48255d52f3edb3d21e8856f8f48b81ee30118e Mon Sep 17 00:00:00 2001
From: Mike Landau
Date: Wed, 25 Mar 2026 12:15:49 -0700
Subject: [PATCH 2/2] =?UTF-8?q?Upgrade=20Puma=205=20=E2=86=92=206=20for=20?=
 =?UTF-8?q?Rack=203=20compatibility?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Puma 5 is not compatible with Rack 3 which was pulled in by the Rails 7.2 upgrade.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 examples/stacks/rails/blog/Gemfile | 2 +-
 examples/stacks/rails/blog/Gemfile.lock | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/examples/stacks/rails/blog/Gemfile b/examples/stacks/rails/blog/Gemfile
index 8f56bebdf36..63fd64f9d70 100644
--- a/examples/stacks/rails/blog/Gemfile
+++ b/examples/stacks/rails/blog/Gemfile
@@ -13,7 +13,7 @@ gem "sprockets-rails"
 gem "sqlite3", "~> 1.4"
 # Use the Puma web server [https://github.com/puma/puma]
-gem "puma", "~> 5.6"
+gem "puma", "~> 6.0"
 # Use JavaScript with ESM import maps [https://github.com/rails/importmap-rails]
 gem "importmap-rails"
diff --git a/examples/stacks/rails/blog/Gemfile.lock b/examples/stacks/rails/blog/Gemfile.lock
index 529987fb301..bc844bb76b4 100644
--- a/examples/stacks/rails/blog/Gemfile.lock
+++ b/examples/stacks/rails/blog/Gemfile.lock
@@ -164,7 +164,7 @@ GEM date stringio public_suffix (7.0.5) - puma (5.6.9) + puma (6.6.1) nio4r (~> 2.0) racc (1.8.1) rack (3.2.5)
@@ -274,7 +274,7 @@ DEPENDENCIES debug importmap-rails jbuilder - puma (~> 5.6) + puma (~> 6.0) rails (~> 7.2.3.1) selenium-webdriver sprockets-rails