build(deps): bump rack-session from 2.1.1 to 2.1.2#994
build(deps): bump rack-session from 2.1.1 to 2.1.2#994dependabot[bot] wants to merge 1 commit intomasterfrom
Conversation
Bumps [rack-session](https://github.com/rack/rack-session) from 2.1.1 to 2.1.2. - [Release notes](https://github.com/rack/rack-session/releases) - [Changelog](https://github.com/rack/rack-session/blob/main/releases.md) - [Commits](rack/rack-session@v2.1.1...v2.1.2) --- updated-dependencies: - dependency-name: rack-session dependency-version: 2.1.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
Up to standards ✅🟢 Issues
|
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
There was a problem hiding this comment.
Pull Request Overview
This PR upgrades rack-session to 2.1.2 to address CVE-2026-39324 and bumps rack to 3.2.6. While the primary goal is met and Codacy reports the PR is up to standards, the Gemfile.lock contains multiple unresolved security vulnerabilities in other dependencies. Specifically, net-imap and nokogiri have high-severity issues that should be addressed to maintain a secure posture. There is also a lack of verification for application boot and session persistence which are critical given the middleware changes.
About this PR
- While this PR fixes rack-session, the lockfile currently contains critical and high-severity vulnerabilities in net-imap, nokogiri, graphql, and yard. It is recommended to schedule a follow-up task to update these dependencies.
4 comments outside of the diff
Gemfile.lock
line 155🔴 HIGH RISK
Updatenet-imapto 0.5.14 or later to patch a critical STARTTLS stripping vulnerability and multiple command injection vectors.
line 179🔴 HIGH RISK
Updatenokogirito 1.19.3 or later to resolve a high-severity ReDoS vulnerability and a memory leak in XSLT transforms.
line 111🟡 MEDIUM RISK
Updategraphqlto 2.5.26 or later to fix a lexer-based resource exhaustion vulnerability.
line 441🟡 MEDIUM RISK
Updateyardto 0.9.42 or later to address a path traversal vulnerability.
Test suggestions
- Verify application boots and initializes middleware stack successfully with updated gems
- Smoke test session persistence and retrieval to ensure compatibility with rack 3.2.6
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify application boots and initializes middleware stack successfully with updated gems
2. Smoke test session persistence and retrieval to ensure compatibility with rack 3.2.6
TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback
Bumps rack-session from 2.1.1 to 2.1.2.
Release notes
Sourced from rack-session's releases.
Changelog
Sourced from rack-session's changelog.
Commits
504367bBump patch version.f43638cDon't fall back to unencrypted coder if encryptors are present.dadcfe6Bump actions/checkout from 4 to 5 (#54)4eb9ea8Add top level session spec to validate existing formats.8f94577Add rails to external tests.38ea47dAllow the v2 encryptor to serialize messages withMarshal(#44)43f2e3aFix compatibility with older Rubies.6a060b8Support UTF-8 data when using the JSON serializer (#39)8ce0146Fixauth_tagretrieval on JRuby (#32)7727185Add AEAD encryption (#23)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.