chore(deps): bump rack from 3.2.5 to 3.2.6

[dependabot]

Bumps rack from 3.2.5 to 3.2.6.

Release notes

Sourced from rack's releases.

v3.2.6

Full Changelog: rack/rack@v3.2.5...v3.2.6

Changelog

Sourced from rack's changelog.

[3.2.6] - 2026-04-01

Security

• CVE-2026-34763 Root directory disclosure via unescaped regex interpolation in Rack::Directory.
• CVE-2026-34230 Avoid O(n^2) algorithm in Rack::Utils.select_best_encoding which could lead to denial of service.
• CVE-2026-32762 Forwarded header semicolon injection enables Host and Scheme spoofing.
• CVE-2026-26961 Raise error for multipart requests with multiple boundary parameters.
• CVE-2026-34786 Rack::Static header_rules bypass via URL-encoded path mismatch.
• CVE-2026-34831 Content-Length mismatch in Rack::Files error responses.
• CVE-2026-34826 Multipart byte range processing allows denial of service via excessive overlapping ranges.
• CVE-2026-34835 Rack::Request accepts invalid Host characters, enabling host allowlist bypass.
• CVE-2026-34830 Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect.
• CVE-2026-34785 Rack::Static prefix matching can expose unintended files under the static root.
• CVE-2026-34829 Multipart parsing without Content-Length header allows unbounded chunked file uploads.
• CVE-2026-34827 Multipart header parsing allows denial of service via escape-heavy quoted parameters.
• CVE-2026-26962 Improper unfolding of folded multipart headers preserves CRLF in parsed parameter values.

Commits

• e1f22fd Bump patch version.
• 31989fd Fix typo in test.
• d268165 Fix test expectation.
• 8f425de Add Ruby v4.0 to the test matrix.
• bf83042 Drop EOL Rubies from external tests.
• d50c4d3 Implement OBS unfolding for multipart requests per RFC 5322 2.2.3
• bfb6914 Limit the number of quoted escapes during multipart parsing
• b3e5945 Add Content-Length size check in Rack::Multipart::Parser
• 7a8f326 Fix root prefix bug in Rack::Static
• a57bc14 Only do a simple substitution on the x-accel-mapping paths
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
kings-lendas	Ready	Preview, Comment	Apr 2, 2026 6:58pm

[github-actions]

Dependency Security Check

[WARN] Vulnerabilidades em dependências!

Ver relatório

Name: activestorage
Version: 8.0.4
CVE: CVE-2026-33658
GHSA: GHSA-p9fm-f462-ggrg
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg
Title: Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
Solution: update to '~> 7.2.3, >= 7.2.3.1', '~> 8.0.4, >= 8.0.4.1', '>= 8.1.2.1'

Name: json
Version: 2.19.0
CVE: CVE-2026-33210
GHSA: GHSA-3m6g-2423-7cp3
Criticality: Unknown
URL: https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3
Title: Ruby JSON has a format string injection vulnerability
Solution: update to '~> 2.15.2.1', '~> 2.17.1.2', '>= 2.19.2'

Name: loofah
Version: 2.25.0
GHSA: GHSA-46fp-8f5p-pf2m
Criticality: Unknown
URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m
Title: Improper detection of disallowed URIs by Loofah `allowed_uri?`
Solution: update to '>= 2.25.1'

Name: mcp
Version: 0.8.0
CVE: CVE-2026-33946
GHSA: GHSA-qvqr-5cv7-wh35
Criticality: High
URL: https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35
Title: MCP Ruby SDK - Insufficient Session Binding Allows SSE Stream Hijacking via Session ID Replay
Solution: update to '>= 0.9.2'

Vulnerabilities found!

[github-actions]

Brakeman Security Scan

• Total warnings: 0
• High confidence: 0

[OK] Nenhum issue de alta confiança.

[github-actions]

Semgrep Static Analysis

• Errors: 1
• Critical (high confidence): 0
• Warnings: 15

[FAIL] Errors encontrados! Corrigir.

[github-actions]

Security Scan — Kings Lendas

SAST (análise estática)

Check	Status
Brakeman	[OK] success
Dependências	[FAIL] failure
Semgrep	[OK] success
TruffleHog	[OK] success
Segredos locais	[OK] success

DAST (testes dinâmicos)

Check	Status
Autenticação	[OK] success
SQL Injection	[OK] success
SSRF / Path Traversal	[OK] success
Integridade dos dados	[OK] success

[WARN] Alguns checks falharam. Revisar acima.

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric	Results
Complexity	0
Duplication	0

View in Codacy

_{TIP This summary will be updated as you push new changes. Give us feedback}