Bump sinatra, rack-protection and rack

[dependabot]

Bumps sinatra, rack-protection and rack. These dependencies needed to be updated together.
Updates sinatra from 3.2.0 to 4.1.1

Changelog

Sourced from sinatra's changelog.

4.1.1 / 2024-11-20

• Fix: Restore WEBrick support (#2067)

4.1.0 / 2024-11-18

• New: Add host_authorization setting (#2053)
  • Defaults to .localhost, .test and any IP address in development mode.
  • Security: addresses CVE-2024-21510.
• Fix: Return an instance of Sinatra::IndifferentHash when calling #except (#2044)
• Fix: Address warning from URI for Ruby 3.4 (#2060)
• Fix: rackup no longer depends on WEBrick, recommend Puma instead (4a558503)
• Fix: Zeitwerk 2.7.0+ compatibility (#2050)
• Fix: Address warning about Hash construction for Ruby 3.4 (#2028)
• Fix: Declare missing dependencies for Ruby 3.5 (#2032)
• Fix: Compatibility with --enable-frozen-string-literal (#2033)
• Fix: Rack 3.1 compatibility (#2035)
  • Don't depend on Rack::Logger
  • Don't delete content-length header when Rack::Files is used

4.0.1 / 2025-05-24

• Rack 3.1 compatibility (#2035)

• Fix malformed Content-Type headers (#2081)

• Avoid crash for integer values in content_type parameters (#2078)

• Fix compatibility with --enable-frozen-string-literal (#2033)

• Declare missing dependencies for Ruby 3.5 (#2032)

• Fix warning about Hash construction. (#2028)

• Support Zeitwerk 2.7.0+ (#2050)

• Address URI depreciation (#2060)

#2035: sinatra/sinatra#2035 #2081: sinatra/sinatra#2081 #2078: sinatra/sinatra#2078 #2033: sinatra/sinatra#2033 #2032: sinatra/sinatra#2032 #2028: sinatra/sinatra#2028 #2050: sinatra/sinatra#2050 #2060: sinatra/sinatra#2060

4.0.0. / 2024-01-19

• New: Add support for Rack 3 (#1857)

... (truncated)

Commits

• 7b50a1b 4.1.1 release (#2068)
• 3f6c577 Restore WEBrick support (#2067)
• 38cd687 Multiple \<dd> tags breaks the website HTML (#2066)
• 80c3ad6 Update CHANGELOG with correct CVE (#2064)
• 73f3291 4.1.0 release (#2063)
• cd3e00d Add HostAuthorization rack-protection middleware (#2053)
• 8c4cd0b Return an instance of Sinatra::IndifferentHash when calling #except (#2044)
• 3c888f7 Address URI depreciation (#2060)
• 0d33ef8 CI: don't test falcon on Ruby 2.7
• 4a55850 Remove WEBrick
• Additional commits viewable in compare view

Updates rack-protection from 3.2.0 to 4.1.1

Changelog

Sourced from rack-protection's changelog.

4.1.1 / 2024-11-20

• Fix: Restore WEBrick support (#2067)

4.1.0 / 2024-11-18

• New: Add host_authorization setting (#2053)
  • Defaults to .localhost, .test and any IP address in development mode.
  • Security: addresses CVE-2024-21510.
• Fix: Return an instance of Sinatra::IndifferentHash when calling #except (#2044)
• Fix: Address warning from URI for Ruby 3.4 (#2060)
• Fix: rackup no longer depends on WEBrick, recommend Puma instead (4a558503)
• Fix: Zeitwerk 2.7.0+ compatibility (#2050)
• Fix: Address warning about Hash construction for Ruby 3.4 (#2028)
• Fix: Declare missing dependencies for Ruby 3.5 (#2032)
• Fix: Compatibility with --enable-frozen-string-literal (#2033)
• Fix: Rack 3.1 compatibility (#2035)
  • Don't depend on Rack::Logger
  • Don't delete content-length header when Rack::Files is used

4.0.1 / 2025-05-24

• Rack 3.1 compatibility (#2035)

• Fix malformed Content-Type headers (#2081)

• Avoid crash for integer values in content_type parameters (#2078)

• Fix compatibility with --enable-frozen-string-literal (#2033)

• Declare missing dependencies for Ruby 3.5 (#2032)

• Fix warning about Hash construction. (#2028)

• Support Zeitwerk 2.7.0+ (#2050)

• Address URI depreciation (#2060)

#2035: sinatra/sinatra#2035 #2081: sinatra/sinatra#2081 #2078: sinatra/sinatra#2078 #2033: sinatra/sinatra#2033 #2032: sinatra/sinatra#2032 #2028: sinatra/sinatra#2028 #2050: sinatra/sinatra#2050 #2060: sinatra/sinatra#2060

4.0.0. / 2024-01-19

• New: Add support for Rack 3 (#1857)

... (truncated)

Commits

• 7b50a1b 4.1.1 release (#2068)
• 73f3291 4.1.0 release (#2063)
• cd3e00d Add HostAuthorization rack-protection middleware (#2053)
• 4a55850 Remove WEBrick
• 319af3a Declare missing dependencies for Ruby 3.5 (#2032)
• 8d0095f Adjust CookieTossing spec for Rack 3.1+
• 5640495 Fix typos in changelog, readme and code comments (#2006)
• b626e2d 4.0.0 release (#1996)
• e56f657 Require Ruby 2.7.8 as minimum Ruby version (#1993)
• 9993829 CI: remove rack monkey patches
• Additional commits viewable in compare view

Updates rack from 2.2.17 to 3.2.1

Release notes

Sourced from rack's releases.

v3.0.9.1

What's Changed

• Fixed ReDoS in Accept header parsing [CVE-2024-26146]
• Fixed ReDoS in Content Type header parsing [CVE-2024-25126]
• Reject Range headers which are too large [CVE-2024-26141]

Full Changelog: rack/rack@v3.0.9...v3.0.9.1

v3.0.9

What's Changed

• Fix content-length calcuation in Rack:Response#write #2150

Full Changelog: rack/rack@v3.0.8...v3.0.9

v3.0.8

What's Changed

• Backport "Fix some unused variable verbose warnings" by @​skipkayhil in rack/rack#2084

New Contributors

• @​skipkayhil made their first contribution in rack/rack#2084

Full Changelog: rack/rack@v3.0.7...v3.0.8

v3.0.7

What's Changed

• Backport "Make query parameters without = have nil values". by @​jeremyevans in rack/rack#2060

Full Changelog: rack/rack@v3.0.6.1...v3.0.7

v3.0.6.1

No release notes provided.

v3.0.4.1

Full Changelog: rack/rack@v3.0.4...v3.0.4.1

v3.0.4

Full Changelog: rack/rack@v3.0.3...v3.0.4

v3.0.3

What's Changed

• Release v3.0.3 by @​ioquatix in rack/rack#2000

Full Changelog: rack/rack@v3.0.2...v3.0.3

v3.0.2

Full Changelog: rack/rack@v3.0.1...v3.0.2

Changelog

Sourced from rack's changelog.

Changelog

All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference Keep A Changelog.

Unreleased

SPEC Changes

• Define rack.response_finished callback arguments more strictly. (#2365, @​skipkayhil)

Added

• Add support for rack.response_finished to Rack::TempfileReaper. (#2363, @​skipkayhil)
• Add support for streaming bodies when using Rack::Events. (#2375, @​unflxw)

Changed

• Raise before exceeding a part limit, not after. (#2362, @​matthew-puku)
• Rack::Deflater now uses a fixed GZip mtime value. (#2372, @​bensheldon)

Fixed

• Fix an issue where a NoMethodError would be raised when using Rack::Events with streaming bodies. (#2375, @​unflxw)

[3.2.0] - 2025-07-31

This release continues Rack's evolution toward a cleaner, more efficient foundation while maintaining backward compatibility for most applications. The breaking changes primarily affect deprecated functionality, so most users should experience a smooth upgrade with improved performance and standards compliance.

SPEC Changes

• Request environment keys must now be strings. (#2310, [@​jeremyevans])
• Add nil as a valid return from a Response body.to_path (#2318, [@​MSP-Greg])
• Rack::Lint#check_header_value is relaxed, only disallowing CR/LF/NUL characters. (#2354, [@​ioquatix])

Added

• Introduce Rack::VERSION constant. (#2199, [@​ioquatix])
• ISO-2022-JP encoded parts within MIME Multipart sections of an HTTP request body will now be converted to UTF-8. (#2245, @​nappa)
• Add Rack::Request#query_parser= to allow setting the query parser to use. (#2349, [@​jeremyevans])
• Add Rack::Request#form_pairs to access form data as raw key-value pairs, preserving duplicate keys. (#2351, [@​matthewd])

Changed

• Invalid cookie keys will now raise an error. (#2193, [@​ioquatix])
• Rack::MediaType#params now handles empty strings. (#2229, [@​jeremyevans])
• Avoid unnecessary calls to the ip_filter lambda to evaluate Request#ip (#2287, [@​willbryant])
• Only calculate Request#ip once per request (#2292, [@​willbryant])
• Rack::Builder #use, #map, and #run methods now return nil. (#2355, [@​ioquatix])
• Directly close the body in Rack::ConditionalGet when the response is 304 Not Modified. (#2353, [@​ioquatix])
• Directly close the body in Rack::Head when the request method is HEAD(#2360, @​skipkayhil)

... (truncated)

Commits

• 14c8731 Bump patch version.
• 7ea1f40 Support streaming bodies when using Rack::Events. (#2375)
• b68251c Bump minor version.
• a6ba717 Minor updates to README and CHANGELOG.
• 9e10390 Directly close the body in Rack::Head. (#2360)
• 36156aa Ensure truthy is used consistently in the context of hijacking support in R...
• 7d09de4 Tidy up checks for script_name, path_info. (#2357)
• 5ce04c1 lint.rb consistency improvements. (#2352)
• 5f06728 Regenerate SPEC.rdoc.
• 9453930 Make Rack::Lint disallow PATH_INFO="" SCRIPT_NAME="" (#2316)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Looks like these dependencies are up-to-date now, so this is no longer needed.