Fix CVE-2025-61594 security warning

William Tsai · William Tsai · commit 2aeab19e7ab9 · 2025-12-31T15:09:50.000+08:00
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -11,7 +11,7 @@ stages:
 
 rspec:
   stage: rspec
-  image: ruby:3.4.5
+  image: ruby:3.4.8
   tags:
     - arm64
   script:
@@ -22,7 +22,7 @@ rspec:
 
 to_gem:
   stage: publish
-  image: ruby:3.4.5
+  image: ruby:3.4.8
   tags:
     - arm64
   script:
diff --git a/.ruby-version b/.ruby-version
@@ -1 +1 @@
-3.4.5
+3.4.8
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## [2.0.3] - 2025-12-31
+- Update Faraday to version `2.14.0`.
+- Update faraday-multipart to version `1.2.0`.
+- Update uri to version `1.1.1` for [CVE-2025-61594](https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594/) URI Credential Leakage Bypass vulnerability warning.
+- Update CI to use Ruby 3.4.8.
+
 ## [2.0.2] - 2025-09-23
 - Update REXML to version `3.4.4` for [CVE-2025-58767](https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767/) DoS vulnerability warning.
 
diff --git a/Gemfile b/Gemfile
@@ -3,6 +3,6 @@ source 'https://rubygems.org'
 gemspec
 
 # Simple, but flexible HTTP client library, with support for multiple backends.
-gem 'faraday', '~> 2.13.4'
+gem 'faraday', '~> 2.14.0'
 # Perform multipart-post requests using Faraday.
-gem 'faraday-multipart', '~> 1.1.1'
+gem 'faraday-multipart', '~> 1.2.0'
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,56 +1,60 @@
 PATH
   remote: .
   specs:
-    json_requester (2.0.2)
+    json_requester (2.0.3)
       faraday (~> 2.0, >= 2.0.1)
-      faraday-multipart (~> 1.1.0)
+      faraday-multipart (~> 1.2.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.8.7)
-      public_suffix (>= 2.0.2, < 7.0)
-    bigdecimal (3.2.3)
+    addressable (2.8.8)
+      public_suffix (>= 2.0.2, < 8.0)
+    bigdecimal (4.0.1)
     coderay (1.1.3)
-    crack (1.0.0)
+    crack (1.0.1)
       bigdecimal
       rexml
     diff-lcs (1.6.2)
-    faraday (2.13.4)
+    faraday (2.14.0)
       faraday-net_http (>= 2.0, < 3.5)
       json
       logger
-    faraday-multipart (1.1.1)
+    faraday-multipart (1.2.0)
       multipart-post (~> 2.0)
-    faraday-net_http (3.4.1)
-      net-http (>= 0.5.0)
+    faraday-net_http (3.4.2)
+      net-http (~> 0.5)
     hashdiff (1.2.1)
-    json (2.14.1)
+    io-console (0.8.2)
+    json (2.18.0)
     logger (1.7.0)
     method_source (1.1.0)
     multipart-post (2.4.1)
-    net-http (0.6.0)
-      uri
-    pry (0.14.2)
+    net-http (0.9.1)
+      uri (>= 0.11.1)
+    pry (0.16.0)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (6.0.2)
+      reline (>= 0.6.0)
+    public_suffix (7.0.0)
+    reline (0.6.3)
+      io-console (~> 0.5)
     rexml (3.4.4)
-    rspec (3.13.1)
+    rspec (3.13.2)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
       rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.5)
+    rspec-core (3.13.6)
       rspec-support (~> 3.13.0)
     rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.5)
+    rspec-mocks (3.13.7)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
     rspec-support (3.13.6)
-    uri (1.0.3)
-    webmock (3.25.1)
+    uri (1.1.1)
+    webmock (3.26.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
@@ -59,12 +63,12 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  faraday (~> 2.13.4)
-  faraday-multipart (~> 1.1.1)
+  faraday (~> 2.14.0)
+  faraday-multipart (~> 1.2.0)
   json_requester!
-  pry (~> 0.14.2)
-  rspec (~> 3.0)
-  webmock (~> 3.25, >= 3.25.1)
+  pry (~> 0.16.0)
+  rspec (~> 3.13.0)
+  webmock (~> 3.26, >= 3.26.0)
 
 BUNDLED WITH
    2.7.2
diff --git a/VERSION.md b/VERSION.md
@@ -1 +1 @@
-2.0.2
+2.0.3
diff --git a/json_requester.gemspec b/json_requester.gemspec
@@ -20,9 +20,9 @@ Gem::Specification.new do |s|
 
   s.required_ruby_version = '>= 3.0.0'
   s.add_runtime_dependency "faraday", "~> 2.0", ">= 2.0.1"
-  s.add_runtime_dependency 'faraday-multipart', '~> 1.1.0'
+  s.add_runtime_dependency 'faraday-multipart', '~> 1.2.0'
 
-  s.add_development_dependency 'pry', '~> 0.14.2'
-  s.add_development_dependency "rspec", "~> 3.0"
-  s.add_development_dependency "webmock", "~> 3.25", ">= 3.25.1"
+  s.add_development_dependency 'pry', '~> 0.16.0'
+  s.add_development_dependency "rspec", "~> 3.13.0"
+  s.add_development_dependency "webmock", "~> 3.26", ">= 3.26.0"
 end
