fix(deps): update rack, rexml, and sinatra for security fixes

markhallen · claude · markhallen · commit 0bff86aea4e9 · 2026-03-28T12:34:35.000Z
- rack 3.1.16 → 3.2.5 (7 CVEs: DoS, directory traversal, XSS)
- rexml 3.4.1 → 3.4.4 (DoS via malformed XML)
- sinatra 4.1.1 → 4.2.1 (ReDoS in ETag headers)

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -11,27 +11,30 @@ GEM
       rexml
     daemons (1.4.1)
     dotenv (3.1.8)
+    drb (2.2.3)
     eventmachine (1.2.7)
     hashdiff (1.2.0)
     json (2.13.2)
     language_server-protocol (3.17.0.5)
     lint_roller (1.1.0)
     logger (1.7.0)
-    minitest (5.25.5)
-    mustermann (3.0.3)
+    minitest (6.0.2)
+      drb (~> 2.0)
+      prism (~> 1.5)
+    mustermann (3.0.4)
       ruby2_keywords (~> 0.0.1)
     nio4r (2.7.4)
     parallel (1.27.0)
     parser (3.3.9.0)
       ast (~> 2.4.1)
       racc
-    prism (1.4.0)
+    prism (1.9.0)
     public_suffix (6.0.2)
     puma (7.0.1)
       nio4r (~> 2.0)
     racc (1.8.1)
-    rack (3.1.16)
-    rack-protection (4.1.1)
+    rack (3.2.5)
+    rack-protection (4.2.1)
       base64 (>= 0.1.0)
       logger (>= 1.6.0)
       rack (>= 3.0.0, < 4)
@@ -43,7 +46,7 @@ GEM
     rainbow (3.1.1)
     rake (13.3.0)
     regexp_parser (2.10.0)
-    rexml (3.4.1)
+    rexml (3.4.4)
     rubocop (1.79.1)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
@@ -67,22 +70,22 @@ GEM
       rubocop (>= 1.72.1)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
-    sinatra (4.1.1)
+    sinatra (4.2.1)
       logger (>= 1.6.0)
       mustermann (~> 3.0)
       rack (>= 3.0.0, < 4)
-      rack-protection (= 4.1.1)
+      rack-protection (= 4.2.1)
       rack-session (>= 2.0.0, < 3)
       tilt (~> 2.0)
     thin (2.0.1)
       daemons (~> 1.0, >= 1.0.9)
       eventmachine (~> 1.0, >= 1.0.4)
       logger
       rack (>= 1, < 4)
-    tilt (2.6.1)
+    tilt (2.7.0)
     unicode-display_width (3.1.4)
       unicode-emoji (~> 4.0, >= 4.0.4)
-    unicode-emoji (4.0.4)
+    unicode-emoji (4.2.0)
     webmock (3.25.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
@@ -106,4 +109,4 @@ DEPENDENCIES
   webmock
 
 BUNDLED WITH
-   2.6.8
+  4.0.3
