build(deps): bump rack-session to 2.1.2 (GHSA-33qg-7wpp-89cq)#67

Merged
martinemde merged 1 commit into main from rack-session-security-bump on Jun 17, 2026
Conversation

@technicalpickles

Collaborator

What

Bumps the transitive rack-session dependency from 2.1.0 to 2.1.2 in Gemfile.lock.

Why

Dependabot flagged a critical advisory: GHSA-33qg-7wpp-89cq.

Rack::Session::Cookie's decrypt-failure fallback enables secretless session forgery and Marshal deserialization. Vulnerable range: >= 2.0.0, < 2.1.2. The fix is to move to 2.1.2 or newer.

rack-session is not a direct Gemfile dependency here, so this is a lockfile-only change.

How

bundle update rack-session --conservative

Diff is intentionally limited to the single rack-session version line.

Verification (local, Ruby 3.2.2)

  • bundle install clean
  • bundle exec rspec → 67 examples, 0 failures
  • bundle exec rubocop → 26 files inspected, no offenses
  • bundle exec srb tc → No errors

🤖 Generated with Claude Code

Bumps the transitive rack-session dependency from 2.1.0 to 2.1.2 to
resolve a critical advisory: Rack::Session::Cookie's decrypt-failure
fallback enables secretless session forgery and Marshal deserialization
(vulnerable range >= 2.0.0, < 2.1.2).

Conservative lockfile-only change; no direct Gemfile dependency touched.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@technicalpickles

Collaborator Author

Resolves Dependabot alert #92 (GHSA-33qg-7wpp-89cq, critical): bumps rack-session 2.1.0 → 2.1.2.
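The advisory range quoted above (rack-session >= 2.0.0, < 2.1.2) and the claim that the change is lockfile-only can both be checked mechanically. The following is an added example, not code from this PR or from the project: it parses the `specs:` section of a Gemfile.lock, compares the pinned rack-session version against the GHSA range using RubyGems' own `Gem::Requirement`, and diffs a before/after lockfile to confirm that only the one version line moved. The lockfile excerpt is constructed for the example; the gem versions in it other than rack-session, and rack-session's dependency line, are assumptions and not taken from the PR.

```ruby
# Added example (not part of the PR or the project): audit a Gemfile.lock
# against a single advisory's vulnerable version range.
require "rubygems"

# Constructed lockfile excerpt in Bundler's layout (GEM / specs / PLATFORMS /
# DEPENDENCIES). Versions other than rack-session 2.1.0 are made up.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.8)
      rack-session (2.1.0)
        rack (>= 3.0.0)
      rspec (3.13.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
    rspec

  BUNDLED WITH
     2.5.9
LOCK

# Range and fixed version as stated in the PR for GHSA-33qg-7wpp-89cq.
ADVISORY = {
  id: "GHSA-33qg-7wpp-89cq",
  gem: "rack-session",
  vulnerable: Gem::Requirement.new(">= 2.0.0", "< 2.1.2"),
  fixed: Gem::Version.new("2.1.2"),
}.freeze

# Returns { gem_name => Gem::Version } for every top-level entry under
# GEM/specs. Transitive dependencies are listed here too, which is exactly
# why a lockfile-only bump is enough to fix an indirect gem.
def locked_versions(lockfile_text)
  versions = {}
  section = nil
  in_specs = false
  lockfile_text.each_line do |raw|
    line = raw.chomp
    if line.match?(/\A\S/)          # an unindented line starts a new section
      section = line
      in_specs = false
      next
    end
    next unless section == "GEM"
    if line == "  specs:"
      in_specs = true
      next
    end
    next unless in_specs
    # Spec entries are indented exactly four spaces; the dependency lines
    # beneath them are indented six and are deliberately not matched.
    if (m = line.match(/\A {4}(\S+) \(([^)\s]+)\)\z/))
      # Strip a platform suffix such as "-x86_64-linux" before parsing.
      versions[m[1]] = Gem::Version.new(m[2].split("-").first)
    end
  end
  versions
end

# Classifies the locked version of the advisory's gem.
def check_advisory(lockfile_text, advisory = ADVISORY)
  version = locked_versions(lockfile_text)[advisory[:gem]]
  return { status: :absent } if version.nil?

  if advisory[:vulnerable].satisfied_by?(version)
    { status: :vulnerable, version: version.to_s, fix: advisory[:fixed].to_s }
  else
    { status: :ok, version: version.to_s }
  end
end

# Line-by-line comparison of two lockfiles of equal length; returns the
# [old, new] pairs that differ, so a reviewer can confirm a single-line bump.
def changed_lines(before, after)
  before.lines.map(&:chomp)
        .zip(after.lines.map(&:chomp))
        .reject { |old, new| old == new }
end

if __FILE__ == $PROGRAM_NAME
  result = check_advisory(SAMPLE_LOCKFILE)
  puts "#{ADVISORY[:gem]} #{result[:version]}: #{result[:status]}"
  bumped = SAMPLE_LOCKFILE.sub("rack-session (2.1.0)", "rack-session (2.1.2)")
  changed_lines(SAMPLE_LOCKFILE, bumped).each { |old, new| puts "- #{old}\n+ #{new}" }
  puts "after bump: #{check_advisory(bumped)[:status]}"
end
```

The check reads the locked version, not the Gemfile, because the PR's point is that rack-session is only reachable transitively; a Gemfile-only audit would miss it. `Gem::Requirement#satisfied_by?` applies the same semantics Bundler uses, so an edge such as 2.1.2 itself being outside the `< 2.1.2` bound is handled without hand-written comparisons.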

@martinemde martinemde merged commit 2741dc4 into main Jun 17, 2026
6 checks passed
@martinemde martinemde deleted the rack-session-security-bump branch June 17, 2026 20:01
@github-project-automation github-project-automation Bot moved this from Triage to Done in Modularity Jun 17, 2026