From df597cec3a4e4c646d9d6f086c0253bbdecf7a59 Mon Sep 17 00:00:00 2001 From: Josh Nichols Date: Wed, 17 Jun 2026 12:21:38 -0400 Subject: [PATCH] build(deps): bump rack-session to 2.1.2 (GHSA-33qg-7wpp-89cq) Bumps the transitive rack-session dependency from 2.1.0 to 2.1.2 to resolve a critical advisory: Rack::Session::Cookie's decrypt-failure fallback enables secretless session forgery and Marshal deserialization (vulnerable range >= 2.0.0, < 2.1.2). Conservative lockfile-only change; no direct Gemfile dependency touched. Co-Authored-By: Claude Opus 4.8 (1M context) --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index eeac99a..15b917b 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -202,7 +202,7 @@ GEM public_suffix (6.0.1) racc (1.8.1) rack (3.1.12) - rack-session (2.1.0) + rack-session (2.1.2) base64 (>= 0.1.0) rack (>= 3.0.0) rack-test (2.2.0)