
Bump rack from 3.0.11 to 3.1.20 #52

Closed

dependabot[bot] wants to merge 1 commit into main from dependabot/bundler/rack-3.1.20

Conversation

dependabot[bot] (Contributor) commented on behalf of github Feb 17, 2026

Bumps rack from 3.0.11 to 3.1.20.

Changelog

Sourced from rack's changelog.

[3.1.20] - 2026-02-16

Security

  • CVE-2026-25500 XSS injection via malicious filename in Rack::Directory.
  • CVE-2026-22860 Directory traversal via root prefix bypass in Rack::Directory.

[3.1.19] - 2025-11-03

Fixed

  • Multipart parser: limit MIME header size check to the unread buffer region to avoid false "multipart mime part header too large" errors when previously read data accumulates in the scan buffer. (#2392, @alpaca-tc, @willnet, @krororo)

[3.1.18] - 2025-10-10

Security

  • CVE-2025-61780 Improper handling of headers in Rack::Sendfile may allow proxy bypass.
  • CVE-2025-61919 Unbounded read in Rack::Request form parsing can lead to memory exhaustion.

[3.1.17] - 2025-10-07

Security

  • CVE-2025-61772 Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
  • CVE-2025-61771 Multipart parser buffers large non-file fields entirely in memory, enabling DoS (memory exhaustion)
  • CVE-2025-61770 Unbounded multipart preamble buffering enables DoS (memory exhaustion)

[3.1.16] - 2025-06-04

Security

[3.1.15] - 2025-05-18

[3.1.14] - 2025-05-06

⚠️ This release includes a security fix that may cause certain routes in previously working applications to fail if query parameters exceed 4,096 in count or 4 MB in total size. See rack/rack#2356 for more details.

Security

  • CVE-2025-46727 Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion.

[3.1.13] - 2025-04-13

... (truncated)

Commits
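The changelog above lists which 3.1.x release first carried each security fix. A quick way to turn that into a go/no-go check for a repository is to read the resolved rack version out of Gemfile.lock and compare it against those fix versions. The script below is an added example and is not code from this PR, from rack or from Dependabot; it assumes Bundler's standard Gemfile.lock layout (top-level specs indented four spaces, their dependencies six), uses only `Gem::Version` from the Ruby standard library, and builds its fix table solely from the 3.1.x entries quoted in this PR, so it does not model backports to other release lines. The sample lockfile is constructed for the example.

```ruby
require "rubygems" # Gem::Version; loaded by default in modern Ruby, made explicit here

# Fix versions copied from the rack 3.1.x changelog quoted in this PR.
# Assumption: "fixed in" means the first 3.1.x release carrying the fix; other
# release lines may have their own backports, which this table does not cover.
RACK_FIXES = {
  "CVE-2026-25500" => "3.1.20",
  "CVE-2026-22860" => "3.1.20",
  "CVE-2025-61780" => "3.1.18",
  "CVE-2025-61919" => "3.1.18",
  "CVE-2025-61772" => "3.1.17",
  "CVE-2025-61771" => "3.1.17",
  "CVE-2025-61770" => "3.1.17",
  "CVE-2025-46727" => "3.1.14",
}.freeze

# Pull the resolved version of a gem out of a Gemfile.lock's GEM specs section.
# A top-level spec line looks like "    rack (3.0.11)" (four-space indent); the
# six-space lines beneath it are dependency constraints such as "rack (>= 3.0.0)"
# and must not be mistaken for the resolved version.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    if (m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# CVE ids from the table whose fix version is newer than the locked version.
# A gem that is not locked at all is reported as missing every fix.
def unpatched_cves(locked, fixes = RACK_FIXES)
  return fixes.keys if locked.nil?
  fixes.select { |_cve, fixed_in| locked < Gem::Version.new(fixed_in) }.keys
end

def audit(lockfile_text, gem_name = "rack")
  locked = locked_version(lockfile_text, gem_name)
  { locked: locked&.to_s, unpatched: unpatched_cves(locked).sort }
end

# Constructed sample lockfile (not this repository's Gemfile.lock): rack pinned
# at the pre-bump version, plus two gems that merely depend on rack.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.0.11)
      rack-session (2.0.0)
        rack (>= 3.0.0)
      rack-test (2.1.0)
        rack (>= 1.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
    rack-test
LOCK

if __FILE__ == $0
  report = audit(SAMPLE_LOCK)
  puts "rack #{report[:locked] || 'not locked'}: #{report[:unpatched].size} unpatched CVE(s)"
  report[:unpatched].each { |cve| puts "  #{cve} (fixed in #{RACK_FIXES[cve]})" }
end
```

Run it against the real Gemfile.lock with `audit(File.read("Gemfile.lock"))`. For a lockfile at 3.0.11, as in this PR, every entry in the table is reported; once the bump to 3.1.20 lands the list is empty.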
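The 3.1.14 note above warns that after the CVE-2025-46727 fix, requests with more than 4,096 query parameters or more than 4 MB of query string fail. An app that cannot take the upgrade yet (for instance while a centrally managed Gemfile is being updated) can enforce the same two limits in front of the parser with a small middleware. The following is an added example, not rack's own code or anything from this PR: it uses only the plain Rack calling convention (`call(env)` returning a status, headers and body), so it runs without the rack gem installed; the way it counts parameters (one per `&`-separated pair) is this example's approximation and may differ from the parser's own accounting; the thresholds are the ones quoted in the changelog. The inner app and the request environments are constructed for the example.

```ruby
# Middleware that rejects oversized query strings before they reach the
# application's query parser. Stopgap for apps on an unpatched rack; not a
# substitute for upgrading, since it does not cover form bodies or multipart.
class QueryLimitGuard
  MAX_PARAMS = 4_096              # limit quoted in the rack 3.1.14 note
  MAX_BYTES  = 4 * 1024 * 1024    # 4 MB, likewise

  def initialize(app, max_params: MAX_PARAMS, max_bytes: MAX_BYTES)
    @app = app
    @max_params = max_params
    @max_bytes = max_bytes
  end

  def call(env)
    qs = env["QUERY_STRING"].to_s

    # Size check first: it is O(1) and catches the cheapest DoS shape.
    if qs.bytesize > @max_bytes
      return reject(414, "query string too large (#{qs.bytesize} bytes)")
    end

    # Count '&'-separated pairs without allocating an Array of thousands of
    # substrings; this example's approximation of what the parser would see.
    count = qs.empty? ? 0 : qs.count("&") + 1
    if count > @max_params
      return reject(400, "too many query parameters (#{count})")
    end

    @app.call(env)
  end

  private

  def reject(status, reason)
    body = "#{status} #{reason}\n"
    # Rack 3 expects lowercase header names.
    [status, { "content-type" => "text/plain", "content-length" => body.bytesize.to_s }, [body]]
  end
end

# Constructed inner app standing in for the real application: it just reports
# how many pairs it received.
INNER_APP = lambda do |env|
  pairs = env["QUERY_STRING"].to_s.count("&") + 1
  [200, { "content-type" => "text/plain" }, ["ok: #{pairs} params\n"]]
end

# Helper: run one GET through the guarded stack and return the status.
def guarded_status(query_string)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/search", "QUERY_STRING" => query_string }
  QueryLimitGuard.new(INNER_APP).call(env)[0]
end

if __FILE__ == $0
  puts guarded_status("q=rack&page=2")                                  # ordinary request passes
  puts guarded_status(Array.new(5_000) { |i| "id[]=#{i}" }.join("&"))   # over the count limit
  puts guarded_status("blob=" + ("A" * (4 * 1024 * 1024)))              # over the size limit
end
```

In a real stack this goes ahead of whatever parses params (`use QueryLimitGuard` in config.ru, before the application). Exactly 4,096 pairs is still accepted, matching the "exceed" wording of the note; if a legitimate route needs more than that, raise `max_params` for that app deliberately rather than silently, because the same route will also fail once the upgraded rack is in place.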

dependabot[bot] added labels: dependencies (Pull requests that update a dependency file), ruby (Pull requests that update ruby code) Feb 17, 2026
neetodeploy Bot had a problem deploying to rubocop-neeto-ljhq-pr-52 February 17, 2026 16:20 Failure
yedhink (Contributor) commented Apr 2, 2026

@dependabot recreate

Bumps [rack](https://github.com/rack/rack) from 3.0.11 to 3.1.20.
- [Release notes](https://github.com/rack/rack/releases)
- [Changelog](https://github.com/rack/rack/blob/main/CHANGELOG.md)
- [Commits](https://github.com/rack/rack/commits/v3.1.20)

---
updated-dependencies:
- dependency-name: rack
  dependency-version: 3.1.20
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/bundler/rack-3.1.20 branch from 771288e to b9ad14c Compare April 2, 2026 12:36
neetogit-bot Bot commented Apr 2, 2026

This PR bumps rack which is managed centrally via Gemfile.common.rb in neeto-commons-backend. The upgrade must happen there first, be tested across products, and released via a compliance update.

Tracking issue: https://github.com/neetozone/neeto-commons-backend/issues/4996

Closing this PR.
This comment was auto-generated by NeetoGit.

@neetogit-bot neetogit-bot Bot closed this Apr 2, 2026
dependabot[bot] (Contributor, Author) commented on behalf of github Apr 2, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@neetodeploy neetodeploy Bot requested a deployment to rubocop-neeto-ljhq-pr-52 April 2, 2026 12:36 Abandoned
@dependabot dependabot Bot deleted the dependabot/bundler/rack-3.1.20 branch April 2, 2026 12:36

Labels: dependencies (Pull requests that update a dependency file), ruby (Pull requests that update ruby code)

Projects: None yet

1 participant