Support Rack 3 (attempt #2) #96

mattbooks · 2025-12-09T23:15:17Z

What is this change doing?

Support rack v2 and rack v3
Many updates (ruby, protobuf, envoy, etc.)
Update capybara and selenium testing (based on sidekiq-gusto and mangled by AI)
Fix proto generation

Why is this change being made?

Not many app changes needed to support rack 3 (maybe some of the header lower-casing), however for more modern dependencies lots of updates were needed

How did you test this change?

CI testing (locally and in github)
Manual client testing in gus-gateway

based on #92 from @ngan and @joemsak

boostsecurity-io

⚠️ 1 New Security Finding

The latest commit contains 1 new security finding.

Findings

Dependency: rubygems / rack@ 3.1.13

SUMMARY

Direct Dependency: rack
Location : Gemfile.lock

OCCURRENCES

Vulnerability	Severity	CVSS	Contains Malware	Critical Risk	Description
CVE-2025-46727	Critical	7.5	no	no	This file introduces a vulnerable rack gem with a high severity vulnerability
CVE-2025-61770	Critical	7.5	no	no	This file introduces a vulnerable rack gem with a high severity vulnerability
CVE-2025-61771	Critical	7.5	no	no	This file introduces a vulnerable rack gem with a high severity vulnerability
CVE-2025-61772	Critical	7.5	no	no	This file introduces a vulnerable rack gem with a high severity vulnerability
CVE-2025-61919	Critical	7.5	no	no	This file introduces a vulnerable rack gem with a high severity vulnerability

Remediation :

Please consider upgrading rack to a higher version to try to resolve this issue.

Not a finding? Ignore it by adding a comment on the line with just the word noboost.

Scanner: boostsecurity - bundler-audit

socket-security · 2025-12-09T23:16:35Z

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring alerts on:

npm/estraverse@5.3.0
npm/argparse@2.0.1
npm/brace-expansion@2.0.1
npm/chalk@4.1.2
npm/balanced-match@1.0.2
npm/json-parse-even-better-errors@2.3.1
npm/path-parse@1.0.7
npm/supports-preserve-symlinks-flag@1.0.0
npm/ajv-formats@2.1.1
npm/fastest-levenshtein@1.0.16
npm/require-from-string@2.0.2
npm/core-util-is@1.0.3
npm/@sindresorhus/is@4.6.0
npm/flat@5.0.2
npm/@colors/colors@1.5.0
npm/glob-to-regexp@0.4.1
npm/jest-worker@27.5.1
npm/@pkgjs/parseargs@0.11.0
npm/eastasianwidth@0.2.0
npm/any-promise@1.3.0
npm/char-regex@1.0.2
npm/clone-deep@4.0.1
npm/colorette@2.0.20
npm/cssesc@3.0.0
npm/lodash-es@4.17.21
npm/escape-string-regexp@5.0.0
npm/minipass-flush@1.0.5
npm/minipass-pipeline@1.2.4
npm/mkdirp-classic@0.5.3
npm/mz@2.7.0
npm/shallow-clone@3.0.1
npm/thenify@3.3.1
npm/thenify-all@1.6.0
npm/@isaacs/cliui@8.0.2
npm/parse5@6.0.1
npm/strip-final-newline@3.0.0
npm/mimic-fn@4.0.0
npm/highlight.js@10.7.3
npm/parse5@5.1.1
npm/sprintf-js@1.1.3
npm/isexe@3.1.1
npm/@isaacs/string-locale-compare@1.1.0
npm/just-diff@6.0.2
npm/treeverse@3.0.0
npm/walk-up-path@3.0.1
npm/common-ancestor-path@1.0.1
npm/json-stringify-nice@1.1.4
npm/minipass-sized@1.0.3
npm/promise-all-reject-late@1.0.1
npm/cli-highlight@2.1.11
npm/parse5-htmlparser2-tree-adapter@6.0.1
npm/wildcard@2.0.1
npm/@pnpm/config.env-replace@1.1.0
npm/@pnpm/network.ca-file@1.0.2
npm/rechoir@0.8.0
npm/just-diff-apply@5.5.0
npm/p-each-series@3.0.0
npm/p-reduce@3.0.0
npm/@tufjs/canonical-json@2.0.0
npm/web-worker@1.2.0
npm/time-span@5.1.0
npm/convert-hrtime@5.0.0
npm/emojilib@2.4.0
npm/skin-tone@2.0.0
npm/unicode-emoji-modifier-base@1.0.0
npm/minipass-collect@2.0.1
npm/@types/json-schema@7.0.15
npm/@types/eslint-scope@3.7.7
npm/ip-address@9.0.5
npm/read-package-up@11.0.0
npm/unicorn-magic@0.1.0
npm/parse-ms@4.0.0
npm/has-tostringtag@1.0.2
npm/es-errors@1.3.0
npm/diff@5.2.0
npm/has-property-descriptors@1.0.2
npm/define-data-property@1.1.4
npm/@jridgewell/resolve-uri@3.1.2
npm/available-typed-arrays@1.0.7
npm/strip-final-newline@4.0.0
npm/@jridgewell/set-array@1.2.1
npm/@jridgewell/trace-mapping@0.3.25
npm/p-event@6.0.1
npm/set-function-length@1.2.2
npm/hasown@2.0.2
npm/@jridgewell/source-map@0.3.6
npm/@sec-ant/readable-stream@0.4.1
npm/@isaacs/fs-minipass@4.0.1
npm/@sindresorhus/merge-streams@4.0.0
npm/path-scurry@1.11.1
npm/environment@1.1.0
npm/function-timeout@1.0.2
npm/commander@12.1.0
npm/minimatch@9.0.5
npm/webpack-merge@6.0.1
npm/glob@10.4.5
npm/@jridgewell/sourcemap-codec@1.5.0
npm/jackspeak@3.4.3
npm/unicorn-magic@0.3.0
npm/@pnpm/npm-conf@2.3.1
npm/@types/eslint@9.6.1
npm/escalade@3.2.0
npm/negotiator@1.0.0
npm/json-parse-even-better-errors@4.0.0
npm/proc-log@5.0.0
npm/@npmcli/agent@3.0.0
npm/promise-call-limit@3.0.2
npm/is-unicode-supported@2.1.0
npm/envinfo@7.14.0
gem/lint_roller@1.1.0
npm/@npmcli/node-gyp@4.0.0
npm/@npmcli/name-from-folder@3.0.0
npm/read-package-json-fast@4.0.0
npm/proggy@3.0.0
npm/package-json-from-dist@1.0.1
npm/@npmcli/fs@4.0.0
npm/@npmcli/installed-package-contents@3.0.0
npm/parse-conflict-json@4.0.0
npm/libnpmversion@7.0.0
npm/@npmcli/config@9.0.0
npm/@sigstore/core@2.0.0
npm/@tufjs/models@3.0.1
npm/picocolors@1.1.1
npm/@npmcli/metavuln-calculator@8.0.1
npm/@discoveryjs/json-ext@0.6.3
npm/@webassemblyjs/helper-numbers@1.13.2
npm/undici-types@6.21.0
npm/@npmcli/map-workspaces@4.0.2
npm/gopd@1.2.0
npm/call-bind@1.0.8
npm/es-define-property@1.0.1
npm/node-releases@2.0.19
npm/@jridgewell/gen-mapping@0.3.8
npm/safe-regex-test@1.1.0
npm/is-arguments@1.2.0
npm/dunder-proto@1.0.1
npm/is-typed-array@1.1.15
npm/math-intrinsics@1.1.0
npm/@webpack-cli/configtest@3.0.1
npm/@webpack-cli/info@3.0.1
npm/@webpack-cli/serve@3.0.1
npm/is-core-module@2.16.1
npm/es-module-lexer@1.6.0
npm/p-timeout@6.1.4
npm/is-generator-function@1.1.0
npm/get-proto@1.0.1
npm/import-from-esm@2.0.0
npm/browserslist@4.24.4
npm/es-object-atoms@1.1.1
npm/fdir@6.4.3
npm/fast-uri@3.0.6
npm/sigstore@3.1.0
npm/@sigstore/bundle@3.1.0
npm/@sigstore/sign@3.1.0
npm/exponential-backoff@3.1.2
npm/possible-typed-array-names@1.1.0
npm/for-each@0.3.5
npm/call-bind-apply-helpers@1.0.2
npm/@npmcli/git@6.0.3
npm/tinyglobby@0.2.12
npm/get-intrinsic@1.3.0
npm/foreground-child@3.3.1
npm/update-browserslist-db@1.1.3
npm/minipass-fetch@4.0.1
npm/find-up-simple@1.0.1
npm/call-bound@1.0.4
npm/@npmcli/run-script@9.1.0
npm/fast-content-type-parse@3.0.0
npm/which-typed-array@1.1.19
npm/@types/estree@1.0.7
gem/logger@1.7.0
npm/@npmcli/query@4.0.1
npm/caniuse-lite@1.0.30001713
npm/electron-to-chromium@1.5.136
npm/@sigstore/tuf@3.1.1
npm/@sigstore/verify@2.1.1
npm/@npmcli/redact@3.2.2
gem/language_server-protocol@3.17.0.5
npm/@npmcli/package-json@6.2.0
npm/index-to-position@1.2.0
gem/base64@0.3.0
npm/@sigstore/protobuf-specs@0.4.3
npm/brace-expansion@2.0.2
npm/@npmcli/arborist@8.0.1
npm/libnpmdiff@7.0.1
npm/libnpmexec@9.0.1
npm/libnpmfund@6.0.1
npm/libnpmpack@8.0.1
npm/tuf-js@3.1.0
npm/fdir@6.5.0
npm/yoctocolors@2.1.2
npm/@npmcli/promise-spawn@8.0.3
npm/import-meta-resolve@4.2.0
npm/tinyglobby@0.2.15
npm/chalk@5.6.2
gem/unicode-emoji@4.1.0
npm/pretty-ms@9.3.0
npm/clean-stack@5.3.0
npm/@octokit/openapi-types@26.0.0
npm/exponential-backoff@3.1.3
gem/prism@1.6.0
npm/@babel/helper-validator-identifier@7.28.5
npm/@octokit/openapi-types@27.0.0
npm/@octokit/graphql@9.0.3
npm/@octokit/core@7.0.6
npm/@octokit/plugin-retry@8.0.3
npm/@octokit/plugin-throttling@11.0.3
npm/make-asynchronous@1.0.1
npm/super-regex@1.1.0
gem/rubocop-ast@1.48.0
npm/ip-address@10.1.0
npm/js-yaml@4.1.1
npm/glob@10.5.0
gem/webrick@1.9.2
npm/postcss-selector-parser@7.1.1
gem/json@2.17.1
gem/rackup@2.3.1
npm/json-schema-traverse@1.0.0
npm/ms@2.1.3
npm/is-obj@2.0.0
npm/tapable@2.2.1
npm/emoji-regex@9.2.2
npm/pkg-dir@4.2.0
npm/iconv-lite@0.6.3
npm/is-plain-obj@4.1.0
npm/events@3.3.0
npm/path-key@4.0.0
npm/loader-runner@4.3.0
npm/path-browserify@1.0.1
npm/wordwrap@1.0.0
npm/promise-retry@2.0.1
npm/minimist@1.2.8
npm/err-code@2.0.3
npm/mkdirp@1.0.4
npm/mkdirp@3.0.1
npm/cliui@8.0.1
npm/cliui@7.0.4
npm/wrap-ansi@7.0.0
npm/wrap-ansi@8.1.0
npm/util@0.12.5
npm/resolve-cwd@3.0.0
npm/stream-browserify@3.0.0
npm/eslint-scope@5.1.1
npm/webpack-sources@3.2.3
npm/@improbable-eng/grpc-web@0.15.0
npm/@improbable-eng/grpc-web-node-http-transport@0.15.0
npm/smart-buffer@4.2.0
npm/source-map-support@0.5.21
npm/browser-resolve@2.0.0
npm/fs-minipass@3.0.3
npm/fs-minipass@2.1.0
npm/has-flag@4.0.0
npm/indent-string@5.0.0
npm/function-bind@1.1.2
npm/crypto-random-string@4.0.0
npm/supports-color@9.4.0
npm/supports-color@7.2.0
npm/supports-color@8.1.1
npm/mime-db@1.52.0
npm/mime-types@2.1.35
npm/unique-string@3.0.0
npm/ip-regex@5.0.0
npm/esrecurse@4.3.0
npm/neo-async@2.6.2
npm/graceful-fs@4.2.11
npm/graceful-fs@4.2.10
npm/lines-and-columns@1.2.4
npm/fast-deep-equal@3.1.3
npm/buffer@5.2.1
npm/signal-exit@3.0.7
npm/signal-exit@4.1.0
npm/onetime@5.1.2
npm/onetime@6.0.0
npm/semver-regex@4.0.5
npm/env-paths@2.2.1
npm/url-join@5.0.0
npm/config-chain@1.1.13
npm/jsbn@1.1.0
npm/dot-prop@5.3.0
npm/spdx-correct@3.2.0
npm/ajv-keywords@5.1.0
npm/lodash@4.17.21
npm/temp-dir@3.0.0
npm/tempy@3.1.0
npm/string-width@4.2.3
npm/string-width@5.1.2
npm/yargs-parser@21.1.1
npm/yargs-parser@20.2.9
npm/into-stream@7.0.0
npm/p-limit@2.3.0
npm/is-callable@1.2.7
npm/encoding@0.1.13
npm/cli-columns@4.0.0
npm/aggregate-error@5.0.0
npm/aggregate-error@3.1.0
npm/y18n@5.0.8
npm/interpret@3.1.1
npm/compare-func@2.0.0
npm/@semantic-release/error@3.0.0
npm/@semantic-release/error@4.0.0
npm/yargs@17.7.2
npm/yargs@16.2.0
npm/readable-stream@2.3.8
npm/readable-stream@3.6.2
npm/insert-module-globals@7.2.1
npm/module-deps@6.2.3
npm/universalify@2.0.1
npm/@types/normalize-package-data@2.4.4
npm/read-pkg@9.0.1
npm/cosmiconfig@9.0.0
npm/spdx-expression-parse@4.0.0
npm/spdx-expression-parse@3.0.1
npm/handlebars@4.7.8
npm/traverse@0.6.8
npm/p-filter@4.1.0
npm/serialize-javascript@6.0.2
npm/@semantic-release/git@10.0.1
npm/@types/google-protobuf@3.15.12
npm/@semantic-release/changelog@6.0.3
npm/meow@13.2.0
npm/spdx-exceptions@2.5.0
npm/http-proxy-agent@7.0.2
npm/is-stream@3.0.0
npm/is-stream@2.0.1
npm/is-stream@4.0.1
npm/figures@6.1.0
npm/binary-extensions@2.3.0
npm/get-stream@9.0.1
npm/get-stream@6.0.1
npm/get-stream@7.0.1
npm/get-stream@8.0.1
npm/find-versions@6.0.0
npm/chownr@2.0.0
npm/chownr@3.0.0
npm/yallist@5.0.0
npm/yallist@4.0.0
npm/conventional-commits-filter@5.0.0
npm/cli-table3@0.6.5
npm/braces@3.0.3
npm/fill-range@7.1.1
npm/minipass@3.3.6
npm/minipass@7.1.2
npm/minipass@5.0.0
npm/issue-parser@7.0.1
npm/git-log-parser@1.2.1
npm/lru-cache@10.4.3
npm/grpc-web@1.5.0
npm/ajv@8.17.1
npm/google-protobuf@3.21.4
npm/import-local@3.2.0
npm/watchpack@2.4.2
npm/micromatch@4.0.8
npm/npm-run-path@5.3.0
npm/npm-run-path@6.0.0
npm/uglify-js@3.19.3
npm/cmd-shim@7.0.0
npm/ini@1.3.8
npm/ini@5.0.0
npm/npm-normalize-package-bin@4.0.0
npm/ignore-walk@7.0.0
npm/npm-audit-report@6.0.0
gem/capybara@3.40.0
npm/npm-user-validate@3.0.0
npm/mute-stream@2.0.0
npm/npm-packlist@9.0.0
npm/promzard@2.0.0
npm/bin-links@5.0.0
npm/write-file-atomic@6.0.0
npm/read-cmd-shim@5.0.0
npm/unique-slug@5.0.0
npm/ssri@12.0.0
npm/unique-filename@4.0.0
npm/cacache@19.0.1
npm/npm-bundled@4.0.0
npm/npm-pick-manifest@10.0.0
npm/which@5.0.0
npm/npm-profile@11.0.1
npm/libnpmhook@11.0.0
npm/browserify@17.0.1
npm/libnpmaccess@9.0.0
npm/libnpmorg@7.0.0
npm/libnpmsearch@8.0.0
npm/libnpmteam@7.0.0
npm/npm-registry-fetch@18.0.2
npm/pacote@19.0.1
npm/pacote@20.0.0
npm/make-fetch-happen@14.0.3
npm/@webassemblyjs/floating-point-hex-parser@1.13.2
npm/@webassemblyjs/helper-api-error@1.13.2
npm/@webassemblyjs/helper-wasm-bytecode@1.13.2
npm/@webassemblyjs/ieee754@1.13.2
npm/@webassemblyjs/leb128@1.13.2
npm/@webassemblyjs/utf8@1.13.2
npm/@webassemblyjs/ast@1.14.1
npm/@webassemblyjs/helper-buffer@1.14.1
npm/@webassemblyjs/helper-wasm-section@1.14.1
npm/@webassemblyjs/wasm-edit@1.14.1
npm/@webassemblyjs/wasm-gen@1.14.1
npm/@webassemblyjs/wasm-opt@1.14.1
npm/@webassemblyjs/wasm-parser@1.14.1
npm/@webassemblyjs/wast-printer@1.14.1
npm/cross-spawn@7.0.6
npm/libnpmpublish@10.0.1
npm/has-symbols@1.1.0
npm/init-package-json@7.0.2
npm/node-emoji@2.2.0
npm/https-proxy-agent@7.0.6
npm/socks-proxy-agent@8.0.5
npm/schema-utils@4.3.0
npm/is-regex@1.2.1
npm/resolve@1.22.10
npm/webpack-cli@6.0.1
gem/pry@0.15.2
npm/@semantic-release/commit-analyzer@13.0.1
npm/nopt@8.1.0
npm/marked-terminal@7.3.0
npm/read@4.1.0
npm/supports-hyperlinks@3.2.0
npm/import-fresh@3.3.1
npm/enhanced-resolve@5.18.1
npm/npm-package-arg@12.0.2
npm/registry-auth-token@5.1.0
npm/terser@5.39.0
npm/is-cidr@5.1.1
npm/cidr-regex@4.1.3
npm/acorn@8.14.1
npm/terser-webpack-plugin@5.3.14
gem/byebug@12.0.0
gem/pry-byebug@3.11.0
npm/human-signals@2.1.0
npm/human-signals@5.0.0
npm/human-signals@8.0.1
npm/webpack@5.99.5
npm/parse-json@8.3.0
npm/parse-json@5.2.0
npm/abbrev@3.0.1
npm/hosted-git-info@8.1.0
npm/hosted-git-info@7.0.2
gem/parallel@1.27.0
npm/@babel/code-frame@7.27.1
npm/type-fest@4.41.0
npm/type-fest@2.19.0
npm/type-fest@1.4.0
npm/http-cache-semantics@4.2.0
npm/http-cache-semantics@4.1.1
npm/@semantic-release/exec@7.1.0
gem/diff-lcs@1.6.2
npm/universal-user-agent@7.0.3
npm/before-after-hook@4.0.0
gem/rack-cors@3.0.0
npm/marked@15.0.12
npm/@octokit/auth-token@6.0.0
gem/rspec-expectations@3.13.5
gem/matrix@0.4.3
npm/@semantic-release/npm@12.0.2
npm/agent-base@7.1.4
npm/agent-base@7.1.3
npm/conventional-changelog-writer@8.2.0
npm/aproba@2.1.0
npm/picomatch@2.3.1
npm/picomatch@4.0.3
npm/picomatch@4.0.2
gem/simplecov-html@0.13.2
npm/validate-npm-package-name@6.0.2
npm/normalize-package-data@6.0.2
npm/normalize-package-data@7.0.1
npm/spdx-license-ids@3.0.22
npm/socks@2.8.7
npm/socks@2.8.4
npm/jsonfile@6.2.0
npm/npm-install-checks@7.1.2
npm/env-ci@11.2.0
npm/@semantic-release/release-notes-generator@14.1.0
gem/hashdiff@1.2.1
npm/ansi-regex@5.0.1
npm/ansi-regex@6.2.2
npm/ansi-regex@6.1.0
npm/ansi-styles@4.3.0
npm/ansi-styles@6.2.3
npm/ansi-styles@6.2.1
npm/strip-ansi@6.0.1
npm/strip-ansi@7.1.2
npm/strip-ansi@7.1.0
gem/unicode-display_width@3.2.0
npm/normalize-url@8.1.0
npm/hook-std@4.0.0
gem/rexml@3.4.4
npm/@semantic-release/github@11.0.6
npm/mime@4.1.0
npm/debug@4.4.3
npm/debug@4.4.0
gem/nokogiri@1.18.10
gem/regexp_parser@2.11.3
npm/semver-diff@5.0.0
npm/error-ex@1.3.4
npm/fs-extra@11.3.2
gem/rspec-support@3.13.6
npm/semantic-release@24.2.9
npm/minizlib@2.1.2
npm/minizlib@3.1.0
npm/minizlib@3.0.2
npm/npm@10.9.4
npm/typescript@5.9.3
npm/ci-info@4.3.1
npm/semver@7.7.3
npm/semver@7.7.1
gem/googleapis-common-protos-types@1.22.0
gem/bigdecimal@3.3.1
npm/node-gyp@11.5.0
npm/node-gyp@11.2.0
gem/rspec-core@3.13.6
npm/@octokit/plugin-paginate-rest@13.2.1
npm/conventional-changelog-angular@8.1.0
npm/conventional-commits-parser@6.2.1
gem/rspec@3.13.2
gem/crack@1.0.1
gem/grpc@1.76.0
gem/parser@3.3.10.0
gem/rake@13.3.1
gem/webmock@3.26.1
npm/tar@7.5.2
npm/tar@6.2.1
npm/tar@7.4.3
npm/@octokit/types@15.0.2
npm/@octokit/types@16.0.0
npm/@octokit/endpoint@11.0.2
gem/rubocop@1.81.7
gem/rspec-mocks@3.13.7
gem/rack@3.2.4
gem/rubyzip@3.2.2
npm/ansi-escapes@7.2.0
npm/p-map@7.0.4
npm/p-map@7.0.3
gem/rubocop-rspec@3.8.0
npm/@octokit/request@10.0.7
npm/@octokit/request-error@7.1.0
gem/public_suffix@7.0.0
gem/addressable@2.8.8
npm/execa@5.1.1
npm/execa@9.6.1
npm/execa@8.0.1
gem/google-protobuf@4.33.2
gem/selenium-webdriver@4.39.0
npm/@types/node@22.19.2
npm/@types/node@22.14.0

View full report

mattbooks · 2025-12-09T23:49:32Z

@SocketSecurity ignore-all

Removed browser console log printing on test failure.

mattbooks · 2025-12-09T23:52:59Z

spec/integration/ruby_server_nodejs_client_spec.rb

-  let(:node_client) { File.expand_path('../node-client/dist/client.js', __dir__) }
+  let(:node_client_dir) { File.expand_path('../node-client', __dir__) }
  let(:node_cmd) do
+    # Use npm for dependency management (avoids yarn workspace detection issues)


I don't know if this is a bad idea. It's an AI fix for these specs.

mattbooks · 2025-12-09T23:56:57Z

Rakefile

+    '--plugin=protoc-gen-js=/usr/lib/node_modules/protoc-gen-js/bin/protoc-gen-js',
+    '--plugin=protoc-gen-grpc-web=/usr/local/bin/protoc-gen-grpc-web',
+    '--js_out=import_style=commonjs:/defs/pb-js-grpc-web',
+    '--grpc-web_out=import_style=commonjs,mode=grpcweb:/defs/pb-js-grpc-web',


One of the main fixes was updating how these are generated to use updated plugins

mattbooks · 2025-12-09T23:57:21Z

spec/support/capybara.rb

+require 'capybara/rspec'
+require 'selenium-webdriver'
+
+Capybara.register_driver :selenium_chrome_standalone do |app|


Some selenium wrangling was required to get the specs working

boostsecurity-io

🚀 1 New Security Fix

You just committed 1 security fix. 😎 Keep up the great work!

🎯 Take a look at what findings you fixed.

Findings

Dependency: rubygems / rack@ 3.1.13

SUMMARY

Direct Dependency: rack
Location : Gemfile.lock

OCCURRENCES

Vulnerability	Severity	CVSS	Contains Malware	Critical Risk	Description
CVE-2025-46727	Critical	7.5	no	no	This file introduces a vulnerable rack gem with a high severity vulnerability
CVE-2025-61770	Critical	7.5	no	no	This file introduces a vulnerable rack gem with a high severity vulnerability
CVE-2025-61771	Critical	7.5	no	no	This file introduces a vulnerable rack gem with a high severity vulnerability
CVE-2025-61772	Critical	7.5	no	no	This file introduces a vulnerable rack gem with a high severity vulnerability
CVE-2025-61919	Critical	7.5	no	no	This file introduces a vulnerable rack gem with a high severity vulnerability

Remediation :

Please consider upgrading rack to a higher version to try to resolve this issue.

Scanner: boostsecurity - bundler-audit

dryrunsecurity · 2025-12-10T18:38:10Z

This pull request includes insecure supply-chain practices: GitHub Actions use mutable tags (e.g., @v2, @v1) rather than pinned commit SHAs, the Dockerfile downloads protoc and protoc-gen-grpc-web without integrity checks, and it fetches and immediately executes a remote nodesource setup script with no verification. These issues increase risk of silent compromise of CI/build artifacts and should be mitigated by pinning actions and verifying all downloaded artifacts (checksums/GPG) before execution.

Insecure Supply Chain via Mutable GitHub Action Tags in .github/workflows/ci.yml

Vulnerability	Insecure Supply Chain via Mutable GitHub Action Tags
Description	The GitHub Actions workflow in `.github/workflows/ci.yml` uses mutable version tags (`@v2` and `@v1`) for `actions/checkout` and `ruby/setup-ruby` respectively. This practice introduces a supply chain risk because the code associated with these tags can be updated by the action maintainers at any time. If an action's repository is compromised, malicious code could be injected into the CI/CD pipeline without any changes being visible in the pull request, leading to potential compromise of the build process or deployed artifacts. The industry best practice for securing GitHub Actions is to pin actions to a specific, immutable commit SHA.

grpc-web-ruby/.github/workflows/ci.yml

Lines 16 to 20 in 3e9bea2

    
           - name: Checkout code 
        
             uses: actions/checkout@v2 
        
           - name: Set up Ruby 3.4 
        
             uses: ruby/setup-ruby@v1

Unpinned External Dependencies without Integrity Check in Dockerfile.protoc

Vulnerability	Unpinned External Dependencies without Integrity Check
Description	The `Dockerfile.protoc` downloads `protoc` and `protoc-gen-grpc-web` binaries from GitHub releases using `curl -OL` without any subsequent integrity verification (e.g., using `sha256sum`). This practice makes the build process vulnerable to supply chain attacks, where a compromised download source or a man-in-the-middle attack could inject malicious code into the downloaded binaries without detection. Secure development practices for Dockerfiles strongly recommend verifying the integrity of all downloaded external artifacts using checksums.

grpc-web-ruby/Dockerfile.protoc

Lines 18 to 26 in 3e9bea2

    
           RUN PROTOC_ZIP=protoc-28.0-linux-x86_64.zip \ 
        
             && curl -OL https://github.com/protocolbuffers/protobuf/releases/download/v28.0/$PROTOC_ZIP \ 
        
             && unzip -o $PROTOC_ZIP -d /usr/local bin/protoc \ 
        
             && unzip -o $PROTOC_ZIP -d /usr/local 'include/*' \ 
        
             && rm -f $PROTOC_ZIP 
        
           # Install modern protoc-gen-grpc-web plugin (compatible with grpc-web 1.5.0+) 
        
           RUN GRPC_WEB_VERSION=1.5.0 \ 
        
             && curl -OL https://github.com/grpc/grpc-web/releases/download/${GRPC_WEB_VERSION}/protoc-gen-grpc-web-${GRPC_WEB_VERSION}-linux-x86_64 \

Insecure Script Execution (curl -o file && bash file) in Dockerfile.protoc

Vulnerability	Insecure Script Execution (curl -o file && bash file)
Description	The `Dockerfile.protoc` downloads a shell script (`nodesource_setup.sh`) from a remote URL and executes it immediately using `bash` without any integrity verification (e.g., checksum or GPG signature). This pattern is inherently insecure because if the remote source (`deb.nodesource.com`) were compromised, an attacker could inject malicious code into the script, leading to arbitrary code execution within the build environment. This could compromise the build process, inject backdoors, or exfiltrate sensitive information.

grpc-web-ruby/Dockerfile.protoc

Lines 11 to 12 in 3e9bea2

    
           RUN curl -fsSL https://deb.nodesource.com/setup_22.x -o nodesource_setup.sh \ 
        
             && bash nodesource_setup.sh \

All finding details can be found in the DryRun Security Dashboard.

joemsak

Looking good so far!

I'm looking into that change in spec/integration/ruby_server_nodejs_client_spec.rb in the meantime

.rubocop.yml

Co-authored-by: Joe Sak <joe@joesak.com>

joemsak · 2025-12-10T20:34:06Z

@mattbooks what do you think of this? #97 I asked my agent to assess that questionable change in spec/integration/ruby_server_nodejs_client_spec.rb XD

* Update .gitignore to allow tracking .yarnrc.yml files Change .yarn* to .yarn/ and .pnp.* to be more specific. This allows .yarnrc.yml configuration files to be tracked. * Add .yarnrc.yml files for yarn workspace isolation Add standalone .yarnrc.yml to spec/node-client/ so Yarn 4 treats it as an independent project rather than detecting it as a workspace member of the root project. * Remove npm install workaround from node client test With yarn workspace isolation fixed, we no longer need to run npm install on every test run. The test now just executes the pre-built node client directly. - Remove npm install command from test - Delete package-lock.json (use yarn consistently) - Update yarn.lock files * Trigger gh actions

mattbooks · 2025-12-10T21:10:53Z

@joemsak thanks — that fix is in line with what I felt was odd about it. merged it in

ngan and others added 23 commits December 9, 2025 12:01

Support Rack 3

34dae27

Ignore dev env stuff

de654f3

Update Ruby, Node, Yarn, deps, replace apparition with cuprite

c7bb29d

Remove docker container orphans on rake tasks

948cfad

Upgrade to latest envoy image

800682a

Update GH actions to use Ruby 3.4

2ca1de0

Remove frozen bundle line, not working in ruby 3.4

f02ebb8

Remove --remove-orphans flag

bdea892

Remove 'chromium'; not needed with chrome service

21aca61

Update rubocop syntax

ce7bee7

Lint

cc32774

WIP trying to upgrade protobuf, grpc, protoc, et al

15d6d3b

Use customized protoc image to upgrade protoc and the generators

050b195

Update envoy config

168df3b

Put the apparition code back

8dbc3d8

Rename workflow file, remove rspec

57d2538

Try manual rake cmd

33a5b8d

Okay, rspec is needed in CI

f4dd659

Separate on lines

6a4c9cf

Clean up rakefile

fa06b2b

Replace apparition with selenium-webdriver, copied from gusto-sidekiq

a7e1cf4

Fix env value type in docker-compose

1e0356e

AI-assisted spec fixes

a5b0eaf

boostsecurity-io bot reviewed Dec 9, 2025

View reviewed changes

mattbooks added 2 commits December 9, 2025 15:17

Fix docker compose version in CI

3d5226b

Ignore cjs/mjs and undo test configs

c0cac9c

Remove console log printing for feature tests

d6dd73d

Removed browser console log printing on test failure.

mattbooks commented Dec 9, 2025

View reviewed changes

mattbooks added 3 commits December 10, 2025 09:34

Remove code for running specs without docker since that does not work

1744e59

Clean up rakefile

b82f7b4

Fix rake constraint and update dependencies for CI

df4b80b

mattbooks changed the title ~~Unpin rack mattbooks~~ Support Rack 3 (attempt #2) Dec 10, 2025

boostsecurity-io bot reviewed Dec 10, 2025

View reviewed changes

mattbooks marked this pull request as ready for review December 10, 2025 18:37

mattbooks requested review from a team December 10, 2025 19:19

joemsak reviewed Dec 10, 2025

View reviewed changes

.rubocop.yml Outdated Show resolved Hide resolved

Update .rubocop.yml

69349e2

Co-authored-by: Joe Sak <joe@joesak.com>

joemsak approved these changes Dec 10, 2025

View reviewed changes

mattbooks merged commit b8841be into master Dec 10, 2025
9 checks passed

mattbooks deleted the unpin-rack-mattbooks branch December 10, 2025 22:25

Support Rack 3 (attempt #2) #96

Support Rack 3 (attempt #2) #96

Uh oh!

Conversation

mattbooks commented Dec 9, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

What is this change doing?

Why is this change being made?

How did you test this change?

Uh oh!

boostsecurity-io bot left a comment

Choose a reason for hiding this comment

⚠️ 1 New Security Finding

Uh oh!

socket-security bot commented Dec 9, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

mattbooks commented Dec 9, 2025

Uh oh!

mattbooks Dec 9, 2025

Choose a reason for hiding this comment

Uh oh!

mattbooks Dec 9, 2025

Choose a reason for hiding this comment

Uh oh!

mattbooks Dec 9, 2025

Choose a reason for hiding this comment

Uh oh!

boostsecurity-io bot left a comment

Choose a reason for hiding this comment

🚀 1 New Security Fix

Uh oh!

dryrunsecurity bot commented Dec 10, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

joemsak left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

joemsak commented Dec 10, 2025

Uh oh!

mattbooks commented Dec 10, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

mattbooks commented Dec 9, 2025 •

edited

Loading

socket-security bot commented Dec 9, 2025 •

edited

Loading

dryrunsecurity bot commented Dec 10, 2025 •

edited

Loading