
erb: Update 4.0.2->4.0.3.1#167

Merged
Sharpie merged 1 commit intoOpenVoxProject:mainfrom
Sharpie:update-erb-4031
May 9, 2026
Merged

erb: Update 4.0.2->4.0.3.1#167
Sharpie merged 1 commit intoOpenVoxProject:mainfrom
Sharpie:update-erb-4031

Conversation

@Sharpie
Contributor

@Sharpie Sharpie commented May 8, 2026

This commit upgrades the default erb gem in Ruby 3.2.11 from the original version of 4.0.2 to 4.0.3.1. This release contains a fix for the following high-severity issue:

GHSA-q339-8rmv-2mhv

There will be no further releases to Ruby 3.2, thus this patch was assembled by checking out v3_2_11 of the ruby/ruby repository and using their tooling to sync commits:

./tool/sync_default_gems.rb -e erb c2861a81634ff7f236fcd1ec42498e7be0ec44dd...b6be29fd0e0f5089447d2f8d18140ae78258621d

This corresponds to the following changeset in the ruby/erb repository:

ruby/erb@v4.0.2...v4.0.3.1

CVE-2026-41316: https://nvd.nist.gov/vuln/detail/CVE-2026-41316

Checklist

I have:

  • read the CONTRIBUTING.md document
  • read and accepted the Developer Certificate of Origin document and added a Signed-off-by annotation to each of my commits
  • tested this code
  • included documentation (including possible behaviour changes)
  • documented the code
  • added or modified regression test(s)
  • added or modified unit test(s)

This commit upgrades the default erb gem in Ruby 3.2.11 from the
original version of 4.0.2 to 4.0.3.1. This release contains a fix
for the following high-severity issue:

  GHSA-q339-8rmv-2mhv

There will be no further releases to Ruby 3.2, thus this patch was
assembled by checking out v3_2_11 of the ruby/ruby repository and
using their tooling to sync commits:

    ./tool/sync_default_gems.rb -e erb c2861a81634ff7f236fcd1ec42498e7be0ec44dd...b6be29fd0e0f5089447d2f8d18140ae78258621d

This corresponds to the following changeset in the ruby/erb repository:

  ruby/erb@v4.0.2...v4.0.3.1

CVE-2026-41316: https://nvd.nist.gov/vuln/detail/CVE-2026-41316
Signed-off-by: Charlie Sharpsteen <charlie@overlookinfratech.com>
@Sharpie Sharpie force-pushed the update-erb-4031 branch from d21c4a5 to 8890a49 on May 8, 2026 20:10
@bastelfreak
Contributor

I like the idea of patching the gem instead of installing a second version of it. That always introduces weird side effects. Nice job!

@Sharpie
Contributor Author

Sharpie commented May 8, 2026

Installing a second version isn't a complete fix as security scanners will still report a CVE finding if they see the old .gemspec file.
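As an added illustration of the point about scanners and stale .gemspec files (example code written for this page, not code from the PR or from the OpenVox project): it models what a scanner reconstructs from the .gemspec files on disk as Gem::Specification objects, uses 4.0.3.1 from the PR text as the fix threshold, and shows that a side-by-side install still leaves the old 4.0.2 spec flagged while an in-place patch of the default gem does not. The spec_for, vulnerable_erb_versions and local_erb_report names, and the constructed spec lists, are assumptions for the example rather than anything the project ships.

```ruby
require 'rubygems'
require 'erb'

# Fix threshold taken from the PR description (4.0.3.1); an assumption of this
# example, not a value pulled from an advisory database.
ERB_FIXED_VERSION = Gem::Version.new('4.0.3.1')

# True when an erb version string is at or above the fixed release.
def erb_fixed?(version_string)
  Gem::Version.new(version_string) >= ERB_FIXED_VERSION
end

# Given Gem::Specification objects (what a scanner sees via the .gemspec files
# on disk), return the erb versions below the fix threshold. A non-empty
# result is exactly the finding a scanner would keep reporting.
def vulnerable_erb_versions(specs)
  specs.select { |s| s.name == 'erb' && !erb_fixed?(s.version.to_s) }
       .map { |s| s.version.to_s }
end

# Minimal constructed spec, standing in for a parsed .gemspec file.
def spec_for(name, version)
  Gem::Specification.new do |s|
    s.name = name
    s.version = version
    s.summary = 'constructed example spec'
    s.authors = ['example']
  end
end

# Scenario A (constructed): newer erb installed next to the old default gem,
# whose 4.0.2 gemspec is still on disk.
SIDE_BY_SIDE = [spec_for('erb', '4.0.2'), spec_for('erb', '4.0.3.1')].freeze

# Scenario B (constructed): default gem patched in place, as the PR does, so
# only one gemspec exists.
PATCHED_IN_PLACE = [spec_for('erb', '4.0.3.1')].freeze

# Live check of the running interpreter: what RubyGems knows from gemspecs
# versus the version ERB actually loaded. Fields are nil when the information
# is unavailable on this Ruby.
def local_erb_report
  specs = Gem::Specification.find_all_by_name('erb')
  loaded = defined?(ERB::VERSION) ? ERB::VERSION : nil
  {
    gemspec_versions: specs.map { |s| s.version.to_s },
    flagged_by_scanner: vulnerable_erb_versions(specs),
    loaded_version: loaded,
    loaded_fixed: loaded ? erb_fixed?(loaded) : nil
  }
end

if $PROGRAM_NAME == __FILE__
  puts "side by side flags:      #{vulnerable_erb_versions(SIDE_BY_SIDE).inspect}"
  puts "patched in place flags:  #{vulnerable_erb_versions(PATCHED_IN_PLACE).inspect}"
  puts "this interpreter:        #{local_erb_report.inspect}"
end
```

The two constructed scenarios are the point of the comment above: a second, newer erb gem changes what `require 'erb'` loads, but the scanner walks gemspecs, so the 4.0.2 entry stays in the report until the default gem itself is replaced. The live report shows the same two views for whatever Ruby runs the script.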

@Sharpie Sharpie merged commit 2c495a1 into OpenVoxProject:main May 9, 2026
105 checks passed
@Sharpie Sharpie deleted the update-erb-4031 branch May 9, 2026 14:53