
Upgrade addressable to 2.9.0 #2815

Merged
flavorjones merged 2 commits into main from dep-addressable-2.9.0 on Apr 8, 2026

Conversation

@flavorjones (Member)

Summary

Upgrade addressable from 2.8.9 to 2.9.0 to address https://github.com/basecamp/fizzy/security/dependabot/61.

6 commits analyzed, 0 mitigations required, 0 transitive deps changed.

This is a security release fixing ReDoS vulnerabilities in Addressable::Template#match. Fizzy does not use Addressable::Template directly, and no gem dependencies use the affected operators. Safe, transparent upgrade.

Changes

  • Updated Gemfile.lock: addressable 2.8.9 → 2.9.0

Test plan

  • bin/rails test — 1481 tests, 0 failures

Copilot AI review requested due to automatic review settings, April 8, 2026 19:38

Copilot AI (Contributor) left a comment:

Copilot wasn't able to review any files in this pull request.

@flavorjones (Member, Author)

Upgrade Plan: addressable 2.8.9..2.9.0 for fizzy

  • Date: 2026-04-08
  • Gem: addressable
  • Range: 2.8.9..2.9.0 (6 commits)
  • Target: fizzy

Summary

  • Total commits: 6
  • No impact: 3 (skipped at recon)
  • Analyzed, not affected: 3
  • Requires mitigation: 0

This is a security-focused release that fixes ReDoS (Regular Expression Denial of Service) vulnerabilities in Addressable::Template#match. The fizzy app does not use Addressable::Template directly, and none of its gem dependencies use the affected Template#match functionality with the vulnerable operators. This upgrade is safe to apply with no application changes.

Commits Requiring Mitigation

None. No commits in this range affect the fizzy application.

Analyzed -- No App Impact

| Commit   | Summary                                                                                                   | Impact Level    |
|----------|-----------------------------------------------------------------------------------------------------------|-----------------|
| c87f768f | Fix ReDoS vulnerability in URI template matching (+/# operators with explode modifier)                     | unlikely impact |
| 0afcb0b9 | Improve regex quantifier from lazy to possessive for O(n) performance                                     | unlikely impact |
| 91915c1f | Fix additional vulnerable regex paths in Template#match (joiner strictness, multi-variable +/# expressions) | likely impact   |

Analysis details: Searched the fizzy app (app/, lib/, test/, config/, saas/) and all bundled gem dependencies for Addressable::Template usage. The fizzy app has zero direct references to any Addressable:: class. Among gem dependencies, only webmock references Addressable::Template, but it uses standard template matching (no +/# operators with explode modifiers). Other addressable-dependent gems (capybara, geared_pagination, launchy) only use Addressable::URI, not Addressable::Template.

No Impact (Skipped)

3 commits assessed as "no impact" during recon. Not analyzed against app.

| Commit   | Summary                                                  |
|----------|----------------------------------------------------------|
| 463a8196 | Regenerate gemspec on newer rubygems (metadata-only)     |
| a091e39f | Add adversarial ReDoS regression tests (test-only)       |
| 0c3e8589 | Version bump to 2.9.0 and changelog update               |

Security release fixing ReDoS vulnerabilities in Addressable::Template#match.
No application impact — fizzy does not use Addressable::Template directly.
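As an added example (not code from the fizzy PR or from the addressable gem), a small Ruby triage script in the spirit of the usage search described in the upgrade plan: it scans Ruby source text for Addressable::Template literals and flags the expressions the release notes single out, the + and # operators used with an explode modifier or with more than one variable. The literal-matching regex and the sample source lines are constructed assumptions; it runs offline with no gem installed.

```ruby
# Added triage helper (not part of the fizzy PR or the addressable gem).
# Scans Ruby source text for Addressable::Template literals and flags
# templates whose expressions use the reserved (+) or fragment (#)
# operators with an explode modifier (*) or more than one variable,
# the shapes the 2.9.0 release notes call out for Template#match.
# Static and offline: nothing here loads or executes the templates.

# Assumed literal shape: Addressable::Template.new("...") or ('...').
TEMPLATE_LITERAL = /Addressable::Template\.new\(\s*(['"])(.*?)\1\s*\)/
EXPRESSION       = /\{([+#.\/;?&]?)([^}]*)\}/   # {op varlist} per RFC 6570

# Returns one hash per template literal found in `source`:
# :template, :expressions (per-expression detail) and :risky, which is
# true when any +/# expression has an explode modifier or multiple vars.
def triage_templates(source)
  source.scan(TEMPLATE_LITERAL).map do |_quote, template|
    exprs = template.scan(EXPRESSION).map do |op, varlist|
      vars = varlist.split(",").map(&:strip)
      explode = vars.any? { |v| v.end_with?("*") }
      { operator: op, variables: vars, explode: explode,
        risky: %w[+ #].include?(op) && (explode || vars.size > 1) }
    end
    { template: template, expressions: exprs, risky: exprs.any? { |e| e[:risky] } }
  end
end

# Constructed sample "gem source", not taken from any real gem.
SAMPLE_SOURCE = <<~'RUBY'
  Addressable::Template.new("http://example.com/{path}/{id}")            # plain, fine
  Addressable::Template.new('http://example.com{+path*}')                 # + with explode
  Addressable::Template.new("http://example.com/page{#section,anchor}")  # multi-variable #
  Addressable::Template.new("http://example.com/{+rest}")                 # single + variable
RUBY

# Convenience: just the template strings that deserve a manual look.
def risky_templates(source = SAMPLE_SOURCE)
  triage_templates(source).select { |t| t[:risky] }.map { |t| t[:template] }
end

if __FILE__ == $PROGRAM_NAME
  triage_templates(SAMPLE_SOURCE).each do |t|
    puts "#{t[:risky] ? 'REVIEW' : 'ok    '} #{t[:template]}"
  end
end
```

Point it at the output of `bundle show --paths` (or the app's own directories) to reproduce the kind of search the upgrade plan describes; a hit only means the template merits a look, not that the calling code is exploitable.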
flavorjones force-pushed the dep-addressable-2.9.0 branch from e743332 to 7572054, April 8, 2026 19:42
flavorjones merged commit 8908ee4 into main, Apr 8, 2026
14 checks passed
flavorjones deleted the dep-addressable-2.9.0 branch, April 8, 2026 19:45
