
Update dependencies: erb 6.0.4, marcel 1.2.1 #2911

Merged
flavorjones merged 2 commits into main from update-deps-2026-05-31 on May 31, 2026

Conversation

@flavorjones
Member

@flavorjones flavorjones commented May 31, 2026

Summary

Routine dependency updates (2026-05-31). Each gem analyzed commit-by-commit; full unit suite green after each.

| Gem | From | To | Commits | Mitigations | Transitive |
| --- | --- | --- | --- | --- | --- |
| erb | 6.0.2 | 6.0.4 | 12 | 0 | 0 |
| marcel | 1.1.0 | 1.2.1 | 37 | 0 | 0 |
  • erb: range is mostly CI/dependabot noise. Lone runtime change (9d017be4, block def_method on marshal-loaded ERB) doesn't affect Fizzy.
  • marcel: transitive dep via ActiveStorage; public API unchanged. None of the changed MIME detections intersect Fizzy's accepted upload types. Also clears the frozen-string-literal warnings emitted by marcel 1.1.0.

Tests: 1506 runs, 5729 assertions, 0 failures after each upgrade.

Upgrade Plans

Full per-gem analysis in 37signals-hq upgrade-analysis/ and posted as PR comments below.

🤖 Assisted by Claude

Copilot AI review requested due to automatic review settings May 31, 2026 15:09
Contributor

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.


@flavorjones
Member Author

🤖 Upgrade Plan: erb v6.0.2..v6.0.4

Upgrade Plan: erb v6.0.2..v6.0.4 for fizzy

  • Date: 2026-05-31
  • Gem: erb
  • Range: v6.0.2..v6.0.4 (12 commits)
  • Target: fizzy

Summary

  • Total commits: 12
  • No impact: 11 (skipped at recon — CI workflow, gemspec packaging, version/NEWS bumps)
  • Analyzed, not affected: 1
  • Requires mitigation: 0

This is a low-risk patch upgrade. Of the 12 commits, 11 touch only CI workflows (.github/), gemspec packaging metadata, NEWS.md, or lib/erb/version.rb — none change runtime behavior. The single runtime change is a security-hardening guard on ERB#def_method that only affects ERB instances reconstructed via Marshal.load, a pattern Fizzy does not use.

Commits Requiring Mitigation

None.

Analyzed — No App Impact

9d017be4: Prohibit def_method on marshal-loaded ERB instances

Impact: unlikely impact

ERB#def_method now raises ArgumentError, "not initialized" unless @_init matches the instance singleton class. def_module and def_class delegate to def_method and are covered by the same guard. This blocks eval of arbitrary src on an ERB object created via Marshal.load (which bypasses initialize).

Searched and NOT matched in fizzy:

  • App ERB usage is limited to ERB::Util.html_escape (app/helpers/html_helper.rb:9), the ERB::Util mixin (app/models/event/description.rb:3, app/models/card/eventable/system_commenter.rb:2), and ERB.new(...).result (config/database.yml:9, config/storage.yml:9). None call def_method/def_module/def_class, and none marshal ERB instances.
  • Gem dependencies (173 lib/app dirs): no ERB#def_method/def_module/def_class calls. The parser and prism gems contain builder.def_method/def_class/def_module calls, but those operate on AST builder objects, not ERB instances — false positives.
  • No Marshal.load/Marshal.dump of ERB instances anywhere in app or dependencies.

The guard fires only for the pathological case of calling these methods on an uninitialized (marshal-loaded) ERB instance. Standard usage is unaffected.

| Commit | Summary | Impact Level |
| --- | --- | --- |
| 9d017be4 | Prohibit def_method on marshal-loaded ERB instances | unlikely impact |

No Impact (Skipped)

11 commits assessed as "no impact" during recon — not analyzed against the app:

| Commit | Summary |
| --- | --- |
| 677f418f | Bump step-security/harden-runner 2.14.1->2.15.0 (CI) |
| 4359937d | Fix a missing action tag (CI) |
| bf1ded95 | Use tag instead of branch for lewagon/wait-on-check-action (CI) |
| 2fd0a6b7 | Exclude test/.git/.github from published gem (gemspec packaging) |
| afc32b6d | Fix dependabot auto-merge using GH_TOKEN env var (CI) |
| 890d87f0 | Use github.token instead of missing secret (CI) |
| 26113660 | Bump lewagon/wait-on-check-action 1.5.0->1.6.0 (CI) |
| 98208023 | Bump actions/create-github-app-token 2->3 (CI) |
| 25a729a9 | Bump step-security/harden-runner 2.15.0->2.16.1 (CI) |
| 0ebc6aef | Bump rubygems/release-gem 1.1.2->1.2.0 (CI) |
| 9c8fa8a3 | Version 6.0.3 (NEWS.md + version.rb) |
| 4d2b45e1 | Version 6.0.4 (NEWS.md + version.rb) |

Recommendation

Safe to upgrade erb from v6.0.2 to v6.0.4 with no code changes. Run the standard test suite (bin/rails test) to confirm. No mitigations required.

Note on analysis method

This environment did not expose a subagent-dispatch tool (Task/Agent), so recon and app-impact analysis were performed inline rather than via parallel subagents. The commit range is small (12 commits, 1 runtime change), so direct analysis was tractable without exhausting context.
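To illustrate the guard described in the analysis above, here is an added toy model (not ERB's own code) of why a marshal-loaded object fails an initialize-set marker check: Marshal.load builds the object without calling initialize, and the marker references a singleton class, which Marshal refuses to serialize, so a payload cannot forge it. GuardedTemplate and its helper methods are hypothetical names, and the toy def_method returns the stored source instead of evaluating it.

```ruby
# Toy model of the guard in the erb analysis (added example, not ERB's code): a marker
# only initialize can set, checked before the compile-style method does anything.
class GuardedTemplate
  attr_reader :src
  def initialize(src)
    @src = src
    # A singleton class cannot be serialized by Marshal (TypeError), so a crafted
    # payload cannot carry a valid marker; only initialize can set it.
    @_init = self.class.singleton_class
  end

  def initialized?
    instance_variable_defined?(:@_init) && @_init.equal?(self.class.singleton_class)
  end

  # Stands in for ERB#def_method; the toy defines a method that returns the
  # source rather than evaluating it.
  def def_method(mod, name)
    raise ArgumentError, "not initialized" unless initialized?
    source = @src
    mod.define_method(name) { source }
    name
  end
end

# Marshal.load allocates the object without calling initialize, so an object built
# from an uninitialized instance (constructed here via allocate) has no marker.
def guard_blocks_marshal_loaded?
  bare = GuardedTemplate.allocate
  bare.instance_variable_set(:@src, "<%= 1 %>")
  Marshal.load(Marshal.dump(bare)).def_method(Module.new, :render)
  false
rescue ArgumentError => e
  e.message == "not initialized"
end

# The marker is undumpable, which is what makes it unforgeable through Marshal.
def marker_is_undumpable?
  Marshal.dump(GuardedTemplate.new("<%= 1 %>"))
  false
rescue TypeError
  true
end

def normal_usage_works? # ordinary construction is unaffected
  mod = Module.new
  GuardedTemplate.new("hello").def_method(mod, :render) == :render &&
    Object.new.extend(mod).render == "hello"
end
```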

@flavorjones flavorjones force-pushed the update-deps-2026-05-31 branch from 4c04a29 to e665d1d May 31, 2026 15:10
Copilot AI review requested due to automatic review settings May 31, 2026 15:17
Contributor

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.

@flavorjones flavorjones changed the title from "Upgrade erb to 6.0.4" to "Update dependencies: erb 6.0.4, marcel 1.2.1" May 31, 2026
@flavorjones
Member Author

🤖 Upgrade Plan: marcel v1.1.0..v1.2.1

Upgrade Plan: marcel v1.1.0..v1.2.1 for fizzy

  • Date: 2026-05-31
  • Gem: marcel
  • Range: v1.1.0..v1.2.1 (37 commits)
  • Target: fizzy

Summary

  • Total commits: 37
  • No impact: 32 (skipped at recon)
  • Analyzed, not affected: 5
  • Requires mitigation: 0

Marcel is a transitive dependency in fizzy, pulled in via ActiveStorage (marcel (~> 1.0)). Fizzy has no direct references to Marcel:: (confirmed: only Gemfile.lock mentions it). It is exercised indirectly: ActiveStorage calls Marcel::MimeType.for(io, name:, declared_type:), Marcel::Magic.new, Marcel::Magic.child?, and Marcel::Magic.by_extension when identifying/serving attachments.

Public API is unchanged across this range. The entire public surface (Marcel::MimeType.for/.extend, Marcel::Magic.new/.by_magic/.by_path/.by_extension/.child?/.add/.remove/.extend) is identical between v1.1.0 and v1.2.1. Marcel::Magic.remove already existed in v1.1.0 — it is not new.

The changes in this range are (a) MIME-type detection-table data updates and (b) a new internal regexp magic-match mechanism. MimeType.for always runs magic-byte detection first and prefers it over the declared type, so changed detection rules can alter the content type assigned to an upload. However, none of the changed detections intersect the content types fizzy actually accepts or references.

Fizzy's attachment surface (the only way marcel runs)

  • User::Avatar::ALLOWED_AVATAR_CONTENT_TYPES = %w[image/jpeg image/png image/gif image/webp] (app/models/user/avatar.rb:6) — magic for jpeg/png/gif/webp is unchanged in this range.
  • Card#image (app/models/card.rb:11), accept list image/png, image/jpeg, image/jpg, image/webp (app/views/cards/container/_image.html.erb:14) — unchanged magic.
  • Export#file, Account::Import#file, ZipFile all use an explicit content_type: "application/zip" (app/models/export.rb:5, app/models/zip_file.rb:38,51,79) — zip magic is unchanged.
  • Identity#avatar (app/models/identity.rb:12).

No fizzy code references text/html, image/svg, application/x-bzip2, audio/ogg, audio/mpeg, text/markdown, image/bmp, application/pkcs8, application/gpx+xml, or image/x-raw-sony as content-type strings (the content-type^= references in attachments.css/lexxy.css and account/seeder.rb are ActionText attachment HTML attributes, unrelated to marcel detection).

Conclusion: this upgrade is safe to apply with no code changes.

Commits Requiring Mitigation

None.

Analyzed — No App Impact

| Commit | Summary | Impact Level |
| --- | --- | --- |
| 5cba16fc | Improve HTML detection (add <html>, leading-whitespace/DOCTYPE variants; HTML magic → anchored regexp) | unlikely impact |
| 631b3281 | Improve SVG detection (narrow magic from offset 0..4096 to anchored offset 0) | unlikely impact |
| 61957fc0 | Stop mutating source IO encoding during magic-byte detection (use String#b buffer instead of binmode/set_encoding on caller IO) | unlikely impact |
| bc33f495 | Add regexp magic-match support; convert bzip2 (and internal dbf/matlab/aac) magic to Ruby Regexp; remove untested regex-string entries | unlikely impact |
| 65a6a56d | image/bmp magic refinement; add audio/mpeg (mp3) ID3 magic; remap markdown extensions text/x-web-markdown → text/markdown | unlikely impact |

Why none affect fizzy:

  • HTML / SVG detection changes (5cba16fc, 631b3281): change what resolves to text/html / image/svg+xml. Fizzy accepts neither — avatar and card-image allowlists are jpeg/png/gif/webp only. An SVG with a leading XML prolog will no longer detect as image/svg+xml (now requires literal <svg at byte 0), but this is moot for fizzy.
  • IO-encoding fix (61957fc0): strictly safer — marcel no longer calls binmode/set_encoding(BINARY) on the caller's IO. ActiveStorage passes a fresh identify/download chunk, so there is no observable change. No regression risk.
  • Regexp magic + bzip2 (bc33f495): new internal Magic.match_regex (private) matches Regexp patterns against the first 256 bytes; bzip2 now detected correctly and several never-matching regex-string entries (dbf, matlab, some aac) were removed. Fizzy does not accept bzip2/dbf/matlab/aac uploads.
  • bmp/mp3/markdown (65a6a56d): .md/.mkd/.markdown/.mdtext now map to text/markdown (was text/x-web-markdown); mp3 detects as audio/mpeg; bmp magic refined. None of these MIME strings or extensions are referenced by fizzy or appear in its upload allowlists.

No Impact (Skipped)

32 commits assessed as "no impact" during recon — not analyzed against the app. These are test fixtures, build/data-regeneration scripts (generate_tables.rb, tika.xml/custom.xml), version bumps (1.1.1, 1.2.0, 1.2.1), merge commits, and additive type/extension additions (pkcs8 9f11bea9/2b957616, Sony RAW b5a2f240/8fcf98f0, gpx 2410e570/8058fd5c, ogg/opus 8bf76906) for formats fizzy does not handle, plus whitespace/trailing-name table cleanups (9f9833c3, 5a3fbac1, 6ea009af, hprof) whose runtime data effect is already covered by the analyzed commits above.

Recommendation

Bump marcel from 1.1.0 to 1.2.1 in Gemfile.lock (bundle update marcel). No application code changes required. Standard test suite run (bin/rails test, including ActiveStorage attachment system tests) is sufficient verification; pay light attention to avatar/card-image upload tests, though no behavior change is expected for the accepted image types.
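A toy detector, added here as an example and not marcel's code, models two points from the analysis above: magic-byte detection runs before the declared type is consulted, and the SVG rule moved from a scan of bytes 0..4096 to an anchor at byte 0. It assumes the standard JPEG/PNG/GIF/WebP signatures, uses constructed samples, and simplifies marcel's fallback to just the declared type.

```ruby
# Toy magic-byte detector (added example, not marcel's code) modelling two points from
# the marcel analysis: magic detection runs before the declared type is consulted, and
# SVG magic moved from a scan of bytes 0..4096 to an anchor at byte 0.
MAGIC = [
  ["image/jpeg", /\A\xFF\xD8\xFF/n],
  ["image/png",  /\A\x89PNG\r\n\x1A\n/n],
  ["image/gif",  /\AGIF8[79]a/n],
  ["image/webp", /\ARIFF.{4}WEBP/mn],
].freeze

# Mirrors the allowlist quoted for User::Avatar in the analysis.
ALLOWED = %w[image/jpeg image/png image/gif image/webp].freeze

# svg_rule: :anchored (behaviour after 631b3281) or :scanned (behaviour before it).
# Falling back to declared_type when nothing matches is a simplification.
def detect(bytes, declared_type: nil, svg_rule: :anchored)
  head = bytes.b[0, 4096]
  MAGIC.each { |type, re| return type if head.match?(re) }
  svg_re = svg_rule == :anchored ? /\A<svg/n : /<svg/n
  return "image/svg+xml" if head.match?(svg_re)
  declared_type || "application/octet-stream"
end

# Allowlist decision driven by the detected type, not the client-declared one.
def accept_upload?(bytes, declared_type:)
  ALLOWED.include?(detect(bytes, declared_type: declared_type))
end

# Constructed samples.
JPEG_SAMPLE = "\xFF\xD8\xFF\xE0\x00\x10JFIF".b
PNG_SAMPLE = "\x89PNG\r\n\x1A\n".b
SVG_PLAIN = "<svg xmlns=\"http://www.w3.org/2000/svg\"/>".b
SVG_WITH_PROLOG = "<?xml version=\"1.0\"?>\n#{SVG_PLAIN}".b
```

Running detect on SVG_WITH_PROLOG with each svg_rule shows the behaviour change the analysis describes: the scanned rule reports image/svg+xml, the anchored rule does not.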

@flavorjones flavorjones force-pushed the update-deps-2026-05-31 branch from b771506 to 4f6d09c May 31, 2026 15:19
@flavorjones flavorjones merged commit 1416038 into main May 31, 2026
13 checks passed
@flavorjones flavorjones deleted the update-deps-2026-05-31 branch May 31, 2026 15:23