Fix remaining Dependabot security alerts #2803

Merged
Lagoja merged 7 commits into main from mikeland73/fix-lint-issues
Mar 25, 2026

Conversation


@mikeland73 mikeland73 commented Mar 25, 2026

Summary

  • Rails example: Upgrade Rails 7.1.5 → 7.2.3, bringing rack 2.2.14 → 3.2.5 and nokogiri 1.18.9 → 1.19.2. Fixes Active Storage path traversal, Rack directory traversal/XSS, Active Support ReDoS/DoS/XSS, Action View XSS, and Active Storage glob injection/DoS/content type bypass.
  • Django example: Update sqlparse 0.5.0 → 0.5.3 (DoS fix for formatting list of tuples)
  • VS Code extension: Add flatted yarn resolution → 3.4.2 (prototype pollution via parse() fix)

Test plan

  • Verify go build ./... still passes (no Go changes, but confirmed)

🤖 Generated with Claude Code

- **Rails example**: Upgrade Rails 7.1.5 → 7.2.3, rack 2.2.14 → 3.2.5,
  nokogiri 1.18.9 → 1.19.2 (fixes Active Storage path traversal,
  Rack directory traversal, Active Support ReDoS/DoS/XSS, Action View
  XSS, and Active Storage glob injection/DoS/content type bypass)
- **Django example**: Update sqlparse 0.5.0 → 0.5.3 (DoS fix)
- **VS Code extension**: Add flatted resolution → 3.4.2 (prototype
  pollution fix)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@mikeland73 mikeland73 requested review from Lagoja and savil March 25, 2026 03:50
The regenerated Gemfile.lock had BUNDLED WITH 2.6.9 and RUBY VERSION
3.4.4, but the Nix devbox.json pins bundler@2.5 and ruby@3.3. Bundler
2.5.5 refuses to run when the lockfile requires ~> 2.6, causing the
stacks_rails_run_test CI job to fail.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
mikeland73 and others added 5 commits March 25, 2026 09:21
The Rails 7.2 upgrade broke CI because rack 3.x requires config
changes incompatible with the 7.1-era blog app. Instead, update
within the 7.1.x line:

- Rails 7.1.5.2 → 7.1.6 (latest security patches)
- Rack 2.2.14 → 2.2.22 (fixes CVE-2025-27610 directory traversal)
- Nokogiri 1.18.9 → 1.19.2
- Pin rack to ~> 2.2.15 to prevent accidental rack 3 resolution
- Match BUNDLED WITH (2.5.5) and RUBY VERSION (3.3.0) to Nix env

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
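The two commit messages above describe CI failing because a regenerated Gemfile.lock carried BUNDLED WITH 2.6.9 and RUBY VERSION 3.4.4 while devbox.json pins bundler@2.5 and ruby@3.3. The check below is an added example, not code from this PR or from the devbox project; the lockfile tail and the devbox.json contents are constructed samples, and the function names are my own.

```ruby
require "json"

# Constructed samples (not from the repository): the tail of a regenerated
# Gemfile.lock and the devbox.json package pins the commit messages describe.
SAMPLE_LOCKFILE = <<~LOCK
  RUBY VERSION
     ruby 3.4.4p1

  BUNDLED WITH
     2.6.9
LOCK
SAMPLE_DEVBOX = '{"packages": ["ruby@3.3", "bundler@2.5", "libyaml@0.2"]}'

# Pull the single-value sections (RUBY VERSION, BUNDLED WITH) out of a Gemfile.lock.
def lockfile_versions(text)
  found, current = {}, nil
  text.each_line do |line|
    if line =~ /\A(RUBY VERSION|BUNDLED WITH)\s*\z/
      current = $1
    elsif current && line =~ /\A\s+(?:ruby )?(\d+\.\d+\.\d+)/
      found[current], current = $1, nil
    end
  end
  found
end

# devbox.json lists packages as "name@version"; return {name => version}.
def devbox_pins(json_text)
  JSON.parse(json_text)["packages"].each_with_object({}) do |entry, pins|
    name, version = entry.split("@", 2)
    pins[name] = version if version
  end
end

# BUNDLED WITH x.y.z is read as the constraint "~> x.y" on the bundler that may load
# the lockfile (the rule that broke CI); ruby must agree on x.y. Empty list = pins agree.
def lockfile_mismatches(lock_text, devbox_json)
  lock, pins = lockfile_versions(lock_text), devbox_pins(devbox_json)
  bundled = Gem::Version.new(lock.fetch("BUNDLED WITH"))
  wanted = "~> #{bundled.segments[0]}.#{bundled.segments[1]}"
  problems = []
  unless Gem::Requirement.new(wanted).satisfied_by?(Gem::Version.new(pins.fetch("bundler")))
    problems << "BUNDLED WITH #{bundled} needs bundler #{wanted}, devbox pins bundler@#{pins['bundler']}"
  end
  unless lock.fetch("RUBY VERSION").start_with?("#{pins.fetch('ruby')}.")
    problems << "RUBY VERSION #{lock['RUBY VERSION']} vs devbox ruby@#{pins['ruby']}"
  end
  problems
end
```

Running it against the sample lockfile reports both mismatches; after the versions are aligned (2.5.5 / 3.3.0, as the fix commit does) it reports none.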
The Rails 7.2.3 upgrade pulls in psych 5.3.1 which requires yaml.h
headers to build its native extension. Adding libyaml with dev output
makes the headers available in the Devbox environment.
@Lagoja Lagoja merged commit 27a1502 into main Mar 25, 2026
24 checks passed
@Lagoja Lagoja deleted the mikeland73/fix-lint-issues branch March 25, 2026 18:46