This repository was archived by the owner on Jun 26, 2026. It is now read-only.

RP-6332: Fix Dependabot alerts (json, addressable, ffi) #1

Open
ryanbond wants to merge 1 commit into master from RP-6332-dependabot-vuln-fixes

Conversation

@ryanbond

Member

Summary

Resolves four open high-severity Dependabot alerts on Gemfile.lock by upgrading the affected gems. Changes are confined to Gemfile and Gemfile.lock; the gem's public API is unchanged (no edits under lib/ and no .gemspec change).

Fixed

| Package | Old -> New | Severity | GHSA | Root-cause direct dep + mechanism |
|---|---|---|---|---|
| json | 2.1.0 -> 2.7.6 | high | GHSA-jphg-qwrw-7w9g | Direct runtime dep in clever-ruby.gemspec (json ">= 1.8", "< 3"). Bumped within the existing range via lockfile; no gemspec/API change. |
| addressable | 2.4.0 -> 2.9.0 | high | GHSA-h27x-rffw-24p4 | Transitive via webmock (dev/test). Added gem 'addressable', '>= 2.9.0' to the development/test group so bundler resolves the patched version. |
| addressable | 2.4.0 -> 2.9.0 | high | GHSA-jxhc-q857-3j6g | Same root cause as above; 2.9.0 also covers the earlier (<= 2.7.0) ReDoS advisory. |
| ffi | 1.9.18 -> 1.16.3 | high | GHSA-2gw2-8q9w-cw8p | Transitive via sys-uname/ethon (dev/test). Added gem 'ffi', '>= 1.9.24', '< 1.17' to the development/test group. The < 1.17 cap is required because ffi >= 1.17 requires Ruby >= 3.0 while this project targets Ruby 2.6; 1.16.3 is the highest patched version compatible with the toolchain. |

addressable 2.9.0 introduced public_suffix (5.1.1) as a new transitive dependency (reflected in the lockfile).

Not fixed / dead-end

None. All four open alerts are resolved.

Backward incompatibility

None. json stays within the gemspec's declared < 3 runtime range, so no consumer-visible change and no major bump. addressable and ffi are development/test-only transitive dependencies and are not part of the gem's published runtime surface.

Testing

  • Toolchain: Ruby 2.6.10, Bundler 1.x. Gems installed at locked versions into a local vendor/bundle (gitignored).
  • Spec suite (rspec, equivalent to rake spec): 2 examples, 0 failures.

    ..
    Finished in 0.08174 seconds (files took 1.99 seconds to load)
    2 examples, 0 failures

Note: a full bundle install cannot complete in the CI/sandbox environment because the unrelated dev gem autotest-fsevent (0.2.14) fails its native build on macOS Darwin 25 (Darwin 25 is not (yet) supported). This is a pre-existing environment limitation independent of these security changes (the unmodified baseline also fails to install, on the old ffi 1.9.18 native build). The four security-relevant gems plus all gems required to run the spec suite were installed at their locked versions and the suite passes.

🤖 Generated with Claude Code
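A regression check for the pins described in the table above, added here as an example and not part of this PR or the clever-ruby project: it parses the `specs:` section of a Gemfile.lock and reports any of the four gems that are missing or resolved outside the ranges the description gives (including the `< 1.17` ffi cap). The lockfile text and the helper names are constructed for illustration.

```ruby
# Added example, not project code. Uses only RubyGems' built-in
# Gem::Version / Gem::Requirement; the lockfile below is constructed.
require 'rubygems'

# Extracts "name (version)" pairs for the resolved specs in the specs: section
# of a Gemfile.lock. Dependency lines (indented deeper than four spaces) are
# skipped, so only the versions bundler actually locked are returned.
def lockfile_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if line =~ /^\S/ # next top-level section, e.g. PLATFORMS
    next unless in_specs
    if line =~ /^    (\S+) \(([^)]+)\)\s*$/ # exactly four spaces: a resolved spec
      versions[Regexp.last_match(1)] = Gem::Version.new(Regexp.last_match(2))
    end
  end
  versions
end

# Ranges taken from the PR description: minimum patched versions plus the
# upper bounds the gemspec (json < 3) and the Ruby 2.6 toolchain (ffi < 1.17) impose.
REQUIREMENTS = {
  'json'        => Gem::Requirement.new('>= 2.7.6', '< 3'),
  'addressable' => Gem::Requirement.new('>= 2.9.0'),
  'ffi'         => Gem::Requirement.new('>= 1.9.24', '< 1.17'),
}.freeze

# Returns the names of gems that are absent from the lockfile or locked to a
# version outside the required range; an empty array means all alerts are covered.
def unresolved_alerts(lock_text)
  versions = lockfile_versions(lock_text)
  REQUIREMENTS.reject { |name, req| versions[name] && req.satisfied_by?(versions[name]) }.keys
end

# Constructed lockfile excerpt mirroring the versions listed in the PR table.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.9.0)
        public_suffix (>= 2.0.2, < 6.0)
      ffi (1.16.3)
      json (2.7.6)
      public_suffix (5.1.1)

  PLATFORMS
    ruby
LOCK

puts "unresolved: #{unresolved_alerts(SAMPLE_LOCK).inspect}" if $PROGRAM_NAME == __FILE__
```

Point the script at the real Gemfile.lock (`unresolved_alerts(File.read('Gemfile.lock'))`) in CI to fail the build if a later `bundle update` drifts back below a patched version.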

Resolve four open high-severity Dependabot alerts by upgrading the
affected gems via Gemfile/Gemfile.lock only. No gem public API changes.

- json 2.1.0 -> 2.7.6 (GHSA-jphg-qwrw-7w9g): direct runtime dep declared
  in clever-ruby.gemspec as ">= 1.8, < 3"; bumped within range, no gemspec
  change required.
- addressable 2.4.0 -> 2.9.0 (GHSA-h27x-rffw-24p4, GHSA-jxhc-q857-3j6g):
  pulled transitively by webmock (dev/test); added a ">= 2.9.0" pin in the
  development/test group so bundler resolves the patched version.
- ffi 1.9.18 -> 1.16.3 (GHSA-2gw2-8q9w-cw8p): pulled transitively by
  sys-uname/ethon (dev/test); pinned ">= 1.9.24, < 1.17" in the
  development/test group (cap keeps Ruby 2.6 toolchain compatibility, since
  ffi >= 1.17 requires Ruby >= 3.0).

Spec suite (rspec) passes: 2 examples, 0 failures.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>