
fix(deps): Bump faraday to 1.10.6 #6371

Merged
alwx merged 4 commits into main from alwx/fix/faraday-cve-2026-54297 on Jun 29, 2026

Conversation

@alwx commented Jun 29, 2026

Contributor

📢 Type of change

  • Bugfix
  • New feature
  • Enhancement
  • Refactoring

📜 Description

Bumps faraday from 1.10.5 to 1.10.6 in performance-tests/Gemfile.lock and in samples/react-native-macos/Gemfile.lock

#skip-changelog

💡 Motivation and Context

Addresses Dependabot alerts.

💚 How did you test it?

Lockfile-only change. CI runs the performance-tests bundle install/use; no functional behavior in this SDK changes.

📝 Checklist

  • I added tests to verify changes
  • No new PII added or SDK only sends newly added PII if sendDefaultPII is enabled
  • I updated the docs if needed.
  • I updated the wizard if needed.
  • All tests passing
  • No breaking changes

🔮 Next steps

@github-actions Bot commented Jun 29, 2026

Contributor

Semver Impact of This PR

None (no version bump detected)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


This PR will not appear in the changelog.


🤖 This preview updates automatically when you update the PR.

@alwx commented Jun 29, 2026

Contributor Author

Also folding in Dependabot alert #579 — same advisory (GHSA-98m9-hrrm-r99r / CVE-2026-54297), different lockfile: samples/react-native-macos/Gemfile.lock was also pinned to faraday 1.10.5. Bumped to 1.10.6 in 027d07b.
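The second lockfile was only found after the PR was opened. An added check, written for this page and not part of the PR or the repository, that audits every Gemfile.lock under a tree for a faraday pin still below the fixed releases the commit messages name (1.10.6 on the 1.x line, 2.14.3 on the 2.x line). The lockfile excerpts embedded below are constructed samples, not copies of the repository's files; a major line outside the table (0.x, 3.x) is reported as unknown rather than assumed safe.

```ruby
# Added example (not the PR's code): audit Gemfile.lock files for a faraday
# pin that is still below the fixed release on its major line.
require "rubygems"

# Fixed releases as stated in the PR's commit messages.
FARADAY_FIXED_IN = {
  1 => Gem::Version.new("1.10.6"),
  2 => Gem::Version.new("2.14.3"),
}.freeze

# Returns the Gem::Version of the faraday pin in a lockfile, or nil when
# faraday is not a spec there. Specs sit at 4-space indentation with an exact
# version; dependency lines such as "      faraday-net_http (~> 1.0)" sit at
# 6 spaces with a constraint, so they do not match.
def pinned_faraday(lock_text)
  m = lock_text.match(/^    faraday \((\d[^)\s]*)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# :vulnerable, :fixed, or :unknown (major line not covered by the table).
def classify(version)
  fixed = FARADAY_FIXED_IN[version.segments.first]
  return :unknown unless fixed
  version < fixed ? :vulnerable : :fixed
end

# Takes { path => lockfile text } and returns { path => [version, status] }
# for every lockfile that pins faraday; lockfiles without faraday are skipped.
def audit_texts(lockfiles)
  lockfiles.each_with_object({}) do |(path, text), report|
    v = pinned_faraday(text)
    report[path] = [v.to_s, classify(v)] if v
  end
end

# Filesystem entry point: every Gemfile.lock below `root`.
def audit_dir(root)
  paths = Dir.glob(File.join(root, "**", "Gemfile.lock"))
  audit_texts(paths.to_h { |p| [p, File.read(p)] })
end

# Constructed lockfile excerpts for the demonstration (not from the repo).
SAMPLE_LOCKS = {
  "performance-tests/Gemfile.lock" => <<~LOCK,
    GEM
      remote: https://rubygems.org/
      specs:
        faraday (1.10.5)
          faraday-net_http (~> 1.0)
        faraday-net_http (1.0.1)
  LOCK
  "samples/react-native-macos/Gemfile.lock" => <<~LOCK,
    GEM
      remote: https://rubygems.org/
      specs:
        faraday (1.10.6)
          faraday-net_http (~> 1.0)
        faraday-net_http (1.0.1)
  LOCK
  "tools/Gemfile.lock" => <<~LOCK,
    GEM
      remote: https://rubygems.org/
      specs:
        rake (13.0.6)
  LOCK
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Run against the constructed samples; use audit_dir(".") on a real checkout.
  audit_texts(SAMPLE_LOCKS).each do |path, (version, status)|
    puts "#{status}\t#{version}\t#{path}"
  end
end
```

Run `audit_dir(".")` from the repository root to cover every lockfile, including the ones under samples/ that a single Dependabot alert will not point at.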

alwx added 2 commits June 29, 2026 11:26
Addresses GHSA-98m9-hrrm-r99r (CVE-2026-54297): uncontrolled recursion in Faraday::NestedParamsEncoder allowing a stack-exhaustion DoS via deeply nested query parameters.

The fix is shipped in faraday 1.10.6 (backport) and 2.14.3. Bumps the locked version in performance-tests/Gemfile.lock from 1.10.5 to 1.10.6; the gem stays on the 1.x line to remain compatible with fastlane 2.228.0 and faraday-* 1.x sub-gems.

Same advisory as the previous commit (GHSA-98m9-hrrm-r99r / CVE-2026-54297): uncontrolled recursion in Faraday::NestedParamsEncoder allowing stack-exhaustion DoS via deeply nested query parameters.

Addresses Dependabot alert #579. Lockfile bump only; stays on the 1.x line for compatibility with the pinned faraday-* companion gems and fastlane.
alwx force-pushed the alwx/fix/faraday-cve-2026-54297 branch from 027d07b to 901343a, June 29, 2026 09:26
alwx changed the title from "fix(deps): Bump faraday to 1.10.6 in performance-tests" to "fix(deps): Bump faraday to 1.10.6", Jun 29, 2026
getsentry deleted a comment from github-actions Bot, Jun 29, 2026
alwx marked this pull request as ready for review, June 29, 2026 09:28
@github-actions Bot commented Jun 29, 2026

Contributor
Fails
🚫 Pull request is not ready for merge, please add the "ready-to-merge" label to the pull request

Generated by 🚫 dangerJS against 8160ee7

alwx enabled auto-merge (squash), June 29, 2026 09:53
alwx merged commit a858ac3 into main, Jun 29, 2026
49 of 62 checks passed
alwx deleted the alwx/fix/faraday-cve-2026-54297 branch, June 29, 2026 09:54