From 6d01e664018a6bbc3a2ec9fa6a06206c19952cc9 Mon Sep 17 00:00:00 2001 From: Alexander Pantiukhov Date: Mon, 29 Jun 2026 11:22:43 +0200 Subject: [PATCH 1/2] fix(deps): Bump faraday to 1.10.6 in performance-tests Addresses GHSA-98m9-hrrm-r99r (CVE-2026-54297): uncontrolled recursion in Faraday::NestedParamsEncoder allowing a stack-exhaustion DoS via deeply nested query parameters. The fix is shipped in faraday 1.10.6 (backport) and 2.14.3. Bumps the locked version in performance-tests/Gemfile.lock from 1.10.5 to 1.10.6; the gem stays on the 1.x line to remain compatible with fastlane 2.228.0 and faraday-* 1.x sub-gems. --- performance-tests/Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/performance-tests/Gemfile.lock b/performance-tests/Gemfile.lock index 87f5d0cd49..2f045059ba 100644 --- a/performance-tests/Gemfile.lock +++ b/performance-tests/Gemfile.lock @@ -46,7 +46,7 @@ GEM dotenv (2.8.1) emoji_regex (3.2.3) excon (0.112.0) - faraday (1.10.5) + faraday (1.10.6) faraday-em_http (~> 1.0) faraday-em_synchrony (~> 1.0) faraday-excon (~> 1.1) From 901343aff95bf02988497a172e822510d46a2c81 Mon Sep 17 00:00:00 2001 From: Alexander Pantiukhov Date: Mon, 29 Jun 2026 11:25:53 +0200 Subject: [PATCH 2/2] fix(deps): Bump faraday to 1.10.6 in react-native-macos sample Same advisory as the previous commit (GHSA-98m9-hrrm-r99r / CVE-2026-54297): uncontrolled recursion in Faraday::NestedParamsEncoder allowing stack-exhaustion DoS via deeply nested query parameters. Addresses Dependabot alert #579. Lockfile bump only; stays on the 1.x line for compatibility with the pinned faraday-* companion gems and fastlane. --- samples/react-native-macos/Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/react-native-macos/Gemfile.lock b/samples/react-native-macos/Gemfile.lock index 5fd06911ef..5a8396ce81 100644 --- a/samples/react-native-macos/Gemfile.lock +++ b/samples/react-native-macos/Gemfile.lock 
@@ -102,7 +102,7 @@ GEM ethon (0.16.0) ffi (>= 1.15.0) excon (0.112.0) - faraday (1.10.5) + faraday (1.10.6) faraday-em_http (~> 1.0) faraday-em_synchrony (~> 1.0) faraday-excon (~> 1.1)
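Review bot: For the performance-tests/Gemfile.lock hunk (`- faraday (1.10.5)` / `+ faraday (1.10.6)`), only the resolved version line changes while the surrounding faraday-* sub-gem constraints stay as they were, which is what a patch-level bump should look like; but the hunk does not show the DEPENDENCIES or any CHECKSUMS section, so please confirm the lock was regenerated with bundler (for example `bundle lock --update faraday --conservative`) rather than edited by hand, so that any checksum entry and the dependency list recorded under faraday match what 1.10.6 actually declares, and that `bundle install` and `bundle check` pass against the result. This commit message also cites the advisory but, unlike the second commit, no Dependabot alert number; adding the alert reference for this lockfile, if one exists, keeps both fixes traceable to the same finding.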
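Review bot: The same applies to the samples/react-native-macos/Gemfile.lock hunk: because this is a lockfile-only change, nothing prevents a later `bundle update` from resolving faraday back below 1.10.6 if the sample's Gemfile or its fastlane constraint permits it. If faraday is a direct dependency in that Gemfile, consider adding a floor such as `gem "faraday", ">= 1.10.6", "< 2"` there; if it is only transitive, say so in the PR so reviewers know the floor is enforced only by Dependabot. Since both commits make the identical one-line change for the same advisory (GHSA-98m9-hrrm-r99r), squashing them into a single `fix(deps)` commit that lists both lockfiles and alert #579 would make the history easier to audit.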