From f26750622a131f8144eba8882a203c8b8d5df44e Mon Sep 17 00:00:00 2001
From: dadachi
Date: Fri, 3 Apr 2026 07:49:40 +0900
Subject: [PATCH 1/2] update pagy gem from 9.x to 43 and fix bundler-audit vulnerabilities
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- pagy 9.4.0 → 43.4.4: Pagy::Backend → Pagy::Method, removed cycle option
- rails 8.1.2 → 8.1.3: fixes activestorage CVE-2026-33658
- action_text-trix 2.1.17 → 2.1.18: fixes GHSA-53p3-c7vp-4mcc
- mcp updated: fixes CVE-2026-33946
- devise CVE-2026-32700: ignored (devise_token_auth pins devise < 5)

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 Gemfile | 2 +-
 Gemfile.lock | 142 +++++++++---------
 app/controllers/display/base_controller.rb | 2 +-
 .../display/item_tags_controller.rb | 4 +-
 config/bundler-audit.yml | 3 +-
 5 files changed, 78 insertions(+), 75 deletions(-)

diff --git a/Gemfile b/Gemfile
index cb1fd39..67ecc6e 100644
--- a/Gemfile
+++ b/Gemfile
@@ -50,7 +50,7 @@ gem "after_commit_everywhere", "~> 1.4"
 gem "config"
 gem "acts_as_tenant"
 gem "inline_svg", "~> 1.6"
-gem "pagy", "~> 9.0"
+gem "pagy", "~> 43"
 gem "seed-fu", "~> 2.3"
 gem "whenever", require: false
 gem "madmin", github: "excid3/madmin"
diff --git a/Gemfile.lock b/Gemfile.lock
index 9fd62d6..d5b38f2 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -15,31 +15,31 @@ GEM specs: aasm (5.5.2) concurrent-ruby (~> 1.0) - action_text-trix (2.1.17) + action_text-trix (2.1.18) railties - actioncable (8.1.2) - actionpack (= 8.1.2) - activesupport (= 8.1.2) + actioncable (8.1.3) + actionpack (= 8.1.3) + activesupport (= 8.1.3) nio4r (~> 2.0) websocket-driver (>= 0.6.1) zeitwerk (~> 2.6) - actionmailbox (8.1.2) - actionpack (= 8.1.2) - activejob (= 8.1.2) - activerecord (= 8.1.2) - activestorage (= 8.1.2) - activesupport (= 8.1.2) + actionmailbox (8.1.3) + actionpack (= 8.1.3) + activejob (= 8.1.3) + activerecord (= 8.1.3) + activestorage (= 8.1.3) + activesupport (= 8.1.3) mail (>= 2.8.0) - actionmailer (8.1.2) - actionpack (= 8.1.2) - actionview (= 8.1.2) - activejob (= 8.1.2) - activesupport (= 8.1.2) + actionmailer (8.1.3) + actionpack (= 8.1.3) + actionview (= 8.1.3) + activejob (= 8.1.3) + activesupport (= 8.1.3) mail (>= 2.8.0) rails-dom-testing (~> 2.2) - actionpack (8.1.2) - actionview (= 8.1.2) - activesupport (= 8.1.2) + actionpack (8.1.3) + actionview (= 8.1.3) + activesupport (= 8.1.3) nokogiri (>= 1.8.5) rack (>= 2.2.4) rack-session (>= 1.0.1) 
@@ -47,36 +47,36 @@ GEM rails-dom-testing (~> 2.2) rails-html-sanitizer (~> 1.6) useragent (~> 0.16) - actiontext (8.1.2) + actiontext (8.1.3) action_text-trix (~> 2.1.15) - actionpack (= 8.1.2) - activerecord (= 8.1.2) - activestorage (= 8.1.2) - activesupport (= 8.1.2) + actionpack (= 8.1.3) + activerecord (= 8.1.3) + activestorage (= 8.1.3) + activesupport (= 8.1.3) globalid (>= 0.6.0) nokogiri (>= 1.8.5) - actionview (8.1.2) - activesupport (= 8.1.2) + actionview (8.1.3) + activesupport (= 8.1.3) builder (~> 3.1) erubi (~> 1.11) rails-dom-testing (~> 2.2) rails-html-sanitizer (~> 1.6) - activejob (8.1.2) - activesupport (= 8.1.2) + activejob (8.1.3) + activesupport (= 8.1.3) globalid (>= 0.3.6) - activemodel (8.1.2) - activesupport (= 8.1.2) - activerecord (8.1.2) - activemodel (= 8.1.2) - activesupport (= 8.1.2) + activemodel (8.1.3) + activesupport (= 8.1.3) + activerecord (8.1.3) + activemodel (= 8.1.3) + activesupport (= 8.1.3) timeout (>= 0.4.0) - activestorage (8.1.2) - actionpack (= 8.1.2) - activejob (= 8.1.2) - activerecord (= 8.1.2) - activesupport (= 8.1.2) + activestorage (8.1.3) + actionpack (= 8.1.3) + activejob (= 8.1.3) + activerecord (= 8.1.3) + activesupport (= 8.1.3) marcel (~> 1.0) - activesupport (8.1.2) + activesupport (8.1.3) base64 bigdecimal concurrent-ruby (~> 1.0, >= 1.3.1) @@ -106,7 +106,7 @@ GEM erubi (~> 1.4) parser (>= 2.4) smart_properties - bigdecimal (4.0.1) + bigdecimal (4.1.0) bindex (0.8.1) bootsnap (1.23.0) msgpack (~> 1.2) @@ -203,7 +203,7 @@ GEM jbuilder (2.14.1) actionview (>= 7.0.0) activesupport (>= 7.0.0) - json (2.19.0) + json (2.19.3) json-schema (6.2.0) addressable (~> 2.8) bigdecimal (>= 3.1, < 5) @@ -212,7 +212,7 @@ GEM language_server-protocol (3.17.0.5) lint_roller (1.1.0) logger (1.7.0) - loofah (2.25.0) + loofah (2.25.1) crass (~> 1.0.2) nokogiri (>= 1.12.0) mail (2.9.0) 
@@ -227,13 +227,13 @@ GEM turbo-rails marcel (1.1.0) matrix (0.4.3) - mcp (0.8.0) + mcp (0.10.0) json-schema (>= 4.1) mini_magick (5.3.1) logger mini_mime (1.1.5) mini_portile2 (2.8.9) - minitest (6.0.2) + minitest (6.0.3) drb (~> 2.0) prism (~> 1.5) minitest-mock (5.27.0) @@ -260,18 +260,18 @@ GEM net-smtp (0.5.1) net-protocol nio4r (2.7.5) - nokogiri (1.19.1) + nokogiri (1.19.2) mini_portile2 (~> 2.8.2) racc (~> 1.4) - nokogiri (1.19.1-aarch64-linux-gnu) + nokogiri (1.19.2-aarch64-linux-gnu) racc (~> 1.4) - nokogiri (1.19.1-arm-linux-gnu) + nokogiri (1.19.2-arm-linux-gnu) racc (~> 1.4) - nokogiri (1.19.1-arm64-darwin) + nokogiri (1.19.2-arm64-darwin) racc (~> 1.4) - nokogiri (1.19.1-x86_64-darwin) + nokogiri (1.19.2-x86_64-darwin) racc (~> 1.4) - nokogiri (1.19.1-x86_64-linux-gnu) + nokogiri (1.19.2-x86_64-linux-gnu) racc (~> 1.4) orm_adapter (0.5.0) ostruct (0.6.3) @@ -279,7 +279,10 @@ GEM childprocess (>= 0.6.3, < 6) iniparse (~> 1.4) rexml (>= 3.3.9) - pagy (9.4.0) + pagy (43.4.4) + json + uri + yaml parallel (1.27.0) parser (3.3.10.2) ast (~> 2.4.1) @@ -307,7 +310,7 @@ GEM activesupport (>= 3.0.0) raabro (1.4.0) racc (1.8.1) - rack (3.2.5) + rack (3.2.6) rack-attack (6.8.0) rack (>= 1.0, < 4) rack-session (2.1.1) @@ -317,20 +320,20 @@ GEM rack (>= 1.3) rackup (2.3.1) rack (>= 3) - rails (8.1.2) - actioncable (= 8.1.2) - actionmailbox (= 8.1.2) - actionmailer (= 8.1.2) - actionpack (= 8.1.2) - actiontext (= 8.1.2) - actionview (= 8.1.2) - activejob (= 8.1.2) - activemodel (= 8.1.2) - activerecord (= 8.1.2) - activestorage (= 8.1.2) - activesupport (= 8.1.2) + rails (8.1.3) + actioncable (= 8.1.3) + actionmailbox (= 8.1.3) + actionmailer (= 8.1.3) + actionpack (= 8.1.3) + actiontext (= 8.1.3) + actionview (= 8.1.3) + activejob (= 8.1.3) + activemodel (= 8.1.3) + activerecord (= 8.1.3) + activestorage (= 8.1.3) + activesupport (= 8.1.3) bundler (>= 1.15.0) - railties (= 8.1.2) + railties (= 8.1.3) rails-dom-testing (2.3.0) activesupport (>= 5.0.0) minitest 
@@ -338,9 +341,9 @@ GEM
 rails-html-sanitizer (1.7.0)
 loofah (~> 2.25)
 nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
- railties (8.1.2)
- actionpack (= 8.1.2)
- activesupport (= 8.1.2)
+ railties (8.1.3)
+ actionpack (= 8.1.3)
+ activesupport (= 8.1.3)
 irb (~> 1.13)
 rackup (>= 1.0.0)
 rake (>= 12.2)
@@ -436,7 +439,7 @@ GEM
 tailwindcss-ruby (3.4.19-x86_64-darwin)
 tailwindcss-ruby (3.4.19-x86_64-linux)
 thor (1.5.0)
- timeout (0.6.0)
+ timeout (0.6.1)
 tsort (0.2.0)
 turbo-rails (2.0.23)
 actionpack (>= 7.1.0)
@@ -470,6 +473,7 @@ GEM
 chronic (>= 0.6.3)
 xpath (3.2.0)
 nokogiri (~> 1.8)
+ yaml (0.4.0)
 zeitwerk (2.7.5)
 PLATFORMS
@@ -504,7 +508,7 @@ DEPENDENCIES
 mission_control-jobs
 nokogiri (>= 1.12.5)
 overcommit
- pagy (~> 9.0)
+ pagy (~> 43)
 pg
 propshaft (~> 1.0)
 puma (~> 7.0)
diff --git a/app/controllers/display/base_controller.rb b/app/controllers/display/base_controller.rb
index 9446261..229adf0 100644
--- a/app/controllers/display/base_controller.rb
+++ b/app/controllers/display/base_controller.rb
@@ -1,5 +1,5 @@
 module Display
 class BaseController < NonApiApplicationController
- include Pagy::Backend
+ include Pagy::Method
 end
 end
diff --git a/app/controllers/display/item_tags_controller.rb b/app/controllers/display/item_tags_controller.rb
index 32bc5f3..2cf1761 100644
--- a/app/controllers/display/item_tags_controller.rb
+++ b/app/controllers/display/item_tags_controller.rb
@@ -4,11 +4,9 @@ class Display::ItemTagsController < Display::BaseController
 def completings
 items_count = 9
- # Use pagy method because pagy_countless method causes Pagy::OverflowError.
 @pagy, @completed_item_tags = pagy(
 @shop.item_tags.completed.sorted,
- limit: items_count,
- cycle: true
+ limit: items_count
 )
 @type = params[:type]
diff --git a/config/bundler-audit.yml b/config/bundler-audit.yml
index e74b3af..2c0d8cb 100644
--- a/config/bundler-audit.yml
+++ b/config/bundler-audit.yml
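Review bot: Dropping `cycle: true` from the `pagy` call in item_tags_controller.rb changes this display's paging behaviour and nothing in the hunk replaces it: in Pagy 9 that option made `@pagy.next` wrap from the last page back to the first, so whatever renders the next-page navigation for this screen will now stop at the last page (or receive `nil`) instead of cycling. If the rotating behaviour is still wanted, compute the wrap explicitly where the link is built, e.g. `@pagy.next || 1`, and state the intended behaviour in the commit message rather than only "removed cycle option". The deleted comment was the only record of why `pagy` rather than `pagy_countless` is used here — the countless variant raised `Pagy::OverflowError`, presumably for an out-of-range, client-controlled `page` value — so if that reason still holds, keep it, e.g. `# pagy, not pagy_countless: countless raises Pagy::OverflowError on an out-of-range page`. Since overflow handling may also differ across this Pagy major, confirm that a request with an overflowing `page` parameter still yields a 4xx or a clamped page rather than a 500. `completings` continues outside the hunk.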
@@ -2,4 +2,5 @@
 # CVEs that are not relevant to the application can be enumerated on the ignore list below.
 ignore:
- - CVE-THAT-DOES-NOT-APPLY
+ # devise 5.0.3+ fixes this, but devise_token_auth ~> 1.2 pins devise < 5
+ - CVE-2026-32700
From feca04173acedb0d1ba3fc1b2a5cbe6278cc465d Mon Sep 17 00:00:00 2001
From: dadachi
Date: Fri, 3 Apr 2026 07:53:36 +0900
Subject: [PATCH 2/2] fix bcrypt CVE-2026-33306: update to 3.1.22

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 Gemfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index d5b38f2..c466afe 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -98,7 +98,7 @@ GEM
 activesupport
 ast (2.4.3)
 base64 (0.3.0)
- bcrypt (3.1.21)
+ bcrypt (3.1.22)
 better_html (2.2.0)
 actionview (>= 7.0)
 activesupport (>= 7.0)
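Review bot: The new ignore entry does not fit the file's own rule stated on the context line above it — that line says the list holds CVEs that are not relevant to the application, while the comment added with `CVE-2026-32700` gives a different reason, that the fixed devise cannot be installed because devise_token_auth pins it below 5, which is an accepted risk rather than an inapplicable finding. Record which it is: note whether the affected devise code path is reachable in this app and what mitigates it if so, and add a trigger for lifting the suppression, e.g. `# accepted risk, not N/A: <reachability note>; remove once devise_token_auth allows devise >= 5`. bundler-audit ignore entries have no expiry, so without such a trigger the finding stays hidden from every future audit run; the commit subject's "fix bundler-audit vulnerabilities" also reads as if this one had been fixed.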