security: bump puma 6.6.0 -> 7.2.1 (GHSA-qpgp-93vx-g8v8)#393
Conversation
Fixes GHSA-qpgp-93vx-g8v8 (CVE-2026-47736): Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion. Vulnerable range: >= 5.5.0, < 7.2.1 First patched version: 7.2.1 Updated Gemfile constraint from ~> 6.6 to ~> 7.2 and regenerated Gemfile.lock via `bundle lock --update=puma`.
|
3PP Grackle Security ReviewAdvisories: GHSA-2vqw-3mp8-cgmx, CVE-2026-47737, GHSA-qpgp-93vx-g8v8, CVE-2026-47736 Security Review: PR #393 -- puma 6.6.0 -> 7.2.1Advisories Addressed
Severity: HIGH | Vulnerable range: >= 5.5.0, < 7.2.1 | Fix version: 7.2.1 Changes
Only 2 files changed, both dependency-related. No application code modified. Breaking Change Risk: LOWThis is a major version bump (6.x -> 7.x). Puma 7 removes some deprecated config options and changes defaults (thread counts, worker mode behavior). However:
CI Status
CI passes (heroku CI + SAST). Only the compliance gate is pending (expected for new PRs). RecommendationAPPROVE -- Low-risk lockfile-only change that resolves two HIGH-severity advisories. No custom Puma config exists to be broken by the major version bump, and CI confirms the app still builds and passes tests. skill-sig: |
Summary
Bumps puma from 6.6.0 to 7.2.1 to fix GHSA-qpgp-93vx-g8v8 (CVE-2026-47736).
Vulnerability: Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
Severity: HIGH
Vulnerable range: >= 5.5.0, < 7.2.1
Fix version: 7.2.1
Changes
Gemfileconstraint:~> 6.6->~> 7.2Gemfile.lockviabundle lock --update=pumaRisk Assessment
This is a major version bump (6.x -> 7.x). Puma 7 drops some deprecated configuration options and changes some defaults. Review the Puma 7 upgrade guide for breaking changes relevant to this application.
Verification
bundler-audit checkconfirms GHSA-qpgp-93vx-g8v8 is resolved