Skip to content

security: bump puma 6.6.0 -> 7.2.1 (GHSA-qpgp-93vx-g8v8)#393

Open
barretts wants to merge 1 commit into
mainfrom
3pp/GHSA-qpgp-93vx-g8v8
Open

security: bump puma 6.6.0 -> 7.2.1 (GHSA-qpgp-93vx-g8v8)#393
barretts wants to merge 1 commit into
mainfrom
3pp/GHSA-qpgp-93vx-g8v8

Conversation

@barretts

Copy link
Copy Markdown

Summary

Bumps puma from 6.6.0 to 7.2.1 to fix GHSA-qpgp-93vx-g8v8 (CVE-2026-47736).

Vulnerability: Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
Severity: HIGH
Vulnerable range: >= 5.5.0, < 7.2.1
Fix version: 7.2.1

Changes

  • Updated Gemfile constraint: ~> 6.6 -> ~> 7.2
  • Regenerated Gemfile.lock via bundle lock --update=puma

Risk Assessment

This is a major version bump (6.x -> 7.x). Puma 7 drops some deprecated configuration options and changes some defaults. Review the Puma 7 upgrade guide for breaking changes relevant to this application.

Verification

Fixes GHSA-qpgp-93vx-g8v8 (CVE-2026-47736): Puma PROXY Protocol v1
Parser Allows Remote Memory Exhaustion.

Vulnerable range: >= 5.5.0, < 7.2.1
First patched version: 7.2.1

Updated Gemfile constraint from ~> 6.6 to ~> 7.2 and regenerated
Gemfile.lock via `bundle lock --update=puma`.
@barretts

Copy link
Copy Markdown
Author

3PP Grackle (automated dependency triage -- Frontend DX)

3PP Grackle Security Review

Advisories: GHSA-2vqw-3mp8-cgmx, CVE-2026-47737, GHSA-qpgp-93vx-g8v8, CVE-2026-47736
Packages: puma

Security Review: PR #393 -- puma 6.6.0 -> 7.2.1

Advisories Addressed

Advisory CVE Description
GHSA-qpgp-93vx-g8v8 CVE-2026-47736 Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion
GHSA-2vqw-3mp8-cgmx CVE-2026-47737 (coalesced -- same PR resolves both)

Severity: HIGH | Vulnerable range: >= 5.5.0, < 7.2.1 | Fix version: 7.2.1

Changes

  • Gemfile: constraint ~> 6.6 changed to ~> 7.2
  • Gemfile.lock: puma 6.6.0 -> 7.2.1, nio4r 2.7.4 -> 2.7.5

Only 2 files changed, both dependency-related. No application code modified.

Breaking Change Risk: LOW

This is a major version bump (6.x -> 7.x). Puma 7 removes some deprecated config options and changes defaults (thread counts, worker mode behavior). However:

  1. No Puma configuration exists -- no config/puma.rb, no puma.rb, no Puma CLI flags in the Procfile.
  2. Puma is not the primary server -- the Procfile runs ruby web.rb -p $PORT (Sinatra's built-in launcher). The app also depends on thin.
  3. No PROXY protocol usage -- the vulnerable parser is not exercised unless PROXY protocol is explicitly enabled, but the fix is still warranted as a defense-in-depth measure.
  4. nio4r bump (2.7.4 -> 2.7.5) is a patch-level transitive update; no risk.

CI Status

Check Status
continuous-integration/heroku SUCCESS
SAST SUCCESS
salesforce-cla SUCCESS
heroku/compliance PENDING

CI passes (heroku CI + SAST). Only the compliance gate is pending (expected for new PRs).

Recommendation

APPROVE -- Low-risk lockfile-only change that resolves two HIGH-severity advisories. No custom Puma config exists to be broken by the major version bump, and CI confirms the app still builds and passes tests.


skill-sig: 26cfcbaf · grackle-sig: 5489b7c4 · 3pp-skill-sig: ad61853a · 3pp-skill canonical pipeline · 3pp-grackle scheduled remediation

@barretts
barretts marked this pull request as ready for review June 15, 2026 22:04
@barretts
barretts requested a review from a team as a code owner June 15, 2026 22:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant