From 1ca4d038499c18bd67513b36701f15b532b8c7bc Mon Sep 17 00:00:00 2001 From: Trevor Reiff Date: Tue, 26 May 2026 11:47:37 -0400 Subject: [PATCH] Bump rack to 3.2.6 and nokogiri to 1.19.3 for security advisories Clears the open high-severity Dependabot alerts on this fork: rack 3.2.3 -> 3.2.6 - CVE-2026-22860 (GHSA-mxw3-3hh2-x2mh): Rack::Directory traversal - CVE-2026-34785 (GHSA-h2jq-g4cq-5ppq): Rack::Static prefix matching exposes unintended files - CVE-2026-34827 (GHSA-v6x5-cg8r-vv6x): Multipart header parsing DoS via escape-heavy quoted params - CVE-2026-34230 (GHSA-v569-hp3g-36wr): Quadratic complexity in Rack::Utils.select_best_encoding - CVE-2026-34829 (GHSA-8vqr-qjwx-82mw): Multipart parsing without Content-Length allows unbounded uploads nokogiri 1.18.9 -> 1.19.3 - GHSA-c4rq-3m3g-8wgx (high): CSS selector tokenizer ReDoS - GHSA-v2fc-qm4h-8hqv (moderate): XSLT transform memory leak Conservative bundle update -- no other gems shifted. Co-Authored-By: Claude Opus 4.7 (1M context) --- Gemfile.lock | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 7c4662de..d2271ada 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -93,13 +93,13 @@ GEM mutex_m (0.3.0) mysql2 (0.5.6) nio4r (2.7.4) - nokogiri (1.18.9-aarch64-linux-gnu) + nokogiri (1.19.3-aarch64-linux-gnu) racc (~> 1.4) - nokogiri (1.18.9-arm64-darwin) + nokogiri (1.19.3-arm64-darwin) racc (~> 1.4) - nokogiri (1.18.9-x86_64-darwin) + nokogiri (1.19.3-x86_64-darwin) racc (~> 1.4) - nokogiri (1.18.9-x86_64-linux-gnu) + nokogiri (1.19.3-x86_64-linux-gnu) racc (~> 1.4) parallel (1.26.3) parser (3.3.6.0) @@ -113,7 +113,7 @@ GEM nio4r (~> 2.0) raabro (1.4.0) racc (1.8.1) - rack (3.2.3) + rack (3.2.6) rack-session (2.1.1) base64 (>= 0.1.0) rack (>= 3.0.0)
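Review bot: The nokogiri hunk only touches the four platform-native entries (aarch64-linux-gnu, arm64-darwin, x86_64-darwin, x86_64-linux-gnu); no plain `nokogiri (1.19.3)` ruby-platform entry and no `PLATFORMS` or `DEPENDENCIES` section appear in the diff, so please confirm the lockfile was regenerated with `bundle lock --update nokogiri` rather than edited by hand, and that `bundle install --frozen` (or `bundle check`) passes on a clean checkout. If the Gemfile carries a `~> 1.18` constraint on nokogiri, this lock would be inconsistent with it and bundler will refuse to use it; the Gemfile is not in the patch, so that cannot be verified here. Since the commit message cites GHSA-c4rq-3m3g-8wgx (CSS selector tokenizer ReDoS) and GHSA-v2fc-qm4h-8hqv (XSLT memory leak) as the reason for the bump, consider also adding a `nokogiri, ">= 1.19.3"` floor in the Gemfile so a later unconstrained `bundle update` cannot silently regress below the fixed version.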
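Review bot: The rack hunk bumps only `rack (3.2.3)` to `rack (3.2.6)`; the one dependent shown, `rack-session (2.1.1)` with `rack (>= 3.0.0)`, still resolves, but other rack consumers in the lockfile (rackup, actionpack, and so on) are outside the visible context, so double-check that none of them pins `< 3.2.6`. The advisories the message lists for this bump include multipart parsing limits (CVE-2026-34827 header parsing DoS, CVE-2026-34829 unbounded uploads without Content-Length) and `Rack::Static`/`Rack::Directory` path handling (CVE-2026-34785, CVE-2026-22860); hardening of that kind can tighten what the server accepts, so run the request and file-upload specs, and any routes served through `Rack::Static`, before merging rather than relying on the unit suite alone. As with nokogiri, a `rack, ">= 3.2.6"` floor in the Gemfile (not shown in this diff) would make the fix durable, and `bundle exec bundle-audit check --update` against the new lockfile would confirm the five advisories are actually cleared instead of taking the Dependabot state on trust.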