From bca2120c441096f85a63b163dbbcdf727f80be33 Mon Sep 17 00:00:00 2001
From: Micaherb
Date: Tue, 2 Jun 2026 13:21:34 -0400
Subject: [PATCH 1/2] Bump Rails to 7.2.3.1 for Active Support / Action View security advisories

Clears all 5 open Dependabot alerts on this fork:

Rails (activesupport / actionview / actionpack / activerecord / activejob / activemodel / railties) 7.1.5.2 -> 7.2.3.1
- GHSA-pj4j-9f6q-rh9c (medium): Active Support DoS in number helpers
- GHSA-7q67-mfvx-9pg5 (medium): Active Support ReDoS in number_to_delimited
- GHSA-c8v4-25w4-c8cv (medium): Active Support SafeBuffer#% XSS
- GHSA-r7p8-r9hf-mqrm (low): Action View tag helpers XSS

rack-session 2.1.1 -> 2.1.2 (pulled in transitively by the new actionpack)
- GHSA-78j9-66rq-3p98 (critical): Rack::Session::Cookie secrets decrypt-failure fallback enables secretless session forgery and Marshal deserialization

The patches were only released on the 7.2.x line; no backport exists in 7.1.x.

Pins railties to ~> 7.2.3 (>= 7.2.3.1) in the Gemfile so future bundle updates can't regress below the patched floor. The gemspec keeps railties >= 7.1, so consumers of the gem are unaffected and the appraisal matrix (rails-7-1 / 7-2 / 8-0 / 8-1 / main) still resolves independently.
---
 Gemfile | 5 ++++
 Gemfile.lock | 65 +++++++++++++++++++++++++++++-----------------
 2 files changed, 41 insertions(+), 29 deletions(-)

diff --git a/Gemfile b/Gemfile
index 5f929b7b..09e4bb62 100644
--- a/Gemfile
+++ b/Gemfile
@@ -3,3 +3,8 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 # Specify your gem's dependencies in solid_queue.gemspec.
 gemspec
+
+# Security floor (Dependabot advisories on this fork):
+# Rails 7.2.3.1 patches activesupport (DoS/ReDoS/XSS) and actionview (XSS).
+# No backport exists in the 7.1.x line.
+gem "railties", "~> 7.2.3", ">= 7.2.3.1"
diff --git a/Gemfile.lock b/Gemfile.lock
index d2271ada..068c9b98 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
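Review bot: The new pin `gem "railties", "~> 7.2.3", ">= 7.2.3.1"` floors the Rails gems but not rack-session, even though the commit message lists the critical GHSA-78j9-66rq-3p98 in rack-session as one of the alerts this bump clears; the lockfile shows the new actionpack only requires `rack-session (>= 1.0.1)`, so 2.1.2 is held only by Gemfile.lock and a later `bundle update` could resolve below it. Adding `gem "rack-session", ">= 2.1.2"` next to the railties line, and naming it in the "Security floor" comment, would make the floor match the advisories the comment cites. Separately, `"~> 7.2.3"` also caps the fork's own Gemfile at < 7.3, which the security floor does not need; if that cap is intended only to keep this Gemfile on the 7.2 line, a short comment saying so would save the next reader from reading it as part of the fix.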
@@ -12,44 +12,46 @@ PATH GEM remote: https://rubygems.org/ specs: - actionpack (7.1.5.2) - actionview (= 7.1.5.2) - activesupport (= 7.1.5.2) + actionpack (7.2.3.1) + actionview (= 7.2.3.1) + activesupport (= 7.2.3.1) + cgi nokogiri (>= 1.8.5) racc - rack (>= 2.2.4) + rack (>= 2.2.4, < 3.3) rack-session (>= 1.0.1) rack-test (>= 0.6.3) rails-dom-testing (~> 2.2) rails-html-sanitizer (~> 1.6) - actionview (7.1.5.2) - activesupport (= 7.1.5.2) + useragent (~> 0.16) + actionview (7.2.3.1) + activesupport (= 7.2.3.1) builder (~> 3.1) + cgi erubi (~> 1.11) rails-dom-testing (~> 2.2) rails-html-sanitizer (~> 1.6) - activejob (7.1.5.2) - activesupport (= 7.1.5.2) + activejob (7.2.3.1) + activesupport (= 7.2.3.1) globalid (>= 0.3.6) - activemodel (7.1.5.2) - activesupport (= 7.1.5.2) - activerecord (7.1.5.2) - activemodel (= 7.1.5.2) - activesupport (= 7.1.5.2) + activemodel (7.2.3.1) + activesupport (= 7.2.3.1) + activerecord (7.2.3.1) + activemodel (= 7.2.3.1) + activesupport (= 7.2.3.1) timeout (>= 0.4.0) - activesupport (7.1.5.2) + activesupport (7.2.3.1) base64 benchmark (>= 0.3) bigdecimal - concurrent-ruby (~> 1.0, >= 1.0.2) + concurrent-ruby (~> 1.0, >= 1.3.1) connection_pool (>= 2.2.5) drb i18n (>= 1.6, < 2) logger (>= 1.4.2) - minitest (>= 5.1) - mutex_m + minitest (>= 5.1, < 6) securerandom (>= 0.3) - tzinfo (~> 2.0) + tzinfo (~> 2.0, >= 2.0.5) appraisal (2.5.0) bundler rake @@ -59,6 +61,7 @@ GEM benchmark (0.4.1) bigdecimal (3.3.1) builder (3.3.0) + cgi (0.5.1) concurrent-ruby (1.3.5) connection_pool (2.5.4) crass (1.0.6) @@ -84,13 +87,12 @@ GEM json (2.9.1) language_server-protocol (3.17.0.3) logger (1.6.2) - loofah (2.23.1) + loofah (2.25.1) crass (~> 1.0.2) nokogiri (>= 1.12.0) minitest (5.26.0) mocha (2.1.0) ruby2_keywords (>= 0.0.5) - mutex_m (0.3.0) mysql2 (0.5.6) nio4r (2.7.4) nokogiri (1.19.3-aarch64-linux-gnu) 
@@ -114,27 +116,29 @@ GEM raabro (1.4.0) racc (1.8.1) rack (3.2.6) - rack-session (2.1.1) + rack-session (2.1.2) base64 (>= 0.1.0) rack (>= 3.0.0) rack-test (2.2.0) rack (>= 1.3) - rackup (2.2.1) + rackup (2.3.1) rack (>= 3) - rails-dom-testing (2.2.0) + rails-dom-testing (2.3.0) activesupport (>= 5.0.0) minitest nokogiri (>= 1.6) - rails-html-sanitizer (1.6.2) - loofah (~> 2.21) + rails-html-sanitizer (1.7.0) + loofah (~> 2.25) nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0) - railties (7.1.5.2) - actionpack (= 7.1.5.2) - activesupport (= 7.1.5.2) - irb + railties (7.2.3.1) + actionpack (= 7.2.3.1) + activesupport (= 7.2.3.1) + cgi + irb (~> 1.13) rackup (>= 1.0.0) rake (>= 12.2) thor (~> 1.0, >= 1.2.2) + tsort (>= 0.2) zeitwerk (~> 2.6) rainbow (3.1.1) rake (13.2.1) @@ -181,11 +185,13 @@ GEM stringio (3.1.2) thor (1.3.2) timeout (0.4.3) + tsort (0.2.0) tzinfo (2.0.6) concurrent-ruby (~> 1.0) unicode-display_width (3.1.3) unicode-emoji (~> 4.0, >= 4.0.4) unicode-emoji (4.0.4) + useragent (0.16.11) zeitwerk (2.6.0) PLATFORMS @@ -206,6 +212,7 @@ DEPENDENCIES mysql2 pg puma (~> 7.0) + railties (~> 7.2.3, >= 7.2.3.1) rdoc rubocop-rails-omakase solid_queue!

From 65e833a8de285858456c5395ff11670ae5f4e342 Mon Sep 17 00:00:00 2001
From: Micaherb
Date: Tue, 2 Jun 2026 14:27:47 -0400
Subject: [PATCH 2/2] Re-trigger CI with refreshed PR merge ref