fix(deps): bump rack from 3.1.16 to 3.2.6 (7 CVEs)

[barretts]

3PP Grackle (automated dependency triage -- Frontend DX) -- babysit (AT run cc80d33f)

Summary

Fixes 7 HIGH severity 3PP vulnerabilities in rack (CVE-2025-61770, CVE-2025-61771, CVE-2025-61772, CVE-2025-61919, CVE-2026-22860, CVE-2025-61780, CVE-2026-25500).

All advisories are in Rack's multipart / URL-encoded body parsers, Rack::Directory, and Rack::Sendfile. They enable memory-exhaustion DoS, directory traversal, information disclosure, and stored XSS reachable on every HTTP request.

Production risk: Runtime. rack sits on every request path of the 12factor Sinatra app.

Strategy: upgrade

Changes

Gemfile.lock

Bumped rack from 3.1.16 to 3.2.6 via bundle update --conservative rack.

Why conservative upgrade (no Gemfile edit)? rack is not a direct dependency of this app -- it is pulled in transitively via sinatra (~> 4.1.0), rack-protection, rack-session, rack-ssl-enforcer, and rackup. Each of those constraints already admits rack >= 3.0.0, < 4, so the patched 3.2.6 satisfies every parent without any Gemfile change. --conservative minimizes unrelated lockfile churn.

test/smoke_test.rb

Added a minimal Rack::Test smoke suite (4 runs, 6 assertions) covering the homepage, a factor page, 404 handling, and an assertion that the loaded Rack.release matches the patched 3.2.6. This gives the security bump explicit regression coverage on the request path that the CVEs target.

Risk Classification

Classification	When to use	PR copy
Runtime	Vulnerable package reaches the production code path (any path from a dependencies entry)	"This vulnerability is reachable in production. Priority: HIGH."

This vulnerability is reachable in production. Priority: HIGH.

Vulnerabilities Fixed

CVE/GHSA	Package	Severity	Fixed Version
CVE-2025-61770	rack	HIGH	>= 3.2.6
CVE-2025-61771	rack	HIGH	>= 3.2.6
CVE-2025-61772	rack	HIGH	>= 3.2.6
CVE-2025-61919	rack	HIGH	>= 3.2.6
CVE-2026-22860	rack	HIGH	>= 3.2.6
CVE-2025-61780	rack	HIGH	>= 3.2.6
CVE-2026-25500	rack	HIGH	>= 3.2.6

Resolutions and overrides

None. The fix is a straight lockfile upgrade; no Gemfile pin, no bundler override, no vendored patch.

How to test

bundle install
bundle exec ruby test/smoke_test.rb

Expected: 4 runs, 6 assertions, 0 failures, 0 errors, 0 skips.

Affected Rack surface to exercise manually when reviewing:

• Multipart form uploads (CVE-2025-61770/61771/61772 -- parser DoS)
• URL-encoded POST bodies (CVE-2025-61919 -- parser DoS)
• Any Rack::Directory or Rack::Sendfile usage (CVE-2026-22860 traversal, CVE-2025-61780 disclosure, CVE-2026-25500 XSS)

This app does not mount Rack::Directory or Rack::Sendfile directly, so the practical risk reduction is concentrated in the multipart / URL-encoded parsers that every Sinatra request passes through.

Validation

Before/after comparison on the patched branch (ruby 3.3.5):

Check	Command	Exit code	Log
Syntax	ruby -c web.rb	0	.logs/babysit-rebody-validate-1777141792.log
Install	bundle install	0	.logs/babysit-rebody-validate-1777141792.log
Tests	bundle exec ruby test/smoke_test.rb	0 (4 runs, 6 assertions, 0 failures)	.logs/babysit-rebody-validate-1777141792.log

bundler-audit check (previously run on this branch) reports the rack CVEs resolved; the only residual advisories are rexml (tracked separately by PR #369) and a sinatra ReDoS that is not exploitable on the pinned Ruby 3.3.5.

Notes

• Dependency chain: 12factor app -> sinatra 4.1.x / rack-protection / rack-session / rack-ssl-enforcer / rackup -> rack.
• No Gemfile edit required; all parents already accept rack >= 3.0.0, < 4.
• No code changes in web.rb, views, or middleware stack.

---

_{skill-sig: 26cfcbaf · grackle-sig: cc80d33f · 3pp-skill canonical pipeline · 3pp-grackle babysit}