Bump puma 6.6.0 -> 7.2.1 past Snyk High advisories #46
Merged
…VE-2026-47736

Both advisories are in puma's PROXY protocol v1 parser. We don't enable set_remote_address proxy_protocol: :v1, so we aren't directly exploitable, but the bump clears the Snyk scan.

Fixes:
- User Impersonation via PROXY v1 spoofing on persistent connections: CVE-2026-47737 / GHSA-2vqw-3mp8-cgmx / SNYK-RUBY-PUMA-17220028
- Allocation of Resources Without Limits or Throttling (memory exhaustion via PROXY v1 parser, missing CRLF): CVE-2026-47736 / GHSA-qpgp-93vx-g8v8 / SNYK-RUBY-PUMA-17219754

Both fixed in puma 7.2.1 (and 8.0.2 on the 8.x line). Pinned to ~> 7.2, >= 7.2.1 to take the minimum-churn line; deferred the puma 8.x bump.

Notable puma 7.0 breaking changes audited against this repo:
- on_worker_boot -> before_worker_boot rename: we don't use hooks (workers 0)
- HTTP_VERSION no longer set for Rack > 3.1: not referenced
- ruby_engine removed from Runner: not referenced
- Default bind 0.0.0.0 -> :: (IPv6): we set port/bind explicitly
- preload_app! default in clustered: workers 0, single mode

Verified: bundle exec rspec -> 512 examples, 0 failures. Smoke boot under test env returns HTTP 200 on /.
Summary
Bumps puma from 6.6.0 to 7.2.1 to clear two Snyk High advisories that cannot be auto-PR'd. Both are in puma's PROXY protocol v1 parser, only exploitable when the server is configured with set_remote_address proxy_protocol: :v1. We don't enable that, so we aren't directly exploitable, but the bump clears the scan.

Advisories resolved
Both are also fixed in 8.0.2 on the 8.x line. Pinned to ~> 7.2, >= 7.2.1 to minimize churn; the 8.x bump is deferred.

Version delta (6.6.0 -> 7.2.1)
Notable changes across the range:
- rack.after_reply chain error handling, better HttpParserError messages
- rack.response_finished, custom logger
- after_worker_shutdown hook, restores faster keepalive inline pipelining
- workers :auto, stats-only control server mode

Puma 7.0 breaking-change audit against this repo
- Hook rename (on_worker_boot -> before_worker_boot): workers 0, no hooks defined
- HTTP_VERSION no longer set for Rack > 3.1: not referenced
- ruby_engine removed from Runner: not referenced
- Default bind 0.0.0.0 -> :: (IPv6): port/bind set explicitly
- preload_app! default in clustered mode: not applicable (workers 0)
- Ruby requirement: Gemfile has ruby '~> 3.2'
- puma.rb config keys still supported: log_requests, workers, threads, raise_exception_on_sigterm, force_shutdown_after, port, bind, stdout_redirect

Verification
- bundle exec rspec: 512 examples, 0 failures (matches the post-"Fix XSS escaping flagged by Snyk Code #45" baseline)
- bundle exec puma -p 4567 -e test boots with Puma version: 7.2.1 ("On The Corner"); curl http://localhost:4567/ returns HTTP 200 (49583 bytes)

Scope
Only Gemfile + Gemfile.lock. Adjacent dependabot/Snyk findings (if any) are deferred to follow-ups.
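The description above argues exploitability by hand: the advisories are only reachable when set_remote_address proxy_protocol: :v1 is configured, and the fix is to resolve puma to 7.2.1 or later on 7.x (8.0.2 or later on 8.x). The script below is an added example, not code from this PR, the repo or puma: it encodes both checks so they can run in CI against a Gemfile.lock and a puma config. Gem::Requirement and Gem::Version are the real rubygems classes; the function names, the sample lockfile text and the sample puma.rb contents are constructed for illustration and are not the repo's files.

```ruby
require "rubygems"

# Same constraint the PR pins in the Gemfile: gem 'puma', '~> 7.2', '>= 7.2.1'
PUMA_PIN = Gem::Requirement.new("~> 7.2", ">= 7.2.1")

# Fixed versions as named on the page: 7.2.1 on the 7.x line, 8.0.2 on 8.x.
# Anything outside these two ranges is reported as unpatched (conservative).
PATCHED_RANGES = [
  Gem::Requirement.new(">= 7.2.1", "< 8.0"),
  Gem::Requirement.new(">= 8.0.2", "< 9.0")
].freeze

# Resolved puma version from a Gemfile.lock. In the GEM/specs block a gem's own
# line is indented 4 spaces; its dependencies are indented 6. Returns nil when
# puma is not in the lock.
def locked_puma_version(lockfile_text)
  v = lockfile_text[/^ {4}puma \((\d+(?:\.\d+)*)\)/, 1]
  v && Gem::Version.new(v)
end

def pin_satisfied?(lockfile_text)
  v = locked_puma_version(lockfile_text)
  !v.nil? && PUMA_PIN.satisfied_by?(v)
end

def patched_against_proxy_v1_advisories?(version)
  v = Gem::Version.new(version.to_s)
  PATCHED_RANGES.any? { |req| req.satisfied_by?(v) }
end

# True when a puma config turns on PROXY protocol v1 parsing. Line comments are
# stripped first so a commented-out directive does not count (a '#' inside a
# string literal would be stripped too; good enough for a config file).
def proxy_v1_enabled?(puma_config_text)
  puma_config_text.each_line.any? do |line|
    code = line.sub(/#.*/, "")
    code.match?(/\bset_remote_address\b.*\bproxy_protocol:\s*:v1\b/)
  end
end

# The advisories are reachable only when the vulnerable parser is enabled AND
# the resolved version predates the fix; report both inputs and the verdict.
def assess(lockfile_text, puma_config_text)
  version  = locked_puma_version(lockfile_text)
  patched  = !version.nil? && patched_against_proxy_v1_advisories?(version)
  proxy_v1 = proxy_v1_enabled?(puma_config_text)
  {
    version: version && version.to_s,
    pin_satisfied: pin_satisfied?(lockfile_text),
    patched: patched,
    proxy_v1_enabled: proxy_v1,
    exposed: proxy_v1 && !patched
  }
end

# Constructed sample lockfile (not the repo's): resolves puma to 7.2.1.
LOCK_PATCHED = <<~'LOCK'
  GEM
    remote: https://rubygems.org/
    specs:
      nio4r (2.7.4)
      puma (7.2.1)
        nio4r (~> 2.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    puma (~> 7.2, >= 7.2.1)
LOCK

# Same lockfile as it would look before this PR (puma 6.6.0).
LOCK_OLD = LOCK_PATCHED.sub("puma (7.2.1)", "puma (6.6.0)")
                       .sub("puma (~> 7.2, >= 7.2.1)", "puma (~> 6.0)")

# Constructed puma.rb in the style the page lists (workers 0, single mode, no
# hooks); the PROXY v1 directive is present only as a comment.
CONFIG_REPO = <<~'RUBY'
  port ENV.fetch("PORT", 4567)
  workers 0
  threads 1, 5
  log_requests true
  force_shutdown_after 30
  # set_remote_address proxy_protocol: :v1   (commented out: not enabled)
RUBY

# The weak variant: the one setting that makes the PROXY v1 parser reachable.
CONFIG_WEAK = CONFIG_REPO + "set_remote_address proxy_protocol: :v1\n"

if __FILE__ == $PROGRAM_NAME
  [["old lock + PROXY v1 enabled", LOCK_OLD, CONFIG_WEAK],
   ["patched lock + repo-style config", LOCK_PATCHED, CONFIG_REPO]].each do |label, lock, cfg|
    puts "#{label}: #{assess(lock, cfg)}"
  end
end
```

Run it with the real files by passing File.read("Gemfile.lock") and File.read("config/puma.rb") to assess; a result with exposed: true is the only combination the advisories actually affect, while pin_satisfied: false on its own just means the Gemfile constraint from this PR has not landed in the lock.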