build(deps): bump activestorage from 8.0.3 to 8.0.4.1 #995
dependabot[bot] wants to merge 1 commit into
Bumps [activestorage](https://github.com/rails/rails) from 8.0.3 to 8.0.4.1.
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activestorage/CHANGELOG.md)
- [Commits](rails/rails@v8.0.3...v8.0.4.1)

---
updated-dependencies:
- dependency-name: activestorage
  dependency-version: 8.0.4.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Up to standards ✅
Pull Request Overview
This PR updates activestorage from 8.0.3 to 8.0.4.1 to address critical security vulnerabilities, including path traversal and glob injection. While the implementation fulfills the stated requirement and Codacy reports the PR is up to standards, the update is currently unverified by new automated test cases.
Note that the quality analysis identified additional high-severity security vulnerabilities in net-imap and yard within the Gemfile.lock. Although these are outside the immediate scope of the ActiveStorage update, they present significant risks (command injection and path traversal) and should be addressed in a subsequent or expanded update.
2 comments outside of the diff
Gemfile.lock
line 155 🔴 HIGH RISK
Version 0.5.10 of net-imap is vulnerable to critical security issues (CVE-2026-42257, CVE-2026-42258) allowing command injection. Since you are already updating dependencies, upgrading this gem to 0.5.14 or 0.6.4 is strongly advised. Try running the following prompt in your IDE agent:
> Run `bundle update net-imap` to upgrade to version 0.5.14 or later to fix critical security vulnerabilities.
line 441 🔴 HIGH RISK
The yard gem (v0.9.37) has a high-severity path traversal vulnerability (CVE-2026-41493). It is recommended to update to version 0.9.42 or higher. Try running the following prompt in your IDE agent:
> Run `bundle update yard` to upgrade to version 0.9.42 or later to address CVE-2026-41493.
Test suggestions
- Verify that the application's dependency resolution is successful and the build completes without version conflicts.
- Verify that ActiveStorage DiskService functionality (upload/delete) remains stable with the new security constraints.
- Confirm that DirectUploadController still accepts legitimate uploads while applying the new metadata filters.
- Test file streaming to ensure single-range request limits do not break existing media playback or downloads.
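Added example (not code from this repository, Dependabot or Codacy): a Ruby check that parses a Gemfile.lock and flags activestorage, net-imap and yard when their locked versions fall outside the fixed ranges quoted in the review above. The advisory table is assembled from those comments, and the lockfile excerpts are constructed to mirror the versions named in this PR rather than taken from the real lockfile.

```ruby
require "rubygems"

# Fixed-version ranges as stated in the review comments above (constructed table,
# not shipped with this repository). A gem is flagged when its locked version
# satisfies none of its "fixed" requirement sets.
ADVISORIES = {
  "activestorage" => { note:  "path traversal / glob injection, fixed in 8.0.4.1",
                       fixed: [[">= 8.0.4.1"]] },
  "net-imap"      => { note:  "CVE-2026-42257, CVE-2026-42258 (command injection)",
                       fixed: [[">= 0.5.14", "< 0.6.0"], [">= 0.6.4"]] },
  "yard"          => { note:  "CVE-2026-41493 (path traversal)",
                       fixed: [[">= 0.9.42"]] },
}.freeze

# Parse the specs of a Gemfile.lock into { gem name => Gem::Version }.
# Top-level specs are indented four spaces, their dependencies six, so only
# four-space lines count; a "-<platform>" suffix is dropped before parsing.
def locked_versions(lockfile_text)
  lockfile_text.each_line.each_with_object({}) do |line, versions|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/) or next
    versions[m[1]] = Gem::Version.new(m[2].sub(/-.*\z/, ""))
  end
end

# True when the version lies inside at least one fixed range.
def patched?(version, fixed_sets)
  fixed_sets.any? { |reqs| Gem::Requirement.new(*reqs).satisfied_by?(version) }
end

# Returns [[name, version, note], ...] for every advisory-affected gem in the lockfile.
def vulnerable_gems(lockfile_text, advisories = ADVISORIES)
  locked_versions(lockfile_text).filter_map do |name, version|
    adv = advisories[name] or next
    [name, version.to_s, adv[:note]] unless patched?(version, adv[:fixed])
  end
end

# Constructed lockfile excerpts: the versions this PR starts from, and after the upgrades.
LOCK_BEFORE = <<~LOCK
  GEM
    specs:
      activestorage (8.0.3)
        actionpack (= 8.0.3)
      net-imap (0.5.10)
      nokogiri (1.16.0-x86_64-linux)
      yard (0.9.37)
LOCK
LOCK_AFTER = LOCK_BEFORE.sub("8.0.3)", "8.0.4.1)").sub("0.5.10", "0.5.14").sub("0.9.37", "0.9.42")
vulnerable_gems(LOCK_BEFORE).each { |name, ver, note| puts "#{name} #{ver}: #{note}" }
```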
Bumps activestorage from 8.0.3 to 8.0.4.1.
Release notes
Sourced from activestorage's releases.
... (truncated)
Commits
- a79efed Preparing for 8.0.4.1 release
- ac7979b Update changelog
- 955284d Prevent glob injection in ActiveStorage DiskService#delete_prefixed
- a290c8a Prevent path traversal in ActiveStorage DiskService
- 8fcb934 Active Storage: Filter user supplied metadata in DirectUploadController
- d7da4ef ActiveStorage::Streaming limit range requests to a single range
- 2cd933c Configurable maximum streaming chunk size
- 624fe3c Preparing for 8.0.4 release
- 82f2c96 Disable GCS tests in CI

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.