[core] fix: update addressable to 2.9.0 min for CVE-2026-35611#30060
Conversation
Automated dependency upgrade by OrbisAI Security
|
Match is looking to have issues with these upgrades. |
|
Hmm sorry, that appears to be an unrelated issue - googleapis/google-api-ruby-client#26611 |
Addressed. Pls review. |
iBotPeaches
left a comment
There was a problem hiding this comment.
Seems fine. Both of these versions are so old, dropping 2.8 just drops Ruby 2.0-2.2 support which isn't relevant to fastlane.
There was a problem hiding this comment.
Hey @orbisai0security 👋
Thank you for your contribution to fastlane and congrats on getting this pull request merged 🎉
The code change now lives in the master branch, however it wasn't released to RubyGems yet.
We usually ship about once a month, and your PR will be included in the next one.
Please let us know if this change requires an immediate release by adding a comment here 👍
We'll notify you once we shipped a new release with your changes 🚀"
There was a problem hiding this comment.
Congratulations! 🎉 This was released as part of fastlane 2.237.0 🚀
Summary
Upgrade addressable from 2.8.7 to >= 2.9.0 to fix CVE-2026-35611.
Vulnerability
CVE-2026-35611Gemfile.lockDescription: addressable: Addressable: Denial of Service via crafted URI templates
Evidence
Scanner confirmation: trivy rule
CVE-2026-35611flagged this pattern.Production code: This file is in the production codebase, not test-only code.
Changes
GemfileGemfile.lockVerification
This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.
Automated security fix by OrbisAI Security