
Bump addressable from 2.8.8 to 2.9.0 #591

Merged
marionbarker merged 1 commit into dev from fix/dependabot-addressable-cve-2026-35611 on Apr 9, 2026

Conversation

@bjorkert (Contributor) commented Apr 9, 2026

Summary

  • Updates the addressable gem in Gemfile.lock from 2.8.8 to 2.9.0 to resolve Dependabot alert 14.
  • Fixes GHSA-h27x-rffw-24p4 / CVE-2026-35611, a high-severity (CVSS 7.5) ReDoS vulnerability in Addressable's URI template matching caused by catastrophic backtracking in generated regular expressions.
  • addressable is a transitive dependency of fastlane; the fix is a pure lockfile bump with no Gemfile changes.

Fixes GHSA-h27x-rffw-24p4 (CVE-2026-35611), a high-severity ReDoS
vulnerability in Addressable URI template matching.
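Because this fix is a lockfile-only bump of a transitive dependency, the practical check is whether the resolved version in Gemfile.lock has reached the patched release. The script below is an added example, not code from this repository or from Dependabot: it parses the `specs:` block of a Gemfile.lock, compares the locked `addressable` version against the 2.9.0 floor this PR establishes, and reports which gems pull it in. The lockfile excerpt (including the fastlane version and its constraint on addressable) is constructed for the example.

```ruby
require "rubygems" # Gem::Version ships with Ruby; no extra gems needed

# Constructed Gemfile.lock excerpt modelled on this PR's bump (not the real file).
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.9.0)
        public_suffix (>= 2.0.2, < 7.0)
      fastlane (2.228.0)
        addressable (>= 2.8, < 3.0.0)
      public_suffix (6.0.1)
LOCK

# Minimum version carrying the fix for GHSA-h27x-rffw-24p4 / CVE-2026-35611,
# as stated in this PR; any later release also satisfies the check.
FIXED = { "addressable" => Gem::Version.new("2.9.0") }.freeze

# Parse the `specs:` block into { name => { version: Gem::Version, deps: [names] } }.
# In a Gemfile.lock, top-level specs are indented 4 spaces, their dependencies 6.
def parse_lock_specs(text)
  specs = {}
  current = nil
  in_specs = false
  text.each_line do |line|
    if line =~ /^\s*specs:\s*$/
      in_specs = true
      next
    end
    next unless in_specs
    break if line.strip.empty? || line !~ /^\s/ # unindented line starts the next section
    if (m = line.match(/^ {4}(\S+) \((\S+)\)$/))
      current = m[1]
      specs[current] = { version: Gem::Version.new(m[2]), deps: [] }
    elsif (m = line.match(/^ {6}(\S+)/)) && current
      specs[current][:deps] << m[1]
    end
  end
  specs
end

# Gems locked below their fixed version, with the gems that depend on them
# (here: fastlane), so the reviewer can see why a Gemfile edit is not needed.
def vulnerable_gems(text, fixed = FIXED)
  specs = parse_lock_specs(text)
  fixed.filter_map do |name, min|
    spec = specs[name]
    next unless spec && spec[:version] < min
    via = specs.select { |_, s| s[:deps].include?(name) }.keys
    { name: name, locked: spec[:version].to_s, required: min.to_s, via: via }
  end
end

if __FILE__ == $PROGRAM_NAME
  findings = vulnerable_gems(LOCKFILE)
  puts findings.empty? ? "lockfile OK" : findings.inspect
end
```

Run it against the repository's real Gemfile.lock by replacing the constructed text with `File.read("Gemfile.lock")`; a pre-bump lockfile with `addressable (2.8.8)` is reported with `via: ["fastlane"]`.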
@bjorkert bjorkert changed the base branch from main to dev April 9, 2026 09:02
@bjorkert bjorkert requested a review from marionbarker April 9, 2026 09:03
@marionbarker (Collaborator) commented

Test

Built using Xcode 26.4 onto an iOS 26.4 device.
Built using Browser Build with this as the default branch:

@marionbarker marionbarker merged commit 3367d60 into dev Apr 9, 2026
@marionbarker marionbarker deleted the fix/dependabot-addressable-cve-2026-35611 branch April 9, 2026 13:51