From 7fc03c4e815c10632243e0c4df5bb9391a62f492 Mon Sep 17 00:00:00 2001
From: "snyk-io[bot]" <141718529+snyk-io[bot]@users.noreply.github.com>
Date: Tue, 7 Oct 2025 08:45:09 +0000
Subject: [PATCH] fix: Gemfile to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-RUBY-RACK-13052974
---
 Gemfile | 50 +++++++++++++++++++++++++------------------------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/Gemfile b/Gemfile
index 5e3fb6ba9ed5..4bad3bdb9e59 100644
--- a/Gemfile
+++ b/Gemfile
@@ -37,16 +37,16 @@ ruby File.read(File.expand_path(".ruby-version", __dir__)).strip
 gem "actionpack-xml_parser", "~> 2.0.0"
 gem "activemodel-serializers-xml", "~> 1.0.1"
 gem "activerecord-import", "~> 1.7.0"
-gem "activerecord-session_store", "~> 2.1.0"
+gem "activerecord-session_store", "~> 2.2.0"
 gem "ox"
-gem "rails", "~> 7.1.3"
+gem "rails", "~> 7.1.4", ">= 7.1.4.1"
 gem "responders", "~> 3.0"
 gem "ffi", "~> 1.15"
 gem "rdoc", ">= 2.4.2"
-gem "doorkeeper", "~> 5.7.0"
+gem "doorkeeper", "~> 5.8.0"
 # Maintain our own omniauth due to relative URL root issues
 # see upstream PR: https://github.com/omniauth/omniauth/pull/903
 gem "omniauth", git: "https://github.com/opf/omniauth", ref: "fe862f986b2e846e291784d2caa3d90a658c67f0"
@@ -126,9 +126,9 @@ gem "multi_json", "~> 1.15.0"
 gem "oj", "~> 3.16.0"
 gem "daemons"
-gem "good_job", "= 3.26.2" # update should be done manually in sync with saas-openproject version.
+gem "good_job", "= 3.27.0" # update should be done manually in sync with saas-openproject version.
-gem "rack-protection", "~> 3.2.0"
+gem "rack-protection", "~> 4.0.0"
 # Rack::Attack is a rack middleware to protect your web app from bad clients.
 # It allows whitelisting, blacklisting, throttling, and tracking based
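Review bot: Nothing in this hunk, or in any other hunk of the patch, adds or tightens a `gem "rack"` constraint, and the diffstat lists only the Gemfile, so the rack release the advisory in the subject refers to is still whatever Gemfile.lock currently resolves. Unless the lockfile is regenerated in the same change, the `rails` bump to `"~> 7.1.4", ">= 7.1.4.1"` on its own does not guarantee the vulnerable rack version is gone. An explicit floor such as `gem "rack", ">= <fixed-rack-version>"` (value taken from the advisory) would make the fix enforceable by `bundle install` rather than depend on a later `bundle update`.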
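Review bot: The `good_job` line carries its own instruction that updates are to be done manually in sync with the saas-openproject version, yet the @@ -126 hunk bumps it from `= 3.26.2` to `= 3.27.0` as part of an automated dependency update; either drop that line from the patch or confirm the saas side has been moved to the same exact version. The `rack-protection` change in the same hunk is a major bump (`~> 3.2.0` to `~> 4.0.0`); as far as I know the 4.x line requires Rack 3, so this is probably the line that actually pulls rack forward, and the regenerated Gemfile.lock should be checked to confirm that.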
@@ -145,7 +145,7 @@ gem "browser", "~> 6.0.0"
 # Providing health checks
 gem "okcomputer", "~> 1.18.1"
-gem "gon", "~> 6.4.0"
+gem "gon", "~> 6.5.0"
 # Lograge to provide sane and non-verbose logging
 gem "lograge", "~> 0.14.0"
@@ -167,7 +167,7 @@ gem "matrix", "~> 0.4.2"
 gem "meta-tags", "~> 2.22.0"
-gem "paper_trail", "~> 15.2.0"
+gem "paper_trail", "~> 16.0.0"
 gem "op-clamav-client", "~> 3.4", require: "clamav"
@@ -179,9 +179,9 @@ group :production do
 end
 gem "i18n-js", "~> 4.2.3"
-gem "rails-i18n", "~> 7.0.0"
+gem "rails-i18n", "~> 7.0.10"
-gem "sprockets", "~> 3.7.2" # lock sprockets below 4.0
+gem "sprockets", "~> 4.0.0" # lock sprockets below 4.0
 gem "sprockets-rails", "~> 3.5.1"
 gem "puma", "~> 6.4"
@@ -218,25 +218,25 @@ gem "dry-validation"
 gem "store_attribute", "~> 1.0"
 # Appsignal integration
-gem "appsignal", "~> 3.10.0", require: false
+gem "appsignal", "~> 3.11.0", require: false
 gem "view_component"
 # Lookbook
-gem "lookbook", "~> 2.3.0"
+gem "lookbook", "~> 2.3.3"
 # Require factory_bot for usage with openproject plugins testing
 gem "factory_bot", "~> 6.5.0", require: false
 # require factory_bot_rails for convenience in core development
-gem "factory_bot_rails", "~> 6.4.0", require: false
+gem "factory_bot_rails", "~> 6.4.4", require: false
-gem "turbo_power", "~> 0.6.2"
-gem "turbo-rails", "~> 2.0.0"
+gem "turbo_power", "~> 0.7.0"
+gem "turbo-rails", "~> 2.0.11"
 gem "httpx"
 group :test do
 gem "launchy", "~> 3.0.0"
- gem "rack-test", "~> 2.1.0"
+ gem "rack-test", "~> 2.2.0"
 gem "shoulda-context", "~> 2.0"
 # Test prof provides factories from code
@@ -247,7 +247,7 @@ group :test do
 gem "rack_session_access"
 gem "rspec", "~> 3.13.0"
 # also add to development group, so 'spec' rake task gets loaded
- gem "rspec-rails", "~> 7.0.0", group: :development
+ gem "rspec-rails", "~> 7.0.2", group: :development
 # Retry failures within the same environment
 gem "retriable", "~> 3.1.1"
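Review bot: The comment on the new `sprockets` line in the @@ -179 hunk still says `# lock sprockets below 4.0` while the constraint is now `"~> 4.0.0"`, so the line contradicts itself; sprockets 4 also changes how assets are declared (the manifest.js requirement), which is not something a dependency bot can verify. Either keep `gem "sprockets", "~> 3.7.2" # lock sprockets below 4.0` or, if the migration is intended, drop the stale comment: `gem "sprockets", "~> 4.0.0"`. The same concern, a major version bump folded into a rack-advisory fix, applies to `paper_trail` (`~> 15.2.0` to `~> 16.0.0`) in @@ -167 and to `grape_logging` and `rack-cors` in @@ -352.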
@@ -271,7 +271,7 @@ group :test do
 gem "capybara", "~> 3.40.0"
 gem "capybara_accessible_selectors", git: "https://github.com/citizensadvice/capybara_accessible_selectors", branch: "main"
 gem "capybara-screenshot", "~> 1.0.17"
- gem "cuprite", "~> 0.15.0"
+ gem "cuprite", "~> 0.16.0"
 gem "rspec-wait"
 gem "selenium-devtools"
 gem "selenium-webdriver", "~> 4.20"
@@ -315,11 +315,11 @@ group :development do
 end
 group :development, :test do
- gem "dotenv-rails"
+ gem "dotenv-rails", ">= 3.1.5"
 # Tracing and profiling gems
 gem "flamegraph", require: false
- gem "rack-mini-profiler", require: false
+ gem "rack-mini-profiler", ">= 4.0.0", require: false
 gem "ruby-prof", require: false
 gem "stackprof", require: false
@@ -340,7 +340,7 @@ group :development, :test do
 gem "rubocop-factory_bot", require: false
 gem "rubocop-openproject", require: false
 gem "rubocop-performance", require: false
- gem "rubocop-rails", require: false
+ gem "rubocop-rails", ">= 2.27.0", require: false
 gem "rubocop-rspec", require: false
 gem "rubocop-rspec_rails", require: false
@@ -352,18 +352,18 @@ group :development, :test do
 gem "brakeman", "~> 6.2.0"
 # i18n-tasks helps find and manage missing and unused translations.
- gem "i18n-tasks", "~> 1.0.13", require: false
+ gem "i18n-tasks", "~> 1.0.15", require: false
 end
 gem "bootsnap", "~> 1.18.0", require: false
 # API gems
-gem "grape", "~> 2.2.0"
-gem "grape_logging", "~> 1.8.4"
+gem "grape", "~> 2.3.0"
+gem "grape_logging", "~> 2.0.0"
 gem "roar", "~> 1.2.0"
 # CORS for API
-gem "rack-cors", "~> 2.0.2"
+gem "rack-cors", "~> 3.0.0"
 # Gmail API
 gem "google-apis-gmail_v1", require: false
@@ -398,5 +398,5 @@ gemfiles.each do |file|
 end
 gem "openproject-octicons", "~>19.18.0"
-gem "openproject-octicons_helper", "~>19.18.0"
+gem "openproject-octicons_helper", "~> 19.18.1"
 gem "openproject-primer_view_components", "~>0.48.0"
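Review bot: `gem "dotenv-rails", ">= 3.1.5"` and `gem "rack-mini-profiler", ">= 4.0.0", require: false` in the @@ -315 hunk introduce open-ended floors into a file that otherwise pins with `~>`, so any future major release of either gem resolves silently on the next `bundle update`; `rubocop-rails` in @@ -340 gets the same treatment. If the floor is the point, pair it with a pessimistic ceiling in the file's existing style, e.g. `gem "dotenv-rails", "~> 3.1", ">= 3.1.5"`. The `group :development, :test do` block opened in this hunk continues past its last line.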