
fix(deps): bump sinatra to >=4.2.0 (GHSA-mr3q-g2mv-mr4q)#390

Draft
barretts wants to merge 1 commit into main from babysit/d4fe6cf1/sinatra

Conversation


@barretts barretts commented Apr 25, 2026

3PP Grackle (automated dependency triage -- Frontend DX) -- babysit (AT run cc80d33f)

Summary

Fixes 1 LOW severity 3PP vulnerability in sinatra (GHSA-mr3q-g2mv-mr4q).

Sinatra is vulnerable to a reflected file download via a crafted User-Agent header: when an attacker controls the UA string, Sinatra can be coerced into emitting it unsanitized into a response such that browsers treat the download as originating from the server. First patched in sinatra 4.2.0.

Production risk: Runtime
This vulnerability is reachable in production. sinatra is the web framework serving web.rb on the running dyno; any request path that reflects or logs the User-Agent header exercises the vulnerable code. Priority: LOW (severity), but production-reachable.

Strategy: upgrade (direct dependency bump)

Changes

Gemfile

Bumped the sinatra gem constraint to admit the patched minor:

gem 'sinatra', '~> 4.2.0'

Why a direct bump (not an override)? sinatra is a direct dependency in Gemfile (the app's web framework). The simplest correct fix is to move the constraint to the patched minor series. Bundler has no first-class override mechanism equivalent to npm overrides / pnpm pnpm.overrides, so for direct deps the canonical remediation is to bump the Gemfile pin and let Bundler re-resolve transitives.

Gemfile.lock

Re-resolved via bundle update sinatra --conservative so the upgrade is scoped to sinatra and its pinned transitives:

  • sinatra: 4.1.1 -> 4.2.1
  • rack-protection: 4.1.1 -> 4.2.1 (pinned by sinatra)
  • rack-session: 2.1.1 -> 2.1.2 (transitive)
  • mustermann: 3.0.3 -> 3.1.1 (transitive)
  • tilt: 2.6.1 -> 2.7.0 (transitive)

Why --conservative? Prevents Bundler from drifting unrelated gems (puma, rackup, thin, etc.) that the advisory does not require touching. Keeps the lockfile delta scoped to what the CVE actually needs.

Resolutions and overrides

None. Bundler does not use a pnpm.overrides / resolutions / npm overrides field; this fix is a direct Gemfile version bump with a matching Gemfile.lock re-resolution. There are no override rows to register.

How to test

This repository is a Sinatra-backed static content site (web.rb + views/ + content/). There is no automated test suite (confirmed: no spec/, test/, or Rakefile test task).

Manual verification steps a reviewer or downstream consumer should exercise:

  1. bundle install -- must re-resolve cleanly against the updated Gemfile.lock.
  2. bundle exec ruby -c web.rb -- syntax check on the Sinatra app.
  3. bundle exec rackup (or heroku local web via Procfile) -- boot the app locally and confirm it serves / and a localized path (e.g. /ja/) without exceptions.
  4. Sinatra 4.2 API surface used by web.rb (get, before, set, redirect, ERB rendering, i18n) is stable across 4.1 -> 4.2; no caller changes required. Spot-check by hitting a few locale routes defined in web.rb.
  5. Affected library surface: anything that reflects or logs the User-Agent header. web.rb does not currently echo request.user_agent into a response, so the app's concrete exposure is limited to whatever Sinatra itself does internally -- the upgrade closes that path regardless.

Vulnerabilities Fixed

CVE/GHSA              Package  Severity  Fixed Version
GHSA-mr3q-g2mv-mr4q   sinatra  low       >= 4.2.0

Validation

Validation is a before/after comparison. This PR's body-refresh pass re-ran validation against the already-fixed branch to capture fresh exit codes.

  • Install (baseline / post-fix): PASS / PASS (bundle update sinatra --conservative exit 0 during original fix)
  • Tests (baseline / post-fix): N/A / N/A (no test suite exists in this repo)
  • Lint (baseline / post-fix): PASS / PASS (ruby -c web.rb exit 0; log at .logs/babysit-rebody-validate-1777139521.log)
  • Build (baseline / post-fix): N/A / N/A (static site; no build step beyond bundle install)

Notes

  • Dependency chain: app (Gemfile) -> sinatra (direct). No transitive hop; the vulnerable package is a direct dependency.
  • Bundler has no pnpm.overrides analogue, so no Override Registry update is required and no README registry row is added.
  • Ruby version pin in Gemfile (3.3.5 via .ruby-version) is unchanged by this PR. Local validation on a machine with Ruby 3.2.2 reports the pin mismatch cosmetically but does not affect the correctness of the lockfile resolution.

skill-sig: 26cfcbaf · grackle-sig: cc80d33f · 3pp-skill canonical pipeline · 3pp-grackle babysit

Resolves:
- GHSA-mr3q-g2mv-mr4q (low) -- sinatra reflected file download via User-Agent header (first patched in 4.2.0)

AT: babysit-2026-04-25-05-46-47
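The PR description lists the lockfile delta produced by `bundle update sinatra --conservative` and states the fixed version for GHSA-mr3q-g2mv-mr4q as `>= 4.2.0`. The following Ruby script is an added example, not code from this PR or from the repository: it parses the `specs:` section of a Gemfile.lock, checks each advisory's gem against its fixed-version requirement with `Gem::Requirement`, and diffs a before/after lock so a reviewer can confirm that only sinatra and its transitives moved. The two lock fixtures are constructed to mirror the versions quoted above (the `puma` entry and its version are constructed filler to show an unrelated gem staying put); the advisory table holds only the entry this PR names.

```ruby
# Added example (not part of the PR or the project): verify that a Gemfile.lock
# resolves every advisory's gem to a patched version, and that a dependency
# bump stayed scoped. Uses only the RubyGems standard library.
require 'rubygems'

# Constructed pre-fix lock, abbreviated to the resolved `name (version)` lines.
# Dependency sub-lines (six-space indent) are included once to show they are skipped.
BEFORE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mustermann (3.0.3)
      puma (6.4.3)
      rack-protection (4.1.1)
      rack-session (2.1.1)
      sinatra (4.1.1)
        rack-protection (= 4.1.1)
      tilt (2.6.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    puma
    sinatra (~> 4.1.0)
LOCK

# Constructed post-fix lock, mirroring the versions listed in the PR description.
AFTER_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mustermann (3.1.1)
      puma (6.4.3)
      rack-protection (4.2.1)
      rack-session (2.1.2)
      sinatra (4.2.1)
        rack-protection (= 4.2.1)
      tilt (2.7.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    puma
    sinatra (~> 4.2.0)
LOCK

# Advisory data as the PR states it: gem name plus the fixed-version range.
ADVISORIES = {
  'GHSA-mr3q-g2mv-mr4q' => { gem: 'sinatra', fixed: Gem::Requirement.new('>= 4.2.0') },
}.freeze

# Parse the resolved entries under `specs:` into { name => Gem::Version }.
# Resolved entries are indented exactly four spaces; their dependency lines use
# six and are ignored. A platform suffix such as "-x86_64-linux" is dropped
# because Gem::Version does not accept it.
def resolved_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |raw_line|
    line = raw_line.chomp
    if line =~ /\A\s*specs:\z/
      in_specs = true
      next
    end
    in_specs = false if line.strip.empty? || line =~ /\A[A-Z]/ # next top-level section
    next unless in_specs
    next unless (m = line.match(/\A {4}([^\s(]+) \(([^)]+)\)\z/))
    versions[m[1]] = Gem::Version.new(m[2].split('-', 2).first)
  end
  versions
end

# Return the advisories whose gem is missing from the lock or resolved below the
# fixed version; an empty Hash means the lock is clean for these advisories.
def unresolved_advisories(lock_text, advisories = ADVISORIES)
  versions = resolved_versions(lock_text)
  advisories.reject do |_id, adv|
    version = versions[adv[:gem]]
    version && adv[:fixed].satisfied_by?(version)
  end
end

# Diff two locks: { name => [old_version, new_version] } for gems whose resolved
# version changed. Gems that did not move (here: puma) are left out, which is
# what a --conservative update should produce.
def lock_delta(before_text, after_text)
  before = resolved_versions(before_text)
  after = resolved_versions(after_text)
  (before.keys | after.keys).sort.each_with_object({}) do |name, delta|
    next if before[name] == after[name]
    delta[name] = [before[name]&.to_s, after[name]&.to_s]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "Unresolved before fix: #{unresolved_advisories(BEFORE_LOCK).keys.inspect}"
  puts "Unresolved after fix:  #{unresolved_advisories(AFTER_LOCK).keys.inspect}"
  lock_delta(BEFORE_LOCK, AFTER_LOCK).each { |name, (old_v, new_v)| puts "#{name}: #{old_v} -> #{new_v}" }
end
```

Run against a real repository by replacing the fixtures with `File.read('Gemfile.lock')` from the base and head branches; a non-empty `unresolved_advisories` result on the head lock, or a `lock_delta` entry for a gem the advisory does not name, is the signal a reviewer would want to raise before merging.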
