Update rack to v2.2.8.1
What does this MR do and why?
This addresses CVE-2024-25126, CVE-2024-26146, and CVE-2024-26141.
Diff: https://my.diffend.io/gems/rack/2.2.8/2.2.8.1
Relates to https://gitlab.com/gitlab-org/gitlab/-/issues/442679
Activity
assigned to @stanhu
changed milestone to %16.10
added maintenance::dependency type::maintenance labels
- Resolved by Stan Hu
Dependency change review report
This automation is under testing, please leave your feedback in the issue.
Modified Dependency: rack (2.2.8.1)
Location: Gemfile.lock
Version diffs
Change in dependency identified, pinging @gitlab-com/gl-security/appsec for review. For review guidelines, refer to the handbook page. Hi Appsec, please resolve this thread once review is completed.
Checks passed: 6/7
- Latest version: 3.0.9.1 released on: 2024-01-31. URL: https://rubygems.org/gems/rack
- Latest version is not in use.
- Total downloads: 846640910
- Reverse dependencies: 3410
- Total number of releases: 121
- Latest version age (months): 0
- Source project in Github not archived.
- Maintainer email domains are not expired.
- A deleted user
added backend label
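Reviewer roulette
+----------+--------------------------------------------+------------------------------------------------+
| Category | Reviewer                                   | Maintainer                                     |
+----------+--------------------------------------------+------------------------------------------------+
| backend  | @msaleiko (UTC+1, 9 hours ahead of author) | @acook.gitlab (UTC-5, 3 hours ahead of author) |
+----------+--------------------------------------------+------------------------------------------------+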
Please check reviewer's status!
Please refer to documentation page for guidance on how you can benefit from the Reviewer Roulette, or use the GitLab Review Workload Dashboard to find other available reviewers.
Rubygems
This merge request adds, or changes a Rubygems dependency. Please review the Gemfile guidelines.
If needed, you can retry the danger-review job that generated this comment.
Generated by Danger
Edited by Ghost User
- Resolved by 🤖 DepSASTer Bot by GitLab AppSec 🤖
NON-BLOCKING: This MR has changed Gemfile.checksum. GitLab team members should review the following dependency SAST scans when they finish:
If there appear to be any true-positive vulnerabilities identified with CRITICAL or HIGH severity, if the report is misconfigured, or if you have questions, reply to this thread and mention @gitlab-com/gl-security/appsec.
Otherwise, this does not require an AppSec review.
Please also review the Gemfile development AppSec guidelines. Thank you for keeping GitLab secure!
Generated by depSASTer. Open an issue to provide feedback.
requested review from @aluthra2
E2E Test Result Summary
allure-report-publisher generated test report!
e2e-package-and-test: test report for 4df84ee7
+---------------------------------------------------------------------+
|                           suites summary                            |
+----------------+--------+--------+---------+-------+-------+--------+
|                | passed | failed | skipped | flaky | total | result |
+----------------+--------+--------+---------+-------+-------+--------+
| Package        | 226    | 0      | 16      | 0     | 242   | ✅     |
| Create         | 560    | 0      | 70      | 0     | 630   | ✅     |
| Plan           | 242    | 0      | 13      | 0     | 255   | ✅     |
| Systems        | 8      | 0      | 0       | 0     | 8     | ✅     |
| Configure      | 1      | 0      | 9       | 0     | 10    | ✅     |
| Govern         | 269    | 0      | 19      | 0     | 288   | ✅     |
| Manage         | 39     | 0      | 11      | 0     | 50    | ✅     |
| Verify         | 150    | 0      | 27      | 0     | 177   | ✅     |
| Fulfillment    | 8      | 0      | 75      | 0     | 83    | ✅     |
| Analytics      | 7      | 0      | 0       | 0     | 7     | ✅     |
| Secure         | 6      | 0      | 3       | 0     | 9     | ✅     |
| Monitor        | 32     | 0      | 13      | 0     | 45    | ✅     |
| GitLab Metrics | 2      | 0      | 1       | 0     | 3     | ✅     |
| Data Stores    | 117    | 0      | 28      | 0     | 145   | ✅     |
| ModelOps       | 0      | 0      | 3       | 0     | 3     | ➖     |
| Ai-powered     | 0      | 0      | 3       | 0     | 3     | ➖     |
| Release        | 15     | 0      | 3       | 0     | 18    | ✅     |
| Growth         | 0      | 0      | 6       | 0     | 6     | ➖     |
+----------------+--------+--------+---------+-------+-------+--------+
| Total          | 1682   | 0      | 300     | 0     | 1982  | ✅     |
+----------------+--------+--------+---------+-------+-------+--------+
e2e-test-on-gdk: test report for 4df84ee7
+------------------------------------------------------------------+
|                          suites summary                          |
+-------------+--------+--------+---------+-------+-------+--------+
|             | passed | failed | skipped | flaky | total | result |
+-------------+--------+--------+---------+-------+-------+--------+
| Package     | 24     | 0      | 2       | 0     | 26    | ✅     |
| Plan        | 53     | 0      | 0       | 0     | 53    | ✅     |
| Govern      | 66     | 0      | 0       | 0     | 66    | ✅     |
| Verify      | 31     | 0      | 0       | 0     | 31    | ✅     |
| Release     | 5      | 0      | 0       | 0     | 5     | ✅     |
| Monitor     | 7      | 0      | 0       | 0     | 7     | ✅     |
| Create      | 60     | 0      | 9       | 0     | 69    | ✅     |
| Data Stores | 31     | 0      | 0       | 0     | 31    | ✅     |
| Manage      | 0      | 0      | 1       | 0     | 1     | ➖     |
| Analytics   | 2      | 0      | 0       | 0     | 2     | ✅     |
+-------------+--------+--------+---------+-------+-------+--------+
| Total       | 279    | 0      | 12      | 0     | 291   | ✅     |
+-------------+--------+--------+---------+-------+-------+--------+
Edited by Ghost User
- Resolved by Stan Hu
Edited by Aman Luthra
removed review request for @aluthra2
added 51 commits
- c55295f4...c3ecc84a - 50 commits from branch master
- 4df84ee7 - Update rack to v2.2.8.1
requested review from @aluthra2
- Resolved by Stan Hu