v0.3.6
Released: 2026-06-27
Changes since v0.3.5 (d67781d..55e3db8).
Security
- crass 1.0.6 -> 1.0.7 (transitive): four CVEs in the CSS parser used by sanitize / loofah:
  SystemStackError from deeply-nested blocks/functions, ReDoS-style CPU/memory blow-up on large numeric exponents, superlinear CPU consumption on non-ASCII characters, and another SystemStackError from a large number of adjacent CSS comments.
- faraday 2.14.2 -> 2.14.3 (transitive): uncontrolled recursion in NestedParamsEncoder allows stack-exhaustion DoS via deeply-nested query parameters.
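Both of these gems are transitive, so nothing in the Gemfile names them and the fix is only in place if Gemfile.lock resolves them at or above the patched versions. The following is an added example, not code from this project or from the crass / faraday maintainers: a stdlib-only Ruby audit that parses the specs: blocks of a Gemfile.lock and reports any gem still below the minimum versions listed above. The sample lockfile is constructed for illustration, and parse_lockfile_specs, audit and MIN_VERSIONS are names chosen here.

```ruby
require "rubygems" # for Gem::Version; ships with Ruby

# Patched versions named in the release notes above.
MIN_VERSIONS = {
  "crass"   => Gem::Version.new("1.0.7"),
  "faraday" => Gem::Version.new("2.14.3"),
}.freeze

# Parse every `specs:` block of a Gemfile.lock (GEM, PATH and GIT sections
# each carry one) into { gem_name => Gem::Version }. Resolved gems appear as
# 4-space-indented "name (version)" lines; their requirements are indented
# deeper and carry constraints rather than versions, so they are skipped.
def parse_lockfile_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    # Any unindented line (PLATFORMS, DEPENDENCIES, BUNDLED WITH, ...)
    # starts a new top-level section and closes the current specs block.
    in_specs = false if line.match?(/\A\S/)
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    next unless m
    name, version = m[1], m[2]
    # Platform-specific gems resolve as "nokogiri (1.18.3-x86_64-linux)";
    # only the numeric prefix matters for the comparison.
    specs[name] = Gem::Version.new(version.split("-", 2).first)
  end
  specs
end

# One finding per gem that is present in the bundle but below its minimum.
# A gem absent from the lockfile is not a finding: there is nothing to fix.
def audit(specs, minimums = MIN_VERSIONS)
  minimums.each_with_object([]) do |(name, min), findings|
    found = specs[name]
    next if found.nil? || found >= min
    findings << { gem: name, found: found.to_s, required: min.to_s }
  end
end

# Constructed sample lockfile (not the project's): both gems are still at
# the versions this release replaces.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.6)
      faraday (2.14.2)
        faraday-net_http (>= 2.0, < 3.5)
        json
        logger
      loofah (2.24.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.12.0)
      nokogiri (1.18.3-x86_64-linux)
        racc (~> 1.4)
      sanitize (7.0.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.16.8)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    faraday
    sanitize

  BUNDLED WITH
     2.5.9
LOCK

if __FILE__ == $PROGRAM_NAME
  # Pass a real Gemfile.lock path as the first argument to audit it;
  # without one the constructed sample above is used.
  lockfile = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  audit(parse_lockfile_specs(lockfile)).each do |f|
    puts "#{f[:gem]} #{f[:found]} is below the patched #{f[:required]}"
  end
end
```

Because neither gem is a direct dependency, the bump itself is made with bundle update --conservative crass faraday, which rewrites only those entries in Gemfile.lock; re-running the audit afterwards should return no findings.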
Infrastructure
- Bumped actions/cache v4 -> v6 in ci.yml.
Test Coverage
- 450 Ruby tests, 1,393 JavaScript tests (1,843 total) — unchanged from v0.3.5.