chore(deps): update dependency rack to '>= 2.0', '< 3.2.5'

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
rack (changelog)	'>= 2.0', '< 3.0' -> '>= 2.0', '< 3.2.5'

---

Release Notes

rack/rack (rack)

v3.2.4

Compare Source

Fixed

• Multipart parser: limit MIME header size check to the unread buffer region to avoid false multipart mime part header too large errors when previously read data accumulates in the scan buffer. (#​2392, @​alpaca-tc, @​willnet, @​krororo)

v3.2.3

Compare Source

v3.2.2

Compare Source

Security

• CVE-2025-61772 Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
• CVE-2025-61771 Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
• CVE-2025-61770 Unbounded multipart preamble buffering enables DoS (memory exhaustion)

v3.2.1

Compare Source

Added

• Add support for streaming bodies when using Rack::Events. (#​2375, @​unflxw)

Fixed

• Fix an issue where a NoMethodError would be raised when using Rack::Events with streaming bodies. (#​2375, @​unflxw)

v3.2.0

Compare Source

This release continues Rack's evolution toward a cleaner, more efficient foundation while maintaining backward compatibility for most applications. The breaking changes primarily affect deprecated functionality, so most users should experience a smooth upgrade with improved performance and standards compliance.

SPEC Changes

• Request environment keys must now be strings. (#​2310, [@​jeremyevans])
• Add nil as a valid return from a Response body.to_path (#​2318, [@​MSP-Greg])
• Rack::Lint#check_header_value is relaxed, only disallowing CR/LF/NUL characters. (#​2354, [@​ioquatix])

Added

• Introduce Rack::VERSION constant. (#​2199, [@​ioquatix])
• ISO-2022-JP encoded parts within MIME Multipart sections of an HTTP request body will now be converted to UTF-8. (#​2245, @​nappa)
• Add Rack::Request#query_parser= to allow setting the query parser to use. (#​2349, [@​jeremyevans])
• Add Rack::Request#form_pairs to access form data as raw key-value pairs, preserving duplicate keys. (#​2351, [@​matthewd])

Changed

• Invalid cookie keys will now raise an error. (#​2193, [@​ioquatix])
• Rack::MediaType#params now handles empty strings. (#​2229, [@​jeremyevans])
• Avoid unnecessary calls to the ip_filter lambda to evaluate Request#ip (#​2287, [@​willbryant])
• Only calculate Request#ip once per request (#​2292, [@​willbryant])
• Rack::Builder #use, #map, and #run methods now return nil. (#​2355, [@​ioquatix])
• Directly close the body in Rack::ConditionalGet when the response is 304 Not Modified. (#​2353, [@​ioquatix])
• Directly close the body in Rack::Head when the request method is HEAD(#​2360, @​skipkayhil)

Deprecated

• Rack::Auth::AbstractRequest#request is deprecated without replacement. (#​2229, [@​jeremyevans])
• Rack::Request#parse_multipart (private method designed to be overridden in subclasses) is deprecated without replacement. (#​2229, [@​jeremyevans])

Removed

• Rack::Request#values_at is removed. (#​2200, [@​ioquatix])
• Rack::Logger is removed with no replacement. (#​2196, [@​ioquatix])
• Automatic cache invalidation in Rack::Request#{GET,POST} has been removed. (#​2230, [@​jeremyevans])
• Support for CGI::Cookie has been removed. (#​2332, [@​ioquatix])

Fixed

• Rack::RewindableInput::Middleware no longer wraps a nil input. (#​2259, @​tt)
• Fix NoMethodError in Rack::Request#wrap_ipv6 when x-forwarded-host is empty. (#​2270, @​oieioi)
• Fix the specification for SERVER_PORT which was incorrectly documented as required to be an Integer if present - it must be a String containing digits only. (#​2296, [@​ioquatix])
• SERVER_NAME and HTTP_HOST are now more strictly validated according to the relevant specifications. (#​2298, [@​ioquatix])
• Rack::Lint now disallows PATH_INFO="" SCRIPT_NAME="". (#​2298, [@​jeremyevans])

v3.1.19

Compare Source

Fixed

• Multipart parser: limit MIME header size check to the unread buffer region to avoid false multipart mime part header too large errors when previously read data accumulates in the scan buffer. (#​2392, @​alpaca-tc, @​willnet, @​krororo)

v3.1.18

Compare Source

v3.1.17

Compare Source

Security

• CVE-2025-61772 Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
• CVE-2025-61771 Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
• CVE-2025-61770 Unbounded multipart preamble buffering enables DoS (memory exhaustion)

v3.1.16

Compare Source

Security

• CVE-2025-49007 Fix ReDoS in multipart request.

v3.1.15

Compare Source

• Optional support for CGI::Cookie if not available. (#​2327, #​2333, [@​earlopain])

v3.1.14

Compare Source

⚠️ This release includes a security fix that may cause certain routes in previously working applications to fail if query parameters exceed 4,096 in count or 4 MB in total size. See https://redirect.github.com/rack/rack/discussions/2356 for more details.

Security

• CVE-2025-46727 Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion.

v3.1.13

Compare Source

• Ensure Rack::ETag correctly updates response body. (#​2324, [@​ioquatix])

v3.1.12

Compare Source

Security

• CVE-2025-27610 Local file inclusion in Rack::Static.

v3.1.11

Compare Source

Security

• CVE-2025-27111 Possible Log Injection in Rack::Sendfile.

v3.1.10

Compare Source

Security

• CVE-2025-25184 Possible Log Injection in Rack::CommonLogger.

v3.1.9

Compare Source

Fixed

• Rack::MediaType#params now handles parameters without values. (#​2263, @​AllyMarthaJ)

v3.1.8

Compare Source

Fixed

• Resolve deprecation warnings about uri DEFAULT_PARSER. (#​2249, [@​earlopain])

v3.1.7

Compare Source

Fixed

• Do not remove escaped opening/closing quotes for content-disposition filenames. (#​2229, [@​jeremyevans])
• Fix encoding setting for non-binary IO-like objects in MockRequest#env_for. (#​2227, [@​jeremyevans])
• Rack::Response should not generate invalid content-length header. (#​2219, [@​ioquatix])
• Allow empty PATH_INFO. (#​2214, [@​ioquatix])

v3.1.6

Compare Source

Fixed

• Fix several edge cases in Rack::Request#parse_http_accept_header's implementation. (#​2226, [@​ioquatix])

v3.1.5

Compare Source

Security

• Fix potential ReDoS attack in Rack::Request#parse_http_accept_header. (GHSA-cj83-2ww7-mvq7, @​dwisiswant0)

v3.1.4

Compare Source

Fixed

• Fix Rack::Lint matching some paths incorrectly as authority form. (#​2220, [@​ioquatix])

v3.1.3

Compare Source

Fixed

• Fix passing non-strings to Rack::Utils.escape_html. (#​2202, [@​earlopain])
• Rack::MockResponse gracefully handles empty cookies (#​2203 [@​wynksaiddestroy])

v3.1.2

Compare Source

• Rack::Response will take in to consideration chunked encoding responses (#​2204, [@​tenderlove])

v3.1.1

Compare Source

Security

• CVE-2025-61772 Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
• CVE-2025-61771 Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
• CVE-2025-61770 Unbounded multipart preamble buffering enables DoS (memory exhaustion)

v3.1.0

Compare Source

⚠️ This release includes several breaking changes. Refer to the Removed section below for the list of deprecated methods that have been removed in this release.

This release is primarily a maintenance release that removes features deprecated in Rack v3.0. Alongside these removals, there are several improvements to the Rack SPEC, mainly focused on enhancing input and output handling. These changes aim to make Rack more efficient and align better with the requirements of server implementations and relevant HTTP specifications.

SPEC Changes

• rack.input is now optional. (#​1997, #​2018, [@​ioquatix])
• PATH_INFO is now validated according to the HTTP/1.1 specification. (#​2117, #​2181, [@​ioquatix])
  • OPTIONS * is now accepted. (#​2114, @​doriantaylor)
• Introduce optional rack.protocol request and response header for handling connection upgrades. (#​1954, [@​ioquatix])

Added

• Introduce Rack::Multipart::MissingInputError for improved handling of missing input in #parse_multipart. (#​2018, [@​ioquatix])
• Introduce module Rack::BadRequest which is included in multipart and query parser errors. (#​2019, [@​ioquatix])
• Add .mjs MIME type (#​2057, @​axilleas)
• set_cookie_header utility now supports the partitioned cookie attribute. This is required by Chrome in some embedded contexts. (#​2131, @​flavio-b)
• Introduce rack.early_hints for sending 103 Early Hints informational responses. (#​1831, @​casperisfine, [@​jeremyevans])

Changed

• MIME type for JavaScript files (.js) changed from application/javascript to text/javascript (1bd0f15, [@​ioquatix])
• Update MIME types associated to .ttf, .woff, .woff2 and .otf extensions to use mondern font/* types. (#​2065, [@​davidstosik])
• Rack::Utils.escape_html is now delegated to CGI.escapeHTML. ' is escaped to #​39; instead of #x27;. (decimal vs hexadecimal) (#​2099, @​JunichiIto)
• Clarify use of @buffered and only update content-length when Rack::Response#finish is invoked. (#​2149, [@​ioquatix])

Deprecated

• Deprecate automatic cache invalidation in Request#{GET,POST} (#​2073, [@​jeremyevans])
• Only cookie keys that are not valid according to the HTTP specifications are escaped. We are planning to deprecate this behaviour, so now a deprecation message will be emitted in this case. In the future, invalid cookie keys may not be accepted. (#​2191, [@​ioquatix])
• Rack::Logger is deprecated. (#​2197, [@​ioquatix])
• Add fallback lookup and deprecation warning for obsolete status symbols. (#​2137, @​wtn)
• Deprecate Rack::Request#values_at, use request.params.values_at instead (#​2183, [@​ioquatix])

Removed

• Remove deprecated Rack::Auth::Digest with no replacement. (#​1966, [@​ioquatix])
• Remove deprecated Rack::Cascade::NotFound with no replacement. (#​1966, [@​ioquatix])
• Remove deprecated Rack::Chunked with no replacement. (#​1966, [@​ioquatix])
• Remove deprecated Rack::File, use Rack::Files instead. (#​1966, [@​ioquatix])
• Remove deprecated Rack::QueryParser key_space_limit parameter with no replacement. (#​1966, [@​ioquatix])
• Remove deprecated Rack::Response#header, use Rack::Response#headers instead. (#​1966, [@​ioquatix])
• Remove deprecated cookie methods from Rack::Utils: add_cookie_to_header, make_delete_cookie_header, add_remove_cookie_to_header. (#​1966, [@​ioquatix])
• Remove deprecated Rack::Utils::HeaderHash. (#​1966, [@​ioquatix])
• Remove deprecated Rack::VERSION, Rack::VERSION_STRING, Rack.version, use Rack.release instead. (#​1966, [@​ioquatix])
• Remove non-standard status codes 306, 509, & 510 and update descriptions for 413, 422, & 451. (#​2137, @​wtn)
• Remove any dependency on transfer-encoding: chunked. (#​2195, [@​ioquatix])
• Remove deprecated Rack::Request#[], use request.params[key] instead (#​2183, [@​ioquatix])

Fixed

• In Rack::Files, ignore the Range header if served file is 0 bytes. (#​2159, [@​zarqman])

v3.0.18

Compare Source

• Fix incorrect backport of optional CGI::Cookie support. (#​2335, [@​jeremyevans])

v3.0.17

Compare Source

• Optional support for CGI::Cookie if not available. (#​2327, #​2333, [@​earlopain])

v3.0.16

Compare Source

⚠️ This release includes a security fix that may cause certain routes in previously working applications to fail if query parameters exceed 4,096 in count or 4 MB in total size. See https://redirect.github.com/rack/rack/discussions/2356 for more details.

Security

• CVE-2025-46727 Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion.

v3.0.15

Compare Source

• Ensure Rack::ETag correctly updates response body. (#​2324, [@​ioquatix])

v3.0.14

Compare Source

Security

• CVE-2025-27610 Local file inclusion in Rack::Static.

v3.0.13

Compare Source

Security

• CVE-2025-27111 Possible Log Injection in Rack::Sendfile.

Fixed

• Remove autoloads for constants no longer shipped with Rack. (#​2269, @​ccutrer)

v3.0.12

Security

• CVE-2025-25184 Possible Log Injection in Rack::CommonLogger.

v3.0.11

• Backport #​2062 to 3-0-stable: Do not allow BodyProxy to respond to to_str, make to_ary call close . (#​2062, @​jeremyevans)

v3.0.10

Compare Source

• Backport #​2104 to 3-0-stable: Return empty when parsing a multi-part POST with only one end delimiter. (#​2164, @​JoeDupuis)

v3.0.9.1

Compare Source

Security

• CVE-2024-26146 Fixed ReDoS in Accept header parsing
• CVE-2024-25126 Fixed ReDoS in Content Type header parsing
• CVE-2024-26141 Reject Range headers which are too large

v3.0.9

Compare Source

Security

• CVE-2024-26146 Fixed ReDoS in Accept header parsing
• CVE-2024-25126 Fixed ReDoS in Content Type header parsing
• CVE-2024-26141 Reject Range headers which are too large

v3.0.8

Compare Source

• Fix some unused variable verbose warnings. (#​2084, [@​jeremyevans], @​skipkayhil)

v3.0.7

Compare Source

• Make query parameters without = have nil values. (#​2059, [@​jeremyevans])

v3.0.6.1

Compare Source

Security

• [CVE-2023-27539] Avoid ReDoS in header parsing

v3.0.6

Compare Source

Security

• [CVE-2023-27539] Avoid ReDoS in header parsing

v3.0.5

Compare Source

• Split form/query parsing into two steps. (#​2038, @​matthewd)

v3.0.4.2

Compare Source

Security

• [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts

v3.0.4.1

Compare Source

Security

• [CVE-2022-44571] Fix ReDoS vulnerability in multipart parser
• [CVE-2022-44570] Fix ReDoS in Rack::Utils.get_byte_ranges
• [CVE-2022-44572] Forbid control characters in attributes (also ReDoS)

v3.0.4

Compare Source

Security

• [CVE-2023-27530] Introduce multipart_total_part_limit to limit total parts

v3.0.3

Compare Source

Fixed

• Rack::URLMap uses non-deprecated form of Regexp.new. (#​1998, @​weizheheng)

v3.0.2

Compare Source

Fixed

• Utils.build_nested_query URL-encodes nested field names including the square brackets.
• Allow Rack::Response to pass through streaming bodies. (#​1993, [@​ioquatix])

v3.0.1

Compare Source

• Fix incorrect backport of optional CGI::Cookie support. (#​2335, [@​jeremyevans])

v3.0.0

Compare Source

This release introduces major improvements to Rack, including enhanced support for streaming responses, expanded protocol handling, and stricter compliance with HTTP standards. It refines middleware interfaces, improves multipart and hijack handling, and strengthens security and error reporting. The update also brings performance optimizations, better compatibility with modern Ruby versions, and numerous bug fixes, making Rack more robust and flexible for web application development.

• No changes

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.