🚨 [security] [ruby] Update sidekiq 7.3.6 → 8.0.4 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ sidekiq (7.3.6 → 8.0.4) · Repo · Changelog

Release Notes

8.0.4 (from changelog)

• Adjust Rails integration for various edge cases [6713]
• Flush job iteration state when an error is raised [#6704]
• Update Accept-Language parsing in Web UI [#6721]
• Remove fixed-width in Web UI [#6686]
• Adjust CSRF middleware ordering [#6688]
• Support proxies when POSTing profiles to profiler.firefox.com [#6687]
• Dont swallow NoMethodErrors in CurrentAttributes [#6685]

8.0.2 (from changelog)

• Add on(:exit) event to run code right before the Sidekiq process exits [#6637]
• Metrics page crashes with Rack 3.1+ [#6646]

8.0.1 (from changelog)

• Relax Redis requirement to 7.0 for compatibility with AWS and Ubuntu 24.04 LTS. [#6630]

8.0.0 (from changelog)

• WARNING The underlying class name for Active Jobs has changed from ActiveJob::QueueAdapters::SidekiqAdapter::JobWrapper to Sidekiq::ActiveJob::Wrapper. The old name will still work in 8.x.
• WARNING The created_at, enqueued_at, failed_at and retried_at attributes are now stored as epoch milliseconds, rather than epoch floats. This is meant to avoid precision issues with JSON and JavaScript's 53-bit Floats. Example: "created_at" => 1234567890.123456 -> "created_at" => 1234567890123.
• NEW FEATURE Job Profiling is now supported with Vernier which makes it really easy to performance tune your slow jobs. The Web UI contains a new Profiles tab to view any collected profile data. Please read the new Profiling wiki page for details.
• NEW FEATURE Job Metrics now store up to 72 hours of data and the Web UI allows display of 24/48/72 hours. [#6614]
• CurrentAttribute support now uses ActiveJob::Arguments to serialize the context object, supporting Symbols and GlobalID. The change should be backwards compatible. [#6510]
• Freshen up Sidekiq::Web to simplify the code and improve security [#6532] The CSS has been rewritten from scratch to remove the Bootstrap framework.
• Add on_cancel callback for iterable jobs [#6607]
• Add cursor reader to get the current cursor inside iterable jobs [#6606]
• Default error logging has been modified to use Ruby's Exception#detailed_message and #full_message APIs.
• CI now runs against Redis, Dragonfly and Valkey.
• Job tags now allow custom CSS display [#6595]
• The Web UI's language picker now shows options in the native language
• Remove global variable usage within the codebase
• Colorize and adjust logging for easier reading
• Adjust Sidekiq's default thread priority to -1 for a 50ms timeslice. This can help avoid TimeoutErrors when Sidekiq is overloaded. [#6543]
• Use Logger#with_level, remove Sidekiq's custom impl
• Remove base64 gem dependency
• Support: (Dragonfly 1.27+, Valkey 7.2+, Redis 7.2+), Ruby 3.2+, Rails 7.0+

7.3.9 (from changelog)

• Only require activejob if necessary [#6584]
• Fix iterable job cancellation [#6589]
• Web UI accessibility improvements [#6604]

7.3.8 (from changelog)

• Fix dead tag links [#6554]
• Massive Web UI performance improvement, some pages up to 15x faster [#6555]

7.3.7 (from changelog)

• Backport Sidekiq::Web.configure for compatibility with 8.0 [#6532]
• Backport url_params(key) and route_params(key) for compatibility with 8.0 [#6532]
• Various fixes for UI filtering [#6508]
• Tune inspect for internal S::Components to keep size managable [#6553]

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ connection_pool (2.5.0 → 2.5.3) · Repo · Changelog

Release Notes

2.5.3 (from changelog)

• Fix TruffleRuby/JRuby crash [#201]

2.5.2 (from changelog)

• Rollback inadvertant change to auto_reload_after_fork default. [#200]

2.5.1 (from changelog)

• Pass options to TimedStack in checkout [#195]
• Optimize connection lookup [#196]
• Fixes for use with Ractors

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 17 commits:

• fix: jruby
• fix jruby
• Skip ractor test on rubies without ractor
• fix: Rollback default change, fixes #200
• 251
• Ractor fixes, freeze and dont reference constants if we dont need to
• Update ci.yml (#199)
• doc, bump
• formatting
• more explicit reset
• Test naming tweak
• Style fixes
• Fix cross-test contamination
• Tests for `try_fetch_connection` override
• Wrap `stored?`/`fetch` logic to enable subclass to refactor
• fmt
• Passthru `options` to `TimedStack` in `checkout` (#195)

↗️ logger (indirect, 1.6.6 → 1.7.0) · Repo

Sorry, we couldn't find anything useful about this release.

↗️ rack (indirect, 3.1.11 → 3.1.15) · Repo · Changelog

Security Advisories 🚨

🚨 Rack has an Unbounded-Parameter DoS in Rack::QueryParser

Summary

Rack::QueryParser parses query strings and application/x-www-form-urlencoded bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters.

Details

The vulnerability arises because Rack::QueryParser iterates over each &-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing.

Impact

An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted.

Mitigation

• Update to a version of Rack that limits the number of parameters parsed, or
• Use middleware to enforce a maximum query string size or parameter count, or
• Employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies.

Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.

🚨 Local File Inclusion in Rack::Static

Summary

Rack::Static can serve files under the specified root: even if urls: are provided, which may expose other files under the specified root: unexpectedly.

Details

The vulnerability occurs because Rack::Static does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory.

Impact

By exploiting this vulnerability, an attacker can gain access to all files under the specified root: directory, provided they are able to determine then path of the file.

Mitigation

• Update to the latest version of Rack, or
• Remove usage of Rack::Static, or
• Ensure that root: points at a directory path which only contains files which should be accessed publicly.

It is likely that a CDN or similar static file server would also mitigate the issue.

Release Notes

3.1.15 (from changelog)

• Optional support for CGI::Cookie if not available. (#2327, #2333, @earlopain)

3.1.14 (from changelog)

Security

• CVE-2025-46727 Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion.

3.1.13 (from changelog)

• Ensure Rack::ETag correctly updates response body. (#2324, @ioquatix)

3.1.12 (from changelog)

Security

• CVE-2025-27610 Local file inclusion in Rack::Static.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 11 commits:

• Bump patch version.
• Feature detect `CGI::Cookie`. (#2333)
• Replace usage of `CGI::Cookie` (#2328)
• Test on Ruby v3.4.
• Bump patch version.
• Merge commit from fork
• Bump patch version.
• Ensure `Rack::ETag` correctly updates response body. (#2324)
• Bump patch version.
• Update changelog.
• Use a fully resolved file path when confirming if a file can be served by `Rack::Static`.

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #234.