restify 2.0.2 → 2.1.0

data/vendor/bundle/ruby/4.0.0/gems/racc-1.8.1/README.ja.rdoc

@@ -0,0 +1,58 @@
+= Racc
+
+* https://github.com/ruby/racc
+
+== DESCRIPTION:
+
+  Racc は LALR(1) パーサジェネレータです。
+  yacc の Ruby 版に相当します。
+
+== 必要環境
+
+  *  Ruby 2.5 以降
+
+== インストール
+
+  gem インストール:
+
+    $ gem install racc
+
+== テスト
+
+  sample/ 以下にいくつか Racc の文法ファイルのサンプルが用意
+  してあります。動くのも動かないのもありますが、少なくとも
+  calc-ja.y は動くのでこれを処理してみましょう。Racc をインス
+  トールしたあと
+
+      $ racc -ocalc.rb calc-ja.y
+
+  として下さい。処理は一瞬から数秒で終わるので、
+
+      $ ruby calc.rb
+
+  を実行してください。ちゃんと動いてますか？
+
+  Racc の文法など詳しいことは doc.ja/ ディレクトリ以下の HTML を
+  見てください。
+
+
+== ライセンス
+
+  このパッケージに付属するファイルの著作権は青木峰郎が保持します。
+  ライセンスは Ruby ライセンスです。ただしユーザが書いた規則
+  ファイルや、Racc がそこから生成した Ruby スクリプトはその対象
+  外です。好きなライセンスで配布してください。
+
+
+== バグなど
+
+  Racc を使っていてバグらしき現象に遭遇したら、下記のアドレスまで
+  メールをください。作者にはバグを修正する義務はありませんがその
+  意思はあります。また、そのときはできるだけバグを再現できる文法
+  ファイルを付けてください。
+
+
+                                         青木峰郎(あおきみねろう)
+                                              aamine@loveruby.net
+                                            http://i.loveruby.net
+

data/vendor/bundle/ruby/4.0.0/gems/racc-1.8.1/README.rdoc

@@ -0,0 +1,60 @@
+= Racc
+
+* https://github.com/ruby/racc
+
+== DESCRIPTION:
+
+  Racc is an LALR(1) parser generator.
+  It is written in Ruby itself, and generates Ruby program.
+
+== Requirement
+
+  *  Ruby 2.5 or later.
+
+== Installation
+
+  gem install:
+
+    $ gem install racc
+
+== Testing Racc
+
+  Racc comes with simple calculator. To compile this, on shell:
+
+      $ racc -o calc calc.y
+
+  This process costs few seconds (or less). Then type:
+
+      $ ruby calc
+
+  ... Does it work?
+  For details of Racc, see HTML documents placed under 'doc/en/'
+  and sample grammar files under 'sample/'.
+
+== Release flow
+
+* Update VERSION number of these files
+  * <code>RACC_VERSION</code> in "ext/racc/com/headius/racc/Cparse.java"
+  * <code>VERSION</code> in "lib/racc/info.rb"
+* Release as a gem by <code>rake release</code> with CRuby and JRuby because Racc gem provides 2 packages
+* Create new release on {GitHub}[https://github.com/ruby/racc/releases]
+
+== License
+
+  Racc is distributed under the same terms of ruby.
+  (see the file COPYING). Note that you do NOT need to follow
+  ruby license for your own parser (racc outputs).
+  You can distribute those files under any licenses you want.
+
+
+== Bug Reports
+
+  Any kind of bug report is welcome.
+  If you find a bug of Racc, please report an issue at 
+  https://github.com/ruby/racc/issues. Your grammar file,
+  debug output generated by "racc -g", are helpful.
+
+
+                                                      Minero Aoki
+                                              aamine@loveruby.net
+                                            http://i.loveruby.net

data/vendor/bundle/ruby/{3.4.0/gems/rack-3.1.15 → 4.0.0/gems/rack-3.2.6}/CHANGELOG.md

@@ -2,15 +2,158 @@
 
 All notable changes to this project will be documented in this file. For info on how to format all future additions to this file please reference [Keep A Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [3.2.6] - 2026-04-01
+
+### Security
+
+- [CVE-2026-34763](https://github.com/advisories/GHSA-7mqq-6cf9-v2qp) Root directory disclosure via unescaped regex interpolation in `Rack::Directory`.
+- [CVE-2026-34230](https://github.com/advisories/GHSA-v569-hp3g-36wr) Avoid O(n^2) algorithm in `Rack::Utils.select_best_encoding` which could lead to denial of service.
+- [CVE-2026-32762](https://github.com/advisories/GHSA-qfgr-crr9-7r49) Forwarded header semicolon injection enables Host and Scheme spoofing.
+- [CVE-2026-26961](https://github.com/advisories/GHSA-vgpv-f759-9wx3) Raise error for multipart requests with multiple boundary parameters.
+- [CVE-2026-34786](https://github.com/advisories/GHSA-q4qf-9j86-f5mh) `Rack::Static` `header_rules` bypass via URL-encoded path mismatch.
+- [CVE-2026-34831](https://github.com/advisories/GHSA-q2ww-5357-x388) `Content-Length` mismatch in `Rack::Files` error responses.
+- [CVE-2026-34826](https://github.com/advisories/GHSA-x8cg-fq8g-mxfx) Multipart byte range processing allows denial of service via excessive overlapping ranges.
+- [CVE-2026-34835](https://github.com/advisories/GHSA-g2pf-xv49-m2h5) `Rack::Request` accepts invalid Host characters, enabling host allowlist bypass.
+- [CVE-2026-34830](https://github.com/advisories/GHSA-qv7j-4883-hwh7) `Rack::Sendfile` header-based `X-Accel-Mapping` regex injection enables unauthorized `X-Accel-Redirect`.
+- [CVE-2026-34785](https://github.com/advisories/GHSA-h2jq-g4cq-5ppq) `Rack::Static` prefix matching can expose unintended files under the static root.
+- [CVE-2026-34829](https://github.com/advisories/GHSA-8vqr-qjwx-82mw) Multipart parsing without `Content-Length` header allows unbounded chunked file uploads.
+- [CVE-2026-34827](https://github.com/advisories/GHSA-v6x5-cg8r-vv6x) Quadratic-time multipart header parsing allows denial of service via escape-heavy quoted parameters.
+- [CVE-2026-26962](https://github.com/advisories/GHSA-rx22-g9mx-qrhv) Improper unfolding of folded multipart headers preserves CRLF in parsed parameter values.
+
+## [3.2.5] - 2026-02-16
+
+### Security
+
+- [CVE-2026-25500](https://github.com/advisories/GHSA-whrj-4476-wvmp) XSS injection via malicious filename in `Rack::Directory`.
+- [CVE-2026-22860](https://github.com/advisories/GHSA-mxw3-3hh2-x2mh) Directory traversal via root prefix bypass in `Rack::Directory`.
+
+### Fixed
+
+- Fix `Rack::MockResponse#body` when the body is a Proc. ([#2420](https://github.com/rack/rack/pull/2420), [#2423](https://github.com/rack/rack/pull/2423), [@tavianator](https://github.com/tavianator), [@ioquatix])
+
+## [3.2.4] - 2025-11-03
+
+### Fixed
+
+- Multipart parser: limit MIME header size check to the unread buffer region to avoid false `multipart mime part header too large` errors when previously read data accumulates in the scan buffer. ([#2392](https://github.com/rack/rack/pull/2392), [@alpaca-tc](https://github.com/alpaca-tc), [@willnet](https://github.com/willnet), [@krororo](https://github.com/krororo))
+
+## [3.2.3] - 2025-10-10
+
+### Security
+
+- [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper handling of headers in `Rack::Sendfile` may allow proxy bypass.
+- [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
+
+## [3.2.2] - 2025-10-07
+
+### Security
+
+- [CVE-2025-61772](https://github.com/advisories/GHSA-wpv5-97wm-hp9c) Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
+- [CVE-2025-61771](https://github.com/advisories/GHSA-w9pc-fmgc-vxvw) Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
+- [CVE-2025-61770](https://github.com/advisories/GHSA-p543-xpfm-54cp) Unbounded multipart preamble buffering enables DoS (memory exhaustion)
+
+## [3.2.1] -- 2025-09-02
+
+### Added
+
+- Add support for streaming bodies when using `Rack::Events`. ([#2375](github.com/rack/rack/pull/2375), [@unflxw](https://github.com/unflxw))
+
+### Fixed
+
+- Fix an issue where a `NoMethodError` would be raised when using `Rack::Events` with streaming bodies. ([#2375](github.com/rack/rack/pull/2375), [@unflxw](https://github.com/unflxw))
+
+## [3.2.0] - 2025-07-31
+
+This release continues Rack's evolution toward a cleaner, more efficient foundation while maintaining backward compatibility for most applications. The breaking changes primarily affect deprecated functionality, so most users should experience a smooth upgrade with improved performance and standards compliance.
+
+### SPEC Changes
+
+- Request environment keys must now be strings. ([#2310](https://github.com/rack/rack/issues/2310), [@jeremyevans])
+- Add `nil` as a valid return from a Response `body.to_path` ([#2318](https://github.com/rack/rack/pull/2318), [@MSP-Greg])
+- `Rack::Lint#check_header_value` is relaxed, only disallowing CR/LF/NUL characters. ([#2354](https://github.com/rack/rack/pull/2354), [@ioquatix])
+
+### Added
+
+- Introduce `Rack::VERSION` constant. ([#2199](https://github.com/rack/rack/pull/2199), [@ioquatix])
+- `ISO-2022-JP` encoded parts within MIME Multipart sections of an HTTP request body will now be converted to `UTF-8`. ([#2245](https://github.com/rack/rack/pull/2245), [@nappa](https://github.com/nappa))
+- Add `Rack::Request#query_parser=` to allow setting the query parser to use. ([#2349](https://github.com/rack/rack/pull/2349), [@jeremyevans])
+- Add `Rack::Request#form_pairs` to access form data as raw key-value pairs, preserving duplicate keys. ([#2351](https://github.com/rack/rack/pull/2351), [@matthewd])
+
+### Changed
+
+- Invalid cookie keys will now raise an error. ([#2193](https://github.com/rack/rack/pull/2193), [@ioquatix])
+- `Rack::MediaType#params` now handles empty strings. ([#2229](https://github.com/rack/rack/pull/2229), [@jeremyevans])
+- Avoid unnecessary calls to the `ip_filter` lambda to evaluate `Request#ip` ([#2287](https://github.com/rack/rack/pull/2287), [@willbryant])
+- Only calculate `Request#ip` once per request ([#2292](https://github.com/rack/rack/pull/2292), [@willbryant])
+- `Rack::Builder` `#use`, `#map`, and `#run` methods now return `nil`. ([#2355](https://github.com/rack/rack/pull/2355), [@ioquatix])
+- Directly close the body in `Rack::ConditionalGet` when the response is `304 Not Modified`. ([#2353](https://github.com/rack/rack/pull/2353), [@ioquatix])
+- Directly close the body in `Rack::Head` when the request method is `HEAD`([#2360](https://github.com/rack/rack/pull/2360), [@skipkayhil](https://github.com/skipkayhil))
+
+### Deprecated
+
+- `Rack::Auth::AbstractRequest#request` is deprecated without replacement. ([#2229](https://github.com/rack/rack/pull/2229), [@jeremyevans])
+- `Rack::Request#parse_multipart` (private method designed to be overridden in subclasses) is deprecated without replacement. ([#2229](https://github.com/rack/rack/pull/2229), [@jeremyevans])
+
+### Removed
+
+- `Rack::Request#values_at` is removed. ([#2200](https://github.com/rack/rack/pull/2200), [@ioquatix])
+- `Rack::Logger` is removed with no replacement. ([#2196](https://github.com/rack/rack/pull/2196), [@ioquatix])
+- Automatic cache invalidation in `Rack::Request#{GET,POST}` has been removed. ([#2230](https://github.com/rack/rack/pull/2230), [@jeremyevans])
+- Support for `CGI::Cookie` has been removed. ([#2332](https://github.com/rack/rack/pull/2332), [@ioquatix])
+
+### Fixed
+
+- `Rack::RewindableInput::Middleware` no longer wraps a nil input. ([#2259](https://github.com/rack/rack/pull/2259), [@tt](https://github.com/tt))
+- Fix `NoMethodError` in `Rack::Request#wrap_ipv6` when `x-forwarded-host` is empty. ([#2270](https://github.com/rack/rack/pull/2270), [@oieioi](https://github.com/oieioi))
+- Fix the specification for `SERVER_PORT` which was incorrectly documented as required to be an `Integer` if present - it must be a `String` containing digits only. ([#2296](https://github.com/rack/rack/pull/2296), [@ioquatix])
+- `SERVER_NAME` and `HTTP_HOST` are now more strictly validated according to the relevant specifications. ([#2298](https://github.com/rack/rack/pull/2298), [@ioquatix])
+- `Rack::Lint` now disallows `PATH_INFO="" SCRIPT_NAME=""`. ([#2298](https://github.com/rack/rack/issues/2307), [@jeremyevans])
+
+## [3.1.20] - 2026-02-16
+
+### Security
+
+- [CVE-2026-25500](https://github.com/advisories/GHSA-whrj-4476-wvmp) XSS injection via malicious filename in `Rack::Directory`.
+- [CVE-2026-22860](https://github.com/advisories/GHSA-mxw3-3hh2-x2mh) Directory traversal via root prefix bypass in `Rack::Directory`.
+
+## [3.1.19] - 2025-11-03
+
+### Fixed
+
+- Multipart parser: limit MIME header size check to the unread buffer region to avoid false `multipart mime part header too large` errors when previously read data accumulates in the scan buffer. ([#2392](https://github.com/rack/rack/pull/2392), [@alpaca-tc](https://github.com/alpaca-tc), [@willnet](https://github.com/willnet), [@krororo](https://github.com/krororo))
+
+## [3.1.18] - 2025-10-10
+
+### Security
+
+- [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper handling of headers in `Rack::Sendfile` may allow proxy bypass.
+- [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
+
+## [3.1.17] - 2025-10-07
+
+### Security
+
+- [CVE-2025-61772](https://github.com/advisories/GHSA-wpv5-97wm-hp9c) Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
+- [CVE-2025-61771](https://github.com/advisories/GHSA-w9pc-fmgc-vxvw) Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
+- [CVE-2025-61770](https://github.com/advisories/GHSA-p543-xpfm-54cp) Unbounded multipart preamble buffering enables DoS (memory exhaustion)
+
+## [3.1.16] - 2025-06-04
+
+### Security
+
+- [CVE-2025-49007](https://github.com/advisories/GHSA-47m2-26rw-j2jw) Fix ReDoS in multipart request.
+
 ## [3.1.15] - 2025-05-18
 
 - Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
 
 ## [3.1.14] - 2025-05-06
 
+:warning: **This release includes a security fix that may cause certain routes in previously working applications to fail if query parameters exceed 4,096 in count or 4 MB in total size. See <https://github.com/rack/rack/discussions/2356> for more details.**
+
 ### Security
 
-- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
+- [CVE-2025-46727](https://github.com/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
 
 ## [3.1.13] - 2025-04-13
 
@@ -20,19 +163,19 @@ All notable changes to this project will be documented in this file. For info on
 
 ### Security
 
-- [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
+- [CVE-2025-27610](https://github.com/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
 
 ## [3.1.11] - 2025-03-04
 
 ### Security
 
-- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+- [CVE-2025-27111](https://github.com/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
 
 ## [3.1.10] - 2025-02-12
 
 ### Security
 
-- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
+- [CVE-2025-25184](https://github.com/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
 
 ## [3.1.9] - 2025-01-31
 
@@ -65,7 +208,7 @@ All notable changes to this project will be documented in this file. For info on
 
 ### Security
 
-- Fix potential ReDoS attack in `Rack::Request#parse_http_accept_header`. ([GHSA-cj83-2ww7-mvq7](https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7), [@dwisiswant0](https://github.com/dwisiswant0))
+- Fix potential ReDoS attack in `Rack::Request#parse_http_accept_header`. ([GHSA-cj83-2ww7-mvq7](https://github.com/advisories/GHSA-cj83-2ww7-mvq7), [@dwisiswant0](https://github.com/dwisiswant0))
 
 ## [3.1.4] - 2024-06-22
 
@@ -92,7 +235,7 @@ All notable changes to this project will be documented in this file. For info on
 
 :warning: **This release includes several breaking changes.** Refer to the **Removed** section below for the list of deprecated methods that have been removed in this release.
 
-Rack v3.1 is primarily a maintenance release that removes features deprecated in Rack v3.0. Alongside these removals, there are several improvements to the Rack SPEC, mainly focused on enhancing input and output handling. These changes aim to make Rack more efficient and align better with the requirements of server implementations and relevant HTTP specifications.
+This release is primarily a maintenance release that removes features deprecated in Rack v3.0. Alongside these removals, there are several improvements to the Rack SPEC, mainly focused on enhancing input and output handling. These changes aim to make Rack more efficient and align better with the requirements of server implementations and relevant HTTP specifications.
 
 ### SPEC Changes
 
@@ -143,16 +286,21 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
 
 - In `Rack::Files`, ignore the `Range` header if served file is 0 bytes. ([#2159](https://github.com/rack/rack/pull/2159), [@zarqman])
 
+## [3.0.18] - 2025-05-22
+
+- Fix incorrect backport of optional `CGI::Cookie` support. ([#2335](https://github.com/rack/rack/pull/2335), [@jeremyevans])
+
 ## [3.0.17] - 2025-05-18
 
 - Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
 
-
 ## [3.0.16] - 2025-05-06
 
+:warning: **This release includes a security fix that may cause certain routes in previously working applications to fail if query parameters exceed 4,096 in count or 4 MB in total size. See <https://github.com/rack/rack/discussions/2356> for more details.**
+
 ### Security
 
-- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
+- [CVE-2025-46727](https://github.com/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
 
 ## [3.0.15] - 2025-04-13
 
@@ -162,19 +310,23 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
 
 ### Security
 
-- [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
+- [CVE-2025-27610](https://github.com/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
 
 ## [3.0.13] - 2025-03-04
 
 ### Security
 
-- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+- [CVE-2025-27111](https://github.com/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+
+### Fixed
+
+- Remove autoloads for constants no longer shipped with Rack. ([#2269](https://github.com/rack/rack/pull/2269), [@ccutrer](https://github.com/ccutrer))
 
 ## [3.0.12] - 2025-02-12
 
 ### Security
 
-- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
+- [CVE-2025-25184](https://github.com/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
 
 ## [3.0.11] - 2024-05-10
 
@@ -264,6 +416,8 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
 
 ## [3.0.0] - 2022-09-06
 
+This release introduces major improvements to Rack, including enhanced support for streaming responses, expanded protocol handling, and stricter compliance with HTTP standards. It refines middleware interfaces, improves multipart and hijack handling, and strengthens security and error reporting. The update also brings performance optimizations, better compatibility with modern Ruby versions, and numerous bug fixes, making Rack more robust and flexible for web application development.
+
 - No changes
 
 ## [3.0.0.rc1] - 2022-09-04
@@ -304,7 +458,7 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
 - Remove deprecated Rack::Request::SCHEME_WHITELIST. ([@jeremyevans])
 - Remove internal cookie deletion using pattern matching, there are very few practical cases where it would be useful and browsers handle it correctly without us doing anything special. ([#1844](https://github.com/rack/rack/pull/1844), [@ioquatix])
 - Remove `rack.version` as it comes too late to be useful. ([#1938](https://github.com/rack/rack/pull/1938), [@ioquatix])
-- Extract `rackup` command, `Rack::Server`, `Rack::Handler`, `Rack::Lobster` and related code into a separate gem. ([#1937](https://github.com/rack/rack/pull/1937), [@ioquatix])
+- Extract `rackup` command, `Rack::Server`, `Rack::Handler` and related code into a separate gem. ([#1937](https://github.com/rack/rack/pull/1937), [@ioquatix])
 
 ### Added
 
@@ -352,33 +506,77 @@ Rack v3.1 is primarily a maintenance release that removes features deprecated in
 - Fix multipart filename generation for filenames that contain spaces. Encode spaces as "%20" instead of "+" which will be decoded properly by the multipart parser. ([#1736](https://github.com/rack/rack/pull/1645), [@muirdm](https://github.com/muirdm))
 - `Rack::Request#scheme` returns `ws` or `wss` when one of the `X-Forwarded-Scheme` / `X-Forwarded-Proto` headers is set to `ws` or `wss`, respectively. ([#1730](https://github.com/rack/rack/issues/1730), [@erwanst](https://github.com/erwanst))
 
+## [2.2.22] - 2026-02-16
+
+### Security
+
+- [CVE-2026-25500](https://github.com/advisories/GHSA-whrj-4476-wvmp) XSS injection via malicious filename in `Rack::Directory`.
+- [CVE-2026-22860](https://github.com/advisories/GHSA-mxw3-3hh2-x2mh) Directory traversal via root prefix bypass in `Rack::Directory`.
+
+## [2.2.21] - 2025-11-03
+
+### Fixed
+
+- Multipart parser: limit MIME header size check to the unread buffer region to avoid false `multipart mime part header too large` errors when previously read data accumulates in the scan buffer. ([#2392](https://github.com/rack/rack/pull/2392), [@alpaca-tc](https://github.com/alpaca-tc), [@willnet](https://github.com/willnet), [@krororo](https://github.com/krororo))
+
+## [2.2.20] - 2025-10-10
+
+### Security
+
+- [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper handling of headers in `Rack::Sendfile` may allow proxy bypass.
+- [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion.
+
+## [2.2.19] - 2025-10-07
+
+### Security
+
+- [CVE-2025-61772](https://github.com/advisories/GHSA-wpv5-97wm-hp9c) Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
+- [CVE-2025-61771](https://github.com/advisories/GHSA-w9pc-fmgc-vxvw) Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
+- [CVE-2025-61770](https://github.com/advisories/GHSA-p543-xpfm-54cp) Unbounded multipart preamble buffering enables DoS (memory exhaustion)
+
+## [2.2.18] - 2025-09-25
+
+### Security
+
+- [CVE-2025-59830](https://github.com/advisories/GHSA-625h-95r8-8xpm) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion via semicolon-separated parameters.
+
+## [2.2.17] - 2025-06-03
+
+- Backport `Rack::MediaType#params` now handles parameters without values. ([#2263](https://github.com/rack/rack/pull/2263), [@AllyMarthaJ](https://github.com/AllyMarthaJ))
+
+## [2.2.16] - 2025-05-22
+
+- Fix incorrect backport of optional `CGI::Cookie` support. ([#2335](https://github.com/rack/rack/pull/2335), [@jeremyevans])
+
 ## [2.2.15] - 2025-05-18
 
 - Optional support for `CGI::Cookie` if not available. ([#2327](https://github.com/rack/rack/pull/2327), [#2333](https://github.com/rack/rack/pull/2333), [@earlopain])
 
 ## [2.2.14] - 2025-05-06
 
+:warning: **This release includes a security fix that may cause certain routes in previously working applications to fail if query parameters exceed 4,096 in count or 4 MB in total size. See <https://github.com/rack/rack/discussions/2356> for more details.**
+
 ### Security
 
-- [CVE-2025-46727](https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
+- [CVE-2025-46727](https://github.com/advisories/GHSA-gjh7-p2fx-99vx) Unbounded parameter parsing in `Rack::QueryParser` can lead to memory exhaustion.
 
 ## [2.2.13] - 2025-03-11
 
 ### Security
 
-- [CVE-2025-27610](https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
+- [CVE-2025-27610](https://github.com/advisories/GHSA-7wqh-767x-r66v) Local file inclusion in `Rack::Static`.
 
 ## [2.2.12] - 2025-03-04
 
 ### Security
 
-- [CVE-2025-27111](https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
+- [CVE-2025-27111](https://github.com/advisories/GHSA-8cgq-6mh2-7j6v) Possible Log Injection in `Rack::Sendfile`.
 
 ## [2.2.11] - 2025-02-12
 
 ### Security
 
-- [CVE-2025-25184](https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
+- [CVE-2025-25184](https://github.com/advisories/GHSA-7g2v-jj9q-g3rg) Possible Log Injection in `Rack::CommonLogger`.
 
 ## [2.2.10] - 2024-10-14
 
@@ -1144,3 +1342,5 @@ Items below this line are from the previously maintained HISTORY.md and NEWS.md
 [@BlakeWilliams]: https://github.com/BlakeWilliams "Blake Williams"
 [@davidstosik]: https://github.com/davidstosik "David Stosik"
 [@earlopain]: https://github.com/earlopain "Earlopain"
+[@wynksaiddestroy]: https://github.com/wynksaiddestroy "Fabian Winkler"
+[@matthewd]: https://github.com/matthewd "Matthew Draper"

data/vendor/bundle/ruby/{3.4.0/gems/rack-3.1.15 → 4.0.0/gems/rack-3.2.6}/README.md

@@ -6,26 +6,43 @@ way possible, it unifies and distills the bridge between web servers, web
 frameworks, and web application into a single method call.
 
 The exact details of this are described in the [Rack Specification], which all
-Rack applications should conform to.
+Rack applications should conform to. Browse the [Documentation] for more
+information.
 
 ## Version support
 
 | Version  | Support                            |
 |----------|------------------------------------|
-|    3.0.x | Bug fixes and security patches.    |
+|    3.2.x | Bug fixes and security patches.    |
+|    3.1.x | Security patches only.             |
+|    3.0.x | End of support.                    |
 |    2.2.x | Security patches only.             |
 | <= 2.1.x | End of support.                    |
 
+**Rack 2.2.x is in security maintenance mode**. Please upgrade to Rack 3.1+ as soon
+as possible to ensure you are receiving the latest features and security patches.
+
 Please see the [Security Policy] for more information.
 
-## Rack 3.0
+## Change log
+
+See the [Changelog](CHANGELOG.md) for a detailed list of changes in each version of Rack.
+
+### Rack 3.2 (latest release)
+
+This version of rack contains bug fixes and security patches.
+
+### Rack 3.1
 
-This is the latest version of Rack. It contains API improvements but also some
-breaking changes. Please check the [Upgrade Guide](UPGRADE-GUIDE.md) for more
-details about migrating servers, middlewares and applications designed for Rack 2
-to Rack 3. For detailed information on specific changes, check the [Change Log](CHANGELOG.md).
+This version of rack contains bug fixes and security patches.
 
-## Rack 2.2
+### Rack 3.0
+
+This version of rack contains significant changes which are detailed in the
+[Upgrade Guide](UPGRADE-GUIDE.md). It is recommended to upgrade to Rack 3 as soon
+as possible to receive the latest features and security patches.
+
+### Rack 2.2
 
 This version of Rack is receiving security patches only, and effort should be
 made to move to Rack 3.
@@ -69,6 +86,8 @@ server](#supported-web-servers).
 ```bash
 $ gem install rackup
 $ rackup
+
+# In another shell:
 $ curl http://localhost:9292
 Hello World
 ```
@@ -83,6 +102,7 @@ Rack is supported by a wide range of servers, including:
 * [NGINX Unit](https://unit.nginx.org/)
 * [Phusion Passenger](https://www.phusionpassenger.com/) (which is mod_rack for
   Apache and for nginx)
+* [Pitchfork](https://github.com/Shopify/pitchfork)
 * [Puma](https://puma.io/)
 * [Thin](https://github.com/macournoyer/thin)
 * [Unicorn](https://yhbt.net/unicorn/)
@@ -132,11 +152,9 @@ middleware:
 * `Rack::ETag` for setting `etag` header on bodies that can be buffered.
 * `Rack::Events` for providing easy hooks when a request is received and when
   the response is sent.
-* `Rack::Files` for serving static files.
 * `Rack::Head` for returning an empty body for HEAD requests.
 * `Rack::Lint` for checking conformance to the [Rack Specification].
 * `Rack::Lock` for serializing requests using a mutex.
-* `Rack::Logger` for setting a logger to handle logging errors.
 * `Rack::MethodOverride` for modifying the request method based on a submitted
   parameter.
 * `Rack::Recursive` for including data from other paths in the application, and
@@ -150,7 +168,7 @@ middleware:
   a nice and helpful way with clickable backtrace.
 * `Rack::ShowStatus` for using nice error pages for empty client error
   responses.
-* `Rack::Static` for more configurable serving of static files.
+* `Rack::Static` for configurable serving of static files.
 * `Rack::TempfileReaper` for removing temporary files creating during a request.
 
 All these components use the same interface, which is described in detail in the
@@ -172,6 +190,8 @@ quickly and without doing the same web stuff all over:
   returns a not found or method not supported response.
 * `Rack::Directory` for serving files under a given directory, with directory
   indexes.
+* `Rack::Files` for serving files under a given directory, without directory
+  indexes.
 * `Rack::MediaType` for parsing content-type headers.
 * `Rack::Mime` for determining content-type based on file extension.
 * `Rack::RewindableInput` for making any IO object rewindable, using a temporary
@@ -210,6 +230,14 @@ query string, before attempting parsing, so if the same parameter key is
 used multiple times in the query, each counts as a separate parameter for
 this check.
 
+### `RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT`
+
+This environment variable sets the maximum amount of memory Rack will use
+to buffer multipart parameters when parsing a request body. This considers
+the size of the multipart mime headers and the body part for multipart
+parameters that are buffered in memory and do not use tempfiles. This
+defaults to 16MB if not provided.
+
 ### `param_depth_limit`
 
 ```ruby
@@ -247,7 +275,6 @@ Can also be set via the `RACK_MULTIPART_FILE_LIMIT` environment variable.
 
 (This is also aliased as `multipart_part_limit` and `RACK_MULTIPART_PART_LIMIT` for compatibility)
 
-
 ### `multipart_total_part_limit`
 
 The maximum total number of parts a request can contain of any type, including
@@ -260,18 +287,12 @@ Set to 0 for no limit.
 
 Can also be set via the `RACK_MULTIPART_TOTAL_PART_LIMIT` environment variable.
 
-
-## Changelog
-
-See [CHANGELOG.md](CHANGELOG.md).
-
 ## Contributing
 
 See [CONTRIBUTING.md](CONTRIBUTING.md) for specific details about how to make a
 contribution to Rack.
 
-Please post bugs, suggestions and patches to [GitHub
-Issues](https://github.com/rack/rack/issues).
+Please post bugs, suggestions and patches to [GitHub Issues](https://github.com/rack/rack/issues).
 
 Please check our [Security Policy](https://github.com/rack/rack/security/policy)
 for responsible disclosure and security bug reporting process. Due to wide usage
@@ -281,6 +302,13 @@ is greatly appreciated.
 
 ## See Also
 
+### `rackup`
+
+A useful tool for running Rack applications from the command line, including
+`Rackup::Server` (previously `Rack::Server`) for scripting servers.
+
+* https://github.com/rack/rackup
+
 ### `rack-contrib`
 
 The plethora of useful middleware created the need for a project that collects
@@ -351,5 +379,6 @@ would like to thank:
 
 Rack is released under the [MIT License](MIT-LICENSE).
 
-[Rack Specification]: SPEC.rdoc
+[Rack Specification]: https://rack.github.io/rack/main/SPEC_rdoc.html
+[Documentation]: https://rack.github.io/rack/
 [Security Policy]: SECURITY.md