
ops: Bump elasticsearch gem to 8.14.0 #421

Merged
seanstory merged 1 commit into main from rachel/elasticsearch-8.14.0 on Feb 27, 2026

@lhearachel
Contributor

https://github.com/elastic/search-team/issues/12889

This version bump updates the transitive dependency on faraday; elasticsearch@8.13.0 inherits faraday@2.8.1 via elastic-transport@8.3.2, which is vulnerable to CVE-2026-25765. elasticsearch@8.14.0 transitively depends on faraday@2.14.1, which fixes this vulnerability.

Checklists

Pre-Review Checklist

  • This PR does NOT contain credentials of any kind, such as API keys or username/passwords (double check crawler.yml.example and elasticsearch.yml.example)
  • This PR has a meaningful title
  • This PR links to all relevant GitHub issues that it fixes or partially addresses
    • If there is no GitHub issue, please create it. Each PR should have a link to an issue
  • This PR has a thorough description
  • Added a label for each target release version (example: v0.1.0)
  • Considered corresponding documentation changes
  • Contributed any configuration settings changes to the configuration reference
  • Ran make notice if any dependencies have been added
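
The Ruby below is an added example, not part of this PR or the project's code: it reads a Gemfile.lock, compares the locked faraday version against the fixed 2.14.1 named in the description, and lists the dependency chains that pull faraday in. The lockfile text is constructed and the function names are hypothetical.

```ruby
# Constructed lockfile excerpt: versions from the PR description, constraints illustrative.
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      elastic-transport (8.3.2)
        faraday (< 3)
      elasticsearch (8.13.0)
        elastic-transport (~> 8.3)
      faraday (2.8.1)
  DEPENDENCIES
    elasticsearch (= 8.13.0)
LOCK

# Parse the GEM section into { name => { version:, deps: [names] } };
# a platform suffix such as "-x86_64-linux" is dropped from the version.
def parse_lock_specs(text)
  specs, current, in_gem = {}, nil, false
  text.each_line do |line|
    if line.match?(/\A\S/) # section header: GEM, PLATFORMS, DEPENDENCIES, ...
      in_gem = line.strip == "GEM"
    elsif in_gem && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      current = specs[m[1]] = { version: Gem::Version.new(m[2].split("-").first), deps: [] }
    elsif in_gem && current && (m = line.match(/\A {6}(\S+)/))
      current[:deps] << m[1]
    end
  end
  specs
end

# Chains from each top-level gem (one nothing else depends on) down to target.
def paths_to(specs, target)
  roots = specs.keys - specs.values.flat_map { |s| s[:deps] }
  walk = lambda do |name, trail|
    next [] if trail.include?(name) || !specs.key?(name) # cycle or unlocked dep
    next [trail + [name]] if name == target
    specs[name][:deps].flat_map { |dep| walk.call(dep, trail + [name]) }
  end
  roots.flat_map { |root| walk.call(root, []) }
end

# Assumption: any version below fixed_version needs the bump (check the
# advisory's affected range). Gem::Version compares numerically: 2.8.1 < 2.14.1.
def audit_transitive(lock_text, gem_name, fixed_version)
  specs = parse_lock_specs(lock_text)
  locked = specs.dig(gem_name, :version)
  return { locked: nil, below_fixed: false, paths: [] } unless locked
  { locked: locked.to_s, below_fixed: locked < Gem::Version.new(fixed_version),
    paths: paths_to(specs, gem_name).map { |p| p.join(" -> ") } }
end

p audit_transitive(SAMPLE_LOCK, "faraday", "2.14.1")
```

A plain string comparison would rank "2.8.1" above "2.14.1", which is why the check goes through Gem::Version.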

@seanstory seanstory merged commit b90731c into main Feb 27, 2026
5 checks passed
@seanstory seanstory deleted the rachel/elasticsearch-8.14.0 branch February 27, 2026 13:08
github-actions bot pushed a commit that referenced this pull request Feb 27, 2026
### elastic/search-team#12889

This version bump updates the transitive dependency on `faraday`;
`elasticsearch@8.13.0` inherits `faraday@2.8.1` via
`elastic-transport@8.3.2`, which is vulnerable to
[CVE-2026-25765](GHSA-33mh-2634-fwr2).
`elasticsearch@8.14.0` transitively depends on `faraday@2.14.1`, which
fixes this vulnerability.

### Checklists

#### Pre-Review Checklist
- [x] This PR does NOT contain credentials of any kind, such as API keys
or username/passwords (double check `crawler.yml.example` and
`elasticsearch.yml.example`)
- [x] This PR has a meaningful title
- [x] This PR links to all relevant GitHub issues that it fixes or
partially addresses
- If there is no GitHub issue, please create it. Each PR should have a
link to an issue
- [x] This PR has a thorough description
- [x] Added a label for each target release version (example: `v0.1.0`)
- [x] Considered corresponding documentation changes
- [x] Contributed any configuration settings changes to the
configuration reference
- [x] Ran `make notice` if any dependencies have been added
@github-actions

💚 Backport PR(s) successfully created

| Status | Branch | Result |
| --- | --- | --- |
|  | 0.4 | #423 |

This backport PR will be merged automatically after passing CI.
