From 74035331facb9ecf37fed160941f7f3f106d6e67 Mon Sep 17 00:00:00 2001 From: Rachel Date: Fri, 27 Feb 2026 05:07:57 -0800 Subject: [PATCH] ops: Bump elasticsearch gem to 8.14.0 (#421) ### https://github.com/elastic/search-team/issues/12889 This version bump updates the transitive dependency on `faraday`; `elasticsearch@8.13.0` inherits `faraday@2.8.1` via `elastic-transport@8.3.2`, which is vulnerable to [CVE-2026-25765](https://github.com/advisories/GHSA-33mh-2634-fwr2). `elasticsearch@8.14.0` transitively depends on `faraday@2.14.1`, which fixes this vulnerability. ### Checklists #### Pre-Review Checklist - [x] This PR does NOT contain credentials of any kind, such as API keys or username/passwords (double check `crawler.yml.example` and `elasticsearch.yml.example`) - [x] This PR has a meaningful title - [x] This PR links to all relevant GitHub issues that it fixes or partially addresses - If there is no GitHub issue, please create it. Each PR should have a link to an issue - [x] this PR has a thorough description - [x] Added a label for each target release version (example: `v0.1.0`) - [x] Considered corresponding documentation changes - [x] Contributed any configuration settings changes to the configuration reference - [x] Ran `make notice` if any dependencies have been added --- Gemfile | 2 +- Gemfile.lock | 8 ++++---- NOTICE.txt | 21 +++------------------ 3 files changed, 8 insertions(+), 23 deletions(-) diff --git a/Gemfile b/Gemfile index 7f0970c8..01e35cdb 100644 --- a/Gemfile +++ b/Gemfile @@ -26,7 +26,7 @@ group :default do gem 'addressable', '>= 2.8.0' gem 'concurrent-ruby', '~> 1.1.4' gem 'dry-cli', '~> 0.7.0' - gem 'elasticsearch', '~> 8.13.0' + gem 'elasticsearch', '~> 8.14.0' gem 'json-schema', '~> 4.3.0' gem 'rexml', '~> 3.4.2' gem 'rufus-scheduler', '~> 3.9.1' diff --git a/Gemfile.lock b/Gemfile.lock index b07c1d64..d44aa92e 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -33,10 +33,10 @@ GEM elastic-transport (8.3.2) faraday (< 3) multi_json - elasticsearch (8.13.0) + elasticsearch (8.14.0) elastic-transport (~> 8.3) - elasticsearch-api (= 8.13.0) - elasticsearch-api (8.13.0) + elasticsearch-api (= 8.14.0) + elasticsearch-api (8.14.0) multi_json et-orbi (1.2.11) tzinfo @@ -163,7 +163,7 @@ DEPENDENCIES bundler (~> 2.6.6) concurrent-ruby (~> 1.1.4) dry-cli (~> 0.7.0) - elasticsearch (~> 8.13.0) + elasticsearch (~> 8.14.0) factory_bot (~> 6.2.0) faux! httpclient diff --git a/NOTICE.txt b/NOTICE.txt index 7933530b..b80fbeca 100644 --- a/NOTICE.txt +++ b/NOTICE.txt @@ -813,7 +813,7 @@ License: Apache-2.0 limitations under the License. -------------------------------------------------------------------------------- -Library: elasticsearch 8.13.0 +Library: elasticsearch 8.14.0 URL: https://www.elastic.co/guide/en/elasticsearch/client/ruby-api/current/index.html License: Apache-2.0 @@ -1021,7 +1021,7 @@ License: Apache-2.0 limitations under the License. -------------------------------------------------------------------------------- -Library: elasticsearch-api 8.13.0 +Library: elasticsearch-api 8.14.0 URL: https://www.elastic.co/guide/en/elasticsearch/client/ruby-api/current/index.html License: Apache-2.0 
@@ -1537,21 +1537,6 @@ LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. --------------------------------------------------------------------------------- -Library: nokogiri 1.18.8 -URL: https://nokogiri.org -License: MIT - -The MIT License - -Copyright 2008 -- 2023 by Mike Dalessio, Aaron Patterson, Yoko Harada, Akinori MUSHA, John Shahid, Karol Bucek, Sam Ruby, Craig Barnes, Stephen Checkoway, Lars Kanis, Sergio Arbeo, Timothy Elliott, Nobuyoshi Nakada, Charles Nutter, Patrick Mahoney. - -Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - -------------------------------------------------------------------------------- Library: public_suffix 6.0.1 URL: https://simonecarletti.com/code/publicsuffix-ruby 
@@ -1639,7 +1624,7 @@ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- -Library: rexml 3.4.0 +Library: rexml 3.4.2 URL: https://github.com/ruby/rexml License: BSD-2-Clause
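Review bot: the `~> 8.14.0` bump on the `gem 'elasticsearch'` line in the Gemfile hunk does not by itself move `faraday`; the only constraint on `faraday` visible anywhere in this patch is the unchanged `faraday (< 3)` under `elastic-transport (8.3.2)` in the lock, which 2.8.1 already satisfies. The safe `faraday` version the description relies on is therefore established (or not) by Gemfile.lock resolution, not by this pin, and the description should say which lock entry proves it.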
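Review bot: neither Gemfile.lock hunk touches the `faraday` entry, and the diffstat `Gemfile.lock | 8 ++++----` is fully accounted for by the `elasticsearch (8.13.0)`/`elasticsearch-api (= 8.13.0)`/`elasticsearch-api (8.13.0)` lines in the first hunk and the `elasticsearch (~> 8.13.0)` line under DEPENDENCIES, so the resolved `faraday` version in the lock is not changed by this PR even though the description says `faraday@2.8.1` is replaced by `faraday@2.14.1`. `elastic-transport` stays at 8.3.2 with `faraday (< 3)`, so Bundler had no reason to re-resolve faraday when only `elasticsearch` was bumped. Before merging, run `bundle update faraday` (optionally with `--conservative`) and confirm the lock gains a `faraday (2.14.1)` line; `bundle exec ruby -e 'require "faraday"; puts Faraday::VERSION'` shows what the bundle actually loads.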
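Review bot: the NOTICE.txt hunks bump the `Library: elasticsearch` and `Library: elasticsearch-api` entries to 8.14.0, but there is no hunk for a `faraday` entry, which matches the lock leaving faraday where it was. Once faraday is actually updated in Gemfile.lock, re-run `make notice` so NOTICE.txt carries the version that ships, and mention the regenerated entry in the description.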
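Review bot: the removal of the whole `Library: nokogiri 1.18.8` block from NOTICE.txt is unrelated to the elasticsearch bump and is not mentioned in the description. Nothing in the Gemfile.lock diff removes nokogiri, so either it is still in the lock and the regenerated NOTICE now omits a shipped dependency's licence text, or it was dropped in an earlier change and this PR is silently catching up. Either way, state which in the description (or split the NOTICE cleanup into its own PR) so the licence-notice change is traceable.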
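Review bot: the `Library: rexml 3.4.0` to `3.4.2` change in the last NOTICE.txt hunk has no matching Gemfile.lock hunk; the Gemfile already carries `gem 'rexml', '~> 3.4.2'`, so this is `make notice` catching up with a bump that happened earlier, not part of this change. A line in the description saying so would save reviewers looking for a lock change that is not there.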
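As an added illustration of the check a reviewer of this patch would want to run (example code written here, not code from the crawler project or from Elastic), the following Ruby parses the `specs:` section of a Gemfile.lock with only the `Gem::Version` and `Gem::Requirement` classes that ship with Ruby, reports which version of a gem is actually pinned, traces the dependency chain that pulls it in, lists the constraints other gems place on it, and compares the pinned version with the first fixed release. The lockfile excerpt is constructed for the example and mirrors the shape of the hunks in this patch, with `elasticsearch` at 8.14.0 and `faraday` still at 2.8.1; the function names `parse_specs`, `resolved_version`, `dependents_of`, `dependency_path` and `fixed?` are chosen here, and the parser deliberately covers only the GEM section (Bundler's own `Bundler::LockfileParser` handles GIT and PATH sources as well).

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby

# Constructed Gemfile.lock excerpt for this example (not the crawler's real lockfile).
# It mirrors the shape of the hunks in the patch: elasticsearch bumped to 8.14.0 while
# elastic-transport still only demands `faraday (< 3)`, so faraday stays at 2.8.1.
LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      elastic-transport (8.3.2)
        faraday (< 3)
        multi_json
      elasticsearch (8.14.0)
        elastic-transport (~> 8.3)
        elasticsearch-api (= 8.14.0)
      elasticsearch-api (8.14.0)
        multi_json
      faraday (2.8.1)
        faraday-net_http (>= 2.0, < 3.1)
      faraday-net_http (3.0.2)
      multi_json (1.15.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    elasticsearch (~> 8.14.0)
LOCK

# Lockfile layout under GEM/specs: a spec header is indented 4 spaces, its dependencies 6.
SPEC_LINE = /\A {4}(\S+) \(([^)\-]+)(?:-[^)]+)?\)\z/ # "name (version)" or "name (version-platform)"
DEP_LINE  = /\A {6}(\S+)(?: \((.+)\))?\z/             # "name" or "name (req, req)"

# Returns { gem name => { version: Gem::Version, deps: { dep name => Gem::Requirement } } }
# built from the GEM section only; GIT/PATH sources and the other sections are ignored.
def parse_specs(lock_text)
  specs = {}
  current = nil
  in_gem = false
  lock_text.each_line(chomp: true) do |line|
    in_gem = (line == "GEM") if line.match?(/\A\S/) # an unindented line starts a new section
    next unless in_gem
    if (m = SPEC_LINE.match(line))
      current = specs[m[1]] = { version: Gem::Version.new(m[2]), deps: {} }
    elsif current && (m = DEP_LINE.match(line))
      current[:deps][m[1]] = Gem::Requirement.new(m[2] ? m[2].split(", ") : ">= 0")
    end
  end
  specs
end

# The version the bundle will actually load, or nil if the gem is not in the lock at all.
def resolved_version(specs, gem_name)
  spec = specs[gem_name]
  spec && spec[:version].to_s
end

# Every spec that declares a dependency on gem_name, with the constraint it imposes.
# A constraint like "< 3" is satisfied by a vulnerable 2.8.1 just as well as by 2.14.1,
# which is why bumping a top-level gem can leave a transitive gem exactly where it was.
def dependents_of(specs, gem_name)
  specs.each_with_object({}) do |(name, spec), out|
    req = spec[:deps][gem_name]
    out[name] = req.to_s if req
  end
end

# Depth-first walk from a top-level gem to the gem of interest; returns the chain of
# names (e.g. elasticsearch -> elastic-transport -> faraday) or nil if it is unreachable.
def dependency_path(specs, from, to, seen = {})
  return [from] if from == to
  return nil if seen[from] || !specs.key?(from)
  seen[from] = true
  specs[from][:deps].each_key do |dep|
    rest = dependency_path(specs, dep, to, seen)
    return [from] + rest if rest
  end
  nil
end

# true/false for whether the pinned version is at or above the first fixed release;
# nil when the gem is absent from the lock (nothing to fix, but also nothing to trust).
def fixed?(specs, gem_name, fixed_in)
  spec = specs[gem_name]
  return nil unless spec
  spec[:version] >= Gem::Version.new(fixed_in)
end

if $PROGRAM_NAME == __FILE__
  specs = parse_specs(LOCK)
  puts "faraday pinned at:  #{resolved_version(specs, 'faraday')}"
  puts "pulled in through:  #{dependency_path(specs, 'elasticsearch', 'faraday').join(' -> ')}"
  puts "constrained by:     #{dependents_of(specs, 'faraday')}"
  puts "at/above 2.14.1?    #{fixed?(specs, 'faraday', '2.14.1')}"
end
```

Run against a real Gemfile.lock by replacing `LOCK` with `File.read("Gemfile.lock")`; on the constructed excerpt the chain is `elasticsearch -> elastic-transport -> faraday`, the only constraint is `< 3`, and `fixed?` reports false, which is exactly the state a lock that bumps `elasticsearch` without re-resolving `faraday` would be in.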