Description
The ferrum gem currently relies on webrick as a hard runtime dependency in its gemspec. Because webrick was extracted from the Ruby standard library, it receives fewer updates and has recently been hit with a security vulnerability that forces automated bundle security audits (like bundler-audit or Dependabot) to fail.
Running security checks against a project using ferrum now throws the following vulnerability warning:
Name: webrick
Version: 1.9.2
CVE: CVE-2026-38969
GHSA: GHSA-h4w6-wx8r-p68v
Criticality: Unknown
URL: https://nvd.nist.gov/vuln/detail/CVE-2026-38969
Title: ruby webrick through v1.9.2 WEBrick reparses trailer
Solution: remove or disable this gem until a patch is available!
Why this is a problem
Because webrick is a hard dependency of ferrum, downstream users of ferrum and cuprite cannot simply delete or exclude webrick from their projects without breaking Bundler resolution. This blocks CI/CD pipelines that enforce strict security audit checks.
Suggested Solutions
-
Make WEBrick an Optional Dependency: Remove spec.add_dependency "webrick" from ferrum.gemspec. Instead, wrap the internal proxy initialization in a lazy-load check:
begin
require "webrick"
rescue LoadError
raise "Please add `gem 'webrick'` to your Gemfile to use Ferrum's proxy/request interception features."
end
This ensures standard browser interaction testing doesn't bundle the vulnerable gem by default.
-
Migrate away from WEBrick: Refactor the internal proxy server to use a modern, actively maintained and secure alternative (like a minimal rack-compatible server setup or async-http).
Are the maintainers open to a Pull Request implementing option 1 to unblock downstream security audits?
Description
The
ferrumgem currently relies onwebrickas a hard runtime dependency in its gemspec. Becausewebrickwas extracted from the Ruby standard library, it receives fewer updates and has recently been hit with a security vulnerability that forces automated bundle security audits (likebundler-auditor Dependabot) to fail.Running security checks against a project using
ferrumnow throws the following vulnerability warning:Why this is a problem
Because
webrickis a hard dependency offerrum, downstream users offerrumandcupritecannot simply delete or excludewebrickfrom their projects without breaking Bundler resolution. This blocks CI/CD pipelines that enforce strict security audit checks.Suggested Solutions
Make WEBrick an Optional Dependency: Remove
spec.add_dependency "webrick"fromferrum.gemspec. Instead, wrap the internal proxy initialization in a lazy-load check:This ensures standard browser interaction testing doesn't bundle the vulnerable gem by default.
Migrate away from WEBrick: Refactor the internal proxy server to use a modern, actively maintained and secure alternative (like a minimal rack-compatible server setup or
async-http).Are the maintainers open to a Pull Request implementing option 1 to unblock downstream security audits?