From 7fd8942b6d46da66af23fa44b56797dcde82ba3e Mon Sep 17 00:00:00 2001 From: Jagdeep Singh <1057835+jagdeepsingh@users.noreply.github.com> Date: Fri, 19 Jun 2026 21:22:19 +0900 Subject: [PATCH] Allow excon 1.x to address CVE-2026-54171 (GHSA-48rx-c7pg-q66r) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit excon < 1.5.0 is affected by a redirect header-leak advisory (CVE-2026-54171), fixed in excon >= 1.5.0. The current `~> 0.20` constraint caps excon below 1.0, preventing downstream apps from upgrading to a patched release. This widens the ceiling to `< 2` while keeping the existing `>= 0.20` floor for backward compatibility. The client only uses stable excon APIs (Excon.new, Excon.get/post, Excon::Errors::SocketError, Excon::Response.new), all of which are present and unchanged in excon 1.x — verified against excon 1.2.3 — so no code changes are required. --- veritrans.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/veritrans.gemspec b/veritrans.gemspec index 8b392b0..04a4f4a 100644 --- a/veritrans.gemspec +++ b/veritrans.gemspec @@ -16,6 +16,6 @@ Gem::Specification.new do |s| s.require_paths = ["lib"] - s.add_runtime_dependency "excon", "~> 0.20" + s.add_runtime_dependency "excon", ">= 0.20", "< 2" end
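Review bot: keeping the `>= 0.20` floor in the `s.add_runtime_dependency "excon", ">= 0.20", "< 2"` line means this change does not itself require a release patched for CVE-2026-54171; the commit message states the fix is in excon >= 1.5.0, so a downstream resolver can still lock any 0.x or an unpatched 1.x and this gem will accept it. If the goal is remediation rather than just unblocking upgrades, either raise the floor to `>= 1.5.0` (and drop the backward-compatibility claim in the message) or say explicitly in the changelog or README that applications must bump excon in their own lockfile. Separately, the message says the APIs were verified against excon 1.2.3, which is below the 1.5.0 version the message names as the fixed release; re-running the suite against a >= 1.5.0 release, and adding a CI entry that exercises excon 1.x alongside 0.x, would actually back the "no code changes are required" claim for the versions this constraint now admits.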