
Bump faraday from 2.14.2 to 2.14.3 #888

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/bundler/faraday-2.14.3

Conversation

dependabot[bot] commented on behalf of github on Jun 23, 2026

Contributor

Bumps faraday from 2.14.2 to 2.14.3.

Release notes

Sourced from faraday's releases.

v2.14.3

Security Note

This release contains a security fix; we recommend that all users upgrade as soon as possible. A Security Advisory with more details will be posted shortly.

Full Changelog: lostisland/faraday@v2.14.2...v2.14.3

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [faraday](https://github.com/lostisland/faraday) from 2.14.2 to 2.14.3.
- [Release notes](https://github.com/lostisland/faraday/releases)
- [Changelog](https://github.com/lostisland/faraday/blob/main/CHANGELOG.md)
- [Commits](lostisland/faraday@v2.14.2...v2.14.3)

---
updated-dependencies:
- dependency-name: faraday
  dependency-version: 2.14.3
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) label on Jun 23, 2026
Copilot AI review requested due to automatic review settings on June 23, 2026 16:43
dependabot[bot] added the ruby (Pull requests that update ruby code) and dependencies (Pull requests that update a dependency file) labels on Jun 23, 2026

Copilot AI left a comment


Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

cla-bot added the cla-signed label on Jun 23, 2026

github-actions[bot] commented

Test coverage

91.86% line coverage reported by SimpleCov.
Run: https://github.com/RaspberryPiFoundation/editor-api/actions/runs/28041678046

cursor[bot] left a comment

Stale comment

Dependabot assessment: faraday 2.14.2 → 2.14.3

Verdict: Safe to merge.

Verification

  • CI: lint and full RSpec suite passed (2507 examples, 0 failures).
  • Local: Docker unavailable in this environment; relied on GitHub Actions.

Safety of merging

Lockfile-only bump. Transitive updates: faraday-net_http 3.4.2 → 3.4.4, json 2.19.8 → 2.19.9.

Faraday usage here is limited to outbound HTTP clients (Hydra, Profile/UserInfo APIs, Google OAuth, Turnstile, Pardot, Scratch importers). Most use JSON request/response middleware; the two url_encoded call sites (Hydra userinfo, Google token exchange) send flat form fields, not deeply nested query strings.

Concerns unlikely to be caught by the test suite:

  • Live integration behaviour with external services (auth, profile, Turnstile, Pardot) — specs stub or mock Faraday rather than hitting real endpoints.
  • Transport-layer edge cases in faraday-net_http (TLS, timeouts, proxies, connection reuse) are not exercised end-to-end in CI.
  • Nested query-param depth limit (new default of 100 in 2.14.3, part of the security fix) could raise Faraday::Error if the app ever parsed or built query strings deeper than that; current call sites do not appear to do so.

The faraday-net_http 3.4.4 change (mutable empty body when no Content-Type) is a small compatibility fix and is low risk for this codebase.

Proposed fixes

None required — tests pass, no new gem deprecations observed, and this is a recommended security patch.


Sent by Cursor Automation: Editor-* - Tests Dependabot PRs

cursor[bot] left a comment

Dependabot assessment: faraday 2.14.2 → 2.14.3

Verdict: Safe to merge — lockfile-only patch bump; CI lint and test both passed on this branch.

Safety of merging

This is a security release (nested-query DoS in NestedParamsEncoder; protocol-relative URI host override when the request target is a URI object). Upgrading is recommended.

Concerns unlikely to be caught by tests:

  • Transitive faraday-net_http 3.4.4 changes handling of empty responses with no Content-Type (body mutability). Our Faraday clients mostly use :json responses or simple form posts; empty-body edge cases against real upstreams are not fully exercised in specs.
  • Nested-params depth limit could affect :url_encoded requests with very deep nesting. In this app that middleware is used for simple form posts (Hydra, Google OAuth, Turnstile, Pardot); Profile/UserInfo clients use :json.
  • SSRF hardening is defense-in-depth here: Faraday call sites use env-configured or hardcoded base URLs with app-controlled paths, not user-supplied request targets.

Proposed fixes

None. No CI failures, no new deprecations observed, and no application code changes are required.

Test verification

Could not run the suite locally (Docker/Ruby unavailable in this environment). GitHub Actions CI on commit 374acb9 completed successfully (bundle exec rubocop, bundle exec rspec).


Sent by Cursor Automation: Editor-* - Tests Dependabot PRs
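The two security items that both bot assessments above refer to, the nested-query depth limit (default 100) and the protocol-relative URI host override when a URI object is the request target, can be illustrated with simplified stand-ins. The block below is an added example written for this page; it is not Faraday's NestedParamsEncoder or request-building code, and the Cursor bot did not post it. The decoder, the `resolve_pinned` helper, the error class names, the base URL `https://api.example.com/v1/` and the sample query strings are all constructed here; only the limit value 100 is taken from the page.

```ruby
require "uri"

# Added example: simplified stand-ins for the two guards that the release
# notes and the bot assessments describe. This is NOT Faraday's own
# NestedParamsEncoder or request-building code; only the default limit of
# 100 is taken from the PR page, everything else is constructed here.

class DepthLimitExceeded < StandardError; end
class HostMismatch < StandardError; end

DEFAULT_MAX_DEPTH = 100

# Nesting depth of one form key: "a" => 1, "a[b]" => 2, "a[b][c]" => 3.
def key_depth(key)
  1 + key.scan(/\[[^\]]*\]/).length
end

# Decode "a[b][c]=1&d=2" into { "a" => { "b" => { "c" => "1" } }, "d" => "2" }.
# Raises DepthLimitExceeded before building anything when a key nests deeper
# than max_depth, so an oversized query string cannot force unbounded
# recursion or allocation (the DoS class the release fixes).
def decode_nested(query, max_depth: DEFAULT_MAX_DEPTH)
  result = {}
  query.split("&").each do |pair|
    next if pair.empty?
    raw_key, raw_value = pair.split("=", 2)
    key = URI.decode_www_form_component(raw_key)
    value = raw_value.nil? ? nil : URI.decode_www_form_component(raw_value)

    depth = key_depth(key)
    if depth > max_depth
      raise DepthLimitExceeded, "key nests #{depth} levels (limit #{max_depth})"
    end

    # "a[b][c]" -> ["a", "b", "c"]; walk/create hashes down to the last part.
    parts = [key[/\A[^\[]*/]] + key.scan(/\[([^\]]*)\]/).flatten
    cursor = result
    parts[0...-1].each do |part|
      cursor[part] = {} unless cursor[part].is_a?(Hash)
      cursor = cursor[part]
    end
    cursor[parts.last] = value
  end
  result
end

# Resolve a request target (String or URI) against a fixed base URL and
# refuse it if the scheme or host changed. Under normal RFC 3986 resolution
# a protocol-relative target such as "//other.example/x" replaces the
# authority, which is the host-override behaviour the security note refers to.
def resolve_pinned(base_url, target)
  base = URI.parse(base_url)
  resolved = URI.join(base_url, target)
  unless resolved.scheme == base.scheme && resolved.host == base.host
    raise HostMismatch, "#{target} resolves to #{resolved.host}, expected #{base.host}"
  end
  resolved
end

if __FILE__ == $PROGRAM_NAME
  p decode_nested("a[b][c]=1&d=2")
  begin
    decode_nested("x" + "[y]" * 150 + "=1")
  rescue DepthLimitExceeded => e
    puts "rejected: #{e.message}"
  end
  p resolve_pinned("https://api.example.com/v1/", "userinfo").to_s
  begin
    resolve_pinned("https://api.example.com/v1/", URI("//other.example/x"))
  rescue HostMismatch => e
    puts "rejected: #{e.message}"
  end
end
```

The depth check runs on the raw key before any hash is allocated, which is the property that matters for a denial-of-service guard; the host check compares the resolved URI against the configured base rather than inspecting the target string, so it catches the protocol-relative case whether the target arrives as a String or a URI object. In this repository the Cursor assessments note that call sites use env-configured or hardcoded base URLs with app-controlled paths, so such a check is defense-in-depth rather than a required fix.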


Labels: cla-signed, dependencies (Pull requests that update a dependency file), ruby (Pull requests that update ruby code)


1 participant