This ignores `CVE-2026-33658` in `bundler-audit` after validating that Chatwoot's default and recommended storage setups do not use Active Storage proxy mode.

Fixes: N/A
Closes: N/A

## Why

`CVE-2026-33658` is an Active Storage proxy-mode DoS issue triggered by multi-range requests. For Chatwoot, the default and recommended setups do not appear to route file downloads through Rails proxy mode:

- `config/environments/production.rb` selects the Active Storage service but does not opt into `rails_storage_proxy`
- `.env.example` defaults to `ACTIVE_STORAGE_SERVICE=local`
- Chatwoot's storage docs recommend local/cloud storage with optional direct uploads to the storage provider
- existing specs expect redirect/disk-style Active Storage URLs rather than proxy-mode URLs

Given that validation, ignoring this advisory is a smaller and more accurate response than a framework-wide Rails upgrade.

## What this change does

- adds `.bundler-audit.yml`
- preserves the existing advisory ignore entries already used by Chatwoot
- ignores `CVE-2026-33658`
- documents why the ignore is acceptable for Chatwoot's current defaults
- notes that this should be revisited if Chatwoot enables `rails_storage_proxy` or other app-served Active Storage proxy routes

## Validation

- reviewed `config/environments/production.rb`
- reviewed `.env.example`
- reviewed Chatwoot storage docs: https://developers.chatwoot.com/self-hosted/deployment/storage/s3-bucket
- reviewed Active Storage URL expectations in `spec/controllers/slack_uploads_controller_spec.rb` and `spec/services/line/send_on_line_service_spec.rb`
- ran `bundle exec bundle-audit check --no-update`
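An added example, not part of this PR or of Chatwoot's code: a small Ruby guard that turns the "revisit if proxy mode is enabled" note into a check that fails when `CVE-2026-33658` is still ignored after `rails_storage_proxy` appears in the app's configuration. The `.bundler-audit.yml` shape follows bundler-audit's `ignore:` list; the YAML contents and the two `production.rb` snippets are constructed here for the example, and the `ENV.fetch` line is an assumption about how the storage service is selected, not a copy of Chatwoot's file.

```ruby
# Guard for advisory ignores that are only justified while Active Storage
# proxy mode stays off. Added example; not Chatwoot's or bundler-audit's code.
require "yaml"

# Advisories whose ignore entry depends on the app not serving files through
# Rails proxy mode. Only the CVE from this PR is listed.
PROXY_MODE_ONLY_IGNORES = %w[CVE-2026-33658].freeze

# Any of these settings/helpers route downloads through the Rails app:
#   config.active_storage.resolve_model_to_route = :rails_storage_proxy
#   rails_storage_proxy_path / rails_storage_proxy_url helpers
PROXY_MODE_PATTERN = /rails_storage_proxy/

# Constructed .bundler-audit.yml (bundler-audit's documented ignore: list).
BUNDLER_AUDIT_YML = <<~YAML
  ---
  ignore:
    - CVE-2026-33658
YAML

# Constructed production.rb in the state this PR validated: the service is
# selected, proxy mode is only mentioned in a comment. The ENV.fetch line is
# an assumption, not Chatwoot's actual code.
PRODUCTION_RB_REDIRECT = <<~RUBY
  Rails.application.configure do
    config.active_storage.service = ENV.fetch("ACTIVE_STORAGE_SERVICE", "local").to_sym
    # config.active_storage.resolve_model_to_route = :rails_storage_proxy
  end
RUBY

# Constructed production.rb after someone opts into proxy mode.
PRODUCTION_RB_PROXY = <<~RUBY
  Rails.application.configure do
    config.active_storage.service = ENV.fetch("ACTIVE_STORAGE_SERVICE", "local").to_sym
    config.active_storage.resolve_model_to_route = :rails_storage_proxy
  end
RUBY

# Advisory IDs listed under ignore: in a .bundler-audit.yml document.
def ignored_advisories(bundler_audit_yaml)
  config = YAML.safe_load(bundler_audit_yaml) || {}
  Array(config["ignore"]).map(&:to_s)
end

# True if any source file enables proxy mode. Ruby comments are stripped
# first so a commented-out setting does not count (heuristic: a "#" inside
# a string literal is also stripped, which is acceptable for config files).
def proxy_mode_enabled?(config_sources)
  config_sources.any? do |src|
    code = src.lines.map { |line| line.sub(/#.*/, "") }.join
    code.match?(PROXY_MODE_PATTERN)
  end
end

# Ignores that are no longer justified: proxy mode is on, yet a
# proxy-mode-only advisory is still silenced.
def stale_ignores(bundler_audit_yaml, config_sources)
  return [] unless proxy_mode_enabled?(config_sources)

  ignored_advisories(bundler_audit_yaml) & PROXY_MODE_ONLY_IGNORES
end

if __FILE__ == $PROGRAM_NAME
  # Run against the redirect-mode config this PR describes: nothing is stale.
  stale = stale_ignores(BUNDLER_AUDIT_YML, [PRODUCTION_RB_REDIRECT])
  if stale.empty?
    puts "ok: no proxy-mode-dependent ignores are stale"
  else
    warn "revisit .bundler-audit.yml: proxy mode enabled but still ignoring #{stale.join(', ')}"
    exit 1
  end
end
```

In a real CI job the constructed constants would be replaced by `File.read` of `.bundler-audit.yml`, `config/environments/production.rb` and any controllers or views that might call the proxy URL helpers, so that enabling proxy mode fails the build until the ignore entry is re-evaluated.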