
Octobox

vjune-2026 Security

This release includes 1 security fix (a constant-time comparison for webhook signatures) and three hardening bugfixes; it is relevant to teams running Octobox deployments that expose the webhook endpoint or the web UI.

✓ No CVE is referenced for any change in this release

Topics

github, github-notifications, inbox, notifications, octobox, rails, ruby, triage

Affected surfaces

deps (gem and GitHub Actions bumps), webhook signature verification, extension page redirect handling, search suggestion rendering, notification import fields

ReleasePort's take

Moderate signal

Adopt secure_compare for webhook signature verification to mitigate timing attack risks.

Why it matters: The release switches webhook signature verification to secure_compare, a comparison whose running time does not depend on where the first mismatching byte sits. A plain string comparison returns as soon as one byte differs, so an attacker who can post to the webhook endpoint and measure response times can, in principle, recover a valid signature one byte at a time. Exploiting that over a network takes many samples, so the practical risk is modest, but the fix is cheap and removes the leak entirely; deployments that accept GitHub webhooks should upgrade.
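The before/after of the check described above (and of the "Use secure_compare for webhook signature verification" entry further down), as an added example that is not Octobox's own code. It assumes GitHub's X-Hub-Signature-256 header format, "sha256=" followed by the hex HMAC-SHA256 of the raw request body, and a shared webhook secret. The secure_compare here is a stand-alone reimplementation so the file runs without Rails; in the app the same role is played by ActiveSupport::SecurityUtils.secure_compare (assumption: that is the helper the project adopted).

```ruby
require "openssl"

# Constant-time equality for two byte strings. The XOR accumulator forces the
# loop to visit every byte, so the time taken does not reveal the position of
# the first mismatch. Stand-in for ActiveSupport::SecurityUtils.secure_compare
# so this example runs without Rails.
def secure_compare(a, b)
  # The length of the expected signature is public, so a length check leaks nothing.
  return false unless a.bytesize == b.bytesize
  acc = 0
  a.bytes.zip(b.bytes) { |x, y| acc |= x ^ y }
  acc.zero?
end

# Value GitHub sends in X-Hub-Signature-256 for a given secret and raw body.
def expected_signature(secret, raw_body)
  "sha256=" + OpenSSL::HMAC.hexdigest("SHA256", secret, raw_body)
end

# Before: String#== returns at the first differing byte, so an attacker who
# controls the header can measure how many leading bytes of a guess are right.
def verify_webhook_insecure(secret, raw_body, header)
  header == expected_signature(secret, raw_body)
end

# After: reject a missing header, then compare in constant time. The expected
# value is always recomputed from the raw body, never taken from the request.
def verify_webhook(secret, raw_body, header)
  return false unless header.is_a?(String)
  secure_compare(header, expected_signature(secret, raw_body))
end

# Constructed sample: a fake secret and payload, not real Octobox data.
SAMPLE_SECRET = "octobox-webhook-secret-for-demo"
SAMPLE_BODY   = '{"action":"opened","issue":{"number":1}}'

if __FILE__ == $PROGRAM_NAME
  good = expected_signature(SAMPLE_SECRET, SAMPLE_BODY)
  puts "valid signature accepted: #{verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, good)}"
  puts "tampered body rejected:   #{!verify_webhook(SAMPLE_SECRET, SAMPLE_BODY + ' ', good)}"
  puts "forged header rejected:   #{!verify_webhook(SAMPLE_SECRET, SAMPLE_BODY, 'sha256=' + '0' * 64)}"
end
```

Both versions accept and reject the same inputs; the difference is only in how long a rejection takes, which is exactly the property a functional test cannot see and why this class of bug survives review.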

Summary

One security fix (constant-time comparison of webhook signatures), three hardening bugfixes in the web UI and notification import path (return_to validation and removal of inline onclick handlers, DOM building without innerHTML, allowlisted import fields), and routine gem and GitHub Actions dependency bumps.

Changes in this release

  • Security (High): Use secure_compare for webhook signature verification
  • Bugfix (Medium): Validate return_to and remove inline onclick on extension page
  • Bugfix (Medium): Build search suggestion DOM safely instead of via innerHTML
  • Bugfix (Medium): Allowlist import fields and gate thread view behind display? flag
  • Dependency (Low): Bump nokogiri from 1.19.2 to 1.19.3
  • Dependency (Low): Bump ruby/setup-ruby from 1.305.0 to 1.306.0
  • Dependency (Low): Bump playwright-ruby-client from 1.59.0 to 1.59.1 (dev)
  • Dependency (Low): Bump bootsnap from 1.24.0 to 1.24.1
  • Dependency (Low): Bump minitest from 6.0.5 to 6.0.6
  • Dependency (Low): Bump github/codeql-action from 4.35.2 to 4.35.3 (CI)
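A check of the kind the "Validate return_to" entry above implies, as an added example that is not Octobox's own code: it assumes return_to should only ever be a same-origin path, and the regex and helper names (SAFE_RETURN_TO, safe_return_to) are hypothetical. Rails 7 also raises on a cross-host redirect_to when raise_on_open_redirects is enabled; an allowlist like this one belongs before the redirect so a rejected value degrades to a safe fallback instead of an error.

```ruby
require "uri"

# Accept only a local path: one leading "/", not followed by "/" or "\"
# (browsers treat "//host" and "/\host" as protocol-relative URLs), and no
# whitespace, control characters or backslashes anywhere, since browsers
# strip or normalise some of those before resolving the URL.
# Hypothetical constant for this example.
SAFE_RETURN_TO = %r{\A/(?![/\\])[^[:cntrl:]\s\\]*\z}

# Returns value if it is a safe same-origin path, otherwise fallback.
# Hypothetical helper; Octobox's own validation may differ.
def safe_return_to(value, fallback = "/")
  return fallback unless value.is_a?(String) && value.match?(SAFE_RETURN_TO)
  begin
    uri = URI.parse(value)
  rescue URI::InvalidURIError
    return fallback
  end
  # Even a string that passed the regex must parse to a bare path with no
  # scheme, authority or userinfo before it is trusted.
  return fallback if uri.scheme || uri.host || uri.userinfo
  value
end

# Constructed inputs covering the usual open-redirect shapes.
if __FILE__ == $PROGRAM_NAME
  ["/notifications?q=1", "//evil.example/", "https://evil.example/",
   "/\\evil.example", "javascript:alert(1)", nil].each do |v|
    puts "#{v.inspect.ljust(24)} -> #{safe_return_to(v)}"
  end
end
```

The regex does the real work; the URI.parse step is a second, independent opinion on the same string, which is worth keeping because the two disagree on some malformed inputs and a fallback on either disagreement is always safe.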

Full changelog

What's Changed

  • build(deps): Bump nokogiri from 1.19.2 to 1.19.3 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4499
  • build(deps): Bump ruby/setup-ruby from 1.305.0 to 1.306.0 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4498
  • build(deps-dev): Bump playwright-ruby-client from 1.59.0 to 1.59.1 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4502
  • build(deps): Bump bootsnap from 1.24.0 to 1.24.1 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4501
  • build(deps): Bump minitest from 6.0.5 to 6.0.6 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4503
  • build(deps): Bump github/codeql-action from 4.35.2 to 4.35.3 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4504
  • build(deps): Bump multi_xml from 0.8.1 to 0.9.1 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4505
  • build(deps): Bump json from 2.19.4 to 2.19.5 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4506
  • build(deps-dev): Bump spring from 4.4.2 to 4.5.0 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4507
  • build(deps-dev): Bump factory_bot from 6.5.6 to 6.6.0 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4508
  • build(deps): Bump bootsnap from 1.24.1 to 1.24.3 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4510
  • Use secure_compare for webhook signature verification by @andrew in https://github.com/octobox/octobox/pull/4472
  • Validate return_to and remove inline onclick on extension page by @andrew in https://github.com/octobox/octobox/pull/4469
  • Build search suggestion DOM safely instead of via innerHTML by @andrew in https://github.com/octobox/octobox/pull/4470
  • Allowlist import fields and gate thread view behind display? by @andrew in https://github.com/octobox/octobox/pull/4471
  • build(deps): Bump rb_sys from 0.9.127 to 0.9.128 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4509
  • build(deps): Bump sidekiq from 8.1.3 to 8.1.4 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4513
  • build(deps): Bump github/codeql-action from 4.35.3 to 4.35.4 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4512
  • build(deps): Bump commonmarker from 2.8.1 to 2.8.2 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4515
  • build(deps): Bump action_text-trix from 2.1.18 to 2.1.19 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4514
  • build(deps): Bump zizmorcore/zizmor-action from 0.5.3 to 0.5.5 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4520
  • build(deps): Bump ruby/setup-ruby from 1.306.0 to 1.307.0 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4517
  • build(deps): Bump faraday from 2.14.1 to 2.14.2 in the bundler group across 1 directory by @dependabot[bot] in https://github.com/octobox/octobox/pull/4516
  • build(deps): Bump bootsnap from 1.24.3 to 1.24.4 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4518
  • build(deps): Bump octicons_helper from 19.25.0 to 19.26.0 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4519
  • build(deps): Bump jwt from 3.1.2 to 3.2.0 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4521
  • build(deps): Bump sidekiq from 8.1.4 to 8.1.5 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4522
  • build(deps): Bump octicons_helper from 19.26.0 to 19.27.0 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4523
  • build(deps): Bump github/codeql-action from 4.35.4 to 4.35.5 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4524
  • build(deps): Bump jbuilder from 2.14.1 to 2.15.0 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4525
  • build(deps-dev): Bump playwright-ruby-client from 1.59.1 to 1.60.0 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4527
  • build(deps): Bump snaky_hash from 2.0.3 to 2.0.4 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4528
  • build(deps): Bump oauth2 from 2.0.18 to 2.0.20 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4529
  • build(deps): Bump oj from 3.17.0 to 3.17.1 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4526
  • build(deps): Bump zizmorcore/zizmor-action from 0.5.5 to 0.5.6 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4531
  • build(deps): Bump ruby/setup-ruby from 1.307.0 to 1.308.0 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4530
  • build(deps): Bump ruby/setup-ruby from 1.308.0 to 1.310.0 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4532
  • build(deps): Bump docker/build-push-action from 7.1.0 to 7.2.0 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4533
  • build(deps): Bump docker/metadata-action from 6.0.0 to 6.1.0 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4534
  • build(deps): Bump docker/login-action from 4.1.0 to 4.2.0 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4535
  • build(deps): Bump github/codeql-action from 4.35.5 to 4.36.0 by @dependabot[bot] in https://github.com/octobox/octobox/pull/4536

Full Changelog: https://github.com/octobox/octobox/compare/may-2026...june-2026

Security Fixes

  • Use secure_compare for webhook signature verification


About Octobox

Take back control of your GitHub Notifications.
