This is a security and bug-fix release.

Compatibility:

NOTE: This release no longer supports JRuby.

Security:

1. Ruby 3.4.9. CVE-2026-27820 in zlib gem
2. Update bcrypt gem from 3.1.20 to 3.1.22. CVE-2026-33306
3. Update nokogiri gem from 1.18.9 to 1.19.2. GHSA-wx95-c6cv-8532
4. Update loofah gem from 2.24.0 to 2.25.1. GHSA-46fp-8f5p-pf2m
5. Update devise gem from 4.9.4 to 5.0.3. CVE-2026-32700
6. Update addressable gem from 2.8.7 to 2.9.0. CVE-2026-35611
7. Update rack-session gem from 2.1.1 to 2.1.2. CVE-2026-39324
8. Update Ruby on Rails from 7.2.2.2 to 7.2.3.1. CVE-2026-33176, CVE-2026-33170, CVE-2026-33169, CVE-2026-33168, CVE-2026-33173, CVE-2026-33174, CVE-2026-33658, CVE-2026-33195, CVE-2026-33202.

Bug-fixes:

1. Update thruster gem from 0.1.17 to 0.1.20.
2. Update bundler-audit gem from 0.9.2 to 0.9.3.
3. Update brakeman gem from 7.1.1 to 8.0.4.
4. Sync GitHub Actions with main.

This is security and bug-fix release.

Security:

1. Update rack gem from 3.1.18 to 3.1.20. CVE-2026-25500 and CVE-2026-22860.
2. Update faraday gem from 2.13.0 to 2.14.1 CVE-2026-25765.

Bug-fixes:

1. Sync GitHub Actions with main.

This is security and bug-fix release.

Security:

1. Update httparty gem to 0.24.2. Fix CVE-2025-68696.
2. Brakeman: set Rails.application.config.action_dispatch.cookies_serializer to :json (#2425).
3. Brakeman: add rel: "noopener noreferrer" to all places with target: "_blank" (#2425).

Bug-fixes:

1. Update brakeman gem from 7.0.2 to 7.1.1.
2. Update thruster gem from 0.1.15 to 0.1.17.
3. Update tzinfo-data gem from 1.2025.2 to 1.2025.3.
4. Ruby 3.4.8.
5. Sync GitHub Actions with main.
6. Fix API JSON serialization for Mongoid documents (PR #2601) by @elektronaut

This is security and bug-fix release.

Security:

1. Update uri gem to 1.0.4. Fix: CVE-2025-61594.
2. Update rexml gem from 3.4.1 to 3.4.4. Fix: CVE-2025-58767.
3. Update rack gem to 3.1.18. Fixes:

• CVE-2025-61770
• CVE-2025-61771
• CVE-2025-61772
• CVE-2025-59830
• CVE-2025-61919

4. Update rack-protection gem to 4.2.1. Fix: CVE-2025-61921.

Bug-fixes:

1. Ruby 3.4.7.
2. JRuby 9.4.14.0.
3. Sync GitHub Actions with main.
4. Update base ruby docker image.

This is security and bug-fix release.

Security:

1. Update Ruby On Rails to 7.2.2.2. CVE-2025-55193 and CVE-2025-24293.
2. Update nokogiri gem to 1.18.9. Multiple CVEs.
3. Update thruster gem to 0.1.15.

Bug-fixes:

1. Ruby 3.4.5.
2. JRuby 9.4.13.0.
3. Update base ruby docker image.
4. Update RubyGems to 3.6.9.
5. Update Bundler to 2.6.9.
6. Fix deprecations. Fix #2042.

This is security release.

Security

1. Bump rack from 3.1.14 to 3.1.16 (CVE-2025-49007)

This is security release.

Security:

1. Bump rack-session from 2.1.0 to 2.1.1 (CVE-2025-46336)
2. Bump rack from 3.1.13 to 3.1.14 (CVE-2025-46727)
3. JRuby 9.4.12.1 (CVE-2025-46551)

This is security release.

Security:

1. Bump net-imap from 0.5.6 to 0.5.8 (CVE-2025-43857)

This is security and bug-fix release.

Bug-fixes:

1. Update airbrake installation instructions

Security:

1. Bump thruster from 0.1.12 to 0.1.13
2. Bump nokogiri from 1.18.7 to 1.18.8 (CVE-2025-32414 and CVE-2025-32415 in libxml2)

v0.10.0 Release notes

Hello,

I am Igor (Ihor) Zubkov, new maintainer of Errbit.

Notable changes

Improvements

• Upgraded Ruby and Ruby on Rails gives us huge performance boost.
• Less memory, faster application due # frozen_string_literal: true.
• Mostly everything, upgraded. No more known CVE in dependencies.

Security Improvements

• Devise: change bcrypt cost from 11 to 12.
• Devise: change password_length from 6..128 to 8..128.
• Bundler: enable checksums.

All changes

1. Upgrade Ruby from 2.5.1 to 3.4.3
2. Upgrade Ruby on Rails from 4.2.11.1 to 7.2.2.1
3. Upgrade RubyGems to 3.6.8
4. Upgrade Bundler to 2.6.8
5. Enable Bundler 2.6 feature checksums
6. Enable bootsnap
7. Migrate to zeitwerk
8. Migrate to # frozen_string_literal: true. Less memory, faster application.
9. You can run Errbit with JRuby 9.4. Experimental. We need help with docker jruby container to mark it as production-ready.
10. Flowdock support was removed. This service is no longer running.
11. We migrate from Circle CI (Sorry, Circle CI!) to GitHub Actions
12. Test suite much faster and stable. But, we are still working on stability. Especially, for JRuby 9.4.
13. We integrate vcr and webmock to test suite to external calls.
14. Remove all bundler binstubs that is not in use
15. Dependabot: take care of any security and not security updates
16. Integrate thruster in docker image. So, you can run Errbit in docker without reverse proxy.

Deprecations and removals

Custom user gemfile name

Support of custom user gemfile name deprecated and removed. From now,
always use UserGemfile as custom user gemfile. So, if you have
USER_GEMFILE env, just remove it. And rename custom user gemfile to
UserGemfile.

Force SSL/TLS

From v0.10.0, Errbit requires reverse proxy with SSL/TLS support.

So, we enable config.force_ssl = true in config/environments/production.rb.

ERRBIT_ENFORCE_SSL env support and related code removed.

We recommend to use Traefik as reverse proxy. Or, you can run
Errbit with thruster.
Thruster integrated in our docker image.

ERRBIT_PROTOCOL and ERRBIT_PORT env support and related code was
removed too. It doesn't have any sense. ERRBIT_PROTOCOL is always
https and ERRBIT_PORT is always 443.

SERVE_STATIC_ASSETS env

Support of SERVE_STATIC_ASSETS env was removed. Just remove it
from configuration.

If you run Errbit behind reverse proxy in docker container,
thruster will serve static assets.

If you run Errbit without reverse proxy, docker container has
thruster inside. It will serve static assets and take care
about HTTPS (ACME).

RACK_ENV env

RACK_ENV env support was removed. Use RAILS_ENV env for this.

ERRBIT_LOG_LEVEL env

ERRBIT_LOG_LEVEL env support was removed. Use RAILS_LOG_LEVEL
for this.

MongoDB support

• MongoDB 4.0 is reached EOL on 21 Jun 2018. 4.0 support will be removed after v0.10.0 release.
• MongoDB 4.2 is reached EOL on 09 Aug 2019. 4.2 support will be removed after v0.10.0 release.
• MongoDB 4.4 is reached EOL an 25 Jul 2020. 4.4 support will be removed after v0.10.0 release.
• MongoDB 5.0 is reached EOL on 08 Jul 2021. 5.0 support will be removed after v0.10.0 release.

So, after upgrading Errbit to v0.10.0, upgrade MongoDB to 6.0 or later.

Docker

Docker image is recommended way to run Errbit.

You can run Errbit with reverse proxy like Traefik or with
thruster. Thruster is integrated in our docker image.

Read our new Quick Start Guide.

Support plan

We plan support Errbit v0.10 branch for 6 months til next release. Bug-fixes
and security. And 3 month after release of v0.11 with security fixes.