
fix(deps): resolve bundler-audit advisories (json, loofah, nokogiri, rack) #16

Closed
mdkaraman wants to merge 1 commit into trunk from security/bundler-audit-fix-20260325

Conversation

@mdkaraman (Contributor)

Security Advisories Fixed

Gem       Advisory                                Severity  Old Version  New Version
json      CVE-2026-33210 / GHSA-3m6g-2423-7cp3    Unknown   2.18.0       2.19.3
loofah    GHSA-46fp-8f5p-pf2m                     Unknown   2.25.0       2.25.1
nokogiri  GHSA-wx95-c6cv-8532                     Medium    1.19.0       1.19.2
rack      CVE-2026-22860 / GHSA-mxw3-3hh2-x2mh    High      3.2.4        3.2.5
rack      CVE-2026-25500 / GHSA-whrj-4476-wvmp    Medium    3.2.4        3.2.5

Codebase Impact Analysis

All four gems are transitive dependencies. Research confirmed minimal direct exposure to the vulnerable code paths:

  • json: JSON.parse used in app/controllers/api/v1/documents_controller.rb:101 and app/domain/cartafact/operations/validate_resource_identity_signature.rb:46. The vulnerable allow_duplicate_key: false option is not used anywhere in the codebase.
  • loofah: Transitive dep via rails-html-sanitizer → actionpack/actionview. No direct usage in application code. App is API-only (config.api_only = true), so HTML sanitization helpers are not active.
  • nokogiri: Transitive dep via loofah and rails-html-sanitizer. No direct usage, no #canonicalize calls, no XML/HTML parsing, no SAML. App uses JWT + HMAC-SHA256 for auth.
  • rack: Used only via rack-cors (config/initializers/cors.rb:10) and Rack::Test::UploadedFile in specs. The vulnerable Rack::Directory class is not used anywhere.

Full research document: tmp/research/2026-03-25-bundler-audit-json-loofah-nokogiri-rack.md

Verification

gem install bundler-audit && bundler-audit update
bundler-audit --verbose   # must return "No vulnerabilities found."

Checklist

  • bundler-audit returns "No vulnerabilities found."
  • Affected gem specs still pass (bundle exec rspec spec/controllers/api/v1/documents_controller_spec.rb spec/domain/operations/validate_resource_identity_signature_spec.rb)
  • No breaking changes observed in the impacted functional areas (all upgrades are patch-level)

…, rack

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
mdkaraman closed this Mar 26, 2026
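The verification steps in the PR description rely on bundler-audit's advisory database. As an added cross-check that does not depend on that database, the following Ruby script (an example written for this page, not code from the PR or the repository) reads a Gemfile.lock and reports any of the four gems still pinned below the patched versions listed in the advisory table. The two lockfiles embedded below are constructed samples that mirror the table's old and new pins, not the project's real Gemfile.lock, and the function names and the platform-suffix handling are this example's own.

```ruby
require "rubygems" # Gem::Version

# Minimum fixed versions, taken from the advisory table in the PR description.
PATCHED_VERSIONS = {
  "json"     => "2.19.3",
  "loofah"   => "2.25.1",
  "nokogiri" => "1.19.2",
  "rack"     => "3.2.5",
}.freeze

# Collect the locked versions of every gem from the "specs:" blocks of a
# Gemfile.lock, as { name => [version strings] }. Top-level spec entries are
# indented by exactly four spaces; a gem's dependency lines (six spaces) carry
# requirements such as "(>= 2.0.0)", not pinned versions, and are skipped.
def lockfile_versions(lock_text)
  versions = Hash.new { |h, k| h[k] = [] }
  in_specs = false
  lock_text.each_line do |raw|
    line = raw.chomp
    if line.strip == "specs:"
      in_specs = true
      next
    end
    # An unindented line (PLATFORMS, DEPENDENCIES, ...) ends the specs block.
    in_specs = false if in_specs && line.match?(/\A\S/)
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      versions[m[1]] << m[2]
    end
  end
  versions
end

# In a Gemfile.lock a dash separates the version from a platform
# ("1.19.2-x86_64-linux"); prerelease versions are written with dots, so the
# text after the first dash is never part of the version and would not even
# parse as one. Strip it before comparing.
def locked_version(str)
  Gem::Version.new(str.split("-", 2).first)
end

# Return one finding per locked copy of a gem that is still below its patched
# version (multi-platform lockfiles can pin several copies). Gems absent from
# the lockfile are not findings. An empty array means the lockfile is clean.
def unpatched_gems(lock_text, patched = PATCHED_VERSIONS)
  locked = lockfile_versions(lock_text)
  patched.flat_map do |name, fixed|
    fixed_v = Gem::Version.new(fixed)
    locked[name].filter_map do |v|
      { gem: name, locked: v, required: fixed } if locked_version(v) < fixed_v
    end
  end
end

# Constructed sample lockfile (not the project's real Gemfile.lock): the
# pre-upgrade pins from the table, with nokogiri as a platform-specific build.
BEFORE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (2.18.0)
      loofah (2.25.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.12.0)
      nokogiri (1.19.0-x86_64-linux)
        racc (~> 1.4)
      rack (3.2.4)
      rack-cors (2.0.2)
        rack (>= 2.0.0)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    rack-cors
LOCK

# The same constructed lockfile after the upgrades listed in the PR.
AFTER_LOCK = BEFORE_LOCK
  .sub("json (2.18.0)", "json (2.19.3)")
  .sub("loofah (2.25.0)", "loofah (2.25.1)")
  .sub("nokogiri (1.19.0-", "nokogiri (1.19.2-")
  .sub("rack (3.2.4)", "rack (3.2.5)")

if $PROGRAM_NAME == __FILE__
  [["before", BEFORE_LOCK], ["after", AFTER_LOCK]].each do |label, lock|
    findings = unpatched_gems(lock)
    puts "#{label}: #{findings.empty? ? 'no unpatched gems' : findings.inspect}"
  end
end
```

Point `unpatched_gems` at `File.read("Gemfile.lock")` to run it against a real checkout; because it compares against the fixed versions rather than the advisory ranges, it stays meaningful even if the audit database lags, and the dependency-line filter keeps a `rack (>= 2.0.0)` requirement under rack-cors from being mistaken for a pinned rack version.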