chore(deps-dev): bump faraday from 2.9.0 to 2.14.2

Bumps [faraday](https://github.com/lostisland/faraday) from 2.9.0 to 2.14.2. - [Release notes](https://github.com/lostisland/faraday/releases) - [Changelog](https://github.com/lostisland/faraday/blob/main/CHANGELOG.md) - [Commits](https://github.com/lostisland/faraday/compare/v2.9.0...v2.14.2) --- updated-dependencies: - dependency-name: faraday dependency-version: 2.14.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
2026-06-03 21:45:48 +00:00 · 2026-06-03 14:43:15 +00:00
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
-  ".": "3.3.7"
+  ".": "3.3.6"
 }
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,21 +2,6 @@

 This file contains all the latest changes and updates to Postal.

-## [3.3.7](https://github.com/postalserver/postal/compare/3.3.6...3.3.7) (2026-06-03)
-
-
-### Bug Fixes
-
-* **http:** prevent SSRF in outbound webhook and HTTP endpoint requests ([11c9814](https://github.com/postalserver/postal/commit/11c9814474f956619da35e8385ef7fab9f304de0))
-* **message-db:** prevent SQL injection via condition keys (GHSA-x2hq-rfpg-3xr5) ([4314a6e](https://github.com/postalserver/postal/commit/4314a6ec1e2812daa67dd20effd1db1769c1f8e8))
-* **specs:** stub IPv6 support in address guard IPv6 literal spec ([029bfe0](https://github.com/postalserver/postal/commit/029bfe098d9b8c0b5cafc49eac33e767f5748cd3))
-
-
-### Miscellaneous Chores
-
-* **deps:** upgrade rack & rails ([0445e5c](https://github.com/postalserver/postal/commit/0445e5c509870dfe9c16366c53dee3fc02ad3904))
-* update security vulnerability reporting instructions ([8be1e27](https://github.com/postalserver/postal/commit/8be1e27fec489ab659ef5e909f705932028b1694))
-
 ## [3.3.6](https://github.com/postalserver/postal/compare/3.3.5...3.3.6) (2026-04-28)


--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -134,12 +134,14 @@ GEM
    factory_bot_rails (6.4.3)
      factory_bot (~> 6.4)
      railties (>= 5.0.0)
-    faraday (2.9.0)
-      faraday-net_http (>= 2.0, < 3.2)
+    faraday (2.14.2)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
    faraday-follow_redirects (0.3.0)
      faraday (>= 1, < 3)
-    faraday-net_http (3.1.0)
-      net-http
+    faraday-net_http (3.4.4)
+      net-http (~> 0.5)
    ffi (1.15.5)
    gelf (3.1.0)
      json
@@ -209,8 +211,8 @@ GEM
      prism (~> 1.5)
    mutex_m (0.3.0)
    mysql2 (0.5.6)
-    net-http (0.4.1)
-      uri
+    net-http (0.9.1)
+      uri (>= 0.11.1)
    net-imap (0.6.4)
      date
      net-protocol
@@ -418,7 +420,7 @@ GEM
    uglifier (4.2.0)
      execjs (>= 0.3.0, < 3)
    unicode-display_width (2.4.2)
-    uri (1.0.3)
+    uri (1.1.1)
    validate_url (1.0.15)
      activemodel (>= 3.0.0)
      public_suffix
--- a/doc/config/environment-variables.md
+++ b/doc/config/environment-variables.md
@@ -18,7 +18,6 @@ This document contains all the environment variables which are available for thi
 | `POSTAL_SIGNING_KEY_PATH` | String | Path to the private key used for signing | $config-file-root/signing.key |
 | `POSTAL_SMTP_RELAYS` | Array of strings | An array of SMTP relays in the format of smtp://host:port | [] |
 | `POSTAL_TRUSTED_PROXIES` | Array of strings | An array of IP addresses to trust for proxying requests to Postal (in addition to localhost addresses) | [] |
-| `POSTAL_ALLOWED_REQUEST_DESTINATIONS` | Array of strings | Hostnames or IP/CIDR ranges that outbound webhook and HTTP endpoint requests are permitted to reach even when they resolve to a private, loopback, link-local or otherwise reserved address. All other such destinations are blocked to prevent SSRF. | [] |
 | `POSTAL_QUEUED_MESSAGE_LOCK_STALE_DAYS` | Integer | The number of days after which to consider a lock as stale. Messages with stale locks will be removed and not retried. | 1 |
 | `POSTAL_BATCH_QUEUED_MESSAGES` | Boolean | When enabled queued messages will be de-queued in batches based on their destination | true |
 | `WEB_SERVER_DEFAULT_PORT` | Integer | The default port the web server should listen on unless overriden by the PORT environment variable | 5000 |
--- a/doc/config/yaml.yml
+++ b/doc/config/yaml.yml
@@ -29,8 +29,6 @@ postal:
  smtp_relays: []
  # An array of IP addresses to trust for proxying requests to Postal (in addition to localhost addresses)
  trusted_proxies: []
-  # Hostnames or IP/CIDR ranges that outbound webhook and HTTP endpoint requests are permitted to reach even when they resolve to a private, loopback, link-local or otherwise reserved address. All other such destinations are blocked to prevent SSRF.
-  allowed_request_destinations: []
  # The number of days after which to consider a lock as stale. Messages with stale locks will be removed and not retried.
  queued_message_lock_stale_days: 1
  # When enabled queued messages will be de-queued in batches based on their destination
--- a/spec/lib/postal/http/address_guard_spec.rb
+++ b/spec/lib/postal/http/address_guard_spec.rb
@@ -23,8 +23,6 @@ RSpec.describe Postal::HTTP::AddressGuard do
    context "when given a public IPv6 literal" do
      let(:host) { "2606:2800:220:1:248:1893:25c8:1946" }

-      before { allow(described_class).to receive(:ipv6_supported?).and_return(true) }
-
      it "returns the address to connect to" do
        expect(call).to eq "2606:2800:220:1:248:1893:25c8:1946"
      end