chore(deps-dev): bump faraday from 2.9.0 to 2.14.2

Bumps [faraday](https://github.com/lostisland/faraday) from 2.9.0 to 2.14.2.
- [Release notes](https://github.com/lostisland/faraday/releases)
- [Changelog](https://github.com/lostisland/faraday/blob/main/CHANGELOG.md)
- [Commits](https://github.com/lostisland/faraday/compare/v2.9.0...v2.14.2)

---
updated-dependencies:
- dependency-name: faraday
  dependency-version: 2.14.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "3.3.7"
+  ".": "3.3.6"
 }

CHANGELOG.md

@@ -2,21 +2,6 @@
 
 This file contains all the latest changes and updates to Postal.
 
-## [3.3.7](https://github.com/postalserver/postal/compare/3.3.6...3.3.7) (2026-06-03)
-
-
-### Bug Fixes
-
-* **http:** prevent SSRF in outbound webhook and HTTP endpoint requests ([11c9814](https://github.com/postalserver/postal/commit/11c9814474f956619da35e8385ef7fab9f304de0))
-* **message-db:** prevent SQL injection via condition keys (GHSA-x2hq-rfpg-3xr5) ([4314a6e](https://github.com/postalserver/postal/commit/4314a6ec1e2812daa67dd20effd1db1769c1f8e8))
-* **specs:** stub IPv6 support in address guard IPv6 literal spec ([029bfe0](https://github.com/postalserver/postal/commit/029bfe098d9b8c0b5cafc49eac33e767f5748cd3))
-
-
-### Miscellaneous Chores
-
-* **deps:** upgrade rack & rails ([0445e5c](https://github.com/postalserver/postal/commit/0445e5c509870dfe9c16366c53dee3fc02ad3904))
-* update security vulnerability reporting instructions ([8be1e27](https://github.com/postalserver/postal/commit/8be1e27fec489ab659ef5e909f705932028b1694))
-
 ## [3.3.6](https://github.com/postalserver/postal/compare/3.3.5...3.3.6) (2026-04-28)
 
 

Gemfile.lock

@@ -134,12 +134,14 @@ GEM
     factory_bot_rails (6.4.3)
       factory_bot (~> 6.4)
       railties (>= 5.0.0)
-    faraday (2.9.0)
+    faraday (2.14.2)
-      faraday-net_http (>= 2.0, < 3.2)
+      faraday-net_http (>= 2.0, < 3.5)
+      json
+      logger
     faraday-follow_redirects (0.3.0)
       faraday (>= 1, < 3)
-    faraday-net_http (3.1.0)
+    faraday-net_http (3.4.4)
-      net-http
+      net-http (~> 0.5)
     ffi (1.15.5)
     gelf (3.1.0)
       json
@@ -209,8 +211,8 @@ GEM
       prism (~> 1.5)
     mutex_m (0.3.0)
     mysql2 (0.5.6)
-    net-http (0.4.1)
+    net-http (0.9.1)
-      uri
+      uri (>= 0.11.1)
     net-imap (0.6.4)
       date
       net-protocol
@@ -418,7 +420,7 @@ GEM
     uglifier (4.2.0)
       execjs (>= 0.3.0, < 3)
     unicode-display_width (2.4.2)
-    uri (1.0.3)
+    uri (1.1.1)
     validate_url (1.0.15)
       activemodel (>= 3.0.0)
       public_suffix

doc/config/environment-variables.md

@@ -18,7 +18,6 @@ This document contains all the environment variables which are available for thi
 | `POSTAL_SIGNING_KEY_PATH` | String | Path to the private key used for signing | $config-file-root/signing.key |
 | `POSTAL_SMTP_RELAYS` | Array of strings | An array of SMTP relays in the format of smtp://host:port | [] |
 | `POSTAL_TRUSTED_PROXIES` | Array of strings | An array of IP addresses to trust for proxying requests to Postal (in addition to localhost addresses) | [] |
-| `POSTAL_ALLOWED_REQUEST_DESTINATIONS` | Array of strings | Hostnames or IP/CIDR ranges that outbound webhook and HTTP endpoint requests are permitted to reach even when they resolve to a private, loopback, link-local or otherwise reserved address. All other such destinations are blocked to prevent SSRF. | [] |
 | `POSTAL_QUEUED_MESSAGE_LOCK_STALE_DAYS` | Integer | The number of days after which to consider a lock as stale. Messages with stale locks will be removed and not retried. | 1 |
 | `POSTAL_BATCH_QUEUED_MESSAGES` | Boolean | When enabled queued messages will be de-queued in batches based on their destination | true |
 | `WEB_SERVER_DEFAULT_PORT` | Integer | The default port the web server should listen on unless overriden by the PORT environment variable | 5000 |

doc/config/yaml.yml

@@ -29,8 +29,6 @@ postal:
   smtp_relays: []
   # An array of IP addresses to trust for proxying requests to Postal (in addition to localhost addresses)
   trusted_proxies: []
-  # Hostnames or IP/CIDR ranges that outbound webhook and HTTP endpoint requests are permitted to reach even when they resolve to a private, loopback, link-local or otherwise reserved address. All other such destinations are blocked to prevent SSRF.
-  allowed_request_destinations: []
   # The number of days after which to consider a lock as stale. Messages with stale locks will be removed and not retried.
   queued_message_lock_stale_days: 1
   # When enabled queued messages will be de-queued in batches based on their destination

spec/lib/postal/http/address_guard_spec.rb

@@ -23,8 +23,6 @@ RSpec.describe Postal::HTTP::AddressGuard do
     context "when given a public IPv6 literal" do
       let(:host) { "2606:2800:220:1:248:1893:25c8:1946" }
 
-      before { allow(described_class).to receive(:ipv6_supported?).and_return(true) }
-
       it "returns the address to connect to" do
         expect(call).to eq "2606:2800:220:1:248:1893:25c8:1946"
       end