Update faraday CVE-2026-54297 for 1.10.6 backport

gems/faraday/CVE-2026-54297.yml

@@ -54,18 +54,28 @@ description: |
   This issue does not provide remote code execution, authentication
   bypass, or data disclosure. The confirmed impact is availability loss.
 
+  ## Patched Versions
+
+  The fix was released in Faraday 2.14.3 and backported to the 1.x
+  branch in Faraday 1.10.6, which adds a `param_depth_limit` to
+  `NestedParamsEncoder`.
+
   ## Reporter
 
   Reported by: Emre Koca
 cvss_v3: 7.5
 patched_versions:
+  - "~> 1.10.6"
   - ">= 2.14.3"
 related:
   url:
     - https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-54297
     - https://rubygems.org/gems/faraday/versions/2.14.3
     - https://github.com/lostisland/faraday/releases/tag/v2.14.3
     - https://github.com/lostisland/faraday/compare/v2.14.2...v2.14.3
+    - https://rubygems.org/gems/faraday/versions/1.10.6
+    - https://github.com/lostisland/faraday/releases/tag/v1.10.6
+    - https://github.com/lostisland/faraday/compare/v1.10.5...v1.10.6
     - https://test.osv.dev/vulnerability/GHSA-98m9-hrrm-r99r
     - https://advisories.gitlab.com/gem/faraday/CVE-2026-54297
     - https://github.com/lostisland/faraday/security/advisories/GHSA-98m9-hrrm-r99r
@@ -74,3 +84,4 @@ notes: |
   - cvss_v3 from GHSA
   - cve is reserved, but no cve at nvd.nist.gov, so no cvss_v2 or cvss_v4
   - Removed a lot of text from description field. See reference for details.
+  - Fix backported to the 1.x branch in faraday 1.10.6.