Upgrade Sinatra and Rack to fix vulnerability

The security alert says:

> [sinatra is] vulnerable to Reliance on Untrusted Inputs in a Security
> Decision via the X-Forwarded-Host (XFH) header. When making a request to
> a method with redirect applied, it is possible to trigger an Open
> Redirect Attack by inserting an arbitrary address into this header. If
> used for caching purposes, such as with servers like Nginx, or as a
> reverse proxy, without handling the X-Forwarded-Host header, attackers
> can potentially exploit Cache Poisoning or Routing-based SSRF.

See https://github.com/gma/nesta/security/dependabot/28 for details.

CHANGELOG.md

@@ -2,6 +2,9 @@
 
 ## 0.17.0 (Unreleased)
 
+ * Update Sinatra to verion 4.0, to fix a vulnerability. This has also
+   required a jump to Rack 3. (Graham Ashton)
+
  * Update Sass parser to sass-embedded 1.80, which (due to changes in CSS 4)
    deprecates the global colour functions and the @import statement. Any Sass
    code that uses these features will need updating before Dart Sass 3.0 is

Gemfile.lock

@@ -5,11 +5,11 @@ PATH
       RedCloth (~> 4.2)
       haml (>= 3.1, < 6.0)
       haml-contrib (>= 1.0)
-      rack (~> 2)
+      rack (~> 3)
       rake
       rdiscount (~> 2.1)
       sass-embedded (~> 1.58)
-      sinatra (~> 3.1)
+      sinatra (~> 4.0)
       tilt (~> 2.1)
 
 GEM
@@ -64,10 +64,12 @@ GEM
       racc (~> 1.4)
     public_suffix (6.0.1)
     racc (1.8.1)
-    rack (2.2.10)
-    rack-protection (3.2.0)
+    rack (3.1.8)
+    rack-protection (4.0.0)
       base64 (>= 0.1.0)
-      rack (~> 2.2, >= 2.2.4)
+      rack (>= 3.0.0, < 4)
+    rack-session (2.0.0)
+      rack (>= 3.0.0)
     rack-test (2.1.0)
       rack (>= 1.3)
     raindrops (0.20.1)
@@ -83,10 +85,11 @@ GEM
     sass-embedded (1.80.6)
       google-protobuf (~> 4.28)
       rake (>= 13)
-    sinatra (3.2.0)
+    sinatra (4.0.0)
       mustermann (~> 3.0)
-      rack (~> 2.2, >= 2.2.4)
-      rack-protection (= 3.2.0)
+      rack (>= 3.0.0, < 4)
+      rack-protection (= 4.0.0)
+      rack-session (>= 2.0.0, < 3)
       tilt (~> 2.0)
     temple (0.10.3)
     tilt (2.4.0)

nesta.gemspec

@@ -31,12 +31,12 @@ EOF
 
   s.add_dependency('haml', '>= 3.1', '< 6.0')
   s.add_dependency('haml-contrib', '>= 1.0')
-  s.add_dependency('rack', '~> 2')
+  s.add_dependency('rack', '~> 3')
   s.add_dependency('rake')
   s.add_dependency('rdiscount', '~> 2.1')
   s.add_dependency('RedCloth', '~> 4.2')
   s.add_dependency('sass-embedded', '~> 1.58')
-  s.add_dependency('sinatra', '~> 3.1')
+  s.add_dependency('sinatra', '~> 4.0')
   s.add_dependency('tilt', '~> 2.1')
 
   # Useful in development