[Snyk] Fix for 6 vulnerabilities #722
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-10674179 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-10674176 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-10674184 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-10674192 - https://snyk.io/vuln/SNYK-RUBY-THOR-10843853 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-10674188
🎉 Snyk checks have passed. No issues have been found so far.✅ security/snyk check is complete. No issues have been found. (View Details) |
There was a problem hiding this comment.
Pull Request Overview
This PR addresses 6 security vulnerabilities in Ruby gem dependencies by updating various gems to newer versions. The changes focus on upgrading gems like Nokogiri and Thor that have known security issues, while also downgrading Rails from version 5.2.7 to 4.2.9.
- Updates multiple gems to fix high-severity vulnerabilities including buffer overflows, pointer dereference issues, and command injection
- Downgrades Rails framework from 5.2.7 to 4.2.9
- Updates development and test dependencies to compatible versions
| @@ -1,27 +1,27 @@ | |||
| source "https://rubygems.org" | |||
|
|
|||
| gem "rails", "~> 5.2.7", ">= 5.2.7.1" | |||
| gem "sass-rails", ">= 5.0.5" | |||
| gem "rails", "~> 4.2.9" | |||
There was a problem hiding this comment.
Downgrading Rails from 5.2.7 to 4.2.9 introduces significant security risks. Rails 4.2.9 was released in 2017 and lacks years of security patches. This change contradicts the security goals of the PR.
| gem "rails", "~> 4.2.9" | |
| gem "rails", "~> 5.2.7" |
Copilot uses AI. Check for mistakes.
| gem "bootstrap-sass", "~> 3.3.4" | ||
| gem "slim" | ||
| gem "pundit" | ||
| gem "sprockets", "~> 2.12.3" | ||
| gem "jwt" | ||
| gem "base32" | ||
| gem "active_model_serializers" | ||
| gem "devise", ">= 4.4.2" | ||
| gem "devise", ">= 3.5.2" |
There was a problem hiding this comment.
Downgrading Devise from 4.4.2 to 3.5.2 removes critical security fixes. Devise 3.x has known vulnerabilities that were addressed in later versions.
| gem "devise", ">= 3.5.2" | |
| gem "devise", ">= 4.4.2" |
Copilot uses AI. Check for mistakes.
| end | ||
|
|
||
| group :development, :test do | ||
| gem "rspec-rails", ">= 3.5.0" | ||
| gem "rspec-rails", ">= 3.3.2" |
There was a problem hiding this comment.
Downgrading rspec-rails from 3.5.0 to 3.3.2 reduces the minimum version requirement unnecessarily. This removes access to bug fixes and improvements available in newer versions.
| gem "rspec-rails", ">= 3.3.2" | |
| gem "rspec-rails", ">= 3.5.0" |
Copilot uses AI. Check for mistakes.
| gem "active_record_union" | ||
| gem "mysql2" | ||
| gem "search_cop" | ||
| gem "kaminari" | ||
| gem "crono" | ||
| gem "net-ldap" | ||
| gem "redcarpet" | ||
| gem "font-awesome-rails", ">= 4.7.0.4" | ||
| gem "font-awesome-rails", ">= 4.5.0.0" |
There was a problem hiding this comment.
Downgrading font-awesome-rails from 4.7.0.4 to 4.5.0.0 reduces the minimum version unnecessarily, potentially missing bug fixes and icon updates.
| gem "font-awesome-rails", ">= 4.5.0.0" | |
| gem "font-awesome-rails", ">= 4.7.0.4" |
Copilot uses AI. Check for mistakes.
Snyk has created this PR to fix 6 vulnerabilities in the rubygems dependencies of this project.
Snyk changed the following file(s):
play-with-docker/Portus/Portus.1/GemfileVulnerabilities that will be fixed with an upgrade:
SNYK-RUBY-NOKOGIRI-10674179
SNYK-RUBY-NOKOGIRI-10674176
SNYK-RUBY-NOKOGIRI-10674184
SNYK-RUBY-NOKOGIRI-10674192
SNYK-RUBY-THOR-10843853
SNYK-RUBY-NOKOGIRI-10674188
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 OS Command Injection