
Update Dependencies to Resolve Security Advisories #10185

Closed

charleyf
Contributor

@charleyf charleyf commented Feb 29, 2024

🛠 Summary of changes

This ticket continues the work from yesterday (PR) to keep main free of security advisories.

  1. This PR yesterday locked the version of rack-cors, that's since been fixed (here) so I'm reverting that change.
  2. There's a new security advisory about yard (included below). This PR addresses that too by forcing a newer version of yard.

A note: We've had three PRs about this in three days [1, 2, 3 (this one)]. I'm not sure we need to do anything differently, but that's enough of a pattern that I'm asking about it here in Slack.

  identity-idp git:(main) bundle exec bundler-audit check --update
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up to date.
Updated ruby-advisory-db
ruby-advisory-db:
  advisories:   876 advisories
  last updated: 2024-02-28 16:01:01 -0800
  commit:       06f33746747e89af5634a5e6b41004ad7899a6c0
Name: yard
Version: 0.9.34
CVE: CVE-2024-27285
GHSA: GHSA-8mq4-9jjh-9xrc
Criticality: Medium
URL: https://github.com/advisories/GHSA-8mq4-9jjh-9xrc
Title: YARD's default template vulnerable to Cross-site Scripting in generated frames.html
Solution: upgrade to '>= 0.9.35'

Vulnerabilities found!
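As an added example (not code from this PR or from identity-idp), the Ruby below parses the text that `bundler-audit check` printed above into advisory records and decides, with `Gem::Requirement`, whether an installed version still sits inside the vulnerable range; the record layout (`Name:` through `Solution:`) is assumed from the run shown in the description, and the sample input is a constructed copy of it.

```ruby
# Added example, not code from the identity-idp PR: parse bundler-audit's
# human-readable "check" output (layout assumed from the run in the PR)
# into advisory records and evaluate the "Solution" constraint.
require 'rubygems'

# Constructed sample, shaped like the output in the PR description.
SAMPLE_AUDIT_OUTPUT = <<~OUT
  ruby-advisory-db:
    advisories:   876 advisories
    last updated: 2024-02-28 16:01:01 -0800
  Name: yard
  Version: 0.9.34
  CVE: CVE-2024-27285
  GHSA: GHSA-8mq4-9jjh-9xrc
  Criticality: Medium
  URL: https://github.com/advisories/GHSA-8mq4-9jjh-9xrc
  Title: YARD's default template vulnerable to Cross-site Scripting in generated frames.html
  Solution: upgrade to '>= 0.9.35'

  Vulnerabilities found!
OUT

Advisory = Struct.new(:name, :version, :cve, :ghsa, :criticality, :url, :title, :solution)
FIELDS = { 'Name' => :name, 'Version' => :version, 'CVE' => :cve, 'GHSA' => :ghsa,
           'Criticality' => :criticality, 'URL' => :url, 'Title' => :title,
           'Solution' => :solution }.freeze

# A record begins at "Name:"; every other known "Key: value" line fills it in.
# Unknown keys (the ruby-advisory-db header) and non key/value lines are skipped.
def parse_audit(text)
  advisories = []
  text.each_line do |line|
    key, value = line.strip.split(/:\s+/, 2)
    field = FIELDS[key]
    next unless field && value
    advisories << Advisory.new if field == :name
    advisories.last[field] = value unless advisories.empty?
  end
  advisories
end

# "upgrade to '>= 0.9.35'" -> Gem::Requirement for ">= 0.9.35" (nil if absent)
def fixed_requirement(advisory)
  spec = advisory.solution.to_s[/'([^']+)'/, 1]
  spec ? Gem::Requirement.new(spec) : nil
end

# True when installed_version is still inside the advisory's vulnerable range.
# No parsable solution is treated as still vulnerable (fail closed).
def still_vulnerable?(advisory, installed_version)
  req = fixed_requirement(advisory)
  req.nil? || !req.satisfied_by?(Gem::Version.new(installed_version))
end

# Gemfile line that forces the fixed version, as this PR does for yard.
def gemfile_pin(advisory)
  "gem '#{advisory.name}', '#{fixed_requirement(advisory)}'"
end
```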

@charleyf charleyf requested a review from a team February 29, 2024 13:26
Member

@aduth aduth left a comment


I'm not seeing that the original issue with rack-cors has been resolved, and it appears that 2.0.1 is still the latest version for the gem.

cyu/rack-cors#274
https://rubygems.org/gems/rack-cors

@charleyf charleyf closed this Feb 29, 2024
@aduth aduth deleted the charley/update-dependencies-for-security-advisories branch February 29, 2024 13:45