Gem dependency updates #777
| spec.add_dependency 'pry-byebug' | ||
| spec.add_dependency 'puma', '~> 5.6.7' | ||
| spec.add_dependency 'rake', '~> 13.0' | ||
| spec.add_dependency 'rexml', '>= 3.4.2' |
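Review bot: the new `rexml` entry uses an open-ended `>= 3.4.2` while the neighbouring `puma` and `rake` entries use the pessimistic `~>` operator; an open lower bound is the right shape for a security floor, but on its own it also admits a future major version with breaking changes. If the intent is only to exclude the vulnerable releases, a pair such as `spec.add_dependency 'rexml', '~> 3.4', '>= 3.4.2'` keeps the floor and still bounds the major version, matching the style of the surrounding lines.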
Update to kramdown ~> 2.5.2 and you'll get this without adding a new dependency that we don't use directly.
| gem 'faraday', '>= 2.14.1' | ||
| gem 'nokogiri', '>= 1.19.1' | ||
| gem 'rexml', '>= 3.4.2' | ||
| gem 'uri', '>= 1.0.4' |
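Review bot: these four `gem` lines set open lower bounds on gems the docs site only pulls in transitively, so they change nothing until the lockfile is re-resolved; a `bundle update` in `docs/` (or at minimum `bundle update faraday nokogiri rexml uri`) needs to be part of the same change, and if `github-pages` pins any of these gems below the new floor the resolution will fail rather than silently keep the old version. Committing the updated `docs/Gemfile.lock` alongside this Gemfile makes the effective versions reviewable.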
Looks like the old unmaintained github-pages gem is the actual source of the problem, and moving away from that will require some architectural changes to our doc publication workflows. These appear to be relatively minor and doable, but let's handle that in a separate ticket and leave this docs/Gemfile alone for now, other than to run a bundle update in that directory, though it looks like the github-pages gem pegs a lot of stuff.
I think I'd prefer to keep any package-lock.json updates out of here and focus instead on just the ruby updates.
Codecov Report: All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
##             main     #777   +/-   ##
=======================================
  Coverage   84.77%   84.77%
=======================================
  Files         297      297
  Lines       13968    13968
  Branches     1955     1955
=======================================
  Hits        11842    11842
  Misses       2118     2118
  Partials        8        8

Flags with carried forward coverage won't be shown.
• Bumped fhir_models and fhir_client to new released versions.

inferno_core.gemspec:
• rexml — added at >= 3.4.2 (was 3.3.9). CVE-2025-58767: DoS when parsing malformed XML. Used transitively by kramdown, rest-client, and others.
• activesupport — bumped to ~> 7.2.3.1

Gemfile:
• yard — bumped to >= 0.9.42 (was 0.9.37). CVE: arbitrary path traversal and file access via the yard server command.

docs/Gemfile:
• nokogiri — added at >= 1.19.1 (was 1.18.7). 3 CVEs in vendored libxml2.
• addressable — added at >= 2.9.0 (was 2.8.7). ReDoS in Addressable templates.
• uri — added at >= 1.0.4 (was 1.0.3). CVE-2025-27221: credential leakage bypass.
• faraday — added at >= 2.14.1 (was 2.12.2). SSRF via protocol-relative URL host override.
• rexml — added at >= 3.4.2 (was 3.4.1). Same DoS CVE as above.
• activesupport — added at >= 8.0.4.1

application.rb:
• logger requirement added, since activesupport in >= 7.x versions no longer initializes it in non-Rails applications
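The floors listed above only take effect once the lockfile is re-resolved, and the gemspec hunk raised the question of `>=` versus `~>` constraints. The following Ruby script is an added example, not code from inferno_core or from this PR: it parses the `specs:` section of a Gemfile.lock with RubyGems' own `Gem::Version` and `Gem::Requirement` classes and reports every gem whose resolved version is still below the floor this PR sets, then shows what each constraint style accepts. The floor values come from the PR description; the lockfile excerpt is constructed for the example (it is not the repository's lockfile) and deliberately leaves `faraday` on its old version.

```ruby
# Added example (not part of inferno_core or this PR): verify that the gem
# versions resolved in a Gemfile.lock satisfy a set of security floors.
# Only RubyGems' built-in Gem::Version / Gem::Requirement are used.
require 'rubygems'

# Minimum versions taken from the PR description. The requirement strings are
# exactly what one would write in a Gemfile or gemspec.
SECURITY_FLOORS = {
  'rexml'       => '>= 3.4.2',  # CVE-2025-58767, DoS on malformed XML
  'uri'         => '>= 1.0.4',  # CVE-2025-27221
  'faraday'     => '>= 2.14.1',
  'nokogiri'    => '>= 1.19.1',
  'addressable' => '>= 2.9.0',
  'yard'        => '>= 0.9.42'
}.freeze

# Parse the "specs:" section of a Gemfile.lock into { name => Gem::Version }.
# Only the 4-space-indented lines ("    name (x.y.z)") are resolved versions;
# the 6-space lines beneath them are dependency edges and are skipped.
def resolved_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if in_specs && line =~ /\A\S/ # next top-level section
    next unless in_specs

    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# Return [name, resolved_version, requirement] for every violated floor.
# Gems absent from the lockfile are ignored: they are not installed at all,
# so the advisory does not apply to this bundle.
def floor_violations(lockfile_text, floors = SECURITY_FLOORS)
  resolved = resolved_versions(lockfile_text)
  floors.filter_map do |name, req_string|
    version = resolved[name]
    next if version.nil?

    req = Gem::Requirement.new(req_string)
    [name, version.to_s, req_string] unless req.satisfied_by?(version)
  end
end

# Evaluate a constraint set against a version string, e.g. to compare an
# open floor ['>= 3.4.2'] with the bounded pair ['~> 3.4', '>= 3.4.2'].
def accepts?(requirement_strings, version_string)
  Gem::Requirement.new(*requirement_strings)
                  .satisfied_by?(Gem::Version.new(version_string))
end

# Constructed lockfile excerpt (not the repository's lockfile); faraday is
# intentionally left at a version below the floor.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.9.0)
        public_suffix (>= 2.0.2, < 7.0)
      faraday (2.12.2)
        faraday-net_http (>= 2.0, < 3.5)
      public_suffix (6.0.1)
      rexml (3.4.2)
      uri (1.0.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    faraday (>= 2.14.1)
LOCK

if $PROGRAM_NAME == __FILE__
  floor_violations(SAMPLE_LOCK).each do |name, got, want|
    puts "#{name}: resolved #{got}, required #{want}"
  end
  puts "open floor admits 4.0.0:    #{accepts?(['>= 3.4.2'], '4.0.0')}"
  puts "bounded pair admits 4.0.0:  #{accepts?(['~> 3.4', '>= 3.4.2'], '4.0.0')}"
end
```

Run against a real `docs/Gemfile.lock` by passing `File.read('docs/Gemfile.lock')` to `floor_violations`; an empty result means every listed gem that the bundle actually installs is at or above its floor. The `accepts?` helper makes the constraint question concrete: `>= 3.4.2` alone accepts 4.0.0, while `~> 3.4` combined with `>= 3.4.2` accepts 3.4.2 and later 3.x releases but rejects both 3.4.1 and 4.0.0.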