3scale / apisonator

Red Hat 3scale API Management Apisonator backend
https://3scale.net
Apache License 2.0
35 stars 27 forks

Gemfile{,.on_prem}.lock: update Nokogiri to 1.10.8 #160

Closed unleashed closed 4 years ago

unleashed commented 4 years ago

We are not obviously affected by the CVEs, but updating nonetheless.

davidor commented 4 years ago

I think we should update the Gemfile.base to require ~>1.10.8.

unleashed commented 4 years ago

> I think we should update the Gemfile.base to require ~>1.10.8.

We don't need to, and it's questionable we'd even want to specify a base patchlevel version. ~> 1.10.4 will always pick the latest 1.10.Z available, even if you deleted Gemfile.lock. It's a safety net useful only for internal repositories, which we don't use since we always vendor our gems straight from rubygems.org. I'd even change that and use ~> 1.10, since the guarantees will be the same and we don't depend on anything present in 1.10.4/1.10.8 that was not there in 1.10.

davidor commented 4 years ago

In this case, I think it would be useful to signal that we require a minimum version which we know is the first one not affected by the CVE.

unleashed commented 4 years ago

The text above is meant to say that it is not. :)
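The constraint semantics argued over in this thread, as an added example that is not code from the PR or from apisonator: it uses the Gem::Requirement and Gem::Version classes that ship with Ruby to show which releases `~> 1.10.4`, `~> 1.10` and a `~> 1.10.8` floor each admit once Gemfile.lock is gone, which one the resolver then picks, and whether an older lockfile pin survives a raised floor. The release list and the Gemfile.lock excerpt are constructed for illustration (no query of rubygems.org is made); only the gem name nokogiri comes from the thread.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with Ruby itself

# Constructed sample of the release history a resolver would see on the gem
# source once Gemfile.lock is deleted (assumed for illustration, not a live
# listing of rubygems.org).
AVAILABLE_VERSIONS = %w[1.9.1 1.10.3 1.10.4 1.10.7 1.10.8 1.11.0 2.0.0].freeze

# Constructed Gemfile.lock excerpt in the real lockfile layout: a resolved gem
# sits under `specs:` indented four spaces, its own dependencies six.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_portile2 (2.4.0)
      nokogiri (1.10.8)
        mini_portile2 (~> 2.4.0)
LOCK

# Turn a Gemfile-style constraint string into a Gem::Requirement.
# Bundler separates several constraints with commas: ">= 1.10.8, < 1.11".
def parse_constraint(constraint)
  Gem::Requirement.new(*constraint.split(",").map(&:strip))
end

# Every available version the constraint admits, lowest first.
def admitted_versions(constraint, available = AVAILABLE_VERSIONS)
  req = parse_constraint(constraint)
  available.map { |v| Gem::Version.new(v) }
           .select { |v| req.satisfied_by?(v) }
           .sort
           .map(&:to_s)
end

# With no lockfile, the resolver takes the newest admitted version.
def resolved_version(constraint, available = AVAILABLE_VERSIONS)
  admitted_versions(constraint, available).last
end

# Does an existing lockfile pin still satisfy the Gemfile constraint?
# If not, `bundle install` cannot keep the stale pin and must resolve again,
# which is how a raised floor in the Gemfile forces the patched release.
def lock_satisfies?(constraint, locked)
  parse_constraint(constraint).satisfied_by?(Gem::Version.new(locked))
end

# Read the pinned version of one gem out of a Gemfile.lock `specs:` block.
# Returns nil when the gem is not pinned in the lockfile.
def locked_version(lockfile_text, gem_name)
  pattern = /\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)/
  lockfile_text.each_line do |line|
    m = pattern.match(line)
    return m[1] if m
  end
  nil
end

if $PROGRAM_NAME == __FILE__
  ["~> 1.10.4", "~> 1.10", "~> 1.10.8", ">= 1.10.8, < 1.11"].each do |c|
    puts "#{c.ljust(18)} admits #{admitted_versions(c).join(', ')} " \
         "-> resolves #{resolved_version(c)}"
  end
  puts "lockfile pins nokogiri #{locked_version(SAMPLE_LOCK, 'nokogiri')}"
  puts "stale 1.10.4 pin kept under ~> 1.10.4? #{lock_satisfies?('~> 1.10.4', '1.10.4')}"
  puts "stale 1.10.4 pin kept under ~> 1.10.8? #{lock_satisfies?('~> 1.10.8', '1.10.4')}"
end
```

Run it with plain `ruby` to print each constraint's admitted set. The pessimistic operator drops the last given component and bumps the one before it, so `~> 1.10.4` means `>= 1.10.4, < 1.11` while `~> 1.10` means `>= 1.10, < 2`; the two only resolve to the same release as long as no 1.11.x exists, and a `~> 1.10.8` floor is what makes an older pin fail `bundle install` rather than being silently kept.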