Closed: unleashed closed this 4 years ago
I think we should update the Gemfile.base to require ~>1.10.8.
We don't need to, and it's questionable whether we'd even want to specify a base patchlevel version. ~> 1.10.4 will always pick the latest 1.10.Z available, even if you deleted Gemfile.lock. It's a safety net useful only for internal repositories, which we don't use since we always vendor our gems straight from rubygems.org. I'd even change that and use ~> 1.10, since the guarantees will be the same and we don't depend on anything present in 1.10.4/1.10.8 that was not there in 1.10.
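For reference on what the three constraints discussed above actually admit, here is an added example (not part of the original thread or of the project's code) that evaluates `~> 1.10`, `~> 1.10.4` and `~> 1.10.8` with RubyGems' own `Gem::Requirement` against a constructed list of candidate versions. It also answers the question raised in the thread about signalling a minimum fixed version: `enforces_minimum?` checks whether a constraint rules out every version below a given release. The candidate version list is made up for the demonstration.

```ruby
require 'rubygems'

# Constructed candidate versions (not from the thread), spanning the
# pre-1.10, 1.10.Z, and post-1.10 ranges so each constraint's edges show.
CANDIDATES = %w[1.9.9 1.10.0 1.10.3 1.10.4 1.10.7 1.10.8 1.10.12 1.11.0 2.0.0].freeze

# The three pessimistic constraints under discussion.
CONSTRAINTS = ['~> 1.10', '~> 1.10.4', '~> 1.10.8'].freeze

# Return the candidate versions that satisfy a requirement string,
# using the same matcher Bundler/RubyGems apply.
def allowed_versions(requirement, candidates = CANDIDATES)
  req = Gem::Requirement.new(requirement)
  candidates.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# Mimic resolution with no Gemfile.lock present: the resolver takes the
# highest version that satisfies the constraint.
def resolved_version(requirement, candidates = CANDIDATES)
  allowed_versions(requirement, candidates)
    .map { |v| Gem::Version.new(v) }
    .max&.to_s
end

# True when the constraint admits no version older than `fixed`, i.e. it
# genuinely communicates "first release not affected" as a floor.
def enforces_minimum?(requirement, fixed, candidates = CANDIDATES)
  floor = Gem::Version.new(fixed)
  allowed_versions(requirement, candidates).all? { |v| Gem::Version.new(v) >= floor }
end

if $PROGRAM_NAME == __FILE__
  CONSTRAINTS.each do |c|
    puts "#{c.ljust(10)} allows:      #{allowed_versions(c).join(', ')}"
    puts "#{' ' * 10} resolves to: #{resolved_version(c)}"
    puts "#{' ' * 10} floor >= 1.10.8? #{enforces_minimum?(c, '1.10.8')}"
  end
end
```

Running it shows the difference that matters for the thread: `~> 1.10.4` and `~> 1.10.8` both stay inside the 1.10.Z series, so without a lockfile both resolve to the same newest 1.10.Z, but only `~> 1.10.8` excludes the older patch levels. `~> 1.10` is wider than both, since it admits any 1.x release at or above 1.10.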
In this case, I think it would be useful to signal that we require a minimum version which we know is the first one not affected by the CVE.
The text above is meant to say that it is not. :)
We are not obviously affected by the CVEs, but updating nonetheless.