Ruby vulnerability roundup 002

FliegendeWurst commented 1 week ago

Using the script in https://github.com/NixOS/nixpkgs/issues/58823#issue-428345860, the following packages have vulnerable dependencies: (full log)

[ ] mailcatcher (@zarelit @nicknovitski)
[ ] redis-dump (@offlinehacker @manveru @nicknovitski)
[ ] scss-lint (@lovek323 @nicknovitski)
[ ] corundum (@nyarly @nicknovitski)
[ ] github-changelog-generator (@Scriptkiddi @nicknovitski)
[ ] xcode-install (@q3k)
[ ] travis (@zimbatm @nicknovitski)
[ ] watson-ruby (@robertodr @nicknovitski)
[ ] mdl (@Gerschtli @manveru @nicknovitski @totoroot)
[ ] jsduck (@periklis @nicknovitski)
[ ] license_finder (no maintainers)
[ ] jazzy (@peterromfeldhk @nicknovitski)
[x] sqlint (@ariutta @nicknovitski @purcell) #351942
[x] gemstash (@viraptor)
[ ] cocoapods (@peterromfeldhk)
[ ] fusuma (@nicknovitski @Br1ght0ne)
[x] redmine (@aanderse @felixsinger @megheaiulian) #352106
[ ] maid (@alanpearce) #352628
[ ] ronn (@zimbatm @nicknovitski)
[ ] bashly (@drupol)
[ ] flatito (@Rucadi)
[ ] pghero (@tie)
[ ] coltrane (@PanAeon)
[ ] doing (@ktf @nicknovitski)
[ ] taskjuggler (@manveru @nicknovitski)
[ ] pt (@sarcasticadmin)
[ ] jekyll (no maintainers)
[x] gollum (@erictapen @jgillich @nicknovitski @bbenno)
[ ] terraforming (@kalbasit)
[ ] terraform-landscape (@mbode @manveru @nicknovitski)
[ ] terraspace (@mislavzanic)
[ ] bitbucket-server-cli (@jgertm @nicknovitski)
[ ] gitlab (@NixOS/gitlab)
[ ] danger-gitlab (@balsoft)
[ ] git-fame (@expipiplus1 @nicknovitski)
[ ] ledger-web (@peterhoeg @manveru @nicknovitski)
[ ] sensu (@ctheune @peterhoeg @manveru @nicknovitski) #351916
[ ] riemann-dash (@manveru @nicknovitski)
[ ] discourse (@talyz)
[ ] showoff (@mwilsoncoding @nicknovitski)
[ ] elm-github-install (@roberth @nicknovitski)
[ ] fpm (@manveru @nicknovitski)
[ ] licensee (@sternenseemann)
[ ] mpdcron (@lovek323 @manveru)
[ ] metasploit (@fabaff @makefu)
[ ] cewl (no maintainers)
[ ] ronin (@Ch1keen)
[ ] procodile (@manveru @nicknovitski)
[ ] anystyle-cli (@shamilt @SCOTT-HAMILTON)
[ ] html-proofer (no maintainers)
[ ] chef-cli (@dylanmtaylor)
[ ] inspec (@dylanmtaylor)
[ ] fluentd (@offlinehacker @nicknovitski)
[ ] t (@offlinehacker @manveru @nicknovitski)
[ ] polar (@jluttine)
[ ] td (@groodt @nicknovitski)
[ ] riemann-tools (@manveru @nicknovitski)
[ ] hue-cli (@manveru @nicknovitski)
[x] asciidoctor-with-extensions (@doronbehar)
[ ] kramdown-asciidoc (no maintainers)
[x] asciidoctor (@yacinehmito @nicknovitski)
[ ] fastlane (@peterromfeldhk @nicknovitski @shahrukh330)
[ ] oxidized (@nicknovitski @n0emis @vidister @johannwagner @yu-re-ka)

To check whether your update is sufficient, run bundler-audit check in the directory with the lockfile.

Note: do not reply to this issue directly (will send an email to all pinged maintainers). Open a PR and reference this issue.

Add a :+1: reaction to issues you find important.

tomodachi94 commented 1 week ago

The following maintainers weren't pinged in the original comment due to a limitation of GitHub. They are repeated here below:

asciidoctor-with-extensions (@doronbehar)
asciidoctor (@yacinehmito @nicknovitski)
fastlane (@peterromfeldhk @nicknovitski @shahrukh330)
oxidized (@nicknovitski @n0emis @vidister @johannwagner @yu-re-ka)

doronbehar commented 1 week ago

Thanks for pinging. I ran nix-shell maintainers/scripts/update.nix --argstr package ... for my bundlerApp application. Is there an easy way to tell if the vulnerabilities were removed?

mohe2015 commented 3 days ago

Thanks for pinging. I ran nix-shell maintainers/scripts/update.nix --argstr package ... for my bundlerApp application. Is there an easy way to tell if the vulnerabilities were removed?

Probably check what the linked script to produce this report does

roberth commented 1 day ago

I may have to drop maintainership of elm-github-install, as I'm already backlogged on updates, I don't use the package anymore, and it doesn't have a test.

NixOS / nixpkgs

Ruby vulnerability roundup 002 #351833