departurerb / departure

Percona's pt-online-schema-change runner for ActiveRecord migrations.

New release required due to XSS security issues #78

Closed lao closed 2 years ago

lao commented 2 years ago

Due to the following vulnerability:

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Full content: https://discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533

The latest released version of the gem is not allowing us to fix this vulnerability. In version 6.3.0, the latest release, we have this version range:

['>= 5.2.0', '<= 6.1'] https://github.com/departurerb/departure/blob/2ccf2f3dd7b113f77a54dc50499c078c1124b111/departure.gemspec#L10

Which does not allow us to update railties and actionrecord to version 6.1.5.1 which fixes the security issues.

Is there a reason why master was not released? It seems to have a version range that corrects the issue.
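As an added example (not code from the departure project or from the issue author), the check below uses RubyGems' own `Gem::Requirement` to show why the quoted `['>= 5.2.0', '<= 6.1']` constraint cannot resolve to 6.1.5.1, and which of the advisory's fixed versions it would still admit; the affected-range logic is my reading of the advisory text quoted above, and the `< 7.1` alternative constraint is a hypothetical for comparison.

```ruby
require "rubygems"

# Constraint quoted from departure 6.3.0's gemspec (see the issue text above).
DEPARTURE_6_3_0_CONSTRAINT = [">= 5.2.0", "<= 6.1"].freeze

# Fixed versions listed in the CVE-2022-22577 advisory, keyed by release series.
FIXED_BY_SERIES = {
  "7.0" => "7.0.2.4",
  "6.1" => "6.1.5.1",
  "6.0" => "6.0.4.8",
  "5.2" => "5.2.7.1",
}.freeze

# Which of the advisory's fixed versions does a dependency constraint actually
# let Bundler resolve to? RubyGems orders "6.1.5.1" after "6.1", so "<= 6.1"
# admits 6.1.0 but none of the 6.1.x patch releases that carry the fix.
def permitted_fixed_versions(constraint, fixed_versions = FIXED_BY_SERIES.values)
  req = Gem::Requirement.new(*constraint)
  fixed_versions.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# Is a given Action Pack version inside the advisory's affected range?
# Affected: >= 5.2.0 and below the fixed release of its own series.
# Assumption (mine, not the advisory's): a series absent from the table,
# such as one released after the advisory, already carries the fix.
def vulnerable_to_cve_2022_22577?(version_string)
  v = Gem::Version.new(version_string)
  return false if v < Gem::Version.new("5.2.0")
  fix = FIXED_BY_SERIES[v.segments.first(2).join(".")]
  return false if fix.nil?
  v < Gem::Version.new(fix)
end

# Audit helper: for a consumer currently on `current`, report whether it is
# vulnerable and whether the constraint lets it reach the fixed release of
# its own series (an upgrade, rather than a downgrade to an older series).
def upgrade_path(constraint, current)
  series = Gem::Version.new(current).segments.first(2).join(".")
  fix = FIXED_BY_SERIES[series]
  {
    vulnerable: vulnerable_to_cve_2022_22577?(current),
    same_series_fix: fix,
    fix_permitted: !fix.nil? && permitted_fixed_versions(constraint, [fix]).any?,
  }
end

if __FILE__ == $PROGRAM_NAME
  p permitted_fixed_versions(DEPARTURE_6_3_0_CONSTRAINT)   # ["6.0.4.8", "5.2.7.1"]
  p upgrade_path(DEPARTURE_6_3_0_CONSTRAINT, "6.1.5")       # fix_permitted: false
end
```

Note that the constraint does admit the 6.0 and 5.2 fixed releases, so a consumer on 6.1.x is blocked from patching only because the fix it needs lies in its own series.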

madlew commented 2 years ago

I'm also looking forward to finding out more about it.

benlangfeld commented 2 years ago

I'm closing this as a duplicate of https://github.com/departurerb/departure/issues/68. A release should be coming up shortly; you should monitor that issue for news.