Open dimitrisdovinos opened 2 months ago
No need to update it. The gem must be compatible with the base version, that does not mean that you cannot use the latest one in your project.
Our vulnerability scanner picks up the actionpack version that is required for this gem and flags it as a vulnerability. Even if I use a later version of actionpack for other parts of my project, I still have in my gemfile lock a "vulnerable" actionpack because of data-migrate.
I saw that you just submitted a PR. Perhaps it will resolve it. Thank you for looking into the issue.
So it is not necessary to update the rails version in our gemfiles, but to bundle update rails. Right?
If the bundle update rails pushes actionpack to 7.1.3.4 or higher then we may be ok.
I think it works. PR
At the end of the day I will create a new release with this.
Can I close this? I think it is repaired with 11.0.0.rc3
The current version of actionpack (7.1.3.2) in the Gemfile.lock is vulnerable to CVE-2024-28103. Unfortunately, this is classed as a critical vulnerability by NIST. How can I help to upgrade the current actionpack to 7.1.3.4?
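The check the scanner is doing can be reproduced locally before and after running bundle update rails. The script below is an added example and not part of the data-migrate project; it parses the resolved versions out of a Gemfile.lock and reports whether the locked actionpack is older than 7.1.3.4, the fixed release named in this thread. The lock file contents are constructed for the example.

```ruby
# Added example (not from the data-migrate project): report whether a Gemfile.lock
# pins actionpack below the fixed release discussed in the thread (7.1.3.4).
require "rubygems" # Gem::Version handles multi-segment and prerelease versions

FIXED_ACTIONPACK = Gem::Version.new("7.1.3.4")

# Constructed Gemfile.lock excerpt: rails 7.1.3.2 pins actionpack to the same version.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.1.3.2)
        actionview (= 7.1.3.2)
      actionview (7.1.3.2)
      rails (7.1.3.2)
        actionpack (= 7.1.3.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails

  BUNDLED WITH
     2.5.9
LOCK

# Resolved gems in a Gemfile.lock sit under "specs:" indented by exactly four
# spaces; their own dependency lines are indented by six and are skipped here.
def locked_versions(lockfile)
  lockfile.each_line.with_object({}) do |line, versions|
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
end

# Returns the locked actionpack version when it is below the fixed release, else nil.
def vulnerable_actionpack(lockfile, fixed: FIXED_ACTIONPACK)
  version = locked_versions(lockfile)["actionpack"]
  version if version && version < fixed
end

if __FILE__ == $PROGRAM_NAME
  contents = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  if (v = vulnerable_actionpack(contents))
    puts "actionpack #{v} is below #{FIXED_ACTIONPACK}: run bundle update rails"
  else
    puts "actionpack is at or above #{FIXED_ACTIONPACK}"
  end
end
```

Pass the path of a real Gemfile.lock as the first argument to check a project instead of the constructed sample.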