ilyakatz / data-migrate

Migrate and update data alongside your database structure.
MIT License
1.4k stars, 192 forks

CVE-2024-28103 vulnerability in actionpack 7.1.3.2 #316

Open dimitrisdovinos opened 2 months ago

dimitrisdovinos commented 2 months ago

The current version of actionpack (7.1.3.2) in the Gemfile.lock is vulnerable to CVE-2024-28103. Unfortunately, this is classed as a critical vulnerability by NIST. How can I help to upgrade the current actionpack to 7.1.3.4?

bruno-costanzo commented 3 weeks ago

No need to update it. The gem must be compatible with the base version; that does not mean that you cannot use the latest one in your project.

dimitrisdovinos commented 3 weeks ago

Our vulnerability scanner picks up the actionpack version that is required for this gem and flags it as a vulnerability. Even if I use a later version of actionpack for other parts of my project, I still have in my Gemfile.lock a "vulnerable" actionpack because of data-migrate.

I saw that you just submitted a PR. Perhaps it will resolve it. Thank you for looking into the issue.

bruno-costanzo commented 3 weeks ago

So it is not necessary to update the Rails version in our Gemfiles, but to bundle update rails. Right?

dimitrisdovinos commented 3 weeks ago

If the bundle update rails pushes actionpack to 7.1.3.4 or higher then we may be ok.
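The two points made above, that scanners read the version pinned in Gemfile.lock while the gemspec constraint leaves newer actionpack releases available, and that bundle update rails only helps if the locked actionpack ends up at 7.1.3.4 or higher, can be checked mechanically. The following Ruby script is an added example and is not code from the data-migrate project: it parses a constructed Gemfile.lock fragment (not the project's real lock file), compares the locked actionpack against the patched version for its series using Gem::Version, and shows how a gemspec-style requirement is evaluated. 7.1.3.4 is the only patched version the issue names; the patched versions for other series are left out and must be added from the advisory, and the ">= 6.1" requirement used in the usage block is hypothetical, not data-migrate's actual constraint.

```ruby
# Added example, not part of data-migrate. Checks the actionpack version pinned in a
# Gemfile.lock against the patched release for its minor series.
require "rubygems" # Gem::Version and Gem::Requirement are always available

# Patched actionpack versions keyed by minor series. 7.1.3.4 comes from the issue;
# other series are deliberately absent (assumption: fill them in from the advisory)
# and are reported as :unknown_series rather than silently treated as patched.
PATCHED_ACTIONPACK = {
  "7.1" => Gem::Version.new("7.1.3.4"),
}.freeze

# Constructed Gemfile.lock fragment in Bundler's format: spec lines are indented by
# four spaces, their dependency lines by six. Not the project's real lock file.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.1.3.2)
        actionview (= 7.1.3.2)
        activesupport (= 7.1.3.2)
      activesupport (7.1.3.2)
      rails (7.1.3.2)
        actionpack (= 7.1.3.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    data-migrate!
LOCK

# Map gem name => locked version string for the top-level spec lines only.
# Dependency lines ("      actionview (= 7.1.3.2)") are indented deeper and skipped.
def locked_versions(lock_text)
  versions = {}
  lock_text.each_line do |line|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    versions[m[1]] = m[2] if m
  end
  versions
end

# Classify the locked actionpack. Returns [status, version_string] where status is
# :vulnerable, :patched, :unknown_series (no patched version recorded for that
# series) or :missing (actionpack is not in the lock file at all).
def assess_actionpack(lock_text)
  version_str = locked_versions(lock_text)["actionpack"]
  return [:missing, nil] unless version_str

  version = Gem::Version.new(version_str)
  series = version.segments[0, 2].join(".") # "7.1.3.2" => "7.1"
  fixed = PATCHED_ACTIONPACK[series]
  return [:unknown_series, version_str] unless fixed

  [version < fixed ? :vulnerable : :patched, version_str]
end

# Whether a gemspec-style requirement (e.g. ">= 6.1") admits a given version. This
# is the distinction made in the thread: the requirement is what the gem declares,
# the lock file is what a scanner sees.
def requirement_allows?(requirement_str, version_str)
  Gem::Requirement.new(requirement_str).satisfied_by?(Gem::Version.new(version_str))
end

if __FILE__ == $PROGRAM_NAME
  status, version = assess_actionpack(SAMPLE_LOCK)
  puts "locked actionpack #{version}: #{status}"
  # Hypothetical requirement for illustration, not data-migrate's real gemspec line.
  puts "\">= 6.1\" allows 7.1.3.4: #{requirement_allows?(">= 6.1", "7.1.3.4")}"
end
```

Run it against a real lock file by replacing SAMPLE_LOCK with File.read("Gemfile.lock"); a :vulnerable result after bundle update rails means the update did not move actionpack onto the patched release, and an :unknown_series result means the table needs the patched version for that series before the answer can be trusted.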

bruno-costanzo commented 3 weeks ago

I think it works. PR

bruno-costanzo commented 3 weeks ago

At the end of the day I will create a new release with this.

bruno-costanzo commented 3 weeks ago

Can I close this? I think it is repaired with 11.0.0.rc3.