Bumps sprockets from 3.7.1 to 3.7.2. This update includes security fixes.
Vulnerabilities fixed
*Sourced from The GitHub Vulnerability Alert Database.*
> **CVE-2018-3760**
> See https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k.
>
> Affected versions: >=3.0.0,<3.7.2
*Sourced from [The Ruby Advisory Database](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sprockets/CVE-2018-3760.yml).*
> **Path Traversal in Sprockets**
> Specially crafted requests can be used to access files that exist on
> the filesystem that is outside an application's root directory, when the
> Sprockets server is used in production.
>
> All users running an affected release should either upgrade or use one of the workarounds immediately.
>
> Workaround:
> In Rails applications, to work around this issue, set `config.assets.compile = false` and
> `config.public_file_server.enabled = true` in an initializer and precompile the assets.
>
> This workaround will not be possible in all hosting environments and upgrading is advised.
>
> Patched versions: >= 2.12.5, < 3.0.0; >= 3.7.2, < 4.0.0; >= 4.0.0.beta8
> Unaffected versions: none
(This is an example of the kind of PRs Dependabot creates, so you can see it in action alongside #438. It won't automatically rebase or do any of the clever stuff Dependabot normally does because I've manually copied it across, though.)
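The advisory above describes the vulnerability class (a request resolving to a file outside the asset root) but not the fix. The following is an added, editor-written illustration of the containment check a static file server needs, not Sprockets code and not the change shipped in 3.7.2: `safe_asset_path`, `demo`, and the directory layout it builds under a temp dir are all constructed for this example.

```ruby
require "pathname"
require "tmpdir"
require "fileutils"

# Resolve a requested asset path against the asset root and return the real
# on-disk path only if it stays inside that root; return nil otherwise.
# Illustrative check written for this page, not the Sprockets implementation.
def safe_asset_path(root, requested)
  # Canonicalise the root first so symlinked roots (e.g. /var -> /private/var)
  # compare correctly against the canonicalised candidate below.
  root = File.realpath(root)
  # File.expand_path collapses "." and ".." segments and turns an absolute
  # `requested` into an absolute path that ignores `root`, so after this call
  # the only question is whether the result still starts with root + "/".
  candidate = File.expand_path(requested, root)
  return nil unless candidate.start_with?(root + File::SEPARATOR)
  # Reject anything that is not a regular file (missing files, directories).
  return nil unless File.file?(candidate)
  # A symlink inside the root may still point outside it: check the real path.
  real = File.realpath(candidate)
  return nil unless real.start_with?(root + File::SEPARATOR)
  real
end

# Build a constructed layout (a public/assets root plus a file above it) and
# exercise the check with an in-root name, a traversal, an absolute path and
# a missing file.
def demo
  Dir.mktmpdir do |dir|
    root = File.join(dir, "public", "assets")
    FileUtils.mkdir_p(root)
    File.write(File.join(root, "application.css"), "body{}")
    File.write(File.join(dir, "secret.txt"), "outside the asset root")
    {
      inside:    safe_asset_path(root, "application.css"),
      traversal: safe_asset_path(root, "../../secret.txt"),
      absolute:  safe_asset_path(root, "/etc/hosts"),
      missing:   safe_asset_path(root, "missing.css"),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |label, path| puts "#{label}: #{path.inspect}" }
end
```

Note that the check operates on the decoded request path; percent-decoding happens in the web server or Rack layer before a path like this is built, and any normalisation done after the check (rather than before) reopens the hole. The Rails workaround in the advisory sidesteps the question entirely by serving precompiled files from `public/` and never resolving request paths through the asset pipeline.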
Coverage remained the same at 92.221% when pulling 1add2d9c6feaf2135755e14a4831bffd8cc1ba62 on greysteil:dependabot/bundler/sprockets-3.7.2 into 1b9adfd4a350f2b64cd60500a17406328ebd46f9 on ivaldi:master.