livingsocial / bundler-patch

Update your gems conservatively to deal with vulnerable gems or just get more current.
MIT License

patch vulnerable not handling 4 digit version properly #39

Open chrismo opened 7 years ago

chrismo commented 7 years ago

CVE-2016-4658 came out, saying >= 1.7.1 is patched, but this tool is only bumping 1.6.8 to 1.6.8.1

chrismo commented 7 years ago

Not really a bug, turns out. It's another common constraint keeping it from getting to 1.7.1. BUT what may be a bug, is that it does an inadequate update, rather than just not updating at all.

chrismo commented 7 years ago

It should perhaps error out or something.
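To make the failure mode in this thread concrete, here is an added example (not code from bundler-patch or from chrismo) that models the version-selection decision with RubyGems' own `Gem::Version` and `Gem::Requirement`. The gem, its release list, and the constraint strings are constructed for illustration: a locked 1.6.8, a four-segment 1.6.8.1 hotfix, a 1.7.x line, an advisory saying `>= 1.7.1` is patched, and a second constraint `~> 1.6.0` elsewhere in the bundle. `naive_patch` reproduces the inadequate bump the issue describes (stop at the first allowed version newer than the lock); `safe_patch` is the behaviour the last comment asks for (refuse to update unless the bump actually reaches the patched range, and name the constraint that blocks it). Neither function is bundler-patch's real algorithm.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement are part of RubyGems

# Constructed release list for a hypothetical gem (not a real gem's history).
AVAILABLE = %w[1.6.8 1.6.8.1 1.6.9 1.7.0 1.7.1 1.7.2].freeze

# Versions newer than the locked one that every constraint allows, ascending.
# Gem::Version handles four-segment numbers, so 1.6.8 < 1.6.8.1 < 1.6.9.
def candidates(locked:, constraints:, available: AVAILABLE)
  locked = Gem::Version.new(locked)
  reqs = constraints.map { |c| Gem::Requirement.new(c) }
  available.map { |v| Gem::Version.new(v) }
           .select { |v| v > locked && reqs.all? { |r| r.satisfied_by?(v) } }
           .sort
end

# The behaviour the issue describes: take the smallest allowed bump and stop,
# without checking whether it lands inside the advisory's patched range.
def naive_patch(locked:, constraints:, available: AVAILABLE)
  candidates(locked: locked, constraints: constraints, available: available).first&.to_s
end

# Constraints that reject every available version in the patched range,
# i.e. the ones that make the advisory unreachable.
def blocking_constraints(patched:, constraints:, available: AVAILABLE)
  patched_req = Gem::Requirement.new(patched)
  patched_versions = available.map { |v| Gem::Version.new(v) }
                              .select { |v| patched_req.satisfied_by?(v) }
  constraints.select do |c|
    req = Gem::Requirement.new(c)
    patched_versions.none? { |v| req.satisfied_by?(v) }
  end
end

class InadequateUpdate < StandardError; end

# The behaviour the last comment asks for: accept only a bump that satisfies
# the advisory; otherwise raise and say which constraint is in the way,
# rather than silently shipping a partial (still vulnerable) bump.
def safe_patch(locked:, patched:, constraints:, available: AVAILABLE)
  patched_req = Gem::Requirement.new(patched)
  fix = candidates(locked: locked, constraints: constraints, available: available)
          .find { |v| patched_req.satisfied_by?(v) }
  return fix.to_s if fix

  blockers = blocking_constraints(patched: patched, constraints: constraints,
                                  available: available)
  raise InadequateUpdate,
        "no release satisfying #{patched} is reachable from #{locked}; " \
        "blocked by #{blockers.join(', ')}"
end

if $PROGRAM_NAME == __FILE__
  # Same situation as the issue: the bump goes to 1.6.8.1 and stops short.
  puts naive_patch(locked: "1.6.8", constraints: ["~> 1.6.0"])
  # A looser constraint lets the conservative bump reach the patched release.
  puts safe_patch(locked: "1.6.8", patched: ">= 1.7.1", constraints: ["~> 1.6"])
  # The tight constraint now errors out instead of updating inadequately.
  begin
    safe_patch(locked: "1.6.8", patched: ">= 1.7.1", constraints: ["~> 1.6.0"])
  rescue InadequateUpdate => e
    puts "error: #{e.message}"
  end
end
```

The useful check for a practitioner is the third call: when the advisory's floor sits outside what the other constraints allow, a tool should report the blocking constraint (here `~> 1.6.0`) so the user can relax it, rather than leave the lockfile looking updated while still inside the vulnerable range.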