patricklindsay / wice_grid

A Rails grid plugin to create grids with sorting, pagination, and (automatically generated) filters
http://wicegrid.herokuapp.com/
MIT License
33 stars 29 forks

Upgrade kaminari dependency to v1.2 #86

Closed djmolny closed 2 years ago

djmolny commented 2 years ago

Fixed issue https://github.com/patricklindsay/wice_grid/issues/85: upgrade kaminari gem to ~> 1.2.1

kreintjes commented 2 years ago

The gemspec in the master branch of this repository (https://github.com/patricklindsay/wice_grid/blob/master/wice_grid.gemspec#L19) does not limit kaminari to 1.1.x. It is progressively locked on '~> 1.1', meaning any 1.x.y version is allowed, including 1.2.2 or even 1.3 if it's released. You can upgrade kaminari to a secure version with this lock.

You might run into problems because the current version of wice_grid on RubyGems (version 4.1.0) still only allows kaminari 1.1.x. This PR won't change that. It can only be fixed by releasing a new version of the gem on RubyGems, but only @leikind and @patricklindsay have the access to do that. Both don't actively maintain this gem any longer (and neither do I to be honest, although I'm still using it for one project).

Your PR won't fix the problem. In fact it could make it worse in the future, because you are hard-locking on kaminari 1.2.x, blocking a potential upgrade to 1.3 whenever a vulnerability in 1.2 is found. Therefore I'm closing this.
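To make the difference between the two constraints concrete, here is an added example (not code from the wice_grid project or from either commenter) that evaluates them with RubyGems' own `Gem::Requirement` parser. The candidate version list is constructed for illustration, and `~> 1.1.0` is assumed as the form of the lock in the released 4.1.0 gem that "only allows kaminari 1.1.x".

```ruby
# Added example, not part of wice_grid: show which kaminari versions each
# gemspec constraint from this thread admits, using RubyGems' requirement
# parser (Gem::Requirement / Gem::Version ship with Ruby).
require 'rubygems'

# Constructed candidate versions; 1.3.0 stands in for a hypothetical
# future release that would carry a fix for a flaw in 1.2.x.
CANDIDATES = %w[1.0.1 1.1.0 1.1.1 1.2.0 1.2.1 1.2.2 1.3.0 2.0.0].freeze

# Constraints discussed in the thread. '~> 1.1.0' is an assumption about
# how the released 4.1.0 gemspec pins kaminari; the other two are quoted.
CONSTRAINTS = {
  'released 4.1.0 (assumed)' => '~> 1.1.0',
  'master branch'            => '~> 1.1',
  'this PR'                  => '~> 1.2.1'
}.freeze

# Candidate versions satisfying a pessimistic ("~>") constraint.
# '~> 1.1' means >= 1.1, < 2.0; '~> 1.2.1' means >= 1.2.1, < 1.3.
def allowed_versions(constraint, candidates = CANDIDATES)
  req = Gem::Requirement.new(constraint)
  candidates.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# Versions the old constraint accepted that the new one rejects; a future
# patched release landing here is the "could make it worse" case above.
def blocked_by_change(old_constraint, new_constraint, candidates = CANDIDATES)
  allowed_versions(old_constraint, candidates) -
    allowed_versions(new_constraint, candidates)
end

if $PROGRAM_NAME == __FILE__
  CONSTRAINTS.each do |label, constraint|
    puts format('%-26s %-9s allows %s', label, constraint,
                allowed_versions(constraint).join(', '))
  end
  puts "newly blocked by PR: #{blocked_by_change('~> 1.1', '~> 1.2.1').join(', ')}"
end
```

Run it to see that `~> 1.1` already admits 1.2.1 and 1.3.0, while `~> 1.2.1` shuts out 1.3.0 entirely.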

djmolny commented 2 years ago

Thanks for your note. I was unaware that the RubyGems release and GitHub were no longer in sync. It's probably time to look for a replacement gem.