steveklabnik / request_store

Per-request global storage for Rack.
https://github.com/steveklabnik/request_store
MIT License

Resolving dependencies for published CVEs #88

Closed sameerchachiya closed 7 months ago

sameerchachiya commented 1 year ago

Hello 👋🏻

Rack version < 2 is causing vulnerabilities. There are included dependencies in this gem that have published CVEs.

In particular, it is vulnerable to CVE-2011-5036 and CVE-2022-30123.

Please resolve this to a version > 2.

Expected Behavior

rack version greater than 2

Actual Behavior

fetching version less than 2

steveklabnik commented 1 year ago

I would be happy to accept a PR for this work, but I haven't written significant Ruby in years and so I'm not confident that I know how to update something across major versions.

orien commented 1 year ago

IMO, no work is needed here. The current constraint does not prevent downstream projects from using a patched and secure version of Rack.

https://github.com/steveklabnik/request_store/blob/5b6b2a1708730780d3b7f5d1b6069134809cb6ec/request_store.gemspec#L21

It's not the request_store gem's responsibility to ensure downstream projects are free from security vulnerabilities. Rather there is a responsibility not to force an insecure version.

It's not forcing an insecure version of Rack.

steveklabnik commented 7 months ago

I have decided to bump this up anyway; this is in the 1.6 release: https://github.com/steveklabnik/request_store/commit/65e0efd247b89dc76f4e86cba741e7bf8ae45c7b
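As an added illustration of the constraint discussion in this thread (example code, not request_store's own), the snippet below uses RubyGems' `Gem::Requirement` to show which Rack versions a gemspec dependency admits: a `>= 1.4` lower bound (assumed here to be what the linked gemspec line declares) lets a resolver pick patched 2.x and 3.x releases, a pessimistic `~> 1.4` would pin downstream projects to 1.x, and an assumed post-bump `>= 2.0` excludes the 1.x range entirely. The candidate version list is constructed.

```ruby
require "rubygems"

# Constructed constraints, not copied from the gem. LOWER_BOUND is assumed to
# match the gemspec line discussed above; POST_BUMP is the assumed 1.6 constraint.
LOWER_BOUND = Gem::Requirement.new(">= 1.4")
PESSIMISTIC = Gem::Requirement.new("~> 1.4")  # what a "locked to 1.x" constraint looks like
POST_BUMP   = Gem::Requirement.new(">= 2.0")

# Constructed list of candidate Rack versions a resolver might have available.
CANDIDATES = %w[1.4.7 1.6.13 2.0.9 2.2.4 3.0.0].freeze

# Versions (as strings) that the requirement allows, in the order given.
def admitted(requirement, candidates = CANDIDATES)
  candidates.select { |v| requirement.satisfied_by?(Gem::Version.new(v)) }
end

# Highest version a resolver could pick under the requirement (nil if none fit).
def highest_admitted(requirement, candidates = CANDIDATES)
  admitted(requirement, candidates).max_by { |v| Gem::Version.new(v) }
end

# True when every admitted version is below `floor`, i.e. the constraint
# forces downstream projects onto the older (here: unpatched) line.
def forces_below?(requirement, floor, candidates = CANDIDATES)
  floor_version = Gem::Version.new(floor)
  admitted(requirement, candidates).all? { |v| Gem::Version.new(v) < floor_version }
end

if __FILE__ == $PROGRAM_NAME
  { "lower bound" => LOWER_BOUND, "pessimistic" => PESSIMISTIC, "post-bump" => POST_BUMP }.each do |name, req|
    puts "#{name} (#{req}): admits #{admitted(req).join(', ')}; " \
         "highest #{highest_admitted(req).inspect}; forces <2.0? #{forces_below?(req, '2.0')}"
  end
end
```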