uclibs / ucrate

Scholar@UC: University of Cincinnati's self-submission institutional repository
https://scholar.uc.edu

Upgrade Puma gem #944

Closed bsp3ars closed 2 years ago

bsp3ars commented 3 years ago

Descriptive summary

We need to upgrade the Puma gem to ~> 4.3.8

Bundler-audit message:

    Name: puma
    Version: 3.12.6
    CVE: CVE-2021-29509
    GHSA: GHSA-q28m-8xjw-8vr5
    Criticality: High
    URL: GHSA-q28m-8xjw-8vr5
    Title: Keepalive Connections Causing Denial Of Service in puma
    Solution: upgrade to ~> 4.3.8, >= 5.3.1

crowesn commented 2 years ago

BrowseEverything has puma pinned to version 3.x

    hyrax (= 2.9.4) was resolved to 2.9.4, which depends on
      browse-everything (>= 0.16) was resolved to 1.0.2, which depends on
        puma (~> 3.11)

https://github.com/samvera/browse-everything/blob/v1.0.2/browse-everything.gemspec#L28

This may be fixed by hyrax upgrade.
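The version conflict behind both comments, as an added example (not code from the ucrate or browse-everything projects): it reads the puma version out of a constructed Gemfile.lock fragment, checks it against the bundler-audit "Solution" ranges quoted above, and shows that no puma release can satisfy both the browse-everything pin and a patched range, which is why the fix has to come through an upstream dependency change rather than a direct bump.

```ruby
# Added example, not part of the ucrate repository.
# Uses RubyGems' own Gem::Requirement semantics so the "~>" (pessimistic)
# operator is evaluated exactly as Bundler evaluates it.
require "rubygems"

# Requirement strings quoted from the issue thread.
PATCHED = ["~> 4.3.8", ">= 5.3.1"].freeze # bundler-audit Solution for CVE-2021-29509
PIN     = "~> 3.11".freeze                 # browse-everything 1.0.2 gemspec pin

# True when the given puma version falls inside at least one patched range.
def patched?(version)
  v = Gem::Version.new(version)
  PATCHED.any? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Extracts the resolved puma version from Gemfile.lock text (specs are
# indented four spaces under "specs:"); returns nil if puma is not locked.
def locked_puma_version(lockfile_text)
  m = lockfile_text.match(/^ {4}puma \((\d+(?:\.\d+)*)\)/)
  m && m[1]
end

# Of the candidate versions, returns those that satisfy BOTH the
# dependency pin and a patched range. For "~> 3.11" (>= 3.11, < 4.0)
# against "~> 4.3.8" / ">= 5.3.1" this is always empty: the pin itself
# excludes every patched release.
def compatible_patched(candidates, pin = PIN)
  pin_req = Gem::Requirement.new(pin)
  candidates.select { |c| pin_req.satisfied_by?(Gem::Version.new(c)) && patched?(c) }
end

# Constructed Gemfile.lock fragment mirroring the state described in the issue.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      browse-everything (1.0.2)
        puma (~> 3.11)
      puma (3.12.6)
LOCK

if __FILE__ == $PROGRAM_NAME
  current = locked_puma_version(SAMPLE_LOCK)
  puts "locked puma #{current}: #{patched?(current) ? 'patched' : 'VULNERABLE'}"
  puts "versions satisfying pin and fix: #{compatible_patched(%w[3.12.6 4.3.8 5.3.1]).inspect}"
end
```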