Closed bsp3ars closed 2 years ago
BrowseEverything has puma pinned to version 3.x
hyrax (= 2.9.4) was resolved to 2.9.4, which depends on
browse-everything (>= 0.16) was resolved to 1.0.2, which depends on
puma (~> 3.11)
https://github.com/samvera/browse-everything/blob/v1.0.2/browse-everything.gemspec#L28
This may be fixed by a hyrax upgrade.
Descriptive summary
We need to upgrade the Puma gem to ~> 4.3.8
Bundler-audit message:
Name: puma
Version: 3.12.6
CVE: CVE-2021-29509
GHSA: GHSA-q28m-8xjw-8vr5
Criticality: High
URL: GHSA-q28m-8xjw-8vr5
Title: Keepalive Connections Causing Denial Of Service in puma
Solution: upgrade to ~> 4.3.8, >= 5.3.1
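The following is an added example, not code from the issue, from hyrax or from browse-everything. It reproduces the reasoning behind the bundler-audit finding with RubyGems' own Gem::Requirement and Gem::Version classes: the "Solution:" line from the advisory is parsed into patched ranges, the installed puma 3.12.6 is checked against them, and the browse-everything gemspec pin (~> 3.11) is checked for whether it can resolve to any patched release at all. The list of candidate puma versions is constructed for the example and stands in for the gem index.

```ruby
# Added example (not from the issue or from hyrax/browse-everything):
# replay the bundler-audit verdict with RubyGems' requirement/version logic.
require "rubygems"

# The Solution line as printed by bundler-audit for GHSA-q28m-8xjw-8vr5.
SOLUTION_LINE = "Solution: upgrade to ~> 4.3.8, >= 5.3.1"

# Constraint from browse-everything 1.0.2's gemspec (puma ~> 3.11,
# i.e. >= 3.11 and < 4.0).
PIN = Gem::Requirement.new("~> 3.11")

# Constructed sample of puma release versions around this advisory.
CANDIDATES = %w[3.11.0 3.12.6 4.3.7 4.3.8 5.3.0 5.3.1 5.3.2]

# Turn "Solution: upgrade to A, B" into a list of Gem::Requirement objects.
# A version is considered patched when it satisfies ANY one of them.
def parse_solution(line)
  line.sub(/\ASolution:\s*upgrade to\s*/, "")
      .split(/,\s*/)
      .map { |req| Gem::Requirement.new(req) }
end

PATCHED = parse_solution(SOLUTION_LINE)

# True when `version` falls inside one of the advisory's patched ranges.
def patched?(version, patched = PATCHED)
  v = Gem::Version.new(version)
  patched.any? { |req| req.satisfied_by?(v) }
end

# True when `pin` can resolve to at least one candidate version that is
# also patched; false means the pin itself blocks the upgrade, which is
# the situation the issue describes for puma ~> 3.11.
def pin_allows_fix?(pin, candidates = CANDIDATES)
  candidates.any? do |c|
    pin.satisfied_by?(Gem::Version.new(c)) && patched?(c)
  end
end

if __FILE__ == $0
  puts "parsed patched ranges: #{PATCHED.map(&:to_s).join(' | ')}"
  puts "puma 3.12.6 patched?          #{patched?('3.12.6')}"
  puts "pin #{PIN} can reach a fix?  #{pin_allows_fix?(PIN)}"
  relaxed = Gem::Requirement.new(">= 3.11")
  puts "pin #{relaxed} can reach a fix?  #{pin_allows_fix?(relaxed)}"
end
```

Running it shows 3.12.6 is outside both patched ranges and that no version satisfying ~> 3.11 is patched, so no Gemfile change in the application alone fixes the finding; the constraint in the browse-everything gemspec (or a hyrax release that depends on a newer browse-everything) has to move first. Relaxing the pin to >= 3.11 is shown only to illustrate that the conflict is in the constraint, not in the gem index.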