zooniverse / talk-api

Apache License 2.0

Bump json to >= 2.3.0 #243

Closed wgranger closed 4 years ago

wgranger commented 4 years ago

Dependabot isn't opening an automated PR, but the json gem needs to be bumped. This is a moderate vulnerability, and more info is contained here

wgranger commented 4 years ago

bundle update json won't resolve this (Bundler attempted to update json but its version stayed the same). Running gem dependency json shows the following:

Gem json-1.8.6
  rake (>= 0, development)
  test-unit (~> 2.0, development)

Gem json-2.1.0
  rake (>= 0, development)
  test-unit (~> 2.0, development)

Gem json-2.2.0
  rake (>= 0, development)
  test-unit (~> 2.0, development)

Only rake is in the Gemfile.lock. Neither are in the Gemfile. Is this bump something that is best done with a Rails upgrade?

camallen commented 4 years ago

Looks like one of the other gems has locked the max version you can install with; you'll have to bump the offending gem to free the lock on the json gem. Looks like sdoc might be the offending gem, I don't think that is used tbh - might be best to remove that dependency in the Gemfile and see if you can bump. https://github.com/zooniverse/talk-api/search?q=sdoc&unscoped_q=sdoc

I thought bundler reports which gem is blocking the update as well?
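Added example, not code from this issue or from the talk-api project: a Ruby script that parses a constructed Gemfile.lock with the standard rubygems API and lists which locked gems pin json below a target version, which is the "which gem is blocking the update" check discussed above. The rdoc and sdoc requirements in the sample lockfile are assumed, not the project's real ones.

```ruby
require "rubygems"

# Constructed Gemfile.lock fragment (not talk-api's real lockfile): the rdoc
# and sdoc requirements on json are assumed here for illustration only.
LOCKFILE = <<~LOCK
  GEM
    specs:
      json (2.1.0)
      rake (13.0.1)
      rdoc (4.3.0)
        json (~> 1.4)
      sdoc (0.4.2)
        json (~> 1.7, >= 1.7.7)

  PLATFORMS
    ruby
LOCK

SPEC_LINE = /\A {4}(\S+) \((.+)\)\z/       # "    sdoc (0.4.2)"
DEP_LINE  = /\A {6}(\S+)(?: \((.+)\))?\z/  # "      json (~> 1.7, >= 1.7.7)"

# Parse each "specs:" block (ended by a blank line) into
# {name => {version:, deps: {dep_name => Gem::Requirement}}}.
def parse_specs(lockfile)
  specs, current, in_specs = {}, nil, false
  lockfile.each_line(chomp: true) do |line|
    if line.strip == "specs:"
      in_specs = true
    elsif line.strip.empty?
      in_specs = false
    elsif in_specs && (m = SPEC_LINE.match(line))
      current = m[1]
      specs[current] = { version: m[2], deps: {} }
    elsif in_specs && current && (m = DEP_LINE.match(line))
      reqs = m[2] ? m[2].split(", ") : [">= 0"]
      specs[current][:deps][m[1]] = Gem::Requirement.new(reqs)
    end
  end
  specs
end

# Locked gems whose requirement on gem_name excludes the target version: these
# must be bumped or dropped before `bundle update gem_name` can reach target.
def blocking_gems(lockfile, gem_name, target)
  target_version = Gem::Version.new(target)
  parse_specs(lockfile).each_with_object([]) do |(name, spec), out|
    req = spec[:deps][gem_name]
    out << name if req && !req.satisfied_by?(target_version)
  end
end
```

Run against the sample with `blocking_gems(LOCKFILE, "json", "2.3.0")` to get the gems to bump or remove; point `LOCKFILE` at `File.read("Gemfile.lock")` for a real project.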