From 28468f6f135ca95e36b93c7d55a080c29e07b57a Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Wed, 20 May 2020 05:25:26 -0300
Subject: [PATCH 1/2] fix: Gemfile & Gemfile.lock to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-569599
- https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-569600
- https://snyk.io/vuln/SNYK-RUBY-ACTIONVIEW-569601
- https://snyk.io/vuln/SNYK-RUBY-ACTIVESTORAGE-569602
- https://snyk.io/vuln/SNYK-RUBY-ACTIVESUPPORT-569598
---
 Gemfile | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/Gemfile b/Gemfile
index 2b309a7..9cf597e 100644
--- a/Gemfile
+++ b/Gemfile
@@ -4,13 +4,13 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 ruby '2.5.1'
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rails', '~> 5.2.0'
+gem 'rails', '~> 5.2.4', '>= 5.2.4.3'
 # Use mysql as the database for Active Record
 gem 'mysql2', '>= 0.4.4', '< 0.6.0'
 # Use Puma as the app server
 gem 'puma', '~> 3.11'
 # Use SCSS for stylesheets
-gem 'sass-rails', '~> 5.0'
+gem 'sass-rails', '~> 5.0', '>= 5.0.7'
 #gem 'sass-rails', '>= 3.2'
 # Use Uglifier as compressor for JavaScript assets
 gem 'uglifier', '>= 1.3.0'
@@ -18,13 +18,13 @@ gem 'uglifier', '>= 1.3.0'
 # gem 'mini_racer', platforms: :ruby
 # Use jquery as the JavaScript library
-gem 'jquery-rails'
+gem 'jquery-rails', '>= 4.3.3'
 # Authentication
-gem 'devise'
+gem 'devise', '>= 4.6.2'
 gem 'devise-bootstrap-views'
-gem 'devise-async'
-gem 'simple_token_authentication', '~> 1.0'
+gem 'devise-async', '>= 1.0.0'
+gem 'simple_token_authentication', '~> 1.15', '>= 1.15.1'
 gem 'bootstrap-generators', '~> 3.3.4'
@@ -32,10 +32,10 @@ gem 'rack-cors', require: 'rack/cors'
 gem 'rack-attack'
 # Authorization
-gem 'pundit'
+gem 'pundit', '>= 2.0.1'
 # content_tag_for was removed from Rails 5, so we need this gem
-gem 'record_tag_helper', '~> 1.0'
+gem 'record_tag_helper', '~> 1.0', '>= 1.0.0'
 # Background jobs
 gem 'sidekiq'
@@ -45,10 +45,10 @@ gem 'cityhash'
 gem 'dalli'
 # Use CoffeeScript for .coffee assets and views
-gem 'coffee-rails', '~> 4.2'
+gem 'coffee-rails', '~> 4.2', '>= 4.2.2'
 # Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
-gem 'jbuilder', '~> 2.5'
+gem 'jbuilder', '~> 2.8', '>= 2.8.0'
 # Use Redis adapter to run Action Cable in production
 # gem 'redis', '~> 4.0'
@@ -57,7 +57,7 @@ gem 'jbuilder', '~> 2.5'
 gem 'bcrypt', '~> 3.1.7'
 # Paging records
-gem 'kaminari'
+gem 'kaminari', '>= 1.1.1'
 # Use ActiveStorage variant
 # gem 'mini_magick', '~> 4.8'
@@ -75,11 +75,11 @@ end
 group :development do
 # Access an interactive console on exception pages or by calling 'console' anywhere in the code.
- gem 'web-console', '>= 3.3.0'
+ gem 'web-console', '>= 3.7.0'
 gem 'listen', '>= 3.0.5', '< 3.2'
 # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring
- gem 'spring'
- gem 'spring-watcher-listen', '~> 2.0.0'
+ gem 'spring', '>= 2.0.2'
+ gem 'spring-watcher-listen', '~> 2.0.1'
 # Use Capistrano for deployment
 gem "capistrano", "~> 3.10", require: false

From d5248f9f3c6c46f09bc1c194bac6d4e18f93f352 Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Wed, 20 May 2020 05:25:27 -0300
Subject: [PATCH 2/2] fix: Gemfile & Gemfile.lock to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-569599
- https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-569600
- https://snyk.io/vuln/SNYK-RUBY-ACTIONVIEW-569601
- https://snyk.io/vuln/SNYK-RUBY-ACTIVESTORAGE-569602
- https://snyk.io/vuln/SNYK-RUBY-ACTIVESUPPORT-569598
---
 Gemfile.lock | 213 +++++++++++++++++++++++++--------------------------
 1 file changed, 105 insertions(+), 108 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 176afa7..8f5dd18 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,43 +1,43 @@ GEM remote: https://rubygems.org/ specs: - actioncable (5.2.3) - actionpack (= 5.2.3) + actioncable (5.2.4.3) + actionpack (= 5.2.4.3) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailer (5.2.3) - actionpack (= 5.2.3) - actionview (= 5.2.3) - activejob (= 5.2.3) + actionmailer (5.2.4.3) + actionpack (= 5.2.4.3) + actionview (= 5.2.4.3) + activejob (= 5.2.4.3) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 2.0) - actionpack (5.2.3) - actionview (= 5.2.3) - activesupport (= 5.2.3) - rack (~> 2.0) + actionpack (5.2.4.3) + actionview (= 5.2.4.3) + activesupport (= 5.2.4.3) + rack (~> 2.0, >= 2.0.8) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionview (5.2.3) - activesupport (= 5.2.3) + actionview (5.2.4.3) + activesupport (= 5.2.4.3) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.3) - activejob (5.2.3) - activesupport (= 5.2.3) + activejob (5.2.4.3) + activesupport (= 5.2.4.3) globalid (>= 0.3.6) - activemodel (5.2.3) - activesupport (= 5.2.3) - activerecord (5.2.3) - activemodel (= 5.2.3) - activesupport (= 5.2.3) + activemodel (5.2.4.3) + activesupport (= 5.2.4.3) + activerecord (5.2.4.3) + activemodel (= 5.2.4.3) + activesupport (= 5.2.4.3) arel (>= 9.0) - activestorage (5.2.3) - actionpack (= 5.2.3) - activerecord (= 5.2.3) + activestorage (5.2.4.3) + actionpack (= 5.2.4.3) + activerecord (= 5.2.4.3) marcel (~> 0.3.1) - activesupport (5.2.3) + activesupport (5.2.4.3) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 0.7, < 2) minitest (~> 5.1) @@ -49,13 +49,13 @@ GEM archive-zip (0.12.0) io-like (~> 0.3.0) arel (9.0.0) - bcrypt (3.1.12) - bindex (0.6.0) + bcrypt (3.1.13) + bindex (0.8.1) bootsnap (1.4.2) msgpack (~> 1.0) bootstrap-generators (3.3.4) railties (>= 3.1.0) - builder (3.2.3) + builder (3.2.4) byebug (11.0.1) capistrano (3.11.0) airbrussh (>= 1.0.0) 
@@ -93,78 +93,76 @@ GEM coffee-script-source execjs coffee-script-source (1.12.2) - concurrent-ruby (1.1.5) + concurrent-ruby (1.1.6) connection_pool (2.2.2) - crass (1.0.4) + crass (1.0.6) dalli (2.7.10) - devise (4.6.2) + devise (4.7.1) bcrypt (~> 3.0) orm_adapter (~> 0.1) - railties (>= 4.1.0, < 6.0) + railties (>= 4.1.0) responders warden (~> 1.2.3) devise-async (1.0.0) activejob (>= 5.0) devise (>= 4.0) devise-bootstrap-views (1.1.0) - erubi (1.8.0) + erubi (1.9.0) execjs (2.7.0) - ffi (1.10.0) + ffi (1.12.2) globalid (0.4.2) activesupport (>= 4.2.0) - i18n (1.6.0) + i18n (1.8.2) concurrent-ruby (~> 1.0) io-like (0.3.0) - jbuilder (2.8.0) - activesupport (>= 4.2.0) - multi_json (>= 1.2) - jquery-rails (4.3.3) + jbuilder (2.10.0) + activesupport (>= 5.0.0) + jquery-rails (4.4.0) rails-dom-testing (>= 1, < 3) railties (>= 4.2.0) thor (>= 0.14, < 2.0) - kaminari (1.1.1) + kaminari (1.2.0) activesupport (>= 4.1.0) - kaminari-actionview (= 1.1.1) - kaminari-activerecord (= 1.1.1) - kaminari-core (= 1.1.1) - kaminari-actionview (1.1.1) + kaminari-actionview (= 1.2.0) + kaminari-activerecord (= 1.2.0) + kaminari-core (= 1.2.0) + kaminari-actionview (1.2.0) actionview - kaminari-core (= 1.1.1) - kaminari-activerecord (1.1.1) + kaminari-core (= 1.2.0) + kaminari-activerecord (1.2.0) activerecord - kaminari-core (= 1.1.1) - kaminari-core (1.1.1) + kaminari-core (= 1.2.0) + kaminari-core (1.2.0) listen (3.1.5) rb-fsevent (~> 0.9, >= 0.9.4) rb-inotify (~> 0.9, >= 0.9.7) ruby_dep (~> 1.2) - loofah (2.2.3) + loofah (2.5.0) crass (~> 1.0.2) nokogiri (>= 1.5.9) mail (2.7.1) mini_mime (>= 0.1.1) marcel (0.3.3) mimemagic (~> 0.3.2) - method_source (0.9.2) - mimemagic (0.3.3) - mini_mime (1.0.1) + method_source (1.0.0) + mimemagic (0.3.5) + mini_mime (1.0.2) mini_portile2 (2.4.0) - minitest (5.11.3) + minitest (5.14.1) msgpack (1.2.9) - multi_json (1.13.1) mysql2 (0.5.2) net-scp (2.0.0) net-ssh (>= 2.6.5, < 6.0.0) net-ssh (5.2.0) - nio4r (2.3.1) - nokogiri (1.10.2) + nio4r 
(2.5.2) + nokogiri (1.10.9) mini_portile2 (~> 2.4.0) orm_adapter (0.5.0) public_suffix (3.0.3) puma (3.12.1) - pundit (2.0.1) + pundit (2.1.0) activesupport (>= 3.0.0) - rack (2.0.7) + rack (2.2.2) rack-attack (5.4.2) rack (>= 1.0, < 3) rack-cors (1.0.3) 
@@ -172,50 +170,50 @@ GEM rack rack-test (1.1.0) rack (>= 1.0, < 3) - rails (5.2.3) - actioncable (= 5.2.3) - actionmailer (= 5.2.3) - actionpack (= 5.2.3) - actionview (= 5.2.3) - activejob (= 5.2.3) - activemodel (= 5.2.3) - activerecord (= 5.2.3) - activestorage (= 5.2.3) - activesupport (= 5.2.3) + rails (5.2.4.3) + actioncable (= 5.2.4.3) + actionmailer (= 5.2.4.3) + actionpack (= 5.2.4.3) + actionview (= 5.2.4.3) + activejob (= 5.2.4.3) + activemodel (= 5.2.4.3) + activerecord (= 5.2.4.3) + activestorage (= 5.2.4.3) + activesupport (= 5.2.4.3) bundler (>= 1.3.0) - railties (= 5.2.3) + railties (= 5.2.4.3) sprockets-rails (>= 2.0.0) rails-dom-testing (2.0.3) activesupport (>= 4.2.0) nokogiri (>= 1.6) - rails-html-sanitizer (1.0.4) - loofah (~> 2.2, >= 2.2.2) - railties (5.2.3) - actionpack (= 5.2.3) - activesupport (= 5.2.3) + rails-html-sanitizer (1.3.0) + loofah (~> 2.3) + railties (5.2.4.3) + actionpack (= 5.2.4.3) + activesupport (= 5.2.4.3) method_source rake (>= 0.8.7) thor (>= 0.19.0, < 2.0) - rake (12.3.2) - rb-fsevent (0.10.3) - rb-inotify (0.10.0) + rake (13.0.1) + rb-fsevent (0.10.4) + rb-inotify (0.10.1) ffi (~> 1.0) - record_tag_helper (1.0.0) - actionview (~> 5.x) + record_tag_helper (1.0.1) + actionview (>= 5) redis (4.1.0) regexp_parser (1.4.0) - responders (2.4.1) - actionpack (>= 4.2.0, < 6.0) - railties (>= 4.2.0, < 6.0) + responders (3.0.0) + actionpack (>= 5.0) + railties (>= 5.0) ruby_dep (1.5.0) rubyzip (1.2.2) - sass (3.7.3) + sass (3.7.4) sass-listen (~> 4.0.0) sass-listen (4.0.0) rb-fsevent (~> 0.9, >= 0.9.4) rb-inotify (~> 0.9, >= 0.9.7) - sass-rails (5.0.7) - railties (>= 4.0.0, < 6) + sass-rails (5.1.0) + railties (>= 5.2.0) sass (~> 3.1) sprockets (>= 2.8, < 4.0) sprockets-rails (>= 2.0, < 4.0) 
@@ -228,12 +226,11 @@ GEM rack (>= 1.5.0) rack-protection (>= 1.5.0) redis (>= 3.3.5, < 5) - simple_token_authentication (1.15.1) - actionmailer (>= 3.2.6, < 6) - actionpack (>= 3.2.6, < 6) + simple_token_authentication (1.17.0) + actionmailer (>= 3.2.6, < 7) + actionpack (>= 3.2.6, < 7) devise (>= 3.2, < 6) - spring (2.0.2) - activesupport (>= 4.2) + spring (2.1.0) spring-watcher-listen (2.0.1) listen (>= 2.7, < 4.0) spring (>= 1.2, < 3.0) @@ -247,10 +244,10 @@ GEM sshkit (1.18.2) net-scp (>= 1.1.2) net-ssh (>= 2.8.0) - thor (0.20.3) + thor (1.0.1) thread_safe (0.3.6) - tilt (2.0.9) - tzinfo (1.2.5) + tilt (2.0.10) + tzinfo (1.2.7) thread_safe (~> 0.1) uglifier (4.1.20) execjs (>= 0.3.0, < 3) @@ -261,9 +258,9 @@ GEM activemodel (>= 5.0) bindex (>= 0.4.0) railties (>= 5.0) - websocket-driver (0.7.0) + websocket-driver (0.7.1) websocket-extensions (>= 0.1.0) - websocket-extensions (0.1.3) + websocket-extensions (0.1.4) xpath (3.2.0) nokogiri (~> 1.8) @@ -282,33 +279,33 @@ DEPENDENCIES capybara (>= 2.15, < 4.0) chromedriver-helper cityhash - coffee-rails (~> 4.2) + coffee-rails (~> 4.2, >= 4.2.2) dalli - devise - devise-async + devise (>= 4.6.2) + devise-async (>= 1.0.0) devise-bootstrap-views - jbuilder (~> 2.5) - jquery-rails - kaminari + jbuilder (~> 2.8, >= 2.8.0) + jquery-rails (>= 4.3.3) + kaminari (>= 1.1.1) listen (>= 3.0.5, < 3.2) mysql2 (>= 0.4.4, < 0.6.0) puma (~> 3.11) - pundit + pundit (>= 2.0.1) rack-attack rack-cors - rails (~> 5.2.0) - record_tag_helper (~> 1.0) - sass-rails (~> 5.0) + rails (~> 5.2.4, >= 5.2.4.3) + record_tag_helper (~> 1.0, >= 1.0.0) + sass-rails (~> 5.0, >= 5.0.7) selenium-webdriver sidekiq - simple_token_authentication (~> 1.0) - spring - spring-watcher-listen (~> 2.0.0) + simple_token_authentication (~> 1.15, >= 1.15.1) + spring (>= 2.0.2) + spring-watcher-listen (~> 2.0.1) uglifier (>= 1.3.0) - web-console (>= 3.3.0) + web-console (>= 3.7.0) RUBY VERSION ruby 2.5.1p57 BUNDLED WITH - 2.0.1 + 1.17.3