1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00

Add CVE note to security guide and gemspecs

[ci skip]
This commit is contained in:
Gannon McGibbon 2018-11-06 14:17:23 -05:00
parent 212c28ac86
commit 1c11688b56
11 changed files with 35 additions and 0 deletions

View file

@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
# NOTE: There's no need to update dependencies for CVEs in minor
# releases when users can simply run `bundle update vulnerable_gem`.
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "actioncable"

View file

@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
# NOTE: There's no need to update dependencies for CVEs in minor
# releases when users can simply run `bundle update vulnerable_gem`.
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "actionmailer"

View file

@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
# NOTE: There's no need to update dependencies for CVEs in minor
# releases when users can simply run `bundle update vulnerable_gem`.
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "actionpack"

View file

@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
# NOTE: There's no need to update dependencies for CVEs in minor
# releases when users can simply run `bundle update vulnerable_gem`.
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "actionview"

View file

@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
# NOTE: There's no need to update dependencies for CVEs in minor
# releases when users can simply run `bundle update vulnerable_gem`.
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activejob"

View file

@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
# NOTE: There's no need to update dependencies for CVEs in minor
# releases when users can simply run `bundle update vulnerable_gem`.
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activemodel"

View file

@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
# NOTE: There's no need to update dependencies for CVEs in minor
# releases when users can simply run `bundle update vulnerable_gem`.
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activerecord"

View file

@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
# NOTE: There's no need to update dependencies for CVEs in minor
# releases when users can simply run `bundle update vulnerable_gem`.
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activestorage"

View file

@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
# NOTE: There's no need to update dependencies for CVEs in minor
# releases when users can simply run `bundle update vulnerable_gem`.
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activesupport"

View file

@ -1235,6 +1235,11 @@ version:
Rails.application.credentials.some_api_key! # => raises KeyError: :some_api_key is blank
```
Dependency Management and CVEs
------------------------------
Please note that we do not accept patches for CVE version bumps. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
Additional Resources
--------------------

View file

@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
# NOTE: There's no need to update dependencies for CVEs in minor
# releases when users can simply run `bundle update vulnerable_gem`.
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "railties"