Add CVE note to security guide and gemspecs
[ci skip]
This commit is contained in:
parent
212c28ac86
commit
1c11688b56
11 changed files with 35 additions and 0 deletions
|
@ -2,6 +2,9 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "actioncable"
|
||||
|
|
|
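Review bot: The comment added above `Gem::Specification.new` in this gemspec recommends `bundle update vulnerable_gem`, while the security-guide text in the same commit recommends `bundle update --conservative gem_name`; the two notes should give the same command, and the guide's form is the safer one because `--conservative` stops indirect dependencies from being bumped as a side effect of the update. Suggest amending the second comment line so the command reads `bundle update --conservative vulnerable_gem`. The same two-line note is added to the sections for actionmailer, actionpack, actionview, activejob, activemodel, activerecord, activestorage, activesupport and railties, so the same change applies in each of them. The gemspec file paths are not shown on this page, so the sections are identified here by their `s.name` values.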
@ -2,6 +2,9 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "actionmailer"
|
||||
|
|
|
@ -2,6 +2,9 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "actionpack"
|
||||
|
|
|
@ -2,6 +2,9 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "actionview"
|
||||
|
|
|
@ -2,6 +2,9 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "activejob"
|
||||
|
|
|
@ -2,6 +2,9 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "activemodel"
|
||||
|
|
|
@ -2,6 +2,9 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "activerecord"
|
||||
|
|
|
@ -2,6 +2,9 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "activestorage"
|
||||
|
|
|
@ -2,6 +2,9 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "activesupport"
|
||||
|
|
|
@ -1235,6 +1235,11 @@ version:
|
|||
Rails.application.credentials.some_api_key! # => raises KeyError: :some_api_key is blank
|
||||
```
|
||||
|
||||
Dependency Management and CVEs
|
||||
------------------------------
|
||||
|
||||
Please note that we do not accept patches for CVE version bumps. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
|
||||
|
||||
Additional Resources
|
||||
--------------------
|
||||
|
||||
|
|
|
@ -2,6 +2,9 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "railties"
|
||||
|
|