diff --git a/actioncable/actioncable.gemspec b/actioncable/actioncable.gemspec index 29836f012f..c98ec9afc9 100644 --- a/actioncable/actioncable.gemspec +++ b/actioncable/actioncable.gemspec @@ -25,9 +25,6 @@ Gem::Specification.new do |s| "changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/actioncable/CHANGELOG.md" } - # NOTE: Please read our dependency guidelines before updating versions: - # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves - s.add_dependency "actionpack", version s.add_dependency "nio4r", "~> 2.0" diff --git a/actionmailer/actionmailer.gemspec b/actionmailer/actionmailer.gemspec index c76cb3ec72..4503a30cca 100644 --- a/actionmailer/actionmailer.gemspec +++ b/actionmailer/actionmailer.gemspec @@ -26,9 +26,6 @@ Gem::Specification.new do |s| "changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/actionmailer/CHANGELOG.md" } - # NOTE: Please read our dependency guidelines before updating versions: - # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves - s.add_dependency "actionpack", version s.add_dependency "actionview", version s.add_dependency "activejob", version diff --git a/actionpack/actionpack.gemspec b/actionpack/actionpack.gemspec index c4c755b7ac..b3967f6ce4 100644 --- a/actionpack/actionpack.gemspec +++ b/actionpack/actionpack.gemspec @@ -26,9 +26,6 @@ Gem::Specification.new do |s| "changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/actionpack/CHANGELOG.md" } - # NOTE: Please read our dependency guidelines before updating versions: - # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves - s.add_dependency "activesupport", version s.add_dependency "rack", "~> 2.0" diff --git a/actionview/actionview.gemspec b/actionview/actionview.gemspec index d8bd233ceb..dfc0072469 100644 --- a/actionview/actionview.gemspec +++ b/actionview/actionview.gemspec @@ -26,9 +26,6 @@ Gem::Specification.new do |s| "changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/actionview/CHANGELOG.md" } - # NOTE: Please read our dependency guidelines before updating versions: - # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves - s.add_dependency "activesupport", version s.add_dependency "builder", "~> 3.1" diff --git a/activejob/activejob.gemspec b/activejob/activejob.gemspec index c3c0447d8e..40ca33dbfd 100644 --- a/activejob/activejob.gemspec +++ b/activejob/activejob.gemspec @@ -25,9 +25,6 @@ Gem::Specification.new do |s| "changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/activejob/CHANGELOG.md" } - # NOTE: Please read our dependency guidelines before updating versions: - # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves - s.add_dependency "activesupport", version s.add_dependency "globalid", ">= 0.3.6" end diff --git a/activemodel/activemodel.gemspec b/activemodel/activemodel.gemspec index 4deb76814b..24e5e838dd 100644 --- a/activemodel/activemodel.gemspec +++ b/activemodel/activemodel.gemspec @@ -25,8 +25,5 @@ Gem::Specification.new do |s| "changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/activemodel/CHANGELOG.md" } - # NOTE: Please read our dependency guidelines before updating versions: - # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves - s.add_dependency "activesupport", version end diff --git a/activerecord/activerecord.gemspec b/activerecord/activerecord.gemspec index 1e198c3a55..a8c2cc76a6 100644 --- a/activerecord/activerecord.gemspec +++ b/activerecord/activerecord.gemspec @@ -28,9 +28,6 @@ Gem::Specification.new do |s| "changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/activerecord/CHANGELOG.md" } - # NOTE: Please read our dependency guidelines before updating versions: - # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves - s.add_dependency "activesupport", version s.add_dependency "activemodel", version end diff --git a/activestorage/activestorage.gemspec b/activestorage/activestorage.gemspec index dfada7054a..244065837c 100644 --- a/activestorage/activestorage.gemspec +++ b/activestorage/activestorage.gemspec @@ -25,9 +25,6 @@ Gem::Specification.new do |s| "changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/activestorage/CHANGELOG.md" } - # NOTE: Please read our dependency guidelines before updating versions: - # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves - s.add_dependency "actionpack", version s.add_dependency "activerecord", version diff --git a/activesupport/activesupport.gemspec b/activesupport/activesupport.gemspec index bdd7bc70a0..b5fa510bb3 100644 --- a/activesupport/activesupport.gemspec +++ b/activesupport/activesupport.gemspec @@ -27,9 +27,6 @@ Gem::Specification.new do |s| "changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/activesupport/CHANGELOG.md" } - # NOTE: Please read our dependency guidelines before updating versions: - # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves - s.add_dependency "i18n", ">= 0.7", "< 2" s.add_dependency "tzinfo", "~> 1.1" s.add_dependency "minitest", "~> 5.1" diff --git a/guides/source/security.md b/guides/source/security.md index dbec3cdd2d..bb996cc39c 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -1235,11 +1235,6 @@ version: Rails.application.credentials.some_api_key! # => raises KeyError: :some_api_key is blank ``` -Dependency Management and CVEs ------------------------------- - -We don’t bump dependencies just to encourage use of new versions, including for security issues. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies. - Additional Resources -------------------- diff --git a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt index c517b0f96b..d3bcaa5ec8 100644 --- a/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt +++ b/railties/lib/rails/generators/rails/app/templates/config/initializers/content_security_policy.rb.tt @@ -11,10 +11,6 @@ # policy.object_src :none # policy.script_src :self, :https # policy.style_src :self, :https -<%- unless options[:skip_javascript] -%> -# # If you are using webpack-dev-server then specify webpack-dev-server host -# policy.connect_src :self, :https, "http://localhost:3035", "ws://localhost:3035" if Rails.env.development? -<%- end -%> # # Specify URI for violation reports # # policy.report_uri "/csp-violation-report-endpoint" diff --git a/railties/railties.gemspec b/railties/railties.gemspec index 1bfb0dfe48..e7de51f52a 100644 --- a/railties/railties.gemspec +++ b/railties/railties.gemspec @@ -30,9 +30,6 @@ Gem::Specification.new do |s| "changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/railties/CHANGELOG.md" } - # NOTE: Please read our dependency guidelines before updating versions: - # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves - s.add_dependency "activesupport", version s.add_dependency "actionpack", version diff --git a/railties/test/generators/app_generator_test.rb b/railties/test/generators/app_generator_test.rb index 47e401c34f..a421ac326d 100644 --- a/railties/test/generators/app_generator_test.rb +++ b/railties/test/generators/app_generator_test.rb @@ -230,14 +230,6 @@ class AppGeneratorTest < Rails::Generators::TestCase assert_equal "false\n", output end - def test_csp_initializer_include_connect_src_example - run_generator - - assert_file "config/initializers/content_security_policy.rb" do |content| - assert_match(/# policy\.connect_src/, content) - end - end - def test_app_update_keep_the_cookie_serializer_if_it_is_already_configured app_root = File.join(destination_root, "myapp") run_generator [app_root] @@ -845,9 +837,6 @@ class AppGeneratorTest < Rails::Generators::TestCase end assert_no_gem "webpacker" - assert_file "config/initializers/content_security_policy.rb" do |content| - assert_no_match(/policy\.connect_src/, content) - end end def test_webpack_option_with_js_framework