Bug #18855 (closed)
Upgrade to rails 5.2.6.3 to fix security issues on Action Pack & Active Storage
Description
Action Pack report: https://github.com/advisories/GHSA-wh98-p28r-vrc9
Active Storage report: https://github.com/advisories/GHSA-w749-p3v6-hccq
In the process, check if we really need Active Storage in our project (probably not) as it's a newish feature that seems we don't use.
Updated by Lucas Di Pentima almost 3 years ago
Updates at 05fed3ab8 - branch 18855-rails-upgrade
- developer-run-tests: #2955
- Upgrades RailsAPI & Workbench rails gems to 5.2.6.2
- Also upgrades all their dependencies but sprockets & sprockets-rails (because they were needing some extra migration work)
Even though active_storage is requested in the Gemfile.lock, it isn't loaded (the same happens with action_cable) so it wasn't really a security problem. The only way we could avoid having those listed on the Gemfile.lock file is requesting the rest of the rails gems manually, and I'm not sure it's worth the effort.
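As an added illustration of the point made in this comment (example code, not part of the ticket or of Arvados), the following Ruby script separates "listed in Gemfile.lock" from "actually loaded by config/application.rb": a component gem that appears in the lockfile only because the rails meta-gem depends on it does not expose the application unless its railtie or engine is required. The Gemfile.lock and application.rb snippets are constructed, the target version 5.2.6.3 is taken from the ticket title, and the gem-to-railtie mapping covers only a subset of the Rails 5.2 frameworks.

```ruby
# Added example (not from the ticket): audit a Gemfile.lock against the
# Rails frameworks an app actually loads. Sample inputs are constructed.

# Resolved gem versions from the "specs:" section of a Gemfile.lock.
# Direct spec lines are indented by four spaces; their dependencies by six.
def lockfile_versions(lock_text)
  lock_text.each_line.each_with_object({}) do |line, versions|
    if (m = line.match(/\A {4}(\S+) \((\S+)\)\s*\z/))
      versions[m[1]] = m[2]
    end
  end
end

# Require paths that cause each Rails component gem to load.
# Only a subset of the Rails 5.2 frameworks is mapped here.
RAILTIES = {
  "actionpack"    => %w[action_controller/railtie action_view/railtie],
  "activestorage" => %w[active_storage/engine],
  "actioncable"   => %w[action_cable/engine],
  "activerecord"  => %w[active_record/railtie],
}.freeze

# Which component gems config/application.rb actually loads:
# `require "rails/all"` pulls in every framework, otherwise only the
# railties/engines that are required explicitly.
def loaded_components(application_rb)
  requires = application_rb.scan(/^\s*require\s+["']([^"']+)["']/).flatten
  return RAILTIES.keys if requires.include?("rails/all")
  RAILTIES.select { |_, paths| (paths & requires).any? }.keys
end

# For each gem of interest: resolved version, whether it is below the
# target version, and whether it is merely listed or actually loaded.
def audit(lock_text, application_rb, target_version, gems)
  versions = lockfile_versions(lock_text)
  loaded = loaded_components(application_rb)
  target = Gem::Version.new(target_version)
  gems.map do |name|
    version = versions[name]
    outdated = !!(version && Gem::Version.new(version) < target)
    { gem: name, version: version,
      loaded: loaded.include?(name),
      outdated: outdated,
      # Only a gem that is both loaded and outdated exposes the app at runtime.
      exposed: loaded.include?(name) && outdated }
  end
end

# Constructed Gemfile.lock excerpt: the rails meta-gem pulls in activestorage
# even though nothing in the app requires it.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.2.6.2)
        actionview (= 5.2.6.2)
      activestorage (5.2.6.2)
        actionpack (= 5.2.6.2)
      actioncable (5.2.6.2)
      activerecord (5.2.6.2)
LOCK

# Constructed config/application.rb: individual railties, no rails/all.
SAMPLE_APPLICATION_RB = <<~RUBY
  require "rails"
  require "active_record/railtie"
  require "action_controller/railtie"
  require "action_view/railtie"
  # no active_storage/engine or action_cable/engine here
RUBY

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_LOCK, SAMPLE_APPLICATION_RB, "5.2.6.3", %w[actionpack activestorage]).each do |f|
    puts "#{f[:gem]} #{f[:version]} loaded=#{f[:loaded]} outdated=#{f[:outdated]} exposed=#{f[:exposed]}"
  end
end
```

Run against a real checkout by reading the two files instead of the constructed strings; with the sample input, actionpack is reported as loaded and outdated (exposed), while activestorage is outdated but not loaded, which matches the reasoning in the comment above.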
Updated by Ward Vandewege almost 3 years ago
Lucas Di Pentima wrote:
> Updates at 05fed3ab8 - branch 18855-rails-upgrade
> - developer-run-tests: #2955
> - Upgrades RailsAPI & Workbench rails gems to 5.2.6.2
> - Also upgrades all their dependencies but sprockets & sprockets-rails (because they were needing some extra migration work)
> Even though active_storage is requested in the Gemfile.lock, it isn't loaded (the same happens with action_cable) so it wasn't really a security problem. The only way we could avoid having those listed on the Gemfile.lock file is requesting the rest of the rails gems manually, and I'm not sure it's worth the effort.
LGTM, thanks!
Updated by Lucas Di Pentima almost 3 years ago
- Status changed from New to Resolved
Applied in changeset arvados-private:commit:arvados|a3522bb093bab34ce7d51d3cab23fcc44547cffc.