Bug #18855
closed
Upgrade to rails 5.2.6.3 to fix security issues on Action Pack & Active Storage
Description
Action Pack report: https://github.com/advisories/GHSA-wh98-p28r-vrc9
Active Storage report: https://github.com/advisories/GHSA-w749-p3v6-hccq
In the process, check if we really need Active Storage in our project (probably not) as it's a newish feature that seems we don't use.
Updated by Lucas Di Pentima about 2 years ago
Updates at 05fed3ab8 - branch 18855-rails-upgrade - developer-run-tests: #2955
- Upgrades RailsAPI & Workbench rails gems to 5.2.6.2
- Also upgrades all their dependencies but
sprockets&sprockets-rails(because they were needing some extra migration work)
Even though active_storage is requested in the Gemfile.lock, it isn't loaded (the same happens with action_cable) so it wasn't really a security problem. The only way we could avoid having those listed on the Gemfile.lock file is requesting the rest of the rails gems manually, and I'm not sure it's worth the effort.
Updated by Ward Vandewege about 2 years ago
Lucas Di Pentima wrote:
Updates at 05fed3ab8 - branch
18855-rails-upgrade- developer-run-tests: #2955
- Upgrades RailsAPI & Workbench rails gems to 5.2.6.2
- Also upgrades all their dependencies but
sprockets&sprockets-rails(because they were needing some extra migration work)Even though
active_storageis requested in theGemfile.lock, it isn't loaded (the same happens withaction_cable) so it wasn't really a security problem. The only way we could avoid having those listed on theGemfile.lockfile is requesting the rest of the rails gems manually, and I'm not sure it's worth the effort.
LGTM, thanks!
Updated by Lucas Di Pentima about 2 years ago
- Status changed from New to Resolved
Applied in changeset arvados-private:commit:arvados|a3522bb093bab34ce7d51d3cab23fcc44547cffc.
Updated by