Arvados

Reported https://github.com/arvados/arvados/security/dependabot/79 as #20336

Handling https://github.com/arvados/arvados/security/dependabot/97 by upgrading the rack gem on RailsAPI & WB1.

Update: 1cb23beff - branch 20325-rack-upgrade
Test run: developer-run-tests: #3587

Dismissed https://github.com/arvados/arvados/security/dependabot/107 as we're not using the vulnerable code.

Dismissed https://github.com/arvados/arvados/security/dependabot/2 & https://github.com/arvados/arvados/security/dependabot/5 as the risk is tolerable because is related to doc generation and doesn't affect running clusters.

Handling https://github.com/arvados/arvados/security/dependabot/96 by upgrading the golang.org/x/net module.

Updates at ee9e02d91 - branch 20325-go-x-net-upgrade
Test run: developer-run-tests: #3588

Handling https://github.com/arvados/arvados/security/dependabot/109 by upgrading nokogiri on both RailsAPI & WB1.

Updates at a56ec3ec5 - branch 20325-nokogiri-upgrade
Test run: developer-run-tests: #3589

Dismissed https://github.com/arvados/arvados/security/dependabot/105 & https://github.com/arvados/arvados/security/dependabot/106 as we're not using the vulnerable code.

Dismissed https://github.com/arvados/arvados/security/dependabot/101,https://github.com/arvados/arvados/security/dependabot/102 & https://github.com/arvados/arvados/security/dependabot/103 as we're not using the vulnerable code. (vulnerability may appear when using ruby 3.2 onwards)

Handling https://github.com/arvados/arvados/security/dependabot/92, https://github.com/arvados/arvados/security/dependabot/95, https://github.com/arvados/arvados/security/dependabot/94 & https://github.com/arvados/arvados/security/dependabot/93 by upgrading the github.com/containerd/containerd module.

Updates at ddf2c60df - branch 20325-go-containerd-upgrade
Test run: developer-run-tests: #3596
WB1 re-run: developer-run-tests-apps-workbench-integration: #3882

Handling https://github.com/arvados/arvados/security/dependabot/64 & https://github.com/arvados/arvados/security/dependabot/65 by upgrading globalid gem on RailsAPI & WB1

Updates at a6775c492 - branch 20325-globalid-gem-upgrade
Test run: developer-run-tests: #3599

Handling https://github.com/arvados/arvados/security/dependabot/91 by upgrading github.com/docker/distribution to version 2.8.1

Updates at b3c7d9bbf - branch 20325-go-docker-distribution-upgrade
Test run: developer-run-tests: #3603

Dismissed https://github.com/arvados/arvados/security/dependabot/81 & https://github.com/arvados/arvados/security/dependabot/82 as we don't seem to use the underscore method on user provided input.

Handling https://github.com/arvados/arvados/security/dependabot/110 & https://github.com/arvados/arvados/security/dependabot/111 by upgrading jquery-rails and its dependencies on RailsAPI & WB1

Updates at ab72becc8 - branch 20325-jquery-rails-upgrade
Test run: developer-run-tests: #3649
WB1 integration re-run: developer-run-tests-apps-workbench-integration: #3940

Handling https://github.com/arvados/arvados/security/dependabot/112 by upgrading the github.com/docker/distribution module to version v2.8.2+incompatible.

Updates at ee1e494c0 - branch 20325-go-docker-distribution-upgrade2
Test run: developer-run-tests: #3651

Looking at the following reports:

• https://github.com/arvados/arvados/security/dependabot/77
• https://github.com/arvados/arvados/security/dependabot/78
• https://github.com/arvados/arvados/security/dependabot/83
• https://github.com/arvados/arvados/security/dependabot/84

Seems that the patch could be applied to rails 5.2.8.x too:
https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118#patches-5