Merged
220 changes: 122 additions & 98 deletions Gemfile.lock
@@ -1,123 +1,136 @@
PATH
remote: .
specs:
decanter (5.1.0)
actionpack (>= 7.1.3.2)
decanter (5.1.1)
actionpack (>= 7.1.3)
activesupport
rack (>= 3.1.18)
Contributor Author

@nicoledow nicoledow Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rails (>= 7.1.3.2)
rails-html-sanitizer (>= 1.0.4)
rails-html-sanitizer (>= 1.6.2)

GEM
remote: https://rubygems.org/
specs:
actioncable (7.1.3.2)
actionpack (= 7.1.3.2)
activesupport (= 7.1.3.2)
actioncable (7.1.6)
actionpack (= 7.1.6)
activesupport (= 7.1.6)
nio4r (~> 2.0)
websocket-driver (>= 0.6.1)
zeitwerk (~> 2.6)
actionmailbox (7.1.3.2)
actionpack (= 7.1.3.2)
activejob (= 7.1.3.2)
activerecord (= 7.1.3.2)
activestorage (= 7.1.3.2)
activesupport (= 7.1.3.2)
actionmailbox (7.1.6)
actionpack (= 7.1.6)
activejob (= 7.1.6)
activerecord (= 7.1.6)
activestorage (= 7.1.6)
activesupport (= 7.1.6)
mail (>= 2.7.1)
net-imap
net-pop
net-smtp
actionmailer (7.1.3.2)
actionpack (= 7.1.3.2)
actionview (= 7.1.3.2)
activejob (= 7.1.3.2)
activesupport (= 7.1.3.2)
actionmailer (7.1.6)
actionpack (= 7.1.6)
actionview (= 7.1.6)
activejob (= 7.1.6)
activesupport (= 7.1.6)
mail (~> 2.5, >= 2.5.4)
net-imap
net-pop
net-smtp
rails-dom-testing (~> 2.2)
actionpack (7.1.3.2)
actionview (= 7.1.3.2)
activesupport (= 7.1.3.2)
actionpack (7.1.6)
actionview (= 7.1.6)
activesupport (= 7.1.6)
cgi
nokogiri (>= 1.8.5)
racc
rack (>= 2.2.4)
rack-session (>= 1.0.1)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.2)
rails-html-sanitizer (~> 1.6)
actiontext (7.1.3.2)
actionpack (= 7.1.3.2)
activerecord (= 7.1.3.2)
activestorage (= 7.1.3.2)
activesupport (= 7.1.3.2)
actiontext (7.1.6)
actionpack (= 7.1.6)
activerecord (= 7.1.6)
activestorage (= 7.1.6)
activesupport (= 7.1.6)
globalid (>= 0.6.0)
nokogiri (>= 1.8.5)
actionview (7.1.3.2)
activesupport (= 7.1.3.2)
actionview (7.1.6)
activesupport (= 7.1.6)
builder (~> 3.1)
cgi
erubi (~> 1.11)
rails-dom-testing (~> 2.2)
rails-html-sanitizer (~> 1.6)
activejob (7.1.3.2)
activesupport (= 7.1.3.2)
activejob (7.1.6)
activesupport (= 7.1.6)
globalid (>= 0.3.6)
activemodel (7.1.3.2)
activesupport (= 7.1.3.2)
activerecord (7.1.3.2)
activemodel (= 7.1.3.2)
activesupport (= 7.1.3.2)
activemodel (7.1.6)
activesupport (= 7.1.6)
activerecord (7.1.6)
activemodel (= 7.1.6)
activesupport (= 7.1.6)
timeout (>= 0.4.0)
activestorage (7.1.3.2)
actionpack (= 7.1.3.2)
activejob (= 7.1.3.2)
activerecord (= 7.1.3.2)
activesupport (= 7.1.3.2)
activestorage (7.1.6)
actionpack (= 7.1.6)
activejob (= 7.1.6)
activerecord (= 7.1.6)
activesupport (= 7.1.6)
marcel (~> 1.0)
activesupport (7.1.3.2)
activesupport (7.1.6)
base64
benchmark (>= 0.3)
bigdecimal
concurrent-ruby (~> 1.0, >= 1.0.2)
connection_pool (>= 2.2.5)
drb
i18n (>= 1.6, < 2)
logger (>= 1.4.2)
minitest (>= 5.1)
mutex_m
securerandom (>= 0.3)
tzinfo (~> 2.0)
base64 (0.2.0)
bigdecimal (3.1.7)
builder (3.2.4)
concurrent-ruby (1.2.3)
connection_pool (2.4.1)
base64 (0.3.0)
benchmark (0.5.0)
bigdecimal (4.0.1)
builder (3.3.0)
cgi (0.5.1)
concurrent-ruby (1.3.6)
connection_pool (3.0.2)
crass (1.0.6)
date (3.4.1)
diff-lcs (1.5.1)
date (3.5.1)
diff-lcs (1.6.2)
docile (1.1.5)
dotenv (3.1.1)
drb (2.2.1)
erubi (1.12.0)
globalid (1.2.1)
dotenv (3.2.0)
drb (2.2.3)
erb (6.0.1)
erubi (1.13.1)
globalid (1.3.0)
activesupport (>= 6.1)
i18n (1.14.4)
i18n (1.14.7)
concurrent-ruby (~> 1.0)
io-console (0.7.2)
irb (1.13.0)
io-console (0.8.2)
irb (1.16.0)
pp (>= 0.6.0)
rdoc (>= 4.0.0)
reline (>= 0.4.2)
json (2.7.2)
loofah (2.22.0)
json (2.18.0)
logger (1.7.0)
loofah (2.25.0)
crass (~> 1.0.2)
nokogiri (>= 1.12.0)
mail (2.8.1)
mail (2.9.0)
logger
mini_mime (>= 0.1.1)
net-imap
net-pop
net-smtp
marcel (1.0.4)
marcel (1.1.0)
mini_mime (1.1.5)
minitest (5.22.3)
mutex_m (0.2.0)
net-imap (0.5.6)
minitest (6.0.0)
prism (~> 1.5)
mutex_m (0.3.0)
net-imap (0.6.2)
date
net-protocol
net-pop (0.1.2)
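Review bot: the PATH block lowers decanter's own floor on actionpack from `>= 7.1.3.2` to `>= 7.1.3` while keeping `rails (>= 7.1.3.2)` and raising every other floor in this change for security reasons; since `rails (7.1.6)` pins `actionpack (= 7.1.6)` lower in this file the resolved version is unaffected, but the mismatched floors are confusing to read, so consider keeping `actionpack (>= 7.1.3.2)` unless there is a reason to loosen it. The new `rack (>= 3.1.18)` runtime floor is also not explained anywhere in the PR comments; a sentence in the description saying which advisory it addresses would help the next person who touches these lines.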
@@ -126,55 +139,64 @@ GEM
timeout
net-smtp (0.5.1)
net-protocol
nio4r (2.7.4)
nokogiri (1.16.4-arm64-darwin)
nio4r (2.7.5)
nokogiri (1.18.10-arm64-darwin)
Contributor Author

@nicoledow nicoledow Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nokogiri needed to be upgraded to 1.18.4+ to resolve a couple of critical Dependabot security warnings (listed below). Since nokogiri is not a direct dependency of decanter but a sub-dependency, I had to update a few other gems:

  1. Warning 1
  2. Warning 2

Changes made:

  • Updated rails-html-sanitizer from >= 1.0.4 to >= 1.6.2
    • rails-html-sanitizer 1.6.0 (bundled with Rails 7.1.3.2) constrains nokogiri to ~> 1.14, which blocks upgrading to 1.18.4+
    • Version 1.6.2+ allows nokogiri >= 1.18.4
  • Constrained Rails to ~> 7.1.3 (allows 7.1.6, latest 7.1.x)
    • Keeps Rails 7.1.x compatibility while enabling nokogiri upgrade

Contributor Author

@nicoledow nicoledow Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the process, activestorage was upgraded to 7.1.6, which will resolve the Active Storage critical security alert that recommends upgrading to 7.1.5.2+.

🎉

racc (~> 1.4)
nokogiri (1.16.4-x86_64-linux)
nokogiri (1.18.10-x86_64-linux-gnu)
racc (~> 1.4)
psych (5.1.2)
pp (0.6.3)
prettyprint
prettyprint (0.2.0)
prism (1.7.0)
psych (5.3.1)
date
stringio
racc (1.7.3)
rack (3.0.10)
rack-session (2.0.0)
racc (1.8.1)
rack (3.2.4)
rack-session (2.1.1)
base64 (>= 0.1.0)
rack (>= 3.0.0)
rack-test (2.1.0)
rack-test (2.2.0)
rack (>= 1.3)
rackup (2.1.0)
rackup (2.3.1)
rack (>= 3)
webrick (~> 1.8)
rails (7.1.3.2)
actioncable (= 7.1.3.2)
actionmailbox (= 7.1.3.2)
actionmailer (= 7.1.3.2)
actionpack (= 7.1.3.2)
actiontext (= 7.1.3.2)
actionview (= 7.1.3.2)
activejob (= 7.1.3.2)
activemodel (= 7.1.3.2)
activerecord (= 7.1.3.2)
activestorage (= 7.1.3.2)
activesupport (= 7.1.3.2)
rails (7.1.6)
actioncable (= 7.1.6)
actionmailbox (= 7.1.6)
actionmailer (= 7.1.6)
actionpack (= 7.1.6)
actiontext (= 7.1.6)
actionview (= 7.1.6)
activejob (= 7.1.6)
activemodel (= 7.1.6)
activerecord (= 7.1.6)
activestorage (= 7.1.6)
activesupport (= 7.1.6)
bundler (>= 1.15.0)
railties (= 7.1.3.2)
rails-dom-testing (2.2.0)
railties (= 7.1.6)
rails-dom-testing (2.3.0)
activesupport (>= 5.0.0)
minitest
nokogiri (>= 1.6)
rails-html-sanitizer (1.6.0)
rails-html-sanitizer (1.6.2)
loofah (~> 2.21)
nokogiri (~> 1.14)
railties (7.1.3.2)
actionpack (= 7.1.3.2)
activesupport (= 7.1.3.2)
nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
railties (7.1.6)
actionpack (= 7.1.6)
activesupport (= 7.1.6)
cgi
irb
rackup (>= 1.0.0)
rake (>= 12.2)
thor (~> 1.0, >= 1.2.2)
tsort (>= 0.2)
zeitwerk (~> 2.6)
rake (12.3.3)
rdoc (6.6.3.1)
rdoc (7.0.1)
erb
psych (>= 4.0.0)
reline (0.5.5)
tsort
reline (0.6.3)
io-console (~> 0.5)
rspec-core (3.9.3)
rspec-support (~> 3.9.3)
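Review bot: the removed requirement `nokogiri (~> 1.14)` on rails-html-sanitizer 1.6.0 does not by itself block nokogiri 1.18.x (the pessimistic operator `~> 1.14` means `>= 1.14, < 2.0`), so the explanation in the comment above does not match what this hunk shows; what the 1.6.2 requirement visibly does is exclude every 1.16.0 through 1.16.7 release, including the previously locked 1.16.4, so the description should say that the sanitizer bump was needed to move off an excluded 1.16.x build rather than to lift a `~> 1.14` ceiling. This hunk also carries major-version bumps that are outside the stated security scope: `minitest 5.22.3 → 6.0.0`, `bigdecimal 3.1.7 → 4.0.1` and `connection_pool 2.4.1 → 3.0.2`; please list them in the description and confirm the suite was run against them, since a lockfile-only review cannot tell whether they are intentional.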
@@ -193,26 +215,28 @@ GEM
rspec-mocks (~> 3.9.0)
rspec-support (~> 3.9.0)
rspec-support (3.9.4)
securerandom (0.4.1)
simplecov (0.15.1)
docile (~> 1.1.0)
json (>= 1.8, < 3)
simplecov-html (~> 0.10.0)
simplecov-html (0.10.2)
stringio (3.1.0)
thor (1.3.1)
timeout (0.4.3)
stringio (3.2.0)
thor (1.4.0)
timeout (0.6.0)
tsort (0.2.0)
tzinfo (2.0.6)
concurrent-ruby (~> 1.0)
webrick (1.8.1)
websocket-driver (0.7.7)
websocket-driver (0.8.0)
base64
websocket-extensions (>= 0.1.0)
websocket-extensions (0.1.5)
zeitwerk (2.6.13)
zeitwerk (2.7.4)

PLATFORMS
arm64-darwin-22
arm64-darwin-23
arm64-darwin-24
x86_64-linux

DEPENDENCIES
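Review bot: the PLATFORMS section gains `arm64-darwin-23` and `arm64-darwin-24` alongside the existing `arm64-darwin-22`, which looks like the contributor's local machine being recorded rather than a deliberate change; it is harmless, but either mention it in the description or regenerate the lock on the CI platform so the diff stays limited to the security bumps.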
5 changes: 3 additions & 2 deletions decanter.gemspec
@@ -26,9 +26,10 @@ Gem::Specification.new do |spec|
spec.require_paths = ['lib']

spec.add_dependency 'rails', '>= 7.1.3.2'
spec.add_dependency 'actionpack', '>= 7.1.3.2'
spec.add_dependency 'actionpack', '>= 7.1.3'
spec.add_dependency 'activesupport'
spec.add_dependency 'rails-html-sanitizer', '>= 1.0.4'
spec.add_dependency 'rack', '>= 3.1.18'
spec.add_dependency 'rails-html-sanitizer', '>= 1.6.2'

spec.add_development_dependency 'bundler', '~> 2.4.22'
spec.add_development_dependency 'dotenv'
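Review bot: the comment on Gemfile.lock says Rails was "constrained to ~> 7.1.3", but the gemspec still declares `spec.add_dependency 'rails', '>= 7.1.3.2'` with no upper bound, so that constraint is not in this diff (if it lives in the Gemfile, that file is not part of the change); either the description or the gemspec needs to be corrected so they agree. Two smaller points in the same hunk: `spec.add_dependency 'activesupport'` carries no version floor at all while every neighbouring dependency now has one, and `spec.add_dependency 'rack', '>= 3.1.18'` makes rack a direct runtime dependency of decanter, which deserves a one-line justification in the description since nothing in the diff shows decanter calling rack directly.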
2 changes: 1 addition & 1 deletion lib/decanter/version.rb
@@ -1,3 +1,3 @@
module Decanter
VERSION = '5.1.0'.freeze
VERSION = '5.1.1'.freeze
end
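Review bot: this is a patch-level bump (5.1.0 to 5.1.1) for a change that raises decanter's published minimum for rails-html-sanitizer from `>= 1.0.4` to `>= 1.6.2` and adds a new `rack (>= 3.1.18)` runtime floor; both can fail resolution for downstream applications that pin older versions, so a minor bump (5.2.0) with a CHANGELOG entry naming the raised floors would be the safer signal, and no changelog change appears in this diff.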
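As an added example, not code from the decanter project or from this PR, the following Ruby script does the check a reviewer would want to run against the Gemfile.lock diffed above: it parses the `specs:` entries of a lockfile, compares the locked versions against the floors named in the review comments (nokogiri 1.18.4, rails-html-sanitizer 1.6.2, activestorage 7.1.5.2), and evaluates the two nokogiri requirement strings visible in the rails-html-sanitizer hunk with `Gem::Requirement`, which makes the difference between `~> 1.14` and the 1.6.2 exclusion list concrete. The two lockfile excerpts are constructed for the example and only contain the gems under discussion.

```ruby
require "rubygems"

# Constructed Gemfile.lock excerpts (not the project's real lockfile):
# the pre-upgrade and post-upgrade state of the gems named in the review.
OLD_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activestorage (7.1.3.2)
        actionpack (= 7.1.3.2)
      nokogiri (1.16.4-arm64-darwin)
        racc (~> 1.4)
      nokogiri (1.16.4-x86_64-linux)
        racc (~> 1.4)
      rails-html-sanitizer (1.6.0)
        loofah (~> 2.21)
        nokogiri (~> 1.14)
LOCK

NEW_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activestorage (7.1.6)
        actionpack (= 7.1.6)
      nokogiri (1.18.10-arm64-darwin)
        racc (~> 1.4)
      nokogiri (1.18.10-x86_64-linux-gnu)
        racc (~> 1.4)
      rails-html-sanitizer (1.6.2)
        loofah (~> 2.21)
        nokogiri (>= 1.15.7, != 1.16.7, != 1.16.4)
LOCK

# A locked gem sits four spaces deep under "specs:"; its dependencies sit six
# deep and are skipped. A "-platform" suffix (as on nokogiri) is dropped so the
# bare version can be compared.
SPEC_LINE = /\A {4}(\S+) \((\d+(?:\.\d+)*)(?:-[^)]*)?\)\s*\z/

def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |raw|
    line = raw.chomp
    if line.match?(/\A[A-Z]+\z/)          # GEM, PATH, PLATFORMS, DEPENDENCIES
      in_specs = false
    elsif line == "  specs:"
      in_specs = true
    elsif in_specs && (m = SPEC_LINE.match(line))
      versions[m[1]] ||= Gem::Version.new(m[2])  # platform builds share a version
    end
  end
  versions
end

# Minimum versions taken from the review comments on this PR.
MINIMUM_VERSIONS = {
  "nokogiri"             => Gem::Requirement.new(">= 1.18.4"),
  "rails-html-sanitizer" => Gem::Requirement.new(">= 1.6.2"),
  "activestorage"        => Gem::Requirement.new(">= 7.1.5.2"),
}.freeze

# Returns { gem name => locked version } for every policy gem that is missing
# from the lock or locked below its floor; an empty hash means the lock passes.
def policy_violations(lockfile_text, policy = MINIMUM_VERSIONS)
  versions = locked_versions(lockfile_text)
  policy.each_with_object({}) do |(name, requirement), violations|
    version = versions[name]
    next if version && requirement.satisfied_by?(version)
    violations[name] = version ? version.to_s : "not locked"
  end
end

# Does a set of RubyGems requirement strings admit the given version?
def allows?(requirement_strings, version)
  Gem::Requirement.new(*requirement_strings).satisfied_by?(Gem::Version.new(version))
end

if __FILE__ == $PROGRAM_NAME
  puts "old lock violations: #{policy_violations(OLD_LOCK)}"
  puts "new lock violations: #{policy_violations(NEW_LOCK)}"
  puts "'~> 1.14' admits 1.18.10?         #{allows?(['~> 1.14'], '1.18.10')}"
  puts "1.6.2 requirement admits 1.16.4?  #{allows?(['>= 1.15.7', '!= 1.16.4'], '1.16.4')}"
  puts "1.6.2 requirement admits 1.18.10? #{allows?(['>= 1.15.7', '!= 1.16.4'], '1.18.10')}"
end
```

Run it as `ruby check_lock.rb` (assumed file name); to gate a real repository, replace the constructed excerpts with `File.read("Gemfile.lock")` and exit non-zero when `policy_violations` is non-empty. The interesting output is the last three lines: `~> 1.14` already admits 1.18.10, while the 1.6.2 requirement is what rejects the previously locked 1.16.4.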