ruby on rails - What can be done about an unsafe/outdated gem dependency of a required gem? -


i have bundler-audit (a check known vulnerable gems) included pre-commit , in ci. comes known vulnerability in previous version of nokogiri gem , recommends upgrade.

but here's rub: vulnerable gem among transitive dependencies of rails , few other gems can't strip out. of them use pessimistic version specifier explicitly precludes version of nokogiri i'd need upgrade.

what 1 in situation this? advice?

if current rails 4.x gem has dependency, file bug against rails.

i'd surprised if current 4.x version of rails has dependency on insecure version of gem, though.


Comments

Popular posts from this blog

mongodb - Struggling to get ordered results from the last retrieved article, given array of elements to search in -

c# - Pausing a storyboard on TabItem mouse over -

c# - Attribute value in root node of xml Linq to XML -