ruby on rails - What can be done about an unsafe/outdated gem dependency of a required gem?


I have bundler-audit (a check for known vulnerable gems) included in pre-commit and in CI. It comes up with a known vulnerability in a previous version of the nokogiri gem and recommends upgrading.

But here's the rub: the vulnerable gem is among the transitive dependencies of rails and a few other gems I can't strip out. Some of them use a pessimistic version specifier that explicitly precludes the version of nokogiri I'd need to upgrade to.

What does one do in a situation like this? Any advice?

If the current Rails 4.x gem has that dependency, file a bug against Rails.

I'd be surprised if the current 4.x version of Rails has a dependency on an insecure version of the gem, though.
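Before filing a bug as the answer suggests, it helps to know which dependent gem's pessimistic specifier is actually the one blocking the upgrade that bundler-audit asks for. The Ruby script below is an added example, not code from the original post, from bundler-audit, or from Rails: it parses a Gemfile.lock with RubyGems' own Gem::Requirement and lists every dependent whose constraint a candidate nokogiri version would violate. The lockfile fragment is constructed for illustration, its versions and constraints are made up, and legacy_widget is a hypothetical gem standing in for the "few other gems" that pin nokogiri.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with RubyGems

# Constructed Gemfile.lock fragment (not from any real project). Versions and
# constraints are invented; legacy_widget is a hypothetical gem whose
# pessimistic (~>) specifier pins nokogiri below 1.7.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      legacy_widget (0.9.1)
        nokogiri (~> 1.6.0)
      loofah (2.0.3)
        nokogiri (>= 1.5.9)
      mini_portile (0.6.2)
      nokogiri (1.6.6.2)
        mini_portile (~> 0.6.0)
      rails-html-sanitizer (1.0.2)
        loofah (~> 2.0)
LOCK

# Parse the "specs:" section into { name => { version:, deps: { dep => requirement } } }.
# A spec line is indented four spaces, its dependency lines six; a dependency
# with no version constraint is written without parentheses.
def parse_lockfile(text)
  specs = {}
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      current = m[1]
      specs[current] = { version: m[2], deps: {} }
    elsif current && (m = line.match(/\A {6}(\S+)(?: \(([^)]+)\))?\z/))
      specs[current][:deps][m[1]] = m[2] || ">= 0"
    end
  end
  specs
end

# Version of +gem_name+ currently resolved in the lockfile, or nil.
def locked_version(text, gem_name)
  spec = parse_lockfile(text)[gem_name]
  spec && spec[:version]
end

# Dependents whose requirement on +gem_name+ the candidate +target_version+
# would NOT satisfy. Returns [[dependent, requirement_string], ...].
def blocking_dependents(text, gem_name, target_version)
  target = Gem::Version.new(target_version)
  parse_lockfile(text).flat_map do |dependent, spec|
    req = spec[:deps][gem_name]
    next [] unless req
    requirement = Gem::Requirement.new(req.split(", "))
    requirement.satisfied_by?(target) ? [] : [[dependent, req]]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "locked nokogiri: #{locked_version(LOCKFILE, 'nokogiri')}"
  %w[1.6.8 1.7.0].each do |candidate|
    blockers = blocking_dependents(LOCKFILE, "nokogiri", candidate)
    if blockers.empty?
      puts "#{candidate}: no lockfile constraint blocks it"
    else
      blockers.each { |dep, req| puts "#{candidate}: blocked by #{dep} (requires nokogiri #{req})" }
    end
  end
end
```

To run it against a real project, replace LOCKFILE with `File.read("Gemfile.lock")` and pass the fixed version bundler-audit reports. An empty result means `bundle update nokogiri` should be able to pick that version; a non-empty result names the gem whose constraint has to be relaxed upstream (or the bug filed, if it is Rails) before the advisory can be cleared.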
