[Snyk] Fix for 6 vulnerabilities #722

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open: wants to merge 1 commit into base: master
30 changes: 15 additions & 15 deletions play-with-docker/Portus/Portus.1/Gemfile
@@ -1,27 +1,27 @@
source "https://rubygems.org"

gem "rails", "~> 5.2.7", ">= 5.2.7.1"
gem "sass-rails", ">= 5.0.5"
gem "rails", "~> 4.2.9"
Copilot AI Jul 25, 2025

Downgrading Rails from 5.2.7 to 4.2.9 introduces significant security risks. Rails 4.2.9 was released in 2017 and lacks years of security patches. This change contradicts the security goals of the PR.

Suggested change
gem "rails", "~> 4.2.9"
gem "rails", "~> 5.2.7"

gem "sass-rails", ">= 5.0.4"
gem "bootstrap-sass", "~> 3.3.4"
gem "slim"
gem "pundit"
gem "sprockets", "~> 2.12.3"
gem "jwt"
gem "base32"
gem "active_model_serializers"
gem "devise", ">= 4.4.2"
gem "devise", ">= 3.5.2"
Copilot AI Jul 25, 2025

Downgrading Devise from 4.4.2 to 3.5.2 removes critical security fixes. Devise 3.x has known vulnerabilities that were addressed in later versions.

Suggested change
gem "devise", ">= 3.5.2"
gem "devise", ">= 4.4.2"

gem "gravatar_image_tag"
gem "public_activity"
gem "public_activity", ">= 1.4.3"
gem "active_record_union"
gem "mysql2"
gem "search_cop"
gem "kaminari"
gem "crono"
gem "net-ldap"
gem "redcarpet"
gem "font-awesome-rails", ">= 4.7.0.4"
gem "font-awesome-rails", ">= 4.5.0.0"
Copilot AI Jul 25, 2025

Downgrading font-awesome-rails from 4.7.0.4 to 4.5.0.0 reduces the minimum version unnecessarily, potentially missing bug fixes and icon updates.

Suggested change
gem "font-awesome-rails", ">= 4.5.0.0"
gem "font-awesome-rails", ">= 4.7.0.4"

gem "rails_stdout_logging", "~> 0.0.5", group: [:development, :staging, :production]
gem "webpack-rails"
gem "webpack-rails", ">= 0.9.11"

# Pinning these specific versions because that's what we have on OBS.
gem "ethon", "~> 0.9.0"
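Review bot: the `gem "rails"` change at the top of this hunk replaces `"~> 5.2.7", ">= 5.2.7.1"` with `"~> 4.2.9"`, a major-version downgrade that also drops the explicit patch-level floor, and the sass-rails, devise and font-awesome-rails lines in the same hunk likewise lower their minimums (5.0.5 to 5.0.4, 4.4.2 to 3.5.2, 4.7.0.4 to 4.5.0.0); in a PR whose stated purpose is fixing vulnerabilities, none of those four lines should merge as written. Restore at least the previous constraints, e.g. `gem "rails", "~> 5.2.7", ">= 5.2.7.1"` and `gem "devise", ">= 4.4.2"`, and check that the base branch's Gemfile really carries the 5.2.7 line, because a generated PR that removes it is most likely based on an older revision of the file. The two lines that do raise floors, `gem "public_activity", ">= 1.4.3"` and `gem "webpack-rails", ">= 0.9.11"`, are the only changes in this hunk that match the PR title.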
@@ -31,7 +31,7 @@ gem "typhoeus", "~> 1.0.2"
gem "bcrypt"

# This is already a Rails dependency, but we use it to run portusctl
gem "thor"
gem "thor", ">= 1.4.0"

# Assets group.
#
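Review bot: `gem "thor", ">= 1.4.0"` raises a floor on a gem the comment above describes as already a Rails dependency, so the constraint only has an effect if bundler can satisfy it together with railties' own thor requirement under the `~> 4.2.9` rails constraint proposed earlier in this PR. The diff touches only `play-with-docker/Portus/Portus.1/Gemfile` (15 additions, 15 deletions) and no Gemfile.lock, so none of the new floors will change what `bundle install` resolves until the lock file is regenerated; run `bundle lock --update thor` (and the same for the other bumped gems) and include the updated Gemfile.lock in the PR so the resolution is verified rather than assumed.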
@@ -68,20 +68,20 @@ unless packaging?
gem "pry-rails"
gem "git-review", require: false
gem "rack-mini-profiler", require: false
gem "guard", require: false
gem "guard-rubocop", require: false
gem "guard-rspec", require: false
gem "guard", ">= 2.14.0", require: false
gem "guard-rubocop", ">= 1.3.0", require: false
gem "guard-rspec", ">= 4.7.0", require: false
end

group :development, :test do
gem "rspec-rails", ">= 3.5.0"
gem "rspec-rails", ">= 3.3.2"
Copilot AI Jul 25, 2025

Downgrading rspec-rails from 3.5.0 to 3.3.2 reduces the minimum version requirement unnecessarily. This removes access to bug fixes and improvements available in newer versions.

Suggested change
gem "rspec-rails", ">= 3.3.2"
gem "rspec-rails", ">= 3.5.0"

gem "byebug"
gem "web-console", "~> 2.1.3"
gem "web-console", "~> 2.2.0"
gem "awesome_print"
gem "hirb"
gem "wirb"
gem "wirble"
gem "factory_girl_rails"
gem "factory_girl_rails", ">= 4.6.0"
gem "ffaker"
gem "rubocop", "~> 0.41.2", require: false
gem "brakeman", require: false
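Review bot: `gem "rspec-rails", ">= 3.3.2"` lowers the floor from the `">= 3.5.0"` line it replaces, which is the opposite of what this PR sets out to do; keep `gem "rspec-rails", ">= 3.5.0"`. The remaining lines in this hunk (guard, guard-rubocop, guard-rspec and factory_girl_rails gaining floors, web-console moving from `"~> 2.1.3"` to `"~> 2.2.0"`) all sit under `unless packaging?`, so they affect development and test installs only and carry no risk for the packaged application; they are fine to land once the lock file reflects them.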
@@ -96,8 +96,8 @@ unless packaging?
gem "vcr"
gem "webmock", "~> 2.3.2", require: false
gem "simplecov", require: false
gem "capybara"
gem "poltergeist", require: false
gem "capybara", ">= 2.5.0"
gem "poltergeist", ">= 1.7.0", require: false
gem "json-schema"
gem "timecop"
gem "codeclimate-test-reporter", group: :test, require: nil