upgrade rubyzip to >= 1.3.0

unning bundle-audit to check for insecure dependencies... Updating ruby-advisory-db ... From https://github.com/rubysec/ruby-advisory-db * branch master -> FETCH_HEAD Already up to date. Updated ruby-advisory-db ruby-advisory-db: 406 advisories Name: rubyzip Version: 1.2.3 Advisory: CVE-2019-16892 Criticality: Unknown URL: rubyzip/rubyzip#403 Title: Denial of Service in rubyzip ("zip bombs") Solution: upgrade to >= 1.3.0 Vulnerabilities found! Failed. Security vulnerabilities were found.
department-of-veterans-affairs · Sep 30, 2019 · 3df7fd7 · 3df7fd7
1 parent e6b3e61
commit 3df7fd7
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/Gemfile b/Gemfile
@@ -26,7 +26,7 @@ gem 'govdelivery-tms', '2.8.4', require: 'govdelivery/tms/mail/delivery_method'
 gem 'pg', '~> 0.15'
 
 # Bundle edge Rails instead: gem 'rails', github: 'rails/rails'
-gem 'rubyzip', '~> 1.2', '>= 1.2.1'
+gem 'rubyzip', '>= 1.3.0'
 
 gem 'sentry-raven', '~> 2.3.0'
 

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -312,7 +312,7 @@ GEM
     ruby-saml (1.11.0)
       nokogiri (>= 1.5.10)
     ruby_dep (1.5.0)
-    rubyzip (1.2.3)
+    rubyzip (1.3.0)
     sass (3.7.4)
       sass-listen (~> 4.0.0)
     sass-listen (4.0.0)
@@ -420,7 +420,7 @@ DEPENDENCIES
   rspec-rails
   rubocop (~> 0.53.0)
   ruby-saml
-  rubyzip (~> 1.2, >= 1.2.1)
+  rubyzip (>= 1.3.0)
   sass-rails (~> 5.0)
   scss_lint
   sdoc (~> 0.4.0)