
Resolves gem vulnerability issues with Nokogiri #2989

Merged
merged 2 commits into from Apr 22, 2019

Conversation

@hpjaj hpjaj (Contributor) commented Apr 22, 2019

Description of change

Resolves gem vulnerability issues with Nokogiri that stem from a CVE for Nokogiri:

sparklemotion/nokogiri#1892

Testing done

Testing planned

Acceptance Criteria (Definition of Done)

Unique to this PR

  • Upgrades nokogiri gem
  • Upgrades bundler-audit, which is required when upgrading nokogiri gem

Applies to all PRs

  • Appropriate logging
  • Swagger docs have been updated, if applicable
  • Provide link to originating GitHub issue, or connected to it via ZenHub
  • Does not contain any sensitive information (i.e. PII/credentials/internal URLs/etc., in logging, hardcoded, or in specs)
  • Provide which alerts would indicate a problem with this functionality (if applicable)

Stems from:

A CVE for Nokogiri and all vets-api builds will fail until we upgrade nokogiri:

sparklemotion/nokogiri#1892
@hpjaj hpjaj requested review from annaswims, kfrz and kreek April 22, 2019 20:18
@kreek kreek (Contributor) left a comment


LGTM 🚀

@hpjaj hpjaj merged commit 8bb1e0d into master Apr 22, 2019
@hpjaj hpjaj deleted the updates-nokogiri-vulnerability branch April 22, 2019 20:34
@@ -54,7 +54,7 @@ gem 'mail', '2.6.6'
gem 'memoist'
gem 'mini_magick'
gem 'net-sftp'
gem 'nokogiri', '1.8.5'
gem 'nokogiri', '~> 1.10', '>= 1.10.3'
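Review bot: The replacement constraint `gem 'nokogiri', '~> 1.10', '>= 1.10.3'` resolves to >= 1.10.3 and < 2.0, so the floor for the fixed release is enforced, but every later 1.x release is accepted as well; if only the 1.10 series is intended, `'~> 1.10.3'` expresses that by itself, and if the wider range is intentional the PR description should say so, since the exact pin `'1.8.5'` it replaces made the resolved version explicit in this file. The "Testing done" section is also empty; it should record that the bundle resolved under the new constraint and that the upgraded bundler-audit run came back clean.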
@annaswims annaswims (Contributor) Apr 22, 2019


This is strange to me, but probably fine. '~> 1.10.3' is the same as >= 1.10.3 and < 1.11

https://bundler.io/gemfile.html


@annaswims As noted, ~> 1.10.3 is the same as >= 1.10.3 and < 1.11.
But, '~> 1.10', '>= 1.10.3' means >= 1.10.3 and < 2.0.
(It is a subset of just ~> 1.10)
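As an added example (not code from this PR or the vets-api project), the constraint forms discussed in the thread checked against RubyGems' own Gem::Requirement, using a constructed list of candidate version strings rather than real Nokogiri releases:

```ruby
# Added example, not part of the vets-api PR: show what each Gemfile constraint
# from the review thread actually admits, using RubyGems' resolver classes.
require 'rubygems'

# The old exact pin and the two constraint forms compared in the review.
CONSTRAINTS = {
  'old exact pin'           => ['1.8.5'],
  'pessimistic patch-level' => ['~> 1.10.3'],
  'PR as merged'            => ['~> 1.10', '>= 1.10.3']
}.freeze

# Constructed sample of candidate versions (not a list of real releases).
CANDIDATES = %w[1.8.5 1.10.2 1.10.3 1.10.9 1.11.0 1.99.0 2.0.0].freeze

# Returns the candidate versions admitted by a set of Gemfile constraint strings.
def admitted(constraint_strings, candidates = CANDIDATES)
  req = Gem::Requirement.new(*constraint_strings)
  candidates.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# True when nothing below the fixed version can be resolved under the constraint.
def floor_enforced?(constraint_strings, floor = '1.10.3')
  min = Gem::Version.new(floor)
  admitted(constraint_strings).all? { |v| Gem::Version.new(v) >= min }
end

if __FILE__ == $PROGRAM_NAME
  CONSTRAINTS.each do |label, strs|
    puts "#{label.ljust(24)} #{strs.inspect.ljust(26)} => #{admitted(strs).join(', ')}"
  end
end
```

Both constraint forms keep 1.10.2 and older out; they differ only in whether 1.11 and later 1.x releases are allowed in.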
