
Security vulnerability in one of the deps of selenium-webdriver (rubyzip) #481

Closed
rhymes opened this issue Aug 25, 2018 · 2 comments

@rhymes (Contributor) commented Aug 25, 2018

Bug Report

After I noticed my documentation-only PR (#479) broke the build, I realized that actually the deploy was being blocked by bundle-audit.

The reason why the build is failing is because there's a security vulnerability in [rubyzip 1.2.1](https://nvd.nist.gov/vuln/detail/CVE-2018-1000544), which is in turn a dependency of selenium-webdriver.

This is the output of bundle-audit:

```
ruby-advisory-db: 321 advisories
Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: https://github.com/rubyzip/rubyzip/issues/369
Title: Directory Traversal in rubyzip
Solution: remove or disable this gem until a patch is available!
```

Unfortunately there's no patch yet (rubyzip/rubyzip#371). I've also opened an issue ticket with Selenium: SeleniumHQ/selenium#6330.

Being a dependency only for the test environment, if this is blocking needed merges, someone could temporarily disable bundle-audit and make the builds go through until the patch is released.

Current Behavior

The build is broken because of a security vulnerability.

Expected Behavior

The build shouldn't have known security vulnerabilities.
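The advisory bundle-audit flagged above is a directory traversal in archive extraction. As an added example (not code from this issue, from rubyzip, or from Selenium), here is the kind of per-entry destination check that defends against that class of bug in Ruby; the entry names and the `/tmp/extract` destination are constructed for illustration.

```ruby
# Constructed sample archive entry names (not taken from the issue).
# The last three are the shapes a directory-traversal check must reject.
SAMPLE_ENTRIES = [
  "docs/readme.txt",
  "nested/dir/file.bin",
  "../../tmp/escaped.txt",
  "/etc/passwd",
  "safe/../../escaped2.txt",
].freeze

# Resolve an archive entry name against the extraction directory and
# return the absolute target path, or nil when the entry would land
# outside that directory. File.expand_path collapses "." and ".."
# without touching the filesystem, so this runs the same everywhere.
def safe_extract_path(dest_dir, entry_name)
  # Absolute entry names and embedded NULs are never legitimate.
  return nil if entry_name.start_with?("/") || entry_name.include?("\0")

  dest = File.expand_path(dest_dir)
  target = File.expand_path(File.join(dest, entry_name))

  # Compare with a trailing separator so that "/out2/x" does not pass
  # as being inside "/out" on a bare string-prefix match.
  inside = target == dest || target.start_with?(dest + File::SEPARATOR)
  inside ? target : nil
end

# Split a list of entry names into the ones that may be extracted and
# the ones that must be refused, for logging or for failing the job.
def partition_entries(dest_dir, entries)
  allowed, rejected = entries.partition { |name| safe_extract_path(dest_dir, name) }
  { allowed: allowed, rejected: rejected }
end

if __FILE__ == $PROGRAM_NAME
  result = partition_entries("/tmp/extract", SAMPLE_ENTRIES)
  result[:allowed].each  { |n| puts "extract: #{n}" }
  result[:rejected].each { |n| puts "REFUSED: #{n}" }
end
```

The check is applied to each entry name before anything is written; an entry that resolves to the destination directory itself (an empty or `.` entry) is allowed, everything that resolves outside it is refused. It does not normalise Windows-style backslashes, so on Windows the separator handling would need extending.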

@benhalpern (Contributor)

Thanks for the heads up. We'll see where this goes come Monday and make a choice about bundle-audit.

@maestromac (Member)

This was resolved.
