Add a gem w/ a known security vulnerability #1
Conversation
pdobb
force-pushed
the
introduce_a_gem_security_vulnerability
branch
2 times, most recently
from
f6119fe
to
3d267da
Compare
pdobb
force-pushed
the
introduce_a_gem_security_vulnerability
branch
6 times, most recently
from
1eda32c
to
a4434b1
Compare
pdobb
force-pushed
the
introduce_a_gem_security_vulnerability
branch
2 times, most recently
from
d97bdbc
to
85a1173
Compare
pdobb
force-pushed
the
introduce_a_gem_security_vulnerability
branch
from
85a1173
to
ce8fff0
Compare
pdobb
force-pushed
the
introduce_a_gem_security_vulnerability
branch
from
ce8fff0
to
5436a78
Compare
pdobb
force-pushed
the
introduce_a_gem_security_vulnerability
branch
2 times, most recently
from
75876d2
to
a8a6a88
Compare
| @@ -170,6 +170,7 @@ GEM | |||
| websocket-driver (0.7.1) | |||
| websocket-extensions (>= 0.1.0) | |||
| websocket-extensions (0.1.4) | |||
| yard (0.9.19) | |||
There was a problem hiding this comment.
Name: yard
Version: 0.9.19
Advisory:
Criticality: Unknown
URL: GHSA-xfhh-rx56-rxcr
Title: Possible arbitrary path traversal and file access via yard server
Solution: Upgrade to >= 0.9.20.
pdobb
force-pushed
the
introduce_a_gem_security_vulnerability
branch
from
a8a6a88
to
b3ed463
Compare
Yard v0.9.19 has a known security vulnerability. Making a pull request on this commit should invoke the needed test. Update pronto-bundler_audit version as well to try to get working functionality.
pdobb
force-pushed
the
introduce_a_gem_security_vulnerability
branch
from
b3ed463
to
429cbd9
Compare
| @@ -170,6 +176,7 @@ GEM | |||
| websocket-driver (0.7.1) | |||
| websocket-extensions (>= 0.1.0) | |||
| websocket-extensions (0.1.4) | |||
There was a problem hiding this comment.
Name: loofah
Version: 2.2.3
Advisory: CVE-2019-15587
Criticality: Unknown
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: Upgrade to >= 2.3.1.
| @@ -170,6 +176,7 @@ GEM | |||
| websocket-driver (0.7.1) | |||
| websocket-extensions (>= 0.1.0) | |||
| websocket-extensions (0.1.4) | |||
| yard (0.9.19) | |||
|
|
|||
There was a problem hiding this comment.
Name: nokogiri
Version: 1.10.3
Advisory: CVE-2019-5477
Criticality: High
URL: sparklemotion/nokogiri#1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: Upgrade to >= 1.10.4.
| @@ -170,6 +176,7 @@ GEM | |||
| websocket-driver (0.7.1) | |||
| websocket-extensions (>= 0.1.0) | |||
| websocket-extensions (0.1.4) | |||
| yard (0.9.19) | |||
There was a problem hiding this comment.
Name: yard
Version: 0.9.19
Advisory: CVE-2019-1020001
Criticality: Unknown
URL: GHSA-xfhh-rx56-rxcr
Title: Arbitrary path traversal and file access via yard server
Solution: Upgrade to >= 0.9.20.
|
Merged because to do a proper test I need a commit that doesn't, itself, include any changes to Gemfile.lock. |
Yard v0.9.19 has a known security vulnerability.
Making a pull request on this commit should invoke the needed
test.