From cc891e466133a7f2ff2d8460869de8d203e1fb2a Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Wed, 14 Dec 2022 08:49:32 -0800 Subject: [PATCH 1/2] fix: Gemfile & Gemfile.lock to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-RUBY-LOOFAH-3168317 - https://snyk.io/vuln/SNYK-RUBY-LOOFAH-3168318 - https://snyk.io/vuln/SNYK-RUBY-LOOFAH-3168649 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-3168316 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-3168646 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-3168647 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-3168648 --- Gemfile | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/Gemfile b/Gemfile index cf29c03..c99595b 100644 --- a/Gemfile +++ b/Gemfile @@ -2,20 +2,20 @@ source 'https://rubygems.org' git_source(:github) { |repo| "https://github.com/#{repo}.git" } gem 'twilio-ruby', '~> 5.46' -gem 'dotenv-rails', '~> 2.7.5' +gem 'dotenv-rails', '~> 2.7.6' # Bundle edge Rails instead: gem 'rails', github: 'rails/rails' -gem 'rails', '~> 6.1.3' +gem 'rails', '~> 6.1.3', '>= 6.1.3.1' # Use sqlite3 as the database for Active Record gem 'sqlite3' # Use Puma as the app server gem 'puma', '~> 5.0' # Use SCSS for stylesheets -gem 'sass-rails', '~> 6.0' +gem 'sass-rails', '~> 6.0', '>= 6.0.0' # Use Uglifier as compressor for JavaScript assets gem 'uglifier', '>= 4.2.0' # Use CoffeeScript for .coffee assets and views -gem 'coffee-rails', '~> 5.0' +gem 'coffee-rails', '~> 5.0', '>= 5.0.0' # Turbolinks makes navigating your web application faster. Read more: https://github.com/turbolinks/turbolinks gem 'turbolinks', '~> 5' # Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder @@ -41,7 +41,7 @@ end group :development do # Access an interactive console on exception pages or by calling 'console' anywhere in the code. - gem 'web-console', '>= 4.0.1' + gem 'web-console', '>= 4.1.0' gem 'listen', '~> 3.3' # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring gem 'spring' From ed07f25adabf2ae940d0681c42df6223f6b97c86 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Wed, 14 Dec 2022 08:49:33 -0800 Subject: [PATCH 2/2] fix: Gemfile & Gemfile.lock to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-RUBY-LOOFAH-3168317 - https://snyk.io/vuln/SNYK-RUBY-LOOFAH-3168318 - https://snyk.io/vuln/SNYK-RUBY-LOOFAH-3168649 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-3168316 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-3168646 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-3168647 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-3168648 --- Gemfile.lock | 209 ++++++++++++++++++++++++++++----------------------- 1 file changed, 114 insertions(+), 95 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 58f9cc8..cd1c8e9 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,60 +1,60 @@ GEM remote: https://rubygems.org/ specs: - actioncable (6.1.3.1) - actionpack (= 6.1.3.1) - activesupport (= 6.1.3.1) + actioncable (6.1.7) + actionpack (= 6.1.7) + activesupport (= 6.1.7) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailbox (6.1.3.1) - actionpack (= 6.1.3.1) - activejob (= 6.1.3.1) - activerecord (= 6.1.3.1) - activestorage (= 6.1.3.1) - activesupport (= 6.1.3.1) + actionmailbox (6.1.7) + actionpack (= 6.1.7) + activejob (= 6.1.7) + activerecord (= 6.1.7) + activestorage (= 6.1.7) + activesupport (= 6.1.7) mail (>= 2.7.1) - actionmailer (6.1.3.1) - actionpack (= 6.1.3.1) - actionview (= 6.1.3.1) - activejob (= 6.1.3.1) - activesupport (= 6.1.3.1) + actionmailer (6.1.7) + actionpack (= 6.1.7) + actionview (= 6.1.7) + activejob (= 6.1.7) + activesupport (= 6.1.7) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 2.0) - actionpack (6.1.3.1) - actionview (= 6.1.3.1) - activesupport (= 6.1.3.1) + actionpack (6.1.7) + actionview (= 6.1.7) + activesupport (= 6.1.7) rack (~> 2.0, >= 2.0.9) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.2.0) - actiontext (6.1.3.1) - actionpack (= 6.1.3.1) - activerecord (= 6.1.3.1) - activestorage (= 6.1.3.1) - activesupport (= 6.1.3.1) + actiontext (6.1.7) + actionpack (= 6.1.7) + activerecord (= 6.1.7) + activestorage (= 6.1.7) + activesupport (= 6.1.7) nokogiri (>= 1.8.5) - actionview (6.1.3.1) - activesupport (= 6.1.3.1) + actionview (6.1.7) + activesupport (= 6.1.7) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.1, >= 1.2.0) - activejob (6.1.3.1) - activesupport (= 6.1.3.1) + activejob (6.1.7) + activesupport (= 6.1.7) globalid (>= 0.3.6) - activemodel (6.1.3.1) - activesupport (= 6.1.3.1) - activerecord (6.1.3.1) - activemodel (= 6.1.3.1) - activesupport (= 6.1.3.1) - activestorage (6.1.3.1) - actionpack (= 6.1.3.1) - activejob (= 6.1.3.1) - activerecord (= 6.1.3.1) - activesupport (= 6.1.3.1) - marcel (~> 1.0.0) - mini_mime (~> 1.0.2) - activesupport (6.1.3.1) + activemodel (6.1.7) + activesupport (= 6.1.7) + activerecord (6.1.7) + activemodel (= 6.1.7) + activesupport (= 6.1.7) + activestorage (6.1.7) + actionpack (= 6.1.7) + activejob (= 6.1.7) + activerecord (= 6.1.7) + activesupport (= 6.1.7) + marcel (~> 1.0) + mini_mime (>= 1.1.0) + activesupport (6.1.7) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 1.6, < 2) minitest (>= 5.1) @@ -73,23 +73,24 @@ GEM coffee-script-source execjs coffee-script-source (1.12.2) - concurrent-ruby (1.1.8) + concurrent-ruby (1.1.10) crass (1.0.6) + date (3.3.1) dotenv (2.7.6) dotenv-rails (2.7.6) dotenv (= 2.7.6) railties (>= 3.2) - erubi (1.10.0) - execjs (2.7.0) + erubi (1.11.0) + execjs (2.8.1) faraday (1.3.0) faraday-net_http (~> 1.0) multipart-post (>= 1.2, < 3) ruby2_keywords faraday-net_http (1.0.1) - ffi (1.15.0) - globalid (0.4.2) - activesupport (>= 4.2.0) - i18n (1.8.10) + ffi (1.15.5) + globalid (1.0.0) + activesupport (>= 5.0) + i18n (1.12.0) concurrent-ruby (~> 1.0) jbuilder (2.11.2) activesupport (>= 5.0.0) @@ -97,56 +98,72 @@ GEM listen (3.5.1) rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) - loofah (2.9.0) + loofah (2.19.1) crass (~> 1.0.2) nokogiri (>= 1.5.9) - mail (2.7.1) + mail (2.8.0) mini_mime (>= 0.1.1) - marcel (1.0.1) + net-imap + net-pop + net-smtp + marcel (1.0.2) method_source (1.0.0) - mini_mime (1.0.3) - minitest (5.14.4) + mini_mime (1.1.2) + mini_portile2 (2.8.0) + minitest (5.16.3) minitest-stub_any_instance (1.0.2) msgpack (1.4.2) multipart-post (2.1.1) - nio4r (2.5.7) - nokogiri (1.11.2-x86_64-darwin) + net-imap (0.3.2) + date + net-protocol + net-pop (0.1.2) + net-protocol + net-protocol (0.2.1) + timeout + net-smtp (0.3.3) + net-protocol + nio4r (2.5.8) + nokogiri (1.13.10) + mini_portile2 (~> 2.8.0) + racc (~> 1.4) + nokogiri (1.13.10-x86_64-darwin) racc (~> 1.4) puma (5.2.2) nio4r (~> 2.0) - racc (1.5.2) - rack (2.2.3) - rack-proxy (0.6.5) + racc (1.6.1) + rack (2.2.4) + rack-proxy (0.7.4) rack - rack-test (1.1.0) - rack (>= 1.0, < 3) - rails (6.1.3.1) - actioncable (= 6.1.3.1) - actionmailbox (= 6.1.3.1) - actionmailer (= 6.1.3.1) - actionpack (= 6.1.3.1) - actiontext (= 6.1.3.1) - actionview (= 6.1.3.1) - activejob (= 6.1.3.1) - activemodel (= 6.1.3.1) - activerecord (= 6.1.3.1) - activestorage (= 6.1.3.1) - activesupport (= 6.1.3.1) + rack-test (2.0.2) + rack (>= 1.3) + rails (6.1.7) + actioncable (= 6.1.7) + actionmailbox (= 6.1.7) + actionmailer (= 6.1.7) + actionpack (= 6.1.7) + actiontext (= 6.1.7) + actionview (= 6.1.7) + activejob (= 6.1.7) + activemodel (= 6.1.7) + activerecord (= 6.1.7) + activestorage (= 6.1.7) + activesupport (= 6.1.7) bundler (>= 1.15.0) - railties (= 6.1.3.1) + railties (= 6.1.7) sprockets-rails (>= 2.0.0) rails-dom-testing (2.0.3) activesupport (>= 4.2.0) nokogiri (>= 1.6) - rails-html-sanitizer (1.3.0) - loofah (~> 2.3) - railties (6.1.3.1) - actionpack (= 6.1.3.1) - activesupport (= 6.1.3.1) + rails-html-sanitizer (1.4.4) + loofah (~> 2.19, >= 2.19.1) + railties (6.1.7) + actionpack (= 6.1.7) + activesupport (= 6.1.7) method_source - rake (>= 0.8.7) + rake (>= 12.2) thor (~> 1.0) - rake (13.0.3) + rake (13.0.6) rb-fsevent (0.10.4) rb-inotify (0.10.1) ffi (~> 1.0) @@ -166,16 +183,17 @@ GEM spring-watcher-listen (2.0.1) listen (>= 2.7, < 4.0) spring (>= 1.2, < 3.0) - sprockets (4.0.2) + sprockets (4.1.1) concurrent-ruby (~> 1.0) rack (> 1, < 3) - sprockets-rails (3.2.2) - actionpack (>= 4.0) - activesupport (>= 4.0) + sprockets-rails (3.4.2) + actionpack (>= 5.2) + activesupport (>= 5.2) sprockets (>= 3.0.0) sqlite3 (1.4.2) - thor (1.1.0) - tilt (2.0.10) + thor (1.2.1) + tilt (2.0.11) + timeout (0.3.1) turbolinks (5.2.1) turbolinks-source (~> 5.2) turbolinks-source (5.2.0) @@ -183,40 +201,41 @@ GEM faraday (>= 0.9, < 2.0) jwt (>= 1.5, <= 2.5) nokogiri (>= 1.6, < 2.0) - tzinfo (2.0.4) + tzinfo (2.0.5) concurrent-ruby (~> 1.0) uglifier (4.2.0) execjs (>= 0.3.0, < 3) - web-console (4.1.0) + web-console (4.2.0) actionview (>= 6.0.0) activemodel (>= 6.0.0) bindex (>= 0.4.0) railties (>= 6.0.0) - webpacker (5.2.1) + webpacker (5.4.3) activesupport (>= 5.2) rack-proxy (>= 0.6.1) railties (>= 5.2) semantic_range (>= 2.3.0) - websocket-driver (0.7.3) + websocket-driver (0.7.5) websocket-extensions (>= 0.1.0) websocket-extensions (0.1.5) - zeitwerk (2.4.2) + zeitwerk (2.6.6) PLATFORMS + ruby x86_64-darwin-19 DEPENDENCIES bcrypt (~> 3.1.13) bootsnap (>= 1.4.6) byebug - coffee-rails (~> 5.0) - dotenv-rails (~> 2.7.5) + coffee-rails (~> 5.0, >= 5.0.0) + dotenv-rails (~> 2.7.6) jbuilder (~> 2.10) listen (~> 3.3) minitest-stub_any_instance puma (~> 5.0) - rails (~> 6.1.3) - sass-rails (~> 6.0) + rails (~> 6.1.3, >= 6.1.3.1) + sass-rails (~> 6.0, >= 6.0.0) spring spring-watcher-listen (~> 2.0.1) sqlite3 @@ -224,8 +243,8 @@ DEPENDENCIES twilio-ruby (~> 5.46) tzinfo-data uglifier (>= 4.2.0) - web-console (>= 4.0.1) + web-console (>= 4.1.0) webpacker BUNDLED WITH - 2.2.13 + 2.1.4