I have been receiving messages that GitHub found a known dependency vulnerability in my Gemfile.lock, namely loofah (2.0.3) and Nokogiri (1.7.0.1), but these gems are dependencies I did not specifically ask for in my Gemfile (other gems depend on them), so what can I do?
In your Gemfile.lock, you can see which one of your dependencies pulls in those libraries, and what their version constraint is.

    rails-html-sanitizer (1.0.3)
      loofah (~> 2.0)

With Rails, loofah is required by rails-html-sanitizer and the version must just be greater than 2.0. If a version is locked, the Gemfile.lock will read = 2.0.

Since it is not locked, you can use bundle update loofah to install a more recent version that does not suffer from the security vulnerability. Or bundle update if you want to update all gems.

Should a version be locked, you have to check if the gem that declares the dependency has a newer version that updates its locked dependency (e.g. a new version of rails-html-sanitizer that updates loofah). With security issues, these updates normally happen pretty quickly. You would then update rails-html-sanitizer to get a new version of loofah.
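The check the answer above describes (read Gemfile.lock, find which gem pulls in the vulnerable dependency, and see whether its constraint would let bundle update reach a fixed version) can be automated. The script below is an added example, not code from the original question or answer. It uses a constructed Gemfile.lock fragment whose gem names and versions are illustrative; the parser is a small hand-written one for the specs: block, and the constraint check relies only on Gem::Requirement and Gem::Version, which ship with Ruby's rubygems.

```ruby
# Added example (not from the original answer): parse the GEM/specs: block of
# a Gemfile.lock, report which gems depend on a given gem and with what
# constraint, and check whether `bundle update <gem>` could move to a given
# fixed version without first updating the gems that declare the constraint.
require "rubygems"

# Constructed sample lockfile fragment, shaped like the GEM section of a real
# Gemfile.lock. The gems and versions are illustrative only.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.0.3)
        nokogiri (>= 1.5.9)
      mini_portile2 (2.1.0)
      nokogiri (1.7.0.1)
        mini_portile2 (~> 2.1.0)
      rails-html-sanitizer (1.0.3)
        loofah (~> 2.0)
      some-pinned-gem (0.1.0)
        loofah (= 2.0.3)
LOCK

# Parse the specs: block into
#   { "gem" => { version: "x.y.z", deps: { "dep" => "constraint or nil" } } }
# Spec lines sit at 4 spaces of indentation, their dependencies at 6.
def parse_lockfile_specs(text)
  specs = {}
  current = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line =~ /^  specs:$/
      in_specs = true
      next
    end
    next unless in_specs
    # A blank line or a new top-level section (PLATFORMS, DEPENDENCIES, ...)
    # ends the specs block.
    break if line.strip.empty? || line !~ /^ /
    if (m = line.match(/^    (\S+) \(([^)]+)\)$/))
      current = m[1]
      specs[current] = { version: m[2], deps: {} }
    elsif current && (m = line.match(/^      (\S+)(?: \(([^)]+)\))?$/))
      specs[current][:deps][m[1]] = m[2] # nil when no constraint is declared
    end
  end
  specs
end

# Which gems depend on gem_name, and with what constraint?
# Returns [[dependant_name, constraint_or_nil], ...] in lockfile order.
def dependants_of(specs, gem_name)
  specs.select { |_, s| s[:deps].key?(gem_name) }
       .map { |name, s| [name, s[:deps][gem_name]] }
end

# Dependants whose declared constraint rejects `candidate`. These are the gems
# that must be updated first before `bundle update gem_name` can reach it.
def blocking_dependants(specs, gem_name, candidate)
  version = Gem::Version.new(candidate)
  dependants_of(specs, gem_name).reject do |_, constraint|
    constraint.nil? || Gem::Requirement.new(constraint).satisfied_by?(version)
  end.map(&:first)
end

# True when every constraint on gem_name accepts `candidate`, i.e. a plain
# `bundle update gem_name` can move to it.
def update_allowed?(specs, gem_name, candidate)
  blocking_dependants(specs, gem_name, candidate).empty?
end

if __FILE__ == $PROGRAM_NAME
  specs = parse_lockfile_specs(SAMPLE_LOCK)
  { "loofah" => "2.2.3", "nokogiri" => "1.8.1" }.each do |gem_name, fixed|
    puts "#{gem_name} (#{specs[gem_name][:version]}) is required by:"
    dependants_of(specs, gem_name).each { |d, c| puts "  #{d} (#{c || 'no constraint'})" }
    blockers = blocking_dependants(specs, gem_name, fixed)
    if blockers.empty?
      puts "  bundle update #{gem_name} can reach #{fixed}"
    else
      puts "  #{fixed} is blocked by: #{blockers.join(', ')} (update those first)"
    end
  end
end
```

For a real project, Bundler itself exposes the same data through Bundler::LockfileParser (each spec has name, version and dependencies), so the hand parser above can be swapped for that once you are running inside a bundle; the Gem::Requirement check stays the same. Note that a pessimistic constraint such as ~> 2.0 accepts 2.x releases but not 3.0, so a fix that only lands in a new major version is blocked just like a pinned one.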