gemfilelock-updates

[craiglondon]

sinatra@1.4.5 was using rack@1.5.2 which has vulnerabilities (DoS, arbitrary code execution, path traversal)

[samdark]

👍 Would you please add CHANGELOG line? Thanks.

[craiglondon]

@samdark I updated the CHANGELOG file. Sinatra should probably be updated to v4.1, but I am not a Ruby developer and I was having problems updating Sinatra to the higher version

$ /usr/local/Cellar/ruby/3.4.3/bin/bundle install
Bundler 2.6.8 is running, but your lockfile was generated with 1.17.2. Installing Bundler 1.17.2 and restarting using that version.
Fetching gem metadata from https://rubygems.org/.
Fetching bundler 1.17.2
Installing bundler 1.17.2
/Projects/Github/craiglondon--jquery-pjax/vendor/bundle/ruby/3.4.0/gems/bundler-1.17.2/lib/bundler/shared_helpers.rb:272:in 'Bundler::SharedHelpers#search_up': undefined method 'untaint' for an instance of String (NoMethodError)

      current  = File.expand_path(SharedHelpers.pwd).untaint
                                                    ^^^^^^^^
        from /Projects/Github/craiglondon--jquery-pjax/vendor/bundle/ruby/3.4.0/gems/bundler-1.17.2/lib/bundler/shared_helpers.rb:259:in 'Bundler::SharedHelpers#find_file'
        from /Projects/Github/craiglondon--jquery-pjax/vendor/bundle/ruby/3.4.0/gems/bundler-1.17.2/lib/bundler/shared_helpers.rb:251:in 'Bundler::SharedHelpers#find_gemfile'
        from /Projects/Github/craiglondon--jquery-pjax/vendor/bundle/ruby/3.4.0/gems/bundler-1.17.2/lib/bundler/shared_helpers.rb:27:in 'Bundler::SharedHelpers#root'
        from /Projects/Github/craiglondon--jquery-pjax/vendor/bundle/ruby/3.4.0/gems/bundler-1.17.2/lib/bundler.rb:234:in 'Bundler.root'
        from /Projects/Github/craiglondon--jquery-pjax/vendor/bundle/ruby/3.4.0/gems/bundler-1.17.2/lib/bundler.rb:246:in 'Bundler.app_config_path'
        from /Projects/Github/craiglondon--jquery-pjax/vendor/bundle/ruby/3.4.0/gems/bundler-1.17.2/lib/bundler.rb:273:in 'Bundler.settings'
        from /Projects/Github/craiglondon--jquery-pjax/vendor/bundle/ruby/3.4.0/gems/bundler-1.17.2/lib/bundler/feature_flag.rb:21:in 'block in Bundler::FeatureFlag#settings_method'
        from /Projects/Github/craiglondon--jquery-pjax/vendor/bundle/ruby/3.4.0/gems/bundler-1.17.2/lib/bundler/cli.rb:97:in '<class:CLI>'
        from /Projects/Github/craiglondon--jquery-pjax/vendor/bundle/ruby/3.4.0/gems/bundler-1.17.2/lib/bundler/cli.rb:7:in '<module:Bundler>'
        from /Projects/Github/craiglondon--jquery-pjax/vendor/bundle/ruby/3.4.0/gems/bundler-1.17.2/lib/bundler/cli.rb:6:in '<top (required)>'
        from <internal:/usr/local/Cellar/ruby/3.4.3/lib/ruby/3.4.0/rubygems/core_ext/kernel_require.rb>:136:in 'Kernel#require'
        from <internal:/usr/local/Cellar/ruby/3.4.3/lib/ruby/3.4.0/rubygems/core_ext/kernel_require.rb>:136:in 'Kernel#require'
        from /Projects/Github/craiglondon--jquery-pjax/vendor/bundle/ruby/3.4.0/gems/bundler-1.17.2/exe/bundle:23:in 'block in <top (required)>'
        from /Projects/Github/craiglondon--jquery-pjax/vendor/bundle/ruby/3.4.0/gems/bundler-1.17.2/lib/bundler/friendly_errors.rb:124:in 'Bundler.with_friendly_errors'
        from /Projects/Github/craiglondon--jquery-pjax/vendor/bundle/ruby/3.4.0/gems/bundler-1.17.2/exe/bundle:22:in '<top (required)>'
        from /usr/local/Cellar/ruby/3.4.3/bin/bundle:25:in 'Kernel#load'
        from /usr/local/Cellar/ruby/3.4.3/bin/bundle:25:in '<main>'

[samdark]

Thank you!

[Renkas]

could we get this released?

[Renkas]

@samdark can we please get a release with this fix?

Yii2 framework is requiring Pjax. And our container inspection tool is lighting up with a critical vulnerability because of the Rack version used in this package ...

[samdark]

Done.