authorGannon McGibbon <gannon.mcgibbon@gmail.com>2018-11-06 14:17:23 -0500
committerGannon McGibbon <gannon.mcgibbon@gmail.com>2018-11-06 14:25:36 -0500
commit1c11688b5624394c3792d1bb37599fd1e3452c9c (patch)
treea269734b95d9c887f4c7d7ba441f2e8787852938
parent212c28ac86fec0f2baf57fbc21ceb8696092fe47 (diff)
downloadrails-1c11688b5624394c3792d1bb37599fd1e3452c9c.tar.gz
rails-1c11688b5624394c3792d1bb37599fd1e3452c9c.tar.bz2
rails-1c11688b5624394c3792d1bb37599fd1e3452c9c.zip
Add CVE note to security guide and gemspecs
[ci skip]
-rw-r--r--actioncable/actioncable.gemspec3
-rw-r--r--actionmailer/actionmailer.gemspec3
-rw-r--r--actionpack/actionpack.gemspec3
-rw-r--r--actionview/actionview.gemspec3
-rw-r--r--activejob/activejob.gemspec3
-rw-r--r--activemodel/activemodel.gemspec3
-rw-r--r--activerecord/activerecord.gemspec3
-rw-r--r--activestorage/activestorage.gemspec3
-rw-r--r--activesupport/activesupport.gemspec3
-rw-r--r--guides/source/security.md5
-rw-r--r--railties/railties.gemspec3
11 files changed, 35 insertions, 0 deletions
diff --git a/actioncable/actioncable.gemspec b/actioncable/actioncable.gemspec
index 137fa64431..f4af0330d7 100644
--- a/actioncable/actioncable.gemspec
+++ b/actioncable/actioncable.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "actioncable"
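Review bot: The new comment on lines 2-3 tells users to run `bundle update vulnerable_gem`, while the security guide text added in this same commit recommends `bundle update --conservative gem_name`; without `--conservative` Bundler may also bump the gem's shared dependencies, so the two recommendations are not equivalent and the guide's form is the safer one to point people at. Suggest changing the comment to read `bundle update --conservative vulnerable_gem` so the gemspec and the guide agree. "minor releases" here presumably means Rails point/patch releases rather than the SemVer minor series — if so, "patch releases" would be less ambiguous. The identical comment is added to each of the other gemspecs in this commit and should be adjusted in the same way.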
diff --git a/actionmailer/actionmailer.gemspec b/actionmailer/actionmailer.gemspec
index f2fb160bdd..efcdcf019a 100644
--- a/actionmailer/actionmailer.gemspec
+++ b/actionmailer/actionmailer.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "actionmailer"
diff --git a/actionpack/actionpack.gemspec b/actionpack/actionpack.gemspec
index 1dc8abf746..4b9c729955 100644
--- a/actionpack/actionpack.gemspec
+++ b/actionpack/actionpack.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "actionpack"
diff --git a/actionview/actionview.gemspec b/actionview/actionview.gemspec
index 49ee1a292b..938d8b4b90 100644
--- a/actionview/actionview.gemspec
+++ b/actionview/actionview.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "actionview"
diff --git a/activejob/activejob.gemspec b/activejob/activejob.gemspec
index be6292f737..cc27deb338 100644
--- a/activejob/activejob.gemspec
+++ b/activejob/activejob.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activejob"
diff --git a/activemodel/activemodel.gemspec b/activemodel/activemodel.gemspec
index 7be466dc4c..22ca37071c 100644
--- a/activemodel/activemodel.gemspec
+++ b/activemodel/activemodel.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activemodel"
diff --git a/activerecord/activerecord.gemspec b/activerecord/activerecord.gemspec
index a857d00c05..2c049f21ea 100644
--- a/activerecord/activerecord.gemspec
+++ b/activerecord/activerecord.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activerecord"
diff --git a/activestorage/activestorage.gemspec b/activestorage/activestorage.gemspec
index cb1bb00a25..0b879e270c 100644
--- a/activestorage/activestorage.gemspec
+++ b/activestorage/activestorage.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activestorage"
diff --git a/activesupport/activesupport.gemspec b/activesupport/activesupport.gemspec
index aa695c98b2..75b38f3552 100644
--- a/activesupport/activesupport.gemspec
+++ b/activesupport/activesupport.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activesupport"
diff --git a/guides/source/security.md b/guides/source/security.md
index bb996cc39c..66b922ea35 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -1235,6 +1235,11 @@ version:
Rails.application.credentials.some_api_key! # => raises KeyError: :some_api_key is blank
```
+Dependency Management and CVEs
+------------------------------
+
+Please note that we do not accept patches for CVE version bumps. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
+
Additional Resources
--------------------
diff --git a/railties/railties.gemspec b/railties/railties.gemspec
index 6fdb4648c2..98155a35e3 100644
--- a/railties/railties.gemspec
+++ b/railties/railties.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "railties"