Add CVE note to security guide and gemspecs

[ci skip]
author: Gannon McGibbon <gannon.mcgibbon@gmail.com> 2018-11-06 14:17:23 -0500
committer: Gannon McGibbon <gannon.mcgibbon@gmail.com> 2018-11-06 14:25:36 -0500
commit: 1c11688b5624394c3792d1bb37599fd1e3452c9c (patch)
tree: a269734b95d9c887f4c7d7ba441f2e8787852938 /activejob/activejob.gemspec
parent: 212c28ac86fec0f2baf57fbc21ceb8696092fe47 (diff)
download: rails-1c11688b5624394c3792d1bb37599fd1e3452c9c.tar.gz
rails-1c11688b5624394c3792d1bb37599fd1e3452c9c.tar.bz2
rails-1c11688b5624394c3792d1bb37599fd1e3452c9c.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/activejob/activejob.gemspec b/activejob/activejob.gemspec
index be6292f737..cc27deb338 100644
--- a/activejob/activejob.gemspec
+++ b/activejob/activejob.gemspec
@@ -2,6 +2,9 @@
 
 version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
 
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
 Gem::Specification.new do |s|
   s.platform    = Gem::Platform::RUBY
   s.name        = "activejob"
author	Gannon McGibbon <gannon.mcgibbon@gmail.com>	2018-11-06 14:17:23 -0500
committer	Gannon McGibbon <gannon.mcgibbon@gmail.com>	2018-11-06 14:25:36 -0500
commit	1c11688b5624394c3792d1bb37599fd1e3452c9c (patch)
tree	a269734b95d9c887f4c7d7ba441f2e8787852938 /activejob/activejob.gemspec
parent	212c28ac86fec0f2baf57fbc21ceb8696092fe47 (diff)
download	rails-1c11688b5624394c3792d1bb37599fd1e3452c9c.tar.gz rails-1c11688b5624394c3792d1bb37599fd1e3452c9c.tar.bz2 rails-1c11688b5624394c3792d1bb37599fd1e3452c9c.zip