aboutsummaryrefslogtreecommitdiffstats
path: root/guides/source/security.md
diff options
context:
space:
mode:
authorGannon McGibbon <gannon.mcgibbon@gmail.com>2018-11-06 14:17:23 -0500
committerGannon McGibbon <gannon.mcgibbon@gmail.com>2018-11-06 14:25:36 -0500
commit1c11688b5624394c3792d1bb37599fd1e3452c9c (patch)
treea269734b95d9c887f4c7d7ba441f2e8787852938 /guides/source/security.md
parent212c28ac86fec0f2baf57fbc21ceb8696092fe47 (diff)
downloadrails-1c11688b5624394c3792d1bb37599fd1e3452c9c.tar.gz
rails-1c11688b5624394c3792d1bb37599fd1e3452c9c.tar.bz2
rails-1c11688b5624394c3792d1bb37599fd1e3452c9c.zip
Add CVE note to security guide and gemspecs
[ci skip]
Diffstat (limited to 'guides/source/security.md')
-rw-r--r--guides/source/security.md5
1 files changed, 5 insertions, 0 deletions
diff --git a/guides/source/security.md b/guides/source/security.md
index bb996cc39c..66b922ea35 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -1235,6 +1235,11 @@ version:
Rails.application.credentials.some_api_key! # => raises KeyError: :some_api_key is blank
```
+Dependency Management and CVEs
+------------------------------
+
+Please note that we do not accept patches for CVE version bumps. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
+
Additional Resources
--------------------