Revert "Revert "Merge pull request #34387 from yhirano55/rails_info_properties_json""

I reverted the wrong commit. Damn it. This reverts commit f66a977fc7ae30d2a07124ad91924c4ee638a703.
author: Kasper Timm Hansen <kaspth@gmail.com> 2019-01-08 22:19:22 +0100
committer: Kasper Timm Hansen <kaspth@gmail.com> 2019-01-08 22:19:22 +0100
commit: 647d7e61679ac4c28c081532ad0a0d7e1f80482b (patch)
tree: 45c2dc066c3268392e021cf71d65be9d09837d9a /guides
parent: f66a977fc7ae30d2a07124ad91924c4ee638a703 (diff)
download: rails-647d7e61679ac4c28c081532ad0a0d7e1f80482b.tar.gz
rails-647d7e61679ac4c28c081532ad0a0d7e1f80482b.tar.bz2
rails-647d7e61679ac4c28c081532ad0a0d7e1f80482b.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/guides/source/security.md b/guides/source/security.md
index bb996cc39c..dbec3cdd2d 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -1235,6 +1235,11 @@ version:
 Rails.application.credentials.some_api_key! # => raises KeyError: :some_api_key is blank
 ```
 
+Dependency Management and CVEs
+------------------------------
+
+We don’t bump dependencies just to encourage use of new versions, including for security issues. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
+
 Additional Resources
 --------------------
author	Kasper Timm Hansen <kaspth@gmail.com>	2019-01-08 22:19:22 +0100
committer	Kasper Timm Hansen <kaspth@gmail.com>	2019-01-08 22:19:22 +0100
commit	647d7e61679ac4c28c081532ad0a0d7e1f80482b (patch)
tree	45c2dc066c3268392e021cf71d65be9d09837d9a /guides
parent	f66a977fc7ae30d2a07124ad91924c4ee638a703 (diff)
download	rails-647d7e61679ac4c28c081532ad0a0d7e1f80482b.tar.gz rails-647d7e61679ac4c28c081532ad0a0d7e1f80482b.tar.bz2 rails-647d7e61679ac4c28c081532ad0a0d7e1f80482b.zip