author | Kasper Timm Hansen <kaspth@gmail.com> | 2018-11-06 22:42:07 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-11-06 22:42:07 +0100 |
commit | bb11a9acab15b87d6074fb6af9405287942a7eee (patch) | |
tree | a269734b95d9c887f4c7d7ba441f2e8787852938 /guides | |
parent | 212c28ac86fec0f2baf57fbc21ceb8696092fe47 (diff) | |
parent | 1c11688b5624394c3792d1bb37599fd1e3452c9c (diff) | |
download | rails-bb11a9acab15b87d6074fb6af9405287942a7eee.tar.gz rails-bb11a9acab15b87d6074fb6af9405287942a7eee.tar.bz2 rails-bb11a9acab15b87d6074fb6af9405287942a7eee.zip |
Merge pull request #34388 from gmcgibbon/gem_security_note
Add CVE note to security guide and gemspecs
Diffstat (limited to 'guides')
-rw-r--r-- | guides/source/security.md | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/guides/source/security.md b/guides/source/security.md index bb996cc39c..66b922ea35 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -1235,6 +1235,11 @@ version: Rails.application.credentials.some_api_key! # => raises KeyError: :some_api_key is blank ``` +Dependency Management and CVEs +------------------------------ + +Please note that we do not accept patches for CVE version bumps. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies. + Additional Resources -------------------- |
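Review bot: the new "Dependency Management and CVEs" paragraph in `guides/source/security.md` recommends `bundle update --conservative gem_name` without saying what `--conservative` does, so a reader cannot tell why it is the safe choice; add a clause stating that the flag updates only the named gem and leaves its shared dependencies at the versions already locked in `Gemfile.lock`, which is what keeps a CVE fix from turning into an unrelated upgrade. The opening sentence `Please note that we do not accept patches for CVE version bumps.` is also ambiguous about what is being bumped; since the PR title refers to gemspecs, say explicitly that Rails will not raise the minimum version of a dependency in its gemspecs in response to a CVE, and that application owners must update the gem in their own bundle instead.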