aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--actioncable/actioncable.gemspec3
-rw-r--r--actionmailer/actionmailer.gemspec3
-rw-r--r--actionpack/actionpack.gemspec3
-rw-r--r--actionview/actionview.gemspec3
-rw-r--r--activejob/activejob.gemspec3
-rw-r--r--activemodel/activemodel.gemspec3
-rw-r--r--activerecord/activerecord.gemspec3
-rw-r--r--activestorage/activestorage.gemspec3
-rw-r--r--activesupport/activesupport.gemspec3
-rw-r--r--guides/source/security.md5
-rw-r--r--railties/railties.gemspec3
11 files changed, 35 insertions, 0 deletions
diff --git a/actioncable/actioncable.gemspec b/actioncable/actioncable.gemspec
index 137fa64431..f4af0330d7 100644
--- a/actioncable/actioncable.gemspec
+++ b/actioncable/actioncable.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "actioncable"
diff --git a/actionmailer/actionmailer.gemspec b/actionmailer/actionmailer.gemspec
index f2fb160bdd..efcdcf019a 100644
--- a/actionmailer/actionmailer.gemspec
+++ b/actionmailer/actionmailer.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "actionmailer"
diff --git a/actionpack/actionpack.gemspec b/actionpack/actionpack.gemspec
index 1dc8abf746..4b9c729955 100644
--- a/actionpack/actionpack.gemspec
+++ b/actionpack/actionpack.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "actionpack"
diff --git a/actionview/actionview.gemspec b/actionview/actionview.gemspec
index 49ee1a292b..938d8b4b90 100644
--- a/actionview/actionview.gemspec
+++ b/actionview/actionview.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "actionview"
diff --git a/activejob/activejob.gemspec b/activejob/activejob.gemspec
index be6292f737..cc27deb338 100644
--- a/activejob/activejob.gemspec
+++ b/activejob/activejob.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activejob"
diff --git a/activemodel/activemodel.gemspec b/activemodel/activemodel.gemspec
index 7be466dc4c..22ca37071c 100644
--- a/activemodel/activemodel.gemspec
+++ b/activemodel/activemodel.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activemodel"
diff --git a/activerecord/activerecord.gemspec b/activerecord/activerecord.gemspec
index a857d00c05..2c049f21ea 100644
--- a/activerecord/activerecord.gemspec
+++ b/activerecord/activerecord.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activerecord"
diff --git a/activestorage/activestorage.gemspec b/activestorage/activestorage.gemspec
index cb1bb00a25..0b879e270c 100644
--- a/activestorage/activestorage.gemspec
+++ b/activestorage/activestorage.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activestorage"
diff --git a/activesupport/activesupport.gemspec b/activesupport/activesupport.gemspec
index aa695c98b2..75b38f3552 100644
--- a/activesupport/activesupport.gemspec
+++ b/activesupport/activesupport.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activesupport"
diff --git a/guides/source/security.md b/guides/source/security.md
index bb996cc39c..66b922ea35 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -1235,6 +1235,11 @@ version:
Rails.application.credentials.some_api_key! # => raises KeyError: :some_api_key is blank
```
+Dependency Management and CVEs
+------------------------------
+
+Please note that we do not accept patches for CVE version bumps. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
+
Additional Resources
--------------------
diff --git a/railties/railties.gemspec b/railties/railties.gemspec
index 6fdb4648c2..98155a35e3 100644
--- a/railties/railties.gemspec
+++ b/railties/railties.gemspec
@@ -2,6 +2,9 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
+# NOTE: There's no need to update dependencies for CVEs in minor
+# releases when users can simply run `bundle update vulnerable_gem`.
+
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "railties"