aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--actioncable/actioncable.gemspec6
-rw-r--r--actionmailer/actionmailer.gemspec6
-rw-r--r--actionpack/actionpack.gemspec6
-rw-r--r--actionview/actionview.gemspec6
-rw-r--r--activejob/activejob.gemspec6
-rw-r--r--activemodel/activemodel.gemspec6
-rw-r--r--activerecord/activerecord.gemspec6
-rw-r--r--activestorage/activestorage.gemspec6
-rw-r--r--activesupport/activesupport.gemspec6
-rw-r--r--guides/source/security.md2
-rw-r--r--railties/railties.gemspec6
11 files changed, 31 insertions, 31 deletions
diff --git a/actioncable/actioncable.gemspec b/actioncable/actioncable.gemspec
index f4af0330d7..31c6fb41f2 100644
--- a/actioncable/actioncable.gemspec
+++ b/actioncable/actioncable.gemspec
@@ -2,9 +2,6 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "actioncable"
@@ -28,6 +25,9 @@ Gem::Specification.new do |s|
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/actioncable/CHANGELOG.md"
}
+ # NOTE: Please read our dependency guidelines before updating versions:
+ # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
s.add_dependency "actionpack", version
s.add_dependency "nio4r", "~> 2.0"
diff --git a/actionmailer/actionmailer.gemspec b/actionmailer/actionmailer.gemspec
index efcdcf019a..6f8d6d0699 100644
--- a/actionmailer/actionmailer.gemspec
+++ b/actionmailer/actionmailer.gemspec
@@ -2,9 +2,6 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "actionmailer"
@@ -29,6 +26,9 @@ Gem::Specification.new do |s|
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/actionmailer/CHANGELOG.md"
}
+ # NOTE: Please read our dependency guidelines before updating versions:
+ # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
s.add_dependency "actionpack", version
s.add_dependency "actionview", version
s.add_dependency "activejob", version
diff --git a/actionpack/actionpack.gemspec b/actionpack/actionpack.gemspec
index 4b9c729955..ec56de18f1 100644
--- a/actionpack/actionpack.gemspec
+++ b/actionpack/actionpack.gemspec
@@ -2,9 +2,6 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "actionpack"
@@ -29,6 +26,9 @@ Gem::Specification.new do |s|
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/actionpack/CHANGELOG.md"
}
+ # NOTE: Please read our dependency guidelines before updating versions:
+ # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
s.add_dependency "activesupport", version
s.add_dependency "rack", "~> 2.0"
diff --git a/actionview/actionview.gemspec b/actionview/actionview.gemspec
index 938d8b4b90..5f1e746421 100644
--- a/actionview/actionview.gemspec
+++ b/actionview/actionview.gemspec
@@ -2,9 +2,6 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "actionview"
@@ -29,6 +26,9 @@ Gem::Specification.new do |s|
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/actionview/CHANGELOG.md"
}
+ # NOTE: Please read our dependency guidelines before updating versions:
+ # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
s.add_dependency "activesupport", version
s.add_dependency "builder", "~> 3.1"
diff --git a/activejob/activejob.gemspec b/activejob/activejob.gemspec
index cc27deb338..cd7ac210ec 100644
--- a/activejob/activejob.gemspec
+++ b/activejob/activejob.gemspec
@@ -2,9 +2,6 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activejob"
@@ -28,6 +25,9 @@ Gem::Specification.new do |s|
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/activejob/CHANGELOG.md"
}
+ # NOTE: Please read our dependency guidelines before updating versions:
+ # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
s.add_dependency "activesupport", version
s.add_dependency "globalid", ">= 0.3.6"
end
diff --git a/activemodel/activemodel.gemspec b/activemodel/activemodel.gemspec
index 22ca37071c..493fca698a 100644
--- a/activemodel/activemodel.gemspec
+++ b/activemodel/activemodel.gemspec
@@ -2,9 +2,6 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activemodel"
@@ -28,5 +25,8 @@ Gem::Specification.new do |s|
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/activemodel/CHANGELOG.md"
}
+ # NOTE: Please read our dependency guidelines before updating versions:
+ # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
s.add_dependency "activesupport", version
end
diff --git a/activerecord/activerecord.gemspec b/activerecord/activerecord.gemspec
index 2c049f21ea..bcdd82052c 100644
--- a/activerecord/activerecord.gemspec
+++ b/activerecord/activerecord.gemspec
@@ -2,9 +2,6 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activerecord"
@@ -31,6 +28,9 @@ Gem::Specification.new do |s|
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/activerecord/CHANGELOG.md"
}
+ # NOTE: Please read our dependency guidelines before updating versions:
+ # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
s.add_dependency "activesupport", version
s.add_dependency "activemodel", version
end
diff --git a/activestorage/activestorage.gemspec b/activestorage/activestorage.gemspec
index 0b879e270c..2c8816df25 100644
--- a/activestorage/activestorage.gemspec
+++ b/activestorage/activestorage.gemspec
@@ -2,9 +2,6 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activestorage"
@@ -28,6 +25,9 @@ Gem::Specification.new do |s|
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/activestorage/CHANGELOG.md"
}
+ # NOTE: Please read our dependency guidelines before updating versions:
+ # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
s.add_dependency "actionpack", version
s.add_dependency "activerecord", version
diff --git a/activesupport/activesupport.gemspec b/activesupport/activesupport.gemspec
index 75b38f3552..448a2eeebb 100644
--- a/activesupport/activesupport.gemspec
+++ b/activesupport/activesupport.gemspec
@@ -2,9 +2,6 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "activesupport"
@@ -30,6 +27,9 @@ Gem::Specification.new do |s|
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/activesupport/CHANGELOG.md"
}
+ # NOTE: Please read our dependency guidelines before updating versions:
+ # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
s.add_dependency "i18n", ">= 0.7", "< 2"
s.add_dependency "tzinfo", "~> 1.1"
s.add_dependency "minitest", "~> 5.1"
diff --git a/guides/source/security.md b/guides/source/security.md
index 66b922ea35..dbec3cdd2d 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -1238,7 +1238,7 @@ Rails.application.credentials.some_api_key! # => raises KeyError: :some_api_key
Dependency Management and CVEs
------------------------------
-Please note that we do not accept patches for CVE version bumps. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
+We don’t bump dependencies just to encourage use of new versions, including for security issues. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
Additional Resources
--------------------
diff --git a/railties/railties.gemspec b/railties/railties.gemspec
index 98155a35e3..4e4a504c97 100644
--- a/railties/railties.gemspec
+++ b/railties/railties.gemspec
@@ -2,9 +2,6 @@
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
-# NOTE: There's no need to update dependencies for CVEs in minor
-# releases when users can simply run `bundle update vulnerable_gem`.
-
Gem::Specification.new do |s|
s.platform = Gem::Platform::RUBY
s.name = "railties"
@@ -33,6 +30,9 @@ Gem::Specification.new do |s|
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/railties/CHANGELOG.md"
}
+ # NOTE: Please read our dependency guidelines before updating versions:
+ # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
+
s.add_dependency "activesupport", version
s.add_dependency "actionpack", version