From 1c11688b5624394c3792d1bb37599fd1e3452c9c Mon Sep 17 00:00:00 2001 From: Gannon McGibbon Date: Tue, 6 Nov 2018 14:17:23 -0500 Subject: Add CVE note to security guide and gemspecs [ci skip] --- activestorage/activestorage.gemspec | 3 +++ 1 file changed, 3 insertions(+) (limited to 'activestorage/activestorage.gemspec') diff --git a/activestorage/activestorage.gemspec b/activestorage/activestorage.gemspec index cb1bb00a25..0b879e270c 100644 --- a/activestorage/activestorage.gemspec +++ b/activestorage/activestorage.gemspec @@ -2,6 +2,9 @@ version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip +# NOTE: There's no need to update dependencies for CVEs in minor +# releases when users can simply run `bundle update vulnerable_gem`. + Gem::Specification.new do |s| s.platform = Gem::Platform::RUBY s.name = "activestorage" -- cgit v1.2.3 From e74fdbe00cd0f403d34f2bc83eb09e7a5bc56109 Mon Sep 17 00:00:00 2001 From: Gannon McGibbon Date: Tue, 6 Nov 2018 18:05:40 -0500 Subject: Amend CVE note and security guide section wordings Reword first sentence of dep management and CVE section of security guide. Also, reword and move gemspec notes above deps. [ci skip] --- activestorage/activestorage.gemspec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'activestorage/activestorage.gemspec') diff --git a/activestorage/activestorage.gemspec b/activestorage/activestorage.gemspec index 0b879e270c..2c8816df25 100644 --- a/activestorage/activestorage.gemspec +++ b/activestorage/activestorage.gemspec @@ -2,9 +2,6 @@ version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip -# NOTE: There's no need to update dependencies for CVEs in minor -# releases when users can simply run `bundle update vulnerable_gem`. - Gem::Specification.new do |s| s.platform = Gem::Platform::RUBY s.name = "activestorage" @@ -28,6 +25,9 @@ Gem::Specification.new do |s| "changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/activestorage/CHANGELOG.md" } + # NOTE: Please read our dependency guidelines before updating versions: + # https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves + s.add_dependency "actionpack", version s.add_dependency "activerecord", version -- cgit v1.2.3