
Upgrade nokogiri and puma for security (#5820)

* Upgrade nokogiri and puma for security

Solve puma's GHSA-84j7-475p-hp8v vulnerability.
Solve nokogiri's CVE-2020-7595 vulnerability.

* Add changelog entry

* Update CHANGELOG.md

solve double point

Co-Authored-By: Marc Riera <mrc2407@gmail.com>

Co-authored-by: Marc Riera <mrc2407@gmail.com>
tramuntanal and mrcasals committed Mar 4, 2020
1 parent 4fca1d5 commit d32d482b5bae78ab221e37811c117c6fcde0236f
@@ -91,6 +91,7 @@ Thanks to [#5342](https://github.com/decidim/decidim/pull/5342), Decidim now sup

**Fixed**:

- **decidim-core** and **decidim-dev**: Solve puma's GHSA-84j7-475p-hp8v vulnerability, and nokogiri's CVE-2020-7595 vulnerability. [\#5820](https://github.com/decidim/decidim/pull/5820)
- **decidim-core**: Do not allow invited users to sign up. [\#5803](https://github.com/decidim/decidim/pull/5803)
- **decidim-initiatives**: Fix initiative state bug [\#5805](https://github.com/decidim/decidim/pull/5805)
- **decidim-admin**, **decidim-proposals**: Fix proposal card layout. [\#5783](https://github.com/decidim/decidim/pull/5783)
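Review bot: the changelog entry names the advisories but not the versions the fix depends on; since the lockfile hunks below move nokogiri to 1.10.9 and puma to 4.3.3, state those targets in the entry (e.g. "upgrade nokogiri to >= 1.10.8 and puma to 4.3.3") so operators on earlier releases can tell whether their own Gemfile.lock is already clear.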
@@ -11,7 +11,7 @@ gem "decidim-initiatives", path: "."

gem "bootsnap", "~> 1.4"

gem "puma", "~> 3.12.2"
gem "puma", "~> 4.3.3"
gem "uglifier", "~> 4.1"

gem "faker", "~> 1.9"
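Review bot: the puma constraint jumps a major version (`"~> 3.12.2"` to `"~> 4.3.3"`) inside a change described purely as a security fix; the commit message should say whether the puma configuration or startup behaviour needed any adjustment for 4.x, since anyone backporting this to a release branch will otherwise have to rediscover that.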
@@ -139,8 +139,8 @@ PATH
factory_bot_rails (~> 4.8)
i18n-tasks (~> 0.9.18)
mdl (~> 0.5.0)
nokogiri (>= 1.10.4)
puma (>= 3.12)
nokogiri (>= 1.10.8)
puma (>= 4.3)
rails-controller-testing (~> 1.0)
rspec-cells (~> 0.3.4)
rspec-html-matchers (~> 0.9.1)
@@ -505,7 +505,7 @@ GEM
netrc (0.11.0)
nio4r (2.5.2)
nobspw (0.6.1)
nokogiri (1.10.5)
nokogiri (1.10.9)
mini_portile2 (~> 2.4.0)
oauth (0.5.4)
oauth2 (1.4.4)
@@ -542,7 +542,7 @@ GEM
activerecord (>= 4.2)
request_store (~> 1.1)
parallel (1.19.1)
parser (2.7.0.2)
parser (2.7.0.4)
ast (~> 2.4.0)
pg (1.1.4)
pg_search (2.3.2)
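Review bot: the parser bump (2.7.0.2 to 2.7.0.4) is not mentioned in the commit message and is unrelated to the nokogiri and puma advisories; the same goes for regexp_parser (1.6.0 to 1.7.0) further down. Either list these incidental resolver updates in the message or drop them, so a security-only change stays minimal and easy to audit.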
@@ -556,7 +556,8 @@ GEM
actionmailer (>= 3)
premailer (~> 1.7, >= 1.7.9)
public_suffix (3.1.0)
puma (3.12.2)
puma (4.3.3)
nio4r (~> 2.0)
rack (2.0.8)
rack-attack (6.2.2)
rack (>= 1.0, < 3)
@@ -613,7 +614,7 @@ GEM
wisper (>= 1.6.1)
redcarpet (3.5.0)
redis (4.1.3)
regexp_parser (1.6.0)
regexp_parser (1.7.0)
request_store (1.5.0)
rack (>= 1.4)
responders (3.0.0)
@@ -780,7 +781,7 @@ DEPENDENCIES
faker (~> 1.9)
letter_opener_web (~> 1.3)
listen (~> 3.1)
puma (~> 3.12.2)
puma (~> 4.3.3)
spring (~> 2.0)
spring-watcher-listen (~> 2.0)
uglifier (~> 4.1)
@@ -29,8 +29,8 @@ Gem::Specification.new do |s|
s.add_dependency "erb_lint", "~> 0.0.28"
s.add_dependency "i18n-tasks", "~> 0.9.18"
s.add_dependency "mdl", "~> 0.5.0"
s.add_dependency "nokogiri", ">= 1.10.4"
s.add_dependency "puma", ">= 3.12"
s.add_dependency "nokogiri", ">= 1.10.8"
s.add_dependency "puma", ">= 4.3"
s.add_dependency "rails-controller-testing", "~> 1.0"
s.add_dependency "rspec-cells", "~> 0.3.4"
s.add_dependency "rspec-html-matchers", "~> 0.9.1"
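Review bot: the new puma floor `">= 4.3"` still admits 4.3.0 through 4.3.2, whereas the commit message ties the fix for GHSA-84j7-475p-hp8v to the 4.3.3 pinned in the Gemfile; a consumer that installs decidim-dev without this repository's Gemfile is therefore not guaranteed the patched version. Suggest `s.add_dependency "puma", ">= 4.3.3"` (the nokogiri floor of 1.10.8 already matches its fix version) and regenerating the PATH sections of the lockfiles afterwards.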
@@ -10,7 +10,7 @@ gem "decidim-initiatives", path: ".."

gem "bootsnap", "~> 1.3"

gem "puma", "~> 3.12.2"
gem "puma", "~> 4.3.3"
gem "uglifier", "~> 4.1"

gem "faker", "~> 1.9"
@@ -134,8 +134,8 @@ PATH
factory_bot_rails (~> 4.8)
i18n-tasks (~> 0.9.18)
mdl (~> 0.5.0)
nokogiri (>= 1.10.4)
puma (>= 3.12)
nokogiri (>= 1.10.8)
puma (>= 4.3)
rails-controller-testing (~> 1.0)
rspec-cells (~> 0.3.4)
rspec-html-matchers (~> 0.9.1)
@@ -500,7 +500,7 @@ GEM
netrc (0.11.0)
nio4r (2.5.2)
nobspw (0.6.1)
nokogiri (1.10.5)
nokogiri (1.10.9)
mini_portile2 (~> 2.4.0)
oauth (0.5.4)
oauth2 (1.4.4)
@@ -537,7 +537,7 @@ GEM
activerecord (>= 4.2)
request_store (~> 1.1)
parallel (1.19.1)
parser (2.7.0.2)
parser (2.7.0.4)
ast (~> 2.4.0)
pg (1.1.4)
pg_search (2.3.2)
@@ -551,7 +551,8 @@ GEM
actionmailer (>= 3)
premailer (~> 1.7, >= 1.7.9)
public_suffix (3.1.0)
puma (3.12.2)
puma (4.3.3)
nio4r (~> 2.0)
rack (2.0.8)
rack-attack (6.2.2)
rack (>= 1.0, < 3)
@@ -608,7 +609,7 @@ GEM
wisper (>= 1.6.1)
redcarpet (3.5.0)
redis (4.1.3)
regexp_parser (1.6.0)
regexp_parser (1.7.0)
request_store (1.5.0)
rack (>= 1.4)
responders (3.0.0)
@@ -774,7 +775,7 @@ DEPENDENCIES
faker (~> 1.9)
letter_opener_web (~> 1.3)
listen (~> 3.1)
puma (~> 3.12.2)
puma (~> 4.3.3)
spring (~> 2.0)
spring-watcher-listen (~> 2.0)
uglifier (~> 4.1)
@@ -139,8 +139,8 @@ PATH
factory_bot_rails (~> 4.8)
i18n-tasks (~> 0.9.18)
mdl (~> 0.5.0)
nokogiri (>= 1.10.4)
puma (>= 3.12)
nokogiri (>= 1.10.8)
puma (>= 4.3)
rails-controller-testing (~> 1.0)
rspec-cells (~> 0.3.4)
rspec-html-matchers (~> 0.9.1)
@@ -505,7 +505,7 @@ GEM
netrc (0.11.0)
nio4r (2.5.2)
nobspw (0.6.1)
nokogiri (1.10.5)
nokogiri (1.10.9)
mini_portile2 (~> 2.4.0)
oauth (0.5.4)
oauth2 (1.4.4)
@@ -542,7 +542,7 @@ GEM
activerecord (>= 4.2)
request_store (~> 1.1)
parallel (1.19.1)
parser (2.7.0.2)
parser (2.7.0.4)
ast (~> 2.4.0)
pg (1.1.4)
pg_search (2.3.2)
@@ -556,7 +556,8 @@ GEM
actionmailer (>= 3)
premailer (~> 1.7, >= 1.7.9)
public_suffix (3.1.0)
puma (3.12.2)
puma (4.3.3)
nio4r (~> 2.0)
rack (2.0.8)
rack-attack (6.2.2)
rack (>= 1.0, < 3)
@@ -613,7 +614,7 @@ GEM
wisper (>= 1.6.1)
redcarpet (3.5.0)
redis (4.1.3)
regexp_parser (1.6.0)
regexp_parser (1.7.0)
request_store (1.5.0)
rack (>= 1.4)
responders (3.0.0)
@@ -780,7 +781,7 @@ DEPENDENCIES
faker (~> 1.9)
letter_opener_web (~> 1.3)
listen (~> 3.1)
puma (~> 3.12.2)
puma (~> 4.3.3)
spring (~> 2.0)
spring-watcher-listen (~> 2.0)
uglifier (~> 4.1)
