
Fix gem vulnerabilities: upgrade activesupport and rexml #294

Merged: stowingJunK merged 1 commit into facebook:main from schwartzmx:ruby-gem-upgrade on Apr 2, 2026

@schwartzmx schwartzmx commented Apr 2, 2026

Member

Address security vulnerabilities in the react-native-testapp Gemfile:

  • activesupport: 6.1.7.10 → 7.2.3.1 (fixes 3 medium severity CVEs)
  • rexml: 3.4.1 → 3.4.4 (fixes 1 low severity CVE, >= 3.4.2 required)

This requires Ruby >= 3.2 (up from 2.6.10) since activesupport 7.2.x depends on connection_pool which needs Ruby 3.2+. Added .ruby-version for rbenv and updated the README with current setup instructions including rbenv-based Ruby installation and updated bundler commands.

Tested simulator working as expected after npm run build:ios && npm run ios

Address security vulnerabilities in the react-native-testapp Gemfile:
- activesupport: 6.1.7.10 → 7.2.3.1 (fixes 3 medium severity CVEs)
- rexml: 3.4.1 → 3.4.4 (fixes 1 low severity CVE, >= 3.4.2 required)

This requires Ruby >= 3.2 (up from 2.6.10) since activesupport 7.2.x
depends on connection_pool which needs Ruby 3.2+. Added .ruby-version
for rbenv and updated the README with current setup instructions
including rbenv-based Ruby installation and updated bundler commands.
@meta-cla meta-cla Bot added the CLA Signed label Apr 2, 2026 (This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed.)

@stowingJunK stowingJunK left a comment


LGTM. Ruby Gem upgrades!

@stowingJunK stowingJunK merged commit efe3702 into facebook:main Apr 2, 2026
2 checks passed
@schwartzmx schwartzmx deleted the ruby-gem-upgrade branch April 3, 2026 00:30
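
A lockfile check for the version floors named in the PR description above, added here as an example; it is not code from the pull request or the repository. The lockfile text is constructed, `audit_lockfile` is a hypothetical helper, and the activesupport floor is assumed to be the PR's target version because the page does not state the minimum patched release.

```ruby
require "rubygems" # Gem::Version gives correct segment-wise comparison

# Floors from the PR description. rexml ">= 3.4.2 required" is stated there;
# the activesupport floor is the PR's target version (assumption, see lead-in).
GEM_FLOORS = {
  "activesupport" => Gem::Version.new("7.2.3.1"),
  "rexml"         => Gem::Version.new("3.4.2"),
}.freeze
RUBY_FLOOR = Gem::Version.new("3.2") # activesupport 7.2.x needs Ruby 3.2+

# Constructed Gemfile.lock resembling the pre-upgrade state described in the PR.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (6.1.7.10)
        concurrent-ruby (~> 1.0, >= 1.0.2)
      rexml (3.4.1)

  DEPENDENCIES
    activesupport (>= 6.1.7.5)

  RUBY VERSION
     ruby 2.6.10p210
LOCK

# Returns one finding per gem (or Ruby itself) that resolves below its floor.
def audit_lockfile(text)
  # Resolved specs sit at exactly four spaces of indent; their dependency
  # constraints (six spaces) and the DEPENDENCIES list (two) are skipped.
  resolved = text.scan(/^ {4}(\S+) \(([^)]+)\)$/).to_h
  findings = []
  GEM_FLOORS.each do |name, floor|
    raw = resolved[name]
    next if raw.nil? # gem not present in this lockfile
    have = Gem::Version.new(raw.split("-").first) # drop any platform suffix
    findings << "#{name} #{have} < #{floor}" if have < floor
  end
  if (m = text.match(/^RUBY VERSION\n\s+ruby (\d+(?:\.\d+)*)/))
    ruby = Gem::Version.new(m[1]) # patch level such as p210 is not captured
    findings << "ruby #{ruby} < #{RUBY_FLOOR}" if ruby < RUBY_FLOOR
  end
  findings
end

puts audit_lockfile(SAMPLE_LOCK) if __FILE__ == $PROGRAM_NAME
```

Run against the real `Gemfile.lock` in CI, a non-empty result signals that a later dependency change has pulled either gem, or the Ruby runtime, back below these floors.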