Security: Rebuild to fix multiple vulnerabilities?

[meten-natuurlijk]

Hi,
I believe that the current build of Geminabox depends on some Ruby gems that contain security vulnerabilities, and that these can be fixed by bumping the versions of the gem dependancies.

NAME                   INSTALLED         FIXED-IN          TYPE  VULNERABILITY        SEVERITY 
rack                   2.2.6.2           2.2.6.3           gem   GHSA-3h57-hmj3-gj3p  High      
rack                   2.2.6.2           2.2.6.4           gem   GHSA-c6qg-cjj8-47qp  Low       
time                   0.2.1             0.2.2             gem   GHSA-fg7x-g82r-94qc  High      
uri                    0.12.0            0.12.1            gem   GHSA-hv5j-3h9f-99c2  High

[github-actions]

Could you update this issue?

[meten-natuurlijk]

Hello GitHub-actions-bot,
Thank you for the automated notification. 😉
But I believe this issue has not been fixed yet.

[github-actions]

Could you update this issue?

[tnir]

@meten-natuurlijk The team does not provide pre-built except for gem on RubyGems.org. Where can we find the build you are talking?

Once you will run the following commands,

$ bundle init
$ bundle add geminabox

you will see the below:

$ cat Gemfile.lock 
GEM
  remote: https://rubygems.org/
  specs:
    builder (3.2.4)
    faraday (2.7.10)
      faraday-net_http (>= 2.0, < 3.1)
      ruby2_keywords (>= 0.0.4)
    faraday-net_http (3.0.2)
    geminabox (2.1.0)
      builder
      faraday (> 1.0, < 3.0)
      httpclient (>= 2.2.7)
      nesty
      reentrant_flock
      sinatra (~> 2.0)
    httpclient (2.8.3)
    mustermann (2.0.2)
      ruby2_keywords (~> 0.0.1)
    nesty (1.0.2)
    rack (2.2.8)
    rack-protection (2.2.4)
      rack
    reentrant_flock (0.1.1)
    ruby2_keywords (0.0.5)
    sinatra (2.2.4)
      mustermann (~> 2.0)
      rack (~> 2.2)
      rack-protection (= 2.2.4)
      tilt (~> 2.0)
    tilt (2.2.0)

PLATFORMS
  aarch64-linux

DEPENDENCIES
  geminabox (~> 2.1)

BUNDLED WITH
   2.4.10

Closing.