Downgrade rails and do not bump redis (#918)

* Downgrade rails and do not bump redis * Add notes for future troubleshooting. * Downgrade faraday
pulibrary · May 25, 2021 · 539d96d · 539d96d
1 parent 5577fae
commit 539d96d
Show file tree

Hide file tree

Showing 2 changed files with 222 additions and 201 deletions.
diff --git a/Gemfile b/Gemfile
@@ -6,7 +6,9 @@ gem 'graphql-client'
 gem 'jbuilder', '~> 2.0'
 gem 'jquery-rails'
 gem 'rack', '>= 2.0.6'
-gem 'rails', '~> 5.2'
+# Locking rails at 5.2.4.5 until we can handle this upgrade: https://github.com/rails/rails/releases/tag/v5.2.4.6
+# The problem is CVE-2021-22885 and we should fix it upsteam.
+gem 'rails', '5.2.4.5'
 gem 'sass-rails', '~> 5.0'
 gem 'turbolinks'
 gem 'uglifier', '>= 1.3.0'
@@ -55,6 +57,7 @@ gem 'ddtrace'
 gem 'devise', '~> 4.7.1'
 gem 'devise-guests', '~> 0.3'
 gem 'devise_invitable'
+gem 'faraday', '< 1'
 gem 'iiif-presentation'
 gem 'iso-639'
 gem 'lograge'
@@ -63,6 +66,8 @@ gem 'omniauth', '~> 1.8.1'
 gem 'omniauth-cas'
 gem 'open_uri_redirections'
 gem 'redis-namespace'
+# Upgrading past redis 3.3.5 currently breaks deploy. Test any upgrades here carefully.
+gem 'redis', '3.3.5'
 gem 'riiif'
 gem 'rsolr', '~> 1.0.6'
 gem 'sidekiq', '< 6'