Bump vulnerable gems flagged by bundler-audit#1495

Merged
maebeale merged 1 commit into main from maebeale/bump-vulnerable-gems on May 15, 2026
Conversation

@maebeale
Collaborator

What is the goal of this PR and why is this important?

  • The scan_ruby CI job (bundler-audit) is failing on every branch because new CVE advisories have been published since main last ran CI
  • None of the flagged gems are direct dependencies we use heavily, but bundler-audit fails the build on any open advisory
  • Get CI green again so feature PRs can land

How did you approach the change?

  • Ran bundle update --conservative on each gem with an open advisory: addressable, net-imap, nokogiri, rack, rack-session
  • Verified locally with bundle exec bundler-audit check --update — "No vulnerabilities found"

Gems updated

Gem           From     To       Why
------------  -------  -------  ------------------------------------------
addressable   2.8.8    2.9.0    CVE-2026-35611 (ReDoS)
net-imap      0.6.3    0.6.4    CVE-2026-42245/42246/42256/42257/42258
nokogiri      1.19.2   1.19.3   CSS tokenizer ReDoS + XSLT memory leak
rack          3.2.5    3.2.6    CVE-2026-26961/26962 (multipart parsing)
rack-session  2.1.1    2.1.2    Transitive bump

UI Testing Checklist

  • CI scan_ruby job passes
  • CI build-and-test job passes
  • No app-level regressions (gem updates are all patch-level)

Anything else to add?

  • Only Gemfile.lock is touched; no Gemfile constraints change

Updates addressable, net-imap, nokogiri, rack, and rack-session to
patched versions to clear CVE advisories from the scan_ruby CI job.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
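A quick way to confirm that a Gemfile.lock really carries the patched versions from the "Gems updated" table, rather than trusting the bump by eye, is to parse the lock's `specs:` section and compare each pin with `Gem::Version`. The script below is an added example, not code from this PR or the project: the minimum versions come from the table above, the two lock fragments are constructed to mirror the From and To columns (their dependency lines are placeholders), and the platform suffix that bundler appends to native gems (e.g. `-x86_64-linux`) is stripped before comparison so it is not mistaken for a prerelease.

```ruby
# Added example (not part of the PR): check a Gemfile.lock against the
# minimum patched versions listed in the PR's "Gems updated" table.
require "rubygems"

# Minimum patched versions, taken from the PR table.
PATCHED = {
  "addressable"  => "2.9.0",
  "net-imap"     => "0.6.4",
  "nokogiri"     => "1.19.3",
  "rack"         => "3.2.6",
  "rack-session" => "2.1.2",
}.freeze

# Parse every "specs:" section of a Gemfile.lock into { name => version }.
# Resolved gems are indented by exactly four spaces; deeper lines are their
# runtime dependencies and are skipped. A platform suffix such as
# "1.19.3-x86_64-linux" is reduced to "1.19.3" (Gem::Version would otherwise
# treat the hyphenated part as a prerelease tag and sort it *below* 1.19.3).
def lock_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /^\s+specs:\s*$/
      in_specs = true
      next
    end
    in_specs = false if in_specs && line =~ /^\S/ # next top-level section (PLATFORMS, ...)
    next unless in_specs
    if (m = line.match(/^    ([^\s(]+) \(([^)]+)\)\s*$/))
      versions[m[1]] = m[2].split("-").first
    end
  end
  versions
end

# Return the gems still below their patched version as { name => [have, need] }.
# Gems absent from the lock are ignored: an advisory for a gem you don't
# bundle is not something bundle update can fix.
def outdated(lock_text, patched = PATCHED)
  have = lock_versions(lock_text)
  patched.each_with_object({}) do |(name, need), bad|
    next unless have.key?(name)
    bad[name] = [have[name], need] if Gem::Version.new(have[name]) < Gem::Version.new(need)
  end
end

# Constructed lock fragment mirroring the "From" column (dependency lines are placeholders).
BEFORE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.8.8)
        some-dependency (>= 1.0)
      net-imap (0.6.3)
      nokogiri (1.19.2-x86_64-linux)
      rack (3.2.5)
      rack-session (2.1.1)
        rack (>= 3.0.0)

  PLATFORMS
    x86_64-linux
LOCK

# Constructed lock fragment mirroring the "To" column.
AFTER_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.9.0)
        some-dependency (>= 1.0)
      net-imap (0.6.4)
      nokogiri (1.19.3-x86_64-linux)
      rack (3.2.6)
      rack-session (2.1.2)
        rack (>= 3.0.0)

  PLATFORMS
    x86_64-linux
LOCK

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_lock.rb [path/to/Gemfile.lock]; defaults to the constructed "after" lock.
  text = ARGV[0] ? File.read(ARGV[0]) : AFTER_LOCK
  bad = outdated(text)
  bad.each { |name, (have, need)| puts "#{name}: locked #{have}, need >= #{need}" }
  puts "No vulnerable pins found" if bad.empty?
  exit(bad.empty? ? 0 : 1)
end
```

Pointed at a real Gemfile.lock, the script exits non-zero whenever any of the five gems is still pinned below the patched version, which makes it a cheap guard to run alongside `bundler-audit check --update` in CI.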
@maebeale maebeale marked this pull request as ready for review May 15, 2026 13:51
@maebeale maebeale merged commit 1af8b74 into main May 15, 2026
3 checks passed
@maebeale maebeale deleted the maebeale/bump-vulnerable-gems branch May 15, 2026 14:13
jmilljr24 pushed a commit that referenced this pull request May 20, 2026
Updates addressable, net-imap, nokogiri, rack, and rack-session to
patched versions to clear CVE advisories from the scan_ruby CI job.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>