mirror of https://github.com/rails/rails
Amend CVE note and security guide section wordings
Reword first sentence of dep management and CVE section of security guide. Also, reword and move gemspec notes above deps. [ci skip]
This commit is contained in:
Gannon McGibbon
parent
bb11a9acab
commit
e74fdbe00c
|
|
@ -2,9 +2,6 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "actioncable"
|
||||
|
|
@ -28,6 +25,9 @@ Gem::Specification.new do |s|
|
|||
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/actioncable/CHANGELOG.md"
|
||||
}
|
||||
|
||||
# NOTE: Please read our dependency guidelines before updating versions:
|
||||
# https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
|
||||
|
||||
s.add_dependency "actionpack", version
|
||||
|
||||
s.add_dependency "nio4r", "~> 2.0"
|
||||
|
|
|
|||
|
|
@ -2,9 +2,6 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "actionmailer"
|
||||
|
|
@ -29,6 +26,9 @@ Gem::Specification.new do |s|
|
|||
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/actionmailer/CHANGELOG.md"
|
||||
}
|
||||
|
||||
# NOTE: Please read our dependency guidelines before updating versions:
|
||||
# https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
|
||||
|
||||
s.add_dependency "actionpack", version
|
||||
s.add_dependency "actionview", version
|
||||
s.add_dependency "activejob", version
|
||||
|
|
|
|||
|
|
@ -2,9 +2,6 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "actionpack"
|
||||
|
|
@ -29,6 +26,9 @@ Gem::Specification.new do |s|
|
|||
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/actionpack/CHANGELOG.md"
|
||||
}
|
||||
|
||||
# NOTE: Please read our dependency guidelines before updating versions:
|
||||
# https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
|
||||
|
||||
s.add_dependency "activesupport", version
|
||||
|
||||
s.add_dependency "rack", "~> 2.0"
|
||||
|
|
|
|||
|
|
@ -2,9 +2,6 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "actionview"
|
||||
|
|
@ -29,6 +26,9 @@ Gem::Specification.new do |s|
|
|||
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/actionview/CHANGELOG.md"
|
||||
}
|
||||
|
||||
# NOTE: Please read our dependency guidelines before updating versions:
|
||||
# https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
|
||||
|
||||
s.add_dependency "activesupport", version
|
||||
|
||||
s.add_dependency "builder", "~> 3.1"
|
||||
|
|
|
|||
|
|
@ -2,9 +2,6 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "activejob"
|
||||
|
|
@ -28,6 +25,9 @@ Gem::Specification.new do |s|
|
|||
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/activejob/CHANGELOG.md"
|
||||
}
|
||||
|
||||
# NOTE: Please read our dependency guidelines before updating versions:
|
||||
# https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
|
||||
|
||||
s.add_dependency "activesupport", version
|
||||
s.add_dependency "globalid", ">= 0.3.6"
|
||||
end
|
||||
|
|
|
|||
|
|
@ -2,9 +2,6 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "activemodel"
|
||||
|
|
@ -28,5 +25,8 @@ Gem::Specification.new do |s|
|
|||
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/activemodel/CHANGELOG.md"
|
||||
}
|
||||
|
||||
# NOTE: Please read our dependency guidelines before updating versions:
|
||||
# https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
|
||||
|
||||
s.add_dependency "activesupport", version
|
||||
end
|
||||
|
|
|
|||
|
|
@ -2,9 +2,6 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "activerecord"
|
||||
|
|
@ -31,6 +28,9 @@ Gem::Specification.new do |s|
|
|||
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/activerecord/CHANGELOG.md"
|
||||
}
|
||||
|
||||
# NOTE: Please read our dependency guidelines before updating versions:
|
||||
# https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
|
||||
|
||||
s.add_dependency "activesupport", version
|
||||
s.add_dependency "activemodel", version
|
||||
end
|
||||
|
|
|
|||
|
|
@ -2,9 +2,6 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "activestorage"
|
||||
|
|
@ -28,6 +25,9 @@ Gem::Specification.new do |s|
|
|||
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/activestorage/CHANGELOG.md"
|
||||
}
|
||||
|
||||
# NOTE: Please read our dependency guidelines before updating versions:
|
||||
# https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
|
||||
|
||||
s.add_dependency "actionpack", version
|
||||
s.add_dependency "activerecord", version
|
||||
|
||||
|
|
|
|||
|
|
@ -2,9 +2,6 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "activesupport"
|
||||
|
|
@ -30,6 +27,9 @@ Gem::Specification.new do |s|
|
|||
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/activesupport/CHANGELOG.md"
|
||||
}
|
||||
|
||||
# NOTE: Please read our dependency guidelines before updating versions:
|
||||
# https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
|
||||
|
||||
s.add_dependency "i18n", ">= 0.7", "< 2"
|
||||
s.add_dependency "tzinfo", "~> 1.1"
|
||||
s.add_dependency "minitest", "~> 5.1"
|
||||
|
|
|
|||
|
|
@ -1238,7 +1238,7 @@ Rails.application.credentials.some_api_key! # => raises KeyError: :some_api_key
|
|||
Dependency Management and CVEs
|
||||
------------------------------
|
||||
|
||||
Please note that we do not accept patches for CVE version bumps. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
|
||||
We don’t bump dependencies just to encourage use of new versions, including for security issues. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
|
||||
|
||||
Additional Resources
|
||||
--------------------
|
||||
|
|
|
|||
|
|
@ -2,9 +2,6 @@
|
|||
|
||||
version = File.read(File.expand_path("../RAILS_VERSION", __dir__)).strip
|
||||
|
||||
# NOTE: There's no need to update dependencies for CVEs in minor
|
||||
# releases when users can simply run `bundle update vulnerable_gem`.
|
||||
|
||||
Gem::Specification.new do |s|
|
||||
s.platform = Gem::Platform::RUBY
|
||||
s.name = "railties"
|
||||
|
|
@ -33,6 +30,9 @@ Gem::Specification.new do |s|
|
|||
"changelog_uri" => "https://github.com/rails/rails/blob/v#{version}/railties/CHANGELOG.md"
|
||||
}
|
||||
|
||||
# NOTE: Please read our dependency guidelines before updating versions:
|
||||
# https://edgeguides.rubyonrails.org/security.html#dependency-management-and-cves
|
||||
|
||||
s.add_dependency "activesupport", version
|
||||
s.add_dependency "actionpack", version
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue