Add a gem w/ a known security vulnerability #1
Force-pushed f6119fe to 3d267da
Force-pushed 1eda32c to a4434b1
Force-pushed d97bdbc to 85a1173
Force-pushed 85a1173 to ce8fff0
Force-pushed ce8fff0 to 5436a78
Force-pushed 75876d2 to a8a6a88
@@ -170,6 +170,7 @@ GEM | |||
websocket-driver (0.7.1) | |||
websocket-extensions (>= 0.1.0) | |||
websocket-extensions (0.1.4) | |||
yard (0.9.19) |
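Review bot: the one line this hunk adds to the GEM block, `yard (0.9.19)`, pins exactly the version the bundler-audit comment attached to it flags (GHSA-xfhh-rx56-rxcr, path traversal and file access via `yard server`, fixed in >= 0.9.20). Given the PR title, adding a known-vulnerable gem is the point, so the finding is the expected result rather than a defect; what is missing is a record of that intent where it will be seen, for example a comment on the `yard` entry in the Gemfile stating that the pin is deliberate test input and must not be bumped or shipped, and the Gemfile change itself, which is not in the diff shown here (only Gemfile.lock is).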
Name: yard
Version: 0.9.19
Advisory:
Criticality: Unknown
URL: GHSA-xfhh-rx56-rxcr
Title: Possible arbitrary path traversal and file access via yard server
Solution: Upgrade to >= 0.9.20.
Force-pushed a8a6a88 to b3ed463
Yard v0.9.19 has a known security vulnerability. Making a pull request on this commit should invoke the needed test. Update pronto-bundler_audit version as well to try to get working functionality.
Force-pushed b3ed463 to 429cbd9
@@ -170,6 +176,7 @@ GEM | |||
websocket-driver (0.7.1) | |||
websocket-extensions (>= 0.1.0) | |||
websocket-extensions (0.1.4) |
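Review bot: the header says this hunk adds one line (`-170,6 +176,7`), but the added line is not among the lines shown, so the change cannot be reviewed from this excerpt; only the three websocket context lines survive. The new-file start has also moved from 170 to 176 since the first push, so six lines were inserted above this point in the lockfile that this hunk does not show. The advisory attached here (loofah 2.2.3, CVE-2019-15587, fixed in >= 2.3.1) concerns a gem that none of these lines touch, which means it is a pre-existing lockfile finding reported against the changed lines rather than something this PR introduced; it should still be upgraded, but in its own change, so the test branch does not become the place where unrelated advisories accumulate.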
Name: loofah
Version: 2.2.3
Advisory: CVE-2019-15587
Criticality: Unknown
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: Upgrade to >= 2.3.1.
@@ -170,6 +176,7 @@ GEM | |||
websocket-driver (0.7.1) | |||
websocket-extensions (>= 0.1.0) | |||
websocket-extensions (0.1.4) | |||
yard (0.9.19) | |||
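Review bot: the comment attached to this hunk reports nokogiri 1.10.3 (CVE-2019-5477, criticality High, command injection via `Nokogiri::CSS::Tokenizer#load_file`, fixed in >= 1.10.4), yet the only line the hunk adds is `yard (0.9.19)`; nokogiri is not touched here. That is the highest-rated finding on this PR and it is pre-existing in Gemfile.lock, so it should not be left behind once the yard test is done: bump nokogiri to >= 1.10.4 in a separate PR, and treat the deliberate yard pin as the only advisory this branch is meant to carry.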
Name: nokogiri
Version: 1.10.3
Advisory: CVE-2019-5477
Criticality: High
URL: sparklemotion/nokogiri#1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: Upgrade to >= 1.10.4.
@@ -170,6 +176,7 @@ GEM | |||
websocket-driver (0.7.1) | |||
websocket-extensions (>= 0.1.0) | |||
websocket-extensions (0.1.4) | |||
yard (0.9.19) |
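Review bot: same single added line as the first push, `yard (0.9.19)`, and the attached advisory now carries CVE-2019-1020001 alongside GHSA-xfhh-rx56-rxcr with the same fix (>= 0.9.20), so there is nothing new to correct in the hunk itself. What would make the test reviewable is writing the expected outcome down: the PR description or a fixture should state that pronto-bundler_audit is expected to comment on this exact lockfile line with this advisory, so that a later run which produces no comment is recognised as a failure rather than a clean result.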
Name: yard
Version: 0.9.19
Advisory: CVE-2019-1020001
Criticality: Unknown
URL: GHSA-xfhh-rx56-rxcr
Title: Arbitrary path traversal and file access via yard server
Solution: Upgrade to >= 0.9.20.
Merged because to do a proper test I need a commit that doesn't, itself, include any changes to Gemfile.lock.
Yard v0.9.19 has a known security vulnerability. Making a pull request on this commit should invoke the needed test.