bump loofah to 2.2.3 #73
Conversation
|
Thanks for the pull request, and welcome! The Rails team is excited to review your changes, and you should hear from @rafaelfranca (or someone else) soon. If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes. Please see the contribution instructions for more information. |
ruby advisory fails on ``` Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 ``` Once rails/rails-html-sanitizer#73 is merged, we can remove this exception.
|
Thanks, but we prefer not to bump our dependencies just to force upgrades of other libraries. This change is not needed for applications to begin using the new updated version. |
|
For those who get here, in case it wasn't clear, here's all you need to do to update to non-vulnerable dependency in your rails app: You don't need to "wait for Rails to fix it", it's already fixed in loofah, you just need to update loofah. Even if rails or rails-html-sanitizer had a new release with tighter loofah version restrictions -- you'd have to take the action to update your dependencies anyway, so it wouldn't give you much. Just update your loofah dependency. |
Loofah recently had a security patch: https://github.com/flavorjones/loofah/blob/v2.2.3/CHANGELOG.md#223--2018-10-30