user3630282
GitHub found dependency vulnerability in Gemfile.lock

I have been receiving messages that GitHub found a known dependency vulnerability in my Gemfile.lock. These are loofah (2.0.3) and Nokogiri (1.7.0.1), but these gems are dependencies I did not specifically ask for in my Gemfile (other gems depend on them), so what can I do?

Upvotes: 7

Views: 2789

Answers (2)

jdno

Reputation: 4364

In your Gemfile.lock, you can see which one of your dependencies pulls in those libraries, and what their version constraint is.

rails-html-sanitizer (1.0.3)
  loofah (~> 2.0)

With Rails, loofah is required by rails-html-sanitizer and the version must just be greater than 2.0. If a version is locked, the Gemfile.lock will read = 2.0.

Since it is not locked, you can use bundle update loofah to install a more recent version that does not suffer from the security vulnerability. Or bundle update if you want to update all gems...

Should a version be locked, you have to check if the gem that declares the dependency has a newer version that updates its locked dependency (e.g. a new version of rails-html-sanitizer that updates loofah). With security issues, these updates normally happen pretty quickly. You would then update rails-html-sanitizer to get a new version of loofah.

Upvotes: 7
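To do the Gemfile.lock reading described in the answer above mechanically, here is a small Ruby script (an added example, not part of the question or either answer) that parses the specs section, lists which gems declare a dependency on a given gem, and flags whether the constraint is an exact pin; the lock file contents are constructed for illustration.

```ruby
# Constructed Gemfile.lock fragment for illustration (not a real project's lock file).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.0.3)
        nokogiri (>= 1.5.9)
      mini_portile2 (2.1.0)
      nokogiri (1.7.0.1)
        mini_portile2 (~> 2.1.0)
      rails-html-sanitizer (1.0.3)
        loofah (~> 2.0)

  PLATFORMS
    ruby
LOCK

# Parse "specs:" into { name => { version:, deps: { dep => constraint } } };
# gem specs sit at 4 spaces of indent, their dependencies at 6.
def parse_specs(lock_text)
  specs, current, in_specs = {}, nil, false
  lock_text.each_line do |raw|
    line = raw.chomp
    in_specs = true if line == "  specs:"
    in_specs = false if line =~ /\A\S/      # next top-level block (PLATFORMS, ...)
    next unless in_specs
    if line =~ /\A {4}(\S+) \(([^)]+)\)\z/
      current = $1
      specs[current] = { version: $2, deps: {} }
    elsif current && line =~ /\A {6}(\S+)(?: \(([^)]+)\))?\z/
      specs[current][:deps][$1] = $2 || ">= 0"  # bare name means any version
    end
  end
  specs
end

# Gems that depend on `target`; :pinned is true only for an exact "= x.y.z"
# constraint, the case where "bundle update target" cannot move past it alone.
def dependents_of(specs, target)
  specs.each_with_object([]) do |(name, spec), out|
    constraint = spec[:deps][target]
    next unless constraint
    out << { gem: name, version: spec[:version], constraint: constraint,
             pinned: constraint.start_with?("= ") }
  end
end

if __FILE__ == $PROGRAM_NAME
  specs = parse_specs(SAMPLE_LOCK)
  dependents_of(specs, "loofah").each do |d|
    puts "loofah <- #{d[:gem]} #{d[:version]} (#{d[:constraint]}) pinned=#{d[:pinned]}"
  end
end
```

Run it against your own file with `parse_specs(File.read("Gemfile.lock"))`; a non-pinned result means `bundle update <gem>` can move the version, a pinned one means the declaring gem itself needs a newer release.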

ruby_newbie

Reputation: 3285

You can go into your Gemfile.lock and see which libraries are requiring these gems as dependencies. Then you can proceed to update, replace, or remove those libraries until you no longer have vulnerabilities.

Upvotes: 0
