From 377cdceb0ecdb075317bdfde79731cb8163d9d12 Mon Sep 17 00:00:00 2001
From: "snyk-io[bot]" <141718529+snyk-io[bot]@users.noreply.github.com>
Date: Tue, 29 Jul 2025 08:07:24 +0000
Subject: [PATCH] fix: Gemfile to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-10674179
- https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-10674176
- https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-10674184
- https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-10674192
- https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-10674188
---
 Gemfile | 40 ++++++++++++++++++++--------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/Gemfile b/Gemfile
index 5e3fb6ba9ed5..8875aca55687 100644
--- a/Gemfile
+++ b/Gemfile
@@ -37,16 +37,16 @@ ruby File.read(File.expand_path(".ruby-version", __dir__)).strip
 gem "actionpack-xml_parser", "~> 2.0.0"
 gem "activemodel-serializers-xml", "~> 1.0.1"
 gem "activerecord-import", "~> 1.7.0"
-gem "activerecord-session_store", "~> 2.1.0"
+gem "activerecord-session_store", "~> 2.2.0"
 gem "ox"
-gem "rails", "~> 7.1.3"
+gem "rails", "~> 7.1.4", ">= 7.1.4.1"
 gem "responders", "~> 3.0"
 gem "ffi", "~> 1.15"
 gem "rdoc", ">= 2.4.2"
-gem "doorkeeper", "~> 5.7.0"
+gem "doorkeeper", "~> 5.8.0"
 # Maintain our own omniauth due to relative URL root issues
 # see upstream PR: https://github.com/omniauth/omniauth/pull/903
 gem "omniauth", git: "https://github.com/opf/omniauth", ref: "fe862f986b2e846e291784d2caa3d90a658c67f0"
@@ -95,7 +95,7 @@ gem "escape_utils", "~> 1.3"
 # Syntax highlighting used in html-pipeline with rouge
 gem "rouge", "~> 4.4.0"
 # HTML sanitization used for html-pipeline
-gem "sanitize", "~> 6.1.0"
+gem "sanitize", "~> 7.0.0"
 # HTML autolinking for mails and urls (replaces autolink)
 gem "rinku", "~> 2.0.4", require: %w[rinku rails_rinku]
 # Version parsing with semver
@@ -126,7 +126,7 @@ gem "multi_json", "~> 1.15.0"
 gem "oj", "~> 3.16.0"
 gem "daemons"
-gem "good_job", "= 3.26.2" # update should be done manually in sync with saas-openproject version.
+gem "good_job", "= 3.27.0" # update should be done manually in sync with saas-openproject version.
 gem "rack-protection", "~> 3.2.0"
@@ -179,7 +179,7 @@ group :production do
 end
 gem "i18n-js", "~> 4.2.3"
-gem "rails-i18n", "~> 7.0.0"
+gem "rails-i18n", "~> 7.0.10"
 gem "sprockets", "~> 3.7.2" # lock sprockets below 4.0
 gem "sprockets-rails", "~> 3.5.1"
@@ -188,11 +188,11 @@ gem "puma", "~> 6.4"
 gem "puma-plugin-statsd", "~> 2.0"
 gem "rack-timeout", "~> 0.7.0", require: "rack/timeout/base"
-gem "nokogiri", "~> 1.16.0"
+gem "nokogiri", "~> 1.18.9"
 gem "carrierwave", "~> 1.3.4"
-gem "carrierwave_direct", "~> 2.1.0"
-gem "fog-aws"
+gem "carrierwave_direct", "~> 3.0.0"
+gem "fog-aws", ">= 3.28.0"
 gem "aws-sdk-core", "~> 3.107"
 # File upload via fog + screenshots on travis
@@ -222,15 +222,15 @@ gem "appsignal", "~> 3.10.0", require: false
 gem "view_component"
 # Lookbook
-gem "lookbook", "~> 2.3.0"
+gem "lookbook", "~> 2.3.3"
 # Require factory_bot for usage with openproject plugins testing
 gem "factory_bot", "~> 6.5.0", require: false
 # require factory_bot_rails for convenience in core development
-gem "factory_bot_rails", "~> 6.4.0", require: false
+gem "factory_bot_rails", "~> 6.4.4", require: false
-gem "turbo_power", "~> 0.6.2"
-gem "turbo-rails", "~> 2.0.0"
+gem "turbo_power", "~> 0.7.0"
+gem "turbo-rails", "~> 2.0.11"
 gem "httpx"
@@ -247,7 +247,7 @@ group :test do
   gem "rack_session_access"
   gem "rspec", "~> 3.13.0"
   # also add to development group, so 'spec' rake task gets loaded
-  gem "rspec-rails", "~> 7.0.0", group: :development
+  gem "rspec-rails", "~> 7.0.2", group: :development
   # Retry failures within the same environment
   gem "retriable", "~> 3.1.1"
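Review bot: The new `good_job` pin `= 3.27.0` contradicts the inline comment on that same line, which says the update must be done manually in sync with the saas-openproject version, so this automated bump should either be confirmed against that deployment or dropped from the commit and left at `= 3.26.2`. The diffstat lists only `Gemfile` and no `Gemfile.lock`, so the new `nokogiri` constraint `~> 1.18.9` is not actually resolved by this commit and a frozen or deployment `bundle install` will presumably fail until the lock is regenerated and committed alongside it. The same change set also carries major bumps unrelated to the stated nokogiri advisories (`sanitize` 6 to 7 in the earlier hunk, `carrierwave_direct` 2 to 3 here); sanitize is the HTML sanitizer behind html-pipeline, so its breaking-version changes deserve their own review rather than riding along with a security bump.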
@@ -271,7 +271,7 @@ group :test do
   gem "capybara", "~> 3.40.0"
   gem "capybara_accessible_selectors", git: "https://github.com/citizensadvice/capybara_accessible_selectors", branch: "main"
   gem "capybara-screenshot", "~> 1.0.17"
-  gem "cuprite", "~> 0.15.0"
+  gem "cuprite", "~> 0.16.0"
   gem "rspec-wait"
   gem "selenium-devtools"
   gem "selenium-webdriver", "~> 4.20"
@@ -315,7 +315,7 @@ group :development do
 end
 group :development, :test do
-  gem "dotenv-rails"
+  gem "dotenv-rails", ">= 3.1.5"
   # Tracing and profiling gems
   gem "flamegraph", require: false
@@ -345,14 +345,14 @@ group :development, :test do
   gem "rubocop-rspec_rails", require: false
   # erb linting
-  gem "erb_lint", require: false
+  gem "erb_lint", ">= 0.7.0", require: false
   gem "erblint-github", require: false
   # Brakeman scanner
   gem "brakeman", "~> 6.2.0"
   # i18n-tasks helps find and manage missing and unused translations.
-  gem "i18n-tasks", "~> 1.0.13", require: false
+  gem "i18n-tasks", "~> 1.0.15", require: false
 end
 gem "bootsnap", "~> 1.18.0", require: false
@@ -398,5 +398,5 @@ gemfiles.each do |file|
 end
 gem "openproject-octicons", "~>19.18.0"
-gem "openproject-octicons_helper", "~>19.18.0"
-gem "openproject-primer_view_components", "~>0.48.0"
+gem "openproject-octicons_helper", "~> 19.18.1"
+gem "openproject-primer_view_components", "~> 0.48.1"