From 77cf38e595de07938e847f0ea0000abc44ba9e80 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Tue, 4 Apr 2023 07:25:12 -0700 Subject: [PATCH 1/2] fix: Gemfile & Gemfile.lock to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-1290051 - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-1290052 - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-1290053 - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-1290054 - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-2320175 - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-2400638 - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-2803847 - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-3237231 - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-3237232 - https://snyk.io/vuln/SNYK-RUBY-ACTIONVIEW-2803851 - https://snyk.io/vuln/SNYK-RUBY-ACTIVERECORD-2960802 - https://snyk.io/vuln/SNYK-RUBY-ACTIVERECORD-3237236 - https://snyk.io/vuln/SNYK-RUBY-ACTIVERECORD-3237239 - https://snyk.io/vuln/SNYK-RUBY-ACTIVESTORAGE-2420035 - https://snyk.io/vuln/SNYK-RUBY-ACTIVESUPPORT-3237242 - https://snyk.io/vuln/SNYK-RUBY-ACTIVESUPPORT-3360028 - https://snyk.io/vuln/SNYK-RUBY-GLOBALID-3237234 - https://snyk.io/vuln/SNYK-RUBY-LOOFAH-3168317 - https://snyk.io/vuln/SNYK-RUBY-LOOFAH-3168318 - https://snyk.io/vuln/SNYK-RUBY-LOOFAH-3168649 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-1293239 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-1726792 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-2413994 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-2620374 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-2630623 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-2630898 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-2840634 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-3052880 - https://snyk.io/vuln/SNYK-RUBY-PUMA-1291014 - https://snyk.io/vuln/SNYK-RUBY-PUMA-1730572 - https://snyk.io/vuln/SNYK-RUBY-PUMA-2400629 - https://snyk.io/vuln/SNYK-RUBY-PUMA-2437090 - https://snyk.io/vuln/SNYK-RUBY-RACK-1061917 - https://snyk.io/vuln/SNYK-RUBY-RACK-2848599 - https://snyk.io/vuln/SNYK-RUBY-RACK-2848600 - https://snyk.io/vuln/SNYK-RUBY-RACK-3237233 - https://snyk.io/vuln/SNYK-RUBY-RACK-3237237 - https://snyk.io/vuln/SNYK-RUBY-RACK-3237240 - https://snyk.io/vuln/SNYK-RUBY-RACK-3356639 - https://snyk.io/vuln/SNYK-RUBY-RACK-3360233 - https://snyk.io/vuln/SNYK-RUBY-RAILS-1567785 - https://snyk.io/vuln/SNYK-RUBY-RAILS-5291540 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-2935879 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-3168316 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-3168646 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-3168647 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-3168648 --- Gemfile | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/Gemfile b/Gemfile index cf29c03..5e2c9d3 100644 --- a/Gemfile +++ b/Gemfile @@ -1,25 +1,25 @@ source 'https://rubygems.org' git_source(:github) { |repo| "https://github.com/#{repo}.git" } -gem 'twilio-ruby', '~> 5.46' -gem 'dotenv-rails', '~> 2.7.5' +gem 'twilio-ruby', '~> 5.50', '>= 5.50.0' +gem 'dotenv-rails', '~> 2.7.6' # Bundle edge Rails instead: gem 'rails', github: 'rails/rails' -gem 'rails', '~> 6.1.3' +gem 'rails', '~> 6.1.7', '>= 6.1.7.3' # Use sqlite3 as the database for Active Record gem 'sqlite3' # Use Puma as the app server -gem 'puma', '~> 5.0' +gem 'puma', '~> 5.6', '>= 5.6.4' # Use SCSS for stylesheets -gem 'sass-rails', '~> 6.0' +gem 'sass-rails', '~> 6.0', '>= 6.0.0' # Use Uglifier as compressor for JavaScript assets gem 'uglifier', '>= 4.2.0' # Use CoffeeScript for .coffee assets and views -gem 'coffee-rails', '~> 5.0' +gem 'coffee-rails', '~> 5.0', '>= 5.0.0' # Turbolinks makes navigating your web application faster. Read more: https://github.com/turbolinks/turbolinks gem 'turbolinks', '~> 5' # Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder -gem 'jbuilder', '~> 2.10' +gem 'jbuilder', '~> 2.11', '>= 2.11.2' # Use Redis adapter to run Action Cable in production # gem 'redis', '~> 4.0' # Use ActiveModel has_secure_password @@ -41,7 +41,7 @@ end group :development do # Access an interactive console on exception pages or by calling 'console' anywhere in the code. - gem 'web-console', '>= 4.0.1' + gem 'web-console', '>= 4.1.0' gem 'listen', '~> 3.3' # Spring speeds up development by keeping your application running in the background. Read more: https://github.com/rails/spring gem 'spring' From 4526cc06348e51787aa95d973ce3ee35c83f2ccb Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Tue, 4 Apr 2023 07:25:12 -0700 Subject: [PATCH 2/2] fix: Gemfile & Gemfile.lock to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-1290051 - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-1290052 - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-1290053 - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-1290054 - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-2320175 - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-2400638 - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-2803847 - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-3237231 - https://snyk.io/vuln/SNYK-RUBY-ACTIONPACK-3237232 - https://snyk.io/vuln/SNYK-RUBY-ACTIONVIEW-2803851 - https://snyk.io/vuln/SNYK-RUBY-ACTIVERECORD-2960802 - https://snyk.io/vuln/SNYK-RUBY-ACTIVERECORD-3237236 - https://snyk.io/vuln/SNYK-RUBY-ACTIVERECORD-3237239 - https://snyk.io/vuln/SNYK-RUBY-ACTIVESTORAGE-2420035 - https://snyk.io/vuln/SNYK-RUBY-ACTIVESUPPORT-3237242 - https://snyk.io/vuln/SNYK-RUBY-ACTIVESUPPORT-3360028 - https://snyk.io/vuln/SNYK-RUBY-GLOBALID-3237234 - https://snyk.io/vuln/SNYK-RUBY-LOOFAH-3168317 - https://snyk.io/vuln/SNYK-RUBY-LOOFAH-3168318 - https://snyk.io/vuln/SNYK-RUBY-LOOFAH-3168649 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-1293239 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-1726792 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-2413994 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-2620374 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-2630623 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-2630898 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-2840634 - https://snyk.io/vuln/SNYK-RUBY-NOKOGIRI-3052880 - https://snyk.io/vuln/SNYK-RUBY-PUMA-1291014 - https://snyk.io/vuln/SNYK-RUBY-PUMA-1730572 - https://snyk.io/vuln/SNYK-RUBY-PUMA-2400629 - https://snyk.io/vuln/SNYK-RUBY-PUMA-2437090 - https://snyk.io/vuln/SNYK-RUBY-RACK-1061917 - https://snyk.io/vuln/SNYK-RUBY-RACK-2848599 - https://snyk.io/vuln/SNYK-RUBY-RACK-2848600 - https://snyk.io/vuln/SNYK-RUBY-RACK-3237233 - https://snyk.io/vuln/SNYK-RUBY-RACK-3237237 - https://snyk.io/vuln/SNYK-RUBY-RACK-3237240 - https://snyk.io/vuln/SNYK-RUBY-RACK-3356639 - https://snyk.io/vuln/SNYK-RUBY-RACK-3360233 - https://snyk.io/vuln/SNYK-RUBY-RAILS-1567785 - https://snyk.io/vuln/SNYK-RUBY-RAILS-5291540 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-2935879 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-3168316 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-3168646 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-3168647 - https://snyk.io/vuln/SNYK-RUBY-RAILSHTMLSANITIZER-3168648 --- Gemfile.lock | 242 +++++++++++++++++++++++++++------------------------ 1 file changed, 130 insertions(+), 112 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 58f9cc8..a1246d6 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,60 +1,60 @@ GEM remote: https://rubygems.org/ specs: - actioncable (6.1.3.1) - actionpack (= 6.1.3.1) - activesupport (= 6.1.3.1) + actioncable (6.1.7.3) + actionpack (= 6.1.7.3) + activesupport (= 6.1.7.3) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailbox (6.1.3.1) - actionpack (= 6.1.3.1) - activejob (= 6.1.3.1) - activerecord (= 6.1.3.1) - activestorage (= 6.1.3.1) - activesupport (= 6.1.3.1) + actionmailbox (6.1.7.3) + actionpack (= 6.1.7.3) + activejob (= 6.1.7.3) + activerecord (= 6.1.7.3) + activestorage (= 6.1.7.3) + activesupport (= 6.1.7.3) mail (>= 2.7.1) - actionmailer (6.1.3.1) - actionpack (= 6.1.3.1) - actionview (= 6.1.3.1) - activejob (= 6.1.3.1) - activesupport (= 6.1.3.1) + actionmailer (6.1.7.3) + actionpack (= 6.1.7.3) + actionview (= 6.1.7.3) + activejob (= 6.1.7.3) + activesupport (= 6.1.7.3) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 2.0) - actionpack (6.1.3.1) - actionview (= 6.1.3.1) - activesupport (= 6.1.3.1) + actionpack (6.1.7.3) + actionview (= 6.1.7.3) + activesupport (= 6.1.7.3) rack (~> 2.0, >= 2.0.9) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.2.0) - actiontext (6.1.3.1) - actionpack (= 6.1.3.1) - activerecord (= 6.1.3.1) - activestorage (= 6.1.3.1) - activesupport (= 6.1.3.1) + actiontext (6.1.7.3) + actionpack (= 6.1.7.3) + activerecord (= 6.1.7.3) + activestorage (= 6.1.7.3) + activesupport (= 6.1.7.3) nokogiri (>= 1.8.5) - actionview (6.1.3.1) - activesupport (= 6.1.3.1) + actionview (6.1.7.3) + activesupport (= 6.1.7.3) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.1, >= 1.2.0) - activejob (6.1.3.1) - activesupport (= 6.1.3.1) + activejob (6.1.7.3) + activesupport (= 6.1.7.3) globalid (>= 0.3.6) - activemodel (6.1.3.1) - activesupport (= 6.1.3.1) - activerecord (6.1.3.1) - activemodel (= 6.1.3.1) - activesupport (= 6.1.3.1) - activestorage (6.1.3.1) - actionpack (= 6.1.3.1) - activejob (= 6.1.3.1) - activerecord (= 6.1.3.1) - activesupport (= 6.1.3.1) - marcel (~> 1.0.0) - mini_mime (~> 1.0.2) - activesupport (6.1.3.1) + activemodel (6.1.7.3) + activesupport (= 6.1.7.3) + activerecord (6.1.7.3) + activemodel (= 6.1.7.3) + activesupport (= 6.1.7.3) + activestorage (6.1.7.3) + actionpack (= 6.1.7.3) + activejob (= 6.1.7.3) + activerecord (= 6.1.7.3) + activesupport (= 6.1.7.3) + marcel (~> 1.0) + mini_mime (>= 1.1.0) + activesupport (6.1.7.3) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 1.6, < 2) minitest (>= 5.1) @@ -73,84 +73,100 @@ GEM coffee-script-source execjs coffee-script-source (1.12.2) - concurrent-ruby (1.1.8) + concurrent-ruby (1.2.2) crass (1.0.6) + date (3.3.3) dotenv (2.7.6) dotenv-rails (2.7.6) dotenv (= 2.7.6) railties (>= 3.2) - erubi (1.10.0) - execjs (2.7.0) - faraday (1.3.0) - faraday-net_http (~> 1.0) - multipart-post (>= 1.2, < 3) - ruby2_keywords - faraday-net_http (1.0.1) - ffi (1.15.0) - globalid (0.4.2) - activesupport (>= 4.2.0) - i18n (1.8.10) + erubi (1.12.0) + execjs (2.8.1) + faraday (2.7.4) + faraday-net_http (>= 2.0, < 3.1) + ruby2_keywords (>= 0.0.4) + faraday-net_http (3.0.2) + ffi (1.15.5) + globalid (1.1.0) + activesupport (>= 5.0) + i18n (1.12.0) concurrent-ruby (~> 1.0) - jbuilder (2.11.2) + jbuilder (2.11.5) + actionview (>= 5.0.0) activesupport (>= 5.0.0) - jwt (2.2.2) + jwt (2.7.0) listen (3.5.1) rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) - loofah (2.9.0) + loofah (2.20.0) crass (~> 1.0.2) nokogiri (>= 1.5.9) - mail (2.7.1) + mail (2.8.1) mini_mime (>= 0.1.1) - marcel (1.0.1) + net-imap + net-pop + net-smtp + marcel (1.0.2) method_source (1.0.0) - mini_mime (1.0.3) - minitest (5.14.4) + mini_mime (1.1.2) + mini_portile2 (2.8.1) + minitest (5.18.0) minitest-stub_any_instance (1.0.2) msgpack (1.4.2) - multipart-post (2.1.1) - nio4r (2.5.7) - nokogiri (1.11.2-x86_64-darwin) + net-imap (0.3.4) + date + net-protocol + net-pop (0.1.2) + net-protocol + net-protocol (0.2.1) + timeout + net-smtp (0.3.3) + net-protocol + nio4r (2.5.9) + nokogiri (1.14.2) + mini_portile2 (~> 2.8.0) + racc (~> 1.4) + nokogiri (1.14.2-x86_64-darwin) racc (~> 1.4) - puma (5.2.2) + puma (5.6.5) nio4r (~> 2.0) - racc (1.5.2) - rack (2.2.3) - rack-proxy (0.6.5) + racc (1.6.2) + rack (2.2.6.4) + rack-proxy (0.7.6) rack - rack-test (1.1.0) - rack (>= 1.0, < 3) - rails (6.1.3.1) - actioncable (= 6.1.3.1) - actionmailbox (= 6.1.3.1) - actionmailer (= 6.1.3.1) - actionpack (= 6.1.3.1) - actiontext (= 6.1.3.1) - actionview (= 6.1.3.1) - activejob (= 6.1.3.1) - activemodel (= 6.1.3.1) - activerecord (= 6.1.3.1) - activestorage (= 6.1.3.1) - activesupport (= 6.1.3.1) + rack-test (2.1.0) + rack (>= 1.3) + rails (6.1.7.3) + actioncable (= 6.1.7.3) + actionmailbox (= 6.1.7.3) + actionmailer (= 6.1.7.3) + actionpack (= 6.1.7.3) + actiontext (= 6.1.7.3) + actionview (= 6.1.7.3) + activejob (= 6.1.7.3) + activemodel (= 6.1.7.3) + activerecord (= 6.1.7.3) + activestorage (= 6.1.7.3) + activesupport (= 6.1.7.3) bundler (>= 1.15.0) - railties (= 6.1.3.1) + railties (= 6.1.7.3) sprockets-rails (>= 2.0.0) rails-dom-testing (2.0.3) activesupport (>= 4.2.0) nokogiri (>= 1.6) - rails-html-sanitizer (1.3.0) - loofah (~> 2.3) - railties (6.1.3.1) - actionpack (= 6.1.3.1) - activesupport (= 6.1.3.1) + rails-html-sanitizer (1.5.0) + loofah (~> 2.19, >= 2.19.1) + railties (6.1.7.3) + actionpack (= 6.1.7.3) + activesupport (= 6.1.7.3) method_source - rake (>= 0.8.7) + rake (>= 12.2) thor (~> 1.0) - rake (13.0.3) + rake (13.0.6) rb-fsevent (0.10.4) rb-inotify (0.10.1) ffi (~> 1.0) - ruby2_keywords (0.0.4) + ruby2_keywords (0.0.5) sass-rails (6.0.0) sassc-rails (~> 2.1, >= 2.1.1) sassc (2.4.0) @@ -166,66 +182,68 @@ GEM spring-watcher-listen (2.0.1) listen (>= 2.7, < 4.0) spring (>= 1.2, < 3.0) - sprockets (4.0.2) + sprockets (4.2.0) concurrent-ruby (~> 1.0) - rack (> 1, < 3) - sprockets-rails (3.2.2) - actionpack (>= 4.0) - activesupport (>= 4.0) + rack (>= 2.2.4, < 4) + sprockets-rails (3.4.2) + actionpack (>= 5.2) + activesupport (>= 5.2) sprockets (>= 3.0.0) sqlite3 (1.4.2) - thor (1.1.0) - tilt (2.0.10) + thor (1.2.1) + tilt (2.1.0) + timeout (0.3.2) turbolinks (5.2.1) turbolinks-source (~> 5.2) turbolinks-source (5.2.0) - twilio-ruby (5.50.0) - faraday (>= 0.9, < 2.0) - jwt (>= 1.5, <= 2.5) + twilio-ruby (5.75.0) + faraday (>= 0.9, < 3.0) + jwt (>= 1.5, < 3.0) nokogiri (>= 1.6, < 2.0) - tzinfo (2.0.4) + tzinfo (2.0.6) concurrent-ruby (~> 1.0) uglifier (4.2.0) execjs (>= 0.3.0, < 3) - web-console (4.1.0) + web-console (4.2.0) actionview (>= 6.0.0) activemodel (>= 6.0.0) bindex (>= 0.4.0) railties (>= 6.0.0) - webpacker (5.2.1) + webpacker (5.4.4) activesupport (>= 5.2) rack-proxy (>= 0.6.1) railties (>= 5.2) semantic_range (>= 2.3.0) - websocket-driver (0.7.3) + websocket-driver (0.7.5) websocket-extensions (>= 0.1.0) websocket-extensions (0.1.5) - zeitwerk (2.4.2) + zeitwerk (2.6.7) PLATFORMS + ruby x86_64-darwin-19 DEPENDENCIES bcrypt (~> 3.1.13) bootsnap (>= 1.4.6) byebug - coffee-rails (~> 5.0) - dotenv-rails (~> 2.7.5) - jbuilder (~> 2.10) + coffee-rails (~> 5.0, >= 5.0.0) + dotenv-rails (~> 2.7.6) + jbuilder (~> 2.11, >= 2.11.2) listen (~> 3.3) minitest-stub_any_instance - puma (~> 5.0) - rails (~> 6.1.3) - sass-rails (~> 6.0) + puma (~> 5.6, >= 5.6.4) + rails (~> 6.1.7, >= 6.1.7.3) + sass-rails (~> 6.0, >= 6.0.0) spring spring-watcher-listen (~> 2.0.1) sqlite3 turbolinks (~> 5) - twilio-ruby (~> 5.46) + twilio-ruby (~> 5.50, >= 5.50.0) tzinfo-data uglifier (>= 4.2.0) - web-console (>= 4.0.1) + web-console (>= 4.1.0) webpacker BUNDLED WITH - 2.2.13 + 2.1.4