
Update Rails dependencies to patch vulnerabilities#12433

Merged
mitchellhenke merged 1 commit into main from mitchellhenke/update-rails7 on Aug 15, 2025

Conversation

@mitchellhenke (Contributor)

🛠 Summary of changes

Addresses:

Name: activerecord
Version: 8.0.2
CVE: CVE-2025-55193
GHSA: GHSA-76r7-hhxj-r776
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-76r7-hhxj-r776
Title: Active Record logging vulnerable to ANSI escape injection
Solution: update to '~> 7.1.5.2', '~> 7.2.2.2', '>= 8.0.2.1'

Name: activestorage
Version: 8.0.2
CVE: CVE-2025-24293
GHSA: GHSA-r4mg-4433-c7g3
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-r4mg-4433-c7g3
Title: Active Storage allowed transformation methods that were potentially unsafe
Solution: update to '~> 7.1.5.2', '~> 7.2.2.2', '>= 8.0.2.1'

Vulnerabilities found!

changelog: Internal, Maintenance, Update Rails dependencies to patch vulnerabilities
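The "Solution" lines in the bundler-audit output above are RubyGems version requirements joined by OR: a gem is patched if its locked version falls inside any one of the listed ranges, and `~> 7.1.5.2` means `>= 7.1.5.2, < 7.1.6`. As an added check (not code from this PR or the Login.gov project), the following Ruby script parses those requirement strings with the standard-library `Gem::Requirement` class and reports which gems in a Gemfile.lock excerpt are still outside every patched range. The lockfile excerpt is constructed for illustration, and the helper names are assumptions of this example.

```ruby
require "rubygems"

# Advisory "Solution" strings as printed by bundler-audit in the PR body.
# Each quoted, comma-separated entry is an alternative patched range.
ADVISORY_SOLUTIONS = {
  "activerecord"  => "'~> 7.1.5.2', '~> 7.2.2.2', '>= 8.0.2.1'", # CVE-2025-55193
  "activestorage" => "'~> 7.1.5.2', '~> 7.2.2.2', '>= 8.0.2.1'", # CVE-2025-24293
}.freeze

# Turn "'~> 7.1.5.2', '>= 8.0.2.1'" into an array of Gem::Requirement objects.
# Note: passing all strings to one Gem::Requirement.new would AND them, which
# is wrong here; the advisory means "any of these ranges".
def parse_solution(solution)
  solution.scan(/'([^']+)'/).flatten.map { |req| Gem::Requirement.new(req) }
end

# True when the version lands inside at least one patched range.
def patched?(version, solution)
  v = Gem::Version.new(version)
  parse_solution(solution).any? { |req| req.satisfied_by?(v) }
end

# Extract "name (version)" pairs from the specs section of a Gemfile.lock.
# Top-level specs are indented four spaces; their dependency lines (six
# spaces, e.g. "      activemodel (= 8.0.2)") are deliberately skipped.
def lock_versions(lock_text)
  lock_text.scan(/^ {4}(\S+) \(([^)]+)\)$/).to_h
end

# Gems from the lockfile that are named in an advisory and still unpatched.
def vulnerable_gems(lock_text, solutions = ADVISORY_SOLUTIONS)
  lock_versions(lock_text).select do |name, version|
    solutions.key?(name) && !patched?(version, solutions[name])
  end
end

# Constructed Gemfile.lock excerpt (not the project's real lockfile); the
# versions match what the PR body reports as vulnerable.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activerecord (8.0.2)
        activemodel (= 8.0.2)
      activestorage (8.0.2)
      activesupport (8.0.2)
LOCK

if $PROGRAM_NAME == __FILE__
  vulnerable_gems(SAMPLE_LOCK).each do |gem_name, version|
    puts "#{gem_name} #{version} is outside every patched range: #{ADVISORY_SOLUTIONS[gem_name]}"
  end
end
```

Running it against the excerpt flags both activerecord 8.0.2 and activestorage 8.0.2; after the bump in this PR the 8.0.x line needs to be at or above 8.0.2.1 to satisfy the last range.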
@mitchellhenke mitchellhenke requested a review from a team August 15, 2025 12:59
@mitchellhenke mitchellhenke merged commit f3f0d24 into main Aug 15, 2025
1 check passed
@mitchellhenke mitchellhenke deleted the mitchellhenke/update-rails7 branch August 15, 2025 13:25
mitchellhenke pushed a commit that referenced this pull request Aug 19, 2025
* LG-16538: sms one account notifications (#12408)

* changelog: Upcoming Features, One Account, Notify users via text message

* add changes

* fix translation error and rubocop

* Reset cookie when validating HTML markup in accessibility test to improve reliability (#12428)

changelog: Internal, Testing, Reset cookie when validating HTML markup in accessibility test to improve reliability

Co-authored-by: Davi (she/they) <davida.marion@gsa.gov>

* Bump libphonenumber-js from 1.12.10 to 1.12.12 (#12431)

Bumps [libphonenumber-js](https://gitlab.com/catamphetamine/libphonenumber-js) from 1.12.10 to 1.12.12.
- [Changelog](https://gitlab.com/catamphetamine/libphonenumber-js/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/catamphetamine/libphonenumber-js/compare/v1.12.10...v1.12.12)

---
updated-dependencies:
- dependency-name: libphonenumber-js
  dependency-version: 1.12.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* Update Rails dependencies to patch vulnerabilities (#12433)

changelog: Internal, Maintenance, Update Rails dependencies to patch vulnerabilities

* Update rubyzip (#12435)

changelog: Internal, Maintenance, Update rubyzip

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Malick Diarra <malick.diarra@gsa.gov>
Co-authored-by: Davi (she/they) <davida.marion@gsa.gov>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>