From 96e1d2f1c1c938f394ccc585bf6b80c62b736545 Mon Sep 17 00:00:00 2001 From: Colt Borg Date: Wed, 15 Sep 2021 13:06:28 -0500 Subject: [PATCH 1/2] Update gem dependencies that have security risks --- Gemfile.lock | 221 ++++++++++++++++++++++++----------------- cfa-styleguide.gemspec | 4 +- 2 files changed, 134 insertions(+), 91 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 229a1ac..834c412 100644 --- a/Gemfile.lock +++ b/Gemfile.lock 
@@ -10,53 +10,71 @@ PATH GEM remote: https://rubygems.org/ specs: - actioncable (5.2.4.5) - actionpack (= 5.2.4.5) + actioncable (5.2.4.6) + actionpack (= 5.2.4.6) nio4r (~> 2.0) websocket-driver (>= 0.6.1) - actionmailer (5.2.4.5) - actionpack (= 5.2.4.5) - actionview (= 5.2.4.5) - activejob (= 5.2.4.5) + actionmailer (5.2.4.6) + actionpack (= 5.2.4.6) + actionview (= 5.2.4.6) + activejob (= 5.2.4.6) mail (~> 2.5, >= 2.5.4) rails-dom-testing (~> 2.0) - actionpack (5.2.4.5) - actionview (= 5.2.4.5) - activesupport (= 5.2.4.5) + actionpack (5.2.4.6) + actionview (= 5.2.4.6) + activesupport (= 5.2.4.6) rack (~> 2.0, >= 2.0.8) rack-test (>= 0.6.3) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.2) - actionview (5.2.4.5) - activesupport (= 5.2.4.5) + actionview (5.2.4.6) + activesupport (= 5.2.4.6) builder (~> 3.1) erubi (~> 1.4) rails-dom-testing (~> 2.0) rails-html-sanitizer (~> 1.0, >= 1.0.3) - activejob (5.2.4.5) - activesupport (= 5.2.4.5) + activejob (5.2.4.6) + activesupport (= 5.2.4.6) globalid (>= 0.3.6) - activemodel (5.2.4.5) - activesupport (= 5.2.4.5) - activerecord (5.2.4.5) - activemodel (= 5.2.4.5) - activesupport (= 5.2.4.5) + activemodel (5.2.4.6) + activesupport (= 5.2.4.6) + activerecord (5.2.4.6) + activemodel (= 5.2.4.6) + activesupport (= 5.2.4.6) arel (>= 9.0) - activestorage (5.2.4.5) - actionpack (= 5.2.4.5) - activerecord (= 5.2.4.5) + activestorage (5.2.4.6) + actionpack (= 5.2.4.6) + activerecord (= 5.2.4.6) marcel (~> 0.3.1) - activesupport (5.2.4.5) + activesupport (5.2.4.6) concurrent-ruby (~> 1.0, >= 1.0.2) i18n (>= 0.7, < 2) minitest (~> 5.1) tzinfo (~> 1.1) - addressable (2.7.0) + addressable (2.8.0) public_suffix (>= 2.0.2, < 5.0) arel (9.0.0) - ast (2.4.1) - autoprefixer-rails (10.2.4.0) - execjs + ast (2.4.2) + async (1.30.1) + console (~> 1.10) + nio4r (~> 2.3) + timers (~> 4.1) + async-http (0.56.5) + async (>= 1.25) + async-io (>= 1.28) + async-pool (>= 0.2) + protocol-http (~> 0.22.0) + protocol-http1 (~> 
0.14.0) + protocol-http2 (~> 0.14.0) + async-http-faraday (0.11.0) + async-http (~> 0.42) + faraday + async-io (1.32.2) + async + async-pool (0.3.8) + async (>= 1.25) + autoprefixer-rails (10.3.3.0) + execjs (~> 2) axe-core-api (4.2.1) capybara dumb_delegator @@ -71,17 +89,17 @@ GEM descendants_tracker (~> 0.0.4) ice_nine (~> 0.11.0) thread_safe (~> 0.3, >= 0.3.1) - bourbon (6.0.0) - thor (~> 0.19) + bourbon (7.0.0) + thor (~> 1.0) builder (3.2.4) byebug (11.1.3) - capybara (3.33.0) + capybara (3.35.3) addressable mini_mime (>= 0.1.3) nokogiri (~> 1.8) rack (>= 1.6.0) rack-test (>= 0.6.3) - regexp_parser (~> 1.5) + regexp_parser (>= 1.5, < 3.0) xpath (~> 3.2) capybara-selenium (0.0.6) capybara @@ -90,7 +108,9 @@ GEM coderay (1.1.3) coercible (1.0.0) descendants_tracker (~> 0.0.1) - concurrent-ruby (1.1.8) + concurrent-ruby (1.1.9) + console (1.13.1) + fiber-local crass (1.0.6) descendants_tracker (0.0.4) thread_safe (~> 0.3, >= 0.3.1) 
@@ -98,26 +118,42 @@ GEM dotenv (2.7.6) dumb_delegator (1.0.0) erubi (1.10.0) - execjs (2.7.0) - faraday (1.3.0) + execjs (2.8.1) + faraday (1.7.2) + faraday-em_http (~> 1.0) + faraday-em_synchrony (~> 1.0) + faraday-excon (~> 1.1) + faraday-httpclient (~> 1.0.1) faraday-net_http (~> 1.0) + faraday-net_http_persistent (~> 1.1) + faraday-patron (~> 1.0) + faraday-rack (~> 1.0) multipart-post (>= 1.2, < 3) - ruby2_keywords + ruby2_keywords (>= 0.0.4) + faraday-em_http (1.0.0) + faraday-em_synchrony (1.0.0) + faraday-excon (1.1.0) faraday-http-cache (2.2.0) faraday (>= 0.8) + faraday-httpclient (1.0.1) faraday-net_http (1.0.1) - ffi (1.13.1) - gem-release (2.2.1) - github_changelog_generator (1.15.2) + faraday-net_http_persistent (1.2.0) + faraday-patron (1.0.0) + faraday-rack (1.0.0) + ffi (1.15.4) + fiber-local (1.0.0) + gem-release (2.2.2) + github_changelog_generator (1.16.4) activesupport + async (>= 1.25.0) + async-http-faraday faraday-http-cache multi_json octokit (~> 4.6) rainbow (>= 2.2.1) rake (>= 10.0) - retriable (~> 3.0) - globalid (0.4.2) - activesupport (>= 4.2.0) + globalid (0.5.2) + activesupport (>= 5.0) i18n (1.8.10) concurrent-ruby (~> 1.0) ice_nine (0.11.2) @@ -126,7 +162,7 @@ GEM rails-dom-testing (>= 1, < 3) railties (>= 4.2.0) thor (>= 0.14, < 2.0) - loofah (2.9.0) + loofah (2.12.0) crass (~> 1.0.2) nokogiri (>= 1.5.9) mail (2.7.1) 
@@ -137,24 +173,31 @@ GEM mimemagic (0.3.10) nokogiri (~> 1) rake - mini_mime (1.0.3) - mini_portile2 (2.5.0) + mini_mime (1.1.1) + mini_portile2 (2.6.1) minitest (5.14.4) multi_json (1.15.0) multipart-post (2.1.1) - nio4r (2.5.7) - nokogiri (1.11.2) - mini_portile2 (~> 2.5.0) + nio4r (2.5.8) + nokogiri (1.12.4) + mini_portile2 (~> 2.6.1) racc (~> 1.4) - octokit (4.20.0) + octokit (4.21.0) faraday (>= 0.9) sawyer (~> 0.8.0, >= 0.5.3) - parallel (1.20.0) - parser (2.7.2.0) + parallel (1.21.0) + parser (3.0.2.0) ast (~> 2.4.1) percy-capybara (5.0.0) capybara (>= 3) - powerpack (0.1.2) + powerpack (0.1.3) + protocol-hpack (1.4.2) + protocol-http (0.22.5) + protocol-http1 (0.14.2) + protocol-http (~> 0.22) + protocol-http2 (0.14.2) + protocol-hpack (~> 1.4) + protocol-http (~> 0.18) pry (0.13.1) coderay (~> 1.1) method_source (~> 1.0) 
@@ -166,58 +209,57 @@ GEM rack (2.2.3) rack-test (1.1.0) rack (>= 1.0, < 3) - rails (5.2.4.5) - actioncable (= 5.2.4.5) - actionmailer (= 5.2.4.5) - actionpack (= 5.2.4.5) - actionview (= 5.2.4.5) - activejob (= 5.2.4.5) - activemodel (= 5.2.4.5) - activerecord (= 5.2.4.5) - activestorage (= 5.2.4.5) - activesupport (= 5.2.4.5) + rails (5.2.4.6) + actioncable (= 5.2.4.6) + actionmailer (= 5.2.4.6) + actionpack (= 5.2.4.6) + actionview (= 5.2.4.6) + activejob (= 5.2.4.6) + activemodel (= 5.2.4.6) + activerecord (= 5.2.4.6) + activestorage (= 5.2.4.6) + activesupport (= 5.2.4.6) bundler (>= 1.3.0) - railties (= 5.2.4.5) + railties (= 5.2.4.6) sprockets-rails (>= 2.0.0) rails-dom-testing (2.0.3) activesupport (>= 4.2.0) nokogiri (>= 1.6) - rails-html-sanitizer (1.3.0) + rails-html-sanitizer (1.4.2) loofah (~> 2.3) - railties (5.2.4.5) - actionpack (= 5.2.4.5) - activesupport (= 5.2.4.5) + railties (5.2.4.6) + actionpack (= 5.2.4.6) + activesupport (= 5.2.4.6) method_source rake (>= 0.8.7) thor (>= 0.19.0, < 2.0) rainbow (3.0.0) - rake (13.0.3) - rb-fsevent (0.10.4) + rake (13.0.6) + rb-fsevent (0.11.0) rb-inotify (0.10.1) ffi (~> 1.0) - regexp_parser (1.8.2) - retriable (3.1.2) + regexp_parser (2.1.1) rspec (3.10.0) rspec-core (~> 3.10.0) rspec-expectations (~> 3.10.0) rspec-mocks (~> 3.10.0) - rspec-core (3.10.0) + rspec-core (3.10.1) rspec-support (~> 3.10.0) - rspec-expectations (3.10.0) + rspec-expectations (3.10.1) diff-lcs (>= 1.2.0, < 2.0) rspec-support (~> 3.10.0) - rspec-mocks (3.10.0) + rspec-mocks (3.10.2) diff-lcs (>= 1.2.0, < 2.0) rspec-support (~> 3.10.0) - rspec-rails (4.0.1) - actionpack (>= 4.2) - activesupport (>= 4.2) - railties (>= 4.2) - rspec-core (~> 3.9) - rspec-expectations (~> 3.9) - rspec-mocks (~> 3.9) - rspec-support (~> 3.9) - rspec-support (3.10.0) + rspec-rails (5.0.2) + actionpack (>= 5.2) + activesupport (>= 5.2) + railties (>= 5.2) + rspec-core (~> 3.10) + rspec-expectations (~> 3.10) + rspec-mocks (~> 3.10) + rspec-support (~> 3.10) 
+ rspec-support (3.10.2) rspec_junit_formatter (0.4.1) rspec-core (>= 2, < 4, != 2.12.0) rubocop (0.64.0) @@ -228,9 +270,9 @@ GEM rainbow (>= 2.2.2, < 4.0) ruby-progressbar (~> 1.7) unicode-display_width (~> 1.4.0) - ruby-progressbar (1.10.1) - ruby2_keywords (0.0.4) - rubyzip (2.3.0) + ruby-progressbar (1.11.0) + ruby2_keywords (0.0.5) + rubyzip (2.3.2) sass (3.7.4) sass-listen (~> 4.0.0) sass-listen (4.0.0) @@ -257,9 +299,10 @@ GEM actionpack (>= 4.0) activesupport (>= 4.0) sprockets (>= 3.0.0) - thor (0.20.3) + thor (1.1.0) thread_safe (0.3.6) tilt (2.0.10) + timers (4.3.3) tzinfo (1.2.9) thread_safe (~> 0.1) uglifier (4.2.0) @@ -272,7 +315,7 @@ GEM watir (6.19.1) regexp_parser (>= 1.2, < 3) selenium-webdriver (>= 3.142.7) - websocket-driver (0.7.3) + websocket-driver (0.7.5) websocket-extensions (>= 0.1.0) websocket-extensions (0.1.5) xpath (3.2.0) @@ -283,7 +326,7 @@ PLATFORMS DEPENDENCIES axe-core-rspec (~> 4.2.1) - bundler (~> 1.16) + bundler (~> 2.2.19) capybara capybara-selenium cfa-styleguide! @@ -293,7 +336,7 @@ DEPENDENCIES percy-capybara (~> 5.0.0) pry-byebug rack (>= 2.0.8) - rails (~> 5.2.4.5) + rails (~> 5.2.4.6) rake (>= 12.3.3) rspec rspec-rails @@ -307,4 +350,4 @@ RUBY VERSION ruby 2.5.3p105 BUNDLED WITH - 1.17.3 + 2.2.19 diff --git a/cfa-styleguide.gemspec b/cfa-styleguide.gemspec index bcc0b80..dfaf1c8 100644 --- a/cfa-styleguide.gemspec +++ b/cfa-styleguide.gemspec @@ -37,7 +37,7 @@ Gem::Specification.new do |spec| spec.add_runtime_dependency "jquery-rails" spec.add_runtime_dependency "sass" spec.add_development_dependency "axe-core-rspec", "~> 4.2.1" - spec.add_development_dependency "bundler", "~> 1.16" + spec.add_development_dependency "bundler", "~> 2.2.19" spec.add_development_dependency "capybara" spec.add_development_dependency "capybara-selenium" spec.add_development_dependency "dotenv" 
@@ -45,7 +45,7 @@ Gem::Specification.new do |spec| spec.add_development_dependency "github_changelog_generator" spec.add_development_dependency "percy-capybara", "~> 5.0.0" spec.add_development_dependency "pry-byebug" - spec.add_development_dependency "rails", "~> 5.2.4.5" + spec.add_development_dependency "rails", "~> 5.2.4.6" spec.add_development_dependency "rake", ">= 12.3.3" spec.add_development_dependency "rspec" spec.add_development_dependency "rspec-rails" From 8f415e69a0429fca8342d6b8090a78cfa6e25035 Mon Sep 17 00:00:00 2001 From: Colt Borg Date: Wed, 15 Sep 2021 15:54:53 -0500 Subject: [PATCH 2/2] Make circleci use bundler from gemlock file --- .circleci/config.yml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/.circleci/config.yml b/.circleci/config.yml index 20b9e2a..0b3fe94 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -19,6 +19,12 @@ jobs: command: | curl -sSL "https://nodejs.org/dist/v14.15.0/node-v14.15.0-linux-x64.tar.xz" | sudo tar --strip-components=2 -xJ -C /usr/local/bin/ node-v14.15.0-linux-x64/bin/node curl https://www.npmjs.com/install.sh | sudo bash + - run: + name: "Configure Bundler" + command: | + echo 'export BUNDLER_VERSION=$(cat Gemfile.lock | tail -1 | tr -d " ")' >> $BASH_ENV + source $BASH_ENV + gem install bundler - restore_cache: keys: - v1-bundler-{{ checksum "Gemfile.lock" }} @@ -43,6 +49,12 @@ jobs: <<: *defaults steps: - checkout + - run: + name: "Configure Bundler" + command: | + echo 'export BUNDLER_VERSION=$(cat Gemfile.lock | tail -1 | tr -d " ")' >> $BASH_ENV + source $BASH_ENV + gem install bundler - restore_cache: keys: - v1-bundler-{{ checksum "Gemfile.lock" }} 
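Review bot: `gem install bundler` at the end of the new "Configure Bundler" step ignores the `BUNDLER_VERSION` the step has just exported, so the runner installs whatever bundler is newest on rubygems.org rather than the 2.2.19 recorded under `BUNDLED WITH`; as far as I can tell the RubyGems `bundle` shim only switches to the locked version when that version is actually installed, so the pin is not enforced and the CI build is not reproducible. Pass the computed version explicitly: `gem install bundler -v "$BUNDLER_VERSION"`. `tail -1` also yields an empty version if the lockfile ever ends with a blank line; keying on the section header, `echo 'export BUNDLER_VERSION=$(grep -A1 "^BUNDLED WITH" Gemfile.lock | tail -n 1 | tr -d " ")' >> $BASH_ENV`, is sturdier and drops the useless `cat`. The same six lines are added again in the `@@ -43,6 +49,12 @@` hunk on this line and in the `@@ -61,6 +73,12 @@` hunk that follows; a YAML anchor in the style of the existing `<<: *defaults` would keep the step defined once so a later fix cannot miss a copy.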
@@ -61,6 +73,12 @@ jobs: command: | curl -sSL "https://nodejs.org/dist/v14.15.0/node-v14.15.0-linux-x64.tar.xz" | sudo tar --strip-components=2 -xJ -C /usr/local/bin/ node-v14.15.0-linux-x64/bin/node curl https://www.npmjs.com/install.sh | sudo bash + - run: + name: "Configure Bundler" + command: | + echo 'export BUNDLER_VERSION=$(cat Gemfile.lock | tail -1 | tr -d " ")' >> $BASH_ENV + source $BASH_ENV + gem install bundler - restore_cache: keys: - v1-bundler-{{ checksum "Gemfile.lock" }}