[Snyk] Security upgrade rexml from 3.4.1 to 3.4.2#299
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-RUBY-REXML-12878608
There was a problem hiding this comment.
Pull Request Overview
This PR upgrades the rexml gem from version 3.4.1 to 3.4.2 to fix a medium-severity security vulnerability related to XML Entity Expansion (CVE SNYK-RUBY-REXML-12878608). The change prevents improper restriction of recursive entity references in DTDs.
- Updates the rexml gem version constraint to require version 3.4.2 or higher
- Addresses a security vulnerability with a score of 50/1000 related to XML parsing
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
🎉 Snyk checks have passed. No issues have been found so far.✅ security/snyk check is complete. No issues have been found. (View Details) ✅ code/snyk check is complete. No issues have been found. (View Details) |
github-actions
Bot
added
AnyChange
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
Codex Review: Here are some suggestions.
About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you open a pull request for review, mark a draft as ready, or comment "@codex review". If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex fix this CI failure" or "@codex address that feedback".
| gem 'resolv-replace' | ||
| gem 'rexml' | ||
| gem 'rexml', '>= 3.4.2' |
There was a problem hiding this comment.
[P1] Update Gemfile.lock alongside rexml version bump
The Gemfile now requires gem 'rexml', '>= 3.4.2' but the checked‑in Gemfile.lock still pins rexml (3.4.1). On any CI/deployment that installs gems with bundle install --deployment/--frozen, the version mismatch causes bundler to abort and the security upgrade is not actually applied. Regenerate and commit the lock file with rexml 3.4.2 so the dependency constraint and lock stay in sync.
Useful? React with 👍 / 👎.
|
Snyk has created this PR to fix 1 vulnerabilities in the rubygems dependencies of this project.
Snyk changed the following file(s):
GemfileVulnerabilities that will be fixed with an upgrade:
SNYK-RUBY-REXML-12878608
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.