Patching vulnerabilities | esbuild, net-imap #450
Conversation
app/Dockerfile
Outdated
gem uninstall -i /usr/local/lib/ruby/gems/3.3.0 rexml | ||
gem uninstall -i /usr/local/lib/ruby/gems/3.3.0 rexml && \ | ||
gem uninstall -i /usr/local/lib/ruby/gems/3.3.0 net-imap || true && \ | ||
gem install net-imap -v 0.4.19 |
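Review bot: the `gem install net-imap -v 0.4.19` on the last line of this hunk installs the gem outside of bundler, so the version the app actually loads under `bundle exec` is still whatever Gemfile.lock resolves; if the lockfile already pins 0.4.19 the line is redundant, and if it does not, the line fixes nothing at runtime. Prefer bumping the lockfile (`bundle update net-imap`) and letting `bundle install` in the Dockerfile do the work. Separately, `gem uninstall ... net-imap || true && \` only behaves as intended because the shell evaluates `||` and `&&` left to right with equal precedence; if the uninstall is kept, write it as `(gem uninstall ... net-imap || true) && \` so the intent is explicit.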
I wonder if it works without the gem install here?
I think we can do away with all of this.
app/Gemfile
Outdated
@@ -72,6 +72,7 @@ gem "stackprof" | |||
gem "rexml", "~> 3.3.9" | |||
gem "gpgme", "~> 2.0", ">= 2.0.12" | |||
gem "pdf-reader", "~> 2.12.0" | |||
gem "net-imap", "~> 0.4.19" # Fixing CVE-2025-25186 |
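Review bot: the `~> 0.4.19` constraint on the added `net-imap` line caps the gem below 0.5.0, which is tighter than a security fix needs; `>= 0.4.19` expresses the actual requirement (the patched release as a floor) without blocking the next minor series, and it keeps bundler free to follow the lockfile once the lockfile pins 0.4.19. The `# Fixing CVE-2025-25186` comment is useful as provenance, but it will read as stale once the resolved version moves past 0.4.19; if it stays, pair it with the `>=` floor so the constraint and the comment keep saying the same thing.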
Probably shouldn't need to do this - the updated version in the lock file should be sufficient.
Okay, interesting. So the net-imap entry here doesn't result in the Gemfile.lock being updated? I thought the lock file was dependent on the contents of the Gemfile.
I think Gemfile.lock will bump for version drift at the moment bundle install is run. ~> I believe implies minor version drift.
Gotcha! Yeah, let's pin this version.
bundle update will update every gem in the lockfile to the most recent version that satisfies all constraints. Since there wasn't previously a constraint for this gem, I would have expected bundle update net-imap to have upgraded its version to 0.4.19 in the lockfile. (Sometimes, there are constraints in the dependencies of other gems that may prevent bundler from doing an upgrade like that, though.)

Also, side note, but when upgrading for security reasons, we should use >= rather than ~>, since ~> 0.4.19 means "allow versions 0.4.x". We don't have the need to actually prevent an upgrade to 0.5 of this gem, hence >= 0.4.19 being slightly preferable.
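The two questions in the thread above (what `~> 0.4.19` versus `>= 0.4.19` actually permit, and whether the lockfile carries the patched version) can be checked mechanically. The script below is an added example written for this page, not code from this repository: it evaluates Gemfile requirement strings with RubyGems' own `Gem::Requirement`, and reads the resolved version of a gem out of a Gemfile.lock. The `SAMPLE_LOCK` fragment is constructed for the example and is not the project's real lockfile; the helper names are this example's, not bundler's.

```ruby
require "rubygems"

# Evaluate a Gemfile requirement string (e.g. "~> 0.4.19") against candidate
# versions using RubyGems' own requirement semantics.
# Returns { "version" => true/false } (true = the requirement allows it).
def allowed_versions(requirement, candidates)
  req = Gem::Requirement.new(requirement)
  candidates.to_h { |v| [v, req.satisfied_by?(Gem::Version.new(v))] }
end

# Pull the resolved version of one gem out of Gemfile.lock text.
# Resolved gems sit under "specs:" as 4-space-indented "name (version)" lines;
# their dependencies are indented deeper and are deliberately not matched.
def locked_version(lockfile_text, gem_name)
  in_specs = false
  lockfile_text.each_line do |line|
    in_specs = true if line.strip == "specs:"
    in_specs = false if line =~ /\A[A-Z]/ # new top-level section (GEM, PLATFORMS, ...)
    next unless in_specs
    if (m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/))
      return m[1]
    end
  end
  nil
end

# True when the lockfile does not prove the gem is at or above the fixed release.
# A gem missing from the lockfile is treated as not fixed (cannot prove otherwise).
def lockfile_vulnerable?(lockfile_text, gem_name, fixed_version)
  v = locked_version(lockfile_text, gem_name)
  return true if v.nil?
  Gem::Version.new(v) < Gem::Version.new(fixed_version)
end

# Constructed sample lockfile fragment for this example (not the project's Gemfile.lock).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      net-imap (0.4.18)
        date
        net-protocol
      net-protocol (0.2.2)
        timeout
      rexml (3.3.9)
        strscan

  PLATFORMS
    ruby
LOCK

if $PROGRAM_NAME == __FILE__
  candidates = %w[0.4.18 0.4.19 0.4.20 0.5.0]
  p allowed_versions("~> 0.4.19", candidates)   # 0.5.0 is excluded
  p allowed_versions(">= 0.4.19", candidates)   # 0.5.0 is allowed
  p locked_version(SAMPLE_LOCK, "net-imap")     # what bundler will actually load
  p lockfile_vulnerable?(SAMPLE_LOCK, "net-imap", "0.4.19")
end
```

Run it against a real checkout by replacing `SAMPLE_LOCK` with `File.read("app/Gemfile.lock")`; the lockfile check is the one that matters for the container, since `bundle install` resolves from Gemfile.lock regardless of any `gem install` done by hand in the Dockerfile.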
…e actually not using since the current ruby version is 3.3.5
…ow-use-new-database * origin/main: FFS-2408: Rename site_id to client_agency_id (#446) FFS-2351: Change calculation of account_count to be correct in filed events (#445) Patching vulnerabilities | esbuild, net-imap (#450) Address vulnerability (#443) fix: upgrade postcss from 8.5.0 to 8.5.1 (#441) fix: upgrade sass from 1.83.2 to 1.83.4 (#440) 2401: Use different syntax (#437) updated tests for clarity fixed typo cleaned up based on PR comments removed trailing whitespace/rubocop fixes wrapped token creation for users.rake in a transaction, added test assertion to assure that the user api_access_tokens.count only changes by a factor of 1 updated vitest to v 3.0.5 address failed security scan rename vitest add github action fixed postcss build error added .vitest to git ignore updated package.json to use module setup project to work with vitest and debugging remove employer_search.spec comment out test write test scripts for pinwheel.js update apiservice to fetchInternalApiService for clarity refactored fetch into its own file refactored code to be a little more self evident remove outdated snapshots comment refactored api calls with tests added tests for trackUserAction api call move trackUserAction out of pinwheel into analytics file minor changes stub for employersearch test installed vitest
Ticket
Resolves FFS-XXXX.
Changes
Context for reviewers
Acceptance testing
:alert: Deploy block! @ffs-eng I just merged PR [#123] and will be doing acceptance testing in demo - please don't deploy until I'm finished!