[RAILS] Response to Github vulnerability alerts

Purpose of the article

Since I am a beginner, I would appreciate it if you could point out any mistakes. I am posting this as a memo for myself and as a way to output what I learned. Even as a beginner, I want to help even a little.

Notification from Github (by email)


The notification says to update actionview to 6.0.3.3 because the current version has a security vulnerability. Note that the notification points at Gemfile.lock, but Gemfile.lock is a file that Bundler creates and updates automatically, so developers should not edit it by hand (quoted from the Cherry book, p. 430). If you want to change a version, edit the Gemfile.

Alert information on Github


Here again it says to update actionview to 6.0.3.3.

Response

I referred to this article: https://qiita.com/Nash-BETA/items/0d4e876cf9460778b985 However, actionview is not in my Gemfile, so I can't fix it there.

I referred to this article: https://reasonable-code.com/github-security-alert/ Even when I followed its instructions and ran the update below, the version stayed the same. I couldn't change it to 6.0.3.3.

$ bundle update actionview
Bundler attempted to update actionview but its version stayed the same
Bundle updated!
https://reasonable-code.com/github-security-alert/

See the teratail answers below: https://teratail.com/questions/249997  https://teratail.com/questions/240417 They say that to change actionview, you need to change the version of the rails gem itself.

Here is the hint for the solution!! Raise the version of the rails gem, which depends on actionview.

Change

gem 'rails', '~> 6.0.3', '>= 6.0.3.2'

to

gem 'rails', '~> 6.0.3', '>= 6.0.3.3'

and run bundle update.

$ bundle update
Fetching gem metadata from https://rubygems.org/............
Fetching gem metadata from https://rubygems.org/.
Resolving dependencies...........
Using actionview 6.0.3.3 (was 6.0.3.2)

It looks like it was changed to 6.0.3.3. Check Gemfile.lock.

actionview (= 6.0.3.3)

I was able to change it safely!! The alert on GitHub has also disappeared.
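As an added example (not code from the original post), here is a small Ruby script that reads a Gemfile.lock, checks whether a transitive gem such as actionview is still locked below the version the alert names as fixed, and lists which locked gems pull it in, so you know which gem to bump in the Gemfile. The lockfile excerpt and the fixed version are constructed to mirror the alert in this post.

```ruby
require "rubygems" # Gem::Version, for comparing versions like 6.0.3.2 < 6.0.3.3

# Constructed Gemfile.lock excerpt (not the author's file); only the gems needed
# to show the rails -> actionview chain are kept.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.0.3.2)
        actionview (= 6.0.3.2)
        activesupport (= 6.0.3.2)
      actionview (6.0.3.2)
        activesupport (= 6.0.3.2)
      activesupport (6.0.3.2)
      rails (6.0.3.2)
        actionpack (= 6.0.3.2)
        actionview (= 6.0.3.2)
        activesupport (= 6.0.3.2)

  DEPENDENCIES
    rails (~> 6.0.3, >= 6.0.3.2)
LOCK

# Parse the "specs:" block: a 4-space-indented "name (version)" line starts a
# spec and each 6-space-indented line below it is one of that spec's dependencies.
# Returns { name => { version: String, deps: [String] } }.
def parse_specs(lock_text)
  specs, current, in_specs = {}, nil, false
  lock_text.each_line do |line|
    (in_specs = true; next) if line =~ /^\s+specs:/
    break if in_specs && line.strip.empty? # blank line closes the GEM section
    next unless in_specs
    if (m = line.match(/^    (\S+) \(([^)]+)\)$/))
      current = m[1]
      specs[current] = { version: m[2], deps: [] }
    elsif current && (m = line.match(/^      (\S+)/))
      specs[current][:deps] << m[1]
    end
  end
  specs
end

# True when the locked version is older than the version the alert says is fixed.
def vulnerable?(specs, gem_name, fixed_in)
  return false unless (spec = specs[gem_name])
  Gem::Version.new(spec[:version]) < Gem::Version.new(fixed_in)
end

# Locked gems that depend on gem_name: the ones whose version must be raised.
def parents_of(specs, gem_name)
  specs.select { |_, s| s[:deps].include?(gem_name) }.keys.sort
end

specs = parse_specs(SAMPLE_LOCK)
puts "actionview #{specs["actionview"][:version]} below fix: #{vulnerable?(specs, "actionview", "6.0.3.3")}"
puts "pulled in by: #{parents_of(specs, "actionview").join(", ")}"
```

Run it against your real lockfile with `parse_specs(File.read("Gemfile.lock"))`; if the parent list contains only gems that are themselves dependencies of rails, raising the rails version in the Gemfile is what moves actionview.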
