[Ruby] How to resolve a MiniMagick vulnerability alert on GitHub

less than 1 minute read

Phenomenon

When I pushed a Rails app to GitHub, I received an alert email about a vulnerability in mini_magick. This is a memo of the steps I took to resolve it.

Problems and causes

The installed version of mini_magick is old, and in those versions the file name of a fetched remote image can lead to remote command execution (CVE-2019-13574: `MiniMagick::Image.open` passed its argument to `Kernel#open`, which treats a leading `|` as a command to run). The fix is to upgrade to a patched version.

Edit the Gemfile

Gemfile (before)

```ruby
gem 'mini_magick', '3.8.0'
```

The project was on MiniMagick 3.8.0. Change the constraint so that Bundler installs 4.9.4 or later, as the alert suggests.

Gemfile (after)

```ruby
gem 'mini_magick', '>= 4.9.4'
```

With this edit, `bundle install` re-resolves mini_magick to 4.9.4 or later because the locked 3.8.0 no longer satisfies the requirement. Note that 3.8 to 4.x crosses a major version, so check the MiniMagick changelog for API changes in any code that calls it.

Run bundle install

```shell
bundle install
```

Confirm that the locked version actually changed, for example with `bundle show mini_magick` or by looking at the mini_magick entry in Gemfile.lock, then exercise the app's image-processing paths to make sure nothing broke. GitHub reads the dependency versions from the committed Gemfile.lock, so commit both the Gemfile and the updated Gemfile.lock. After I pushed them, the alert disappeared!
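To make the "check that the version changed" step concrete, here is an added example (not part of the original post and not MiniMagick's own code) that reads a Gemfile.lock and reports whether the locked mini_magick is still below 4.9.4. It relies only on the standard `Gem::Version` comparison; the two lockfile snippets embedded in it are constructed for illustration, and the file name `check_mini_magick.rb` is assumed.

```ruby
# Added example, not code from the original post: check the Gemfile.lock for
# the mini_magick version Bundler actually installed, and report whether it is
# still below the release the GitHub alert asks for (4.9.4).
# Run from a project root: ruby check_mini_magick.rb [path/to/Gemfile.lock]
require "rubygems"

GEM_NAME      = "mini_magick"
FIXED_VERSION = Gem::Version.new("4.9.4")

# Constructed sample lockfiles (not taken from any real project), showing the
# state before and after the Gemfile edit described in the post.
SAMPLE_LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_magick (3.8.0)
        subexec (~> 0.2.1)
      subexec (0.2.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    mini_magick (= 3.8.0)
LOCK

SAMPLE_LOCK_AFTER = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mini_magick (4.9.5)

  PLATFORMS
    ruby

  DEPENDENCIES
    mini_magick (>= 4.9.4)
LOCK

# Return the locked version of gem_name as a Gem::Version, or nil when the gem
# is absent. Direct entries in the specs block are indented exactly four
# spaces ("    mini_magick (3.8.0)"); their own dependencies are indented six
# and carry requirements rather than versions, and the DEPENDENCIES section is
# indented two, so anchoring on four spaces keeps both out.
def locked_version(lockfile_text, gem_name = GEM_NAME)
  pattern = /\A {4}#{Regexp.escape(gem_name)} \(([^\s)-]+)/
  lockfile_text.each_line do |line|
    if (m = pattern.match(line))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# True when the lockfile pins mini_magick to a release older than the fix.
def vulnerable?(lockfile_text)
  version = locked_version(lockfile_text)
  !version.nil? && version < FIXED_VERSION
end

# One-line human-readable verdict for a lockfile.
def report(lockfile_text)
  version = locked_version(lockfile_text)
  if version.nil?
    "#{GEM_NAME} is not in this Gemfile.lock"
  elsif version < FIXED_VERSION
    "#{GEM_NAME} #{version} is locked; upgrade to >= #{FIXED_VERSION}"
  else
    "#{GEM_NAME} #{version} is locked; at or above #{FIXED_VERSION}"
  end
end

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0] || "Gemfile.lock"
  # Without a real lockfile, fall back to the constructed samples so the
  # script still demonstrates both outcomes.
  if File.exist?(path)
    puts report(File.read(path))
  else
    puts "before: " + report(SAMPLE_LOCK_BEFORE)
    puts "after:  " + report(SAMPLE_LOCK_AFTER)
  end
end
```

The script inspects Gemfile.lock rather than the Gemfile on purpose: the Gemfile only states a requirement, while the lockfile records what was really installed, which is also what GitHub's alert is evaluated against.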