Bump rexml to v3.3.2 #139

rajraj · 2024-07-17T16:43:37Z

The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as <, 0 and %>.

The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities.

GHSA-4xqq-m2hx-25v8

stevenharman · 2024-07-17T18:54:33Z

letter_opener_web.gemspec

@@ -22,7 +22,7 @@ Gem::Specification.new do |gem|
  gem.add_dependency 'actionmailer', '>= 6.1'
  gem.add_dependency 'letter_opener', '~> 1.9'
  gem.add_dependency 'railties', '>= 6.1'
-  gem.add_dependency 'rexml'
+  gem.add_dependency 'rexml', '~> 3.3.2'


This will lock us to the 3.3.x line, meaning if/when 3.4.x is released, this constraint won't allow folks to upgrade to it. So I think something like this might be better:

Suggested change

gem.add_dependency 'rexml', '~> 3.3.2'

gem.add_dependency 'rexml', '>= 3.3.2'

Though, I also wonder if this is more of a thing that users of this gem should worry about, since they might have specific version needs/constraints for rexml.

🤔💭

Bump rexml to v3.3.2

2ec1aba

stevenharman reviewed Jul 17, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump rexml to v3.3.2 #139

Bump rexml to v3.3.2 #139

rajraj commented Jul 17, 2024

stevenharman Jul 17, 2024

	gem.add_dependency 'rexml', '~> 3.3.2'
	gem.add_dependency 'rexml', '>= 3.3.2'

Bump rexml to v3.3.2 #139

Are you sure you want to change the base?

Bump rexml to v3.3.2 #139

Conversation

rajraj commented Jul 17, 2024

stevenharman Jul 17, 2024

Choose a reason for hiding this comment