
Update Rails 6.0 to 6.0.4.6 #253

Closed
vladimir-mencl-eresearch opened this issue Mar 7, 2022 · 4 comments · Fixed by #254

Comments

@vladimir-mencl-eresearch (Collaborator)

Hi,

I've just pulled in the recent updates (#249) and got to Rails 6.0.4.4 ... but still get a dependabot alert for CVE-2022-23633 / GHSA-wh98-p28r-vrc9 against actionpack, because for Rails 6.0, it's only fixed in 6.0.4.6.

Not sure whether you already got this alert - if not, might possibly be because the Rails version selector in Gemfile explicitly pins it to 6.0.4.4 - shouldn't that rather be:

    gem 'rails', '>= 6', '< 6.0'

?

Just guessing based on prior use ....

Cheers,
Vlad

@waldofouche (Contributor)

Hi @vladimir-mencl-eresearch, I have checked our dependabot alerts and we did not receive any alerts for those that you mentioned. However, I have fixed up the versioning in #254 and also removed the therubyracer gem as recommended.

Let me know if there are any other changes you recommend, thanks

@vladimir-mencl-eresearch (Collaborator, Author)

Hi @waldofouche ,

Thanks, just looking at #254. I can see that it relaxes the pinning to <6.1 (and removes therubyracer), but does not actually update Rails. When I tried manually running bundler update (actually on saml-service, not reporting-service, but that should not matter) after changing the pinning, it bumped all rails packages from 6.0.4.4 to 6.0.4.6.

Not sure why you don't get the dependabot alert - but the version info in GHSA-wh98-p28r-vrc9 marks 6.0.4.4 as vulnerable and 6.0.4.6 as fixing CVE-2022-23633.

Cheers,
Vlad
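The two points in the thread above are (a) what a Gemfile requirement list actually admits, and (b) whether the versions recorded in Gemfile.lock still fall inside the range the advisory marks as vulnerable. The following Ruby script is an added example, not code from this project or from either commenter; it uses the standard RubyGems `Gem::Requirement` / `Gem::Version` classes and a constructed Gemfile.lock excerpt. The advisory identifiers and the 6.0.4.6 fix version come from the issue text; the `>= 6.0.0` lower bound used to scope the vulnerable range to the 6.0 series is an assumption for the example.

```ruby
require "rubygems"

# Constructed Gemfile.lock excerpt (not the project's real lockfile): the
# state the issue describes, with the Rails 6.0 gems still at 6.0.4.4.
LOCKFILE_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.0.4.4)
        actionview (= 6.0.4.4)
        activesupport (= 6.0.4.4)
      actionview (6.0.4.4)
      activesupport (6.0.4.4)
      rails (6.0.4.4)
LOCK

# Same excerpt after `bundle update rails` bumped the 6.0 series to 6.0.4.6.
LOCKFILE_AFTER = LOCKFILE_BEFORE.gsub("6.0.4.4", "6.0.4.6")

# Advisory data as stated in the issue (CVE-2022-23633 / GHSA-wh98-p28r-vrc9,
# fixed for Rails 6.0 in 6.0.4.6). The ">= 6.0.0" lower bound is an assumption
# that scopes this check to the 6.0 series only.
ADVISORIES = {
  "actionpack" => {
    id: "GHSA-wh98-p28r-vrc9",
    affected: Gem::Requirement.new([">= 6.0.0", "< 6.0.4.6"]),
    fixed: "6.0.4.6",
  },
}.freeze

# Which of the candidate version strings a Gemfile requirement list admits.
# A pin like ["= 6.0.4.4"] admits exactly one version; [">= 6", "< 6.0"]
# admits none, because every 6.x release sorts above 6.0.
def admitted_versions(requirements, candidates)
  req = Gem::Requirement.new(requirements)
  candidates.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# Parse the "specs:" section of a Gemfile.lock. Top-level gems sit at a
# 4-space indent as "name (version)"; their dependencies are indented further
# and carry a requirement operator, so they are skipped.
def locked_versions(lock_text)
  lock_text.each_line.each_with_object({}) do |line, acc|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    acc[m[1]] = Gem::Version.new(m[2]) if m
  end
end

# Report every locked gem whose version falls inside an advisory's
# vulnerable range, with the version that clears it.
def vulnerable_gems(lock_text, advisories = ADVISORIES)
  locked_versions(lock_text).each_with_object([]) do |(name, version), out|
    adv = advisories[name]
    next unless adv && adv[:affected].satisfied_by?(version)
    out << { gem: name, locked: version.to_s, advisory: adv[:id], fixed: adv[:fixed] }
  end
end

if __FILE__ == $PROGRAM_NAME
  candidates = %w[6.0.4.4 6.0.4.6 6.1.0]
  puts "= 6.0.4.4      -> #{admitted_versions(['= 6.0.4.4'], candidates).inspect}"
  puts ">= 6, < 6.0    -> #{admitted_versions(['>= 6', '< 6.0'], candidates).inspect}"
  puts ">= 6, < 6.1    -> #{admitted_versions(['>= 6', '< 6.1'], candidates).inspect}"
  puts "before update  -> #{vulnerable_gems(LOCKFILE_BEFORE).inspect}"
  puts "after update   -> #{vulnerable_gems(LOCKFILE_AFTER).inspect}"
end
```

Running the script against a real lockfile (`vulnerable_gems(File.read("Gemfile.lock"))`) is a cheap CI check that does not depend on whether Dependabot happened to raise an alert for the repository. The `admitted_versions` helper also shows why relaxing the pin alone is not enough: the requirement only widens what Bundler may resolve to, and the locked version stays where it is until `bundle update` rewrites Gemfile.lock.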

@waldofouche (Contributor)

Ah sorry about that! I ran our bin/setup and incorrectly assumed that it would update the gems. I will go back and manually run that to bump all the gems to the correct version!

Thanks for catching that!

@vladimir-mencl-eresearch (Collaborator, Author)

Thanks, all good!
