
Update rails to 6.0.4.6 and puma to 5.6.2 #8817

Merged
andreslucena merged 2 commits into decidim:develop from i-need-another-coffee:ale-security-upgrade
Feb 15, 2022

Conversation

@alecslupu (Contributor)

🎩 What? Why?

This PR locks rails to 6.0.4.6 and puma 5.6.2 to mitigate

📋 Checklist

🚨 Please review the guidelines for contributing to this repository.

  • CONSIDER adding a unit test if your PR resolves an issue.
  • ✔️ DO check open PR's to avoid duplicates.
  • ✔️ DO keep pull requests small so they can be easily reviewed.
  • ✔️ DO build locally before pushing.
  • ✔️ DO make sure tests pass.
  • ✔️ DO make sure any new changes are documented in docs/.
  • ✔️ DO add and modify seeds if necessary.
  • ✔️ DO add CHANGELOG upgrade notes if required.
  • ✔️ DO add to GraphQL API if there are new public fields.
  • ✔️ DO add link to MetaDecidim if it's a new feature.
  • AVOID breaking the continuous integration build.
  • AVOID making significant changes to the overall architecture.

📷 Screenshots

Please add screenshots of the changes you're proposing
Description

♥️ Thank you!

@alecslupu alecslupu added the labels team: security and type: internal (PRs that aren't necessary to add to the CHANGELOG for implementers) Feb 15, 2022
roxanaopr previously approved these changes Feb 15, 2022
@andreslucena (Member)

Thanks for taking care of this @alecslupu!

@andreslucena (Member)

Codeclimate says that there are some issues to fix:

[image]

But running bundle audit locally, I can't see any of those issues, so I'm merging this, so we can see if dependabot catches these. Thanks again for this one @alecslupu
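Added example, not code from the Decidim repository or from this PR: a small Ruby check that a `Gemfile.lock` actually resolves `rails` and `puma` to at least the versions pinned here, which is the kind of confirmation the Codeclimate/`bundle audit` disagreement above calls for. The minimum versions are those in the PR title; the lock excerpt is constructed.

```ruby
# Minimum versions taken from the PR title.
MINIMUM_VERSIONS = {
  "rails" => Gem::Version.new("6.0.4.6"),
  "puma"  => Gem::Version.new("5.6.2"),
}.freeze
# Parse resolved gem versions from every `specs:` section of a Gemfile.lock.
# Top-level entries are indented by exactly four spaces ("    name (version)");
# deeper-indented lines are dependency declarations and are skipped.
def locked_versions(lockfile_text)
  versions, in_specs = {}, false
  lockfile_text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    # A non-indented, non-empty line (GEM, PLATFORMS, ...) ends the section.
    in_specs = false if in_specs && line !~ /\A\s/ && !line.strip.empty?
    next unless in_specs
    match = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    next unless match
    # Drop a platform suffix such as "1.13.1-x86_64-linux" before comparing.
    versions[match[1]] = Gem::Version.new(match[2].split("-").first)
  end
  versions
end

# Gems locked below their minimum (name => locked version); absent gems are "missing".
def outdated_gems(lockfile_text, minimums = MINIMUM_VERSIONS)
  locked = locked_versions(lockfile_text)
  minimums.each_with_object({}) do |(name, minimum), result|
    version = locked[name]
    if version.nil?
      result[name] = "missing"
    elsif version < minimum
      result[name] = version.to_s
    end
  end
end

# Constructed lock excerpt: rails is already patched, puma is not.
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      puma (5.5.2)
        nio4r (~> 2.0)
      rails (6.0.4.6)
  PLATFORMS
    ruby
LOCK
p outdated_gems(SAMPLE_LOCK) if __FILE__ == $PROGRAM_NAME  # => {"puma"=>"5.5.2"}
```

Run it against a real `Gemfile.lock` by passing `File.read("Gemfile.lock")` to `outdated_gems`; an empty hash means both pins are satisfied.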

@andreslucena andreslucena changed the title Upgrade Puma and Rails to fix information exposure vulnerability Update rails to 6.0.4.6 and puma to 5.6.2 Feb 15, 2022
@andreslucena andreslucena merged commit 502baeb into decidim:develop Feb 15, 2022
entantoencuanto added a commit that referenced this pull request Feb 18, 2022
* develop: (134 commits)
  Remove Rectify::Presenter references (#8758)
  Clarify the locales on the list of admins (#8838)
  Fix activity cell disappearing author images (#8826)
  Fix notifications when there is a note proposal in other spaces than processes (#8822)
  Fix accountability text search (#8831)
  Fix displaying hidden meetings in show process page (#8823)
  Fix docs for install-decidim.sh permissions (#8839)
  Fix report moderation for all the spaces (#8813)
  Clarify the comment at the resource search class (#8829)
  Fix displaying hidden related resources (#8812)
  Replace Decidim mentions in UI with 'the platform' (#8827)
  Add natively a .keep file to empty directory to include on git committing (#8830)
  Fix scope validation on initiative's creation (#8755)
  Replace `searchlight` with `ransack` which is already a core dependency (#8748)
  Fix characters not encoded in highlighted participatory process group title (#8820)
  Test ensuring the moderated comments are not computed in stats (#8816)
  Update rails to 6.0.4.6 and puma to 5.6.2 (#8817)
  Fix displaying hidden meetings in processes group's "upcoming meetings" content block (#8818)
  Fix displaying hidden meetings in homepage's "upcoming meetings" content block (#8809)
  Improve "Release Candidates" release docs (#8804)
  ...
@alecslupu alecslupu added this to the 0.27.0 milestone Jul 14, 2023