Critical and high-level dependabot-recommended security updates (December 2025) #162
Gemfile.lock, before:

```
nio4r (2.7.4)
nokogiri (1.16.4-arm64-darwin)
```

after:

```
nio4r (2.7.5)
nokogiri (1.18.10-arm64-darwin)
```
Nokogiri needed to be upgraded to 1.18.4+ to resolve a couple of critical dependabot security warnings (listed below). Since nokogiri is not a direct dependency of decanter but a sub-dependency, I had to update a few other gems:

Changes made:

- Updated rails-html-sanitizer from >= 1.0.4 to >= 1.6.2
  - rails-html-sanitizer 1.6.0 (bundled with Rails 7.1.3.2) constrains nokogiri to ~> 1.14, which blocks upgrading to 1.18.4+
  - Version 1.6.2+ allows nokogiri >= 1.18.4
- Constrained Rails to ~> 7.1.3 (allows 7.1.6, latest 7.1.x)
  - Keeps Rails 7.1.x compatibility while enabling nokogiri upgrade
In the process, activestorage was upgraded to 7.1.6, which will resolve the active storage critical security alert which recommends upgrading to 7.1.5.2+.
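The two comments above reason about pessimistic version constraints (`~> 7.1.3` allowing 7.1.6 but not 7.2) and about minimum versions that close the alerts (nokogiri 1.18.4+, Active Storage 7.1.5.2+). The following is an added example, not code from this PR or from the decanter project, that turns that reasoning into a check a reviewer can run: it evaluates constraint strings with RubyGems' own `Gem::Requirement`, parses resolved versions out of Gemfile.lock text the way Bundler does (version before the first `-`, platform after it), and reports gems that sit below a minimum. The lockfile excerpt is constructed sample data; the minimum-version table uses the floors named on this page and should be treated as an assumption for any other project.

```ruby
# Added example (not code from the decanter PR): a small audit that mirrors the
# reasoning in the PR comments. It checks pessimistic ("~>") constraints with
# RubyGems' own Gem::Requirement, parses the resolved versions out of a
# Gemfile.lock the way Bundler does (version before the first "-", platform
# after it), and reports gems sitting below a minimum version.
require 'rubygems'

# True if `version` is allowed by a Gemfile/gemspec-style requirement string.
def satisfies?(requirement, version)
  Gem::Requirement.new(requirement).satisfied_by?(Gem::Version.new(version))
end

# Extract { gem_name => resolved_version } from Gemfile.lock text. Only the
# 4-space-indented spec lines carry resolved versions; the 6-space-indented
# lines beneath them are dependency constraints and are skipped. A platform
# suffix such as "-arm64-darwin" is dropped so Gem::Version parses cleanly.
def lockfile_versions(lock_text)
  versions = {}
  lock_text.each_line do |line|
    next unless line =~ /\A {4}(\S+) \(([^-)]+)(?:-[^)]+)?\)\s*\z/
    versions[$1] = $2
  end
  versions
end

# Gems present in the lockfile whose resolved version is below its minimum.
# Returns { gem_name => resolved_version } for the offenders only.
def outdated(lock_text, minimums)
  found = lockfile_versions(lock_text)
  minimums.each_with_object({}) do |(name, min), bad|
    next unless found.key?(name)
    bad[name] = found[name] unless satisfies?(">= #{min}", found[name])
  end
end

# Constructed Gemfile.lock excerpt (sample data, not the project's real lockfile);
# the versions are the pre-upgrade ones mentioned in the PR discussion.
SAMPLE_LOCK = <<LOCK
GEM
  remote: https://rubygems.org/
  specs:
    activestorage (7.1.3.2)
      actionpack (= 7.1.3.2)
    nio4r (2.7.4)
    nokogiri (1.16.4-arm64-darwin)
      racc (~> 1.4)
    rack (3.1.8)
    rails-html-sanitizer (1.6.0)
      nokogiri (~> 1.14)
LOCK

# Floors taken from this PR: nokogiri 1.18.4+, Active Storage 7.1.5.2+, and the
# rack >= 3.1.18 gemspec constraint. Assumption for any other project.
MINIMUMS = {
  'nokogiri'      => '1.18.4',
  'activestorage' => '7.1.5.2',
  'rack'          => '3.1.18',
}.freeze

if __FILE__ == $0
  # The "~> 7.1.3" constraint from the PR comment: allows 7.1.6, not 7.2.0.
  puts "7.1.6 ok under ~> 7.1.3: #{satisfies?('~> 7.1.3', '7.1.6')}"
  puts "7.2.0 ok under ~> 7.1.3: #{satisfies?('~> 7.1.3', '7.2.0')}"
  outdated(SAMPLE_LOCK, MINIMUMS).each do |name, ver|
    puts "#{name} #{ver} is below required minimum #{MINIMUMS[name]}"
  end
end
```

Run against a real lockfile by replacing `SAMPLE_LOCK` with `File.read('Gemfile.lock')`; the regex deliberately ignores the indented dependency lines, so a constraint like `nokogiri (~> 1.14)` under another gem is never mistaken for the version actually resolved.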
🎉
```
activesupport
rails (>= 7.1.3.2)
rails-html-sanitizer (>= 1.0.4)
rack (>= 3.1.18)
```
This update will address the following high-level security warnings for rack:
kweingart08 left a comment
lgtm from a dependency standpoint — thanks for the thorough notes.
Just to sanity check: were you able to bundle + boot this version locally with the updated Rails/Rack/Nokogiri combo?
@kweingart08 Thanks! Yes, I tested bundling on a Rails 7 and a Rails 8 project.
Items Addressed
These updates should address all "critical" and "high" severity dependabot alerts.
Author Checklist

- version.rb following versioning guidelines