Require fugit >= 1.11.1 #1468
Require fugit >= 1.11.1 #1468
Conversation
floraison/fugit#104 Prevent Fugit::Nat.parse choking on large input, peg at 256 chars ```ruby spec.add_dependency "fugit", "~> 1.11", ">= 1.11.1" ``` Which requires fugit from 1.11.0 to 2.x not included and at least 1.11.1
|
I don't think this is a dependent gem's responsibility to pin this in their gemspec. I'm open if you can share documentation/policies somewhere that would recommend that gem's pin secure versions of dependencies. (for example, Rails frequently releases security patches, but I don't pin those in GoodJob's gemsepc) Specifically for GoodJob, cron-schedules are intentionally designed not to accept user input, so I don't think GoodJob would be effected by malicious values. |
Good for you, your project can't be affected then. I'm closing this request. Thanks for your time. |
|
thanks for the heads up though! Are you planning to publish a CVE on it? That'd be my recommendation because then automated tooling will pick it up and report it. |
|
Thanks for the recommendation, I will try to do it. |
|
There's some details at the bottom of: https://guides.rubygems.org/security/ (disclosure: I work at GitHub) You can do so pretty easily through your GitHub project: https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/about-repository-security-advisories#cve-identification-numbers |
|
Thanks! Very kind of you, I was actually looking at https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory |
|
CVE drafted and requested. That was slick so far. Thanks for your guidance. |
floraison/fugit#104
Prevent Fugit::Nat.parse choking on large input, peg at 256 chars
Which requires fugit from 1.11.0 to 2.x not included and at least 1.11.1