Fix remaining Dependabot security alerts by mikeland73 · Pull Request #2803 · jetify-com/devbox
- **Rails example**: Upgrade Rails 7.1.5 → 7.2.3, rack 2.2.14 → 3.2.5, nokogiri 1.18.9 → 1.19.2 (fixes Active Storage path traversal, Rack directory traversal, Active Support ReDoS/DoS/XSS, Action View XSS, and Active Storage glob injection/DoS/content type bypass)
- **Django example**: Update sqlparse 0.5.0 → 0.5.3 (DoS fix)
- **VS Code extension**: Add flatted resolution → 3.4.2 (prototype pollution fix)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The regenerated Gemfile.lock had BUNDLED WITH 2.6.9 and RUBY VERSION 3.4.4, but the Nix devbox.json pins bundler@2.5 and ruby@3.3. Bundler 2.5.5 refuses to run when the lockfile requires ~> 2.6, causing the stacks_rails_run_test CI job to fail. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The Rails 7.2 upgrade broke CI because rack 3.x requires config changes incompatible with the 7.1-era blog app. Instead, update within the 7.1.x line:
- Rails 7.1.5.2 → 7.1.6 (latest security patches)
- Rack 2.2.14 → 2.2.22 (fixes CVE-2025-27610 directory traversal)
- Nokogiri 1.18.9 → 1.19.2
- Pin rack to ~> 2.2.15 to prevent accidental rack 3 resolution
- Match BUNDLED WITH (2.5.5) and RUBY VERSION (3.3.0) to Nix env

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
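The two commits above both hit the same failure mode: a regenerated Gemfile.lock whose BUNDLED WITH / RUBY VERSION stanzas drift from the bundler and ruby packages pinned in devbox.json, which Bundler only reports at run time. The check below is an added example, not devbox's own code; it assumes devbox.json lists packages as `name@version` strings and uses constructed lockfile tails for the mismatched and corrected cases.

```ruby
require "json"

# Constructed devbox.json content mirroring the pins described in the PR.
DEVBOX_JSON = '{ "packages": ["ruby@3.3", "bundler@2.5", "libyaml@latest"] }'

# Constructed lockfile tails: the mismatch the second commit describes, and the fix.
BAD_LOCK = "RUBY VERSION\n   ruby 3.4.4p34\n\nBUNDLED WITH\n   2.6.9\n"
GOOD_LOCK = "RUBY VERSION\n   ruby 3.3.0p0\n\nBUNDLED WITH\n   2.5.5\n"

# Map "ruby@3.3"-style package specs to {"ruby" => "3.3", "bundler" => "2.5"}.
def devbox_pins(json_text)
  JSON.parse(json_text)["packages"].each_with_object({}) do |spec, pins|
    name, version = spec.split("@", 2)
    pins[name] = version if %w[ruby bundler].include?(name) && version && version != "latest"
  end
end

# Pull the versions out of the lockfile's trailing RUBY VERSION / BUNDLED WITH stanzas.
def lock_versions(lock_text)
  {
    "ruby" => lock_text[/^RUBY VERSION\n\s+ruby (\d+\.\d+\.\d+)/, 1],
    "bundler" => lock_text[/^BUNDLED WITH\n\s+(\d+\.\d+\.\d+)/, 1],
  }
end

# A pin such as "2.5" is satisfied when the lockfile's major.minor matches it.
def major_minor(version)
  version.split(".").first(2).join(".")
end

# Returns mismatch messages; an empty array means the lockfile matches the Nix pins.
def lockfile_mismatches(json_text, lock_text)
  pins = devbox_pins(json_text)
  locked = lock_versions(lock_text)
  pins.map do |tool, pin|
    actual = locked[tool]
    if actual.nil?
      "#{tool}: not recorded in Gemfile.lock"
    elsif major_minor(actual) != major_minor(pin)
      "#{tool}: Gemfile.lock has #{actual}, devbox.json pins #{pin}"
    end
  end.compact
end

if $PROGRAM_NAME == __FILE__
  problems = lockfile_mismatches(DEVBOX_JSON, BAD_LOCK)
  puts(problems.empty? ? "lockfile consistent with devbox.json" : problems)
end
```

Run against the real files in CI (read devbox.json and examples/stacks/rails/Gemfile.lock instead of the constructed strings) and fail the job when the array is non-empty, so the mismatch surfaces before `bundle install` does.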
The Rails 7.2.3 upgrade pulls in psych 5.3.1 which requires yaml.h headers to build its native extension. Adding libyaml with dev output makes the headers available in the Devbox environment.
Lagoja deleted the mikeland73/fix-lint-issues branch