[Snyk] Security upgrade faraday-retry from 2.3.2 to 2.4.0 #381
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-RUBY-FARADAY-15253521
There was a problem hiding this comment.
Pull request overview
This PR upgrades the faraday-retry gem from version 2.3.2 to 2.4.0 to address a Server-Side Request Forgery (SSRF) vulnerability (SNYK-RUBY-FARADAY-15253521) with a severity score of 631. The faraday-retry gem is a transitive dependency in the project, likely pulled in through the danger gem used for PR checks.
Changes:
- Updated version constraint for
faraday-retryfrom no constraint to>= 2.4.0in the development/test group
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| gem 'factory_bot_rails' | ||
| gem 'faker' | ||
| gem 'faraday-retry' | ||
| gem 'faraday-retry', '>= 2.4.0' |
There was a problem hiding this comment.
The Gemfile.lock file still contains faraday-retry version 2.3.2 (the vulnerable version) and needs to be updated to reflect the new constraint. Run bundle update faraday-retry to update the lockfile. Additionally, the CI matrix gemfiles in the gemfiles/ directory (rails_7_2.gemfile.lock, rails_8_0.gemfile.lock, and rails_edge.gemfile.lock) also contain faraday-retry 2.3.2 and will need to be updated separately using the BUNDLE_GEMFILE environment variable for each.
2 participants
Snyk has created this PR to fix 1 vulnerabilities in the rubygems dependencies of this project.
Snyk changed the following file(s):
mat_views/GemfileVulnerabilities that will be fixed with an upgrade:
SNYK-RUBY-FARADAY-15253521
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Server-side Request Forgery (SSRF)