From a4ed734e2400a064e37ab781d062113b4368e099 Mon Sep 17 00:00:00 2001 From: Kaspar V Date: Sun, 22 Jan 2023 23:09:02 +0100 Subject: [PATCH] fix(pghero): update because CVE-2023-22626 (#23190) There is a vulnerability [CVE-2023-22626](https://github.com/advisories/GHSA-vf99-xw26-86g5) ``` Name: pghero Version: 2.8.3 CVE: CVE-2023-22626 GHSA: GHSA-vf99-xw26-86g5 Criticality: High URL: https://github.com/ankane/pghero/issues/439 Title: Information Disclosure Through EXPLAIN Feature Solution: upgrade to '>= 3.1.0' ```
---
 Gemfile | 4 ++-- Gemfile.lock | 18 +++++++++--------- 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/Gemfile b/Gemfile
index 54e616b1b9d04f..e4529c6a8d2635 100644
--- a/Gemfile
+++ b/Gemfile
@@ -15,8 +15,8 @@ gem 'rack', '~> 2.2.3'
 gem 'hamlit-rails', '~> 0.2'
 gem 'pg', '~> 1.3'
 gem 'makara', '~> 0.5'
-gem 'pghero', '~> 2.8'
-gem 'dotenv-rails', '~> 2.7'
+gem 'pghero'
+gem 'dotenv-rails', '~> 2.8'
 gem 'aws-sdk-s3', '~> 1.112', require: false
 gem 'fog-core', '<= 2.1.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index 43f7143a0dcc56..32b03f9a604658 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -193,9 +193,9 @@ GEM
 unf (>= 0.0.5, < 1.0.0)
 doorkeeper (5.5.4)
 railties (>= 5)
- dotenv (2.7.6)
- dotenv-rails (2.7.6)
- dotenv (= 2.7.6)
+ dotenv (2.8.1)
+ dotenv-rails (2.8.1)
+ dotenv (= 2.8.1)
 railties (>= 3.2)
 e2mmap (0.1.0)
 ed25519 (1.3.0)
@@ -431,10 +431,10 @@ GEM
 parslet (2.0.0)
 pastel (0.8.0)
 tty-color (~> 0.5)
- pg (1.3.1)
- pghero (2.8.2)
- activerecord (>= 5)
- pkg-config (1.4.7)
+ pg (1.4.5)
+ pghero (3.1.0)
+ activerecord (>= 6)
+ pkg-config (1.5.1)
 posix-spawn (0.3.15)
 premailer (1.14.2)
 addressable
@@ -727,7 +727,7 @@ DEPENDENCIES
 devise_pam_authenticatable2 (~> 9.2)
 discard (~> 1.2)
 doorkeeper (~> 5.5)
- dotenv-rails (~> 2.7)
+ dotenv-rails (~> 2.8)
 ed25519 (~> 1.3)
 fabrication (~> 2.27)
 faker (~> 2.19)
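Review bot: The Gemfile hunk drops the pghero version constraint entirely (`+gem 'pghero'`), so nothing in the Gemfile encodes the advisory's floor of '>= 3.1.0'; only Gemfile.lock currently holds 3.1.0, and a later `bundle update` on an unconstrained gem can resolve to any version, including one outside the line that was just validated. Prefer `gem 'pghero', '~> 3.1'`, which keeps the patched minor line as the minimum while still allowing patch releases, consistent with how the neighbouring gems in this hunk are pinned. The lockfile hunk also shows pghero 3.1.0 now requiring `activerecord (>= 6)` where 2.8.2 accepted `>= 5`; since the bundle resolved this appears satisfied, but it is worth confirming the Rails major in use before merging.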
@@ -771,7 +771,7 @@ DEPENDENCIES
 ox (~> 2.14)
 parslet
 pg (~> 1.3)
- pghero (~> 2.8)
+ pghero
 pkg-config (~> 1.4)
 posix-spawn
 premailer-rails