chore: resolve open dependabot security alerts#281
Codecov Report: All modified and coverable lines are covered by tests.

Coverage diff (main vs. #281):

                 main     #281   +/-
  Coverage     99.50%   99.50%
  Files            31       31
  Lines           808      808
  Hits            804      804
  Misses            4        4
- erb 6.0.2 -> 6.0.4 (high, alert #13)

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
Summary

- `erb` from 6.0.2 to 6.0.4 to resolve a high-severity vulnerability (alert #13): ERB has an `@_init` deserialization guard bypass via `def_module` / `def_method` / `def_class`
- Bundler (`BUNDLED WITH`) from 4.0.6 to 4.0.12 to fix the failing `Ruby head` CI job

Notes

The `Ruby head` matrix job was failing with `NameError: uninitialized constant Pathname::SEPARATOR_PAT` during `bundle install`. This is an upstream incompatibility, not a problem in this repo: `Pathname::SEPARATOR_PAT` was an internal constant accidentally left public, and Ruby 4.1-dev (ruby-head) made it private, which broke Bundler 4.0.6's `Source::Path#generate_bin`. Fixed upstream in ruby/rubygems#9529 and shipped in Bundler 4.0.12, so the lockfile just needed the bump.

Verified locally on Ruby 4.0.5 / Bundler 4.0.12: `bundle install`, `bundle exec rspec` (420 examples, 0 failures), and `bundle exec standardrb` all pass.
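A quick way to confirm both bumps described above actually landed in a checkout is to read the versions back out of `Gemfile.lock`. The script below is an added example, not code from this PR or the project: it parses the `GEM` specs and the `BUNDLED WITH` trailer and compares them with `Gem::Version` against the minimums stated in the summary (erb 6.0.4, Bundler 4.0.12); the embedded lockfile is constructed and shows the pre-bump state.

```ruby
# Added example (not the project's code): scan a Gemfile.lock for the two
# versions this PR bumps, the erb gem and the Bundler under BUNDLED WITH.
require "rubygems"

# Minimum versions taken from the PR description: erb >= 6.0.4 closes the
# dependabot alert, Bundler >= 4.0.12 carries the Pathname::SEPARATOR_PAT fix.
MINIMUMS = { "erb" => "6.0.4", "bundler" => "4.0.12" }.freeze

# Constructed sample lockfile (pre-bump versions), cut down to what the check reads.
BEFORE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      cgi (0.5.0)
      erb (6.0.2)
        cgi (>= 0.5.0)

  DEPENDENCIES
    erb

  BUNDLED WITH
     4.0.6
LOCK

# Returns { gem name => locked version }; Bundler's own version is stored as "bundler".
def parse_lockfile(text)
  versions = {}
  section = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.empty?
    if !line.start_with?(" ")                       # unindented line opens a section
      section = line
    elsif section == "GEM" && line =~ /\A {4}(\S+) \(([^)]+)\)\z/
      versions[$1] = $2                             # "    erb (6.0.2)", not nested deps
    elsif section == "BUNDLED WITH"
      versions["bundler"] = line.strip
    end
  end
  versions
end

# Names whose locked version is still below the minimum (missing counts as outdated).
def outdated(versions)
  MINIMUMS.select { |name, min|
    v = versions[name]
    v.nil? || Gem::Version.new(v) < Gem::Version.new(min)
  }.keys
end

puts "still outdated: #{outdated(parse_lockfile(BEFORE_LOCK)).inspect}"
```

Run it against a real lockfile with `outdated(parse_lockfile(File.read("Gemfile.lock")))`; an empty array means both fixes are present.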