diff --git a/Gemfile b/Gemfile
index f58bec0..4d8c7f1 100644
--- a/Gemfile
+++ b/Gemfile
@@ -4,4 +4,10 @@ gemspec
 group :development, :test do
   gem 'rake', '~> 12.3.3'
+  # Security pins for transitive dev/test dependencies (Dependabot RP-6332).
+  # ffi >= 1.9.24 fixes GHSA-2gw2-8q9w-cw8p; cap below 1.17 to keep
+  # compatibility with the project's Ruby 2.6 toolchain.
+  gem 'ffi', '>= 1.9.24', '< 1.17'
+  # addressable >= 2.9.0 fixes GHSA-h27x-rffw-24p4 / GHSA-jxhc-q857-3j6g.
+  gem 'addressable', '>= 2.9.0'
 end
diff --git a/Gemfile.lock b/Gemfile.lock
index fb99e1c..0ea19c4 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -8,7 +8,8 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    addressable (2.4.0)
+    addressable (2.9.0)
+      public_suffix (>= 2.0.2, < 8.0)
     autotest (5.0.0)
       minitest-autotest (~> 1.0)
     autotest-fsevent (0.2.14)
@@ -20,9 +21,9 @@ GEM
     diff-lcs (1.3)
     ethon (0.12.0)
       ffi (>= 1.3.0)
-    ffi (1.9.18)
+    ffi (1.16.3)
     hashdiff (0.3.6)
-    json (2.1.0)
+    json (2.7.6)
     minitest (5.11.3)
     minitest-autotest (1.1.1)
       minitest-server (~> 1.0)
@@ -30,6 +31,7 @@ GEM
     minitest-server (1.0.5)
       minitest (~> 5.0)
     path_expander (1.0.4)
+    public_suffix (5.1.1)
     rake (12.3.3)
     rspec (3.8.0)
       rspec-core (~> 3.8.0)
@@ -59,11 +61,13 @@ PLATFORMS
   ruby
 DEPENDENCIES
+  addressable (>= 2.9.0)
   autotest (~> 5.0, >= 4.4.6)
   autotest-fsevent (~> 0.2, >= 0.2.12)
   autotest-growl (~> 0.2, >= 0.2.16)
   autotest-rails-pure (~> 4.1, >= 4.1.2)
   clever-ruby!
+  ffi (>= 1.9.24, < 1.17)
   rake (~> 12.3.3)
   rspec (~> 3.6, >= 3.6.0)
   vcr (~> 5.0, >= 3.0.1)
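Review bot: The new `gem 'ffi'` and `gem 'addressable'` pins live inside `group :development, :test do`, so they constrain only this repository's bundle and never reach applications that install the gem; the lockfile shows `ethon (0.12.0)` depending on `ffi (>= 1.3.0)`, and if ethon is a runtime dependency of the gemspec (not visible in this diff), consumers can still resolve a pre-1.9.24 ffi. If that is the case, the floor belongs on the runtime dependency in the gemspec rather than here, and the Gemfile comment should say the pins are dev/test-only so nobody reads them as protecting downstream users. The `< 1.17` cap is tied to the Ruby 2.6 toolchain but nothing records when it can be lifted; a one-line marker such as `# TODO: drop the '< 1.17' cap once the toolchain moves off Ruby 2.6` would keep it from outliving its reason. The lockfile also moves json from 2.1.0 to 2.7.6 with no corresponding Gemfile floor or comment, so whether that bump is deliberate or incidental is not recorded alongside the other pins.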