# bundler-audit configuration. Every id listed under `ignore:` is suppressed
# when `bundle-audit check` runs, so each entry is an accepted risk, not a fix.
# Entries are matched against the advisory's CVE or GHSA id in ruby-advisory-db;
# the file mixes both forms, which bundler-audit should accept (verify for the
# pinned bundler-audit version), but one form per entry keeps grepping simple.
#
# An ignore is unconditional: it does not expire when the gem or Rails is bumped.
# Each entry should therefore record (1) why the advisory does not apply or how
# it is mitigated, and (2) the removal condition (a patched gem/Rails version, a
# PR, or a review date). Entries tagged NOTE(review) below are missing one.
ignore:
- CVE-2024-21510
# NOTE(review): the comment below links a Rails advisory (GHSA-vfm5-rmrh-j26v);
# elsewhere in this file the rationale precedes its entry, so it presumably
# describes CVE-2024-54133 on the next line rather than CVE-2024-21510 above,
# which then has no recorded justification. Confirm against SECURITY.md and
# either document CVE-2024-21510 or remove the ignore.
# Ignore security advisory https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v which does not impact us.
# Further information is available in the SECURITY.md file.
- CVE-2024-54133
# Ignore security advisory https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m
# as it does not impact this particular application.
# Further information available in the SECURITY.md file.
- GHSA-vvfq-8hwr-qm4m
# Ignore security advisory https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v
# as it does not impact this particular application.
# Further information available in the SECURITY.md file.
- GHSA-8cgq-6mh2-7j6v
# Ignore security advisory https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-r95h-9x8f-r3f7
# as it does not impact this particular application.
# Further information available in the SECURITY.md file.
- GHSA-r95h-9x8f-r3f7
# Rails advisories mitigated via initializer backports in PR
# <https://github.com/ideacrew/enroll/pull/5567>, pending a Rails upgrade.
# Remove the two Rails entries once Rails is at ~> 7.1.5.2, ~> 7.2.2.2 or
# >= 8.0.2.1 (the patched series). Until then, re-check that the backported
# initializers still load and apply on every Rails patch bump.
- GHSA-76r7-hhxj-r776 # CVE-2025-55193 – Active Record logging ANSI escape injection
- GHSA-r4mg-4433-c7g3 # CVE-2025-24293 – Active Storage unsafe transforms
# NOTE(review): this is a nokogiri advisory, not Rails — the backport/upgrade
# rationale above does not cover it. Record its own justification and removal
# condition (the nokogiri version that fixes it), or drop the ignore.
- GHSA-wx95-c6cv-8532 # (no CVE assigned) - nokogiri fails to raise exception when canonicalization fails
# CKEditor4 vulnerabilities that affect sample/demo files not used in production.
# Further information available in the SECURITY.md file.
# NOTE(review): "not used in production" should be enforced rather than assumed —
# confirm the sample/plugin directories are excluded from the asset build and
# deploy. The inline descriptions for CVE-2024-24815 ("CDATA detection") and
# CVE-2024-43411 ("domain takeover") do not mention sample files, so check that
# the sample-only rationale really covers them. CKEditor 4 is, as far as I know,
# end-of-life, so this group will keep growing until the editor is replaced.
- CVE-2023-4771 # GHSA-wh5w-82f3-wrxh – XSS in AJAX sample
- CVE-2024-24815 # GHSA-fq6h-4g8v-qqvm – XSS in CDATA detection
- CVE-2024-24816 # GHSA-mw2c-vx6j-mg76 – XSS in preview feature sample
- CVE-2024-43407 # GHSA-7r32-vfj5-c2jv – XSS in GeSHi plugin sample
- CVE-2024-43411 # GHSA-6v96-m24v-f58j – Low-risk XSS via domain takeover
# NOTE(review): the next two entries are not CKEditor4, so the comment above does
# not apply to them, and neither records why the advisory does not affect this
# application or when the ignore can be removed. Add a rationale for each (or
# point at the SECURITY.md section that holds it).
- CVE-2025-61921 # GHSA-mr3q-g2mv-mr4q - Sinatra ReDoS via ETag header
- CVE-2026-25765 # GHSA-33mh-2634-fwr2 - faraday
# NOTE(review): no inline description for this id; presumably it is the GHSA
# form of CVE-2026-32700 (devise) described just below — confirm the mapping and
# annotate the entry inline like the others.
- GHSA-57hq-95w6-v4fc
# CVE-2026-32700: patched version (5.0.3) requires Rails >= 7.0; project is on Rails 6.1.7.10.
# Resolve by upgrading Rails to >= 7.0 and then devise to 5.0.3.
# CVE-2026-33658: patched versions require Rails >= 7.2.3.1; project is on Rails 6.1.7.10.
# Resolve by upgrading Rails to ~> 7.2.3.1, ~> 8.0.4.1, or >= 8.1.2.1.
# NOTE(review): unlike the backported Rails entries above, no mitigation is
# recorded for these — they are accepted solely because the fix needs a Rails
# upgrade. Rails 6.1 no longer receives upstream security fixes (as far as I
# know), so this class of ignore will keep growing; track the upgrade as a
# security item with an owner and target date, and remove these entries with it.
- CVE-2026-33658 # GHSA-p9fm-f462-ggrg – Active Storage DoS via multi-range requests in proxy mode