
Commit cb20e66

Merge pull request #127 from transitnownash/CVE-2025-55193
Updates for CVE-2025-55193
2 parents 7a082dc + c650830 commit cb20e66


5 files changed

+131
-94
lines changed


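--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,7 +18,7 @@ jobs:
 
     strategy:
       matrix:
-        ruby-version: ['3.1', '3.2', '3.3']
+        ruby-version: ['3.2', '3.3', '3.4']
 
     steps:
       - uses: actions/checkout@v2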

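--- a/Gemfile
+++ b/Gemfile
@@ -6,13 +6,16 @@ git_source(:github) { |repo| "https://github.com/#{repo}.git" }
 ruby '>= 2.7.0'
 
 # Bundle edge Rails instead: gem "rails", github: "rails/rails", branch: "main"
-gem 'rails', '~> 7.0.8'
+# Bump Rails to include patched ActiveRecord for CVE-2025-55193
+# Use Rails 7.1 with a minimum of 7.1.5.2 (first patched release)
+gem 'rails', '~> 7.1', '>= 7.1.5.2'
 
 # Use mysql as the database for Active Record
 gem 'mysql2', '~> 0.5'
 
 # Use the Puma web server [https://github.com/puma/puma]
-gem 'puma', '~> 5.6'
+# Puma 6+ is required for Rack 3 (Rails 7.1)
+gem 'puma', '~> 6.4'
 
 # Build JSON APIs with ease [https://github.com/rails/jbuilder]
 # gem "jbuilder"
@@ -57,6 +60,7 @@ gem 'dotenv-rails', groups: %i[development test]
 gem 'webmock', groups: %i[development test]
 
 # Parse schedule
+gem 'csv'
 gem 'gtfs'
 
 # GTFS Realtime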
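Review bot: The new constraint `gem 'rails', '~> 7.1', '>= 7.1.5.2'` in the first hunk resolves to any 7.x release from 7.1.5.2 upward, so it also admits 7.2.x, while the comment directly above it says the intent is Rails 7.1 with 7.1.5.2 as the floor. Whether every 7.2.x release that satisfies `>= 7.1.5.2` also carries the fix is not shown by this commit, so the Gemfile alone does not rule out an unpatched 7.2 build; only the Gemfile.lock pin to 7.1.5.2 does. If 7.1 is the intent, `gem 'rails', '~> 7.1.5', '>= 7.1.5.2'` keeps the resolver on the 7.1 series with that floor and makes the comment accurate; if moving to 7.2 is acceptable, the comment should say so and the floor should be stated per series. Separately, the unchanged context line `ruby '>= 2.7.0'` now sits well below the lowest Ruby in the CI matrix (3.2) after this same PR's workflow change, so consider raising it so that an unsupported interpreter fails at `bundle install` rather than later.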

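--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,77 +1,91 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (7.0.8.7)
-      actionpack (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
+    actioncable (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (7.0.8.7)
-      actionpack (= 7.0.8.7)
-      activejob (= 7.0.8.7)
-      activerecord (= 7.0.8.7)
-      activestorage (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
+      zeitwerk (~> 2.6)
+    actionmailbox (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      activejob (= 7.1.5.2)
+      activerecord (= 7.1.5.2)
+      activestorage (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
       mail (>= 2.7.1)
       net-imap
       net-pop
       net-smtp
-    actionmailer (7.0.8.7)
-      actionpack (= 7.0.8.7)
-      actionview (= 7.0.8.7)
-      activejob (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
+    actionmailer (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      actionview (= 7.1.5.2)
+      activejob (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
       mail (~> 2.5, >= 2.5.4)
       net-imap
       net-pop
       net-smtp
-      rails-dom-testing (~> 2.0)
-    actionpack (7.0.8.7)
-      actionview (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
-      rack (~> 2.0, >= 2.2.4)
+      rails-dom-testing (~> 2.2)
+    actionpack (7.1.5.2)
+      actionview (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
+      nokogiri (>= 1.8.5)
+      racc
+      rack (>= 2.2.4)
+      rack-session (>= 1.0.1)
       rack-test (>= 0.6.3)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (7.0.8.7)
-      actionpack (= 7.0.8.7)
-      activerecord (= 7.0.8.7)
-      activestorage (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    actiontext (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      activerecord (= 7.1.5.2)
+      activestorage (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.0.8.7)
-      activesupport (= 7.0.8.7)
+    actionview (7.1.5.2)
+      activesupport (= 7.1.5.2)
       builder (~> 3.1)
-      erubi (~> 1.4)
-      rails-dom-testing (~> 2.0)
-      rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (7.0.8.7)
-      activesupport (= 7.0.8.7)
+      erubi (~> 1.11)
+      rails-dom-testing (~> 2.2)
+      rails-html-sanitizer (~> 1.6)
+    activejob (7.1.5.2)
+      activesupport (= 7.1.5.2)
       globalid (>= 0.3.6)
-    activemodel (7.0.8.7)
-      activesupport (= 7.0.8.7)
-    activerecord (7.0.8.7)
-      activemodel (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
+    activemodel (7.1.5.2)
+      activesupport (= 7.1.5.2)
+    activerecord (7.1.5.2)
+      activemodel (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
+      timeout (>= 0.4.0)
     activerecord-import (1.7.0)
       activerecord (>= 4.2)
-    activestorage (7.0.8.7)
-      actionpack (= 7.0.8.7)
-      activejob (= 7.0.8.7)
-      activerecord (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
+    activestorage (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      activejob (= 7.1.5.2)
+      activerecord (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
       marcel (~> 1.0)
-      mini_mime (>= 1.1.0)
-    activesupport (7.0.8.7)
+    activesupport (7.1.5.2)
+      base64
+      benchmark (>= 0.3)
+      bigdecimal
       concurrent-ruby (~> 1.0, >= 1.0.2)
+      connection_pool (>= 2.2.5)
+      drb
       i18n (>= 1.6, < 2)
+      logger (>= 1.4.2)
       minitest (>= 5.1)
+      mutex_m
+      securerandom (>= 0.3)
       tzinfo (~> 2.0)
     addressable (2.8.6)
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
-    bigdecimal (3.2.1)
+    base64 (0.3.0)
+    benchmark (0.4.1)
+    bigdecimal (3.2.3)
     bootsnap (1.17.0)
       msgpack (~> 1.2)
     builder (3.3.0)
@@ -80,10 +94,12 @@ GEM
     bullet (8.0.8)
       activesupport (>= 3.0.0)
       uniform_notifier (~> 1.11)
-    concurrent-ruby (1.3.4)
+    concurrent-ruby (1.3.5)
+    connection_pool (2.5.4)
     crack (0.4.5)
       rexml
     crass (1.0.6)
+    csv (3.3.5)
     date (3.4.1)
     debug (1.9.0)
       irb (~> 1.10)
@@ -92,7 +108,8 @@ GEM
     dotenv-rails (2.8.1)
       dotenv (= 2.8.1)
       railties (>= 3.2)
-    erubi (1.13.0)
+    drb (2.2.3)
+    erubi (1.13.1)
     fast_jsonapi (1.5)
       activesupport (>= 4.2)
     geokit (1.14.0)
@@ -108,50 +125,51 @@ GEM
     gtfs-realtime-bindings (0.0.5)
       protobuf (>= 3.0)
     hashdiff (1.1.0)
-    i18n (1.14.6)
+    i18n (1.14.7)
       concurrent-ruby (~> 1.0)
     io-console (0.7.0)
     irb (1.10.1)
       rdoc
       reline (>= 0.3.8)
     json (2.7.1)
     language_server-protocol (3.17.0.3)
-    loofah (2.23.1)
+    logger (1.7.0)
+    loofah (2.24.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     mail (2.8.1)
       mini_mime (>= 0.1.1)
       net-imap
       net-pop
       net-smtp
-    marcel (1.0.4)
-    method_source (1.0.0)
+    marcel (1.1.0)
     middleware (0.1.0)
     mini_mime (1.1.5)
-    minitest (5.25.4)
+    minitest (5.25.5)
     msgpack (1.7.2)
     multi_json (1.15.0)
+    mutex_m (0.3.0)
     mysql2 (0.5.5)
-    net-imap (0.4.20)
+    net-imap (0.5.10)
       date
       net-protocol
     net-pop (0.1.2)
       net-protocol
     net-protocol (0.2.2)
       timeout
-    net-smtp (0.4.0.1)
+    net-smtp (0.5.1)
       net-protocol
-    nio4r (2.7.3)
-    nokogiri (1.18.9-arm64-darwin)
+    nio4r (2.7.4)
+    nokogiri (1.18.10-arm64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.9-x86_64-darwin)
+    nokogiri (1.18.10-x86_64-darwin)
       racc (~> 1.4)
-    nokogiri (1.18.9-x86_64-linux-gnu)
+    nokogiri (1.18.10-x86_64-linux-gnu)
       racc (~> 1.4)
     oj (3.16.11)
       bigdecimal (>= 3.0)
       ostruct (>= 0.2)
-    ostruct (0.6.1)
+    ostruct (0.6.3)
     parallel (1.23.0)
     parser (3.2.2.4)
       ast (~> 2.4.1)
@@ -164,46 +182,52 @@ GEM
     psych (5.1.2)
       stringio
     public_suffix (5.0.4)
-    puma (5.6.9)
+    puma (6.6.1)
       nio4r (~> 2.0)
     racc (1.8.1)
-    rack (2.2.14)
+    rack (3.2.1)
     rack-cors (2.0.2)
       rack (>= 2.0.0)
     rack-mini-profiler (3.3.1)
       rack (>= 1.2.0)
-    rack-test (2.1.0)
+    rack-session (2.1.1)
+      base64 (>= 0.1.0)
+      rack (>= 3.0.0)
+    rack-test (2.2.0)
       rack (>= 1.3)
-    rails (7.0.8.7)
-      actioncable (= 7.0.8.7)
-      actionmailbox (= 7.0.8.7)
-      actionmailer (= 7.0.8.7)
-      actionpack (= 7.0.8.7)
-      actiontext (= 7.0.8.7)
-      actionview (= 7.0.8.7)
-      activejob (= 7.0.8.7)
-      activemodel (= 7.0.8.7)
-      activerecord (= 7.0.8.7)
-      activestorage (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
+    rackup (2.2.1)
+      rack (>= 3)
+    rails (7.1.5.2)
+      actioncable (= 7.1.5.2)
+      actionmailbox (= 7.1.5.2)
+      actionmailer (= 7.1.5.2)
+      actionpack (= 7.1.5.2)
+      actiontext (= 7.1.5.2)
+      actionview (= 7.1.5.2)
+      activejob (= 7.1.5.2)
+      activemodel (= 7.1.5.2)
+      activerecord (= 7.1.5.2)
+      activestorage (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
       bundler (>= 1.15.0)
-      railties (= 7.0.8.7)
-    rails-dom-testing (2.2.0)
+      railties (= 7.1.5.2)
+    rails-dom-testing (2.3.0)
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
-    rails-html-sanitizer (1.6.1)
+    rails-html-sanitizer (1.6.2)
       loofah (~> 2.21)
       nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
-    railties (7.0.8.7)
-      actionpack (= 7.0.8.7)
-      activesupport (= 7.0.8.7)
-      method_source
+    railties (7.1.5.2)
+      actionpack (= 7.1.5.2)
+      activesupport (= 7.1.5.2)
+      irb
+      rackup (>= 1.0.0)
       rake (>= 12.2)
-      thor (~> 1.0)
-      zeitwerk (~> 2.5)
+      thor (~> 1.0, >= 1.2.2)
+      zeitwerk (~> 2.6)
     rainbow (3.1.1)
-    rake (13.1.0)
+    rake (13.3.0)
     rdoc (6.6.3.1)
       psych (>= 4.0.0)
     regexp_parser (2.8.3)
@@ -230,23 +254,25 @@ GEM
       rubocop-ast (>= 1.30.0, < 2.0)
     ruby-progressbar (1.13.0)
     rubyzip (1.3.0)
+    securerandom (0.4.1)
     stringio (3.1.0)
     thor (1.4.0)
     thread_safe (0.3.6)
     timeout (0.4.3)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (2.5.0)
-    uniform_notifier (1.17.0)
+    uniform_notifier (1.18.0)
     webmock (3.19.1)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    websocket-driver (0.7.6)
+    websocket-driver (0.8.0)
+      base64
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.5)
     will_paginate (3.3.1)
-    zeitwerk (2.6.13)
+    zeitwerk (2.7.3)
 
 PLATFORMS
   arm64-darwin-22
@@ -260,6 +286,7 @@ DEPENDENCIES
   bootsnap
   bulk_insert (~> 1.9)
   bullet (~> 8.0)
+  csv
   debug
   dotenv-rails
   fast_jsonapi (~> 1.5)
@@ -268,10 +295,10 @@ DEPENDENCIES
   gtfs-realtime-bindings
   mysql2 (~> 0.5)
   oj (~> 3.16)
-  puma (~> 5.6)
+  puma (~> 6.4)
   rack-cors
   rack-mini-profiler (~> 3.3)
-  rails (~> 7.0.8)
+  rails (~> 7.1, >= 7.1.5.2)
   rexml (~> 3.4)
   rubocop (~> 1.34)
   rubocop-rails (~> 2.15)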

db/schema.rb

Lines changed: 1 addition & 1 deletion
