Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork223
Remove Rails LTS versions#847
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Conversation
Please checkhttps://makandracards.com/railslts/474590-list-cves-addressed-rails-lts for all CVEs addressed by Rails LTS and detailed information.
First, I will need some kind of confirmation that this is indeed Niklas Häusele speaking on behalf of Rails LTS / Makandra, and not some random GitHub account possibly posing as Niklas Häusele. Second, the Rails LTS patched versions were added by PR#538. If we remove the Rails LTS specific patched versions, then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Looks good, but also needs a note added to the README instructing Rails LTS users to check the official Rails LTS CVE list, and to add those CVEs to their.bundler-audit.yml file underignore:.
Monitoring PR and will make changes to my GHSA SYNC scripts after the merge. |
NiklasHae commentedFeb 17, 2025 • edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
Thank you@postmodern for taking a look. I sent you an email to your linked GitHub profile address regarding verification. I'll update the PR accordingly 👍 |
05ea8d8 intorubysec:masterUh oh!
There was an error while loading.Please reload this page.
Added a note to the README ineb74560. |
We (the Rails LTS team) noticed that some CVEs are marked as fixed by Rails LTS in the ruby-advisory-db. While we appreciate and are grateful for the effort, we would prefer not to list our commercial versions in the official database as fixed versions.
Currently, we do not have the capacity to actively monitor all versions listed in the ruby-advisory-db, verify their accuracy, and ensure correctness. Additionally, some fixes require extra context or additional information that may not be adequately reflected in the database. Most Rails LTS versions are a commercial offering, and we maintain a comprehensive list of all CVEs we have addressed—along with the necessary details—athttps://makandracards.com/railslts/474590-list-cves-addressed-rails-lts. Every Rails LTS customer also receives a newsletter with updates and additional information for all patches.
We would prefer to keep our own documentation as the single source of truth for Rails LTS related fixes. Thank you for your understanding.