Declare dependency only on protected versions of the gem

My gem depends on ActiveSupport and has been tested successfully with ActiveSupport 3.2, 4.1 and 4.2.

Some versions of ActiveSupport have the CVE-2015-3227 vulnerability and I want to exclude these versions from my dependency declaration.

The dependency is currently declared like this:

spec.add_runtime_dependency 'activesupport', '>= 3.2.22', '< 5'

but this includes the insecure versions of ActiveSupport 4.1 and 4.2.

Is there a way to exclude these unsafe versions from the dependency?

+3
ruby dependency-management rubygems




No one has answered this question yet
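
Added example, not part of the original question: a Ruby check that uses RubyGems' own `Gem::Requirement` to list the releases the declaration admits outside the safe ranges, then builds a declaration with `!=` exclusions. The patched floors (`4.1.50`, `4.2.50`) and the release list are constructed placeholders, treating the untested 4.0 series as excluded is an assumption, and the helper names are hypothetical.

```ruby
require 'rubygems'

# Declaration from the question. RubyGems ANDs every constraint in the list,
# so a single declaration cannot say "range A or range B".
BASE = ['>= 3.2.22', '< 5'].freeze

# PLACEHOLDER floors, constructed for this example: the page does not state the
# patched releases. Take the real ones from the CVE-2015-3227 advisory.
SAFE_RANGES = [
  Gem::Requirement.new('~> 3.2.22'),           # 3.2 series, floor from the question
  Gem::Requirement.new('>= 4.1.50', '< 4.2'),  # placeholder patched floor for 4.1
  Gem::Requirement.new('>= 4.2.50', '< 5')     # placeholder patched floor for 4.2
].freeze

# Constructed release list; in practice, enumerate the published versions.
# 4.0.x is not in the tested list (3.2, 4.1, 4.2), so it is treated as excluded.
KNOWN_RELEASES = %w[3.2.22 4.0.13 4.1.0 4.1.49 4.1.50 4.2.0 4.2.49 4.2.50 4.2.51].freeze

# A version is acceptable if any one safe range covers it (OR across ranges).
def safe?(version)
  SAFE_RANGES.any? { |range| range.satisfied_by?(version) }
end

# Releases the given constraints admit although no safe range covers them.
def unsafe_admitted(constraints, releases)
  requirement = Gem::Requirement.new(*constraints)
  releases.map { |v| Gem::Version.new(v) }
          .select { |v| requirement.satisfied_by?(v) && !safe?(v) }
end

# Tighten the declaration with one '!=' constraint per unsafe release.
def with_exclusions(constraints, releases)
  constraints + unsafe_admitted(constraints, releases).map { |v| "!= #{v}" }
end

tightened = with_exclusions(BASE, KNOWN_RELEASES)
puts "admitted but unsafe: #{unsafe_admitted(BASE, KNOWN_RELEASES).join(', ')}"
puts "spec.add_runtime_dependency 'activesupport', " +
     tightened.map { |c| "'#{c}'" }.join(', ')
```

The `!=` list covers only the releases enumerated when it is built, so the same check is worth rerunning against the current release list before each gem release.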
