Skip to content

chore: resolve open dependabot security alerts#281

Open
jonathannorris wants to merge 3 commits into
mainfrom
chore/dependabot-alerts
Open

chore: resolve open dependabot security alerts#281
jonathannorris wants to merge 3 commits into
mainfrom
chore/dependabot-alerts

Conversation

@jonathannorris

@jonathannorris jonathannorris commented May 11, 2026

Copy link
Copy Markdown
Member

Summary

  • Bumped erb from 6.0.2 to 6.0.4 to resolve a high-severity vulnerability (alert [CI/CD] Use reusable workflow #13): ERB has an @_init deserialization guard bypass via def_module / def_method / def_class
  • Bumped Bundler (BUNDLED WITH) from 4.0.6 to 4.0.12 to fix the failing Ruby head CI job

Notes

The Ruby head matrix job was failing with NameError: uninitialized constant Pathname::SEPARATOR_PAT during bundle install. This is an upstream incompatibility, not a problem in this repo: Pathname::SEPARATOR_PAT was an internal constant accidentally left public, and Ruby 4.1-dev (ruby-head) made it private, which broke Bundler 4.0.6's Source::Path#generate_bin. Fixed upstream in ruby/rubygems#9529 and shipped in Bundler 4.0.12, so the lockfile just needed the bump.

Verified locally on Ruby 4.0.5 / Bundler 4.0.12: bundle install, bundle exec rspec (420 examples, 0 failures), and bundle exec standardrb all pass.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the erb gem version from 6.0.2 to 6.0.4 in the Gemfile.lock. I have no feedback to provide as there are no review comments.

@codecov

codecov Bot commented May 11, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.50%. Comparing base (0e986fd) to head (d49a1de).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #281   +/-   ##
=======================================
  Coverage   99.50%   99.50%           
=======================================
  Files          31       31           
  Lines         808      808           
=======================================
  Hits          804      804           
  Misses          4        4           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@jonathannorris jonathannorris force-pushed the chore/dependabot-alerts branch from 5818064 to b92eb57 Compare May 19, 2026 15:09
- erb 6.0.2 -> 6.0.4 (high, alert #13)

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@jonathannorris jonathannorris force-pushed the chore/dependabot-alerts branch from b92eb57 to ec66772 Compare May 25, 2026 14:06
@jonathannorris jonathannorris marked this pull request as ready for review May 25, 2026 14:07
@jonathannorris jonathannorris requested a review from a team as a code owner May 25, 2026 14:07
Copilot AI review requested due to automatic review settings May 25, 2026 14:07
@jonathannorris jonathannorris enabled auto-merge (squash) May 25, 2026 14:07

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
- concurrent-ruby 1.3.6 -> 1.3.7 (high/low, alerts #13, #14, #15, #16)

Signed-off-by: Jonathan Norris <jonathan.norris@dynatrace.com>
@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • Gemfile.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: cbfdf54d-0171-4881-b64e-c66156d16b9d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants