
Kaminari gem version is still locked at 1.1.x despite known vulnerability

Open djmolny opened this issue 2 years ago • 1 comment

A cross-site vulnerability in kaminari was identified more than two years ago.

Despite (closed) issues #78, #80, and commit 39e301c349bff5db271dec3222c5ca91d4bfcbd4, the gemspec still limits the kaminari version to 1.1.x: s.add_dependency 'kaminari', ['~> 1.1']

djmolny avatar Sep 28 '22 20:09 djmolny
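The issue above turns on what a gemspec constraint such as `'~> 1.1'` actually admits. A practitioner auditing a dependency pin against a known-vulnerable range would want to check that mechanically rather than by eye. The following added example (not code from wice_grid or kaminari) does that with RubyGems' own `Gem::Requirement` and `Gem::Version` classes; the list of published versions and the "first patched" version it uses are constructed for illustration, not real kaminari release data.

```ruby
require 'rubygems'

# Constructed sample of published versions (NOT real kaminari release history).
SAMPLE_VERSIONS = %w[1.0.1 1.1.0 1.1.1 1.2.0 1.2.1 2.0.0].freeze

# True if a single version string satisfies the constraint(s).
# `constraint` may be one requirement string or an array of them,
# exactly as a gemspec's add_dependency accepts.
def admits?(constraint, version)
  Gem::Requirement.new(*Array(constraint)).satisfied_by?(Gem::Version.new(version))
end

# All candidate versions the constraint would let the resolver choose.
def admitted_versions(constraint, candidates = SAMPLE_VERSIONS)
  candidates.select { |v| admits?(constraint, v) }
end

# Admitted versions that are older than the first patched release, i.e. the
# versions a constraint still leaves open to a known vulnerability.
def unpatched_versions_admitted(constraint, first_patched, candidates = SAMPLE_VERSIONS)
  patched = Gem::Version.new(first_patched)
  admitted_versions(constraint, candidates).select { |v| Gem::Version.new(v) < patched }
end

# A constraint that floors the dependency at the patched release while still
# excluding the next major version (hypothetical helper, not a gemspec API).
def patched_constraint(first_patched)
  next_major = Gem::Version.new(first_patched).segments.first + 1
  [">= #{first_patched}", "< #{next_major}"]
end

if __FILE__ == $PROGRAM_NAME
  ['~> 1.1', '~> 1.1.0', patched_constraint('1.2.0')].each do |c|
    puts "#{Array(c).join(', ').ljust(18)} admits #{admitted_versions(c).join(' ')}"
    puts "#{' ' * 18} still unpatched: #{unpatched_versions_admitted(c, '1.2.0').inspect}"
  end
end
```

Running this shows that `'~> 1.1'` (no patch segment) means `>= 1.1, < 2.0`, so it admits any 1.x release at or above 1.1, whereas `'~> 1.1.0'` is what confines a dependency to 1.1.x. Either way, a pessimistic constraint alone does not raise the lower bound; to exclude a vulnerable range the gemspec needs an explicit `>= <first patched>` floor, which is what `patched_constraint` produces.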

This is fixed in master, but not released on RubyGems yet. I doubt a new RubyGems version will be released soon, since the only ones with access haven't maintained this project in a long time. In the meantime you can use the master branch of this repo, see https://github.com/patricklindsay/wice_grid/issues/78#issuecomment-738754025 for more information.

Or you can use my fork with some other fixes/improvements as well, like Rails 6(.1) support: https://github.com/patricklindsay/wice_grid/issues/74#issuecomment-1056805353

kreintjes avatar Sep 29 '22 07:09 kreintjes