
Insecure dependencies actionpack / activerecord / activesupport 5.2.8.1 in hyrax-v3.5.0

Open hardfalcon opened this issue 1 year ago • 1 comments

Hi, I've run bundle install against the Gemfile in a git checkout of hyrax-v3.5.0, and then bundle-audit check against the resulting Gemfile.lock. The result is the following list:

Name: actionpack
Version: 5.2.8.1
CVE: CVE-2023-22792
GHSA: GHSA-p84v-45xj-wwqj
Criticality: Unknown
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Title: ReDoS based DoS vulnerability in Action Dispatch
Solution: upgrade to '~> 5.2.8, >= 5.2.8.15', '~> 6.1.7, >= 6.1.7.1', '>= 7.0.4.1'

Name: actionpack
Version: 5.2.8.1
CVE: CVE-2023-22795
GHSA: GHSA-8xww-x3g3-6jcv
Criticality: Unknown
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Title: ReDoS based DoS vulnerability in Action Dispatch
Solution: upgrade to '~> 5.2.8, >= 5.2.8.15', '~> 6.1.7, >= 6.1.7.1', '>= 7.0.4.1'

Name: activerecord
Version: 5.2.8.1
CVE: CVE-2022-44566
GHSA: GHSA-579w-22j4-4749
Criticality: High
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Title: Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Solution: upgrade to '~> 5.2.8, >= 5.2.8.15', '~> 6.1.7, >= 6.1.7.1', '>= 7.0.4.1'

Name: activesupport
Version: 5.2.8.1
CVE: CVE-2023-22796
GHSA: GHSA-j6gc-792m-qgm2
Criticality: Unknown
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Title: ReDoS based DoS vulnerability in Active Support’s underscore
Solution: upgrade to '~> 5.2.8, >= 5.2.8.15', '~> 6.1.7, >= 6.1.7.1', '>= 7.0.4.1'

Name: activesupport
Version: 5.2.8.1
CVE: CVE-2023-28120
GHSA: GHSA-pj73-v5mw-pm9j
Criticality: Unknown
URL: https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
Title: Possible XSS Security Vulnerability in SafeBuffer#bytesplice
Solution: upgrade to '~> 6.1.7, >= 6.1.7.3', '>= 7.0.4.3'

Vulnerabilities found!

Tbh, I don't have a clue about Ruby or Rails, but it seems that at least CVE-2023-28120 is due to hyrax-v3.5.0 depending on rails ~> 5.0 in hyrax.gemfile.

hardfalcon avatar Mar 30 '23 16:03 hardfalcon
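As an added example (not the reporter's code and not part of hyrax), the script below parses bundle-audit's report format as printed above and, for each advisory, checks whether the locked version is actually vulnerable and which of the listed patched requirements the project's own constraint still admits; it uses the `rails ~> 5.0` constraint named in the issue, and the sample report text is constructed from two of the entries above.

```ruby
require "rubygems"

# Constructed sample in bundle-audit's report format, trimmed to the fields read here.
SAMPLE_REPORT = <<~REPORT
  Name: actionpack
  Version: 5.2.8.1
  CVE: CVE-2023-22792
  Solution: upgrade to '~> 5.2.8, >= 5.2.8.15', '~> 6.1.7, >= 6.1.7.1', '>= 7.0.4.1'

  Name: activesupport
  Version: 5.2.8.1
  CVE: CVE-2023-28120
  Solution: upgrade to '~> 6.1.7, >= 6.1.7.3', '>= 7.0.4.3'
REPORT

# Split the report into one record per "Name:" block.
def parse_advisories(report)
  report.split(/\n\s*\n/).map do |block|
    fields = block.scan(/^(\w+): (.*)$/).to_h
    next unless fields["Name"]
    {
      name: fields["Name"],
      version: Gem::Version.new(fields["Version"]),
      cve: fields["CVE"],
      # Each single-quoted string is one patched requirement; commas inside it are ANDed clauses.
      fixes: fields["Solution"].scan(/'([^']+)'/).flatten
                               .map { |s| Gem::Requirement.new(*s.split(", ")) },
    }
  end.compact
end

# Lowest version satisfying a requirement made of '>=' / '~>' clauses (nil if the clauses conflict).
def minimum_fixed_version(req)
  lower = req.requirements.map { |_op, ver| ver }.max
  req.satisfied_by?(lower) ? lower : nil
end

# For each advisory: is the locked version unpatched, and which fixed versions does
# the project's dependency constraint (e.g. the hyrax 'rails ~> 5.0') still allow?
def fix_options(report, project_constraint)
  constraint = Gem::Requirement.new(project_constraint)
  parse_advisories(report).map do |adv|
    vulnerable = adv[:fixes].none? { |r| r.satisfied_by?(adv[:version]) }
    allowed = adv[:fixes].map { |r| minimum_fixed_version(r) }.compact
                         .select { |v| constraint.satisfied_by?(v) }
    { cve: adv[:cve], name: adv[:name], vulnerable: vulnerable,
      fixable_within_constraint: allowed.map(&:to_s) }
  end
end

fix_options(SAMPLE_REPORT, "~> 5.0").each { |r| puts r.inspect } if __FILE__ == $PROGRAM_NAME
```

An empty `fixable_within_constraint` list (as for CVE-2023-28120 here) means no patched release exists inside the constraint, so the dependency bound itself has to move.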