From 24dcff3c1deb3a5624167198fbfef09db1bca8d9 Mon Sep 17 00:00:00 2001 From: Javi Martín Date: Fri, 15 Aug 2025 10:51:09 +0200 Subject: [PATCH] Relax Rails dependency to allow security updates Currently dependabot is failing to upgrade some gems that are part of Rails. For example, when there's a security issue in ActiveRecord or ActiveStorage, we get messages like: ``` Dependabot cannot update activestorage to a non-vulnerable version. The latest possible version that can be installed is 7.1.5.1 because of the following conflicting dependencies: rails (7.1.5.1) requires activestorage (= 7.1.5.1) via actionmailbox (7.1.5.1) rails (7.1.5.1) requires activestorage (= 7.1.5.1) via actiontext (7.1.5.1) rails (7.1.5.1) requires activestorage (= 7.1.5.1) The earliest fixed version is 7.1.5.2. ``` So we're relaxing the dependency in order to make it easier for dependabot to upgrade gems that are part of Rails. Note that, with this configuration, Dependabot wouldn't be able to upgrade to Rails 7.1.6 if this release fixed a security issue in a gem that is part of Rails. We might still need to upgrade Rails manually in this case. --- Gemfile | 2 +- Gemfile.lock | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Gemfile b/Gemfile index e98a19c20..ca3705f83 100644 --- a/Gemfile +++ b/Gemfile @@ -2,7 +2,7 @@ source "https://rubygems.org" ruby file: ".ruby-version" -gem "rails", "7.1.5.1" +gem "rails", "~> 7.1.5.1" gem "acts-as-taggable-on", "~> 12.0.0" gem "acts_as_votable", "~> 0.14.0" diff --git a/Gemfile.lock b/Gemfile.lock index 996d328c3..82ec54af7 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -815,7 +815,7 @@ DEPENDENCIES pronto-rubocop (~> 0.11.6) pronto-stylelint (~> 0.11.1) puma (~> 6.6.0) - rails (= 7.1.5.1) + rails (~> 7.1.5.1) recipient_interceptor (~> 0.3.3) redcarpet (~> 3.6.1) responders (~> 3.1.1)
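Review bot: In the Gemfile hunk, `gem "rails", "~> 7.1.5.1"` only opens the range `>= 7.1.5.1, < 7.1.6`, so the limitation the commit message itself spells out (Dependabot still cannot move to 7.1.6 if that release carries a security fix) is built into the chosen constraint. If the intent is to let Dependabot apply any 7.1.x security release automatically while still excluding 7.2, `gem "rails", "~> 7.1.5"` (`>= 7.1.5, < 7.2`) does that with the same one-line change. Whichever range is kept, a short comment above the `gem "rails"` line explaining why it is no longer an exact pin would stop the next contributor from tightening it back to `"7.1.5.1"` and silently reintroducing the Dependabot conflict quoted in the message.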
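Review bot: In the Gemfile.lock hunk only the `DEPENDENCIES` entry changes from `rails (= 7.1.5.1)` to `rails (~> 7.1.5.1)`; per the diffstat (`Gemfile.lock | 2 +-`) the resolved `rails (7.1.5.1)` spec and every `activestorage (= 7.1.5.1)` requirement in the specs section stay as they are, so this patch on its own installs nothing new and the actual security upgrade still has to arrive as a separate Dependabot PR or a manual `bundle update rails`. That is fine, but it is worth stating in the description so nobody reads the PR title as "security updates applied". Also prefer regenerating this line with `bundle lock` rather than hand-editing it: the `DEPENDENCIES` text must match the Gemfile exactly for a frozen/deployment `bundle install` to pass, and letting Bundler write it guarantees that.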
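To make the range behind each pinning style concrete, here is a small added example (not code from this patch or the project) that asks RubyGems' own requirement parser which candidate versions each constraint admits. The candidate list is constructed for the example: 7.1.5.1 is the version on the page, 7.1.5.2 and 7.1.6 are the hypothetical fixed releases the commit message discusses, and 7.2.0 is an assumed next minor release.

```ruby
require "rubygems"

# Constructed candidate Rails versions for this example; only 7.1.5.1 appears in
# the patch itself, the others stand in for future security releases.
CANDIDATES = %w[7.1.5.1 7.1.5.2 7.1.6 7.2.0].freeze

# Return the candidates a Gemfile requirement string would allow Bundler to
# resolve to, using the same Gem::Requirement semantics Bundler applies.
def allowed_versions(requirement, candidates = CANDIDATES)
  req = Gem::Requirement.new(requirement)
  candidates.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# The exact pin the patch removes, the pessimistic pin it introduces, and the
# one-level-looser pessimistic pin that would also admit a 7.1.6 release.
def compare_pins
  {
    "7.1.5.1"    => allowed_versions("7.1.5.1"),     # "= 7.1.5.1": nothing else
    "~> 7.1.5.1" => allowed_versions("~> 7.1.5.1"),  # >= 7.1.5.1, < 7.1.6
    "~> 7.1.5"   => allowed_versions("~> 7.1.5"),    # >= 7.1.5,   < 7.2
  }
end

# Reproduce the conflict Dependabot reported: a rails pinned to exactly 7.1.5.1
# requires activestorage = 7.1.5.1, so a fixed activestorage 7.1.5.2 can never
# be selected until rails itself is allowed to move.
def exact_pin_blocks_fixed_gem?
  activestorage_req = Gem::Requirement.new("= 7.1.5.1")
  !activestorage_req.satisfied_by?(Gem::Version.new("7.1.5.2"))
end

if __FILE__ == $PROGRAM_NAME
  compare_pins.each { |pin, versions| puts "#{pin.ljust(12)} -> #{versions.join(', ')}" }
  puts "exact pin blocks activestorage 7.1.5.2: #{exact_pin_blocks_fixed_gem?}"
end
```

Running it shows why the commit message's caveat holds: `~> 7.1.5.1` admits 7.1.5.2 but stops short of 7.1.6, whereas `~> 7.1.5` would admit 7.1.6 and still exclude 7.2.0.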