I have an error saying I have a vulnerability and I need to update activejob and activestorage to >= 5.2.1.1 in my rails application.

So in my Gemfile I have

gem 'activejob', '<= 5.2.1.1'
gem 'activestorage', '<= 5.2.1.1'

And I ran

bundle update activejob
bundle update activestorage
I used <= because I have some dependencies that rely on an older version of activejob and activestorage. They don't work with the 5.2.1.1 version, and I'm unable to update those gems because it could break my application at this time.

When I ran bundle audit --update it still says that I have the same vulnerabilities and that I should upgrade.
After running bundle install, this is what I have in my Gemfile.lock:

GEM
  specs:
    activejob (5.2.0)
      activesupport (= 5.2.0)
      globalid (>= 0.3.6)
    activestorage (5.2.0)
      actionpack (= 5.2.0)
      activerecord (= 5.2.0)
      marcel (~> 0.3.1)

DEPENDENCIES
  activejob (<= 5.2.1.1)
  activestorage (<= 5.2.1.1)
I can't delete my Gemfile.lock and run bundle install. I also can't run bundle update because I have gems that I don't want to update; it could break the application. Any suggestions?
ActiveJob and ActiveSupport are dependent on your rails version.

If your rails version (perhaps 5.0), or that of any other gem that places limitations on AJ and AS for that matter, is locked down and is constraining the versions of ActiveJob and ActiveStorage, then it will override the version requirements you set in your Gemfile for those two gems.

I'd hazard a guess that you need to update rails to 5.1 and run bundle update, but it's hard to say without seeing your full Gemfile/Gemfile.lock.
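The resolution behaviour the answer describes can be checked directly against a Gemfile.lock rather than guessed at. The script below is an added example, not code from the question or the answer and not part of Bundler: it parses the `specs:` and `DEPENDENCIES` sections of a lockfile with plain RubyGems classes (`Gem::Version`, `Gem::Requirement`) and reports, for a gem and a target version, every entry whose requirement does not admit that version. The lockfile text is constructed for the example; it copies the shape of the one in the question and adds a hypothetical `rails (5.2.0)` spec (plus a hypothetical `rails (= 5.2.0)` line in DEPENDENCIES) to stand in for the kind of parent gem the answer refers to. Two things the output makes explicit: a Gemfile requirement of `<= 5.2.1.1` is only an upper bound that the locked 5.2.0 already satisfies, so Bundler has no reason to move; and the parent spec's `activejob (= 5.2.0)` dependency would block the move in any case.

```ruby
require "rubygems"

# Constructed sample lockfile (not the asker's real file). The rails entry
# is hypothetical and exists only to show a parent gem pinning activejob.
SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    actionpack (5.2.0)
      activesupport (= 5.2.0)
    activejob (5.2.0)
      activesupport (= 5.2.0)
      globalid (>= 0.3.6)
    activerecord (5.2.0)
      activesupport (= 5.2.0)
    activestorage (5.2.0)
      actionpack (= 5.2.0)
      activerecord (= 5.2.0)
      marcel (~> 0.3.1)
    activesupport (5.2.0)
    globalid (0.4.1)
    marcel (0.3.3)
    rails (5.2.0)
      actionpack (= 5.2.0)
      activejob (= 5.2.0)
      activerecord (= 5.2.0)
      activestorage (= 5.2.0)
      activesupport (= 5.2.0)

PLATFORMS
  ruby

DEPENDENCIES
  activejob (<= 5.2.1.1)
  activestorage (<= 5.2.1.1)
  rails (= 5.2.0)
LOCK

# One locked gem: its version and the requirements it places on other gems.
Entry = Struct.new(:name, :version, :deps) # deps: [[dep_name, Gem::Requirement], ...]

# "name (req1, req2)" or "name" (optional trailing "!" for git/path sources).
def parse_entry(body)
  m = body.match(/\A(\S+?)(?: \((.+)\))?!?\z/) or raise ArgumentError, "unparsable: #{body}"
  [m[1], m[2]]
end

def requirement_from(text)
  Gem::Requirement.new(text ? text.split(", ") : [">= 0"])
end

# Minimal Gemfile.lock reader: returns [specs_by_name, gemfile_requirements].
# Sections start at column 0; under GEM/PATH/GIT, 4-space lines are specs and
# 6-space lines are that spec's dependencies; DEPENDENCIES lines are the
# requirements written in the Gemfile itself.
def parse_lockfile(text)
  specs = {}
  top_deps = {}
  section = nil
  in_specs = false
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    indent = line[/\A */].size
    body = line.strip
    if indent.zero?
      section, in_specs, current = body, false, nil
      next
    end
    case section
    when "GEM", "PATH", "GIT"
      if indent == 2
        in_specs = (body == "specs:")
      elsif in_specs && indent == 4
        name, version = parse_entry(body)
        current = Entry.new(name, Gem::Version.new(version), [])
        specs[name] = current
      elsif in_specs && indent == 6 && current
        name, req = parse_entry(body)
        current.deps << [name, requirement_from(req)]
      end
    when "DEPENDENCIES"
      name, req = parse_entry(body)
      top_deps[name] = requirement_from(req)
    end
  end
  [specs, top_deps]
end

# Every requirement on gem_name (from the Gemfile or from a locked parent
# gem) that does NOT admit target_version, as [[holder, requirement], ...].
# An empty result means nothing in the lock forbids the upgrade.
def blockers(specs, top_deps, gem_name, target_version)
  target = Gem::Version.new(target_version)
  out = []
  if (req = top_deps[gem_name]) && !req.satisfied_by?(target)
    out << ["Gemfile", req.to_s]
  end
  specs.each_value do |spec|
    spec.deps.each do |dep_name, req|
      next unless dep_name == gem_name && !req.satisfied_by?(target)
      out << ["#{spec.name} (#{spec.version})", req.to_s]
    end
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  specs, top_deps = parse_lockfile(SAMPLE_LOCK)
  %w[activejob activestorage].each do |g|
    puts "#{g}: locked at #{specs[g].version}; Gemfile says '#{top_deps[g]}' " \
         "(already satisfied by the locked version: #{top_deps[g].satisfied_by?(specs[g].version)})"
    blockers(specs, top_deps, g, "5.2.1.1").each { |who, req| puts "  #{who} requires #{g} #{req}" }
  end
end
```

To run it against a real project, replace `SAMPLE_LOCK` with `File.read("Gemfile.lock")`. Whatever `blockers` names is what has to move first: in the constructed lock it is the rails pin, which is the situation the answer describes, and a `bundle update activejob` alone can never get past it.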