From 68235243e1285a72e52b5514f840cb0c2ad045d1 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Sat, 4 Apr 2026 12:31:15 +0000 Subject: [PATCH 1/3] fix: Gemfile & Gemfile.lock to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-RUBY-ACTIVESUPPORT-15762697 - https://snyk.io/vuln/SNYK-RUBY-ACTIVESUPPORT-15762331 - https://snyk.io/vuln/SNYK-RUBY-ACTIVESUPPORT-15762701 --- Gemfile | 2 +- Gemfile.lock | 39 ++++++++++----------------------------- 2 files changed, 11 insertions(+), 30 deletions(-) diff --git a/Gemfile b/Gemfile index 4a74f5363ad2..2c89f021d804 100644 --- a/Gemfile +++ b/Gemfile @@ -4,7 +4,7 @@ source "https://rubygems.org" ruby ">= 3.3.4" gem "cocoapods", "= 1.16.2" -gem 'activesupport', '>= 6.1.7.5', '!= 7.1.0' +gem 'activesupport', '>= 7.2.3.1' gem 'xcodeproj', '~> 1.27' gem "fastlane", "~> 2", ">= 2.229.0" gem "xcpretty", "~> 0" diff --git a/Gemfile.lock b/Gemfile.lock index 769319b16842..86f0e4515b19 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -3,7 +3,7 @@ GEM specs: CFPropertyList (3.0.8) abbrev (0.1.2) - activesupport (7.2.3) + activesupport (7.2.3.1) base64 benchmark (>= 0.3) bigdecimal @@ -12,7 +12,7 @@ GEM drb i18n (>= 1.6, < 2) logger (>= 1.4.2) - minitest (>= 5.1) + minitest (>= 5.1, < 6) securerandom (>= 0.3) tzinfo (~> 2.0, >= 2.0.5) addressable (2.8.8) @@ -20,8 +20,6 @@ GEM algoliasearch (1.27.5) httpclient (~> 2.8, >= 2.8.3) json (>= 1.5.1) - apktools (0.7.5) - rubyzip (~> 2.0) artifactory (3.0.17) atomos (0.1.3) aws-eventstream (1.4.0) @@ -45,8 +43,8 @@ GEM aws-eventstream (~> 1, >= 1.0.2) babosa (1.0.4) base64 (0.3.0) - benchmark (0.3.0) - bigdecimal (4.0.1) + benchmark (0.5.0) + bigdecimal (4.1.0) claide (1.1.0) cocoapods (1.16.2) addressable (~> 2.8) @@ -89,8 +87,8 @@ GEM colored2 (3.1.2) commander (4.6.0) highline (~> 2.0.0) - concurrent-ruby (1.3.5) - connection_pool (2.5.4) + concurrent-ruby (1.3.6) + connection_pool (3.0.2) csv (3.3.5) declarative (0.0.20) digest-crc (0.7.0) @@ -177,13 +175,6 @@ GEM xcodeproj (>= 1.13.0, < 2.0.0) xcpretty (~> 0.4.1) xcpretty-travis-formatter (>= 0.0.3, < 2.0.0) - fastlane-plugin-aws_s3 (2.1.0) - apktools (~> 0.7) - aws-sdk-s3 (~> 1) - mime-types (~> 3.3) - fastlane-plugin-firebase_app_distribution (0.10.1) - google-apis-firebaseappdistribution_v1 (~> 0.3.0) - google-apis-firebaseappdistribution_v1alpha (~> 0.2.0) fastlane-sirp (1.0.0) sysrandom (~> 1.0) ffi (1.17.2) @@ -203,10 +194,6 @@ GEM representable (~> 3.0) retriable (>= 2.0, < 4.a) rexml - google-apis-firebaseappdistribution_v1 (0.3.0) - google-apis-core (>= 0.11.0, < 2.a) - google-apis-firebaseappdistribution_v1alpha (0.2.0) - google-apis-core (>= 0.11.0, < 2.a) google-apis-iamcredentials_v1 (0.17.0) google-apis-core (>= 0.11.0, < 2.a) google-apis-playcustomapp_v1 (0.13.0) @@ -238,20 +225,16 @@ GEM domain_name (~> 0.5) httpclient (2.9.0) mutex_m - i18n (1.14.7) + i18n (1.14.8) concurrent-ruby (~> 1.0) jmespath (1.6.2) json (2.18.0) jwt (2.10.2) base64 logger (1.7.0) - mime-types (3.7.0) - logger - mime-types-data (~> 3.2025, >= 3.2025.0507) - mime-types-data (3.2025.0924) mini_magick (4.13.2) mini_mime (1.1.5) - minitest (5.26.1) + minitest (5.27.0) molinillo (0.8.0) multi_json (1.18.0) multipart-post (2.4.1) @@ -322,13 +305,11 @@ PLATFORMS x86_64-linux DEPENDENCIES - activesupport (>= 6.1.7.5, != 7.1.0) + activesupport (>= 7.2.3.1) benchmark bigdecimal cocoapods (= 1.16.2) fastlane (~> 2, >= 2.229.0) - fastlane-plugin-aws_s3 - fastlane-plugin-firebase_app_distribution logger mutex_m openssl (>= 3.3.1) @@ -339,4 +320,4 @@ RUBY VERSION ruby 3.3.4p94 BUNDLED WITH - 2.6.9 + 2.5.22 From 0b901e505fa58db21cf5054e31bfd02e8888c7e5 Mon Sep 17 00:00:00 2001 From: "Rory Abraham (via MelvinBot)" Date: Mon, 6 Apr 2026 18:24:19 +0000 Subject: [PATCH 2/3] Restore BUNDLED WITH version to 2.6.9 The Snyk fix incorrectly changed the BUNDLED WITH version from 2.6.9 to 2.5.22. This should not change as part of a dependency upgrade. Co-authored-by: Rory Abraham --- Gemfile.lock | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile.lock b/Gemfile.lock index 86f0e4515b19..036d34016ed9 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -320,4 +320,4 @@ RUBY VERSION ruby 3.3.4p94 BUNDLED WITH - 2.5.22 + 2.6.9 From 6bdcfaa9867e794b588a6055722f5fabda167c3e Mon Sep 17 00:00:00 2001 From: "Rory Abraham (via MelvinBot)" Date: Mon, 6 Apr 2026 18:41:04 +0000 Subject: [PATCH 3/3] Upgrade activesupport from 7.2.3 to 7.2.3.1 Minimal security patch: only bumps activesupport version constraint in Gemfile and Gemfile.lock. No other dependency changes. Co-authored-by: Rory Abraham --- Gemfile.lock | 33 ++++++++++++++++++++++++++------- 1 file changed, 26 insertions(+), 7 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index 036d34016ed9..79e9f4f0114c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -12,7 +12,7 @@ GEM drb i18n (>= 1.6, < 2) logger (>= 1.4.2) - minitest (>= 5.1, < 6) + minitest (>= 5.1) securerandom (>= 0.3) tzinfo (~> 2.0, >= 2.0.5) addressable (2.8.8) @@ -20,6 +20,8 @@ GEM algoliasearch (1.27.5) httpclient (~> 2.8, >= 2.8.3) json (>= 1.5.1) + apktools (0.7.5) + rubyzip (~> 2.0) artifactory (3.0.17) atomos (0.1.3) aws-eventstream (1.4.0) @@ -43,8 +45,8 @@ GEM aws-eventstream (~> 1, >= 1.0.2) babosa (1.0.4) base64 (0.3.0) - benchmark (0.5.0) - bigdecimal (4.1.0) + benchmark (0.3.0) + bigdecimal (4.0.1) claide (1.1.0) cocoapods (1.16.2) addressable (~> 2.8) @@ -87,8 +89,8 @@ GEM colored2 (3.1.2) commander (4.6.0) highline (~> 2.0.0) - concurrent-ruby (1.3.6) - connection_pool (3.0.2) + concurrent-ruby (1.3.5) + connection_pool (2.5.4) csv (3.3.5) declarative (0.0.20) digest-crc (0.7.0) @@ -175,6 +177,13 @@ GEM xcodeproj (>= 1.13.0, < 2.0.0) xcpretty (~> 0.4.1) xcpretty-travis-formatter (>= 0.0.3, < 2.0.0) + fastlane-plugin-aws_s3 (2.1.0) + apktools (~> 0.7) + aws-sdk-s3 (~> 1) + mime-types (~> 3.3) + fastlane-plugin-firebase_app_distribution (0.10.1) + google-apis-firebaseappdistribution_v1 (~> 0.3.0) + google-apis-firebaseappdistribution_v1alpha (~> 0.2.0) fastlane-sirp (1.0.0) sysrandom (~> 1.0) ffi (1.17.2) @@ -194,6 +203,10 @@ GEM representable (~> 3.0) retriable (>= 2.0, < 4.a) rexml + google-apis-firebaseappdistribution_v1 (0.3.0) + google-apis-core (>= 0.11.0, < 2.a) + google-apis-firebaseappdistribution_v1alpha (0.2.0) + google-apis-core (>= 0.11.0, < 2.a) google-apis-iamcredentials_v1 (0.17.0) google-apis-core (>= 0.11.0, < 2.a) google-apis-playcustomapp_v1 (0.13.0) @@ -225,16 +238,20 @@ GEM domain_name (~> 0.5) httpclient (2.9.0) mutex_m - i18n (1.14.8) + i18n (1.14.7) concurrent-ruby (~> 1.0) jmespath (1.6.2) json (2.18.0) jwt (2.10.2) base64 logger (1.7.0) + mime-types (3.7.0) + logger + mime-types-data (~> 3.2025, >= 3.2025.0507) + mime-types-data (3.2025.0924) mini_magick (4.13.2) mini_mime (1.1.5) - minitest (5.27.0) + minitest (5.26.1) molinillo (0.8.0) multi_json (1.18.0) multipart-post (2.4.1) @@ -310,6 +327,8 @@ DEPENDENCIES bigdecimal cocoapods (= 1.16.2) fastlane (~> 2, >= 2.229.0) + fastlane-plugin-aws_s3 + fastlane-plugin-firebase_app_distribution logger mutex_m openssl (>= 3.3.1)