From f07159cbf073eb742b31963df6d492f5cd990808 Mon Sep 17 00:00:00 2001
From: "A. Wilcox"
Date: Tue, 2 Jun 2026 15:11:10 -0500
Subject: [PATCH 1/2] Dockerfile: Fixes and enhancements
* Since the Gemfile declares the Ruby patchlevel, we need to use that same patchlevel for our Docker base image.
* Update the repository indexes in the development stage as well; elsewise, we can sometimes run into stale packages that cause 404 errors.
* Drop the git.lib.berkeley.edu TLS verification workaround; it isn't used any more, and we want to verify TLS on all connections.
---
 Dockerfile | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 075b682..8601995 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,7 @@
 # The base stage scaffolds elements which are common to building and running
 # the application, such as installing ca-certificates, creating the app user,
 # and installing runtime system dependencies.
-FROM ruby:3.3-slim AS base
+FROM ruby:3.3.11-slim AS base
 
 # ------------------------------------------------------------
 # Declarative metadata
@@ -93,7 +93,7 @@ FROM base AS development
 USER root
 
 # Install system packages needed to build gems with C extensions.
-RUN apt-get install -y --no-install-recommends \
+RUN apt-get update -qq && apt-get install -y --no-install-recommends \
 g++ \
 make
 
@@ -103,9 +103,6 @@ RUN apt-get install -y --no-install-recommends \
 # Drop back to $APP_USER.
 USER $APP_USER
 
-# Workaround for certificate issue pulling av_core gem from git.lib.berkeley.edu
-ENV GIT_SSL_NO_VERIFY=1
-
 # Install gems. We don't enforce the validity of the Gemfile.lock until the
 # final (production) stage.
 COPY --chown=$APP_USER:$APP_USER Gemfile* .ruby-version ./
From 12125c84d31e1038c9564393c032c827e62c42ec Mon Sep 17 00:00:00 2001
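Review bot: The new `RUN apt-get update -qq && apt-get install -y --no-install-recommends \` in the development stage now writes a fresh package index into that layer and never removes it: the instruction ends at `make` (the next hunk line is blank, so there is no further continuation) and nothing in the hunk runs `rm -rf /var/lib/apt/lists/*`. Because a later RUN cannot shrink an earlier layer, the cleanup has to sit in this same instruction, e.g. `make \` followed by `&& rm -rf /var/lib/apt/lists/*`; that also means the next build cannot accidentally reuse a stale index from this layer, which is the failure mode the commit message describes. The two packages are installed unpinned; if the base stage pins its apt packages, `g++` and `make` should follow the same convention, but the base stage is outside this hunk so that is an assumption to check.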
From: "A. Wilcox"
Date: Tue, 2 Jun 2026 15:12:47 -0500
Subject: [PATCH 2/2] Gemfile: Updates for security fixes
---
 Gemfile | 5 +++--
 Gemfile.lock | 26 ++++++++++++++------------
 2 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/Gemfile b/Gemfile
index eee18d0..679b5f1 100644
--- a/Gemfile
+++ b/Gemfile
@@ -16,9 +16,10 @@ gem 'non-stupid-digest-assets', '~> 1.0' # Allow static pages (e.g. 404.html) to
 gem 'okcomputer', '~> 1.19'
 gem 'omniauth-cas', '~> 3.0'
 gem 'omniauth-rails_csrf_protection', '~> 1.0'
-gem 'puma', '~> 5.3', '>= 5.3.1'
+gem 'puma', '~> 5.6', '>= 5.6.8'
 gem 'puma-plugin-delayed_stop', '~> 0.1.2'
-gem 'rails', '~> 8.0.4'
+gem 'rack', '~> 2.2', '>= 2.2.23'
+gem 'rails', '~> 8.0.5'
 gem 'rest-client', '~> 2.1'
 gem 'sassc-rails', '~> 2.1'
 gem 'sprockets', '~> 4.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index 84328f5..88c989f 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -72,7 +72,7 @@ GEM
 securerandom (>= 0.3)
 tzinfo (~> 2.0, >= 2.0.5)
 uri (>= 0.13.1)
- addressable (2.8.8)
+ addressable (2.9.0)
 public_suffix (>= 2.0.2, < 8.0)
 amazing_print (1.5.0)
 ast (2.4.3)
@@ -135,7 +135,7 @@ GEM
 dotenv (= 2.8.1)
 railties (>= 3.2)
 drb (2.2.3)
- erb (6.0.2)
+ erb (6.0.4)
 erubi (1.13.1)
 ffi (1.16.3)
 globalid (1.3.0)
@@ -190,7 +190,7 @@ GEM
 drb (~> 2.0)
 prism (~> 1.5)
 mutex_m (0.3.0)
- net-imap (0.6.3)
+ net-imap (0.6.4)
 date
 net-protocol
 net-pop (0.1.2)
@@ -201,13 +201,13 @@ GEM
 net-protocol
 netrc (0.11.0)
 nio4r (2.7.5)
- nokogiri (1.19.2-aarch64-linux-gnu)
+ nokogiri (1.19.3-aarch64-linux-gnu)
 racc (~> 1.4)
- nokogiri (1.19.2-arm64-darwin)
+ nokogiri (1.19.3-arm64-darwin)
 racc (~> 1.4)
- nokogiri (1.19.2-x86_64-darwin)
+ nokogiri (1.19.3-x86_64-darwin)
 racc (~> 1.4)
- nokogiri (1.19.2-x86_64-linux-gnu)
+ nokogiri (1.19.3-x86_64-linux-gnu)
 racc (~> 1.4)
 non-stupid-digest-assets (1.0.11)
 sprockets (>= 2.0)
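Review bot: The new `gem 'rack', '~> 2.2', '>= 2.2.23'` line declares directly a gem this Gemfile previously received only through rails (the DEPENDENCIES hunk of Gemfile.lock in this patch shows no prior rack entry), and nothing in the file records why the direct floor exists, so a later cleanup could drop it as "redundant" and silently lose the minimum. The file already uses trailing comments for this kind of rationale (the hunk header shows `# Allow static pages (e.g. 404.html) to …`), so the same style fits here: `gem 'rack', '~> 2.2', '>= 2.2.23' # declared directly to hold the >= 2.2.23 security floor on a transitive dependency`. The Gemfile.lock hunks in this patch resolve rack to 2.2.23, so the constraint and the lock are consistent as committed.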
@@ -240,13 +240,13 @@ GEM
 psych (5.3.1)
 date
 stringio
- public_suffix (7.0.0)
- puma (5.6.7)
+ public_suffix (7.0.5)
+ puma (5.6.9)
 nio4r (~> 2.0)
 puma-plugin-delayed_stop (0.1.2)
 puma (>= 5.0, < 8)
 racc (1.8.1)
- rack (2.2.22)
+ rack (2.2.23)
 rack-protection (3.2.0)
 base64 (>= 0.1.0)
 rack (~> 2.2, >= 2.2.4)
@@ -426,6 +426,7 @@ PLATFORMS
 arm64-darwin-21
 arm64-darwin-22
 arm64-darwin-23
+ arm64-darwin-24
 arm64-darwin-25
 x86_64-darwin-19
 x86_64-linux
@@ -449,9 +450,10 @@ DEPENDENCIES
 okcomputer (~> 1.19)
 omniauth-cas (~> 3.0)
 omniauth-rails_csrf_protection (~> 1.0)
- puma (~> 5.3, >= 5.3.1)
+ puma (~> 5.6, >= 5.6.8)
 puma-plugin-delayed_stop (~> 0.1.2)
- rails (~> 8.0.4)
+ rack (~> 2.2, >= 2.2.23)
+ rails (~> 8.0.5)
 rest-client (~> 2.1)
 rspec (~> 3.10)
 rspec-rails (~> 8.0)