rm Ruby 2.4 support to address rexml CVE

panorama-ed · Jun 3, 2024 · 8c1fa32 · 8c1fa32
1 parent e5f5790
commit 8c1fa32
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 6 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -14,7 +14,7 @@ jobs:
       matrix:
         # Due to https://github.com/actions/runner/issues/849, we have to use
         # quotes for '3.0' -- without quotes, CI sees '3' and runs the latest.
-        ruby: [2.4, 2.5, 2.6, 2.7, '3.0', 3.1, 3.2, jruby, truffleruby-head]
+        ruby: [2.5, 2.6, 2.7, '3.0', 3.1, 3.2, jruby, truffleruby-head]
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,12 +5,21 @@ follows a format inspired by [Keep a Changelog](https://keepachangelog.com/en/1.
 
 This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased](https://github.com/panorama-ed/memo_wise/compare/v1.8.0...HEAD)
+## [Unreleased](https://github.com/panorama-ed/memo_wise/compare/v1.9.0...HEAD)
+
+**Gem enhancements:**
+
+_No breaking changes!_
+
+**Project enhancements:**
+
+## [v1.9.0](https://github.com/panorama-ed/memo_wise/compare/v1.8.0...v1.9.0)
 
 **Gem enhancements:**
 
 - Fixed a bug that overwrote existing self.extended method definitions. [[#324]](https://github.com/panorama-ed/memo_wise/pull/314)
 - Fixed a bug that overwrote existing self.inherited method definitions. [[#325]](https://github.com/panorama-ed/memo_wise/pull/315)
+- Removed Ruby 2.4 (EOL) support to allow upgrading rexml dependency version from a version that includes a [CVE](https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/) [[#336]](https://github.com/panorama-ed/memo_wise/pull/336)
 
 _No breaking changes!_
 

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -11,7 +11,7 @@ GIT
 PATH
   remote: .
   specs:
-    memo_wise (1.8.0)
+    memo_wise (1.9.0)
 
 GEM
   remote: https://rubygems.org/
@@ -33,7 +33,8 @@ GEM
     rake (13.1.0)
     redcarpet (3.6.0)
     regexp_parser (2.8.0)
-    rexml (3.2.5)
+    rexml (3.2.8)
+      strscan (>= 3.0.9)
     rouge (4.1.0)
     rspec (3.13.0)
       rspec-core (~> 3.13.0)
@@ -82,6 +83,7 @@ GEM
     simplecov-html (0.12.3)
     simplecov_json_formatter (0.1.4)
     slop (3.6.0)
+    strscan (3.1.0)
     unicode-display_width (2.4.2)
     values (1.8.0)
     webrick (1.8.1)

diff --git a/lib/memo_wise/version.rb b/lib/memo_wise/version.rb
@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module MemoWise
-  VERSION = "1.8.0"
+  VERSION = "1.9.0"
 end
diff --git a/memo_wise.gemspec b/memo_wise.gemspec
@@ -23,7 +23,7 @@ Gem::Specification.new do |spec|
     "[email protected]",
   ]
 
-  spec.required_ruby_version = Gem::Requirement.new(">= 2.4.0")
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.5.0")
 
   # Specify which files should be added to the gem when it is released.
   # The `git ls-files -z` loads the files in the RubyGem that have been added