Vulnerability review. #119
Updating based on conversations on the call today: Many of the initial vulnerabilities were fixed by merging #127, but there are still a few left, most of which involve upgrading to Rails 4.2, which introduces challenges described in #126. For now we should upgrade nokogiri and rest_api if possible, and after that we can reduce the priority of this issue.
Nokogiri is heavily used in the synchronization with Volunteer Connection. We definitely need to test this prior to rolling out a patch, as any interruptions would affect system functionality.
On Jan 9, 2018, at 2:07 PM, Patrick Sier wrote:
Updating based on conversations on the call today:
Many of the initial vulnerabilities were fixed by merging #127 <#127>, but there are still a few left, most of which involve upgrading to Rails 4.2 which introduces challenges described in #126 <#126>. For now we should upgrade nokogiri and rest_api if possible, and after that we can reduce the priority of this issue
@bnazari thanks for noticing that. @pjsier and @pmacaluso3, let's isolate the
How's progress on this issue, @pjsier and @pmacaluso3? We're getting another vulnerability warning from GitHub now, I'm sure you've noticed (let me know if you can't see it when you log in to GitHub and view this repository).
@kfogel I've got #139 open for nokogiri, and I was waiting to merge and deploy that until we finish #120. We can do that sooner, though, if that works. I can open up another PR for the new warning, and then it was my impression that we're lowering the priority of this issue. The other vulnerabilities all relate more to #126 and moving to Rails 4.2.
Paperclip is one dependency we'll need to update, but it's blocked by #126 as well. Flagging it here for now.
Any vulnerabilities currently displayed by the GitHub automagic vulnerability detection system should be examined and handled if necessary.
(And we need to do an independent vulnerability review soon after that, but for the moment let's use the information right in front of us courtesy of GitHub.)
@pjsier and @pmacaluso3, you should both be seeing the vulnerability report when you are logged into GitHub and go to the front page of this repository. Let me know if you have any trouble seeing it.