authorDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2015-07-02 08:25:18 +0000
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2015-07-02 08:25:18 +0000
commit2cbf45282168938696867072cb3e35131bc44a93 (patch)
treedfeb5ae6fa880439f7ecca131c1698e1334ccf08 /Gemfile
parent9c756f9321006d2bfd362964606a27f5150f9d29 (diff)
parent3078b13e7248d5f0df1e1093ebfb8f401d234784 (diff)
Merge branch 'rs-gem-security' into 'master'
Gem updates for security issues

- sprockets (rails dependency, but we need to specify a version to pull in fixes)
- sass-rails (no security issues, but required an update to meet new sprockets version requirement)
- rest-client (coveralls dependency)

See merge request !915
Diffstat (limited to 'Gemfile')
-rw-r--r--Gemfile12
1 files changed, 11 insertions, 1 deletions
diff --git a/Gemfile b/Gemfile
index ec63c7eef84..f2cd20ada73 100644
--- a/Gemfile
+++ b/Gemfile
@@ -2,6 +2,10 @@ source "https://rubygems.org"
gem 'rails', '4.1.11'
+# Specify a sprockets version due to security issue
+# See https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
+gem 'sprockets', '~> 2.12.3'
+
# Default values for AR models
gem "default_value_for", "~> 3.0.0"
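Review bot: The added `gem 'sprockets', '~> 2.12.3'` only changes which versions Bundler is allowed to resolve; what gets installed is whatever Gemfile.lock records, and this view is limited to Gemfile, so the matching lockfile update cannot be confirmed from here. The same applies to the `rest-client` pin in the third hunk. The comment above the pin would also age better if it said that this is a minimum fixed version for a transitive dependency and when it can go, for example `# Security floor for sprockets (pulled in by rails); remove once rails itself requires a fixed release`.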
@@ -181,7 +185,7 @@ gem 'mousetrap-rails'
# Detect and convert string character encoding
gem 'charlock_holmes'
-gem "sass-rails", '~> 4.0.2'
+gem "sass-rails", '~> 4.0.5'
gem "coffee-rails"
gem "uglifier"
gem 'turbolinks', '~> 2.5.0'
@@ -234,6 +238,12 @@ group :development, :test do
gem 'rubocop', '0.28.0', require: false
gem 'spinach-rails'
+ # rest-client is a coveralls dependency and not used directly in GitLab, but
+ # we specify a version here to pick up some security fixes.
+ # See https://github.com/rest-client/rest-client/issues/369
+ # and http://www.osvdb.org/show/osvdb/117461
+ gem 'rest-client', '~> 1.8.0'
+
# Prevent occasions where minitest is not bundled in packaged versions of ruby (see #3826)
gem 'minitest', '~> 5.3.0'
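Review bot: The `~> 1.8.0` constraint on `rest-client` sets a ceiling below 1.9 as well as a floor, so for a gem the comment describes as "not used directly", fixes that ship only in a later minor line would be held back until someone edits this line. If the intent is just a minimum fixed version, `gem 'rest-client', '>= 1.8.0'` says that and leaves the upper bound to coveralls' own requirement; whether coveralls accepts newer releases is not visible here. Of the two references in the comment, the second is a plain `http://` link to a third-party tracker, so the upstream issue link is probably the more durable pointer. The `group :development, :test` block starts in this hunk and continues past its end.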