-rw-r--r-- | Gemfile | 12 | ||||
-rw-r--r-- | Gemfile.lock | 51 |
2 files changed, 41 insertions, 22 deletions
@@ -2,6 +2,10 @@ source "https://rubygems.org" gem 'rails', '4.1.11' +# Specify a sprockets version due to security issue +# See https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY +gem 'sprockets', '~> 2.12.3' + # Default values for AR models gem "default_value_for", "~> 3.0.0" @@ -181,7 +185,7 @@ gem 'mousetrap-rails' # Detect and convert string character encoding gem 'charlock_holmes' -gem "sass-rails", '~> 4.0.2' +gem "sass-rails", '~> 4.0.5' gem "coffee-rails" gem "uglifier" gem 'turbolinks', '~> 2.5.0' @@ -234,6 +238,12 @@ group :development, :test do gem 'rubocop', '0.28.0', require: false gem 'spinach-rails' + # rest-client is a coveralls dependency and not used directly in GitLab, but + # we specify a version here to pick up some security fixes. + # See https://github.com/rest-client/rest-client/issues/369 + # and http://www.osvdb.org/show/osvdb/117461 + gem 'rest-client', '~> 1.8.0' + # Prevent occasions where minitest is not bundled in packaged versions of ruby (see #3826) gem 'minitest', '~> 5.3.0' diff --git a/Gemfile.lock b/Gemfile.lock index 718236ec39c..7641d908131 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -113,12 +113,12 @@ GEM colorize (0.5.8) columnize (0.9.0) connection_pool (2.1.0) - coveralls (0.7.0) - multi_json (~> 1.3) - rest-client - simplecov (>= 0.7) - term-ansicolor - thor + coveralls (0.8.2) + json (~> 1.8) + rest-client (>= 1.6.8, < 2) + simplecov (~> 0.10.0) + term-ansicolor (~> 1.3) + thor (~> 0.19.1) crack (0.4.2) safe_yaml (~> 1.0.0) creole (0.3.8) @@ -149,6 +149,8 @@ GEM diff-lcs (1.2.5) diffy (3.0.3) docile (1.1.5) + domain_name (0.5.24) + unf (>= 0.0.5, < 1.0.0) doorkeeper (2.1.3) railties (>= 3.2) dotenv (0.9.0) @@ -322,6 +324,8 @@ GEM html-pipeline (1.11.0) activesupport (>= 2) nokogiri (~> 1.4) + http-cookie (1.0.2) + domain_name (~> 0.5) http_parser.rb (0.5.3) httparty (0.13.3) json (~> 1.8) 
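Review bot: The two security pins added to the Gemfile (`gem 'sprockets', '~> 2.12.3'` in the first hunk and `gem 'rest-client', '~> 1.8.0'` in the `:development, :test` hunk) constrain transitive dependencies, but their comments do not state that the pin is a version floor or when it can be dropped. Gemfile.lock shows the parent gems still accept older releases (`sprockets (>= 2.8, < 4.0)` under sprockets-rails, `rest-client (>= 1.6.8, < 2)` under coveralls), so these two Gemfile lines are the only thing holding the floor and could later be removed as apparently unused. I would add a line such as `# Security floor: keep until sass-rails/sprockets-rails themselves require sprockets >= 2.12.3`, with the equivalent for rest-client and coveralls. I would also cite each advisory by its identifier as well as by link, since the OSVDB reference is a plain-http URL to a third-party site. A dependency-audit step in CI (for example bundler-audit) would catch a regression if either pin is loosened.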
@@ -377,6 +381,7 @@ GEM net-scp (1.2.1) net-ssh (>= 2.6.5) net-ssh (2.9.2) + netrc (0.10.3) newrelic_rpm (3.9.4.245) nokogiri (1.6.6.2) mini_portile (~> 0.6.0) @@ -525,8 +530,10 @@ GEM request_store (1.0.5) rerun (0.10.0) listen (~> 2.7, >= 2.7.3) - rest-client (1.6.7) - mime-types (>= 1.16) + rest-client (1.8.0) + http-cookie (>= 1.0.2, < 2.0) + mime-types (>= 1.16, < 3.0) + netrc (~> 0.7) rinku (1.7.3) rotp (1.6.1) rouge (1.7.7) @@ -577,10 +584,10 @@ GEM sanitize (2.1.0) nokogiri (>= 1.4.4) sass (3.2.19) - sass-rails (4.0.3) + sass-rails (4.0.5) railties (>= 4.0.0, < 5.0) - sass (~> 3.2.0) - sprockets (~> 2.8, <= 2.11.0) + sass (~> 3.2.2) + sprockets (~> 2.8, < 3.0) sprockets-rails (~> 2.0) sawyer (0.6.0) addressable (~> 2.3.5) @@ -608,11 +615,11 @@ GEM ice_cube (= 0.11.1) sidekiq (>= 3.0.0) simple_oauth (0.1.9) - simplecov (0.9.0) + simplecov (0.10.0) docile (~> 1.1.0) - multi_json - simplecov-html (~> 0.8.0) - simplecov-html (0.8.0) + json (~> 1.8) + simplecov-html (~> 0.10.0) + simplecov-html (0.10.0) sinatra (1.4.4) rack (~> 1.4) rack-protection (~> 1.4) @@ -637,12 +644,12 @@ GEM spring (>= 0.9.1) spring-commands-teaspoon (0.0.2) spring (>= 0.9.1) - sprockets (2.11.0) + sprockets (2.12.4) hike (~> 1.2) multi_json (~> 1.0) rack (~> 1.0) tilt (~> 1.1, != 1.3.0) - sprockets-rails (2.3.1) + sprockets-rails (2.3.2) actionpack (>= 3.0) activesupport (>= 3.0) sprockets (>= 2.8, < 4.0) @@ -657,8 +664,8 @@ GEM teaspoon-jasmine (2.2.0) teaspoon (>= 1.0.0) temple (0.6.7) - term-ansicolor (1.2.2) - tins (~> 0.8) + term-ansicolor (1.3.2) + tins (~> 1.0) terminal-table (1.4.5) test_after_commit (0.2.2) thin (1.6.1) @@ -680,7 +687,7 @@ GEM mime-types (~> 1.19) multi_json (~> 1.7) twitter-stream (~> 0.1) - tins (0.13.1) + tins (1.5.4) trollop (2.1.2) turbolinks (2.5.3) coffee-rails 
@@ -826,12 +833,13 @@ DEPENDENCIES redis-rails request_store rerun (~> 0.10.0) + rest-client (~> 1.8.0) rqrcode-rails3 rspec-rails (~> 3.3.0) rubocop (= 0.28.0) rugments (~> 1.0.0.beta8) sanitize (~> 2.0) - sass-rails (~> 4.0.2) + sass-rails (~> 4.0.5) sdoc seed-fu select2-rails @@ -849,6 +857,7 @@ DEPENDENCIES spring-commands-rspec (~> 1.0.0) spring-commands-spinach (~> 1.0.0) spring-commands-teaspoon (~> 0.0.2) + sprockets (~> 2.12.3) stamp state_machine task_list (= 1.0.2) |