Bump puma to 3.12.6 or higher
andytinkham opened this issue
Andy Tinkham commented
Puma has a CVE that affects versions prior to 3.12.6. I don't believe we're directly impacted, but we should bump versions to close the CVE.
However, simply bumping the version results in test failures that need to be investigated further.
Geri Jennings commented
Note: see this issue comment for why we will not bump Puma to 3.12.6 for now: #178 (comment)
Geri Jennings commented
See also: #188
Andy Tinkham commented
The linked issues in puma have been fixed, but bumping puma to 3.12.6 still causes test failures.