
Commit 08b2a23

Fix Dependabot security update for concurrent-ruby in react-native (#57355)
Summary:

The Dependabot GitHub Action on `react/react-native` `main` has been failing repeatedly because of `concurrent-ruby`. A security advisory marks `concurrent-ruby < 1.3.7` as affected (patched in `1.3.7`), but all three RN Gemfiles pin `gem 'concurrent-ruby', '<= 1.3.4'`. Dependabot cannot satisfy the advisory under that pin, so it opens a security PR to bump to `1.3.7` and then, on every subsequent run, reports `pull_request_exists_for_latest_version` as a hard error, failing the check and regenerating the internal CI task.

The `<= 1.3.4` upper bound was originally added because `concurrent-ruby 1.3.5` dropped its `logger` dependency, which broke older `activesupport`/CocoaPods setups. That cause is already mitigated: every Gemfile now explicitly lists `gem 'logger'`. The upper-bound pin is therefore obsolete.

This change relaxes the constraint from `<= 1.3.4` to `>= 1.3.7` in all three Gemfiles (root, `private/helloworld`, `packages/rn-tester`) and updates the two corresponding `Gemfile.lock` files to resolve `concurrent-ruby 1.3.7`. `1.3.7` introduces no new transitive dependencies over `1.3.4`, so no other lockfile entries change. With the advisory satisfied on `main`, Dependabot stops recreating the security PR and the recurring check failure stops.

Differential Revision: D109967250
1 parent 54b88d9 commit 08b2a23
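The commit message's reasoning (the lock holds a vulnerable version, and the Gemfile's `<= 1.3.4` cap makes the patched `1.3.7` unresolvable, so an automated security bump can never land) can be checked mechanically with the `Gem::Version`/`Gem::Requirement` classes that Bundler itself uses. The script below is an added example, not code from react-native or from Dependabot: the `Gemfile.lock` excerpt is constructed to mirror the shape of the hunks in this commit, the `Advisory`, `assess` and `admits?` names are this example's own, and the "is the fix reachable" logic is a deliberate simplification of what a dependency-update bot does, not its actual implementation.

```ruby
require 'rubygems'

# Constructed Gemfile.lock excerpt (not the repository's real file), shaped
# like the GEM/specs and DEPENDENCIES sections shown in this commit's hunks.
LOCKFILE_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      colored2 (3.1.2)
      concurrent-ruby (1.2.2)
      escape (0.0.4)
      ethon (0.16.0)
        ffi (>= 1.15.0)

  DEPENDENCIES
    cocoapods (~> 1.13, != 1.15.1, != 1.15.0)
    concurrent-ruby (<= 1.3.4)
    logger
LOCK

# The same excerpt after the change this commit makes.
LOCKFILE_AFTER = LOCKFILE_BEFORE
  .sub('concurrent-ruby (1.2.2)', 'concurrent-ruby (1.3.7)')
  .sub('concurrent-ruby (<= 1.3.4)', 'concurrent-ruby (>= 1.3.7)')

# Resolved version of gem_name from the GEM/specs section. Top-level specs are
# indented 4 spaces; 6-space lines are a spec's own dependencies and are skipped.
def locked_version(lockfile, gem_name)
  in_specs = false
  lockfile.each_line do |line|
    in_specs = true if line.strip == 'specs:'
    in_specs = false if line.strip == 'DEPENDENCIES'
    next unless in_specs
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# Gemfile requirement for gem_name from the DEPENDENCIES section. An entry
# without parentheses (like `logger`) means "any version" (>= 0).
def declared_requirement(lockfile, gem_name)
  in_deps = false
  lockfile.each_line do |line|
    in_deps = true if line.strip == 'DEPENDENCIES'
    next unless in_deps
    m = line.match(/\A {2}#{Regexp.escape(gem_name)}(?: \(([^)]+)\))?\s*\z/)
    next unless m
    return m[1] ? Gem::Requirement.new(*m[1].split(', ')) : Gem::Requirement.default
  end
  nil
end

# A security advisory reduced to what resolution cares about: the vulnerable
# range and the first patched version. Values follow the commit message
# (hypothetical struct; real advisories carry more fields).
Advisory = Struct.new(:gem_name, :vulnerable_range, :patched_version) do
  def affects?(version)
    Gem::Requirement.new(vulnerable_range).satisfied_by?(version)
  end
end

CONCURRENT_RUBY_ADVISORY = Advisory.new('concurrent-ruby', '< 1.3.7', Gem::Version.new('1.3.7'))

# Simplified bot-style check: is the locked version in the vulnerable range,
# and can the declared requirement ever resolve to the patched version?
# :vulnerable true with :fix_allowed false is the stuck state the commit
# message describes (advisory open, but no satisfiable bump exists).
def assess(lockfile, advisory)
  locked = locked_version(lockfile, advisory.gem_name)
  req = declared_requirement(lockfile, advisory.gem_name)
  {
    locked: locked&.to_s,
    vulnerable: locked ? advisory.affects?(locked) : nil,
    fix_allowed: req ? req.satisfied_by?(advisory.patched_version) : nil
  }
end

# Whether a list of Gemfile constraint strings admits a version, for comparing
# candidate replacements of the old `<= 1.3.4` pin (e.g. with or without a cap).
def admits?(constraints, version)
  Gem::Requirement.new(*constraints).satisfied_by?(Gem::Version.new(version))
end

if __FILE__ == $PROGRAM_NAME
  p assess(LOCKFILE_BEFORE, CONCURRENT_RUBY_ADVISORY)
  p assess(LOCKFILE_AFTER, CONCURRENT_RUBY_ADVISORY)
  p admits?(['>= 1.3.7', '< 2'], '1.3.7'), admits?(['>= 1.3.7', '< 2'], '2.0.0')
end
```

Run against the "before" excerpt the check reports `locked: "1.2.2", vulnerable: true, fix_allowed: false`, which is the unsatisfiable state; after the change it reports `1.3.7`, not vulnerable, fix allowed. The `admits?` helper is there to compare the unbounded `>= 1.3.7` this commit uses with a capped form such as `['>= 1.3.7', '< 2']`, which keeps the advisory floor but still excludes a future major release.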

5 files changed

Lines changed: 7 additions & 7 deletions

File tree

Gemfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -6,7 +6,7 @@ ruby ">= 2.6.10"
66
gem 'cocoapods', '~> 1.13', '!= 1.15.0', '!= 1.15.1'
77
gem 'activesupport', '>= 6.1.7.5', '< 7.1.0'
88
gem 'xcodeproj', '< 1.26.0'
9-
gem 'concurrent-ruby', '<= 1.3.4'
9+
gem 'concurrent-ruby', '>= 1.3.7'
1010

1111
# Ruby 3.4.0 has removed some libraries from the standard library.
1212
gem 'bigdecimal'
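Review bot: the replacement constraint on line 9, `gem 'concurrent-ruby', '>= 1.3.7'`, has no upper bound at all, so it will also admit a future 2.x release; the cap being removed here existed precisely because a minor release (1.3.5, per the commit message) broke the CocoaPods/activesupport stack, so consider `gem 'concurrent-ruby', '>= 1.3.7', '< 2'` (or `'~> 1.3', '>= 1.3.7'`) to keep the advisory floor while still excluding the next major.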

Gemfile.lock

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -55,7 +55,7 @@ GEM
5555
netrc (~> 0.11)
5656
cocoapods-try (1.2.0)
5757
colored2 (3.1.2)
58-
concurrent-ruby (1.2.2)
58+
concurrent-ruby (1.3.7)
5959
escape (0.0.4)
6060
ethon (0.16.0)
6161
ffi (>= 1.15.0)
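Review bot: this lockfile was resolving `concurrent-ruby (1.2.2)`, not 1.3.4, so the commit message's "no new transitive dependencies over 1.3.4" comparison does not describe the jump this file actually makes (1.2.2 to 1.3.7); the unchanged neighbours (`colored2`, `escape`, `ethon`) suggest the resolution is still clean, but the message should state the 1.2.2 baseline for the root lock rather than implying both locks moved from 1.3.4.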
@@ -97,7 +97,7 @@ DEPENDENCIES
9797
benchmark
9898
bigdecimal
9999
cocoapods (~> 1.13, != 1.15.1, != 1.15.0)
100-
concurrent-ruby (<= 1.3.4)
100+
concurrent-ruby (>= 1.3.7)
101101
logger
102102
mutex_m
103103
xcodeproj (< 1.26.0)

packages/rn-tester/Gemfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ gem 'cocoapods', '~> 1.13', '!= 1.15.0', '!= 1.15.1'
99
gem 'rexml'
1010
gem 'activesupport', '>= 6.1.7.5', '< 7.1.0'
1111
gem 'xcodeproj', '< 1.26.0'
12-
gem 'concurrent-ruby', '<= 1.3.4'
12+
gem 'concurrent-ruby', '>= 1.3.7'
1313

1414
# Ruby 3.4.0 has removed some libraries from the standard library.
1515
gem 'bigdecimal'
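Review bot: no `packages/rn-tester/Gemfile.lock` is touched in this commit, while both other Gemfile edits come with a lockfile bump; if rn-tester has a checked-in lockfile it needs the same `concurrent-ruby (1.3.7)` update, and if it does not, `bundle install` there will now resolve to whatever the newest release is at install time, since the new `'>= 1.3.7'` on line 12 has no cap.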

private/helloworld/Gemfile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ ruby ">= 2.6.10"
55
gem 'cocoapods', '~> 1.13', '!= 1.15.0', '!= 1.15.1'
66
gem 'activesupport', '>= 6.1.7.5', '< 7.1.0'
77
gem 'xcodeproj', '< 1.26.0'
8-
gem 'concurrent-ruby', '<= 1.3.4'
8+
gem 'concurrent-ruby', '>= 1.3.7'
99

1010
# Ruby 3.4.0 has removed some libraries from the standard library.
1111
gem 'bigdecimal'
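Review bot: the constraint on line 8 is now duplicated verbatim across three Gemfiles (root, `packages/rn-tester`, `private/helloworld`) with nothing recording why the floor is `1.3.7`; a one-line comment next to the gem naming the security advisory, in the same style as the Ruby 3.4 comment two lines below, would make the reason recoverable without git archaeology and reduce the chance the three files drift apart on the next bump.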

private/helloworld/Gemfile.lock

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -58,7 +58,7 @@ GEM
5858
netrc (~> 0.11)
5959
cocoapods-try (1.2.0)
6060
colored2 (3.1.2)
61-
concurrent-ruby (1.3.4)
61+
concurrent-ruby (1.3.7)
6262
escape (0.0.4)
6363
ethon (0.16.0)
6464
ffi (>= 1.15.0)
@@ -101,7 +101,7 @@ DEPENDENCIES
101101
benchmark
102102
bigdecimal
103103
cocoapods (~> 1.13, != 1.15.1, != 1.15.0)
104-
concurrent-ruby (<= 1.3.4)
104+
concurrent-ruby (>= 1.3.7)
105105
ffi (>= 1.17.2)
106106
logger
107107
mutex_m
