LIBSCHOLAR-63 Update .bundler-audit.yml file to current vulnerabilities #1194

Open
Janell-Huyck wants to merge 1 commit into develop from LIBSCHOLAR-63-update-bundler-audit-ignore-list-so-that-current-p-rs-can-get-merged
Conversation

@Janell-Huyck (Contributor) commented Feb 4, 2026

Update bundler-audit ignore list for current vulnerabilities

Summary

Updates .bundler-audit.yml so the current bundler-audit findings are explicitly ignored, allowing PRs to merge while the team plans gem upgrades.

Changes

  • New ignore entries — Added all CVEs and GHSAs reported by the latest bundler-audit run (Rails 5.2, nokogiri, rack, puma, httparty, carrierwave, devise, and others).
  • New gem sections — Added ignore blocks for: actionmailer, activesupport, aws-sdk-s3, carrierwave, devise, globalid, httparty, jquery-ui-rails, puma, sidekiq, thor.
  • Existing sections — Kept existing ignores and merged in any new advisories for: actionpack, actionview, activerecord, activestorage, loofah, nokogiri, omniauth, rack, rails-html-sanitizer, rexml, webrick.
  • Comments — Section comments now include the affected version (where known) and the recommended fix version(s) from advisories (e.g. fix: >= 1.4.4) so future upgrades are easier to plan.
  • Organization — Sections are grouped by gem and sorted alphabetically; both CVE and GHSA IDs are listed so the ignore list matches bundler-audit output.

Notes

  • This is a temporary measure so CI (and PRs) can pass; the comments in the file document the versions needed to actually fix each finding.

  • Addressing these will require upgrading gems (notably Rails and related stack) to the versions noted in the comments; that should be tracked and done in a follow-up.

  • Bjorg has been notified of this action.

Related

  • LIBSCHOLAR-63
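Ignore lists like the one this PR adds tend to outlive the upgrades they were waiting on, so the fix versions recorded in the section comments are worth checking mechanically rather than by eye. The script below is an added example, not the project's file and not bundler-audit's own code: it reads a constructed `.bundler-audit.yml` laid out the way the PR describes (a comment per gem carrying a `fix:` requirement, followed by the CVE/GHSA IDs that section ignores), reads a constructed `Gemfile.lock`, and reports which ignores are stale (the locked gem already satisfies the fix version, so the entry should be deleted), which are still active debt, and which name a gem that is not locked at all. Gem names, versions and advisory IDs are placeholders, and the exact comment wording is an assumption; the one thing taken from bundler-audit itself is that it honours the IDs under the `ignore:` key and nothing else in the file.

```ruby
require "yaml"
require "rubygems"

# Constructed sample of a .bundler-audit.yml laid out the way the PR describes:
# one commented section per gem carrying the recommended fix version, then the
# advisory IDs that section ignores. Gem names, versions and IDs are placeholders,
# and the comment wording "(...; fix: <requirement>)" is an assumption.
SAMPLE_CONFIG = <<~YAML
  ---
  ignore:
    # gem-a (affected < 1.4.4; fix: >= 1.4.4)
    - CVE-0000-0001
    - GHSA-0000-0000-0001
    # gem-b (affected < 2.0.1; fix: >= 2.0.1)
    - CVE-0000-0002
    # gem-c (affected < 1.0.0; fix: >= 1.0.0)
    - CVE-0000-0003
    # gem-d (fix: >= 3.1.0)
    - GHSA-0000-0000-0002
YAML

# Constructed Gemfile.lock fragment; only the 4-space-indented `specs:` lines matter.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      gem-a (1.4.4)
      gem-a (1.4.4-x86_64-linux)
      gem-b (1.9.0)
        gem-e (>= 0)
      gem-c (1.2.0)

  PLATFORMS
    ruby
    x86_64-linux
LOCK

SECTION_RE = /\A\s*#\s*(?<gem>[\w.-]+).*?fix:\s*(?<req>[^)\n]+)/
ENTRY_RE   = /\A\s*-\s*(?<id>(?:CVE|GHSA)-\S+)/
SPEC_RE    = /\A {4}(?<name>\S+) \((?<version>[^)]+)\)\s*\z/

# Parse the ignore list twice: YAML yields the IDs bundler-audit will actually
# honour, and a line scan recovers the per-gem comment sections around them.
# Any ID that is not documented by a section comment is an error.
def parse_ignore_sections(config_text)
  declared = Array(YAML.safe_load(config_text)["ignore"])
  sections = []
  current = nil
  config_text.each_line do |line|
    if (m = SECTION_RE.match(line))
      req = Gem::Requirement.new(m[:req].strip.split(",").map(&:strip))
      current = { gem: m[:gem], fix: req, ids: [] }
      sections << current
    elsif (m = ENTRY_RE.match(line))
      raise "#{m[:id]} is not in the YAML ignore list" unless declared.include?(m[:id])
      raise "#{m[:id]} has no gem section comment above it" if current.nil?
      current[:ids] << m[:id]
    end
  end
  undocumented = declared - sections.flat_map { |s| s[:ids] }
  raise "ignored without a section comment: #{undocumented.join(', ')}" unless undocumented.empty?
  sections
end

# Map each locked gem to its version. Platform-qualified specs such as
# "1.4.4-x86_64-linux" are not valid Gem::Version strings, so trim the suffix.
def parse_lockfile_versions(lockfile_text)
  lockfile_text.each_line.with_object({}) do |line, locked|
    next unless (m = SPEC_RE.match(line))
    version = m[:version]
    version = version.split("-").first unless Gem::Version.correct?(version)
    locked[m[:name]] ||= Gem::Version.new(version)
  end
end

# :stale   -> locked version already satisfies the fix requirement; drop the ignore
# :active  -> locked version is still below the fix; the ignore is still hiding a finding
# :unknown -> the gem named in the comment is not in the lockfile at all
def audit_ignore_list(config_text, lockfile_text)
  locked = parse_lockfile_versions(lockfile_text)
  report = { stale: [], active: [], unknown: [] }
  parse_ignore_sections(config_text).each do |section|
    version = locked[section[:gem]]
    bucket = if version.nil? then :unknown
             elsif section[:fix].satisfied_by?(version) then :stale
             else :active
             end
    report[bucket].concat(section[:ids])
  end
  report
end

if $PROGRAM_NAME == __FILE__
  audit_ignore_list(SAMPLE_CONFIG, SAMPLE_LOCKFILE).each do |bucket, ids|
    puts "#{bucket}: #{ids.join(', ')}"
  end
end
```

Run it as part of the same CI job that runs bundler-audit, and treat a non-empty `stale` list as a failure: the point of recording fix versions in the comments is that an ignore can be retired the moment the gem bump lands, and an entry with no section comment fails loudly so the list cannot quietly grow.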

@scherztc scherztc self-assigned this Feb 7, 2026

2 participants