Relax version constraints to allow Rails 7.1.6 update

pixeltrix · postmodern · commit 70fdfca8a79a · 2025-10-29T10:18:51.000-07:00
The ~&gt; operator on the revision triggers a false positive on the
latest patch update in the Rails 7.1.x release series.
diff --git a/gems/actionpack/CVE-2024-54133.yml b/gems/actionpack/CVE-2024-54133.yml
@@ -35,7 +35,7 @@ unaffected_versions:
   - "< 5.2.0"
 patched_versions:
   - "~> 7.0.8.7"
-  - "~> 7.1.5.1"
+  - "~> 7.1.5, >= 7.1.5.1"
   - "~> 7.2.2, >= 7.2.2.1"
   - ">= 8.0.0.1"
 related:
diff --git a/gems/activerecord/CVE-2025-55193.yml b/gems/activerecord/CVE-2025-55193.yml
@@ -24,7 +24,7 @@ description: |
   Thanks to [lio346](https://hackerone.com/lio346) for reporting
   this vulnerability.
 patched_versions:
-  - "~> 7.1.5.2"
+  - "~> 7.1.5, >= 7.1.5.2"
   - "~> 7.2.2, >= 7.2.2.2"
   - ">= 8.0.2.1"
 related:
diff --git a/gems/activestorage/CVE-2025-24293.yml b/gems/activestorage/CVE-2025-24293.yml
@@ -58,7 +58,7 @@ description: |
 unaffected_versions:
   - "< 5.20"
 patched_versions:
-  - "~> 7.1.5.2"
+  - "~> 7.1.5, >= 7.1.5.2"
   - "~> 7.2.2, >= 7.2.2.2"
   - ">= 8.0.2.1"
 related:
