Update Bundler version to 2.2.33
Context
For investigation: is there somewhere we define the version of bundler to be installed/used? If so, we might need to update it to resolve this CVE. At least according to the Gemfile.lock
, we have recently bundled with a version (2.1.4
) of bundler that is vulnerable to CVE-2020-36327:
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application
Solution
Upgrade the required Bundler version to >= 2.2.18
Closes gitlab-org/gitlab#332502
Edited by Gerard Hickey