Skip to content

Bump action_text-trix 2.1.17 → 2.1.18 (GHSA-53p3-c7vp-4mcc)#1559

Draft
Copilot wants to merge 2 commits into
masterfrom
copilot/update-action-text-trix-gem
Draft

Bump action_text-trix 2.1.17 → 2.1.18 (GHSA-53p3-c7vp-4mcc)#1559
Copilot wants to merge 2 commits into
masterfrom
copilot/update-action-text-trix-gem

Conversation

Copy link
Copy Markdown

Copilot AI commented Apr 7, 2026
edited
Loading

action_text-trix 2.1.17 carries an XSS vulnerability (GHSA-53p3-c7vp-4mcc) via JSON deserialization bypass in Trix's drag-and-drop handler, causing bundle-audit CI to fail.

Changes

  • Gemfile.lock — pin action_text-trix to 2.1.18 (single line bump)

No Gemfile change required; actiontext 8.1.2.1 already constrains action_text-trix (~> 2.1.15), which permits 2.1.18.

Original prompt

Fix CI bundle-audit failure caused by vulnerable gem action_text-trix (2.1.17) requiring update to >= 2.1.18.

Context:

  • Repo: internetee/auction_center
  • Branch: master
  • Workflow file referenced: .github/workflows/add-new-issues-to-ee-project.yml (GitHub Actions workflow adding opened issues to org Project V2).
  • bundle-audit output:
    • Name: action_text-trix
    • Version: 2.1.17
    • Advisory: GHSA-53p3-c7vp-4mcc
    • Solution: update to '>= 2.1.18'

Task:

  1. Update dependencies so that action_text-trix is >= 2.1.18 (prefer minimal change). This likely means updating Rails/actiontext or adjusting Gemfile/Gemfile.lock.
  2. Ensure bundle exec bundle-audit check --update passes.
  3. Keep changes as small as possible; prefer updating Gemfile.lock via bundle update action_text-trix (or actiontext/rails if required) rather than broad upgrades.
  4. If pinning is necessary, add explicit constraint in Gemfile with explanation comment.
  5. Run/update tests if any CI steps require it; ensure workflow(s) still succeed.

Files likely to change:

  • Gemfile
  • Gemfile.lock

Provide a PR with a concise title and description referencing the advisory and the version bump.

Reference file content (no change required unless you find workflow issues):
image1

Additional notes:

  • The workflow shown uses actions/github-script@v7 with GraphQL mutations.
  • The CI failure is in bundle_audit job (not shown here).

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: bundle_audit fails for this script. this is the reports: "Run bundle exec bundle-audit check --update
Download ruby-advisory-db ...
Cloning into '/home/runner/.local/share/ruby-advisory-db'...
ruby-advisory-db:
advisories: 1078 advisories
last updated: 2026-03-30 08:43:42 -0700
commit: b1e3c15af5cc5c1058c6db9a876a082685f4a3f8
Name: action_text-trix
Version: 2.1.17
GHSA: GHSA-53p3-c7vp-4mcc
Criticality: Unknown
URL: GHSA-53p3-c7vp-4mcc
Title: Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop (Level0InputController)
Solution: update to '>= 2.1.18'

Vulnerabilities found!
Error: Process completed with exit code 1." how to fix this?

Assistant: Update the gem action_text-trix from 2.1.17 to >= 2.1.18 (and then re-lock), because bundle-audit is failing on GHSA-53p3-c7vp-4mcc with the recommended fix “update to '>= 2.1.18'”.

What to change (typical Rails setup)

  1. Find where action_text-trix is coming from

    • It’s usually a transitive dependency of actiontext / Rails, not something you explicitly listed.

  2. Bump the dependency and regenerate Gemfile.lock
    Run:

    bundle update action_text-trix
bundle install

    Commit the updated Gemfile.lock.

  3. If Bundler won’t upgrade it
    That usually means another gem is constraining it. Try one of these (in order):

    A) Update Rails (recommended if possible)

    bundle update rails

    (or update the specific Rails components you use)

    B) Update both actiontext + trix together

    bundle update actiontext action_text-trix

    C) As a temporary workaround, pin it in your Gemfile
    Add:

    gem "action_text-trix", ">= 2.1.18"

    Then:

    bundle install

    This works only if it doesn’t violate other constraints.

Verify the fix

After updating:

bundle exec bundle-audit check --update
bundle exec ruby -v
bundle list | grep action_text-trix

If you paste your Gemfile + the Gemfile.lock section for action_text-trix (and actiontext/rails), I can tell you exactly which dependency is holding it back and the smallest safe bundle update ... to run.

User: can you fix this?

Assistant: I’ve queued up the fix as a change, but I can’t apply it until you approve the pending action prompt—once you accept, I’ll update the dependency to action_text-trix >= 2.1.18 (via the lockfile/Gem updates) and open the PR.

This pull request was created from Copilot chat.

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Apr 7, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Copilot AI changed the title [WIP] Fix CI bundle-audit failure for vulnerable gem action_text-trix Bump action_text-trix 2.1.17 → 2.1.18 (GHSA-53p3-c7vp-4mcc) Apr 7, 2026
Copilot AI requested a review from vohmar April 7, 2026 15:02
@vohmar vohmar requested review from OlegPhenomenon and removed request for vohmar April 7, 2026 15:04
Copilot AI mentioned this pull request Apr 7, 2026
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@OlegPhenomenon OlegPhenomenon Awaiting requested review from OlegPhenomenon

At least 1 approving review is required to merge this pull request.

Assignees

@vohmar vohmar

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vohmar