Bump dependencies: resolve Mend HIGH concurrent-ruby CVE (opennlp blocked by Lucene 9.x) #1962

Open
odosk wants to merge 1 commit into master from fix/cve-deps-2026-06-21

Conversation

@odosk odosk commented Jun 21, 2026

Contributor

⚠️ This PR was created by an AI assistant (Claude). Please review all changes carefully before merging.

Once approved, please merge it — this is an automated dependency-update PR and merging is the final step that closes out the linked Mend findings.

Summary

Regenerated the docs Gemfile.lock to bump the transitive concurrent-ruby gem past HIGH-severity CVE-2026-54904. The three opennlp-tools CVEs flagged in the lucene-linguistics/going-crazy example are not fixable in this scope — see below.

Changed Files

Gemfile.lock — regenerated via bundle lock --update (Bundler 4.0.6) in an isolated container:

  • concurrent-ruby: 1.3.6→1.3.7 (fixes CVE-2026-54904)
  • side-effect upgrades: google-protobuf 4.35.0→4.35.1, i18n 1.14.8→1.15.2, io-event 1.16.1→1.16.2, json 2.19.8→2.19.9

CVEs Addressed

Verified against the GitHub Advisory Database / OSV.dev:

| Package | CVE(s) | Severity | Fix version reached |
| --- | --- | --- | --- |
| concurrent-ruby | CVE-2026-54904 | high | 1.3.7 |

⚠️ Cannot fix in this PR

| Project | Package | CVE | Reason |
| --- | --- | --- | --- |
| examples/lucene-linguistics/going-crazy | opennlp-tools @ 1.9.4 | CVE-2026-42027 (CRIT), CVE-2026-40682 (CRIT), CVE-2026-42440 (HIGH) | opennlp-tools is a transitive dependency of lucene-analysis-opennlp, whose version is pinned to the Vespa platform's Lucene (${lucene.vespa.version} → Lucene 9.12.3). The CVEs are first fixed in opennlp-tools 2.5.9 (verified via OSV: GHSA-4v8g-86x5-3vrc / -659w-93r5-9j6m / -cx4m-2p55-rw7j). Lucene 9.x's lucene-analysis-opennlp is compiled against the opennlp 1.9 API; force-overriding opennlp to 2.5.x via dependencyManagement compiles but fails at runtime with NoSuchMethodError. The supported path is a platform Lucene 10 upgrade (Lucene 10 ships lucene-analysis-opennlp built against opennlp 2.x). This example app cannot independently bump Lucene since it tracks the platform version. |

Implementation Notes

  • concurrent-ruby is transitive (pulled by jekyll with ~> 1.0); regenerating the lock floats it to 1.3.7 without a Gemfile change.
  • No downgrades; BUNDLED WITH (4.0.6) and CHECKSUMS preserved.

Verification

  • grep concurrent-ruby Gemfile.lock confirms 1.3.7.
  • Re-run the Mend scan after merge: CVE-2026-54904 clears; the three opennlp CVEs persist until the platform moves to Lucene 10.

🤖 Generated with Claude Code

Regenerated Gemfile.lock via bundle lock --update (Bundler 4.0.6) in an isolated
container. Bumps concurrent-ruby 1.3.6 -> 1.3.7 (CVE-2026-54904), plus floating
transitive deps to latest. The opennlp-tools CVEs in the lucene-linguistics
example cannot be fixed in this scope (transitive via Lucene 9.x); see PR body.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@odosk odosk added the auto security Automated security created PRs label Jun 21, 2026
@odosk odosk marked this pull request as ready for review June 22, 2026 09:33
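The PR's verification step is a `grep` of `Gemfile.lock` for the concurrent-ruby line. The following is an added example, not code from the PR or the repository: a small Ruby script that parses the resolved `specs:` block of a `Gemfile.lock` and compares each tracked gem against the minimum fixed version with `Gem::Version`, so a lock that still carries a vulnerable version fails the check rather than relying on eyeballing the grep output. The lockfile fragment is constructed here from the gem names and versions quoted in the PR body; the `FIX_VERSIONS` table is an assumption with the single entry the PR names.

```ruby
# Added example (not part of the PR): check a Gemfile.lock against minimum
# fixed gem versions. Uses Gem::Version from the standard rubygems library.
require "rubygems"

# Constructed sample lockfile fragment (pre-bump state, versions from the PR
# body). Resolved gems sit at four spaces of indentation under "specs:";
# their own requirements (e.g. "concurrent-ruby (~> 1.0)") sit at six.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      concurrent-ruby (1.3.6)
      google-protobuf (4.35.0-x86_64-linux)
      i18n (1.14.8)
        concurrent-ruby (~> 1.0)
      jekyll (4.3.4)
        i18n (~> 1.0)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    jekyll

  BUNDLED WITH
     4.0.6
LOCK

# Minimum versions containing the fix: gem name => fixed version.
# Assumed table; the only entry is the one the PR names.
FIX_VERSIONS = { "concurrent-ruby" => "1.3.7" }.freeze

# Parse the "specs:" block of a Gemfile.lock into { name => version }.
# A platform suffix such as "-x86_64-linux" is stripped from the version.
def locked_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    if line =~ /\A\s*specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if line =~ /\A\S/ # a new top-level section (PLATFORMS, ...)
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([0-9][0-9A-Za-z.]*)(?:-[^)]+)?\)\s*\z/)
    next unless m # deeper-indented requirement lines do not match
    versions[m[1]] = m[2]
  end
  versions
end

# Return the gems still below their fixed version as
# { name => [locked_version, fixed_version] }; empty when the lock is clean.
def unfixed_gems(lock_text, fix_versions = FIX_VERSIONS)
  locked = locked_versions(lock_text)
  fix_versions.each_with_object({}) do |(name, fixed), out|
    current = locked[name]
    next if current.nil? # gem not in this lock at all: nothing to bump
    out[name] = [current, fixed] if Gem::Version.new(current) < Gem::Version.new(fixed)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Before the bump: the sample lock still pins concurrent-ruby 1.3.6.
  unfixed_gems(SAMPLE_LOCK).each do |name, (cur, fix)|
    puts "#{name}: locked #{cur}, needs >= #{fix}"
  end
  # After the bump: the same lock with 1.3.7 passes.
  bumped = SAMPLE_LOCK.sub("concurrent-ruby (1.3.6)", "concurrent-ruby (1.3.7)")
  puts "bumped lock clean: #{unfixed_gems(bumped).empty?}"
end
```

Run it against a real lock with `unfixed_gems(File.read("Gemfile.lock"))`; the numeric comparison matters because a plain grep would treat `1.3.10` as matching a search for `1.3.1`, and `Gem::Version` orders such versions correctly.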