Commit 298ec16

dadachi and claude authored
Ignore CVE-2026-40295 in bundler-audit (#67)
devise 5.0.4 fixes an Open Redirect in the Timeoutable session timeout handler, but devise_token_auth ~> 1.2 still pins devise < 5. The :timeoutable module isn't enabled on Shopkeeper, so the affected code path doesn't exist in this app. Same rationale as the existing CVE-2026-32700 entry.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 4b57aef commit 298ec16

1 file changed

Lines changed: 3 additions & 0 deletions

config/bundler-audit.yml

@@ -4,3 +4,6 @@
44
ignore:
55
# devise 5.0.3+ fixes this, but devise_token_auth ~> 1.2 pins devise < 5
66
- CVE-2026-32700
7+
# devise 5.0.4+ fixes an Open Redirect in Timeoutable; we don't enable
8+
# :timeoutable on Shopkeeper, and devise_token_auth ~> 1.2 pins devise < 5
9+
- CVE-2026-40295
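Review bot: The justification for suppressing CVE-2026-40295 rests on :timeoutable not being enabled, but nothing in this change makes the ignore fail if someone later adds the module to the Devise model, so the suppression would silently outlive its rationale. Consider pairing the entry with a spec that asserts the app's Devise mappings do not include :timeoutable, and extending the comment with the condition for removing both ignores (once devise_token_auth lifts the devise < 5 pin), since the same reasoning is used for the CVE-2026-32700 entry directly above.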

0 commit comments
