Bundler update; move audit ignore list to file

.bundler-audit.yml

@@ -0,0 +1,6 @@
+---
+ignore:
+  - CVE-2019-16676
+  - CVE-2017-1002201
+  - CVE-2024-26143
+  - CVE-2024-6531

.github/workflows/asset_compilation.yml

@@ -79,7 +79,7 @@ jobs:
         echo "postgres:5432:*:postgres:postgres" > ~/.pgpass
         chmod 600 ~/.pgpass
 
-        gem install bundler --version=2.4.14
+        gem install bundler --version=2.5.17
 
     # According to https://www.jessesquires.com/blog/2021/08/23/caching-bundler-on-github-actions/
     # this is fragile and failure prone, but the step they recommend using instead (ruby/ruby-setup)

.github/workflows/build_images.yml

@@ -37,7 +37,7 @@ jobs:
             target: prod-build
             build-args: |
               BUILD_TAG=3.1.6-alpine3.20
-              BUNDLER_VERSION=2.4.13
+              BUNDLER_VERSION=2.5.17
               USER_ID=1000
               GROUP_ID=1000
             tags: |

.github/workflows/ci.yml

@@ -77,7 +77,7 @@ jobs:
 
       - name: Run bundle-audit
         run: |
-          bundle exec bundle-audit check --update --ignore CVE-2019-16676 CVE-2017-1002201 CVE-2024-26143
+          bundle exec bundle-audit check --update
       - name: Run brakeman
         run: |
           bundle exec brakeman -q --no-pager --except PermitAttributes,Render

Gemfile.lock

@@ -877,4 +877,4 @@ DEPENDENCIES
   yabeda-rails
 
 BUNDLED WITH
-   2.4.13
+   2.5.17

docker/app/Dockerfile

@@ -24,7 +24,7 @@ ARG BUILD_TAG
 FROM ruby:${BUILD_TAG} AS base
 ARG USER_ID=10000
 ARG GROUP_ID=10000
-ARG BUNDLER_VERSION=2.4.13
+ARG BUNDLER_VERSION=2.5.17
 
 LABEL "app"=open-path-cas
 LABEL "ruby-version"=3.1.6

docker/docker-compose.yml

@@ -11,7 +11,7 @@ x-app: &app
       PG_MAJOR: '12'
       NODE_MAJOR: '12'
       YARN_VERSION: '1.17.3'
-      BUNDLER_VERSION: '2.4.14'
+      BUNDLER_VERSION: '2.5.17'
       USER_ID: ${USER_ID:-10000}
       GROUP_ID: ${GROUP_ID:-10000}
   environment: &env