From 3482754d179534fd1cf55372c7c2fa19b02b9791 Mon Sep 17 00:00:00 2001
From: Jeff Erbrecht
Date: Thu, 28 Nov 2024 11:30:00 -0500
Subject: [PATCH] Pin rexml and activesupport

---
 fluent-plugin-google-cloud.gemspec | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/fluent-plugin-google-cloud.gemspec b/fluent-plugin-google-cloud.gemspec
index da25e732..8e80e0c4 100644
--- a/fluent-plugin-google-cloud.gemspec
+++ b/fluent-plugin-google-cloud.gemspec
@@ -34,6 +34,16 @@ Gem::Specification.new do |gem|
   gem.add_runtime_dependency 'opencensus', '0.5.0'
   gem.add_runtime_dependency 'opencensus-stackdriver', '0.4.1'
 
+  # CVE-2023-28120, CVE-2023-22796, CVE-2023-38037: activesupport is a
+  # transitive dependency of google-api-client, which has not been updated
+  # upstream to a non-vulnerable version, so we are pinning it here instead.
+  gem.add_runtime_dependency 'activesupport', '>= 6.1.7.5'
+
+  # CVE-2024-49761: rexml is a transitive dependency of google-api-client,
+  # which has not been updated upstream to a non-vulnerable version, so we
+  # are pinning it here instead.
+  gem.add_runtime_dependency 'rexml', '>= 3.3.9'
+
   gem.add_development_dependency 'mocha', '1.9.0'
   # Keep this the same as in
   # https://github.com/fluent/fluent-plugin-prometheus/blob/master/fluent-plugin-prometheus.gemspec
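Review bot: The new `activesupport` requirement is a floor with no ceiling, so a fresh resolve is free to pick the next major of activesupport, which neither this plugin nor (presumably) google-api-client's own constraint has been exercised against; `gem.add_runtime_dependency 'activesupport', '>= 6.1.7.5', '< 8'` (or whatever upper bound google-api-client itself declares) closes the three CVEs without widening the range. The comments call these "pins", but `>=` only sets a minimum — the version actually installed is whatever the consumer's lockfile resolves to, so the wording should say "set a minimum version here" and, if this repository tracks a Gemfile.lock (not in this diff), that lock needs regenerating in the same change. Both direct dependencies exist only to work around upstream lag, so each comment should carry a removal trigger, e.g. `# TODO: drop once google-api-client itself requires activesupport >= 6.1.7.5.` The enclosing `Gem::Specification.new do |gem|` block starts and ends outside the hunk.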