
Issue #19178 has been updated by Segaja (Andreas Schleifer).

austin (Austin Ziegler) wrote in #note-5:
> No, they can be upgraded independently.

That is interesting. The second sentence from https://rubyreferences.github.io/rubyref/stdlib/bundled.html says "Unlike standard library, these gems can be updated independently from Ruby itself." But your way of updating "json" as a normal gem over the default gem means that whenever Ruby is used with `--disable-gems`, the updated version is not used and thus a CVE could still be exposed. Also, doing such updates with a major version could break a lot of software, which for example breaks with `psych` version 4.x as far as I know. But I think my question remains: If I (as Arch maintainer) don't update (package the gem as a new package) the gem, then how long will it take for a CVE to be fixed in the default Ruby release?

----------------------------------------
Misc #19178: How does CRuby handle CVE issues in stdlib gems which get patched?
https://bugs.ruby-lang.org/issues/19178#change-100474

* Author: Segaja (Andreas Schleifer)
* Status: Open
* Priority: Normal
----------------------------------------
If there is a CVE issue in one of the stdlibs ( https://stdgems.org/ ) which gets patched, what is CRuby's approach on how to push this critical fix to the users? As far as I know stdlibs get only updated for the users if CRuby releases a new version. So will CRuby always release a new version if there is a critical fix and a stdlib "needs" to be updated?

-- 
https://bugs.ruby-lang.org/
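The point raised in the comment above (a patched `json` installed as a regular gem over the default gem is not what a `ruby --disable-gems` process loads) can be checked on a given Ruby installation. The script below is an added example, not code from the issue thread or from CRuby; it assumes the gem being checked defines a `VERSION` constant under the given module name (true for `json`) and that `ruby` is reachable via `RbConfig.ruby`.

```ruby
# Added example: compare the default-gem copy of a library, the newest copy
# installed via RubyGems, and the copy a plain `require` resolves to when
# RubyGems is disabled. If the last two differ, a "gem update" did not
# reach processes started with --disable-gems.
require "open3"
require "rbconfig"

# Version string of the copy shipped with this Ruby as a default gem, or nil.
def default_gem_version(name)
  spec = Gem::Specification.find_all_by_name(name).find(&:default_gem?)
  spec && spec.version.to_s
end

# Newest version installed anywhere (regular gem or default gem).
def newest_installed_version(name)
  Gem::Specification.find_all_by_name(name).map(&:version).max.to_s
end

# Version that `require name` picks up when RubyGems is disabled: only the
# load path (and therefore the default-gem copy in rubylibdir) is searched.
# `const` is the module that carries VERSION, e.g. "JSON" for the json gem.
def version_without_rubygems(name, const)
  code = "require #{name.inspect}; puts #{const}::VERSION"
  out, _err, status = Open3.capture3(RbConfig.ruby, "--disable-gems", "-e", code)
  status.success? ? out.strip : nil
end

# True when the newest installed copy is also the one used under --disable-gems.
def patched_version_effective_without_rubygems?(name, const)
  version_without_rubygems(name, const) == newest_installed_version(name)
end

if $PROGRAM_NAME == __FILE__
  name, const = "json", "JSON"
  puts "default gem:          #{default_gem_version(name)}"
  puts "newest installed:     #{newest_installed_version(name)}"
  puts "under --disable-gems: #{version_without_rubygems(name, const)}"
  puts "patched copy effective without RubyGems? " \
       "#{patched_version_effective_without_rubygems?(name, const)}"
end
```

Run it before and after `gem update json` on the same interpreter to see the discrepancy the comment describes.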