From 15babcf763356217a7e6a8ab3327fa91ff0a00f5 Mon Sep 17 00:00:00 2001
From: Jeff Erbrecht
Date: Thu, 28 Nov 2024 11:30:00 -0500
Subject: [PATCH] Pin rexml and activesupport

---
 fluent-plugin-google-cloud.gemspec | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/fluent-plugin-google-cloud.gemspec b/fluent-plugin-google-cloud.gemspec
index da25e732..16dc161f 100644
--- a/fluent-plugin-google-cloud.gemspec
+++ b/fluent-plugin-google-cloud.gemspec
@@ -34,6 +34,16 @@ Gem::Specification.new do |gem|
   gem.add_runtime_dependency 'opencensus', '0.5.0'
   gem.add_runtime_dependency 'opencensus-stackdriver', '0.4.1'
 
+  # CVE-2023-28120, CVE-2023-22796, CVE-2023-38037: activesupport is a
+  # transitive dependency of google-api-client, which has not been updated
+  # upstream to a patched version, so we are pinning it here instead.
+  gem.add_runtime_dependency 'activesupport', '~> 6.1', '>= 6.1.7.5'
+
+  # CVE-2024-49761: rexml is a transitive dependency of google-api-client,
+  # which has not been updated upstream to a patched version, so we are
+  # pinning it here instead.
+  gem.add_runtime_dependency 'rexml', '~> 3.3', '>= 3.3.9'
+
   gem.add_development_dependency 'mocha', '1.9.0'
   # Keep this the same as in
   # https://github.com/fluent/fluent-plugin-prometheus/blob/master/fluent-plugin-prometheus.gemspec
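Review bot: Neither new pin says when it can be removed, so these direct runtime dependencies on what are really transitive gems will likely outlive the upstream fix; add a removal trigger such as `# TODO: drop this pin once google-api-client itself requires activesupport >= 6.1.7.5.` (and the rexml counterpart) so the next maintainer can tell the line is scaffolding rather than a genuine dependency. The `'~> 6.1'` and `'~> 3.3'` ceilings also mean a future security fix that ships only in activesupport 7.x or rexml 4.x stays unreachable until this file is edited again, which is acceptable if deliberate but worth stating in the comment. A gemspec constraint only affects resolution, so any checked-in Gemfile.lock or vendored bundle presumably still needs regenerating for the pins to take effect, which this patch does not show. The `Gem::Specification.new` block starts before and ends after this hunk.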