Sanitize 2.1.1 includes this fix, as per

rgrove/sanitize#176 (comment)

Author: reedloden

gems/sanitize/CVE-2018-3740.yml

@@ -5,7 +5,7 @@ date: 2018-03-19
 url: https://github.com/rgrove/sanitize/issues/176
 title: HTML injection/XSS in Sanitize
 description: |
-  When Sanitize <= 4.6.2 is used in combination with libxml2 >= 2.9.2,
+  When Sanitize gem is used in combination with libxml2 >= 2.9.2,
   a specially crafted HTML fragment can cause libxml2 to generate
   improperly escaped output, allowing non-whitelisted attributes to be
   used on whitelisted elements.
@@ -15,6 +15,7 @@ description: |
 unaffected_versions:
   - "< 1.1.0"
 patched_versions:
+  - "~> 2.1.1"
   - ">= 4.6.3"
 related:
   url: