Unable to update gem to prevent vulnerability using dependabot.

[jalxp]

I've started to receive a warning from Dependabot about one of the dependencies of the project that has a known vulnerability. Namely this CVE — https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/

When I try to apply the automatic patch with Dependabot I receive the error "The latest possible version of rexml that can be installed is 3.2.8.", and the vulnerability is only fixed on > 3.3.3.

Are we enable to update REXML because of some other dependency that "caps" us at 3.2.8?