Closed
Description
We're getting this with our Rails app, with the brand new loofah 2.10:
Confidence: Medium
Category: Cross-Site Scripting
Check: SanitizeMethods
Message: loofah gem 2.10.0 is vulnerable (CVE-2018-8048). Upgrade to 2.2.1
File: Gemfile.lock
Line: 503
However, the CVE is from 2018, and 2.10.0 is clearly > 2.2.1. Can it be that the "10" is somehow detected as smaller than "2" (perhaps sorting as a string instead of a number)?
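The string-ordering effect the reporter asks about, shown as an added example. It is not Brakeman's code and does not confirm the actual cause of this warning. The lockfile excerpt, the `FIXED_IN` table and all method names are constructed for illustration.

```ruby
require "rubygems" # provides Gem::Version

# Constructed Gemfile.lock excerpt (sample data, not taken from the issue).
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.10.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.3.0)
        loofah (~> 2.3)
LOCK

# Hypothetical advisory table: gem name => first fixed version.
FIXED_IN = { "loofah" => "2.2.1" }.freeze

# Resolved specs sit at exactly four spaces of indent: "    name (version)".
# Dependency constraints are indented six spaces and are skipped.
def locked_versions(lockfile)
  lockfile.scan(/^ {4}([\w.-]+) \(([^)]+)\)$/).to_h
end

# Plain string comparison: "2.10.0" sorts before "2.2.1" because the
# third character "1" is less than "2". This yields a false positive.
def vulnerable_lexical?(installed, fixed)
  installed < fixed
end

# Segment-wise comparison: the second segment is 10 vs 2, so 2.10.0 > 2.2.1.
def vulnerable_semantic?(installed, fixed)
  Gem::Version.new(installed) < Gem::Version.new(fixed)
end

# Returns the names of locked gems that the given comparator flags.
def audit(lockfile, comparator)
  locked_versions(lockfile).select do |name, version|
    FIXED_IN.key?(name) && send(comparator, version, FIXED_IN[name])
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "lexical:  #{audit(LOCKFILE, :vulnerable_lexical?).inspect}"
  puts "semantic: #{audit(LOCKFILE, :vulnerable_semantic?).inspect}"
end
```
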