diff --git a/Gemfile b/Gemfile
index cecacca..ef3db8e 100644
--- a/Gemfile
+++ b/Gemfile
@@ -43,7 +43,7 @@ gem 'jwt'
 gem 'oydid'
 
 # update for security fixes
-gem 'loofah', '~> 2.3', '>= 2.3.1'
+gem 'loofah', '~> 2.19'
 
 
 group :development, :test do
diff --git a/Gemfile.lock b/Gemfile.lock
index 2916006..4654a77 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -122,7 +122,7 @@ GEM
       rb-fsevent (~> 0.9, >= 0.9.4)
       rb-inotify (~> 0.9, >= 0.9.7)
       ruby_dep (~> 1.2)
-    loofah (2.18.0)
+    loofah (2.19.1)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     mail (2.7.1)
@@ -161,7 +161,7 @@ GEM
     popper_js (2.9.3)
     public_suffix (4.0.7)
     puma (3.12.6)
-    racc (1.6.0)
+    racc (1.6.1)
     rack (2.2.3.1)
     rack-cors (1.1.1)
       rack (>= 2.0.0)
@@ -312,7 +312,7 @@ DEPENDENCIES
   jwt
   leaflet-rails
   listen (>= 3.0.5, < 3.2)
-  loofah (~> 2.3, >= 2.3.1)
+  loofah (~> 2.19)
   merkle-hash-tree
   nokogiri
   oydid