stable deps & assets #79

Closed

danielpclark wants to merge 1 commit into master from update_deps_jan2017

Conversation

@danielpclark (Collaborator)

You can leave this open if you wish. I've updated Ruby to 2.3.3 and Rails to 4.2.7.1. Some gems have been locked to specific versions (with comments added) to avoid breaking changes.

@h-m-m (Collaborator) commented Feb 6, 2017

Thanks, @danielpclark, I really like the comments here. Recording these notes on the work you've done is going to save a lot of effort later on.

At the moment, my main concern about dependency updates is patching vulnerabilities and other security issues. If you're aware of vulnerabilities in our current dependencies, whether they're covered by this patch or not, this PR is a good place for that.

@danielpclark (Collaborator, Author) commented Feb 6, 2017

Ruby should be fine as is, but the current Rails used here (4.2.6) has two security issues. This PR upgrades to 4.2.7.1 and remedies these.

  • CVE-2016-6317 (5/10 threat)
    Active Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.
  • CVE-2016-6316 (4.3/10 threat)
    Cross-site scripting (XSS) vulnerability in Action View in Ruby on Rails 3.x before 3.2.22.3, 4.x before 4.2.7.1, and 5.x before 5.0.0.1 might allow remote attackers to inject arbitrary web script or HTML via text declared as "HTML safe" and used as attribute values in tag handlers.
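As an added example (not code from this PR or from the project), the following standalone Ruby check parses a Gemfile.lock and reports whether the locked Rails version falls inside the affected ranges quoted in the two CVE descriptions above. The RAILS_ADVISORIES table is transcribed from those descriptions, and the two lockfile snippets are constructed here to show the state before and after this PR's bump from 4.2.6 to 4.2.7.1; none of it comes from the repository.

```ruby
# Added example: audit the Rails version pinned in a Gemfile.lock against the
# version ranges quoted in the CVE descriptions above. Plain Ruby plus
# rubygems' Gem::Version; no Rails or Bundler needed, so it runs offline.
require 'rubygems'

# Affected ranges as stated on the page: [series, first fixed release].
# A locked version is affected if it is in the series and below the fix.
RAILS_ADVISORIES = {
  'CVE-2016-6317' => [['4.2', '4.2.7.1']],
  'CVE-2016-6316' => [['3', '3.2.22.3'], ['4', '4.2.7.1'], ['5', '5.0.0.1']],
}.freeze

# Collect resolved versions from the specs block of a Gemfile.lock. Every
# resolved gem (direct or transitive) sits at four spaces as "name (version)";
# its dependency constraints sit at six spaces and are skipped on purpose.
def locked_versions(lockfile_text)
  versions = {}
  lockfile_text.each_line do |line|
    if (m = line.match(/\A {4}([A-Za-z0-9_.-]+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# "4.2" matches 4.2.x, "4" matches any 4.x release.
def in_series?(version, series)
  version.segments.first(series.split('.').length).join('.') == series
end

# CVE identifiers whose affected ranges contain the given version.
def affected_advisories(version)
  RAILS_ADVISORIES.select do |_cve, ranges|
    ranges.any? do |series, fixed|
      in_series?(version, series) && version < Gem::Version.new(fixed)
    end
  end.keys
end

# Audit one lockfile: returns the pinned rails version and open advisories.
def audit_rails(lockfile_text)
  version = locked_versions(lockfile_text)['rails']
  return { version: nil, advisories: [] } if version.nil?
  { version: version.to_s, advisories: affected_advisories(version) }
end

# Constructed lockfile fragments (not the project's real Gemfile.lock).
LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (4.2.6)
        rack (~> 1.6)
      rails (4.2.6)
        actionpack (= 4.2.6)
      rack (1.6.4)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 4.2.6)
LOCK

LOCK_AFTER = LOCK_BEFORE.gsub('4.2.6', '4.2.7.1')

if __FILE__ == $PROGRAM_NAME
  [LOCK_BEFORE, LOCK_AFTER].each do |lock|
    result = audit_rails(lock)
    status = result[:advisories].empty? ? 'ok' : result[:advisories].join(', ')
    puts "rails #{result[:version]}: #{status}"
  end
end
```

Pointing the check at a real lockfile is a matter of `audit_rails(File.read('Gemfile.lock'))`; the same table shape extends to other gems locked in this PR if their advisories are recorded alongside the version comments.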
