Closed (jonallured closed this 7 years ago)
👍 looks good to me, and yes we may want to fix it in artsy-auth.
Context: The security issue was alerted by Github automatically.
I'm going to go ahead and merge this - feel free to comment if you've got something to add!
Unless I'm missing something, my only option here is to lock to a newer `omniauth-oauth2` version (1.4.0 is the latest) and allow `jwt` to be downgraded. Untangling these dependencies can be tricky, but from what I can tell, the problem with using a newer `jwt` is actually intridea/oauth2: https://github.com/intridea/oauth2/blob/v1.4.0/oauth2.gemspec#L9
I found there are a few PRs trying to address some dependency issues there:
https://github.com/intridea/oauth2/pull/326
https://github.com/intridea/oauth2/pull/318
https://github.com/intridea/oauth2/pull/317
Skimming those issues makes it appear that Intridea isn't putting dev resources into the project anymore. The last commit was about 6 months ago. Open source, amiright?
Anyway, open to other ideas, but this seems like the right way to address the security warning.