This PR fixes the following 'High' security vulnerability found in the current version of oauth (0.5.4):
Name: oauth
Version: 0.5.4
CVE: CVE-2016-11086
GHSA: GHSA-7359-3c6r-hfc2
Criticality: High
URL: https://github.com/advisories/GHSA-7359-3c6r-hfc2
Title: Improper Certificate Validation in oauth ruby gem
Solution: upgrade to '>= 0.5.5'
I was going to keep it conservative and update to the most recent version of 0.5.X , but after looking through the Changelog, I think it’s ok to upgrade to 1.1.0 since the only breaking changes between 0.5.X and 1.1.0 is the removal of support for old Ruby versions. The new dependencies that are added have to do with functionality that was extracted into other gems:
OAuth::CLI was extracted to the oauth-tty gem
OAuth::Comsumer#options was extracted to the snaky_hash gem
QA Notes:
Run bin/parallel_rspec to ensure there are no spec failures related to the update.
Install bundler-audit if it's not already installed: gem install bundler-audit.
Run bundler-audit and ensure that oauth is not included in the list of vulnerabilities.
This PR fixes the following 'High' security vulnerability found in the current version of
oauth(0.5.4):I was going to keep it conservative and update to the most recent version of 0.5.X , but after looking through the Changelog, I think it’s ok to upgrade to 1.1.0 since the only breaking changes between 0.5.X and 1.1.0 is the removal of support for old Ruby versions. The new dependencies that are added have to do with functionality that was extracted into other gems:
OAuth::CLIwas extracted to theoauth-ttygemOAuth::Comsumer#optionswas extracted to thesnaky_hashgemQA Notes:
bin/parallel_rspecto ensure there are no spec failures related to the update.bundler-auditif it's not already installed:gem install bundler-audit.bundler-auditand ensure thatoauthis not included in the list of vulnerabilities.