This PR fixes the following 'High' security vulnerability found in the current version of oauth (0.5.4):
Name: oauth
Version: 0.5.4
CVE: CVE-2016-11086
GHSA: GHSA-7359-3c6r-hfc2
Criticality: High
URL: https://github.com/advisories/GHSA-7359-3c6r-hfc2
Title: Improper Certificate Validation in oauth ruby gem
Solution: upgrade to '>= 0.5.5'
I was going to keep it conservative and update to the most recent version of 0.5.X, but after looking through the Changelog, I think it's ok to upgrade to 1.1.0 since the only breaking changes between 0.5.X and 1.1.0 are the removal of support for old Ruby versions. The new dependencies that are added have to do with functionality that was extracted into other gems:
OAuth::CLI was extracted to the oauth-tty gem
OAuth::Consumer#options was extracted to the snaky_hash gem
QA Notes:
Run bin/parallel_rspec to ensure there are no spec failures related to the update.
Install bundler-audit if it's not already installed: gem install bundler-audit.
Run bundler-audit and ensure that oauth is not included in the list of vulnerabilities.
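The QA steps above amount to "run bundler-audit and make sure oauth no longer appears, and that the installed version satisfies the advisory's Solution requirement". The following is an added example (my own code, not part of this PR or of the oauth gem) that parses the plain-text record format bundler-audit prints (the block at the top of the PR is one such record) and performs both checks with RubyGems' own version matcher. The report text is a constructed sample; only the oauth record's values come from the PR description, and the function names are mine.

```ruby
# Added example (not part of the PR or the oauth gem): parse the plain-text
# report format that bundler-audit prints and check (a) whether a given gem is
# still flagged and (b) whether a candidate version satisfies the advisory's
# "Solution" requirement.
require "rubygems"

# Constructed sample report in the shape bundler-audit prints. Only the oauth
# record's values are taken from the PR description.
SAMPLE_REPORT = <<~REPORT
  Name: oauth
  Version: 0.5.4
  CVE: CVE-2016-11086
  GHSA: GHSA-7359-3c6r-hfc2
  Criticality: High
  URL: https://github.com/advisories/GHSA-7359-3c6r-hfc2
  Title: Improper Certificate Validation in oauth ruby gem
  Solution: upgrade to '>= 0.5.5'

  Vulnerabilities found!
REPORT

# Split the report into one Hash per advisory record. Records are separated by
# blank lines; lines that are not "Key: value" pairs (the trailing summary
# line) are ignored.
def parse_audit_report(text)
  text.split(/\n{2,}/).map do |chunk|
    chunk.lines.each_with_object({}) do |line, rec|
      key, value = line.strip.split(/:\s+/, 2)
      rec[key] = value if key && value
    end
  end.reject(&:empty?)
end

# Names of gems that appear in at least one advisory record.
def flagged_gems(text)
  parse_audit_report(text).map { |r| r["Name"] }.compact.uniq
end

# The QA check from the PR: true when the named gem is absent from the report.
def gem_clean?(text, gem_name)
  !flagged_gems(text).include?(gem_name)
end

# Pull the version requirement out of "Solution: upgrade to '>= 0.5.5'" and
# build a Gem::Requirement from it.
def solution_requirement(record)
  spec = record["Solution"][/'([^']+)'/, 1]
  Gem::Requirement.new(spec)
end

# True when the candidate version satisfies the advisory's requirement, using
# RubyGems' own comparison rules (so "1.1.0" >= "0.5.5" is handled correctly).
def version_fixes?(record, version)
  solution_requirement(record).satisfied_by?(Gem::Version.new(version))
end

if __FILE__ == $PROGRAM_NAME
  records = parse_audit_report(SAMPLE_REPORT)
  oauth = records.find { |r| r["Name"] == "oauth" }
  puts "flagged gems: #{flagged_gems(SAMPLE_REPORT).inspect}"
  %w[0.5.4 0.5.5 1.1.0].each do |v|
    puts "oauth #{v} satisfies #{solution_requirement(oauth)}? #{version_fixes?(oauth, v)}"
  end
end
```

In practice you would feed it the captured output of `bundle-audit check --update` rather than the embedded sample; the point of `version_fixes?` is that it is the same matcher Bundler uses, so it confirms that 1.1.0 (the version this PR moves to) satisfies `>= 0.5.5` while 0.5.4 does not.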