It appears that to prevent a CVE issue with ActiveSupport < 5.2.5 we
added activesupport as a direct dependency to fake_idp and made some
decisions on which version to lock to.
Because activesupport is only a dependency of activemodel, and
activemodel is itself a dependency of xmlenc, we can promote the
use of activemodel >= 5.2.5 which would thereby promote avoidance of
that previous CVE but without preventing users from using Rails 6.
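As an added example (not the fake_idp project's own code), the check a reviewer would want for this change: read a Gemfile.lock, confirm the transitively resolved activesupport is at or above 5.2.5, and confirm that a `>= 5.2.5` pin on activemodel still admits a Rails 6 version. The lockfile excerpt and its version numbers are constructed for illustration.

```ruby
# Added example, not part of fake_idp. Uses only rubygems (stdlib) helpers.
require 'rubygems'

# Constructed Gemfile.lock excerpt (not a real lockfile); versions are sample values.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activemodel (6.0.3.4)
        activesupport (= 6.0.3.4)
      activesupport (6.0.3.4)
        concurrent-ruby (~> 1.0, >= 1.0.2)
      xmlenc (0.7.1)
        activemodel (>= 3.0.0)
        nokogiri (>= 1.6.7)
LOCK

# Collect "name (version)" spec lines into { name => Gem::Version }.
# Spec lines are indented by exactly four spaces; their dependency
# lines (six spaces) are skipped, so only resolved versions are kept.
def locked_versions(lock_text)
  lock_text.each_line.with_object({}) do |line, versions|
    next unless line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
    versions[Regexp.last_match(1)] = Gem::Version.new(Regexp.last_match(2))
  end
end

# True when the gem is present in the lock and its resolved version
# satisfies the requirement string (e.g. ">= 5.2.5").
def satisfies?(lock_text, gem_name, requirement)
  version = locked_versions(lock_text)[gem_name]
  return false if version.nil?
  Gem::Requirement.new(requirement).satisfied_by?(version)
end

# Does a proposed pin admit a given candidate version?
# Used to show that ">= 5.2.5" keeps Rails 6 installable.
def pin_allows?(pin, candidate)
  Gem::Requirement.new(pin).satisfied_by?(Gem::Version.new(candidate))
end

if __FILE__ == $PROGRAM_NAME
  puts "activesupport >= 5.2.5 in lock: #{satisfies?(SAMPLE_LOCK, 'activesupport', '>= 5.2.5')}"
  puts "pin admits Rails 6.0.3.4:      #{pin_allows?('>= 5.2.5', '6.0.3.4')}"
  puts "pin admits 5.2.4.3:            #{pin_allows?('>= 5.2.5', '5.2.4.3')}"
end
```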