We had been on an old version of OmniAuth with some outstanding alerts, along with some aged plugins. This updates everything to latest, and switches to a different stale Bitbucket integration, but one that actually uses OAuth2 now.
This does introduce a new (silenced) warning about allowing OAuth requests by GET, and this is in fact insecure. But it's also something the app has been doing the whole time. So, while it's something to resolve, it shouldn't block other fixes.
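The GET exposure mentioned in the description, as an added Ruby sketch that is not part of this PR or of OmniAuth's code: a simplified model of the request-phase gate, with the GET-plus-POST setting beside a POST-only one that checks a CSRF token. `RequestPhaseGate`, its return symbols and the sample session are hypothetical names for illustration.

```ruby
require "securerandom"

# Simplified model of the request-phase gate (/auth/:provider); not OmniAuth's own code.
# In OmniAuth 2.x the corresponding real settings are
# OmniAuth.config.allowed_request_methods and OmniAuth.config.silence_get_warning.
class RequestPhaseGate
  def initialize(allowed_methods:)
    @allowed_methods = allowed_methods
  end

  # session: server-side session hash; params: submitted form/query params.
  # Returns :redirect_to_provider when the OAuth flow may start, otherwise a rejection.
  def call(method, session, params)
    return :method_not_allowed unless @allowed_methods.include?(method)
    # A GET carries no CSRF token, so a cross-site link can start the flow
    # without the user intending it.
    return :redirect_to_provider if method == :get
    token = session[:csrf]
    submitted = params["authenticity_token"]
    return :invalid_token if token.nil? || submitted.nil?
    secure_compare(token, submitted) ? :redirect_to_provider : :invalid_token
  end

  private

  # Constant-time comparison so the token is not leaked through timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample data.
SESSION = { csrf: SecureRandom.hex(16) }.freeze
LEGACY = RequestPhaseGate.new(allowed_methods: %i[get post]) # behaviour the PR keeps
HARDENED = RequestPhaseGate.new(allowed_methods: %i[post])   # the follow-up fix

def demo
  {
    legacy_cross_site_get: LEGACY.call(:get, SESSION, {}),
    hardened_cross_site_get: HARDENED.call(:get, SESSION, {}),
    hardened_forged_post: HARDENED.call(:post, SESSION, { "authenticity_token" => "guess" }),
    hardened_real_form: HARDENED.call(:post, SESSION, { "authenticity_token" => SESSION[:csrf] })
  }
end

p demo if $PROGRAM_NAME == __FILE__
```

Moving to POST-only also means the app's login links have to become forms or buttons that submit the session's token.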