Closed benbergstein-lumoslabs closed 2 years ago
$ git diff
diff --git a/apple_id.gemspec b/apple_id.gemspec
index f4c4781..0372ad6 100644
--- a/apple_id.gemspec
+++ b/apple_id.gemspec
@@ -18,7 +18,7 @@ Gem::Specification.new do |spec|
spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
spec.require_paths = ['lib']
- spec.add_runtime_dependency 'rack-oauth2', '~> 1.12'
+ spec.add_runtime_dependency 'rack-oauth2', '~> 1.13'
spec.add_runtime_dependency 'openid_connect', '~> 1.1.7'
spec.add_development_dependency 'bundler'
spec.add_development_dependency 'rake'
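Review bot: the bump to `spec.add_runtime_dependency 'rack-oauth2', '~> 1.13'` raises the floor for rack-oauth2 but does not by itself force a patched rack: the Gemfile.lock output shown just below lists `rack-oauth2 (1.16.0)` depending only on `rack (>= 2.1.0)`, so a resolution with rack anywhere in 2.1.0 through 2.1.3 still satisfies every constraint in this gem. If the rack remediation is the point of the PR, consider also declaring `spec.add_runtime_dependency 'rack', '>= 2.1.4'` next to this line, or at least stating in the PR description that consumers must run `bundle update rack` (not only `bundle update apple_id`) to pick up the fix. A changelog entry noting the new rack-oauth2 minimum would help downstream users decide whether to upgrade.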
$ cat Gemfile.lock | grep " rack"
rack-oauth2 (~> 1.13)
rack-oauth2 (>= 1.6.1)
rack (2.2.3)
rack-oauth2 (1.16.0)
rack (>= 2.1.0)
Thanks!
Hi @benbergstein-lumoslabs
Bumped into this one since I'm working on a related update, and I don't know if you have resolved this on your side.

Since `apple_id.gemspec` specifies `rack-oauth2` with `~> 1.12`, it should be okay to upgrade `rack-oauth2` directly.

In my test, with a new project that requires `apple_id`, the installed `rack-oauth2` will be 1.16.

For an existing project, you can specify the version in your Gemfile or gemspec:

```ruby
gem 'rack-oauth2', '~> 1.16'
```

Then run `bundle update rack-oauth2`, or `bundle update` if you want to update all your gems. This should install and update your Gemfile.lock with rack-oauth2 version: 2.16.
Motivation

The `rack < 2.1.4` gem contains a security vulnerability. Updating to 2.1.4 or higher is the recommended remediation, and many applications will want to pursue it.

Overview

The `apple_id` gem has `rack-oauth2` as a dependency, pinned at `~> 1.12`. The `rack-oauth2` gem begins support for `rack >= 2.1.4` at version `~> 1.13`. Bumping this gem's dependency on `rack-oauth2` will add support for `rack > 2.1.4`.
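The dependency chain described in the Motivation and Overview is easy to get wrong in practice, because a raised floor on `rack-oauth2` only helps if the resolved `rack` actually ends up at or above 2.1.4. The following script, added here as an example and not code from the PR or the apple_id project, parses the `specs:` section of a Gemfile.lock with RubyGems' own `Gem::Version` / `Gem::Requirement` classes and checks two things: that the locked `rack` satisfies `>= 2.1.4` and the locked `rack-oauth2` satisfies the new gemspec floor `~> 1.13`, and whether the constraint `rack-oauth2` places on `rack` would still admit a vulnerable 2.1.x. The embedded lockfile is constructed for the example; the `rack` and `rack-oauth2` versions match the lock output in the thread, while `apple_id (0.0.0)` is a placeholder version.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement ship with Ruby

# Constructed sample Gemfile.lock (not from the PR). rack / rack-oauth2 versions
# mirror the `grep " rack"` output in the thread; apple_id's version is a placeholder.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      apple_id (0.0.0)
        rack-oauth2 (~> 1.13)
      rack (2.2.3)
      rack-oauth2 (1.16.0)
        rack (>= 2.1.0)
LOCK

# Checks a defender would run against the lock: the locked rack must carry the
# fix, and the locked rack-oauth2 must satisfy the floor the gemspec now declares.
CHECKS = { 'rack' => '>= 2.1.4', 'rack-oauth2' => '~> 1.13' }.freeze

# Parse the GEM/specs section of a Gemfile.lock.
# Returns { gem_name => { version: Gem::Version, deps: { dep_name => Gem::Requirement } } }.
# Spec lines are indented 4 spaces ("    rack (2.2.3)"), their dependencies 6
# spaces ("      rack (>= 2.1.0)"); the section ends at a blank or less-indented line.
def parse_lock_specs(text)
  specs = {}
  current = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    if line.strip == 'specs:'
      in_specs = true
      next
    end
    next unless in_specs
    break if line.strip.empty? || !line.start_with?('    ')
    indent = line[/\A */].size
    if indent == 4 && line =~ /\A {4}(\S+) \(([^)]+)\)\z/
      current = Regexp.last_match(1)
      specs[current] = { version: Gem::Version.new(Regexp.last_match(2)), deps: {} }
    elsif indent == 6 && current && line =~ /\A {6}(\S+)(?: \(([^)]+)\))?\z/
      reqs = (Regexp.last_match(2) || '>= 0').split(', ')
      specs[current][:deps][Regexp.last_match(1)] = Gem::Requirement.new(reqs)
    end
  end
  specs
end

# Evaluate each check against the locked version; returns [name, version, requirement, ok?] rows.
def audit(specs, checks = CHECKS)
  checks.map do |gem_name, req|
    version = specs.dig(gem_name, :version)
    ok = !version.nil? && Gem::Requirement.new(req).satisfied_by?(version)
    [gem_name, version&.to_s, req, ok]
  end
end

# True only when every check passes for the given lockfile text.
def lock_ok?(text, checks = CHECKS)
  audit(parse_lock_specs(text), checks).all? { |row| row.last }
end

# Does the requirement `gem_name` places on `dep` still admit `bad_version`?
# For the sample lock this is true: rack-oauth2 1.16.0 only demands rack >= 2.1.0,
# so the gemspec bump alone does not exclude rack 2.1.0..2.1.3.
def constraint_admits?(specs, gem_name, dep, bad_version)
  req = specs.dig(gem_name, :deps, dep)
  return true if req.nil? # no constraint at all
  req.satisfied_by?(Gem::Version.new(bad_version))
end

if $PROGRAM_NAME == __FILE__
  specs = parse_lock_specs(SAMPLE_LOCK)
  audit(specs).each { |name, ver, req, ok| puts "#{name} #{ver} #{req}: #{ok ? 'OK' : 'FAIL'}" }
  puts "rack-oauth2's rack constraint admits 2.1.3: #{constraint_admits?(specs, 'rack-oauth2', 'rack', '2.1.3')}"
end
```

Run it against a real lockfile with `lock_ok?(File.read('Gemfile.lock'))`; the `constraint_admits?` result is the reason an application has to check its own resolved `rack` rather than trust the upgraded `rack-oauth2` constraint.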