omniauth / omniauth-oauth2

An abstract OAuth2 strategy for OmniAuth.
MIT License
502 stars, 304 forks

Use omniauth 2.x to ensure latest security updates #152

Closed lucas-aragno closed 2 years ago

lucas-aragno commented 2 years ago

My team has been working on some security updates on our app, and we noticed omniauth-oauth2 was listing any version of omniauth between 1.9 and 3 as a valid dependency. Because of that we kept running into this security issue. We manually enforced omniauth 2.x in our Gemfile to solve it, but I thought it may be useful to bump the version directly in the gem, since the issue seems to exist in all 1.9.x versions.

coveralls commented 2 years ago

Pull Request Test Coverage Report for Build 2397096803

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Totals Coverage Status
Change from base Build 1747006164: 0.0%
Covered Lines: 77
Relevant Lines: 91

💛 - Coveralls

BobbyMcWho commented 2 years ago

So, the reason I left it flexible was that omniauth 2 had some breaking changes, and not all third-party omniauth strategies that inherit from this gem had updated and tested against the new omniauth. I'm not opposed to being stricter on this, but it would likely be a major version bump for this gem.

Also, prefer '~> 2.0' to ['>= 2.0', '< 3']
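The two constraint spellings discussed in this thread can be checked against RubyGems' own requirement parser. The following is an added example and not code from the omniauth-oauth2 project; the version list is a constructed sample for illustration, not a lookup of actual omniauth releases. It shows that the pessimistic operator `~> 2.0` admits exactly the same versions as `['>= 2.0', '< 3']`, that the original `>= 1.9, < 3` range still admits every 1.9.x release, and that a three-component `~> 2.0.1` is narrower than `~> 2.0`.

```ruby
require 'rubygems' # provides Gem::Requirement and Gem::Version

# Constructed sample version list (assumption: not a list of real releases).
SAMPLE_VERSIONS = %w[1.8.1 1.9.0 1.9.1 1.9.2 2.0.0 2.0.4 2.1.0 2.1.1 3.0.0].freeze

# Return the versions from +versions+ that satisfy a dependency constraint.
# +constraints+ takes the same strings you would pass to add_dependency in a
# gemspec, either a single string ('~> 2.0') or an array (['>= 2.0', '< 3']).
def admitted_versions(constraints, versions = SAMPLE_VERSIONS)
  requirement = Gem::Requirement.new(*Array(constraints))
  versions.select { |v| requirement.satisfied_by?(Gem::Version.new(v)) }
end

# True when two constraint specs admit exactly the same subset of +versions+.
def equivalent_constraints?(a, b, versions = SAMPLE_VERSIONS)
  admitted_versions(a, versions) == admitted_versions(b, versions)
end

if __FILE__ == $PROGRAM_NAME
  {
    'old gemspec range' => ['>= 1.9', '< 3'],
    'proposed range'    => ['>= 2.0', '< 3'],
    'pessimistic'       => '~> 2.0',
    'narrow pessimistic' => '~> 2.0.1'
  }.each do |label, constraint|
    puts format('%-19s %-18s -> %s', label, Array(constraint).join(', '),
                admitted_versions(constraint).join(' '))
  end
  puts "~> 2.0 equivalent to >= 2.0, < 3: #{equivalent_constraints?('~> 2.0', ['>= 2.0', '< 3'])}"
end
```

Running the file prints one row per constraint; the point a reviewer cares about is that the pre-PR range keeps 1.9.0, 1.9.1 and 1.9.2 installable, while `~> 2.0` excludes them without also excluding future 2.x releases.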

lucas-aragno commented 2 years ago

I see, yeah I thought that may be the case. I agree this would require a major bump on the gem.

I think '~> 2.0' makes sense

lucas-aragno commented 2 years ago

@BobbyMcWho Any updates on this? I'm happy to close this PR for now if this isn't something we want to get in at the moment.

BobbyMcWho commented 2 years ago

Leave it open; it's just low priority for me at the moment.

BobbyMcWho commented 2 years ago

This has been released in v1.8.0 (release notes, rubygems).