Open lafeber opened 4 years ago
I have the same problem
Dependabot cannot update omniauth to a non-vulnerable version
The latest possible version that can be installed is 1.9.2 because of the following conflicting dependencies:
omniauth-google-oauth2 (0.8.2) requires omniauth (~> 1.1)
omniauth-salesforce (1.1.0) requires omniauth (~> 1.0)
omniauth-saml (1.10.3) requires omniauth (~> 1.3, >= 1.3.2)
<================
I'm surprised that it also affects 2 other gems that I use; the upgrade can't be easy, I suppose.
See https://github.com/omniauth/omniauth/pull/809 - about a CSRF vulnerability which affects OmniAuth (designated CVE-2015-9284)
What to do?
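An added example, not part of the original thread: it parses the three constraint lines from the Dependabot message above with RubyGems' own `Gem::Requirement` and reports which gems block a given omniauth version. The candidate version list and the helper names are constructed for illustration; a real check would take candidates from the gem index.

```ruby
require "rubygems"

# Constraint lines copied from the Dependabot message quoted in the thread.
DEPENDABOT_LINES = <<~TEXT
  omniauth-google-oauth2 (0.8.2) requires omniauth (~> 1.1)
  omniauth-salesforce (1.1.0) requires omniauth (~> 1.0)
  omniauth-saml (1.10.3) requires omniauth (~> 1.3, >= 1.3.2)
TEXT

# Constructed sample of omniauth versions (assumption, not a full release list).
CANDIDATES = %w[1.3.1 1.9.1 1.9.2 2.0.0].map { |v| Gem::Version.new(v) }

LINE_RE = /\A(\S+) \((\S+)\) requires (\S+) \((.+)\)\z/

# Turn each "gem (ver) requires dep (constraints)" line into a requirement.
def parse_constraints(text)
  text.each_line(chomp: true).map do |line|
    m = LINE_RE.match(line.strip) or raise ArgumentError, "unparsed line: #{line}"
    { gem: m[1], version: m[2], dep: m[3],
      requirement: Gem::Requirement.new(*m[4].split(/,\s*/)) }
  end
end

# Highest candidate that every dependent gem accepts.
def highest_allowed(constraints, candidates)
  candidates.select { |v| constraints.all? { |c| c[:requirement].satisfied_by?(v) } }.max
end

# Names of the gems whose constraint rejects the target version.
def blockers(constraints, target)
  v = Gem::Version.new(target)
  constraints.reject { |c| c[:requirement].satisfied_by?(v) }.map { |c| c[:gem] }
end

if __FILE__ == $0
  cs = parse_constraints(DEPENDABOT_LINES)
  puts "highest allowed: #{highest_allowed(cs, CANDIDATES)}"
  puts "blocking 2.0.0:  #{blockers(cs, '2.0.0').join(', ')}"
end
```

Because `~> 1.x` caps the dependency below 2.0, each gem listed as a blocker has to publish a release with a relaxed constraint (or be replaced) before Bundler can resolve a newer major version.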