omniauth / omniauth-saml

A generic SAML strategy for OmniAuth
https://github.com/omniauth/omniauth-saml

Update omniauth dependency #191

Open lafeber opened 4 years ago

lafeber commented 4 years ago

See https://github.com/omniauth/omniauth/pull/809 - about a CSRF vulnerability which affects OmniAuth (designated CVE-2015-9284)

What to do?

kriom commented 11 months ago

I have the same problem

Dependabot cannot update omniauth to a non-vulnerable version
The latest possible version that can be installed is 1.9.2 because of the following conflicting dependencies:

omniauth-google-oauth2 (0.8.2) requires omniauth (~> 1.1)
omniauth-salesforce (1.1.0) requires omniauth (~> 1.0)
omniauth-saml (1.10.3) requires omniauth (~> 1.3, >= 1.3.2) <================

I'm surprised that it also affects 2 other gems that I use; the upgrade can't be easy, I suppose.
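As an added example (not code from this thread or from the omniauth-saml project), the Ruby script below reproduces the conflict Dependabot reports: it checks the three requirements quoted above against a constructed list of candidate omniauth versions using RubyGems' own `Gem::Requirement`, and shows that every `~> 1.x` pin, not only omniauth-saml's, rejects a 2.x release. The candidate version list and the function names are assumptions made for the example.

```ruby
require "rubygems" # Gem::Requirement and Gem::Version ship with Ruby

# Requirements copied from the Dependabot message in the comment above.
CONSTRAINTS = {
  "omniauth-google-oauth2 (0.8.2)" => ["~> 1.1"],
  "omniauth-salesforce (1.1.0)"    => ["~> 1.0"],
  "omniauth-saml (1.10.3)"         => ["~> 1.3", ">= 1.3.2"],
}.freeze

# Constructed candidate omniauth versions to test against the pins.
# 2.0.0 is the first release that every "~> 1.x" fence excludes.
CANDIDATES = %w[1.3.1 1.3.2 1.9.2 2.0.0 2.1.0].freeze

# Returns the dependent gems whose requirement rejects `version`.
# "~> 1.3" means ">= 1.3, < 2.0", so 2.x fails it regardless of the ">= 1.3.2" clause.
def blockers_for(version, constraints = CONSTRAINTS)
  v = Gem::Version.new(version)
  constraints.reject { |_gem, reqs| Gem::Requirement.new(*reqs).satisfied_by?(v) }.keys
end

# Highest candidate accepted by every dependent gem, or nil if none is.
def max_installable(candidates = CANDIDATES, constraints = CONSTRAINTS)
  candidates.map { |c| Gem::Version.new(c) }
            .select { |v| blockers_for(v.to_s, constraints).empty? }
            .max&.to_s
end

if $PROGRAM_NAME == __FILE__
  CANDIDATES.each do |c|
    blockers = blockers_for(c)
    puts "#{c}: #{blockers.empty? ? 'installable' : 'blocked by ' + blockers.join(', ')}"
  end
  puts "max installable: #{max_installable.inspect}"
end
```

Running it prints 1.9.2 as the highest installable version and lists all three gems as blockers for 2.0.0, which is why relaxing omniauth-saml's pin alone would not let the resolver pick a non-vulnerable omniauth.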