Closed sameerchachiya closed 7 months ago

Hello 👋🏻
Rack version < 2 is causing vulnerabilities. There are included dependencies in this gem that have published CVEs.
In particular, it is vulnerable to CVE-2011-5036 and CVE-2022-30123.
Please resolve this to a version above 2.
Expected Behavior
Rack version greater than 2
Actual Behavior
Fetching a version less than 2

I would be happy to accept a PR for this work, but I haven't written significant Ruby in years and so I'm not confident that I know how to update something across major versions.

IMO, no work is needed here. The current constraint does not prevent downstream projects from using a patched and secure version of Rack.

It's not the request_store gem's responsibility to ensure downstream projects are free from security vulnerabilities. Rather, there is a responsibility not to force an insecure version.

It's not forcing an insecure version of Rack.

I have decided to bump this up anyway; this is in the 1.6 release: https://github.com/steveklabnik/request_store/commit/65e0efd247b89dc76f4e86cba741e7bf8ae45c7b