theodi / asset-manager


[Security] Bump omniauth from 1.3.1 to 1.4.2 #166

Open dependabot-preview[bot] opened 6 years ago

dependabot-preview[bot] commented 6 years ago

Bumps omniauth from 1.3.1 to 1.4.2. This update includes security fixes.

Vulnerabilities fixed

> **omniauth leaks authenticity token in callback params**
> In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.
>
> Patched versions: [">= 1.3.2"]
> Unaffected versions: []

Release notes

*Sourced from omniauth's [releases](https://github.com/omniauth/omniauth/releases).*

> ## v1.4.2
> ## Fixes
> - Mitigate Hashie regressions

Commits

- [`9897127`](https://github.com/omniauth/omniauth/commit/9897127b321856451f0ee1a000bdc59ee014df37) Bump version to 1.4.2
- [`6abedb0`](https://github.com/omniauth/omniauth/commit/6abedb008cd02956b39882fc7f9a80c2c12fde17) Merge pull request [#880](https://github-redirect.dependabot.com/omniauth/omniauth/issues/880) from omniauth/hashie
- [`df7699d`](https://github.com/omniauth/omniauth/commit/df7699d17eac634b85e9142ee21581be7d04d5e8) Temporary Hashie Regression Fix
- [`2dccbb5`](https://github.com/omniauth/omniauth/commit/2dccbb560ffb2396bbd8b5b976a05b0d322483f8) Bump version to 1.4.1
- [`3c0f586`](https://github.com/omniauth/omniauth/commit/3c0f586eb416a86723b2ff113dffb7b439fc873d) Merge pull request [#878](https://github-redirect.dependabot.com/omniauth/omniauth/issues/878) from omniauth/dependency-updates
- [`c299e30`](https://github.com/omniauth/omniauth/commit/c299e302616b2e3e5fc565b6d00ea69a81762eb8) Gem updates CI tests
- [`949ffca`](https://github.com/omniauth/omniauth/commit/949ffca137836b24fe30e032ca0b13ed613f9bc6) Bump version to 1.4.0
- [`0edc7ec`](https://github.com/omniauth/omniauth/commit/0edc7ec1dbf609b491f3aa1aa3ca5d3904740e27) Merge pull request [#874](https://github-redirect.dependabot.com/omniauth/omniauth/issues/874) from michaelherold/silence-mash-logger
- [`00481a9`](https://github.com/omniauth/omniauth/commit/00481a9edc05fbe26519e037154f723f9fcd6d5d) Silence Hashie::Mash logger on Hashie 3.5.0+
- [`cb82bb4`](https://github.com/omniauth/omniauth/commit/cb82bb443e0dafeabf008dab0348921bfec1fb46) Merge pull request [#876](https://github-redirect.dependabot.com/omniauth/omniauth/issues/876) from omniauth/secure-asset-url
- Additional commits viewable in [compare view](https://github.com/omniauth/omniauth/compare/v1.3.1...v1.4.2)


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot ignore this [minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use [this|these] label[s]` will set the current labels as the default for future PRs for this repo and language

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Out-of-range updates (receive only lockfile updates, if desired)

Finally, you can contact us by mentioning @dependabot.
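The advisory quoted in the PR description says the request phase stored POST parameters (not just GET) in the session, so a form-submitted `authenticity_token` reappeared in the callback phase. The Ruby below is an added illustration written for this page, not OmniAuth's code and not this repository's code: it models a simplified request phase with the pattern the advisory describes beside a hardened one that keeps only query-string parameters, plus a callback-side check a reviewer can use to confirm nothing secret-bearing was persisted. The request, parameter values, session key and helper names are all constructed for the example.

```ruby
require 'uri'

# Constructed stand-in for a request arriving at a strategy's request phase
# (think of a form POST to /auth/provider?origin=/dashboard). This is a plain
# hash, not a real Rack env, so the example runs with the standard library only.
def constructed_request
  {
    method: 'POST',
    query:  'origin=%2Fdashboard&scope=read',
    body:   'authenticity_token=csrf-token-value&utf8=%E2%9C%93'
  }
end

# Query-string (GET) parameters only.
def get_params(req)
  URI.decode_www_form(req[:query].to_s).to_h
end

# Form-body (POST) parameters only; empty for anything that is not a POST.
def post_params(req)
  return {} unless req[:method] == 'POST'
  URI.decode_www_form(req[:body].to_s).to_h
end

# The pattern the advisory describes: GET and POST parameters merged and
# stashed in the session so they are available again in the callback phase.
# Whatever the form submitted, the CSRF token included, is stored with them.
def request_phase_store_all(req, session)
  session['omniauth.params'] = get_params(req).merge(post_params(req))
  session
end

# Hardened pattern: only query-string parameters survive the redirect; the
# form body (where the CSRF token travels) is never written to the session.
def request_phase_store_get_only(req, session)
  session['omniauth.params'] = get_params(req)
  session
end

# Callback-phase check: which persisted keys are secret-bearing? Returns an
# empty array when the session is clean. The key list is an assumption for
# this example; extend it with whatever your app treats as sensitive.
SENSITIVE_KEYS = %w[authenticity_token].freeze

def leaked_keys(session)
  stored = session['omniauth.params'] || {}
  stored.keys & SENSITIVE_KEYS
end

if __FILE__ == $PROGRAM_NAME
  req = constructed_request
  puts "store all:      leaked=#{leaked_keys(request_phase_store_all(req, {})).inspect}"
  puts "store GET only: leaked=#{leaked_keys(request_phase_store_get_only(req, {})).inspect}"
end
```

Run stand-alone, the first line reports `["authenticity_token"]` and the second `[]`; the same `leaked_keys` check is a cheap regression guard to keep in an app's callback-phase tests after bumping an auth library.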