titusfortner / webdrivers

Keep your Selenium WebDrivers updated automatically
MIT License

Address rubyzip CVE-2019-16892 #154

Closed nfm closed 5 years ago

nfm commented 5 years ago

There's a security issue in rubyzip ~> 1.0, which is mitigated in rubyzip >= 2.0.0. See https://github.com/rubyzip/rubyzip/pull/403 for full details. webdrivers has a runtime dependency on rubyzip ~> 1.0.

I'm not sure if webdrivers' usage of rubyzip is vulnerable but locking to rubyzip ~> 1.0 is problematic for us as 1.x is insecure by default.

It looks like the only other breaking change in rubyzip 2.0.0 is dropping support for EOL Ruby versions, so hopefully bumping the dep to rubyzip ~> 2.0 is pretty painless.

Alternatively, webdrivers could opt-in to the new checks available in rubyzip >= 1.3.0 as outlined in https://github.com/rubyzip/rubyzip/pull/403.

:heart:
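As an added example, not code from webdrivers or rubyzip: the opt-in check that rubyzip 1.3.0 introduced in PR 403 is the global `Zip.validate_entry_sizes = true` setting, which 2.0.0 turns on by default. The script below, standard library only, shows what such a check has to do when extracting a downloaded driver archive: stop inflating as soon as an entry grows past the size its header declares, refuse an entry whose real size differs from the declared one, and cap the total output. The archive builder, the `EntrySizeError` class and the helper names are this example's own; the forged header with `declared_size: 10` is constructed input standing in for a malicious archive.

```ruby
require 'zlib'
require 'stringio'

# Added example, not code from webdrivers or rubyzip. A minimal reader for the
# local-file-header stream of a zip that enforces what a size-validating
# extractor must: the entry's declared uncompressed size has to match what
# actually inflates (checked while inflating, not after), and the whole
# archive must stay under a hard byte cap.

LOCAL_HEADER_SIG = 0x04034b50
STORED  = 0
DEFLATE = 8

# Our own exception name for the example (rubyzip has its own class).
class EntrySizeError < StandardError; end

# Constructed test input: a single-entry archive with no central directory.
# `declared_size` lets us forge a header that lies about the entry's size,
# which is the condition behind the rubyzip advisory discussed above.
def build_zip(name, data, declared_size: nil)
  d = Zlib::Deflate.new(Zlib::BEST_COMPRESSION, -Zlib::MAX_WBITS) # raw deflate
  raw = d.deflate(data, Zlib::FINISH)
  d.close
  header = [LOCAL_HEADER_SIG, 20, 0, DEFLATE, 0, 0,
            Zlib.crc32(data), raw.bytesize, declared_size || data.bytesize,
            name.bytesize, 0].pack('VvvvvvVVVvv')
  header + name.b + raw
end

# Inflate raw deflate data, aborting as soon as the output exceeds `limit`
# bytes so a tiny input that expands enormously never fills memory.
def inflate_bounded(comp, limit)
  out = +''.b
  zs = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  begin
    zs.inflate(comp) do |chunk|
      out << chunk
      raise EntrySizeError, "entry inflates past its declared #{limit} bytes" if out.bytesize > limit
    end
  ensure
    zs.close
  end
  out
end

# Walk the local headers and return {name => data}, or raise EntrySizeError.
def extract_entries(zip_bytes, max_total_bytes:)
  io = StringIO.new(zip_bytes)
  entries = {}
  total = 0
  while (sig = io.read(4)) && sig.unpack1('V') == LOCAL_HEADER_SIG
    _ver, flags, method, _mt, _md, crc, csize, declared, nlen, xlen =
      io.read(26).unpack('vvvvvVVVvv')
    # Simplification: entries with a trailing data descriptor (flag bit 3)
    # keep their sizes after the data; reject them rather than trust nothing.
    raise EntrySizeError, 'data-descriptor entries not supported' if flags & 0x8 != 0
    name = io.read(nlen).force_encoding('UTF-8')
    io.read(xlen)
    comp = io.read(csize)
    data = case method
           when STORED  then comp
           when DEFLATE then inflate_bounded(comp, declared)
           else raise EntrySizeError, "#{name}: unsupported method #{method}"
           end
    unless data.bytesize == declared
      raise EntrySizeError, "#{name}: header declares #{declared} bytes, got #{data.bytesize}"
    end
    raise EntrySizeError, "#{name}: crc mismatch" unless Zlib.crc32(data) == crc
    total += data.bytesize
    raise EntrySizeError, "archive exceeds cap of #{max_total_bytes} bytes" if total > max_total_bytes
    entries[name] = data
  end
  entries
end

# true if the archive is refused by the size checks
def rejected?(zip_bytes, max_total_bytes:)
  extract_entries(zip_bytes, max_total_bytes: max_total_bytes)
  false
rescue EntrySizeError
  true
end

if __FILE__ == $PROGRAM_NAME
  honest = build_zip('chromedriver', 'A' * 100_000)
  lying  = build_zip('chromedriver', 'A' * 100_000, declared_size: 10)
  puts "honest archive: #{extract_entries(honest, max_total_bytes: 1_000_000)['chromedriver'].bytesize} bytes"
  puts "lying header rejected: #{rejected?(lying, max_total_bytes: 1_000_000)}"
  puts "honest archive over cap rejected: #{rejected?(honest, max_total_bytes: 50_000)}"
end
```

The point of checking inside the inflate callback rather than comparing sizes afterwards is that a forged header is exactly the case where the "afterwards" never arrives: the entry has already been inflated into memory or onto disk before the comparison runs. A consumer of rubyzip gets the equivalent by setting `Zip.validate_entry_sizes = true` (1.3.x) or moving to 2.x; the total cap is an extra belt-and-braces limit a downloader of known-size driver binaries can afford to set tightly.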

nfm commented 5 years ago

Sorry, I didn't see https://github.com/titusfortner/webdrivers/pull/153 before opening this issue.

Will leave this open for now until that merges in case anyone else goes to open an issue to track this.

kapoorlakshya commented 5 years ago

@nfm I have released v4.1.3 with the fix for this.