nov/apple_id

Support rack >= 2.1.4

benbergstein-lumoslabs opened this issue · 3 comments

Motivation

The rack < 2.1.4 gem contains a security vulnerability. Updating to 2.1.4 or higher is the recommended remediation, and many applications will want to pursue it.

Overview

The apple_id gem has rack-oauth2 as a dependency, pinned at ~> 1.12. The rack-oauth2 gem begins support for rack >= 2.1.4 at version ~> 1.13. Bumping this gem's dependency on rack-oauth2 will add support for rack >= 2.1.4.

$ git diff
diff --git a/apple_id.gemspec b/apple_id.gemspec
index f4c4781..0372ad6 100644
--- a/apple_id.gemspec
+++ b/apple_id.gemspec
@@ -18,7 +18,7 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']

-  spec.add_runtime_dependency 'rack-oauth2', '~> 1.12'
+  spec.add_runtime_dependency 'rack-oauth2', '~> 1.13'
   spec.add_runtime_dependency 'openid_connect', '~> 1.1.7'
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'rake'
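Review bot: Raising the floor to '~> 1.13' constrains rack-oauth2 only; in the Gemfile.lock excerpt further down, rack-oauth2 1.16.0 itself declares rack (>= 2.1.0), so this change alone does not guarantee that rack >= 2.1.4 is installed in a dependent application. Consider noting in the changelog or README that applications must run bundle update rack (or pin rack >= 2.1.4 in their own Gemfile) to pick up the fixed version, since the pessimistic '~> 1.13' constraint is satisfied by the resolved 1.16.0 but says nothing about rack directly.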
$ cat Gemfile.lock | grep " rack"
      rack-oauth2 (~> 1.13)
      rack-oauth2 (>= 1.6.1)
    rack (2.2.3)
    rack-oauth2 (1.16.0)
      rack (>= 2.1.0)

Hi @benbergstein-lumoslabs

Bumped into this one since I'm working on a related update and I don't know if you have resolved this on your side.
Since apple_id.gemspec specifies rack-oauth2 with '~> 1.12', it should be okay to upgrade rack-oauth2 directly.

From my test, with a new project that requires apple_id, the installed rack-oauth2 will be 1.16.

For an existing project, you can specify the version in your Gemfile or gemspec.

gem 'rack-oauth2', '~> 1.16'

Then run bundle update rack-oauth2, or bundle update if you want to update all your gems.
This should install rack-oauth2 version 2.16 and update your Gemfile.lock accordingly.
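The issue body and the comment above both turn on two questions: does a pessimistic constraint such as ~> 1.13 admit the rack-oauth2 1.16.0 that Bundler resolves, and does the resolved rack actually sit at or above 2.1.4 rather than merely satisfying rack-oauth2's own rack (>= 2.1.0) floor? The following Ruby script is an added example, not code from the apple_id or rack-oauth2 projects. It parses a constructed Gemfile.lock fragment modelled on the excerpt quoted in the issue (the apple_id version 0.0.0 in it is a placeholder) using only RubyGems' Gem::Version and Gem::Requirement, so it runs offline.

```ruby
# Added example: evaluate Gemfile.lock contents against version constraints
# with RubyGems' own Gem::Version / Gem::Requirement (no Bundler needed).
require 'rubygems'

# Constructed Gemfile.lock fragment modelled on the excerpt in the issue.
# The apple_id version below is a placeholder, not a real release number.
SAMPLE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    apple_id (0.0.0)
      openid_connect (~> 1.1.7)
      rack-oauth2 (~> 1.13)
    rack (2.2.3)
    rack-oauth2 (1.16.0)
      rack (>= 2.1.0)
LOCK

# Parse the "specs:" section of a lockfile. A resolved gem is indented by
# exactly four spaces as "name (version)"; its dependencies follow at six
# spaces as "name (requirement)" or bare "name" (meaning ">= 0").
# Returns { name => { version: Gem::Version, deps: { name => Gem::Requirement } } }.
def parse_lock(lock_text)
  specs = {}
  current = nil
  lock_text.each_line do |line|
    if (m = line.match(/\A {4}(\S+) \(([^)]*)\)\s*\z/))
      current = m[1]
      specs[current] = { version: Gem::Version.new(m[2]), deps: {} }
    elsif current && (m = line.match(/\A {6}(\S+)(?: \(([^)]*)\))?\s*\z/))
      reqs = m[2] ? m[2].split(',').map(&:strip) : ['>= 0']
      specs[current][:deps][m[1]] = Gem::Requirement.new(*reqs)
    end
  end
  specs
end

# Does a single requirement string (e.g. "~> 1.13") accept a given version?
def satisfies?(version, requirement)
  Gem::Requirement.new(requirement).satisfied_by?(Gem::Version.new(version))
end

# Would the requirement that `dependent` declares on `dependency` accept
# `candidate`? Shows how loose a transitive floor such as rack (>= 2.1.0) is.
def dependency_allows?(specs, dependent, dependency, candidate)
  req = specs.fetch(dependent)[:deps].fetch(dependency)
  req.satisfied_by?(Gem::Version.new(candidate))
end

# The check an application actually cares about: is the *resolved* rack at or
# above the fixed version, regardless of what any gemspec merely permits?
def resolved_rack_fixed?(specs, minimum = '2.1.4')
  version = specs.dig('rack', :version)
  !version.nil? && Gem::Requirement.new(">= #{minimum}").satisfied_by?(version)
end

if __FILE__ == $PROGRAM_NAME
  specs = parse_lock(SAMPLE_LOCK)
  puts "rack-oauth2 resolved: #{specs['rack-oauth2'][:version]}"
  puts "~> 1.13 accepts it:  #{satisfies?(specs['rack-oauth2'][:version].to_s, '~> 1.13')}"
  puts "rack-oauth2's floor would still allow rack 2.1.3: " \
       "#{dependency_allows?(specs, 'rack-oauth2', 'rack', '2.1.3')}"
  puts "resolved rack >= 2.1.4: #{resolved_rack_fixed?(specs)}"
end
```

The point of the last two checks is that a gemspec constraint is a permission, not an installation: the only thing that tells you an application is no longer on a vulnerable rack is the version line for rack in its own Gemfile.lock, which is what resolved_rack_fixed? inspects.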