From 23272d8de12d5b4bc43661b2c1e08ef351ac09fe Mon Sep 17 00:00:00 2001 From: Tyler Willingham Date: Fri, 16 Apr 2021 14:56:56 -0600 Subject: [PATCH] =?UTF-8?q?=E2=AC=86=EF=B8=8F=20Allow=20ActiveSupport=20ve?= =?UTF-8?q?rsions=20<=207.0=20(#47)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * 🔥 Remove explicit `activesupport` dependency It appears that to prevent a CVE issue with ActiveSupport < 5.2.5 we added `activesupport` as a direct dependency to fake_idp and made some decisions on which version to lock to. That decision was overly prescriptive. Because `activesupport` is only a dependency of `activemodel`, and activemodel is itself a dependency of `xmlenc`, we can lock promote the use of activemodel >= 5.2.5 which would thereby promote avoidance of that previous CVE but without preventing users from using Rails 6. * Bump version to 1.0.2 Co-authored-by: Kevin Peek
---
 Gemfile.lock | 25 +++++++++++++------------
 fake_idp.gemspec | 2 +-
 lib/fake_idp/version.rb | 2 +-
 3 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/Gemfile.lock b/Gemfile.lock
index 5f7f7b1..2f9c0c2 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -8,8 +8,8 @@ GIT
 PATH
 remote: .
 specs:
- fake_idp (1.0.1)
- activesupport (~> 5.2.5)
+ fake_idp (1.0.2)
+ activemodel (>= 5.2.5, < 7.0)
 builder (>= 3.2.2)
 nokogiri (>= 1.10.5)
 ruby-saml (~> 1.11.0)
@@ -20,13 +20,14 @@ PATH
 GEM
 remote: https://rubygems.org/
 specs:
- activemodel (5.2.5)
- activesupport (= 5.2.5)
- activesupport (5.2.5)
+ activemodel (6.1.3.1)
+ activesupport (= 6.1.3.1)
+ activesupport (6.1.3.1)
 concurrent-ruby (~> 1.0, >= 1.0.2)
- i18n (>= 0.7, < 2)
- minitest (~> 5.1)
- tzinfo (~> 1.1)
+ i18n (>= 1.6, < 2)
+ minitest (>= 5.1)
+ tzinfo (~> 2.0)
+ zeitwerk (~> 2.3)
 builder (3.2.4)
 coderay (1.1.2)
 concurrent-ruby (1.1.8)
@@ -41,7 +42,7 @@ GEM
 minitest (5.14.4)
 mustermann (1.1.1)
 ruby2_keywords (~> 0.0.1)
- nokogiri (1.11.2)
+ nokogiri (1.11.3)
 mini_portile2 (~> 2.5.0)
 racc (~> 1.4)
 pry (0.12.2)
@@ -74,10 +75,9 @@ GEM
 rack-protection (= 2.0.8.1)
 tilt (~> 2.0)
 systemu (2.6.5)
- thread_safe (0.3.6)
 tilt (2.0.10)
- tzinfo (1.2.9)
- thread_safe (~> 0.1)
+ tzinfo (2.0.4)
+ concurrent-ruby (~> 1.0)
 uuid (2.3.8)
 macaddr (~> 1.0)
 xmlenc (0.7.1)
@@ -87,6 +87,7 @@ GEM
 xmlmapper (>= 0.7.3)
 xmlmapper (0.7.3)
 nokogiri (~> 1.5)
+ zeitwerk (2.4.2)

 PLATFORMS
 ruby
diff --git a/fake_idp.gemspec b/fake_idp.gemspec
index 839a18d..9119b35 100644
--- a/fake_idp.gemspec
+++ b/fake_idp.gemspec
@@ -24,7 +24,7 @@ Gem::Specification.new do |spec|
 spec.add_dependency "nokogiri", ">= 1.10.5"
 spec.add_dependency "builder", ">= 3.2.2"
- spec.add_dependency "activesupport", "~> 5.2.5"
+ spec.add_dependency "activemodel", ">= 5.2.5", "< 7.0"
 spec.add_dependency "xmlenc", ">= 0.7.1"
 spec.add_development_dependency "bundler", "~> 2"
diff --git a/lib/fake_idp/version.rb b/lib/fake_idp/version.rb
index 05d230f..94dbeb3 100644
--- a/lib/fake_idp/version.rb
+++ b/lib/fake_idp/version.rb
@@ -1,3 +1,3 @@
 module FakeIdp
- VERSION = "1.0.1"
+ VERSION = "1.0.2"
 end
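Review bot: The new gemspec line `spec.add_dependency "activemodel", ">= 5.2.5", "< 7.0"` now carries the ActiveSupport security floor only indirectly, and nothing in the file records why 5.2.5 is the minimum, so a later version bump could silently relax it. The commit message says the floor exists to avoid an ActiveSupport CVE but does not name the advisory; add a comment above the line such as `# >= 5.2.5: activemodel pins activesupport to the same version, keeping fake_idp off the vulnerable activesupport releases (record the CVE id from PR #47 here)`. The indirect floor holds only because activemodel pins `activesupport (= X)`, as the lockfile hunks show for 6.1.3.1; if fake_idp's own code requires `active_support` directly, declaring `activesupport >= 5.2.5` alongside activemodel would state both that usage and the floor explicitly rather than relying on the transitive pin. The enclosing Gem::Specification block starts and ends outside the hunk.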