
Bump addressable version per CVE-2021-32740 #276

Merged (1 commit) Jul 13, 2021

Conversation

@lostapathy (Contributor) commented Jul 12, 2021

This bumps the dependency version on the addressable gem, as version 2.7 is covered by CVE-2021-32740.

Also covered by a GHSA at GHSA-jxhc-q857-3j6g.

Once this passes, we should probably bump the gem version and release an updated gem so that users of this gem can upgrade addressable.

Testing


  • This change has been tested on the latest version of Ruby

@lostapathy lostapathy requested a review from a team as a code owner July 12, 2021 17:45
@jakesorce commented:

@lostapathy - thanks for updating this so quickly. Would love an update from the team when a new version is on RubyGems.

@jakesorce commented:

I have submitted an Auth0 ticket to see if we can get this in quicker.


@Widcket Widcket left a comment


Thanks!

@Widcket Widcket merged commit 0d14c61 into auth0:master Jul 13, 2021
@lostapathy lostapathy deleted the bump_addressable branch July 13, 2021 21:31
@jakesorce commented:

@Widcket - any updates on when a new Gem version is being cut for this?

@lbalmaceda lbalmaceda added this to the vnext milestone Jul 14, 2021
@joshbuker joshbuker mentioned this pull request Jul 14, 2021
@Widcket (Contributor) commented Jul 15, 2021

@jakesorce we'll be doing a patch release later today.

@Widcket Widcket changed the title bump addressable version per CVE-2021-32740 Bump addressable version per CVE-2021-32740 Jul 15, 2021
@Widcket Widcket mentioned this pull request Jul 15, 2021
@Widcket (Contributor) commented Jul 15, 2021

The v5.1.2 release is out now.

@davidpatrick davidpatrick modified the milestones: vnext, v5.1.2 Jul 20, 2021