Hi there,
I hope you're all well given the current situation with COVID-19. This mailing list seems more active than the GitHub project, so I thought I'd join in :-)
We recently ran `bundle update` on our beloved Lita instance to address CVE-2020-8184 and CVE-2020-8161.
The latest Lita release is 4.7.1 (2016-09-17), which requires Rack ">= 1.5.2", "< 2.0.0" (see litaio/lita@fda3a80) and prevents us from updating Rack to version `2.1.4` or later to address these CVEs. Taking the latest version from GitHub (litaio/lita@312df73) comes with the trade-off that we have to downgrade Faraday from `1.0.1` to `0.15.4` and Thor from `1.0.1` to `0.20.3`. This version also fails CI (see build 631295227).
I'd really like to upgrade these dependencies to ensure we don't have any known vulnerabilities.
I've opened two Pull Requests:
Could somebody please review these PRs? I'm keen to help get them into a state where the changes can be released.
Many thanks,
--paj