diff --git a/CHANGELOG.md b/CHANGELOG.md index c408df8..1285fe6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,13 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [4.6.0] + +### Changed + +1. Relax patch-level dependency pins to minor-level to allow security patch updates. (ISG-92) +1. Remove transitive dependencies (logger, ostruct, rexml, thor) from gemspec; add rexml and thor as Gemfile security floor constraints. (ISG-92) + ## [4.5.0] ### Added diff --git a/Gemfile b/Gemfile index c4980cb..64e96d9 100644 --- a/Gemfile +++ b/Gemfile @@ -4,3 +4,8 @@ source "https://rubygems.org" # Specify your gem's dependencies in faithteams-api.gemspec gemspec + +# Security floors for transitive dependencies not declared in the gemspec. +# These are not upper-bounded — bundle audit is the ongoing security check. +gem "rexml", ">= 3.4.2" # webmock → crack → rexml +gem "thor", ">= 1.4.0" # guard-rspec → guard → thor diff --git a/Gemfile.lock b/Gemfile.lock index 1071155..95c4b10 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,18 +1,14 @@ PATH remote: . specs: - faithteams-api (4.5.0) - activesupport (~> 7.2.2) + faithteams-api (4.6.0) + activesupport (~> 7.2) http (~> 5.1) - logger (~> 1.6.1) - ostruct (~> 0.6.0) - rexml (~> 3.3.9) - thor (~> 1.4.0) GEM remote: https://rubygems.org/ specs: - activesupport (7.2.2.1) + activesupport (7.2.3.1) base64 benchmark (>= 0.3) bigdecimal 
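Review bot: The comment on the two added `gem` lines in the Gemfile hunk says bundle audit is the ongoing security check, but nothing in this diff (Gemfile, gemspec development dependencies, or the lock's DEPENDENCIES section) declares `bundler-audit`, so the check is assumed rather than enforced unless it already runs in CI outside this bundle. If it does not, adding `gem "bundler-audit", require: false` to this Gemfile, or a CI step that runs it, makes the comment true and makes the open-ended `>=` floors safe to live with. It would also help to state in the comment that these floors only constrain this repository's Gemfile.lock: because rexml and thor were removed from the gemspec, downstream consumers of the gem are not covered by them, which is correct here since both are reached only through development tools (webmock → crack → rexml, guard-rspec → guard → thor).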
@@ -21,34 +17,36 @@ GEM drb i18n (>= 1.6, < 2) logger (>= 1.4.2) - minitest (>= 5.1) + minitest (>= 5.1, < 6) securerandom (>= 0.3) tzinfo (~> 2.0, >= 2.0.5) - addressable (2.8.7) - public_suffix (>= 2.0.2, < 7.0) + addressable (2.8.9) + public_suffix (>= 2.0.2, < 8.0) ast (2.4.3) - base64 (0.2.0) - benchmark (0.4.0) - bigdecimal (3.1.8) + base64 (0.3.0) + benchmark (0.5.0) + bigdecimal (4.0.1) byebug (11.1.3) coderay (1.1.3) - concurrent-ruby (1.3.4) - connection_pool (2.4.1) - crack (1.0.0) + concurrent-ruby (1.3.6) + connection_pool (3.0.2) + crack (1.0.1) bigdecimal rexml - diff-lcs (1.5.1) + diff-lcs (1.6.2) docile (1.4.1) domain_name (0.6.20240107) - drb (2.2.1) - ffi (1.17.0) + drb (2.2.3) + ffi (1.17.4) ffi-compiler (1.3.2) ffi (>= 1.15.5) rake - formatador (1.1.0) - guard (2.19.0) + formatador (1.2.3) + reline + guard (2.20.1) formatador (>= 0.2.4) listen (>= 2.7, < 4.0) + logger (~> 1.6) lumberjack (>= 1.0.12, < 2.0) nenv (~> 0.1) notiffany (~> 0.0) 
@@ -60,67 +58,70 @@ GEM guard (~> 2.1) guard-compat (~> 1.1) rspec (>= 2.99.0, < 4.0) - hashdiff (1.1.2) - http (5.2.0) + hashdiff (1.2.1) + http (5.3.1) addressable (~> 2.8) - base64 (~> 0.1) http-cookie (~> 1.0) http-form_data (~> 2.2) llhttp-ffi (~> 0.5.0) - http-cookie (1.0.8) + http-cookie (1.1.0) domain_name (~> 0.5) http-form_data (2.3.0) - i18n (1.14.6) + i18n (1.14.8) concurrent-ruby (~> 1.0) - json (2.13.2) + io-console (0.8.2) + json (2.19.3) language_server-protocol (3.17.0.5) lint_roller (1.1.0) - listen (3.9.0) + listen (3.10.0) + logger rb-fsevent (~> 0.10, >= 0.10.3) rb-inotify (~> 0.9, >= 0.9.10) - llhttp-ffi (0.5.0) + llhttp-ffi (0.5.1) ffi-compiler (~> 1.0) rake (~> 13.0) - logger (1.6.3) - lumberjack (1.2.10) + logger (1.7.0) + lumberjack (1.4.2) method_source (1.1.0) - minitest (5.25.4) + minitest (5.27.0) nenv (0.3.0) notiffany (0.1.3) nenv (~> 0.1) shellany (~> 0.0) - ostruct (0.6.1) parallel (1.27.0) - parser (3.3.9.0) + parser (3.3.11.0) ast (~> 2.4.1) racc - prism (1.4.0) - pry (0.15.0) + prism (1.9.0) + pry (0.16.0) coderay (~> 1.1) method_source (~> 1.0) - public_suffix (6.0.1) + reline (>= 0.6.0) + public_suffix (7.0.5) racc (1.8.1) rainbow (3.1.1) - rake (13.2.1) + rake (13.3.1) rb-fsevent (0.11.2) rb-inotify (0.11.1) ffi (~> 1.0) - regexp_parser (2.11.2) - rexml (3.3.9) - rspec (3.13.0) + regexp_parser (2.11.3) + reline (0.6.3) + io-console (~> 0.5) + rexml (3.4.4) + rspec (3.13.2) rspec-core (~> 3.13.0) rspec-expectations (~> 3.13.0) rspec-mocks (~> 3.13.0) - rspec-core (3.13.2) + rspec-core (3.13.6) rspec-support (~> 3.13.0) - rspec-expectations (3.13.3) + rspec-expectations (3.13.5) diff-lcs (>= 1.2.0, < 2.0) rspec-support (~> 3.13.0) - rspec-mocks (3.13.2) + rspec-mocks (3.13.8) diff-lcs (>= 1.2.0, < 2.0) rspec-support (~> 3.13.0) - rspec-support (3.13.2) - rubocop (1.73.2) + rspec-support (3.13.7) + rubocop (1.86.0) json (~> 2.3) language_server-protocol (~> 3.17.0.2) lint_roller (~> 1.1.0) 
@@ -128,22 +129,22 @@ GEM parser (>= 3.3.0.2) rainbow (>= 2.2.2, < 4.0) regexp_parser (>= 2.9.3, < 3.0) - rubocop-ast (>= 1.38.0, < 2.0) + rubocop-ast (>= 1.49.0, < 2.0) ruby-progressbar (~> 1.7) unicode-display_width (>= 2.4.0, < 4.0) - rubocop-ast (1.46.0) + rubocop-ast (1.49.1) parser (>= 3.3.7.2) - prism (~> 1.4) - rubocop-performance (1.24.0) + prism (~> 1.7) + rubocop-performance (1.26.1) lint_roller (~> 1.1) - rubocop (>= 1.72.1, < 2.0) - rubocop-ast (>= 1.38.0, < 2.0) + rubocop (>= 1.75.0, < 2.0) + rubocop-ast (>= 1.47.1, < 2.0) rubocop-rake (0.7.1) lint_roller (~> 1.1) rubocop (>= 1.72.1) - rubocop-rspec (3.5.0) + rubocop-rspec (3.9.0) lint_roller (~> 1.1) - rubocop (~> 1.72, >= 1.72.1) + rubocop (~> 1.81) ruby-progressbar (1.13.0) securerandom (0.4.1) shellany (0.0.1) @@ -151,19 +152,19 @@ GEM docile (~> 1.1) simplecov-html (~> 0.11) simplecov_json_formatter (~> 0.1) - simplecov-html (0.13.1) + simplecov-html (0.13.2) simplecov_json_formatter (0.1.4) - thor (1.4.0) + thor (1.5.0) tzinfo (2.0.6) concurrent-ruby (~> 1.0) - unicode-display_width (3.1.5) - unicode-emoji (~> 4.0, >= 4.0.4) - unicode-emoji (4.0.4) - webmock (3.24.0) + unicode-display_width (3.2.0) + unicode-emoji (~> 4.1) + unicode-emoji (4.2.0) + webmock (3.26.2) addressable (>= 2.8.0) crack (>= 0.3.2) hashdiff (>= 0.4.0, < 2.0.0) - yard (0.9.37) + yard (0.9.38) PLATFORMS ruby @@ -173,14 +174,16 @@ DEPENDENCIES faithteams-api! guard-rspec (~> 4.7) rake (~> 13.0) + rexml (>= 3.4.2) rspec (~> 3.12) - rubocop (~> 1.73.2) - rubocop-performance (~> 1.24.0) - rubocop-rake (~> 0.7.1) - rubocop-rspec (~> 3.5.0) + rubocop (~> 1.73) + rubocop-performance (~> 1.24) + rubocop-rake (~> 0.7) + rubocop-rspec (~> 3.5) simplecov (~> 0.21) + thor (>= 1.4.0) webmock (~> 3.18) - yard (~> 0.9.36) + yard (~> 0.9) BUNDLED WITH - 2.5.7 + 4.0.9 diff --git a/faithteams-api.gemspec b/faithteams-api.gemspec index 8083a5e..919aa50 100644 --- a/faithteams-api.gemspec +++ b/faithteams-api.gemspec 
@@ -32,22 +32,18 @@ Gem::Specification.new do |spec|
 spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
 spec.require_paths = ["lib"]
- spec.add_dependency "activesupport", "~> 7.2.2"
+ spec.add_dependency "activesupport", "~> 7.2"
 spec.add_dependency "http", "~> 5.1"
- spec.add_dependency "logger", "~> 1.6.1"
- spec.add_dependency "ostruct", "~> 0.6.0"
- spec.add_dependency "rexml", "~> 3.3.9" # only needs to be specified to address security warning
- spec.add_dependency "thor", "~> 1.4.0"
 spec.add_development_dependency "byebug", "~> 11.1"
 spec.add_development_dependency "guard-rspec", "~> 4.7"
 spec.add_development_dependency "simplecov", "~> 0.21"
 spec.add_development_dependency "rake", "~> 13.0"
 spec.add_development_dependency "rspec", "~> 3.12"
- spec.add_development_dependency "rubocop", "~> 1.73.2"
- spec.add_development_dependency "rubocop-performance", "~> 1.24.0"
- spec.add_development_dependency "rubocop-rake", "~> 0.7.1"
- spec.add_development_dependency "rubocop-rspec", "~> 3.5.0"
+ spec.add_development_dependency "rubocop", "~> 1.73"
+ spec.add_development_dependency "rubocop-performance", "~> 1.24"
+ spec.add_development_dependency "rubocop-rake", "~> 0.7"
+ spec.add_development_dependency "rubocop-rspec", "~> 3.5"
 spec.add_development_dependency "webmock", "~> 3.18"
- spec.add_development_dependency "yard", "~> 0.9.36"
+ spec.add_development_dependency "yard", "~> 0.9"
 end
diff --git a/lib/faithteams/version.rb b/lib/faithteams/version.rb
index b58e227..12ddcff 100644
--- a/lib/faithteams/version.rb
+++ b/lib/faithteams/version.rb
@@ -2,5 +2,5 @@
 module FaithTeams
 # Current version number.
- VERSION = "4.5.0"
+ VERSION = "4.6.0"
 end
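Review bot: Dropping `spec.add_dependency "ostruct", "~> 0.6.0"` from the runtime dependencies leaves nothing in the new Gemfile.lock providing it (the lock hunk removes `ostruct (0.6.1)` and no remaining gem lists it as a dependency), so if anything under lib/ uses OpenStruct it now relies on the standard-library copy, which Ruby 3.4 warns about and Ruby 3.5 ships only as a bundled gem that a Bundler-managed application cannot load without declaring it. If lib/ does use OpenStruct, keep a minor-level pin, `spec.add_dependency "ostruct", "~> 0.6"`; if it does not, a short note in the changelog entry saying it was verified unused would save the next reader the check. The `logger` removal is safe on the evidence in the lock, since activesupport declares `logger (>= 1.4.2)`, and the `rexml`/`thor` removals match the changelog's statement that they are reached only through development tools.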