ISG-92 - Address security vulnerabilities

CHANGELOG.md

@@ -7,6 +7,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [4.6.0]
+
+### Changed
+
+1. Relax patch-level dependency pins to minor-level to allow security patch updates. (ISG-92)
+1. Remove transitive dependencies (logger, ostruct, rexml, thor) from gemspec; add rexml and thor as Gemfile security floor constraints. (ISG-92)
+
 ## [4.5.0]
 
 ### Added

Gemfile

@@ -4,3 +4,8 @@ source "https://rubygems.org"
 
 # Specify your gem's dependencies in faithteams-api.gemspec
 gemspec
+
+# Security floors for transitive dependencies not declared in the gemspec.
+# These are not upper-bounded — bundle audit is the ongoing security check.
+gem "rexml", ">= 3.4.2" # webmock → crack → rexml
+gem "thor", ">= 1.4.0"  # guard-rspec → guard → thor

Gemfile.lock

@@ -1,18 +1,14 @@
 PATH
   remote: .
   specs:
-    faithteams-api (4.5.0)
-      activesupport (~> 7.2.2)
+    faithteams-api (4.6.0)
+      activesupport (~> 7.2)
       http (~> 5.1)
-      logger (~> 1.6.1)
-      ostruct (~> 0.6.0)
-      rexml (~> 3.3.9)
-      thor (~> 1.4.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    activesupport (7.2.2.1)
+    activesupport (7.2.3.1)
       base64
       benchmark (>= 0.3)
       bigdecimal
@@ -21,34 +17,36 @@ GEM
       drb
       i18n (>= 1.6, < 2)
       logger (>= 1.4.2)
-      minitest (>= 5.1)
+      minitest (>= 5.1, < 6)
       securerandom (>= 0.3)
       tzinfo (~> 2.0, >= 2.0.5)
-    addressable (2.8.7)
-      public_suffix (>= 2.0.2, < 7.0)
+    addressable (2.8.9)
+      public_suffix (>= 2.0.2, < 8.0)
     ast (2.4.3)
-    base64 (0.2.0)
-    benchmark (0.4.0)
-    bigdecimal (3.1.8)
+    base64 (0.3.0)
+    benchmark (0.5.0)
+    bigdecimal (4.0.1)
     byebug (11.1.3)
     coderay (1.1.3)
-    concurrent-ruby (1.3.4)
-    connection_pool (2.4.1)
-    crack (1.0.0)
+    concurrent-ruby (1.3.6)
+    connection_pool (3.0.2)
+    crack (1.0.1)
       bigdecimal
       rexml
-    diff-lcs (1.5.1)
+    diff-lcs (1.6.2)
     docile (1.4.1)
     domain_name (0.6.20240107)
-    drb (2.2.1)
-    ffi (1.17.0)
+    drb (2.2.3)
+    ffi (1.17.4)
     ffi-compiler (1.3.2)
       ffi (>= 1.15.5)
       rake
-    formatador (1.1.0)
-    guard (2.19.0)
+    formatador (1.2.3)
+      reline
+    guard (2.20.1)
       formatador (>= 0.2.4)
       listen (>= 2.7, < 4.0)
+      logger (~> 1.6)
       lumberjack (>= 1.0.12, < 2.0)
       nenv (~> 0.1)
       notiffany (~> 0.0)
@@ -60,110 +58,113 @@ GEM
       guard (~> 2.1)
       guard-compat (~> 1.1)
       rspec (>= 2.99.0, < 4.0)
-    hashdiff (1.1.2)
-    http (5.2.0)
+    hashdiff (1.2.1)
+    http (5.3.1)
       addressable (~> 2.8)
-      base64 (~> 0.1)
       http-cookie (~> 1.0)
       http-form_data (~> 2.2)
       llhttp-ffi (~> 0.5.0)
-    http-cookie (1.0.8)
+    http-cookie (1.1.0)
       domain_name (~> 0.5)
     http-form_data (2.3.0)
-    i18n (1.14.6)
+    i18n (1.14.8)
       concurrent-ruby (~> 1.0)
-    json (2.13.2)
+    io-console (0.8.2)
+    json (2.19.3)
     language_server-protocol (3.17.0.5)
     lint_roller (1.1.0)
-    listen (3.9.0)
+    listen (3.10.0)
+      logger
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
-    llhttp-ffi (0.5.0)
+    llhttp-ffi (0.5.1)
       ffi-compiler (~> 1.0)
       rake (~> 13.0)
-    logger (1.6.3)
-    lumberjack (1.2.10)
+    logger (1.7.0)
+    lumberjack (1.4.2)
     method_source (1.1.0)
-    minitest (5.25.4)
+    minitest (5.27.0)
     nenv (0.3.0)
     notiffany (0.1.3)
       nenv (~> 0.1)
       shellany (~> 0.0)
-    ostruct (0.6.1)
     parallel (1.27.0)
-    parser (3.3.9.0)
+    parser (3.3.11.0)
       ast (~> 2.4.1)
       racc
-    prism (1.4.0)
-    pry (0.15.0)
+    prism (1.9.0)
+    pry (0.16.0)
       coderay (~> 1.1)
       method_source (~> 1.0)
-    public_suffix (6.0.1)
+      reline (>= 0.6.0)
+    public_suffix (7.0.5)
     racc (1.8.1)
     rainbow (3.1.1)
-    rake (13.2.1)
+    rake (13.3.1)
     rb-fsevent (0.11.2)
     rb-inotify (0.11.1)
       ffi (~> 1.0)
-    regexp_parser (2.11.2)
-    rexml (3.3.9)
-    rspec (3.13.0)
+    regexp_parser (2.11.3)
+    reline (0.6.3)
+      io-console (~> 0.5)
+    rexml (3.4.4)
+    rspec (3.13.2)
       rspec-core (~> 3.13.0)
       rspec-expectations (~> 3.13.0)
       rspec-mocks (~> 3.13.0)
-    rspec-core (3.13.2)
+    rspec-core (3.13.6)
       rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.3)
+    rspec-expectations (3.13.5)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.2)
+    rspec-mocks (3.13.8)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-support (3.13.2)
-    rubocop (1.73.2)
+    rspec-support (3.13.7)
+    rubocop (1.86.0)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
       parallel (~> 1.10)
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 2.9.3, < 3.0)
-      rubocop-ast (>= 1.38.0, < 2.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
-    rubocop-ast (1.46.0)
+    rubocop-ast (1.49.1)
       parser (>= 3.3.7.2)
-      prism (~> 1.4)
-    rubocop-performance (1.24.0)
+      prism (~> 1.7)
+    rubocop-performance (1.26.1)
       lint_roller (~> 1.1)
-      rubocop (>= 1.72.1, < 2.0)
-      rubocop-ast (>= 1.38.0, < 2.0)
+      rubocop (>= 1.75.0, < 2.0)
+      rubocop-ast (>= 1.47.1, < 2.0)
     rubocop-rake (0.7.1)
       lint_roller (~> 1.1)
       rubocop (>= 1.72.1)
-    rubocop-rspec (3.5.0)
+    rubocop-rspec (3.9.0)
       lint_roller (~> 1.1)
-      rubocop (~> 1.72, >= 1.72.1)
+      rubocop (~> 1.81)
     ruby-progressbar (1.13.0)
     securerandom (0.4.1)
     shellany (0.0.1)
     simplecov (0.22.0)
       docile (~> 1.1)
       simplecov-html (~> 0.11)
       simplecov_json_formatter (~> 0.1)
-    simplecov-html (0.13.1)
+    simplecov-html (0.13.2)
     simplecov_json_formatter (0.1.4)
-    thor (1.4.0)
+    thor (1.5.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    unicode-display_width (3.1.5)
-      unicode-emoji (~> 4.0, >= 4.0.4)
-    unicode-emoji (4.0.4)
-    webmock (3.24.0)
+    unicode-display_width (3.2.0)
+      unicode-emoji (~> 4.1)
+    unicode-emoji (4.2.0)
+    webmock (3.26.2)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
-    yard (0.9.37)
+    yard (0.9.38)
 
 PLATFORMS
   ruby
@@ -173,14 +174,16 @@ DEPENDENCIES
   faithteams-api!
   guard-rspec (~> 4.7)
   rake (~> 13.0)
+  rexml (>= 3.4.2)
   rspec (~> 3.12)
-  rubocop (~> 1.73.2)
-  rubocop-performance (~> 1.24.0)
-  rubocop-rake (~> 0.7.1)
-  rubocop-rspec (~> 3.5.0)
+  rubocop (~> 1.73)
+  rubocop-performance (~> 1.24)
+  rubocop-rake (~> 0.7)
+  rubocop-rspec (~> 3.5)
   simplecov (~> 0.21)
+  thor (>= 1.4.0)
   webmock (~> 3.18)
-  yard (~> 0.9.36)
+  yard (~> 0.9)
 
 BUNDLED WITH
-   2.5.7
+  4.0.9

faithteams-api.gemspec

@@ -32,22 +32,18 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
   spec.require_paths = ["lib"]
 
-  spec.add_dependency "activesupport", "~> 7.2.2"
+  spec.add_dependency "activesupport", "~> 7.2"
   spec.add_dependency "http", "~> 5.1"
-  spec.add_dependency "logger", "~> 1.6.1"
-  spec.add_dependency "ostruct", "~> 0.6.0"
-  spec.add_dependency "rexml", "~> 3.3.9" # only needs to be specified to address security warning
-  spec.add_dependency "thor", "~> 1.4.0"
 
   spec.add_development_dependency "byebug", "~> 11.1"
   spec.add_development_dependency "guard-rspec", "~> 4.7"
   spec.add_development_dependency "simplecov", "~> 0.21"
   spec.add_development_dependency "rake", "~> 13.0"
   spec.add_development_dependency "rspec", "~> 3.12"
-  spec.add_development_dependency "rubocop", "~> 1.73.2"
-  spec.add_development_dependency "rubocop-performance", "~> 1.24.0"
-  spec.add_development_dependency "rubocop-rake", "~> 0.7.1"
-  spec.add_development_dependency "rubocop-rspec", "~> 3.5.0"
+  spec.add_development_dependency "rubocop", "~> 1.73"
+  spec.add_development_dependency "rubocop-performance", "~> 1.24"
+  spec.add_development_dependency "rubocop-rake", "~> 0.7"
+  spec.add_development_dependency "rubocop-rspec", "~> 3.5"
   spec.add_development_dependency "webmock", "~> 3.18"
-  spec.add_development_dependency "yard", "~> 0.9.36"
+  spec.add_development_dependency "yard", "~> 0.9"
 end

lib/faithteams/version.rb

@@ -2,5 +2,5 @@
 
 module FaithTeams
   # Current version number.
-  VERSION = "4.5.0"
+  VERSION = "4.6.0"
 end