Update required version of addressable to 2.8

[yidingww]

@flavorjones

There is high severity security issue about addressable 2.7.0 and below: GHSA-jxhc-q857-3j6g

So update required addressable to 2.8

[flavorjones]

@yidingww Thank you for this pull request! I'm going to look into why Dependabot didn't catch this before now.

[flavorjones]

I've enabled dependabot updates in 3f046bd and just now turned on security alerts as well. I'm going to give that a bit of time to see if it catches the vulnerable addressable versions.

[yidingww]

@flavorjones Helloo, any plans to merge this soon and do a new release? :)

[flavorjones]

Dependabot hasn't raised an alert about Addressable, and I don't understand why. Sigh.

Merging now.

[flavorjones]

@yidingww I'm not sure this change requires a release. The vulnerability in Addressable is in Addressable::Template#match which Mechanize doesn't use, so there's no attack vector in Mechanize.

[yidingww]

@flavorjones Ah I see.

But we have a security scanning at our organisation that force us to use packaged rely on addressable 2.8 and above. So i would appreciate a lot if you could make a new release if it's convenient for you 😉

[flavorjones]

@yidingww OK, released v2.8.2: https://github.com/sparklemotion/mechanize/releases/tag/v2.8.2

[yidingww]

@flavorjones Thank you!!! ❤️