There's a security issue in rubyzip ~> 1.0, which is mitigated in rubyzip >= 2.0.0. See rubyzip/rubyzip#403 for full details. webdrivers has a runtime dependency on rubyzip ~> 1.0.
I'm not sure if webdrivers' usage of rubyzip is vulnerable but locking to rubyzip ~> 1.0 is problematic for us as 1.x is insecure by default.
It looks like the only other breaking change in rubyzip 2.0.0 is dropping support for EOL ruby versions so hopefully bumping the dep to rubyzip ~> 2.0 is pretty painless.
Alternatively, webdrivers could opt-in to the new checks available in rubyzip >= 1.3.0 as outlined in rubyzip/rubyzip#403.
❤️
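An added example, not part of the original issue or of either project's code: a small audit that reads a Gemfile.lock, reports which rubyzip release was resolved, and lists the gems whose constraint (such as `~> 1.0`) keeps the bundle below 2.0.0. The lockfile excerpt and its version numbers are constructed sample values, the helper names are hypothetical, and `Zip.validate_entry_sizes` is assumed to be the opt-in check the issue refers to.

```ruby
require "rubygems"

# Thresholds taken from the issue text above.
OPT_IN_FROM  = Gem::Version.new("1.3.0") # checks exist, but are opt-in
DEFAULT_FROM = Gem::Version.new("2.0.0") # mitigated by default

# Assumption: the opt-in from rubyzip/rubyzip#403 is Zip.validate_entry_sizes.
ADVICE = {
  secure_by_default: "nothing to do",
  opt_in_available:  "set Zip.validate_entry_sizes = true at boot",
  no_size_check:     "upgrade rubyzip to >= 1.3.0 (opt-in) or >= 2.0.0"
}.freeze

# Constructed Gemfile.lock excerpt; the versions are sample values.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rubyzip (1.2.4)
      webdrivers (0.0.0)
        rubyzip (~> 1.0)
        selenium-webdriver (>= 3.0, < 4.0)
LOCK

# Classify a rubyzip version string against the two thresholds.
def posture(version)
  v = Gem::Version.new(version)
  return :secure_by_default if v >= DEFAULT_FROM
  return :opt_in_available if v >= OPT_IN_FROM
  :no_size_check
end

# Returns the resolved rubyzip version, its posture, and the gems whose
# rubyzip requirement cannot be satisfied by 2.0.0.
def audit_rubyzip(lock_text)
  resolved = current = nil
  pins = {}
  lock_text.each_line do |line|
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))      # resolved gem
      current = m[1]
      resolved = m[2] if current == "rubyzip"
    elsif current && (m = line.match(/\A {6}rubyzip(?: \(([^)]+)\))?\s*\z/))
      pins[current] = Gem::Requirement.new(*(m[1] || ">= 0").split(/,\s*/))
    end
  end
  blockers = pins.reject { |_, req| req.satisfied_by?(DEFAULT_FROM) }.keys
  state = resolved && posture(resolved)
  { resolved: resolved, posture: state, advice: ADVICE[state], blocked_by: blockers }
end

p audit_rubyzip(SAMPLE_LOCK) if __FILE__ == $PROGRAM_NAME
```
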