Investigate upgrade path to OmniAuth v2.0+

https://gitlab.com/gitlab-org/gitlab/-/issues/30073

Our current version of OmniAuth, v1.8, has a known CVE, CVE-2015-9284. Although we are not currently vulnerable, as a security best practice we should upgrade to the latest version. The use of a gem with a known vulnerability is also causing concern for some of our customers.

The upgrade path to OmniAuth v2.0+ looks fairly reasonable, but the dependencies are the concern. We will have to review each dependency and ensure there's an upgrade path, or consider an alternative approach (e.g. contribute to the gem, roll our own strategy, or remove support for the integration).

The purpose of this issue is to review each dependency and recommend a strategy to migrate it to be compatible with OmniAuth v2.0+.

| Gem | Current Version | Proposed Version | Solution |
| --- | --- | --- | --- |
| omniauth-auth0 | n | m | upgrade\|fork\|deprecate\|etc |
| ... | ... | ... | ... |
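
One way to triage the dependency review described above, as an added example that is not part of the original issue or the project's own code: it reads a `Gemfile.lock` and reports which gems directly declare an `omniauth` constraint that excludes 2.0.0. The lockfile excerpt, gem names and versions are constructed, and the helper names are hypothetical.

```ruby
require "rubygems" # Gem::Requirement and Gem::Version ship with Ruby

# Constructed Gemfile.lock excerpt; gem names and versions are hypothetical.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      omniauth (1.8.1)
        rack (>= 1.6.2, < 3)
      omniauth-example-a (1.0.0)
        omniauth (~> 1.2)
      omniauth-example-b (2.1.0)
        omniauth (>= 1.3, < 3)
      omniauth-example-c (0.3.0)
        omniauth
      omniauth-example-d (0.1.0)
        omniauth-example-a (~> 1.0)
LOCK

SPEC_LINE = /\A {4}(\S+) \(([^)]+)\)\z/          # "    name (version)"
DEP_LINE  = /\A {6}(\S+)(?: \(([^)]+)\))?\z/     # "      name (constraint)"

# Map each locked gem to the omniauth requirement it declares directly.
def omniauth_constraints(lock_text)
  current = nil
  lock_text.each_line(chomp: true).each_with_object({}) do |line, found|
    if (m = SPEC_LINE.match(line))
      current = m[1]
    elsif current && (m = DEP_LINE.match(line)) && m[1] == "omniauth"
      # A dependency listed without a constraint accepts any version.
      found[current] = Gem::Requirement.new(*(m[2] || ">= 0").split(/,\s*/))
    end
  end
end

# :compatible only means the gemspec permits the target version; the strategy
# still needs testing against OmniAuth 2 behaviour changes.
def classify(lock_text, target = "2.0.0")
  version = Gem::Version.new(target)
  omniauth_constraints(lock_text).transform_values do |req|
    req.satisfied_by?(version) ? :compatible : :blocks_upgrade
  end
end

if $PROGRAM_NAME == __FILE__
  classify(SAMPLE_LOCK).each { |gem_name, status| puts format("%-22s %s", gem_name, status) }
end
```

A `:blocks_upgrade` result reflects the locked release only; a newer release of that gem may already relax the constraint.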