omniauth-rails_csrf_protection
Upstream URL | Security Risk | Abandonment Risk |
---|---|---|
https:// | Very High | Low |
External contacts
The developers behind this gem are contactable at the project's public GitHub issue tracker.
Security posture
This gem prevents an active CVE (CVE-2015-9284) from being exploited in any Rails project that uses OmniAuth. Without it, the OmniAuth request phase is open to CSRF attacks against OAuth2 strategies, including the Facebook strategy we use. This makes the gem a critical security dependency for MoR.
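To make the mitigation concrete, here is an added example (not the gem's own code, and not MoR's) that models what the protected request phase checks. The gem delegates to Rails' `verify_authenticity_token`; the `RequestPhaseGuard` class, its method names, and the Hash-shaped requests are constructed for this illustration, standing in for the real Rack/Rails request object.

```ruby
require "securerandom"

# Illustrative model of the guard that sits in front of OmniAuth's request
# phase (the /auth/:provider endpoint). Added example code, not the gem's
# implementation: the gem calls Rails' verify_authenticity_token, which is
# modelled here by a session-bound token plus an allowed-method list.
class RequestPhaseGuard
  attr_reader :allowed_methods

  # Modelled on OmniAuth.config.allowed_request_methods (POST only by default
  # in OmniAuth 2.x). Constructed parameter name for this example.
  def initialize(allowed_methods: ["POST"])
    @allowed_methods = allowed_methods
  end

  # Issue the per-session token the login form embeds as authenticity_token.
  def issue_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # True only if the request may proceed to the provider redirect.
  # The CVE-2015-9284 condition is a cross-site request that starts the
  # OAuth flow on the victim's behalf; both checks below have to pass.
  def request_phase_allowed?(request)
    return false unless allowed_methods.include?(request[:method])
    expected = request[:session][:_csrf_token]
    supplied = request[:params]["authenticity_token"]
    return false if expected.nil? || supplied.nil?
    secure_compare(expected, supplied)
  end

  private

  # Constant-time comparison so response timing does not leak token bytes.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    res = 0
    a.bytes.zip(b.bytes) { |x, y| res |= x ^ y }
    res.zero?
  end
end

# Constructed sample requests exercising the three cases a reviewer cares about.
def demo
  guard = RequestPhaseGuard.new
  session = {}
  token = guard.issue_token(session)

  # 1. Cross-site link/image pointing at GET /auth/facebook: what an
  #    unprotected request phase would have followed.
  cross_site_get = { method: "GET", params: {}, session: session }

  # 2. Legitimate button_to submission from the application's own page.
  form_post = { method: "POST",
                params: { "authenticity_token" => token },
                session: session }

  # 3. POST from another origin: the token is not readable cross-site,
  #    so the supplied value cannot match.
  forged_post = { method: "POST",
                  params: { "authenticity_token" => "not-the-session-token" },
                  session: session }

  {
    cross_site_get: guard.request_phase_allowed?(cross_site_get),
    form_post:      guard.request_phase_allowed?(form_post),
    forged_post:    guard.request_phase_allowed?(forged_post),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Two things this model makes visible that are worth checking in MoR's own setup: Rails' authenticity-token verification waives GET and HEAD requests, so the gem only closes the request phase when OmniAuth is also configured to accept POST only (`OmniAuth.config.allowed_request_methods`, the default in OmniAuth 2.x); and once that is in place, the login entry point for the Facebook strategy has to be a POST form (`button_to ... method: :post`) rather than a plain link.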
Abandonment risk
This project has been maintained for 11 years by mostly the same team that works on OmniAuth. Additionally, the codebase is under 100 lines (not including tests and fixtures), so maintaining our own copy in the event of sudden abandonment would be feasible.
Versioning policy
Any updates will be pulled in via bundle during our monthly update.
If a new version of OmniAuth is released, we may need to temporarily pin this gem so that we can evaluate compatibility with the old version vs the new version.