OmniAuth
| Upstream URL | Security Risk | Abandonment Risk |
|---|---|---|
| https://github.com/omniauth/omniauth | High | Very Low |
External contacts
The OmniAuth team is reachable via their public GitHub issue tracker. Security reports are taken via Tidelift.
Security posture
OmniAuth is used to authenticate both external customers and administrators. Any security vulnerability in OmniAuth, or in any of the plugins that we use (termed strategies upstream), could allow unauthorised access to the administrator panel or to customer order history. This makes OmniAuth one of the most critical dependencies for the security of MoR.
Abandonment risk
OmniAuth is a mature gem with support via Tidelift and private sponsors. It is used by GitHub, GitLab, dev.to, FreeRADIUS, and others. It is very unlikely to be abandoned, and it is very likely that (at least) one of the Git forges would take up maintenance if it was required.
Versioning policy
Minor / point releases will be picked up by bundle during our monthly updates.
When a major release (3.0) is published, it shall be evaluated within one week of the release. The evaluation must cover compatibility with the strategies we use and with our error-handling code, and must include a test of the authentication flow for each strategy.