Conversation
Update httparty to 0.24.0 or higher to fix vulnerability [CVE-2025-68696](https://nvd.nist.gov/vuln/detail/CVE-2025-68696)
Pull request overview
This PR updates the httparty dependency from versions 0.20.0-0.22.x to 0.24.x to address a reported security vulnerability (CVE-2025-68696), and bumps the gem version from 0.1.9 to 0.1.10.
Changes:
- Updated httparty dependency constraint from '>= 0.20.0', '< 0.23.0' to '~> 0.24.0' in prest.gemspec
- Bumped prest version from 0.1.9 to 0.1.10 in lib/prest/version.rb
- Refreshed Gemfile.lock with httparty 0.24.2 and updated transitive dependencies
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| prest.gemspec | Updates httparty dependency to ~> 0.24.0 to address security vulnerability |
| lib/prest/version.rb | Bumps gem version to 0.1.10 for this release |
| Gemfile.lock | Locks httparty to 0.24.2 and updates all transitive and development dependencies |
| spec.require_paths = ['lib'] | ||
|
|
||
| spec.add_dependency 'httparty', '>= 0.20.0', '< 0.23.0' | ||
| spec.add_dependency 'httparty', '~> 0.24.0' |
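Review bot: the new constraint '~> 0.24.0' is equivalent to '>= 0.24.0', '< 0.25.0', so it excludes the 0.20-0.23 releases as intended but also blocks any future 0.25.x release until prest ships another gemspec change; if the goal is only to enforce the patched floor, '>= 0.24.0' (optionally with an upper bound at the next major) keeps the fix with less future churn. Whichever is chosen, state the trade-off in the PR description.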
The CVE reference in the PR description appears to be malformed. CVE-2025-68696 is not a valid CVE identifier format (CVE IDs typically have at least 4 digits but this appears to be using an unconventional format). Please verify the correct CVE identifier for the httparty vulnerability you're trying to address. This is important for proper security tracking and documentation.
| spec.add_dependency 'httparty', '~> 0.24.0' | |
| spec.add_dependency 'httparty', '~> 0.24.1' |
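Review bot: this suggestion raises the floor to 0.24.1 ('~> 0.24.1' is '>= 0.24.1', '< 0.25.0'), but the PR title says the vulnerability is fixed from 0.24.0; unless 0.24.0 itself is affected, the stricter floor needs a justification, otherwise keep '~> 0.24.0' as in the hunk above.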
| spec.require_paths = ['lib'] | ||
|
|
||
| spec.add_dependency 'httparty', '>= 0.20.0', '< 0.23.0' | ||
| spec.add_dependency 'httparty', '~> 0.24.0' |
The version constraint change from '>= 0.20.0', '< 0.23.0' to '~> 0.24.0' represents a significant dependency upgrade that skips httparty versions 0.23.x entirely and restricts to 0.24.x. This could potentially introduce breaking changes for users of this gem. Consider whether this warrants a minor version bump (0.2.0) rather than a patch version (0.1.10), especially if httparty 0.24.0 contains breaking changes from the 0.20-0.22 series. If this is purely a security fix with no breaking changes, document this in the changelog for clarity.
| spec.add_dependency 'httparty', '~> 0.24.0' | |
| spec.add_dependency 'httparty', '>= 0.20.0', '< 0.25.0' |
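Review bot: this suggestion re-admits every 0.20.x through 0.23.x release, which is exactly the range the PR removes because of CVE-2025-68696, so it would undo the security fix while keeping the version bump; any loosening of the constraint must keep a floor of '>= 0.24.0'.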
I agree with copilot here
Since this was done for security reasons, and after checking the httparty changelog I didn't see any breaking changes, I think it's better to not allow the other versions.
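The constraint semantics debated in the comments above, as an added example that is not code from the prest project: it uses RubyGems' own Gem::Requirement to show which of the proposed constraints can still resolve to a release older than 0.24.0, the version the PR title names as fixed. The version list is constructed for the example, not the full httparty release history.

```ruby
require 'rubygems'

# Constructed for this example: the constraints discussed in the review thread.
CONSTRAINTS = {
  'before (PR base)'       => ['>= 0.20.0', '< 0.23.0'],
  'PR (~> 0.24.0)'         => ['~> 0.24.0'],
  'suggestion (~> 0.24.1)' => ['~> 0.24.1'],
  'suggestion (< 0.25.0)'  => ['>= 0.20.0', '< 0.25.0']
}.freeze

# The PR title states the fix ships in 0.24.0; treat anything below as unpatched.
FIXED_IN = Gem::Version.new('0.24.0')

# Sample versions (constructed; not the full httparty release history).
VERSIONS = %w[0.20.0 0.22.0 0.23.0 0.24.0 0.24.2 0.25.0 1.0.0].freeze

# Versions from +versions+ that the constraint admits, evaluated with the
# same Gem::Requirement logic Bundler uses when resolving the gemspec.
def admitted_versions(reqs, versions = VERSIONS)
  requirement = Gem::Requirement.new(*reqs)
  versions.select { |v| requirement.satisfied_by?(Gem::Version.new(v)) }
end

# Admitted versions older than the fixed release, i.e. versions a user
# could still resolve to while remaining affected.
def unpatched_admitted(reqs, versions = VERSIONS)
  admitted_versions(reqs, versions).select { |v| Gem::Version.new(v) < FIXED_IN }
end

# True when the constraint can never resolve to an unpatched version.
def excludes_unpatched?(reqs, versions = VERSIONS)
  unpatched_admitted(reqs, versions).empty?
end

if $PROGRAM_NAME == __FILE__
  CONSTRAINTS.each do |label, reqs|
    puts format('%-24s admits: %-38s unpatched: %s', label,
                admitted_versions(reqs).join(', '),
                unpatched_admitted(reqs).join(', '))
  end
end
```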
|
|
||
| module Prest | ||
| VERSION = '0.1.9' | ||
| VERSION = '0.1.10' |
The CHANGELOG.md file should be updated to document this release. Previous releases (0.1.9, 0.1.0, 0.1.1, 0.1.2, 0.1.3, etc.) all have changelog entries. This release should include an entry documenting the httparty dependency update and the security vulnerability it addresses.