
[Snyk] Security upgrade fastlane from 2.216.0 to 2.217.0 #128

Open

lean-sunny-paul wants to merge 1 commit into master from snyk-fix-7b1bc72f7b690cd1eed31aca9838ef67

Conversation

@lean-sunny-paul

Snyk has created this PR to fix 1 vulnerability in the rubygems dependencies of this project.

Snyk changed the following file(s):

  • Gemfile
  • Gemfile.lock

Vulnerabilities that will be fixed with an upgrade:

Issue                                                  Score
medium severity  Server-side Request Forgery (SSRF)    631
                 SNYK-RUBY-FARADAY-15253521

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Server-side Request Forgery (SSRF)
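The advisory above is in faraday, which this project only receives through fastlane, so the useful pre-merge check is whether Gemfile.lock now resolves faraday at or above the patched release rather than whether the fastlane line changed. The Ruby script below is an added example, not part of the Snyk PR or this project's code: it parses the `specs:` block of a constructed before/after Gemfile.lock and reports every gem from a fixed-in table whose locked version is still below the patch. The `1.10.5` threshold is an assumption taken from the version movement reported in this thread, not from the advisory text, and both lockfiles are constructed sample input.

```ruby
# Added example, not part of the Snyk PR or this project's code.
# Checks whether a Gemfile.lock resolves a vulnerable transitive gem to a
# patched version. The lockfiles below are constructed sample input and the
# "fixed in" threshold is an assumption taken from the version movement the
# PR summary reports (faraday 1.10.3 -> 1.10.5), not from the advisory itself.
require 'rubygems'

# Gems for which we want to confirm the locked version is at least this one.
FIXED_IN = { 'faraday' => '1.10.5' }.freeze

# Constructed lockfile as it might look before the upgrade.
LOCK_BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      faraday (1.10.3)
        faraday-net_http (~> 1.0)
        ruby2_keywords (>= 0.0.4)
      faraday-net_http (1.0.1)
      fastlane (2.216.0)
        faraday (~> 1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    fastlane

  BUNDLED WITH
     2.1.4
LOCK

# Constructed lockfile after the upgrade: same tree with the two bumps applied.
LOCK_AFTER = LOCK_BEFORE.sub('faraday (1.10.3)', 'faraday (1.10.5)')
                        .sub('fastlane (2.216.0)', 'fastlane (2.217.0)')

# Parse the "specs:" block of a lockfile into { gem name => Gem::Version }.
# Resolved specs are indented exactly four spaces ("    name (version)");
# the dependency lines beneath each spec are indented six and are ignored.
def lockfile_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    if line.strip == 'specs:'
      in_specs = true
      next
    end
    in_specs = false if in_specs && line.match?(/\A\S/) # next top-level section
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# Returns [name, locked_version, fixed_version] for every gem in `fixed_in`
# that is present in the lockfile but still below the patched version.
def unpatched_gems(lock_text, fixed_in = FIXED_IN)
  locked = lockfile_versions(lock_text)
  fixed_in.each_with_object([]) do |(name, fixed), out|
    v = locked[name]
    next if v.nil?                                  # not in the tree at all
    out << [name, v.to_s, fixed] if v < Gem::Version.new(fixed)
  end
end

if __FILE__ == $PROGRAM_NAME
  { 'before' => LOCK_BEFORE, 'after' => LOCK_AFTER }.each do |label, lock|
    missing = unpatched_gems(lock)
    puts "#{label}: #{missing.empty? ? 'all listed advisories resolved' : missing.inspect}"
  end
end
```

Pointing `lockfile_versions` at a real `File.read('Gemfile.lock')` turns this into a one-line CI gate; the check is deliberately on the lockfile, because a floor on fastlane in Gemfile says nothing about which faraday the resolver picked.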

@lean-sunny-paul lean-sunny-paul requested a review from a team as a code owner February 15, 2026 20:30
@gemini-code-assist

Summary of Changes

Hello @lean-sunny-paul, I'm Gemini Code Assist[1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on enhancing the project's security posture by upgrading the fastlane dependency to a version that mitigates a known Server-side Request Forgery (SSRF) vulnerability. The update ensures that the project benefits from the latest security patches and maintains a robust dependency chain. The changes are primarily confined to dependency management files, reflecting a standard security update process.

Highlights

  • Security Upgrade: Upgraded the fastlane dependency from version 2.216.0 to 2.217.0 to address a critical security vulnerability.
  • Vulnerability Fixed: This upgrade fixes a Server-side Request Forgery (SSRF) vulnerability (SNYK-RUBY-FARADAY-15253521) which had a score of 631.
  • Dependency Updates: The Gemfile.lock was extensively updated, reflecting changes in fastlane and numerous transitive dependencies, including faraday (upgraded from 1.10.3 to 1.10.5), cocoapods, and various AWS and Google Cloud SDK components.

Changelog

  • Gemfile
    • Updated the fastlane gem dependency to require version >= 2.217.0.
  • Gemfile.lock
    • Updated fastlane from 2.216.0 to 2.230.0.
    • Updated faraday from 1.10.3 to 1.10.5.
    • Updated CFPropertyList from 3.0.6 to 3.0.9.
    • Added abbrev at 0.1.2.
    • Updated addressable from 2.8.5 to 2.8.8.
    • Updated artifactory from 3.0.15 to 3.0.17.
    • Updated aws-eventstream from 1.2.0 to 1.3.2.
    • Updated aws-partitions from 1.831.0 to 1.1109.0.
    • Updated aws-sdk-core from 3.185.0 to 3.224.1 and added base64 and logger dependencies.
    • Updated aws-sdk-kms from 1.72.0 to 1.101.0.
    • Updated aws-sdk-s3 from 1.136.0 to 1.188.0.
    • Updated aws-sigv4 from 1.6.0 to 1.11.0.
    • Added base64 at 0.2.0.
    • Updated cocoapods from 1.12.1 to 1.16.2.
    • Updated cocoapods-core from 1.12.1 to 1.16.2.
    • Updated cocoapods-downloader from 1.6.3 to 2.1.
    • Added csv at 3.3.5.
    • Updated digest-crc from 0.6.5 to 0.7.0.
    • Updated ethon from 0.16.0 to 0.15.0.
    • Updated excon from 0.104.0 to 0.109.0.
    • Updated faraday-cookie_jar from 0.0.7 to 0.0.8.
    • Updated faraday-em_synchrony from 1.0.0 to 1.0.1.
    • Updated faraday-multipart from 1.0.4 to 1.2.0.
    • Updated faraday-net_http from 1.0.1 to 1.0.2.
    • Updated faraday_middleware from 1.2.0 to 1.2.1.
    • Updated fastimage from 2.2.7 to 2.4.0.
    • Added fastlane-sirp at 1.0.0.
    • Updated ffi from 1.15.5 to 1.17.3.
    • Updated google-apis-androidpublisher_v3 from 0.50.0 to 0.54.0.
    • Updated google-apis-core from 0.11.1 to 0.11.3 and removed webrick dependency.
    • Updated google-apis-storage_v1 from 0.19.0 to 0.29.0.
    • Updated google-cloud-core from 1.6.0 to 1.6.1.
    • Updated http-cookie from 1.0.5 to 1.0.8.
    • Updated httpclient from 2.8.3 to 2.9.0 and added mutex_m dependency.
    • Updated json from 2.6.3 to 2.7.6.
    • Updated jwt from 2.7.1 to 2.10.2 and added base64 dependency.
    • Added logger at 1.7.0.
    • Updated mini_magick from 4.12.0 to 4.13.2.
    • Updated multipart-post from 2.3.0 to 2.4.1.
    • Added mutex_m at 0.3.0.
    • Updated nanaimo from 0.3.0 to 0.4.0.
    • Updated naturally from 2.2.1 to 2.3.0.
    • Added nkf at 0.2.0.
    • Updated optparse from 0.1.1 to 0.8.1.
    • Updated plist from 3.7.0 to 3.7.2.
    • Updated rake from 13.0.6 to 13.3.1.
    • Updated rexml from 3.2.6 to 3.4.4.
    • Updated rouge from 2.0.7 to 3.28.0.
    • Updated rubyzip from 2.3.2 to 2.4.1.
    • Updated security from 0.1.3 to 0.1.5.
    • Added sysrandom at 1.0.5.
    • Updated tty-screen from 0.8.1 to 0.8.2.
    • Updated typhoeus from 1.4.0 to 1.5.0.
    • Updated unf from 0.1.4 to 0.2.0 and removed unf_ext.
    • Updated unicode-display_width from 2.5.0 to 2.6.0.
    • Updated xcodeproj from 1.23.0 to 1.27.0.
    • Updated xcpretty from 0.3.0 to 0.4.1.
    • Updated BUNDLED WITH version from 2.1.4 to 1.17.2.
    • Updated DEPENDENCIES section to include activesupport and cocoapods with specific version constraints.

Activity

  • Snyk automatically created this pull request to address 1 identified vulnerability.
  • The vulnerability fixed is a Server-side Request Forgery (SSRF) with a score of 631.
  • The PR includes important notes to check for potential issues and acknowledges that the vulnerability score may have changed.
  • This pull request was automatically generated by Snyk using the credentials of a real user.
  • Links are provided for viewing the latest project report, customizing PR templates, adjusting project settings, and understanding Snyk's upgrade logic.
  • An interactive lesson on Server-side Request Forgery (SSRF) is linked for educational purposes.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature               Command               Description
Code Review           /gemini review        Performs a code review for the current pull request in its current state.
Pull Request Summary  /gemini summary       Provides a summary of the current pull request in its current state.
Comment               @gemini-code-assist   Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help                  /gemini help          Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request, automatically generated by Snyk, upgrades the fastlane gem to address a security vulnerability. The changes correctly update Gemfile to enforce a minimum version for fastlane and update the Gemfile.lock with the resolved dependencies. I've suggested a small improvement to the version constraint in Gemfile to use the optimistic ~> operator, which is a best practice that will help prevent pulling in future major versions with potentially breaking changes.

Comment thread Gemfile
gem 'cocoapods', '>= 1.13', '!= 1.15.0', '!= 1.15.1'
gem 'activesupport', '>= 6.1.7.5', '!= 7.1.0'
gem 'fastlane'
gem 'fastlane', '>= 2.217.0'
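Review bot: The new line `gem 'fastlane', '>= 2.217.0'` sets a lower bound only, and the advisory this PR closes (SNYK-RUBY-FARADAY-15253521) is in faraday, a gem that none of the Gemfile lines shown here constrain; the patched faraday (1.10.3 to 1.10.5 per the summary in this thread) is therefore held only by Gemfile.lock, and a later `bundle update` is free to re-resolve it. Consider adding an explicit floor such as `gem 'faraday', '>= 1.10.5'` next to the fastlane line, or at minimum installing with Bundler's `--deployment`/frozen mode in CI so the lockfile cannot drift silently. Before merging, also reconcile two oddities the summary reports in Gemfile.lock: fastlane resolving to 2.230.0 while the title says 2.217.0, and BUNDLED WITH moving from 2.1.4 to 1.17.2, which suggests the lock was regenerated with a different Bundler than the project uses.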

medium

For better dependency management and to avoid accidentally pulling in breaking changes from future major versions, it's recommended to use an optimistic version constraint. The ~> operator is ideal for this, as it will allow updates to new patch and minor versions but not major versions.

~> 2.217.0 is equivalent to >= 2.217.0 and < 3.0.0.

gem 'fastlane', '~> 2.217.0'
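As an added example that is not part of this thread, the Ruby script below evaluates the constraints under discussion with RubyGems' own `Gem::Requirement`, the class Bundler resolves against, over a constructed list of candidate versions. It shows which releases `>= 2.217.0`, `~> 2.217.0` and `~> 2.217` each admit, which one a `bundle update` would pick under each, and the explicit bound pair a `~>` requirement expands to via `Gem::Version#bump`. The candidate list is constructed and says nothing about which fastlane releases actually exist.

```ruby
# Added example, not part of the PR or the review comment above. Evaluates
# Gemfile-style version requirements with the same Gem::Requirement class
# Bundler uses, so the reader can see exactly which releases each constraint
# admits. The candidate version list is constructed for illustration and
# says nothing about which fastlane releases actually exist.
require 'rubygems'

# Constructed candidate versions a resolver might be offered.
CANDIDATES = %w[2.216.0 2.217.0 2.217.9 2.218.0 2.230.0 3.0.0].freeze

# Versions from `candidates` that satisfy a requirement string such as
# '>= 2.217.0', '~> 2.217.0' or a comma-separated pair like '>= 2.217.0, < 3'.
def admitted(requirement, candidates = CANDIDATES)
  req = Gem::Requirement.new(*requirement.split(',').map(&:strip))
  candidates.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# The highest version a constraint would let `bundle update` pick.
def highest_admitted(requirement, candidates = CANDIDATES)
  admitted(requirement, candidates).max_by { |v| Gem::Version.new(v) }
end

# Explicit bounds a pessimistic ('~>') requirement expands to, computed the
# way RubyGems defines it: the floor is the version as written, the ceiling
# is that version with its last segment dropped and the new last segment
# incremented (Gem::Version#bump).
def pessimistic_bounds(version)
  v = Gem::Version.new(version)
  ">= #{v}, < #{v.bump}"
end

if __FILE__ == $PROGRAM_NAME
  ['>= 2.217.0', '~> 2.217.0', '~> 2.217'].each do |r|
    puts format('%-11s admits %-40s highest %s', r, admitted(r).join(' '), highest_admitted(r))
  end
  puts pessimistic_bounds('2.217.0')
  puts pessimistic_bounds('2.217')
end
```

Run it directly to print the admitted sets. The practical point for a Gemfile is that the number of segments written after `~>` decides the ceiling: three segments cap the range at the next patch series, two at the next major release, so the form should be chosen to match how much drift the project is willing to accept from a security floor.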

