From 00230a5e55c2cf0a5a6a9d0d0f47bc73277965e1 Mon Sep 17 00:00:00 2001
From: Nigel Brookes-Thomas
Date: Tue, 9 Apr 2024 12:52:25 +0100
Subject: [PATCH] chore: AB-5678: remove unused gems and add explicit rack dependency to avoid known vulnerabilities in 2.x versions
---
 Gemfile | 6 --
 Gemfile.lock | 126 +++++++++++++++++-----------------
 dvla-dataverse-helper.gemspec | 2 +
 3 files changed, 66 insertions(+), 68 deletions(-)
diff --git a/Gemfile b/Gemfile
index 81d24f2..44f3f1a 100644
--- a/Gemfile
+++ b/Gemfile
@@ -9,10 +9,4 @@
 gem "rake", "~> 13.0"
 gem "rspec", "~> 3.0"
-gem "oauth2", "~> 2.0"
-
-gem "config", "~> 4.0"
-
 gem "rest-client", "~> 2.1"
-
-gem "colorize", "~> 0.8.1"
diff --git a/Gemfile.lock b/Gemfile.lock
index 7315e05..c723a51 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -1,69 +1,75 @@ PATH remote: . specs: - dvla-dataverse-helper (0.1.2) + dvla-dataverse-helper (0.1.3) colorize config oauth2 (~> 2.0) + rack (~> 3.0) rest-client (~> 2.1) GEM remote: https://rubygems.org/ specs: + base64 (0.2.0) + bigdecimal (3.1.7) colorize (0.8.1) - concurrent-ruby (1.1.10) - config (4.1.0) + concurrent-ruby (1.2.3) + config (4.2.1) deep_merge (~> 1.2, >= 1.2.1) dry-validation (~> 1.0, >= 1.0.0) deep_merge (1.2.2) - diff-lcs (1.5.0) - domain_name (0.5.20190701) - unf (>= 0.0.5, < 1.0.0) - dry-configurable (0.13.0) + diff-lcs (1.5.1) + domain_name (0.6.20240107) + dry-configurable (1.1.0) + dry-core (~> 1.0, < 2) + zeitwerk (~> 2.6) + dry-core (1.0.1) concurrent-ruby (~> 1.0) - dry-core (~> 0.6) - dry-container (0.9.0) + zeitwerk (~> 2.6) + dry-inflector (1.0.0) + dry-initializer (3.1.1) + dry-logic (1.5.0) concurrent-ruby (~> 1.0) - dry-configurable (~> 0.13, >= 0.13.0) - dry-core (0.7.1) + dry-core (~> 1.0, < 2) + zeitwerk (~> 2.6) + dry-schema (1.13.3) concurrent-ruby (~> 1.0) - dry-inflector (0.2.1) - dry-initializer (3.0.4) - dry-logic (1.2.0) - concurrent-ruby (~> 1.0) - dry-core (~> 0.5, >= 0.5) - dry-schema (1.8.0) - concurrent-ruby (~> 1.0) - dry-configurable (~> 0.13, >= 0.13.0) - dry-core (~> 0.5, >= 0.5) + dry-configurable (~> 1.0, >= 1.0.1) + dry-core (~> 1.0, < 2) dry-initializer (~> 3.0) - dry-logic (~> 1.0) - dry-types (~> 1.5) - dry-types (1.5.1) + dry-logic (>= 1.4, < 2) + dry-types (>= 1.7, < 2) + zeitwerk (~> 2.6) + dry-types (1.7.2) + bigdecimal (~> 3.0) concurrent-ruby (~> 1.0) - dry-container (~> 0.3) - dry-core (~> 0.5, >= 0.5) - dry-inflector (~> 0.1, >= 0.1.2) - dry-logic (~> 1.0, >= 1.0.2) - dry-validation (1.7.0) + dry-core (~> 1.0) + dry-inflector (~> 1.0) + dry-logic (~> 1.4) + zeitwerk (~> 2.6) + dry-validation (1.10.0) concurrent-ruby (~> 1.0) - dry-container (~> 0.7, >= 0.7.1) - dry-core (~> 0.5, >= 0.5) + dry-core (~> 1.0, < 2) dry-initializer (~> 3.0) - dry-schema (~> 1.8, >= 1.8.0) - faraday (2.7.4) - 
faraday-net_http (>= 2.0, < 3.1) - ruby2_keywords (>= 0.0.4) - faraday-net_http (3.0.2) + dry-schema (>= 1.12, < 2) + zeitwerk (~> 2.6) + faraday (2.9.0) + faraday-net_http (>= 2.0, < 3.2) + faraday-net_http (3.1.0) + net-http hashie (5.0.0) http-accept (1.7.0) http-cookie (1.0.5) domain_name (~> 0.5) - jwt (2.7.0) - mime-types (3.4.1) + jwt (2.8.1) + base64 + mime-types (3.5.2) mime-types-data (~> 3.2015) - mime-types-data (3.2022.0105) + mime-types-data (3.2024.0305) multi_xml (0.6.0) + net-http (0.4.1) + uri netrc (0.11.0) oauth2 (2.0.9) faraday (>= 0.17.3, < 3.0) @@ -72,47 +78,43 @@ GEM rack (>= 1.2, < 4) snaky_hash (~> 2.0) version_gem (~> 1.1) - rack (2.2.6.4) - rake (13.0.6) + rack (3.0.10) + rake (13.2.1) rest-client (2.1.0) http-accept (>= 1.7.0, < 2.0) http-cookie (>= 1.0.2, < 2.0) mime-types (>= 1.16, < 4.0) netrc (~> 0.8) - rspec (3.11.0) - rspec-core (~> 3.11.0) - rspec-expectations (~> 3.11.0) - rspec-mocks (~> 3.11.0) - rspec-core (3.11.0) - rspec-support (~> 3.11.0) - rspec-expectations (3.11.1) + rspec (3.13.0) + rspec-core (~> 3.13.0) + rspec-expectations (~> 3.13.0) + rspec-mocks (~> 3.13.0) + rspec-core (3.13.0) + rspec-support (~> 3.13.0) + rspec-expectations (3.13.0) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.11.0) - rspec-mocks (3.11.2) + rspec-support (~> 3.13.0) + rspec-mocks (3.13.0) diff-lcs (>= 1.2.0, < 2.0) - rspec-support (~> 3.11.0) - rspec-support (3.11.0) - ruby2_keywords (0.0.5) - snaky_hash (2.0.0) + rspec-support (~> 3.13.0) + rspec-support (3.13.1) + snaky_hash (2.0.1) hashie - version_gem (~> 1.1) - unf (0.1.4) - unf_ext - unf_ext (0.0.8.2) - version_gem (1.1.0) + version_gem (~> 1.1, >= 1.1.1) + uri (0.13.0) + version_gem (1.1.4) + zeitwerk (2.6.13) PLATFORMS + arm64-darwin-23 x86_64-darwin-21 x86_64-linux DEPENDENCIES - colorize (~> 0.8.1) - config (~> 4.0) dvla-dataverse-helper! - oauth2 (~> 2.0) rake (~> 13.0) rest-client (~> 2.1) rspec (~> 3.0) BUNDLED WITH - 2.3.20 + 2.5.7 
diff --git a/dvla-dataverse-helper.gemspec b/dvla-dataverse-helper.gemspec
index c290076..f89fe65 100644
--- a/dvla-dataverse-helper.gemspec
+++ b/dvla-dataverse-helper.gemspec
@@ -26,6 +26,8 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'oauth2', '~> 2.0'
   spec.add_dependency "rest-client", "~> 2.1"
+  # explicit rack dependency to avoid known vulns in 2.x versions
+  spec.add_dependency 'rack', "~> 3.0"
   spec.add_dependency 'colorize'
   spec.add_dependency 'config'
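Review bot: The new `spec.add_dependency 'rack', "~> 3.0"` declares a runtime dependency on a gem this library does not appear to use directly — in the lockfile rack only enters through `oauth2 (2.0.9)`, whose own constraint is `rack (>= 1.2, < 4)` — so the pin is inherited by every consumer of this gem and makes it unresolvable in any application still on Rack 2.x, which to my knowledge kept receiving security backports in its 2.2 line. If the goal is only to exclude the vulnerable releases, a lower bound on the patched version such as `spec.add_dependency 'rack', '>= <patched 2.2.x release>', '< 4'` (or, for this repo alone, `bundle update rack` in the lockfile) achieves that without narrowing downstream resolution; a `~> 3.0` pin also silently buys Rack 3's behavioural changes for consumers. The added comment should name the advisory being worked around and when the pin was added, e.g. `# rack pinned to exclude <advisory id> (YYYY-MM); relax once consumers can accept rack 3 — see <link>`, so the constraint can be revisited rather than cargo-culted forward. The enclosing `Gem::Specification.new do |spec|` block starts and ends outside the hunk.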