Update dependency for Kubeclient::Config vulnerability

See ManageIQ/kubeclient#554, I fixed an embarrasing vulnerability in Kubeclient::Config — it could wrongly set `VERIFY_NONE`, allowing man-in-the-middle attacks and stealing cluster credentials 😳 And I see this repo does use `Kubeclient::Config.read`. kubeclient generally obeys SemVer, so upgrading 4.6.z to 4.9.z should be safe. OTOH if you think upgrading is tricky, let us know on that kubeclient issue, we can backport the fix! @harshit-splunk @rockb1017 I see several of fluent-plugin-* gems depend on '~> 4.6.0', and more than one are maintained by Splunk — I'm not going to send PRs to them all, please spread the word.
cben · Mar 25, 2022 · 430e67f · 430e67f · hvaghani221 · Mar 25, 2022
1 parent 84600bc
commit 430e67f
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/fluent-plugin-kubernetes-metrics.gemspec b/fluent-plugin-kubernetes-metrics.gemspec
@@ -25,7 +25,7 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency 'test-unit', '~> 3.3.0'
   spec.add_development_dependency 'webmock', '~> 3.5.1'
   spec.add_runtime_dependency 'fluentd', '>= 1.9.1'
-  spec.add_runtime_dependency 'kubeclient', '~> 4.6.0'
+  spec.add_runtime_dependency 'kubeclient', '~> 4.9.3'
   spec.add_runtime_dependency 'multi_json', '~> 1.14.1'
   spec.add_runtime_dependency 'oj', '~> 3.10.2'
 end