[Snyk] Security upgrade thor from 0.19.4 to 1.4.0

[Nick2bad4u]

Snyk has created this PR to fix 1 vulnerabilities in the rubygems dependencies of this project.

Snyk changed the following file(s):

• Gemfile

⚠️ Warning

Failed to update the Gemfile.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	OS Command Injection SNYK-RUBY-THOR-10843853	641

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 OS Command Injection

[Copilot]

Pull Request Overview

This PR upgrades the thor gem from version 0.19.4 to 1.4.0 to address a high-severity OS Command Injection vulnerability (SNYK-RUBY-THOR-10843853) with a score of 641. The upgrade represents a major version change that may introduce breaking changes requiring manual testing and potential code updates.

• Security fix for OS Command Injection vulnerability in thor gem
• Major version upgrade from 0.x to 1.x series
• Gemfile.lock update failure requires manual intervention

[Copilot]

The version constraint '>= 1.4.0' allows any future version of thor, which could introduce breaking changes in major version upgrades. Consider using a more restrictive constraint like '~> 1.4.0' to limit to compatible patch/minor versions within the 1.x series.

Suggested change

	gem 'thor', '>= 1.4.0'
	gem 'thor', '~> 1.4.0'

[github-actions]

Greetings, thanks for opening a pull request, I'll look when I can.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

# npm audit report

@octokit/plugin-paginate-rest  <=9.2.1
Severity: moderate
@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-h5c3-5r3r-rr8q
fix available via `npm audit fix`
node_modules/@actions/artifact/node_modules/@octokit/plugin-paginate-rest
  @actions/github  3.0.0 - 5.1.1
  Depends on vulnerable versions of @octokit/core
  Depends on vulnerable versions of @octokit/plugin-paginate-rest
  node_modules/@actions/artifact/node_modules/@actions/github

@octokit/request  <=8.4.0
Severity: moderate
Depends on vulnerable versions of @octokit/request-error
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-rmvr-2pp2-xj38
fix available via `npm audit fix --force`
Will install @actions/[email protected], which is a breaking change
node_modules/@actions/artifact/node_modules/@octokit/request
  @octokit/core  <=5.0.0-beta.5
  Depends on vulnerable versions of @octokit/graphql
  Depends on vulnerable versions of @octokit/request
  Depends on vulnerable versions of @octokit/request-error
  node_modules/@actions/artifact/node_modules/@octokit/core
    @actions/artifact  >=2.0.0
    Depends on vulnerable versions of @actions/github
    Depends on vulnerable versions of @octokit/core
    node_modules/@actions/artifact
  @octokit/graphql  <=2.1.3 || 3.0.0 - 6.0.1
  Depends on vulnerable versions of @octokit/request
  node_modules/@actions/artifact/node_modules/@octokit/graphql

@octokit/request-error  <=5.1.0
Severity: moderate
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking - https://github.com/advisories/GHSA-xx4v-prfh-6cgc
fix available via `npm audit fix --force`
Will install @actions/[email protected], which is a breaking change
node_modules/@actions/artifact/node_modules/@octokit/core/node_modules/@octokit/request-error
node_modules/@actions/artifact/node_modules/@octokit/request/node_modules/@octokit/request-error

brace-expansion  1.0.0 - 1.1.11 || 2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/@actions/cache/node_modules/brace-expansion
node_modules/@actions/glob/node_modules/brace-expansion
node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/@humanwhocodes/config-array/node_modules/brace-expansion
node_modules/archiver-utils/node_modules/brace-expansion
node_modules/cacache/node_modules/brace-expansion
node_modules/editorconfig/node_modules/brace-expansion
node_modules/eslint-plugin-react/node_modules/brace-expansion
node_modules/eslint/node_modules/brace-expansion
node_modules/filelist/node_modules/brace-expansion
node_modules/glob/node_modules/brace-expansion
node_modules/jake/node_modules/brace-expansion
node_modules/js-beautify/node_modules/brace-expansion
node_modules/mem-fs-editor/node_modules/brace-expansion
node_modules/mocha/node_modules/brace-expansion
node_modules/multimatch/node_modules/brace-expansion
node_modules/prettier-eslint/node_modules/@eslint/eslintrc/node_modules/brace-expansion
node_modules/prettier-eslint/node_modules/brace-expansion
node_modules/prettier-eslint/node_modules/eslint/node_modules/brace-expansion
node_modules/readdir-glob/node_modules/brace-expansion

form-data  <2.5.4
Severity: critical
form-data uses unsafe random function in form-data for choosing boundary - https://github.com/advisories/GHSA-fjxv-7rqg-78g4
fix available via `npm audit fix`
node_modules/form-data

9 vulnerabilities (1 low, 7 moderate, 1 critical)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force