update to json 2.3.1 (#139)

* update json dep to 2.3.x to fix CVE

Author: apache-hb

Gemfile.lock

@@ -3,92 +3,81 @@ PATH
   specs:
     launchdarkly-server-sdk (5.8.0)
       concurrent-ruby (~> 1.0)
-      json (>= 1.8, < 3)
+      json (~> 2.3.1)
       ld-eventsource (= 1.0.3)
       semantic (~> 1.6)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    aws-eventstream (1.0.1)
-    aws-partitions (1.128.0)
-    aws-sdk-core (3.44.2)
-      aws-eventstream (~> 1.0)
-      aws-partitions (~> 1.0)
-      aws-sigv4 (~> 1.0)
+    aws-eventstream (1.1.0)
+    aws-partitions (1.388.0)
+    aws-sdk-core (3.109.1)
+      aws-eventstream (~> 1, >= 1.0.2)
+      aws-partitions (~> 1, >= 1.239.0)
+      aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-dynamodb (1.19.0)
-      aws-sdk-core (~> 3, >= 3.39.0)
-      aws-sigv4 (~> 1.0)
-    aws-sigv4 (1.0.3)
-    codeclimate-test-reporter (0.6.0)
-      simplecov (>= 0.7.1, < 1.0.0)
-    concurrent-ruby (1.1.6)
-    connection_pool (2.2.1)
-    diff-lcs (1.3)
-    diplomat (2.0.2)
-      faraday (~> 0.9)
-      json
-    docile (1.1.5)
-    faraday (0.15.4)
+    aws-sdk-dynamodb (1.55.0)
+      aws-sdk-core (~> 3, >= 3.109.0)
+      aws-sigv4 (~> 1.1)
+    aws-sigv4 (1.2.2)
+      aws-eventstream (~> 1, >= 1.0.2)
+    concurrent-ruby (1.1.7)
+    connection_pool (2.2.3)
+    deep_merge (1.2.1)
+    diff-lcs (1.4.4)
+    diplomat (2.4.2)
+      deep_merge (~> 1.0, >= 1.0.1)
+      faraday (>= 0.9, < 1.1.0)
+    faraday (0.17.3)
       multipart-post (>= 1.2, < 3)
-    ffi (1.9.25)
-    ffi (1.9.25-java)
+    ffi (1.12.0)
     hitimes (1.3.1)
-    hitimes (1.3.1-java)
     http_tools (0.4.5)
     jmespath (1.4.0)
-    json (1.8.6)
-    json (1.8.6-java)
+    json (2.3.1)
     ld-eventsource (1.0.3)
       concurrent-ruby (~> 1.0)
       http_tools (~> 0.4.5)
       socketry (~> 0.5.1)
-    listen (3.1.5)
-      rb-fsevent (~> 0.9, >= 0.9.4)
-      rb-inotify (~> 0.9, >= 0.9.7)
-      ruby_dep (~> 1.2)
-    multipart-post (2.0.0)
-    rb-fsevent (0.10.3)
-    rb-inotify (0.9.10)
-      ffi (>= 0.5.0, < 2)
+    listen (3.2.1)
+      rb-fsevent (~> 0.10, >= 0.10.3)
+      rb-inotify (~> 0.9, >= 0.9.10)
+    multipart-post (2.1.1)
+    rb-fsevent (0.10.4)
+    rb-inotify (0.10.1)
+      ffi (~> 1.0)
     redis (3.3.5)
-    rspec (3.7.0)
-      rspec-core (~> 3.7.0)
-      rspec-expectations (~> 3.7.0)
-      rspec-mocks (~> 3.7.0)
-    rspec-core (3.7.1)
-      rspec-support (~> 3.7.0)
-    rspec-expectations (3.7.0)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.3)
+      rspec-support (~> 3.9.3)
+    rspec-expectations (3.9.3)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-mocks (3.7.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.1)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-support (3.7.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.4)
     rspec_junit_formatter (0.3.0)
       rspec-core (>= 2, < 4, != 2.12.0)
-    ruby_dep (1.5.0)
     semantic (1.6.1)
-    simplecov (0.15.1)
-      docile (~> 1.1.0)
-      json (>= 1.8, < 3)
-      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
     socketry (0.5.1)
       hitimes (~> 1.2)
-    timecop (0.9.1)
+    timecop (0.9.2)
 
 PLATFORMS
-  java
   ruby
 
 DEPENDENCIES
   aws-sdk-dynamodb (~> 1.18)
-  bundler (~> 1.7)
-  codeclimate-test-reporter (~> 0)
+  bundler (~> 1.17)
   connection_pool (>= 2.1.2)
   diplomat (>= 2.0.2)
+  faraday (~> 0.17)
+  ffi (<= 1.12)
   launchdarkly-server-sdk!
   listen (~> 3.0)
   redis (~> 3.3.5)

launchdarkly-server-sdk.gemspec

@@ -21,18 +21,25 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_development_dependency "aws-sdk-dynamodb", "~> 1.18"
-  spec.add_development_dependency "bundler", "~> 1.7"
+  spec.add_development_dependency "bundler", "~> 1.17"
   spec.add_development_dependency "rspec", "~> 3.2"
-  spec.add_development_dependency "codeclimate-test-reporter", "~> 0"
   spec.add_development_dependency "diplomat", ">= 2.0.2"
   spec.add_development_dependency "redis", "~> 3.3.5"
   spec.add_development_dependency "connection_pool", ">= 2.1.2"
   spec.add_development_dependency "rspec_junit_formatter", "~> 0.3.0"
   spec.add_development_dependency "timecop", "~> 0.9.1"
   spec.add_development_dependency "listen", "~> 3.0" # see file_data_source.rb
+  # these are transitive dependencies of listen and consul respectively
+  # we constrain them here to make sure the ruby 2.2, 2.3, and 2.4 CI
+  # cases all pass
+  spec.add_development_dependency "ffi", "<= 1.12" # >1.12 doesnt support ruby 2.2
+  spec.add_development_dependency "faraday", "~> 0.17" # >=0.18 doesnt support ruby 2.2
 
-  spec.add_runtime_dependency "json", [">= 1.8", "< 3"]
   spec.add_runtime_dependency "semantic", "~> 1.6"
   spec.add_runtime_dependency "concurrent-ruby", "~> 1.0"
   spec.add_runtime_dependency "ld-eventsource", "1.0.3"
+
+  # lock json to 2.3.x as ruby libraries often remove
+  # support for older ruby versions in minor releases
+  spec.add_runtime_dependency "json", "~> 2.3.1"
 end

spec/spec_helper.rb

@@ -1,6 +1,3 @@
-require "codeclimate-test-reporter"
-CodeClimate::TestReporter.start
-
 require "ldclient-rb"
 
 $null_log = ::Logger.new($stdout)