inaturalist / iNaturalistAPI / #1296

79%

main: 80%

push

Switch to safe-squel

squel has a known vulnerability
(https://github.com/advisories/GHSA-4qhx-g9wp-g9m6) that doesn't technically
affect us because we don't use the relevant feature, but since it's possible
we might use it and/or forget about this vulnerability, it seems safer to
switch to safe-squel which patches the problem. This was the approach taken
by Kibana in https://github.com/elastic/kibana/issues/94199. squel is not
actively maintained, and it's not clear if safe-squel is either, so it might
be better to switch to another query builder in the long term.

Note that this does change the way potential injections get handled during the
parameter interpolation we do use. Previously something like a single quote
would raise an error, and now it gets replaced with a blank string.

2266 of 3341 branches covered (67.82%)

4312 of 5424 relevant lines covered (79.5%)

52.35 hits per line