[security] release updated version of padrino-mailer which requires mail ~> 2.4.4 or higher

[postmodern]

padrino-mailer is locked to mail ~> 2.3.0. Versions below 2.4.4 of the mail gem are vulnerable to CVE-2012-2139 and CVE-2012-2140.

[DAddYE]

Thanks man! I'll take care of it

[postmodern]

Caught by bundler-audit :)

[hooopo]

@postmodern Awesome!

[postmodern]

I highly suggest using ~> X.Y dependencies, otherwise you'll constantly have to bump the version requirements. Also you can specify multiple version requirements:

s.add_dependency 'mail', '~> 2.4', '>= 2.4.4'

[DAddYE]

Thanks @postmodern starred ;) I've tried to use >= but several times minor version bump breaks compatibility. So I start to lock on patch-level since my hope was that is enough to fix security problems ...

[nesquena]

Alright, the dependency for mail was fixed. Going to close this, glad we got that updated.

[postmodern]

Will there be a patch-level release or is the Padrino team aiming for 1.0.0?

[postmodern]

Ah nevermind, looks like you are targeting 0.11.0.

[nesquena]

We are aiming right now for 0.11.0. I know we are not currently following semver perfectly but that will improve when we hit 1.0. Right now a 0.X.0 means is reserved for substantial or breaking releases.

[nesquena]

In my mind I see the roadmap as 0.11.0, 0.11.X and then a 0.12.X series which will be the bridge towards our 1.0 prerelease. Obviously open to discussion, but that's how I am currently hoping to see it play out. We have come a long way in 0.11.0 (probably too far without a release). I am updating the changelog and preparing a blog post for it now.