[Security] [SCA] Critical vulnerabilities found in dependencies

[flaviomeira]

I analyzed the dependencies used by Fastlane and found some security issues: 2 criticals and 1 high.
The bundle-audit was used in this analysis. bundle-audit check.

Name: git
Version: 1.8.1
CVE: CVE-2022-25648
GHSA: GHSA-69p6-wvmq-27gg
Criticality: Critical
URL: https://github.com/ruby-git/ruby-git/pull/569
Description:

  The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts
  = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags
  can be used to perform a command injection.

Solution: upgrade to '>= 1.11.0'

Name: kramdown
Version: 2.3.0
CVE: CVE-2021-28834
GHSA: GHSA-52p9-v744-mwjj
Criticality: Critical
URL: https://github.com/advisories/GHSA-52p9-v744-mwjj
Description:

  Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

Solution: upgrade to '>= 2.3.1'

Name: sinatra
Version: 2.0.8.1
CVE: CVE-2022-29970
GHSA: GHSA-qp49-3pvw-x4m5
Criticality: High
URL: https://github.com/sinatra/sinatra/pull/1683
Description:

  Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.

Solution: upgrade to '>= 2.2.0'

Expected: Update the dependencies with known vulnerabilities in order to solve security issues.

Thanks!