Upgrade json dependency in view of CVE-2020-10663 #2

Closed
wants to merge 1 commit into from


@francois commented Jun 1, 2020

@killthekitten
Owner

Hey @francois, thanks for the patch! I believe this is only a mirror that hasn't been updated in a while. Could you send the PR to the original repo? https://bitbucket.org/mailchimp/mandrill-api-ruby/src/master/

@francois francois closed this Jun 19, 2020
@makstaks

makstaks commented Aug 10, 2020

Unfortunately, the gem is no longer supported; see: https://bitbucket.org/mailchimp/mandrill-api-ruby/pull-requests/8/fix-json-version/diff

Thank you for writing in, I apologize for the delay in getting back to you. Currently, we do not have any official support for those public libraries any longer. We are more than happy to pass along the feedback to our developers, but I can not make promises that there will be any updates. However, as the code is public, you are entirely welcome to manipulate and edit it as needed to work with newer version of Python. I understand that this is not the ideal situation, but I am not privy to any information of upcoming updates to our Ruby wrappers.

@killthekitten
Owner

@makstaks that's a pity. I would recommend to move away from using mailchimp if that's possible, or use @francois's patch as a GitHub dependency in your Gemfile.

@1wilber

1wilber commented Jun 29, 2023

@killthekitten the repository was deleted. What versions of json are compatible with this gem? I want to fork this repo and upgrade the json version.

@killthekitten
Owner

@NotB0T not sure exactly, but judging from the gemspec anything fresh should work (also without requiring an upgrade):

s.add_dependency 'json', '>= 1.7.7'
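
The gemspec line quoted in the reply above admits a fresh json release but does not force one, so the consuming application's Gemfile.lock decides which json is actually loaded. The following is an added example, not code from this repository or from anyone in the thread, that checks a lockfile against both the gemspec constraint and a patched floor; the lockfile text, the `example-wrapper` gem name and the `patched_floor` argument are assumptions, and the floor has to be taken from the CVE-2020-10663 advisory because this page does not state it.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement ship with Ruby

# Constraint quoted from the gemspec line in the thread.
GEMSPEC_REQ = Gem::Requirement.new('>= 1.7.7')

# Constructed Gemfile.lock fragments (not taken from the project).
# 'example-wrapper' is a hypothetical gem standing in for the API wrapper.
LOCK_OLD = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      example-wrapper (0.0.0)
        json (>= 1.7.7)
      json (1.8.6)
LOCK
LOCK_NEW = LOCK_OLD.sub('json (1.8.6)', 'json (2.6.3)')

# Resolved gems sit at exactly four spaces of indent under "specs:";
# their dependency constraints sit at six, so they are not matched here.
def resolved_version(lock_text, gem_name)
  raw = lock_text[/^ {4}#{Regexp.escape(gem_name)} \((\d[\w.]*)/, 1]
  raw && Gem::Version.new(raw)
end

# patched_floor: first fixed json version according to the advisory
# (caller-supplied assumption; this page does not give the number).
def audit_json(lock_text, patched_floor)
  version = resolved_version(lock_text, 'json')
  return :not_locked if version.nil?
  return :violates_gemspec unless GEMSPEC_REQ.satisfied_by?(version)

  floor = Gem::Requirement.new(">= #{patched_floor}")
  floor.satisfied_by?(version) ? :patched : :allowed_but_unpatched
end
```

An `:allowed_but_unpatched` result is the case the thread leaves open: the wrapper installs cleanly, yet the application still needs its own `bundle update json` or an explicit floor in its Gemfile.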
