Is there any plan to update the bullet_train-integrations-stripe gem's dependencies, specifically the use of omniauth (which is currently stuck at 1.9.2)?
Would love to get this updated to help address a security concern that has been present for more than 2 years now:
The latest possible version that can be installed is 1.9.2 because of the following conflicting dependency:
bullet_train-integrations-stripe (1.12.3) requires omniauth (~> 1.3) via omniauth-stripe-connect (2.10.1)
The earliest fixed version is 2.0.0.
The request phase of the OmniAuth Ruby gem (1.9.2 and earlier) is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into the web application as the primary account.
As of v2 OmniAuth no longer has the vulnerable configuration by default, but it is still possible to configure OmniAuth in such a way that the web application becomes vulnerable to Cross-Site Request Forgery. There is a recommended remediation described here.
It doesn't look like the underlying gem (omniauth-stripe-connect) has been updated in a while and might not be maintained anymore, but it does look like there is a new gem (omniauth-stripe-connect-v2) that wouldn't be subject to the known issues.
Not sure how easy it would be to update things to use this, but wanted to make sure that it was on people's radar. Thanks!
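The advisory quoted above concerns the OmniAuth request phase: a request to /auth/<provider> starts the redirect to the provider, and in OmniAuth 1.x the default let a plain GET do that, so a cross-site page could link an attacker's provider account to a logged-in victim. As an added illustration, not code from bullet_train, omniauth or either omniauth-stripe-connect gem, the Ruby below models that guard in isolation: the vulnerable pre-2.0 behaviour beside the hardened form that OmniAuth 2.0's defaults (POST only) and the omniauth-rails_csrf_protection gem (authenticity token check) apply. The Rack-style env hashes, the `form_params` key, the session key name and the constant-time compare are constructed for the example and are not OmniAuth's own API.

```ruby
require 'securerandom'

# Added example, not code from omniauth or bullet_train. Models the OmniAuth
# "request phase" guard: a hit on /auth/<provider> starts the OAuth redirect.
# Returning the provider name means "start the flow"; nil means "refuse".
REQUEST_PATH = %r{\A/auth/(?<provider>[a-z0-9_]+)\z}

# Vulnerable guard: mirrors the pre-2.0 default, where any request method
# starts the request phase. A cross-site <img src="https://app.example/auth/stripe_connect">
# is enough, because the browser attaches the victim's session cookie.
def request_phase_vulnerable(env)
  m = REQUEST_PATH.match(env['PATH_INFO'].to_s)
  m && m[:provider]
end

# Hardened guard: only the allowed methods (POST by default, as in OmniAuth 2),
# and the submitted authenticity token must match the one in the session.
def request_phase_hardened(env, allowed_methods: ['POST'])
  m = REQUEST_PATH.match(env['PATH_INFO'].to_s)
  return nil unless m
  return nil unless allowed_methods.include?(env['REQUEST_METHOD'])

  # 'rack.session' is the conventional Rack session key; 'form_params' and
  # 'csrf_token' are names constructed for this example.
  session_token = env.dig('rack.session', 'csrf_token')
  form_token    = env.dig('form_params', 'authenticity_token')
  return nil if session_token.nil? || form_token.nil?
  return nil unless secure_equal?(session_token, form_token)

  m[:provider]
end

# Constant-time comparison so the token check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed requests (not captured traffic). One victim session throughout.
SESSION = { 'csrf_token' => SecureRandom.hex(16) }

# Cross-site GET: victim's cookie rides along, no token, as an <img> or link would send.
CSRF_GET = {
  'REQUEST_METHOD' => 'GET',
  'PATH_INFO'      => '/auth/stripe_connect',
  'rack.session'   => SESSION,
  'form_params'    => {},
}

# Legitimate click on the app's own "Connect Stripe" button (POST + token).
LEGIT_POST = {
  'REQUEST_METHOD' => 'POST',
  'PATH_INFO'      => '/auth/stripe_connect',
  'rack.session'   => SESSION,
  'form_params'    => { 'authenticity_token' => SESSION['csrf_token'] },
}

# Forged POST from a cross-site auto-submitting form: right method, wrong token.
CSRF_POST = LEGIT_POST.merge('form_params' => { 'authenticity_token' => 'attacker-guess' })

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable, cross-site GET : #{request_phase_vulnerable(CSRF_GET).inspect}"
  puts "hardened,   cross-site GET : #{request_phase_hardened(CSRF_GET).inspect}"
  puts "hardened,   forged POST    : #{request_phase_hardened(CSRF_POST).inspect}"
  puts "hardened,   legitimate POST: #{request_phase_hardened(LEGIT_POST).inspect}"
end
```

The vulnerable guard starts the flow for the cross-site GET; the hardened one refuses both the GET and the token-less forged POST and only proceeds for the app's own form submission. In a real OmniAuth 2 app the equivalent is leaving `OmniAuth.config.allowed_request_methods` at its `[:post]` default and rendering the connect control with a POSTing form that carries the Rails authenticity token, rather than a plain link.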