In your Ruby gem that you maintain at omniauth-auth0, it makes use of a 3rd-party library where a vulnerability fix has now been made to resolve CVE-2015-9284.
As the Ruby gem ‘omniauth-auth0’ that you maintain makes use of the old version where the vulnerability is present, and you provide a workaround by way of using the ‘omniauth-rails_csrf_protection’ patch, will you be updating your own gem so that it uses the new version of omniauth where the vulnerability is no longer present?
In this case it seems like it would be best if you can handle that directly with the repo maintainers. Can you take that conversation via GitHub issue to talk directly with our repo maintainers? I think with me as a middleman it would only slow things down.