downgrade required ruby version to 2.6.6 for smart alerts

[GregRockPS]

No description provided.

[sferik]

Hi Greg,

Ruby 2.6 is past its end of life and is now unsupported, meaning it has not received bug fixes or critical security updates since April 12, 2022.

Specifically, Ruby 2.6.6 has known security bugs that were patched in 2.6.7, 2.6.8, 2.6.9, and 2.6.10:

• CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick
• CVE-2021-28965: XML round-trip vulnerability in REXML
• CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
• CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
• CVE-2021-31799: A command injection vulnerability in RDoc
• CVE-2021-41817: Regular Expression Denial of Service Vulnerability of Date Parsing Methods
• CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse
• CVE-2022-28739: Buffer overrun in String-to-Float conversion

Running Ruby 2.6.6 in production means you are unnecessarily exposing yourself (and your customers) to these vulnerabilities and others that have been discovered since Ruby 2.6 fell out of maintenance.

I strongly advise that you upgrade to Ruby 3 immediately—ideally version 3.2 or 3.1, since 3.0 will stop receiving critical security updates on March 31, 2024—instead of modifying this gem to work with Ruby 2.6.6.

---

I noticed you are a Staff Software Engineer at ParentSquare. I actually use ParentSquare on a daily basis to send and receive private communications to and from my children’s preschool. I would be very disappointed to learn that ParentSquare is running a known vulnerable Ruby version in production, given the sensitive data stored and transmitted by your company.

I would also kindly request that if ParentSquare is using this gem, they consider sponsoring my work on it. For as little as $1/month, the ParentSquare logo could appear here and I would prioritize your bug reports and feature requests.