Hi @postmodern, GHSA-hw46-3hmr-x9xv is an advisory in which the maintainers of omniauth-saml discussed how the GHSA-4vc4-m8qh-g8jm, GHSA-754f-8gm6-c4r2, and GHSA-92rq-c8cf-prrq vulnerabilities from ruby-saml affected their product. There aren't duplicate alerts because GHSA-4vc4-m8qh-g8jm, GHSA-754f-8gm6-c4r2, and GHSA-92rq-c8cf-prrq issue alerts for ruby-saml and GHSA-hw46-3hmr-x9xv issues alerts for omniauth-saml, so it's OK for the maintainers of omniauth-saml to have a separate advisory to discuss how three vulnerabilities affect their product. Thanks for your interest in GHSA-hw46-3hmr-x9xv and have a good weekend!

Hi @shelbyc, the three mentioned ruby-saml vulnerabilities can easily be fixed by upgrading the ruby-saml dependency of the omniauth-saml gem by running gem update ruby-saml or bundle update ruby-saml since omniauth-saml uses an up-ended ~> X.Y version constraint for ruby-saml. There is no need to upgrade omniauth-saml or issue a separate advisory due to an issue with one of it's dependencies that can be upgraded separately.

GHSA and CVE advisories should be created for specific vulnerable software versions, not other software which may use another vulnerable piece of software as dependencies, otherwise we would have an explosion of new advisories which simply reference other advisories.