Upgrade yard to version 0.9.11 or later

[emma5678]

Yard vulnerability has been present in flex-commerce-api.gemspec since Dec 2017. We need to upgrade to 0.9.11 or later.

Issue also present in penthouse repo: shiftcommerce/penthouse#13

This needs to be complete by April 2019.

Due to time passed, I would suggest updating to the very latest version, if greater than 0.9.11, unless an issue is identified with doing so.

Vulnerability details:

lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.

[emma5678]

@krisquigley @ryantownsend can this be addressed please.

[emma5678]

@ryantownsend @krisquigley can this be prioritised please

[emma5678]

@ryantownsend @krisquigley Can this be prioritised asap please

[ryantownsend]

@emma5678 this isn't actually executed in production so it's not really a major issue - it's a tool that runs a server to generate documentation, but we don't actually use it. Still, we should address it – I'll get it on the wall.

[emma5678]

@ryantownsend Does it actually need to be there then? Can we remove it if its never used?