commit b8edbd2fa928feea11fe0088ffad63ab9d00fd6e
Author: Robert Rothenberg
Date: Fri Jun 19 17:07:09 2026 +0100
CVE-2026-9733 use a secure state generator
This requires Mojolicious 9.46, which adds the random_bytes utility function.
This also upgrades the minimum version of Net::OAuth to ensure a security issue with that module is fixed.
diff --git a/META.json b/META.json
index 4fd9be4..c4009cb 100644
--- a/META.json
+++ b/META.json
@@ -43,8 +43,8 @@
 "runtime" : {
 "requires" : {
 "IO::Socket::SSL" : "1.77",
- "Mojolicious" : "7.13",
- "Net::OAuth" : "0.28",
+ "Mojolicious" : "9.46",
+ "Net::OAuth" : "0.30",
 "perl" : "5.010001"
 }
 },
diff --git a/cpanfile b/cpanfile
index d1bf13d..2f99b52 100644
--- a/cpanfile
+++ b/cpanfile
@@ -1,8 +1,8 @@
 requires 'perl', '5.010001';
 # requires 'Some::Module', 'VERSION';
-requires 'Mojolicious', '>= 7.13';
-requires 'Net::OAuth', '>= 0.28';
+requires 'Mojolicious', '>= 9.46';
+requires 'Net::OAuth', '>= 0.30';
 requires 'IO::Socket::SSL', '>= 1.77';
 on test => sub {
diff --git a/lib/Mojolicious/Plugin/Web/Auth/OAuth2.pm b/lib/Mojolicious/Plugin/Web/Auth/OAuth2.pm
index ca9b586..5bc6722 100644
--- a/lib/Mojolicious/Plugin/Web/Auth/OAuth2.pm
+++ b/lib/Mojolicious/Plugin/Web/Auth/OAuth2.pm
@@ -2,6 +2,7 @@ package Mojolicious::Plugin::Web::Auth::OAuth2;
 use Mojo::Base 'Mojolicious::Plugin::Web::Auth::Base';
 use Mojo::URL;
+use Mojo::Util 'random_bytes';
 use Mojo::Parameters;
 use Mojolicious::Types qw();
 use Digest::SHA;
@@ -125,9 +126,8 @@ sub _response_to_hash {
 : Mojo::Parameters->new( $res->body )->to_hash;
 }
-# default state param generator copy from Plack::Session::State
 sub _state_generator {
- Digest::SHA::sha1_hex(rand() . $$ . {} . time)
+ unpack("H*", random_bytes(20))
 }
 1;
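Review bot: The rewritten `_state_generator` drops the old explanatory comment and leaves `20` as an unexplained constant, so the next reader cannot tell why this value is security-critical or why the size was chosen; add above the `sub` line `# OAuth2 "state" is the CSRF token for the callback: it must be unpredictable, so draw 160 bits (20 bytes, 40 hex chars) from Mojo::Util's CSPRNG instead of rand()/$$/time.` The new value is only as useful as its verification — the callback handler must compare the returned state against the one stored in the session, and that check is outside this hunk, so it should be confirmed rather than assumed. `use Digest::SHA;` remains in the context of the first hunk; if the old generator was its last user in this file the import is now dead, though other callers may exist outside the diff. The state is returned without an explicit `return`, which works but is the kind of implicit-last-expression style that the rest of the file may or may not follow.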