Update rubyzip from 1.2.1 to 1.3.0 #515
Conversation
|
Coverage increased (+0.04%) to 94.404% when pulling 22b5c3a on Kevinrob:rubyzip_CVE-2019-16892 into 4ec1104 on roo-rb:master. |
|
Coverage increased (+0.04%) to 94.408% when pulling 09bf80e on Kevinrob:rubyzip_CVE-2019-16892 into 4ec1104 on roo-rb:master. |
|
What do you think about also loosening the maximum version to allow rubyzip 2.0.0, which just came out 2019-09-25? The rubyzip changelog covers the breaking changes. I'm not a roo expert, but they don't sound like things that would break roo itself. Curious what you (more knowledgeable) folks think about loosening the dependency. |
|
@ansonhoyt Yeah, that's right! I will update the PR |
|
Would love to see this merged to be able to use RubyZip 2.0! |
|
@Kevinrob Can we get this merged? As prior to ruby-zip 1.3.0 there is the following vulnerability: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubyzip/CVE-2019-16892.yml |
|
Definitely needed as other external dependencies are updating to rubyzip 2.0+. |
Of course we can. But I don't have write access to this repo 😜 |
|
@Empact @stevendaniels @simonoff @chopraanmol1 @rlburkes @tpickett66 @pabloh @FestivalBobcats Can one of you merge this or get it merged please? |
|
@chopraanmol1 Thank you! |
|
@chopraanmol1 Could you please release a new version of this gem as well? |
I will send @chopraanmol1 an email trying to get a new release |
|
would love to get a new version here as well ! |
|
Will try my best to release on the weekend. If I'm unable to release on the weekend will surely release by next week |
|
@chopraanmol, would love to have a new version! |
|
Sorry for the delay. I've released v2.8.3 |
|
Thanks! |
Update ruby-roo to 2.8.3. ## [2.8.3] 2020-02-03 ### Changed/Added - Updated rubyzip version. Now minimal version is 1.3.0 [515](roo-rb/roo#515) - [CVE-2019-16892](rubyzip/rubyzip#403)
Summary
Updated rubyzip version. Now minimal version is 1.3.0. CVE-2019-16892