GSA / piv-guides

This is the old location for the PIV Playbook. New location below.
https://playbooks.idmanagement.gov/piv/

Redcloth vulnerability #200

Closed indrajit-gsa closed 6 years ago

indrajit-gsa commented 6 years ago

Removing Gemfile.lock so it gets generated with the latest version during build. This will remove the redcloth from the dependency and the vulnerability issue with the redcloth.

indrajit-gsa commented 6 years ago

@lachellel I see this vulnerability with the redcloth version that is specified for this repo. I do not see the redcloth dependency in the other repositories. So I tested it out without the redcloth in my local repo and it seems to have worked fine except one markdown. I will fix that markdown as well. Please verify and let me know if you see any issues with removing the dependency.

lachellel commented 6 years ago

@indrajit-gsa you see the new GitHub vuln notice because I added you (and the team / group) to the Alerts for this repo yesterday. :+1:

I'm blocking this merge until this is also fixed - let's fix it all in one PR

seems to have worked fine except one markdown. I will fix that markdown as well.

indrajit-gsa commented 6 years ago

@lachellel Though it is building fine, the federalist preview is showing the 404 error for this branch. I am not sure if this is because the gem lock file is not regenerated. Can you see any issues reported in federalist build?

lachellel commented 6 years ago

no build errors.

Why remove the full gemfile?

indrajit-gsa commented 6 years ago

The only file which has rendering issues without RedCloth was the 91_localca.md since it has breaks in sections within numbered lists. The markdown for github pages seems to ignore the line breaks in such cases as with tables as well. I can research more if you do not want html breaks without introducing RedCloth.

It is better to let the gemfile generate the gemfile.lock during build so that the latest gems are installed instead of manually maintaining the gemfile.lock. We do not have the lock file in other repositories, and also no RedCloth.
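As an added example that is not part of this pull request or the piv-guides repository: a small Ruby script that parses a Gemfile.lock and reports whether a named gem is pinned, at which version, whether it is a direct dependency, and which gems pull it in. That is the check to run before deleting a lock file to shed a flagged gem, since a gem that is only a transitive dependency comes back when the lock is regenerated unless its parent is removed. SAMPLE_LOCK is a constructed lock file; the gem names and versions in it are illustrative, not the repository's real dependency set.

```ruby
# Added example (not from the piv-guides repository): parse a Gemfile.lock and
# report whether a named gem is pinned, at which version, whether it is a direct
# dependency and which gems pull it in. SAMPLE_LOCK is constructed; versions are illustrative.
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      RedCloth (4.3.2)
      github-pages (186)
      jekyll-textile-converter (0.1.0)
        RedCloth (~> 4.0)

  DEPENDENCIES
    github-pages
    jekyll-textile-converter
LOCK

# In the GEM block a spec line sits at four spaces ("    name (version)") and its
# own dependencies at six; an unindented line starts a new section.
def parse_lock(text)
  versions = {}                              # gem name => pinned version
  parents  = Hash.new { |h, k| h[k] = [] }   # gem name => gems that depend on it
  direct   = []                              # names listed under DEPENDENCIES
  section = current = nil
  text.each_line do |raw|
    line = raw.rstrip
    next if line.empty?
    if line !~ /\A\s/
      section = line
      next
    end
    case section
    when 'GEM'
      if (m = line.match(/\A {4}(\S+) \((.+)\)\z/))
        versions[current = m[1]] = m[2]      # new spec; remember it as the parent
      elsif current && (m = line.match(/\A {6}(\S+)/))
        parents[m[1]] << current
      end
    when 'DEPENDENCIES'
      direct << line.strip.sub(/[ !].*\z/, '')  # drop constraint or trailing "!"
    end
  end
  { versions: versions, parents: parents, direct: direct }
end

# Returns nil when the gem is not in the lock file at all.
def gem_report(lock_text, name)
  info = parse_lock(lock_text)
  return nil unless info[:versions].key?(name)
  { version: info[:versions][name], direct: info[:direct].include?(name),
    pulled_in_by: info[:parents][name] }
end
```

Replace SAMPLE_LOCK with File.read('Gemfile.lock') to run it against a real checkout; a gem that shows up with an empty pulled_in_by list and direct: false was pinned by an earlier resolution and disappears on regeneration, while one with parents has to be dropped from those parents first.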

indrajit-gsa commented 6 years ago

Issue 201 was created related to this.

indrajit-gsa commented 6 years ago

@lachellel -- Are you ok with this pull request merged to staging?