Closed nratter closed 5 years ago
It should probably be addressed, so that it is excluded. If you have a suggested setup please submit a PR for the Readme.
@straydogstudio It seems axlsx is now at 3.0.0-pre, which takes care of the Rubyzip problem with a dependency update. Any breaking changes to updating axlsx_rails with that release? It would be good to update the docs due to the vulnerability.
@cguyer As far as I know it is not possible to specify prerelease gems as dependencies. I will at some point relax the dependencies and make sure the readme makes it clear you must specify gem versions. Someone else could also do that work.
@straydogstudio I was talking about your docs and how your gem works with the axlsx 3.0.0-pre release vs the 2.1.0-pre, of which 2.1 requires an insecure version of rubyzip.
axlsx_rails is now at http://github.com/caxlsx/axlsx_rails and depends on 3.0.0 of caxlsx/caxlsx. This allows the use of rubyzip 1.2+.
It looks like Rubyzip 1.2.1 now has a known vulnerability (https://github.com/rubyzip/rubyzip/issues/369). Is this something we have to worry about with axlsx_rails?