deckar01 / task_list

Markdown Task List feature components
MIT License

Was the recent publish of the gem version 2.0.1 deliberate? #22

Closed shepmaster closed 5 years ago

shepmaster commented 5 years ago

The gem was pushed to Rubygems a few days ago (2018-01-11), but there haven't been any changes to the repository's default branch since April of 2018.

Was this publish deliberate, or is something nefarious happening?

deckar01 commented 5 years ago

The 2.0.1 release was a javascript patch, and only the npm package got released at the time. Someone pointed it out recently and requested a gem release. Sorry for the delay.

deckar01 commented 5 years ago

In the future you can audit the contents of a gem by fetching and diffing it with the previous version.

gem fetch deckar01-task_list -v 2.0.0
gem fetch deckar01-task_list -v 2.0.1
gem unpack deckar01-task_list-2.0.0.gem
gem unpack deckar01-task_list-2.0.1.gem
diff -r -U 1 deckar01-task_list-2.0.0/ deckar01-task_list-2.0.1/
diff -r -U 1 deckar01-task_list-2.0.0/.travis.yml deckar01-task_list-2.0.1/.travis.yml
--- deckar01-task_list-2.0.0/.travis.yml    2019-01-14 11:15:52.000000000 -0600
+++ deckar01-task_list-2.0.1/.travis.yml    2019-01-14 11:16:02.000000000 -0600
@@ -7,3 +7,2 @@
 rvm:
-  - 1.9.3
   - 2.0
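Review bot: dropping the 1.9.3 row is a support change shipped in a patch release, and this diff contains no CHANGELOG or release-notes entry for it; add one so consumers still on 1.9.3 learn why 2.0.1 no longer installs instead of discovering it from a resolver error. The remaining 2.0 row is now the only CI evidence for the gemspec's new `>= 2.0.0` floor, so it must keep passing.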
diff -r -U 1 deckar01-task_list-2.0.0/app/assets/javascripts/task_list.coffee deckar01-task_list-2.0.1/app/assets/javascripts/task_list.coffee
--- deckar01-task_list-2.0.0/app/assets/javascripts/task_list.coffee    2019-01-14 11:15:52.000000000 -0600
+++ deckar01-task_list-2.0.1/app/assets/javascripts/task_list.coffee    2019-01-14 11:16:02.000000000 -0600
@@ -192,10 +192,3 @@
     )
-    \s+                     # is followed by whitespace
-    (?!
-      \(.*?\)               # is not part of a [foo](url) link
-    )
-    (?=                     # and is followed by zero or more links
-      (?:\[.*?\]\s*(?:\[.*?\]|\(.*?\))\s*)*
-      (?:[^\[]|$)           # and either a non-link or the end of the string
-    )
+    \s                      # is followed by whitespace
   ///
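Review bot: replacing `\s+` and the two lookaheads with a bare `\s` is a behaviour change rather than a spacing tweak, and nothing in the diff documents it: an item such as `- [ ] (text)`, which the removed `(?!\(.*?\))` lookahead rejected as a link, is now treated as a checkbox, and `[ ](url)` with no whitespace is the only form still excluded. State that in the commit message or a changelog entry, and fold the intent of the deleted comment lines into the surviving one, e.g. `\s  # followed by whitespace; a [ ](url) link has none`, so the next reader does not reintroduce the lookahead by mistake.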
diff -r -U 1 deckar01-task_list-2.0.0/bower.json deckar01-task_list-2.0.1/bower.json
--- deckar01-task_list-2.0.0/bower.json 2019-01-14 11:15:52.000000000 -0600
+++ deckar01-task_list-2.0.1/bower.json 2019-01-14 11:16:02.000000000 -0600
@@ -2,3 +2,3 @@
   "name": "deckar01-task_list",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "Markdown TaskList components",
diff -r -U 1 deckar01-task_list-2.0.0/lib/task_list/version.rb deckar01-task_list-2.0.1/lib/task_list/version.rb
--- deckar01-task_list-2.0.0/lib/task_list/version.rb   2019-01-14 11:15:52.000000000 -0600
+++ deckar01-task_list-2.0.1/lib/task_list/version.rb   2019-01-14 11:16:02.000000000 -0600
@@ -1,3 +1,3 @@
 class TaskList
-  VERSION = [2, 0, 0].join('.')
+  VERSION = [2, 0, 1].join('.')
 end
diff -r -U 1 deckar01-task_list-2.0.0/package.json deckar01-task_list-2.0.1/package.json
--- deckar01-task_list-2.0.0/package.json   2019-01-14 11:15:52.000000000 -0600
+++ deckar01-task_list-2.0.1/package.json   2019-01-14 11:16:02.000000000 -0600
@@ -2,3 +2,3 @@
   "name": "deckar01-task_list",
-  "version": "2.0.0",
+  "version": "2.0.1",
   "description": "Markdown TaskList components",
diff -r -U 1 deckar01-task_list-2.0.0/script/bootstrap deckar01-task_list-2.0.1/script/bootstrap
--- deckar01-task_list-2.0.0/script/bootstrap   2019-01-14 11:15:52.000000000 -0600
+++ deckar01-task_list-2.0.1/script/bootstrap   2019-01-14 11:16:02.000000000 -0600
@@ -8,2 +8,2 @@
 npm install
-bower install --no-color
+./node_modules/bower/bin/bower install --no-color
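Review bot: `./node_modules/bower/bin/bower` only exists after `npm install` if bower is declared in package.json, and the package.json hunk elsewhere in this diff changes nothing but the version string; confirm bower is already a devDependency there, otherwise this script now fails on a fresh clone where the global `bower` used to work. `npx bower install --no-color` expresses the same intent without hard-coding the bin path.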
diff -r -U 1 deckar01-task_list-2.0.0/task_list.gemspec deckar01-task_list-2.0.1/task_list.gemspec
--- deckar01-task_list-2.0.0/task_list.gemspec  2019-01-14 11:15:52.000000000 -0600
+++ deckar01-task_list-2.0.1/task_list.gemspec  2019-01-14 11:16:02.000000000 -0600
@@ -18,3 +18,3 @@

-  gem.required_ruby_version = ">= 2.1.0"
+  gem.required_ruby_version = ">= 2.0.0"

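Review bot: lowering required_ruby_version from 2.1.0 to 2.0.0 widens the supported range backwards in a patch release, which is unusual and will surprise anyone reading the version bump as "fix only"; if 2.0 support is intentional, say so in the release notes and make sure the 2.0 CI row exercises the test suite, since the gemspec is now the only place promising it. If it is incidental, keep the 2.1.0 floor.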
@@ -24,3 +24,3 @@

-  gem.add_development_dependency "github-markdown"
+  gem.add_development_dependency "commonmarker"
   gem.add_development_dependency "rake"
diff -r -U 1 deckar01-task_list-2.0.0/test/unit/test_updates.coffee deckar01-task_list-2.0.1/test/unit/test_updates.coffee
--- deckar01-task_list-2.0.0/test/unit/test_updates.coffee  2019-01-14 11:15:52.000000000 -0600
+++ deckar01-task_list-2.0.1/test/unit/test_updates.coffee  2019-01-14 11:16:02.000000000 -0600
@@ -468,7 +468,7 @@
   field = $ '<textarea>', class: 'js-task-list-field', text: """
-    - [ ] (link)
-    - [ ] [reference]
-    - [ ] () collapsed
-    - [ ] [] collapsed reference
-    - [ ] \\(escaped item)
+    - [ ](link)
+    - [ ][reference]
+    - [ ]() collapsed
+    - [ ][] collapsed reference
+    - [ ] (no longer a link)
     - [ ] item
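Review bot: the `\\(escaped item)` case is deleted rather than adapted, so the fixture loses its only coverage of an escaped parenthesis following the checkbox; keep a line such as `- [ ] \\(escaped item)` in both the input and the expected `changes` block with the outcome the new single-`\s` rule produces, so a later regex edit cannot regress it unnoticed.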
@@ -477,7 +477,7 @@
   changes = """
-    - [ ] (link)
-    - [ ] [reference]
-    - [ ] () collapsed
-    - [ ] [] collapsed reference
-    - [ ] \\(escaped item)
+    - [ ](link)
+    - [ ][reference]
+    - [ ]() collapsed
+    - [ ][] collapsed reference
+    - [ ] (no longer a link)
     - [x] item

The only actual changes to the gem (other than link spacing) were replacing the deprecated github-markdown dev dependency with commonmarker and dropping support for ruby 1.9.3.

If you know of a better way to audit gem updates let me know.

Edit: I forgot to include the -r recursive flag.

shepmaster commented 5 years ago

a better way to audit gem updates

We use dependabot, which scrapes gem release notes, CHANGELOG files, and shows the difference between tagged releases. Unfortunately, this library doesn't seem to use any of those mechanisms. Barring that, I'd look to find the commits that changed the gem version and diff them (https://github.com/deckar01/task_list/compare/bce1c5e1f9f4e85bb8ac8c07bd468343655c8e5d...ba9a48994f7dd1fa30bdd66bdd35608ec1cf8a56).

This isn't really an audit of the gem, as I'm trusting that what went to rubygems matches what's in your git repo, but I'm not currently interested in auditing for actively malicious gem authors, just simple mistakes or changes that might break our usage. Downloading the gem is the only "true" audit, AFAIK.

The real concern isn't the diff, just the large time difference between the change to the code and the publish of the gem, which was surprising.
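The fetch, unpack and diff procedure deckar01 posted above, together with shepmaster's point that comparing tagged commits still trusts that what went to rubygems.org matches the repository, can both be done from Ruby itself with RubyGems' own Gem::Package. The block below is an added example, not code from the task_list project or from either commenter: it hashes every file packed in two .gem archives, reports added, removed and changed files plus the runtime-dependency delta, and checks the newer gem against a source checkout. The gem `demo-task_list`, its files and its `json` dependency are constructed fixtures built inline so the script runs offline; for a real audit, point `audit_gem_update` at the files `gem fetch` downloaded and `gem_vs_source` at a checkout of the commit you believe was released.

```ruby
# Added example (not from the deckar01/task_list project): audit a gem update
# with RubyGems' own Gem::Package instead of `gem unpack` + `diff -r`.
require 'rubygems/package'
require 'digest'
require 'tmpdir'
require 'fileutils'

# { "relative/path" => sha256hex } for every regular file below dir.
def tree_digests(dir)
  Dir.glob(File.join(dir, '**', '*'), File::FNM_DOTMATCH)
     .select { |p| File.file?(p) }
     .map { |p| [p.sub("#{dir}/", ''), Digest::SHA256.file(p).hexdigest] }
     .to_h
end

# Same map for the files packed in a .gem (its data.tar.gz). extract_files
# verifies the archive's embedded checksums first, so a corrupted gem raises.
def gem_digests(gem_path)
  Dir.mktmpdir do |dir|
    Gem::Package.new(gem_path).extract_files(dir)
    tree_digests(dir)
  end
end

# Runtime dependencies as "name requirement" strings, read from the gem's
# embedded metadata (what `gem install` will actually pull in).
def runtime_deps(gem_path)
  Gem::Package.new(gem_path).spec.runtime_dependencies
              .map { |d| "#{d.name} #{d.requirement}" }.sort
end

# Structured equivalent of `diff -r` between two unpacked gems, plus the
# dependency delta (the packed gem carries metadata.gz, not the .gemspec
# that produced it, so a file diff alone can miss a new dependency).
def audit_gem_update(old_gem, new_gem)
  old_f, new_f = gem_digests(old_gem), gem_digests(new_gem)
  old_d, new_d = runtime_deps(old_gem), runtime_deps(new_gem)
  { added:        (new_f.keys - old_f.keys).sort,
    removed:      (old_f.keys - new_f.keys).sort,
    changed:      (old_f.keys & new_f.keys).select { |f| old_f[f] != new_f[f] }.sort,
    deps_added:   new_d - old_d,
    deps_removed: old_d - new_d }
end

# Files in the gem that are missing from, or differ from, a source checkout.
# Empty means the published artifact is exactly what the repository holds.
def gem_vs_source(gem_path, source_dir)
  src = tree_digests(source_dir)
  gem_digests(gem_path).reject { |f, sha| src[f] == sha }.keys.sort
end

# ---- constructed fixtures (hypothetical gem, not a real release) ----------
def write_tree(dir, files)
  files.each do |rel, body|
    FileUtils.mkdir_p(File.dirname(File.join(dir, rel)))
    File.write(File.join(dir, rel), body)
  end
  dir
end

# Build files into a .gem with Gem::Package.build; validation is skipped
# because the fixture spec has no description or license.
def build_fixture_gem(dir, version, files, deps = [])
  write_tree(dir, files)
  spec = Gem::Specification.new do |s|
    s.name    = 'demo-task_list'   # hypothetical name
    s.version = version
    s.summary = 'fixture'
    s.authors = ['fixture']
    s.files   = files.keys
    deps.each { |name, req| s.add_runtime_dependency(name, req) }
  end
  Dir.chdir(dir) { Gem::Package.build(spec, true) }   # writes spec.file_name into dir
  File.join(dir, spec.file_name)
end

def run_demo
  Dir.mktmpdir do |root|
    v1 = { 'lib/demo.rb'         => "require 'demo/version'\n",
           'lib/demo/version.rb' => "module Demo; VERSION = '2.0.0'; end\n" }
    v2 = v1.merge('lib/demo/version.rb' => "module Demo; VERSION = '2.0.1'; end\n",
                  'lib/demo/extra.rb'   => "# only in the published gem, not in git\n")
    old_gem = build_fixture_gem(File.join(root, 'v1'), '2.0.0', v1)
    new_gem = build_fixture_gem(File.join(root, 'v2'), '2.0.1', v2, [['json', '>= 2.0']])
    # What a checkout of the 2.0.1 commit would contain: v2 without extra.rb.
    checkout = write_tree(File.join(root, 'git'), v2.reject { |f, _| f.end_with?('extra.rb') })
    { update: audit_gem_update(old_gem, new_gem),
      not_in_git: gem_vs_source(new_gem, checkout) }
  end
end

puts run_demo.inspect if __FILE__ == $0
```

The `not_in_git` list is the check shepmaster describes as the only "true" audit: a file that is in the published gem but not in the repository at the released commit, or a packed file whose hash differs from the committed one, is exactly what a compromised publish would look like, and no amount of diffing tagged commits on GitHub would reveal it.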

shepmaster commented 5 years ago

Thanks for the responses and for the gem!