ejschmitt / delayed_job_web

Resque like web interface for delayed job
MIT License
478 stars 188 forks

Updated jquery to version 3.3.1 #106

Closed rpuzdrowski closed 1 year ago

rpuzdrowski commented 6 years ago

Hello, we're using this gem in our project, and during an audit it was pointed out that on some pages we're using jQuery (v1.7.1), which has known vulnerabilities. They are listed here - https://www.cvedetails.com/vulnerability-list/vendor_id-6538/product_id-11031/version_id-235564/Jquery-Jquery-1.7.1.html

We realized that the delayed_job_web gem uses the jQuery version which causes the issues. So I created this pull request updating jQuery. I tested the scripts in "application.js" and it looks like everything works correctly. Could you merge this and release a new version of the gem?

Thank you in advance!
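A check an auditor in this position can run, as an added example that is not part of the pull request or of the gem: locate every vendored jQuery copy under a directory by the version banner jQuery stamps at the top of its distributed files, and flag those below a minimum version. The `scan_gem` helper, the `public/javascripts` layout of the constructed demo tree and the 3.3.1 threshold are assumptions drawn from this thread, not facts about the project's file layout.

```ruby
require "tmpdir"
require "fileutils"
require "rubygems"

# jQuery ships a version banner at the top of every distributed file, e.g.
#   /*! jQuery v1.7.1 jquery.com | jquery.org/license */
#   /*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */
#   /*!
#    * jQuery JavaScript Library v1.7.1
# The pattern accepts both the minified and the unminified form.
JQUERY_BANNER = %r{\A\s*/\*!?\s*\*?\s*jQuery\s+(?:JavaScript\s+Library\s+)?v(\d+(?:\.\d+)+)}

# Returns the jQuery version declared in a file's banner, or nil when the file
# is not a jQuery distribution. Only the first 512 bytes are read, so scanning
# large bundles stays cheap.
def jquery_version_of(path)
  head = File.binread(path, 512) || ""
  m = JQUERY_BANNER.match(head)
  m && Gem::Version.new(m[1])
end

# Walks every .js file under +root+ and reports the jQuery copies older than
# +minimum+ as [relative_path, version] pairs. Gem::Version handles the
# comparison, so "1.7.1" < "3.3.1" is not decided by string ordering.
def find_outdated_jquery(root, minimum)
  min = Gem::Version.new(minimum)
  Dir.glob(File.join(root, "**", "*.js")).sort.each_with_object([]) do |path, hits|
    version = jquery_version_of(path)
    next unless version && version < min
    hits << [path.delete_prefix("#{root}/"), version.to_s]
  end
end

# Hypothetical helper: scan an installed gem's directory, e.g.
#   scan_gem("delayed_job_web", "3.3.1")
# Requires the gem to be installed in the current RubyGems environment.
def scan_gem(gem_name, minimum)
  gem_dir = Gem::Specification.find_by_name(gem_name).gem_dir
  find_outdated_jquery(gem_dir, minimum)
end

# Offline demo on a constructed directory tree (no real gem needed):
# one vendored jQuery 1.7.1, one jQuery 3.3.1 and an unrelated script.
# The layout is invented for the demo and does not describe the gem.
def demo
  Dir.mktmpdir do |root|
    assets = File.join(root, "public", "javascripts")
    FileUtils.mkdir_p(assets)
    File.write(File.join(assets, "jquery-1.7.1.min.js"),
               "/*! jQuery v1.7.1 jquery.com | jquery.org/license */\n(function(a,b){})(window);")
    File.write(File.join(assets, "jquery-3.3.1.min.js"),
               "/*! jQuery v3.3.1 | (c) JS Foundation and other contributors | jquery.org/license */\n!function(e,t){}(window);")
    File.write(File.join(assets, "application.js"),
               "$(function () { $('.reload').on('click', function () { location.reload(); }); });")
    find_outdated_jquery(root, "3.3.1")
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Pointing `find_outdated_jquery` at a Rails app's `public/` or at a gem's install directory gives the same kind of report the audit in this thread produced, and re-running it after the upgrade confirms that no second, older copy is still being served.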

kwitczak commented 6 years ago

@andyatkinson what do you think about this? This small change, together with the last updates in 1.4.3, may be the next step in increasing delayed_job_web's security value.

Like with https://github.com/ejschmitt/delayed_job_web/pull/103, that's one of the security requirements we need to meet in order to use this gem (and we really want to! ;))

aaronbronow commented 6 years ago

Hi, any chance to get this merged? Thanks!

andyatkinson commented 2 years ago

@kwitczak @aaronbronow Are either of you still actively using this and willing to refresh this PR? Perhaps there are newer versions available for the changes made here that could replace what is here currently, and those newer changes could be merged in?

kwitczak commented 2 years ago

Hey @andyatkinson, we are both in different companies right now, but I know one persistent guy who may help us all out. @rpuzdrowski, I summon you, our hero, to rescue us! ;p

andyatkinson commented 2 years ago

Thanks @kwitczak - a new player has entered the game: https://github.com/ejschmitt/delayed_job_web/pull/122 - @nashby wants to help as a maintainer, so they've submitted a PR and I was reviewing some old PRs. I don't want to directly close them if someone responds within a week or so, but otherwise I suggest we close the neglected ones.

thegeorgeous commented 1 year ago

@andyatkinson there aren't many newer versions of jQuery, and I don't want to close contributions. I've tested this on an application, and there don't seem to be any issues. I suggest merging this to fix the security issue. We can upgrade to a newer version later.

andyatkinson commented 1 year ago

@thegeorgeous I don't use this project at all and am not actively involved in maintenance any more. It's merged based on your request. Do you want to also try using this version of the gem pointing to the master branch or do you need a new version released? For the new version ideally an active user can build it and document it in the changelog. If you're able to prepare a PR for that or another reader, I'm happy to push it to Rubygems.

thegeorgeous commented 1 year ago

@andyatkinson I'm using the master version on a development/test branch in my project. I don't see any issues yet, but I want to let it run for some days.

Meanwhile, I also want to change the minimum versions of one of the dependencies to resolve some known security issues. After that, I'll update the changelog, and you can release a new version.