github / pages-gem

A simple Ruby Gem to bootstrap dependencies for setting up and maintaining a local Jekyll environment in sync with GitHub Pages
http://pages.github.com
MIT License

i18n dependency version conflict preventing activesupport update to fix CVE-2023-22796 #866

Closed agnostic-apollo closed 1 year ago

agnostic-apollo commented 1 year ago

Issue

The CVE-2023-22796 requires activesupport to be updated to 6.1.7.1 or 7.0.4.1.

The github-pages 227 gem depends on jekyll = 3.9.2, which depends on i18n ~> 0.7.

The activesupport 6.1.7.1 depends on i18n >= 1.6, < 2, which prevents an update. The activesupport 6.0.6.1 was the last version that depended on i18n >= 0.7, < 2, which then used i18n 0.9.5 to also satisfy jekyll's i18n ~> 0.7 requirement.

Not sure what can be done, other than possibly updating to jekyll >= 4.0.0, which depends on i18n >= 0.9.5, < 2. Any suggestions? Thanks.
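The resolution failure described in this issue can be reproduced without Bundler by feeding the quoted constraints to RubyGems' own `Gem::Requirement`. The following is an added example, not code from the pages-gem project or from the thread; the constraint table and the candidate i18n versions are constructed from the version numbers stated in the issue (the jekyll >= 4.0.0 entry models the suggested workaround), and the function names are assumptions.

```ruby
# Added example: model the i18n constraint conflict with RubyGems' Gem::Requirement.
require 'rubygems'

# i18n requirements quoted in the issue, keyed by the gem that imposes them.
# "jekyll 4.0.0" is the proposed workaround, also quoted in the issue.
I18N_REQUIREMENTS = {
  'jekyll 3.9.2'          => Gem::Requirement.new('~> 0.7'),          # >= 0.7, < 1.0
  'jekyll 4.0.0'          => Gem::Requirement.new('>= 0.9.5', '< 2'),
  'activesupport 6.0.6.1' => Gem::Requirement.new('>= 0.7', '< 2'),
  'activesupport 6.1.7.1' => Gem::Requirement.new('>= 1.6', '< 2'),   # CVE-2023-22796 fix
}.freeze

# Constructed sample of i18n releases to resolve against (not a full release list).
I18N_CANDIDATES = %w[0.7.0 0.9.5 1.6.0 1.12.0 2.0.0]
                  .map { |v| Gem::Version.new(v) }.freeze

# Candidate i18n versions (as strings, ascending) that satisfy every gem in +gems+.
def compatible_i18n_versions(gems, candidates = I18N_CANDIDATES)
  reqs = gems.map { |g| I18N_REQUIREMENTS.fetch(g) }
  candidates.select { |v| reqs.all? { |r| r.satisfied_by?(v) } }.map(&:to_s)
end

# Highest compatible version, i.e. what a resolver would pick; nil if the set is unresolvable.
def highest_compatible_i18n(gems, candidates = I18N_CANDIDATES)
  compatible_i18n_versions(gems, candidates).last
end

def resolvable?(gems, candidates = I18N_CANDIDATES)
  !highest_compatible_i18n(gems, candidates).nil?
end

if __FILE__ == $PROGRAM_NAME
  [
    ['jekyll 3.9.2', 'activesupport 6.0.6.1'],   # resolves to i18n 0.9.5 (pre-fix state)
    ['jekyll 3.9.2', 'activesupport 6.1.7.1'],   # no i18n satisfies both: the reported conflict
    ['jekyll 4.0.0', 'activesupport 6.1.7.1'],   # jekyll 4 widens the range, so it resolves
  ].each do |gems|
    pick = highest_compatible_i18n(gems)
    puts "#{gems.join(' + ')}: #{pick ? "i18n #{pick}" : 'UNRESOLVABLE'}"
  end
end
```

Running it shows why `bundle update activesupport` cannot reach 6.1.7.1 while jekyll 3.9.2 pins i18n to the 0.x series, and that the conflict disappears once a jekyll version whose i18n range overlaps `>= 1.6, < 2` is allowed.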

parkr commented 1 year ago

You can file this and mention me in jekyll/Jekyll repo. I'm not sure why we'd rely on i18n directly.

I can release a 3.9.x fix for this.

agnostic-apollo commented 1 year ago

@parkr Done. Thanks for taking notice.