End-of-life rails

Closed alaendle closed 1 year ago

Guess this is a controversial issue - and I am absolutely not an expert for the ruby ecosystem - but I wonder if it wouldn't be preferable to require users of the package to also use a supported activesupport version? (>=6?) https://github.com/gjtorikian/html-pipeline/blob/84c75b3d123c5219238c5f01c2b7de7ea73755cd/html-pipeline.gemspec#L18 In my example this is the only dependency into rails/activesupport - so `bundle install` chooses a 3.x version of activesupport for me - bringing in potential vulnerabilities (my guess is they aren't exploitable through html-pipeline, but nonetheless I see no reason to have/indicate support for insecure/outdated versions). Sure this can be worked around by manually touching Gemfile.lock or adding an artificial, unnecessary direct dependency on activesupport - but is this the preferred way, or should this package require a newer version?

Makes sense. I'll add it to the upcoming v3 release which will introduce a bunch of modernity.

A new (beta) release of HTML-Proofer has been released, v3.0.0.pre1. I tried to go back and address all the issues in this repo. activesupport was actually not a strictly necessary dependency, and as such, I've removed it.
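The resolution problem raised in the issue (a loose gemspec constraint letting `bundle install` settle on a 3.x activesupport) can be checked mechanically with RubyGems' own `Gem::Requirement` and `Gem::Version` classes. The following is an added example, not code from html-pipeline or its maintainer: the candidate version list and the lock-file lines are constructed, and the `">= 2"` constraint stands in for a hypothetical loose requirement rather than the gemspec's actual line. It shows the oldest version each constraint would accept (the one a security review has to assume a resolver may pick) and flags Gemfile.lock entries that fall below a chosen floor.

```ruby
# Added example (not from the html-pipeline project): compare what a loose
# and a tightened gemspec requirement would accept, and audit resolved
# Gemfile.lock entries against a per-gem minimum version.
require "rubygems"

# Constructed sample of version lines a resolver might choose; not real data.
CANDIDATE_VERSIONS = %w[3.2.22.5 4.2.11.3 5.2.8.1 6.1.7.6 7.0.8].freeze

# All candidate versions accepted by a requirement string such as ">= 2".
def accepted_versions(requirement, candidates = CANDIDATE_VERSIONS)
  req = Gem::Requirement.new(requirement)
  candidates.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# The oldest version the requirement still allows. A dependency resolver is
# free to pick this one, so it is the version an end-of-life review must assume.
def oldest_accepted(requirement, candidates = CANDIDATE_VERSIONS)
  accepted_versions(requirement, candidates)
    .map { |v| Gem::Version.new(v) }
    .min
    &.to_s
end

# Scan simplified Gemfile.lock-style lines ("    name (version)") and return
# [name, version] pairs whose version is below the floor given for that gem.
# Gems without an entry in `floors` are ignored.
def below_floor(lock_lines, floors)
  lock_lines.filter_map do |line|
    m = line.match(/\A\s*(\S+) \(([^)]+)\)\s*\z/) or next
    name, ver = m[1], m[2]
    floor = floors[name] or next
    [name, ver] if Gem::Version.new(ver) < Gem::Version.new(floor)
  end
end

if $PROGRAM_NAME == __FILE__
  puts "loose  '>= 2' -> oldest accepted #{oldest_accepted('>= 2')}"
  puts "tight  '>= 6' -> oldest accepted #{oldest_accepted('>= 6')}"
  # Constructed lock excerpt: activesupport resolved to a 3.x line.
  lock = ["    activesupport (3.2.22.5)", "    nokogiri (1.13.10)"]
  below_floor(lock, { "activesupport" => "6.0" }).each do |name, ver|
    puts "#{name} #{ver} is below the required floor"
  end
end
```

Running the script prints `3.2.22.5` as the oldest version a `">= 2"` constraint tolerates and `6.1.7.6` for `">= 6"`, which is the point of the issue: the gemspec's lower bound, not the newest release, decides the worst case a downstream Gemfile.lock can contain. The `below_floor` check is the kind of assertion a project could run in CI against its own lock file to catch a resolver drifting onto an unsupported line.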