jekyll / jekyll-admin

A Jekyll plugin that provides users with a traditional CMS-style graphical interface to author content and administer Jekyll sites.
https://jekyll.github.io/jekyll-admin/
MIT License

Update sinatra from 1.4.x to latest (2.0.x) #601

Closed 0xdevalias closed 2 years ago

0xdevalias commented 4 years ago

Currently the gemspec pins sinatra / sinatra-contrib to 1.4.x, which was last updated in January 2017.

The latest released sinatra version currently is 2.0.8.1, released in January 2020.

This leads to the following output when using jekyll-admin:

⇒  bundle outdated

..snip..

Outdated gems included in the bundle:
  * rack (newest 2.2.3, installed 1.6.13)
  * rack-protection (newest 2.0.8.1, installed 1.5.5)
  * sinatra (newest 2.0.8.1, installed 1.4.8)
  * sinatra-contrib (newest 2.0.8.1, installed 1.4.7)

While the changelog doesn't seem to directly mention any breaking changes, a Hacker News comment thread talks about some deprecated Ruby versions, the URL matching engine (mustermann), and support for Rack 2 that may cause some breaking changes.
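The pin discussed above is the reason `bundle outdated` keeps reporting these gems: a `~> 1.4` requirement admits 1.4.x and 1.5+ but excludes any 2.0.x release, so Bundler can never resolve to the current sinatra, sinatra-contrib, rack-protection or rack. The following script is an added example (not code from jekyll-admin or this issue) that parses the quoted `bundle outdated` lines, checks them against hypothetical gemspec pins with `Gem::Requirement`, and flags gems that are a whole major version behind. The pin values in `OLD_PINS` and `NEW_PINS` are assumptions standing in for the real gemspec.

```ruby
require "rubygems"

# Constructed sample: the `bundle outdated` lines quoted in the issue.
OUTDATED_OUTPUT = <<~TXT
  Outdated gems included in the bundle:
    * rack (newest 2.2.3, installed 1.6.13)
    * rack-protection (newest 2.0.8.1, installed 1.5.5)
    * sinatra (newest 2.0.8.1, installed 1.4.8)
    * sinatra-contrib (newest 2.0.8.1, installed 1.4.7)
TXT

# Hypothetical pins mirroring a gemspec that restricts sinatra to 1.4.x,
# and the relaxed pins that would allow the 2.0.x line.
OLD_PINS = { "sinatra" => "~> 1.4", "sinatra-contrib" => "~> 1.4" }.freeze
NEW_PINS = { "sinatra" => "~> 2.0", "sinatra-contrib" => "~> 2.0" }.freeze

# One "  * name (newest X, installed Y)" line from `bundle outdated`.
LINE_RE = /\A\s*\*\s+(?<name>\S+)\s+\(newest\s+(?<newest>[\w.]+),\s+installed\s+(?<installed>[\w.]+)\)/

# Parse the output into { gem name => { newest:, installed: } } using Gem::Version,
# so comparisons are semantic (1.6.13 < 2.2.3) rather than string-based.
def parse_outdated(text)
  text.each_line.with_object({}) do |line, acc|
    m = LINE_RE.match(line) or next
    acc[m[:name]] = {
      newest: Gem::Version.new(m[:newest]),
      installed: Gem::Version.new(m[:installed]),
    }
  end
end

# For every outdated gem that has a pin, report whether the pin itself
# is what keeps the newest release out of the bundle.
def blocked_by_pins(outdated, pins)
  outdated.each_with_object({}) do |(name, v), acc|
    req = pins[name] or next
    acc[name] = !Gem::Requirement.new(req).satisfied_by?(v[:newest])
  end
end

# Gems whose newest release is a higher major version than what is installed:
# these are the ones a pessimistic pin will never pick up without a deliberate bump.
def major_behind(outdated)
  outdated.select { |_, v| v[:newest].segments[0] > v[:installed].segments[0] }.keys
end

if $0 == __FILE__
  outdated = parse_outdated(OUTDATED_OUTPUT)
  puts "Major version behind: #{major_behind(outdated).join(', ')}"
  blocked_by_pins(outdated, OLD_PINS).each do |name, blocked|
    puts "#{name}: #{OLD_PINS[name]} #{blocked ? 'blocks' : 'allows'} #{outdated[name][:newest]}"
  end
  blocked_by_pins(outdated, NEW_PINS).each do |name, blocked|
    puts "#{name}: #{NEW_PINS[name]} #{blocked ? 'blocks' : 'allows'} #{outdated[name][:newest]}"
  end
end
```

Running it shows all four gems a major version behind, `~> 1.4` blocking sinatra and sinatra-contrib 2.0.8.1, and `~> 2.0` allowing them; rack and rack-protection are not pinned directly, so relaxing the sinatra pins is what lets Bundler pull in the newer rack line.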

jekyllbot commented 4 years ago

This issue has been automatically marked as stale because it has not been commented on for at least two months.

The resources of the Jekyll team are limited, and so we are asking for your help.

If this is a bug and you can still reproduce this error on the master branch, please reply with all of the information you have about it in order to keep the issue open.

If this is a feature request, please consider whether it can be accomplished in another way. If it cannot, please elaborate on why it is core to this project and why you feel more than 80% of users would find this beneficial.

This issue will automatically be closed in two months if no further activity occurs. Thank you for all your contributions.

tosbourn commented 3 years ago

I think this should be re-opened. It is a bug in that there are insecure versions of Rack being used as a result of these older sinatra and sinatra-contrib gems.

kebugcheckex commented 2 years ago

GitHub Dependabot warns me about two security vulnerabilities.

I'm not very experienced with Ruby package managing but I'm happy to contribute. Can anyone tell me if there are any blockers upgrading sinatra to the latest version here?