roo-rb / roo

Roo provides an interface to spreadsheets of several sorts.
MIT License

Update rubyzip from 1.2.1 to 1.3.0 #515

Closed Kevinrob closed 4 years ago

Kevinrob commented 4 years ago

Summary

Updated rubyzip version. Now minimal version is 1.3.0. CVE-2019-16892

coveralls commented 4 years ago

Coverage Status

Coverage increased (+0.04%) to 94.404% when pulling 22b5c3a9f9218544d96f6cbce38e8e8ac6e56879 on Kevinrob:rubyzip_CVE-2019-16892 into 4ec1104f0c3c2a29711c0c907371cd2be12bcc3c on roo-rb:master.

coveralls commented 4 years ago

Coverage Status

Coverage increased (+0.04%) to 94.408% when pulling 09bf80ee67776b5eeef3bda9b0ad22a1375a4b77 on Kevinrob:rubyzip_CVE-2019-16892 into 4ec1104f0c3c2a29711c0c907371cd2be12bcc3c on roo-rb:master.

ansonhoyt commented 4 years ago

What do you think about also loosening the maximum version to allow rubyzip 2.0.0, which just came out 2019-09-25?

The rubyzip changelog covers the breaking changes. I'm not a roo expert, but they don't sound like things that would break roo itself.

Curious what you (more knowledgeable) folks think about loosening the dependency.
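The PR raises the floor to rubyzip 1.3.0 (the first release carrying the CVE-2019-16892 fix) and the comment above proposes raising the ceiling to admit 2.0.0. As an added example, not code from roo or rubyzip, here is a small Ruby audit that reads the rubyzip pin out of a Gemfile.lock and checks it against both bounds. It assumes the advisory's patched range is ">= 1.3.0" and takes "< 3.0" as an illustrative upper bound; the lockfile text is constructed inline, and the exact constraint roo ships is not taken from this page.

```ruby
# Added example (not roo's or rubyzip's own code): audit the rubyzip version
# pinned in a Gemfile.lock against the range discussed in this PR.
# Assumptions: the patched range is ">= 1.3.0" (from the linked advisory);
# the upper bound "< 3.0" is illustrative; the lockfile below is constructed.
require 'rubygems'

# First release that carries the CVE-2019-16892 fix, per the advisory.
RUBYZIP_PATCHED = Gem::Requirement.new('>= 1.3.0')
# Illustrative loosened constraint: at least the patched release, any 1.x or 2.x.
RUBYZIP_ALLOWED = Gem::Requirement.new('>= 1.3.0', '< 3.0')

# Extract "name (version)" pairs from the specs: section of a Gemfile.lock.
# Top-level spec entries are indented by exactly four spaces; deeper lines
# list a gem's own dependencies (with constraints, not pins) and are skipped.
def locked_versions(lockfile_text)
  versions = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line.strip == 'specs:'
      in_specs = true
      next
    end
    # A non-indented line (blank line, PLATFORMS, DEPENDENCIES) ends the section.
    in_specs = false if in_specs && !line.start_with?(' ')
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# Classify the locked rubyzip: :missing (not in the lockfile), :vulnerable
# (older than the patched release), :outside_range (patched but not admitted
# by the illustrative constraint), or :ok.
def audit_rubyzip(lockfile_text)
  version = locked_versions(lockfile_text)['rubyzip']
  return :missing if version.nil?
  return :vulnerable unless RUBYZIP_PATCHED.satisfied_by?(version)
  return :outside_range unless RUBYZIP_ALLOWED.satisfied_by?(version)
  :ok
end

# Constructed lockfile: a roo release pinned to a pre-fix rubyzip.
CONSTRUCTED_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      roo (2.8.2)
        nokogiri (~> 1)
        rubyzip (~> 1.1, < 2.0.0)
      rubyzip (1.2.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    roo
LOCK

if $PROGRAM_NAME == __FILE__
  puts "rubyzip in constructed lockfile: #{audit_rubyzip(CONSTRUCTED_LOCK)}"
end
```

Run it against a real Gemfile.lock by reading the file into `audit_rubyzip`; a `:vulnerable` result means the resolved rubyzip predates the fix regardless of what the gemspec allows, which is why bumping the floor in roo's gemspec (rather than only the ceiling) is the part of this PR that actually closes the advisory for downstream users.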

Kevinrob commented 4 years ago

@ansonhoyt Yeah, that's right! I will update the PR

manuelmeurer commented 4 years ago

Would love to see this merged to be able to use RubyZip 2.0!

daande commented 4 years ago

@Kevinrob Can we get this merged, as prior to ruby-zip 1.3.0 there is the following vulnerability: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubyzip/CVE-2019-16892.yml

ahukkanen commented 4 years ago

Definitely needed as other external dependencies are updating to rubyzip 2.0+.

Kevinrob commented 4 years ago

> @Kevinrob Can we get this merged, as prior to ruby-zip 1.3.0 there is the following vulnerability: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rubyzip/CVE-2019-16892.yml

Of course we can. But I don't have write access to this repo 😜

daande commented 4 years ago

@Empact @stevendaniels @simonoff @chopraanmol1 @rlburkes @tpickett66 @pabloh @FestivalBobcats Can one of you merge this or get it merged please?

daande commented 4 years ago

@chopraanmol1 Thank you!

manuelmeurer commented 4 years ago

@chopraanmol1 Could you please release a new version of this gem as well?

daande commented 4 years ago

> @chopraanmol1 Could you please release a new version of this gem as well?

I will send @chopraanmol1 an email trying to get a new release

uri-ravzin commented 4 years ago

Would love to get a new version here as well! Especially allowing rubyzip over 2.0.0.

chopraanmol1 commented 4 years ago

Will try my best to release on the weekend. If I'm unable to release on the weekend will surely release by next week

jspanjers commented 4 years ago

@chopraanmol, would love to have a new version!

chopraanmol1 commented 4 years ago

Sorry for the delay. I've released v2.8.3

jspanjers commented 4 years ago

Thanks!