rubymem / bundler-leak

Known-leaky gems verification for bundler: `bundle leak` to check your app and find leaky gems in your Gemfile :gem::droplet:
https://www.rubymem.com
GNU General Public License v3.0

redcarpet v3.3.2 is not being reported as a leaky version #34

Closed etagwerker closed 4 years ago

etagwerker commented 4 years ago

Hey @bronzdoc,

It seems that there is a problem with the redcarpet gem:

```
$ bundle leak
No leaks found
$ bundle leak --update
Updating ruby-mem-advisory-db ...
Fetching origin
From https://github.com/rubymem/ruby-mem-advisory-db
 * [new branch]      master     -> origin/master
HEAD is now at 352fb1f Merge pull request #19 from rubymem/add-code-of-conduct-1
Updated ruby-mem-advisory-db
ruby-mem-advisory-db: 11 advisories
No leaks found
$  cat Gemfile.lock | grep redcarpet
    redcarpet (3.3.2)
  redcarpet (= 3.3.2)
```

I was expecting it to report it as leaky but it did not. :(

I see that the patch for the leaky version is present in versions 3.3.3, 3.5.0, and their main branch: https://github.com/vmg/redcarpet/pull/516/commits/e2e26e2aec320b853282f1f8eca190560b52b0d9

According to the database, it should report it as leaky: https://github.com/rubymem/ruby-mem-advisory-db/blob/main/gems/redcarpet/516.yml

So maybe there is something wrong with the version comparison?

Not sure why that one is failing and other gems are working fine.

bronzdoc commented 4 years ago

I think it is not reporting it since the patched version is:

```yaml
patched_versions:
  - ">= 3.3"
```

that includes 3.3.3

etagwerker commented 4 years ago

@bronzdoc Got it. Just submitted a PR to fix that. redcarpet v3.3.2 is known to have a memory leak.
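The version comparison discussed in this thread, as an added Ruby example (not bundler-leak's own code and not part of the original issue). It assumes a gem is reported as leaky only when its locked version satisfies none of the advisory's `patched_versions` requirements; the corrected requirement list is a constructed assumption built from the patched versions the issue names (3.3.3 and 3.5.0), and the helper names are hypothetical.

```ruby
require "yaml"

# Constructed advisories: only the patched_versions entry quoted in the thread
# comes from the page; the corrected list is an assumption, not the real fix.
ADVISORY_AS_QUOTED = YAML.safe_load(<<~YAML)
  gem: redcarpet
  patched_versions:
    - ">= 3.3"
YAML

ADVISORY_ASSUMED_FIX = YAML.safe_load(<<~YAML)
  gem: redcarpet
  patched_versions:
    - "~> 3.3.3"
    - ">= 3.5.0"
YAML

# Each entry becomes a Gem::Requirement; an entry may hold several
# comma-separated constraints.
def patched_requirements(advisory)
  Array(advisory["patched_versions"]).map do |entry|
    Gem::Requirement.new(*entry.split(",").map(&:strip))
  end
end

# A version is reported leaky when no patched requirement accepts it.
def leaky?(advisory, version)
  v = Gem::Version.new(version)
  patched_requirements(advisory).none? { |req| req.satisfied_by?(v) }
end

# Advisory lint: known-leaky versions the advisory would accept as patched.
def misclassified(advisory, known_leaky)
  known_leaky.reject { |version| leaky?(advisory, version) }
end

# Read "name (version)" pairs from Gemfile.lock specs (indented four spaces).
def locked_versions(lock_text)
  lock_text.scan(/^ {4}([\w.-]+) \(([^)]+)\)$/).to_h
end

# Constructed Gemfile.lock excerpt matching the grep output in the issue.
LOCK = "GEM\n  specs:\n    redcarpet (3.3.2)\n\nDEPENDENCIES\n  redcarpet (= 3.3.2)\n"

if __FILE__ == $PROGRAM_NAME
  version = locked_versions(LOCK).fetch("redcarpet")
  puts "as quoted:   leaky? #{leaky?(ADVISORY_AS_QUOTED, version)}"
  puts "assumed fix: leaky? #{leaky?(ADVISORY_ASSUMED_FIX, version)}"
end
```

Running `misclassified` over an advisory with the versions named in its report is a cheap pre-merge check for the advisory database: a non-empty result means the requirement range is too wide.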