samvera / hydra-editor

A basic editor for samvera objects.

Updating the simple_form dependency to use 5.0.x releases and releases version 5.0.1 #181

Closed jrgriffiniii closed 4 years ago

jrgriffiniii commented 5 years ago

This is issued in response to GHSA-r74q-gxcg-73hx. Please see https://github.com/samvera/hydra-editor/pull/180 for an earlier pull request which I issued from my fork.

straleyb commented 4 years ago

Curious on the state of this. I'm sure there are a lot of people who need this security update pushed through Hyrax ASAP.

jrgriffiniii commented 4 years ago

CircleCI was bringing in a deprecated release of either ActiveFedora or solr_wrapper for the caches. @botimer fixed this for Rails 5.2.x releases, and I'm rerunning the job now for 5.1.x.

jrgriffiniii commented 4 years ago

This appears to be blocked due to an old, cached ActiveFedora dependency:

circleci@f571e194be55:~/project$ bundle show active-fedora
The dependency tzinfo-data (>= 0) will be unused by any of the platforms Bundler is installing for. Bundler is installing for ruby but the dependency is only for x86-mingw32, x86-mswin32, x64-mingw32, java. To add those platforms to the bundle, run `bundle lock --add-platform x86-mingw32 x86-mswin32 x64-mingw32 java`.
/home/circleci/project/vendor/bundle/gems/active-fedora-11.3.0

I'm going to see about getting the cache key updated in order to address this.

jrgriffiniii commented 4 years ago

Upgrading ActiveFedora beyond 11.x releases only breaks for builds using Rails 5.1.7. I am looking through the dependencies in order to locate the origin of this.

jrgriffiniii commented 4 years ago

https://github.com/samvera/active_fedora/pull/1403/files#diff-28a4e4c5735e5df842c2bbb6e81e30c3R18 is related to this problem. Until https://github.com/samvera/active_fedora/releases/tag/v13.1.1 was released, faraday-encoding could not be updated. However, https://github.com/samvera/active_fedora/releases/tag/v13.1.0 prevents activesupport releases prior to 5.2.0 from being used.

jrgriffiniii commented 4 years ago

Trying to upgrade these while working with Rails 5.1.z releases produces the following errors:

Bundler could not find compatible versions for gem "activemodel":
  In snapshot (Gemfile.lock):
    activemodel (= 5.1.7)

  In Gemfile:
    hydra-editor was resolved to 5.0.1, which depends on
      activemodel (>= 5.2)

    rails (= 5.1.7) was resolved to 5.1.7, which depends on
      activemodel (= 5.1.7)

Running `bundle update` will rebuild your snapshot from scratch, using only
the gems in your Gemfile, which may resolve the conflict.

Basically, this security upgrade may force us to drop Rails 5.1.z release support (or, require that ActiveFedora restore it).
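One way to check a project's own Gemfile.lock for the two conditions this thread turns on (that simple_form sits at a patched 5.0.x release, and that no locked gem's version violates a requirement declared by another locked gem, as with activemodel above). This is an added Ruby example, not code from hydra-editor; the lock excerpt is constructed for the demonstration.

```ruby
require "rubygems"

# Constructed Gemfile.lock excerpt (not the repository's real lock file),
# reproducing the shape of the conflict reported in the Bundler output above.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activemodel (5.1.7)
      hydra-editor (5.0.1)
        activemodel (>= 5.2)
        simple_form (~> 5.0)
      rails (5.1.7)
        activemodel (= 5.1.7)
      simple_form (5.0.1)
LOCK

# Parse the "specs:" section of a Gemfile.lock into
# { name => { version: Gem::Version, deps: { dep_name => Gem::Requirement } } }.
def parse_lock_specs(text)
  specs = {}
  current = nil
  in_specs = false
  text.each_line do |raw|
    line = raw.rstrip
    if line =~ /^\s*specs:$/
      in_specs = true
      next
    end
    next unless in_specs
    break if line.empty? || line !~ /^\s/ # left the GEM block
    if (m = line.match(/^    (\S+) \(([^)]+)\)$/))       # 4 spaces: a locked gem
      current = m[1]
      specs[current] = { version: Gem::Version.new(m[2]), deps: {} }
    elsif current && (m = line.match(/^      (\S+)(?: \((.+)\))?$/)) # 6 spaces: its dependency
      specs[current][:deps][m[1]] = Gem::Requirement.new((m[2] || ">= 0").split(", "))
    end
  end
  specs
end

# List every locked dependency whose pinned version violates a requirement
# declared by another locked gem (the activemodel 5.1.7 vs >= 5.2 case).
def conflicts(specs)
  specs.flat_map do |gem, info|
    info[:deps].map do |dep, req|
      next unless specs[dep]
      v = specs[dep][:version]
      req.satisfied_by?(v) ? nil : "#{gem} needs #{dep} #{req} but lock has #{v}"
    end.compact
  end
end

# True when the named gem is locked at or above the version carrying the fix.
def patched?(specs, name, fixed_in)
  specs.key?(name) && specs[name][:version] >= Gem::Version.new(fixed_in)
end
```

Running `conflicts(parse_lock_specs(File.read("Gemfile.lock")))` against a real lock reports the same incompatibility Bundler refuses to resolve, before a `bundle update` is attempted.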

jrgriffiniii commented 4 years ago

https://circleci.com/workflow-run/e0eaabc9-a476-415c-9ee6-086de7fdd11c has the build passing when I downgrade faraday-encoding, but there are still caching issues with this.

jrgriffiniii commented 4 years ago

Resetting the cache did not resolve the issue on https://circleci.com/gh/samvera/hydra-editor/134, trying to get this addressed now.

jrgriffiniii commented 4 years ago

This is also failing for Rails 5.2.z releases after I updated the cache key: https://circleci.com/gh/samvera/hydra-editor/139

jrgriffiniii commented 4 years ago

Forcing a downgrade for sprockets provides a temporary solution for this, and 4.0.0 was released just two days prior to this (https://rubygems.org/gems/sprockets/versions/4.0.0). I'll defer to others once I can confirm that this is a stable solution as to whether or not anything further is needed to support later sprockets releases.

jrgriffiniii commented 4 years ago

After discussing this briefly with community members, supporting sprockets 4.0.0 is not immediately addressed by the latest release of Blacklight (https://github.com/projectblacklight/blacklight/issues/2174).

jrgriffiniii commented 4 years ago

https://circleci.com/workflow-run/946283eb-baaf-4415-9c3e-7a9b30de6307 now passes for the squashed commits; I will request a review on these newly-proposed changes.

straleyb commented 4 years ago

🎉 I'll see that after this stuff gets merged, to let the samvera community know that there is an update path to get the ball rolling there. Thanks @jrgriffiniii

no-reply commented 4 years ago

This looks good. Any reason not to merge and release?

jrgriffiniii commented 4 years ago

Thank you everyone for your patience and for merging, this is now released: https://github.com/samvera/hydra-editor/releases/tag/v5.0.1