savonrb / httpi

Common interface for Ruby's HTTP clients
http://httpirb.com
MIT License

Remove spec directory from published gem #251

Closed ChristopherBert closed 2 months ago

ChristopherBert commented 2 months ago

I have a project that uses the savon gem and by extension uses this gem (httpi) as well. My organization runs TwistLock/Prisma scans for security vulnerabilities and has flagged this gem for exposing private keys here: /httpi-2.4.5/spec/integration/fixtures/server.key. It also flagged the akami gem for a similar issue, but I noticed that the latest version of the akami gem no longer has this problem because it does not include the spec directory in the published gem. Would it be possible to update the httpi gemspec file to exclude the spec directory similar to what was done for the akami gem in this commit: https://github.com/savonrb/akami/commit/b318eded4a3fdec965e6ca29ff0ba26e16b4bf25?
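As an added example (not httpi's or akami's own gemspec code), the following Ruby shows the two halves of the fix being requested: building the gem's file list from the tracked files while dropping the test tree, and a pre-release check that flags key material by file name or by PEM header so a fixture like `spec/integration/fixtures/server.key` cannot ship again. The file list, contents and the `spec`/`test` directory names are constructed assumptions for the demonstration.

```ruby
# Added example, not part of the httpi project. Demonstrates excluding the
# test tree from a gem's file list and checking the result for private keys.

# Directories assumed to hold test-only material (fixtures, specs) that must
# never be packaged into the published gem.
EXCLUDED_DIRS = %w[spec test].freeze

# Takes a list of tracked paths (what `git ls-files` would return) and drops
# every path whose top-level directory is in EXCLUDED_DIRS.
def gem_files(tracked_files, excluded_dirs = EXCLUDED_DIRS)
  tracked_files.reject do |path|
    top_level = path.split("/").first
    excluded_dirs.include?(top_level)
  end
end

# Key material is recognised either by a tell-tale extension or by a PEM
# private-key header anywhere in the file body.
KEY_NAME_PATTERN = /\.(key|pem|p12|pfx)\z/i
KEY_CONTENT_PATTERN = /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/

# Given {path => contents}, returns the paths that look like private keys.
def private_key_findings(files_with_contents)
  files_with_contents.select do |path, body|
    path.match?(KEY_NAME_PATTERN) || body.to_s.match?(KEY_CONTENT_PATTERN)
  end.keys
end

# Constructed sample file list resembling the repository layout discussed
# above; not the real httpi tree.
SAMPLE_TRACKED = %w[
  lib/httpi.rb
  lib/httpi/adapter/net_http.rb
  spec/integration/fixtures/server.key
  spec/integration/fixtures/server.cert
  spec/httpi_spec.rb
  README.md
  httpi.gemspec
].freeze

# Constructed contents for a few of those files. The key body is a
# placeholder, not real key material.
SAMPLE_CONTENTS = {
  "lib/httpi.rb" => "module HTTPI; end\n",
  "spec/integration/fixtures/server.key" =>
    "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
  "README.md" => "# httpi\n"
}.freeze

# Convenience: run the key check only over the files that would be packaged.
def findings_in_packaged_files(tracked_files, contents)
  packaged = gem_files(tracked_files)
  private_key_findings(contents.select { |path, _| packaged.include?(path) })
end

if __FILE__ == $PROGRAM_NAME
  puts "files to package: #{gem_files(SAMPLE_TRACKED).inspect}"
  puts "keys in full tree: #{private_key_findings(SAMPLE_CONTENTS).inspect}"
  puts "keys in packaged files: #{findings_in_packaged_files(SAMPLE_TRACKED, SAMPLE_CONTENTS).inspect}"
end
```

In a real gemspec the file list would come from the repository rather than a constant, for instance `spec.files = gem_files(`git ls-files -z`.split("\x0"))` (an assumed pattern, not httpi's exact line); the key check is the kind of assertion a CI step can run against `gem spec <built.gem> files` before publishing.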

pcai commented 2 months ago

Sure - if you propose a PR I will merge it and cut a release

ChristopherBert commented 2 months ago

Opened PR: https://github.com/savonrb/httpi/pull/252

pcai commented 2 months ago

Released as v4.0.4

ChristopherBert commented 2 months ago

@pcai I thought the above release would resolve my problem, however it did not. The problem now is that the wasabi gem is a dependency of the savon gem and it also has a dependency on the httpi gem. I tried to update to version 2.15.1 of savon, but this introduces a conflict because the version of wasabi that supports the new version of httpi also introduces a dependency on faraday which conflicts with the version of faraday already used by my project. Would it be possible to create a version 2.4.6 or 3.0.4 of the httpi gem that has the same change introduced in version 4.0.4? This would allow me to use a version of savon and wasabi that do not introduce a new version of faraday and are compatible with a version of httpi with my fix to exclude the spec directory from the released version of the gem.

pcai commented 2 months ago

Which version of faraday does your project require? Is it 1.x? It seems more straightforward (IMO) to loosen wasabi's faraday requirement if possible. I would much prefer that to committing to maintaining multiple branches of httpi, which itself is in maintenance mode only. What do you think?

ChristopherBert commented 2 months ago

@pcai Yes, my project requires faraday version < 2.0. I think loosening wasabi's faraday requirement to something like ">=1.9", "<3" would work for me. Will using a 1.x version of Faraday cause any problems for wasabi?

pcai commented 2 months ago

Wasabi doesn’t use anything specific to faraday 2.x. Wasabi 5.x declares a dependency on faraday, but actually prefers to use httpi if it is present for compatibility reasons. I should update this to make it clearer in the docs

ChristopherBert commented 2 months ago

@pcai I have opened the following PR for the wasabi gem to relax the faraday version restriction: https://github.com/savonrb/wasabi/pull/120