
Nokogiri dependency hell again... #194

Open
schungx opened this issue Aug 16, 2021 · 12 comments

Comments

@schungx

schungx commented Aug 16, 2021

Will there be an updated version with nokogiri 1.12 any time soon?

@nertzy

nertzy commented Sep 9, 2021

This is a similar problem to #196

I left a comment with some advice for the Azure ruby team: #196 (comment)

@schungx schungx closed this as completed Sep 9, 2021
@schungx schungx reopened this Sep 9, 2021
@scwells

scwells commented Sep 27, 2021

Currently running into this issue as well due to a nokogiri vulnerability. Failing bundler-audit.

Reference GHSA-2rr5-8q37-2w7h

Possible to get it bumped to 1.12.5 ?

@tbuehlmann

Came here for the CVE as well. Do we really need the pessimistic operator ~> 1.11.0.rc2 for nokogiri? Can we loosen that up?
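Added here as an example (not code from the gem or from anyone in this thread) to show, with the standard `Gem::Requirement` API, why the `~> 1.11.0.rc2` constraint quoted above blocks the 1.12.5 release named earlier; the loosened constraint and the release list are assumptions.

```ruby
require "rubygems"

# Constraint quoted in this thread, and a hypothetical relaxed alternative.
PINNED   = ["~> 1.11.0.rc2"]
LOOSENED = [">= 1.11.0.rc2", "< 2"]

# Spell out the range a pessimistic ("~>") constraint resolves to:
# >= the given version and < the next minor (RubyGems' Version#bump,
# which drops the prerelease tag before bumping).
def pessimistic_bounds(version)
  v = Gem::Version.new(version)
  [">= #{v}", "< #{v.bump}"]
end

# True if a dependency declared with `req_strings` allows `version`.
def admits?(req_strings, version)
  Gem::Requirement.new(*req_strings).satisfied_by?(Gem::Version.new(version))
end

# Which of the known fixed releases a constraint would let bundler pick.
# An empty result is the situation that fails bundler-audit: the fix
# exists but the declared dependency can never resolve to it.
def admitted_fixed_versions(req_strings, fixed_versions)
  fixed_versions.select { |v| admits?(req_strings, v) }
end

if $PROGRAM_NAME == __FILE__
  # Constructed release list: 1.12.5 is the patched version named in this
  # thread; 1.11.7 stands in for an older release inside the pinned range.
  releases = %w[1.11.7 1.12.5]
  puts "~> 1.11.0.rc2 means: #{pessimistic_bounds('1.11.0.rc2').join(', ')}"
  releases.each do |v|
    puts "pinned   admits #{v}: #{admits?(PINNED, v)}"
    puts "loosened admits #{v}: #{admits?(LOOSENED, v)}"
  end
  puts "fixed releases reachable under pin: #{admitted_fixed_versions(PINNED, %w[1.12.5]).inspect}"
end
```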

@nertzy

nertzy commented Sep 28, 2021

I opened a support issue with Azure. I encourage everyone else to do the same to make it clear that this is important to Azure customers.

@schungx
Author

schungx commented Sep 29, 2021

I agree. Azure needs to LISTEN to customers.

I have been totally fed up by the past year of pain (starting with the gem suddenly moving to persistent connections without an option to turn it off, and thus causing massive build conflicts due to Faraday dependency conflicting with Bundler). I couldn't even keep it at a lower version because the host system has moved on, and the nokogiri dependencies are specified so narrowly.

So I've said sod it and since moved on to S3, which is much more normal.

@schungx
Author

schungx commented Sep 29, 2021

IMHO I think this gem is getting out of maintenance.

@cooperka

cooperka commented Oct 1, 2021

✅ Solution in the meantime: @mschiller made a nice fork directly off of master that you can use while Azure takes their time fixing this high-risk security vulnerability. Here's their fork: https://github.com/mschiller/azure-storage-ruby/commit/c84806f766b773cdeea72a7f73d79ddab598b256

You can use it in your app like this (don't forget to bundle update nokogiri after this change):

gem "azure-storage-blob", github: "mschiller/azure-storage-ruby", tag: "c84806f766b773cdeea72a7f73d79ddab598b256"

@jwipeout

jwipeout commented Oct 1, 2021

when are you guys going to fix this?

@grosscr

grosscr commented Oct 4, 2021

I opened a support ticket with azure, and they responded that:

Ruby is unsupported, it's in community domain. You can send a Pull Request to follow up on the Github issue.

So, seems like we're likely on our own. :/

@srp-developers

@grosscr Could you please respond to them with links to these pull requests, each of which addresses this problem?

#177
#182
#183
#199

@schungx
Author

schungx commented Oct 6, 2021

And I also have an issue #190 which requests the move to persistent connections be made optional (or have a way to turn off) behind an option flag. It doesn't seem anybody is listening at Azure's side...

@nertzy

nertzy commented Dec 7, 2021

Solved for me in the gems released yesterday.
