I think the mistake here is that the version of nokogiri is locked to 1.11.x due to the ~> operator. If it had been set to ~> 1, it would be bundler that could pick the most suitable and secure version. I have 1.12.5 installed, but it's now not accepted because it has to be 1.11.x. Instead of bumping the version number of nokogiri and faraday in this gem, which now seems to be common practice given all the issues and pull requests, the gemspec should let the environment decide what is good for them; now my logstash plugin for azure can't use this gem, because it's too narrow on the versions.
If the devs want to block the usage of insecure versions, they could include a negative to state which versions are not supported, like this: ['~>1', '!<1.12.5']
Ruby may have declared 2.5 EOL, but JRuby 9.2.19 is still in support. Don't get me wrong, I'm very much in favor of leaving old insecure unsupported software to die, but give people some time to update their stack.
Yes, #199 uses gem "nokogiri", "~> 1", ">= 1.12.5". That would at least let bundler manage the dependencies properly.
The current spec of ~> 1.11.0.rc2 is actually causing more significant problems. Bundler treats the ".rc2" as significant and looks for dot-dot-dot versions, i.e. rc3, rc4 etc. So this gem prevents any project that includes it from even updating to the 1.11.0 release of nokogiri.
As for JRuby ... it's unfortunate they're still supporting ruby 2.5 compat. But I still think #184 should be merged, as it only drops 2.4 & 2.3.
nokogiri <1.12.5 has a vulnerability classified as high-risk: CVE-2021-41098. However, this package is currently bundling nokogiri v1.11.0.rc2. That version 1.11.0.rc2 was released in April-2020 and appears to be in-use ONLY to maintain support for ruby v2.3 & 2.4. Both versions of ruby have been EOL'd for more than a year (https://endoflife.date/ruby):
To remediate:
Could this module be updated to deprecate support for ruby <2.6 & require the secure nokogiri version?
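Added example, not code from this thread or from the gem: a Ruby check, using RubyGems' own Gem::Requirement rules, of which versions the current ~> 1.11.0.rc2 constraint and the proposed ~> 1, >= 1.12.5 constraint admit, and whether a constraint still lets a version below the 1.12.5 fix through. The candidate version list is constructed for the example, and the prerelease-hiding rule mirrors the resolver's general behaviour rather than Bundler's exact code.

```ruby
require "rubygems"

# Constructed sample of nokogiri-like version numbers around the CVE-2021-41098
# fix (1.12.5); this is not a registry query.
CANDIDATES = %w[1.10.10 1.11.0.rc2 1.11.0 1.11.7 1.12.4 1.12.5 1.13.0]
               .map { |v| Gem::Version.new(v) }.freeze

# Versions from +candidates+ that a gemspec constraint list would accept.
# Gem::Requirement#satisfied_by? alone does not hide prereleases, so the
# resolver rule "prereleases are only candidates when the requirement itself
# names one" is applied here; that is why "~> 1.11.0.rc2" keeps rc2 in play.
def admissible(constraints, candidates = CANDIDATES)
  req = Gem::Requirement.new(*constraints)
  candidates.select { |v| req.satisfied_by?(v) && (req.prerelease? || !v.prerelease?) }
            .map(&:to_s)
end

# True when the constraint still admits at least one version older than the
# fixed one, i.e. a vulnerable nokogiri could still be resolved.
def admits_vulnerable?(constraints, fixed = "1.12.5", candidates = CANDIDATES)
  fixed_v = Gem::Version.new(fixed)
  admissible(constraints, candidates).any? { |v| Gem::Version.new(v) < fixed_v }
end

if __FILE__ == $PROGRAM_NAME
  {
    "current gemspec" => ["~> 1.11.0.rc2"],
    "proposed in #199" => ["~> 1", ">= 1.12.5"],
    "bare ~> 1" => ["~> 1"],
  }.each do |label, constraints|
    puts "#{label} #{constraints.inspect}: admits #{admissible(constraints).inspect}, " \
         "vulnerable version possible: #{admits_vulnerable?(constraints)}"
  end
end
```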