Update rubyzip to 1.3.0 to fix vulnerability #4133

Merged
merged 1 commit into from Sep 30, 2019
Conversation

@rhymes rhymes commented Sep 30, 2019

What type of PR is this? (check all applicable)

  • Refactor
  • Feature
  • Bug Fix
  • Documentation Update

Description

There's a vulnerability about entry sizes during extraction in rubyzip that has been fixed in both versions 1.3.0 and 2.0.

Related Tickets & Documents

rubyzip/rubyzip#403

Added to documentation?

  • docs.dev.to
  • readme
  • no documentation needed

@pr-triage pr-triage bot added the PR: unreviewed bot applied label for PR's with no review label Sep 30, 2019
@@ -76,7 +76,7 @@ gem "redcarpet", "~> 3.5" # A fast, safe and extensible Markdown to (X)HTML pars
gem "reverse_markdown", "~> 1.3" # Map simple html back into markdown
gem "rolify", "~> 5.2" # Very simple Roles library
gem "rouge", "~> 3.10" # A pure-ruby code highlighter
gem "rubyzip", "~> 1.2" # Rubyzip is a ruby library for reading and writing zip files
gem "rubyzip", "~> 1.2", ">= 1.3.0" # Rubyzip is a ruby library for reading and writing zip files
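Review bot: the combined constraint on the new line, `"~> 1.2", ">= 1.3.0"`, resolves to >= 1.3.0 and < 2.0, which is the right outcome here (pick up the fixed 1.x release without letting Bundler jump to the 2.x major), but the shorter spelling `"~> 1.3"` means exactly the same and is easier to read than the double rule. Note also that this hunk only touches the Gemfile; the Gemfile.lock update that actually moves the installed rubyzip to 1.3.0 is not visible in this diff and should be part of the same change.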
Contributor

Why not just gem "rubyzip", ">= 1.3.0" ? 🤔

Contributor Author

Honestly, no particular reason; the algorithm works the same, I think. See the line with Rails and other gems with the same double rule.

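To make the review question concrete, here is an added example (not code from the forem repository) that evaluates the two constraint spellings discussed above with RubyGems' own requirement matcher from the standard library; the candidate version list is constructed for the comparison, and the `"~> 1.3"` shorthand is included to show it is equivalent to the merged double rule.

```ruby
# Added example: how Bundler/RubyGems evaluates the constraints discussed
# in this review. Uses only the rubygems stdlib, no rubyzip needed.
require "rubygems"

# Constraint as merged in the PR's Gemfile line.
PR_CONSTRAINT = ["~> 1.2", ">= 1.3.0"].freeze
# Constraint the reviewer proposed instead.
REVIEW_CONSTRAINT = [">= 1.3.0"].freeze
# Shorter spelling that should mean the same as PR_CONSTRAINT.
SHORT_CONSTRAINT = ["~> 1.3"].freeze

# Candidate versions, constructed for the comparison: a pre-fix 1.2.x release,
# the two fixed releases named in the PR description, and later 1.x / 2.x
# releases that may or may not exist (placeholders for "future versions").
CANDIDATES = %w[1.2.4 1.3.0 1.3.1 2.0.0 2.1.0].freeze

# True when +version+ satisfies every requirement string in +constraint+,
# exactly as Bundler checks a Gemfile entry against a gem version.
def allowed?(constraint, version)
  Gem::Requirement.new(*constraint).satisfied_by?(Gem::Version.new(version))
end

# The subset of CANDIDATES a constraint would let Bundler resolve to.
def allowed_versions(constraint)
  CANDIDATES.select { |v| allowed?(constraint, v) }
end

# True when both constraints accept and reject the same candidates.
def equivalent?(a, b)
  allowed_versions(a) == allowed_versions(b)
end

if __FILE__ == $PROGRAM_NAME
  { "PR" => PR_CONSTRAINT,
    "review" => REVIEW_CONSTRAINT,
    "short" => SHORT_CONSTRAINT }.each do |name, c|
    puts format("%-7s %-24s => %s", name, c.inspect, allowed_versions(c).join(", "))
  end
end
```

The merged rule and `"~> 1.3"` both stop at the 1.x line, while the bare `">= 1.3.0"` would also accept a future 2.x release.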
@pr-triage pr-triage bot added PR: reviewed-approved bot applied label for PR's where reviewer approves changes and removed PR: unreviewed bot applied label for PR's with no review labels Sep 30, 2019
@maestromac maestromac merged commit 280f314 into forem:master Sep 30, 2019
@pr-triage pr-triage bot added PR: merged bot applied label for PR's that are merged and removed PR: reviewed-approved bot applied label for PR's where reviewer approves changes labels Sep 30, 2019
@rhymes rhymes deleted the rhymes/upgrade-rubyzip-vulnerability branch September 30, 2019 14:44
Aswathprabhu pushed a commit to Aswathprabhu/dev.to that referenced this pull request Sep 30, 2019