Indicate a version for activesupport that has support/receives security patches (>= 6?)
alaendle opened this issue · 2 comments
alaendle commented
Guess this is a controversial issue, and I am absolutely not an expert in the Ruby ecosystem, but I wonder if it wouldn't be preferable to force users of the package to also use a supported activesupport version (>= 6?).
html-pipeline/html-pipeline.gemspec, line 18 in 84c75b3
In my example this is the only dependency on rails/activesupport, so `bundle install` chooses a 3.x version of activesupport for me, bringing in potential vulnerabilities (my guess is they aren't exploitable through html-pipeline, but nonetheless I see no reason to have/indicate support for insecure/outdated versions). Sure, this can be worked around by manually touching Gemfile.lock or by adding an artificial, unnecessary direct dependency on activesupport, but is this the preferred way, or should this package require a newer version?
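The constraint question raised above can be checked mechanically. The following is an added example, not code from html-pipeline or from the issue author: it takes a gemspec-style requirement string and a constructed list of activesupport releases, and reports whether the requirement still admits versions below an assumed support floor (the `SUPPORTED_FLOOR` of 6.0 and the release list are assumptions for the example). It uses only the `rubygems` library that ships with Ruby.

```ruby
# Added example (not part of html-pipeline or the issue thread): does a
# gemspec dependency requirement still admit activesupport versions that no
# longer receive security patches?
require "rubygems"

# Constructed, non-exhaustive list of activesupport releases (assumed data).
ACTIVESUPPORT_RELEASES = %w[3.2.22.5 4.2.11.3 5.2.8.1 6.1.7.6 7.0.8].freeze

# Assumed support floor for this example; check the Rails maintenance policy
# for the series actually receiving security patches today.
SUPPORTED_FLOOR = Gem::Version.new("6.0")

# Versions that satisfy a requirement string such as ">= 2" or "~> 6.1, >= 6.1.7".
def satisfying_versions(requirement, releases = ACTIVESUPPORT_RELEASES)
  req = Gem::Requirement.new(*requirement.split(",").map(&:strip))
  releases.map { |v| Gem::Version.new(v) }
          .select { |v| req.satisfied_by?(v) }
          .sort
end

# Highest release this gem alone would allow. Bundler picks the newest version
# that satisfies every gem in the bundle, so another gem pinning an old
# activesupport can drag the resolution down to anything this gem admits.
def newest_satisfying(requirement, releases = ACTIVESUPPORT_RELEASES)
  satisfying_versions(requirement, releases).last
end

# True when the requirement leaves room for Bundler to resolve to an
# unpatched series, which is exactly the situation described in the issue.
def admits_unsupported?(requirement, releases = ACTIVESUPPORT_RELEASES)
  satisfying_versions(requirement, releases).any? { |v| v < SUPPORTED_FLOOR }
end

if __FILE__ == $PROGRAM_NAME
  [">= 2", ">= 6", "~> 6.1, >= 6.1.7"].each do |spec|
    puts format("%-20s admits unsupported: %-5s newest allowed: %s",
                spec, admits_unsupported?(spec), newest_satisfying(spec))
  end
end
```

Run against the real gemspec's `add_dependency` line, the check tells you whether a floor such as `>= 6` is needed or whether the existing requirement already excludes end-of-life series; the same `Gem::Requirement` logic is what Bundler applies during resolution.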
gjtorikian commented
Makes sense. I'll add it to the upcoming v3 release which will introduce a bunch of modernity.
gjtorikian commented
A new (beta) release of HTML-Proofer has been released, v3.0.0.pre1. I tried to go back and address all the issues in this repo.
activesupport was actually not a strictly necessary dependency, and as such, I've removed it.