jekyll/jekyll-admin

Update sinatra from 1.4.x to latest (2.0.x)

0xdevalias opened this issue · 3 comments

Currently the gemspec pins sinatra / sinatra-contrib to 1.4.x, which was last updated in January 2017.

The latest released sinatra version currently is 2.0.8.1, released in January 2020.

This leads to the following output when using jekyll-admin:

⇒  bundle outdated

..snip..

Outdated gems included in the bundle:
  * rack (newest 2.2.3, installed 1.6.13)
  * rack-protection (newest 2.0.8.1, installed 1.5.5)
  * sinatra (newest 2.0.8.1, installed 1.4.8)
  * sinatra-contrib (newest 2.0.8.1, installed 1.4.7)

While the changelog doesn't seem to directly mention any breaking changes, a Hacker News comment thread talks about how some deprecated Ruby versions, the URL matching engine (mustermann), and support for Rack 2 may cause some breaking changes.

This issue has been automatically marked as stale because it has not been commented on for at least two months.

The resources of the Jekyll team are limited, and so we are asking for your help.

If this is a bug and you can still reproduce this error on the master branch, please reply with all of the information you have about it in order to keep the issue open.

If this is a feature request, please consider whether it can be accomplished in another way. If it cannot, please elaborate on why it is core to this project and why you feel more than 80% of users would find this beneficial.

This issue will automatically be closed in two months if no further activity occurs. Thank you for all your contributions.

I think this should be re-opened. It is a bug in that there are insecure versions of Rack being used as a result of these older sinatra and sinatra-contrib gems.

GitHub Dependabot warns me about two security vulnerabilities

  • CVE-2020-8184 High severity
  • CVE-2020-8161 Moderate severity

These are caused by an outdated rack version, which should be upgraded to ~> 2.1.4. I believe this outdated dependency is caused by the outdated sinatra version.

I'm not very experienced with Ruby package managing but I'm happy to contribute. Can anyone tell me if there are any blockers upgrading sinatra to the latest version here?
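The following Ruby script is an added example, not code from this issue or from the jekyll-admin project. It parses the bundle outdated lines quoted in the opening post and evaluates candidate version constraints against them with RubyGems' own Gem::Requirement, the same class that interprets a gemspec or Gemfile constraint. The constraints it checks are assumptions chosen to illustrate the two posts above: a "~> 1.4" pin of the kind the issue describes for sinatra, and the "~> 2.1.4" bound quoted from the Dependabot alert next to a plain ">= 2.1.4" floor. The point worth checking before editing the gemspec is that the pessimistic operator "~> 2.1.4" means ">= 2.1.4, < 2.2", so written literally as a constraint it would exclude the rack 2.2.3 release that bundle outdated lists as newest.

```ruby
require "rubygems"

# Constructed sample input: the `bundle outdated` lines quoted in the issue above.
OUTDATED_OUTPUT = <<~TXT
  Outdated gems included in the bundle:
    * rack (newest 2.2.3, installed 1.6.13)
    * rack-protection (newest 2.0.8.1, installed 1.5.5)
    * sinatra (newest 2.0.8.1, installed 1.4.8)
    * sinatra-contrib (newest 2.0.8.1, installed 1.4.7)
TXT

# Matches one "  * name (newest X, installed Y)" line of `bundle outdated` output.
OUTDATED_LINE = /\A\s*\*\s+(\S+)\s+\(newest\s+([\w.]+),\s+installed\s+([\w.]+)\)/

# Parse `bundle outdated` output into { name => { newest:, installed: } }
# with Gem::Version values, so versions compare numerically ("2.0.8.1" > "2.0.8").
def parse_outdated(text)
  text.each_line.each_with_object({}) do |line, acc|
    m = OUTDATED_LINE.match(line) or next
    acc[m[1]] = { newest: Gem::Version.new(m[2]), installed: Gem::Version.new(m[3]) }
  end
end

# For each gem with a candidate requirement string, report whether the installed
# and the newest version satisfy it. Requirement syntax is RubyGems' own
# (Gem::Requirement), so "~> 2.1.4" is read exactly as a gemspec would read it.
def check_requirements(outdated, requirements)
  requirements.each_with_object({}) do |(name, spec), report|
    versions = outdated[name] or next
    req = Gem::Requirement.new(spec)
    report[name] = {
      requirement:  spec,
      installed_ok: req.satisfied_by?(versions[:installed]),
      newest_ok:    req.satisfied_by?(versions[:newest]),
    }
  end
end

# Candidate constraints to evaluate. These are assumptions for this example,
# not taken from jekyll-admin's gemspec:
#   sinatra "~> 1.4"   : the kind of pin the issue describes
#   rack    "~> 2.1.4" : the bound quoted from the Dependabot alert
#   rack    ">= 2.1.4" : the same floor without the pessimistic upper bound
def example_report
  outdated = parse_outdated(OUTDATED_OUTPUT)
  {
    sinatra_pinned:   check_requirements(outdated, "sinatra" => "~> 1.4")["sinatra"],
    rack_pessimistic: check_requirements(outdated, "rack" => "~> 2.1.4")["rack"],
    rack_floor:       check_requirements(outdated, "rack" => ">= 2.1.4")["rack"],
  }
end

if __FILE__ == $PROGRAM_NAME
  example_report.each do |label, r|
    puts format("%-16s %-9s installed_ok=%-5s newest_ok=%s",
                label, r[:requirement], r[:installed_ok], r[:newest_ok])
  end
end
```

Running it shows that "~> 1.4" admits the installed sinatra 1.4.8 but rejects 2.0.8.1, which is the mechanism by which the pin holds the whole rack stack at 1.x, and that "~> 2.1.4" rejects both the installed rack 1.6.13 and the newest 2.2.3, while ">= 2.1.4" admits 2.2.3. In other words, when the sinatra constraint is loosened, the rack requirement that goes with it should be expressed as a floor (or a range covering 2.2.x), not copied verbatim from the advisory's "~> 2.1.4".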