html2text_ruby

Allow nokogiri 1.11 and above

Open aried3r opened this issue 5 years ago • 5 comments

aried3r avatar Feb 18 '20 16:02 aried3r

@soundasleep Please merge. This is fixing a critical vulnerability: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

kwent avatar Jan 02 '21 05:01 kwent

Only question is: should we force 1.11 to be the minimum?

krtschmr avatar Jan 05 '21 08:01 krtschmr

Nokogiri 1.11 is 2 days old and ends support for Ruby 2.3 and 2.4.

There might be users that use this project or nokogiri itself in ways that are safe enough for them, given the vulnerability.

I'd say, allow people to update, but don't force this version, at least for now.

https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md#v1110--2021-01-03

WDYT?

aried3r avatar Jan 05 '21 10:01 aried3r

That's actually a fair argument. We run 2.7 so we can force 1.11. I opened a pull request earlier today where we use 1.11, then saw yours and just asked why, but I never thought about older versions ;-)

Seems like the owner abandoned this project. The classy fail of GitHub open source somehow. Sad.

I doubt this gets merged :/

krtschmr avatar Jan 05 '21 10:01 krtschmr

When the new maintainers revive this project, please close this in favor of #16 or #17.

baburdick avatar Mar 01 '22 01:03 baburdick

Resolved in #17

mscrivo avatar Jun 07 '24 13:06 mscrivo