Replace http_parser.rb with llhttp or other equivalents #3437

ashie · 2021-06-30T03:09:27Z

Describe the bug
Fluentd depends on http_parser.rb but it's not maintained and not released new version since December 11, 2013.
In this gem, vulnerability is often detected mistakenly by several security tools because it includes a garbage Gemfile.lock. e.g.) #3409 #3374

I'm troublesome to support such issue, so that I've gotten ownership of http_parser.rb and I'll release a new gem which fixes this issue. Although such false positive will be suppressed by it, we should consider replacing http_parser.rb with other equivalents such as llhttp because dependent http-parser is already dead too.

To Reproduce
See https://github.com/nodejs/http-parser

http-parser is not actively maintained. New projects and projects looking to migrate should consider llhttp.

Expected behavior
Dependent libraries should be well maintained.

Your Environment
N/A

Your Configuration
N/A

Your Error Log
N/A

Additional context
N/A

http_parser.rb 0.6.0 includes a garbage Gemfile.lock and it causes false positive detection by security scanning tools. 0.7.0 fixes this issue. See also: #3374 #3409 #3437 Signed-off-by: Takuro Ashie <ashie@clear-code.com>

ashie added the feature request label Jun 30, 2021

ashie self-assigned this Jun 30, 2021

ashie mentioned this issue Jul 8, 2021

Relax http_parse.rb version #3450

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Replace http_parser.rb with llhttp or other equivalents #3437

Replace http_parser.rb with llhttp or other equivalents #3437

ashie commented Jun 30, 2021 •

edited

Replace http_parser.rb with llhttp or other equivalents #3437

Replace http_parser.rb with llhttp or other equivalents #3437

Comments

ashie commented Jun 30, 2021 • edited

ashie commented Jun 30, 2021 •

edited