
Bump multi_xml dependency to 0.5.2 for CVE-2013-0175 fix

commit e38baab559bb078ee421676b752d9877e5828b48 1 parent 3e2ec2b
Jonathan Rudenberg authored January 12, 2013

Showing 1 changed file with 1 addition and 1 deletion.

httparty.gemspec
@@ -13,7 +13,7 @@ Gem::Specification.new do |s|
13 13
   s.description = %q{Makes http fun! Also, makes consuming restful web services dead easy.}
14 14
 
15 15
   s.add_dependency 'multi_json', "~> 1.0"
16  
-  s.add_dependency 'multi_xml'
  16
+  s.add_dependency 'multi_xml', ">= 0.5.2"
17 17
 
18 18
   s.post_install_message = "When you HTTParty, you must party hard!"
19 19
 
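Review bot: the new constraint on line 16, `s.add_dependency 'multi_xml', ">= 0.5.2"`, is open-ended, so it will accept any future multi_xml release, including a new major version, whereas the multi_json dependency two lines above is bounded with the pessimistic operator `"~> 1.0"`; consider `s.add_dependency 'multi_xml', '~> 0.5', '>= 0.5.2'`, which keeps the security floor while refusing a major version that may change the API. The commit message names CVE-2013-0175 as the reason for the floor, but nothing in the gemspec records why 0.5.2 is the minimum; a one-line comment above the dependency (or a CHANGELOG entry) would keep that rationale next to the constraint so a later maintainer does not loosen it.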

7 notes on commit e38baab

Jonathan Weiss

Unfortunately this now introduces a GPLv3 dependency as multi_xml 0.5.2 switched to kramdown from maruku :-(

John Nunemaker
Owner

I would talk to multi xml about this. The reason for this is security, so I definitely won't be reverting it.

Loren Segal

Maybe @sferik can comment on this? It's marked as a development dependency, so it should not be an issue, but maybe using redcarpet or rdiscount would be better?

Erik Michaels-Ober

This is a non-issue. I've already addressed it here: sferik/multi_xml@c760063#commitcomment-2454641

I switched to kramdown because it is a fast, pure-Ruby Markdown parser. I was previously using maruku but it contains issues that still haven't been addressed.

Erik Michaels-Ober

@lsegal Looking back in my timeline, I actually made this change in response to this tweet from you. :wink:

Loren Segal

@sferik: oops! I forgot "pure Ruby" was the requirement here. The ones I mentioned are not in fact pure implementations. kramdown is indeed the best option.

Erik Michaels-Ober

Yeah, tests were failing on JRuby during the installation of redcarpet. Same for rdiscount.
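The change above only raises the floor in httparty's gemspec; an application that already has an older multi_xml resolved in its Gemfile.lock stays on the old version until it re-resolves. The script below is an added example written for this page, not code from httparty or multi_xml. It parses a constructed Gemfile.lock (sample data, not a real project's lockfile), reports whether the resolved multi_xml satisfies the `>= 0.5.2` floor, and uses RubyGems' own `Gem::Requirement` to show how the open-ended `">= 0.5.2"` differs from a bounded `"~> 0.5", ">= 0.5.2"` constraint. The helper names (`resolved_versions`, `accepted?`, `below_floor`) are this example's, not an API of either project.

```ruby
require 'rubygems'

# Constructed sample Gemfile.lock (not taken from any real project): the
# resolver has pinned multi_xml to 0.5.1, below the floor the commit sets.
SAMPLE_LOCKFILE = <<LOCK
GEM
  remote: https://rubygems.org/
  specs:
    httparty (0.9.0)
      multi_json (~> 1.0)
      multi_xml
    multi_json (1.5.0)
    multi_xml (0.5.1)

PLATFORMS
  ruby

DEPENDENCIES
  httparty
LOCK

# Return { gem name => Gem::Version } for every gem resolved in the GEM
# specs section. Resolved gems are the 4-space-indented "name (version)"
# lines; their 6-space-indented dependency lines are deliberately skipped.
def resolved_versions(lockfile)
  versions = {}
  in_specs = false
  lockfile.each_line do |raw|
    line = raw.chomp
    in_specs = true if line == '  specs:'
    in_specs = false if in_specs && line =~ /\A\S/ # next top-level section
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# True if version_string satisfies the given gemspec-style constraints,
# e.g. accepted?('2.0.0', '~> 0.5', '>= 0.5.2') => false.
def accepted?(version_string, *constraints)
  Gem::Requirement.new(*constraints).satisfied_by?(Gem::Version.new(version_string))
end

# Return the resolved version string of +name+ if it violates +constraints+,
# nil if it satisfies them or is not present in the lockfile at all.
def below_floor(lockfile, name, *constraints)
  version = resolved_versions(lockfile)[name]
  return nil if version.nil?
  Gem::Requirement.new(*constraints).satisfied_by?(version) ? nil : version.to_s
end

if __FILE__ == $PROGRAM_NAME
  bad = below_floor(SAMPLE_LOCKFILE, 'multi_xml', '>= 0.5.2')
  puts(bad ? "multi_xml #{bad} is below the 0.5.2 floor; run `bundle update multi_xml`" :
             'multi_xml satisfies the floor')
  puts "open-ended '>= 0.5.2' accepts 2.0.0: #{accepted?('2.0.0', '>= 0.5.2')}"
  puts "bounded '~> 0.5', '>= 0.5.2' accepts 2.0.0: #{accepted?('2.0.0', '~> 0.5', '>= 0.5.2')}"
end
```

Run it against a real lockfile with `resolved_versions(File.read('Gemfile.lock'))`; the regex relies on Bundler's fixed indentation for the specs section, so a hand-edited lockfile with different spacing would need the pattern adjusted.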
