Bump multi_xml dependency to 0.5.2 for CVE-2013-0175 fix

titanous committed Jan 12, 2013
1 parent 3e2ec2b commit e38baab559bb078ee421676b752d9877e5828b48
Showing with 1 addition and 1 deletion.
  1. +1 −1 httparty.gemspec
@@ -13,7 +13,7 @@ Gem::Specification.new do |s|
s.description = %q{Makes http fun! Also, makes consuming restful web services dead easy.}
s.add_dependency 'multi_json', "~> 1.0"
- s.add_dependency 'multi_xml'
+ s.add_dependency 'multi_xml', ">= 0.5.2"
s.post_install_message = "When you HTTParty, you must party hard!"
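Review bot: the new constraint on the `multi_xml` line, `">= 0.5.2"`, has no upper bound, while the `multi_json` line directly above it uses the pessimistic `"~> 1.0"`; any future multi_xml release with breaking API changes would still satisfy `>= 0.5.2`. Consider `s.add_dependency 'multi_xml', "~> 0.5.2"` (or `">= 0.5.2", "< 1.0"`) so the security floor is preserved and both dependency lines follow the same convention.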

7 comments on commit e38baab

jweiss Jan 17, 2013

Unfortunately this now introduces a GPLv3 dependency as multi_xml 0.5.2 switched to kramdown from maruku :-(

jnunemaker (Owner) Jan 17, 2013

I would talk to multi xml about this. The reason for this is security, so I definitely won't be reverting it.

lsegal Jan 21, 2013

Maybe @sferik can comment on this? It's marked as a development dependency, so it should not be an issue, but maybe using redcarpet or rdiscount would be better?
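As an added example (not code from this commit or from the httparty or multi_xml projects), the following Ruby uses RubyGems' own Gem::Specification and Gem::Requirement classes to show two things discussed on this page: which multi_xml versions the commit's `>= 0.5.2` floor accepts, and how that differs from the pessimistic `~> 0.5.2` style used on the neighbouring multi_json line; and why a dependency declared with add_development_dependency, as lsegal says kramdown is, is not installed by consumers of the gem. The two in-memory gemspecs are constructed for the example; the httparty version, the contents of the multi_xml spec and the kramdown entry are assumptions.

```ruby
require 'rubygems'

# Constructed stand-in for httparty.gemspec after this commit. Only the two
# add_dependency lines reflect the page; the version number is an assumption.
HTTPARTY_SPEC = Gem::Specification.new do |s|
  s.name    = 'httparty'
  s.version = '0.10.0'
  s.add_dependency 'multi_json', '~> 1.0'
  s.add_dependency 'multi_xml', '>= 0.5.2'
end

# Constructed stand-in for multi_xml's gemspec. That kramdown is a development
# dependency is taken from the comment thread; everything else is assumed.
MULTI_XML_SPEC = Gem::Specification.new do |s|
  s.name    = 'multi_xml'
  s.version = '0.5.2'
  s.add_development_dependency 'kramdown'
end

# True if an installed version of dep_name would satisfy spec's *runtime*
# requirement on it, i.e. the constraint a consumer of the gem is held to.
def runtime_requirement_satisfied?(spec, dep_name, installed_version)
  dep = spec.runtime_dependencies.find { |d| d.name == dep_name }
  raise ArgumentError, "#{spec.name} has no runtime dependency on #{dep_name}" unless dep
  dep.requirement.satisfied_by?(Gem::Version.new(installed_version))
end

# Runtime dependencies are what `gem install <name>` pulls in for a consumer.
def runtime_dependency_names(spec)
  spec.runtime_dependencies.map(&:name).sort
end

# Development dependencies are only resolved by the gem's own developers
# (bundler in the gem's repo, `gem install --development`), not by consumers.
def development_dependency_names(spec)
  spec.development_dependencies.map(&:name).sort
end

# For each candidate version, report whether it satisfies the commit's open
# floor (">= 0.5.2") and the pessimistic alternative ("~> 0.5.2", which means
# ">= 0.5.2" and "< 0.6").
def compare_constraints(versions, floor = '>= 0.5.2', pessimistic = '~> 0.5.2')
  floor_req = Gem::Requirement.new(floor)
  pess_req  = Gem::Requirement.new(pessimistic)
  versions.map do |v|
    gv = Gem::Version.new(v)
    { version: v,
      floor: floor_req.satisfied_by?(gv),
      pessimistic: pess_req.satisfied_by?(gv) }
  end
end

if __FILE__ == $0
  puts "httparty runtime deps:        #{runtime_dependency_names(HTTPARTY_SPEC).inspect}"
  puts "multi_xml runtime deps:       #{runtime_dependency_names(MULTI_XML_SPEC).inspect}"
  puts "multi_xml development deps:   #{development_dependency_names(MULTI_XML_SPEC).inspect}"
  puts
  puts format('%-8s %-10s %-12s', 'version', '>= 0.5.2', '~> 0.5.2')
  compare_constraints(%w[0.5.1 0.5.2 0.5.9 0.6.0 1.0.0]).each do |row|
    puts format('%-8s %-10s %-12s', row[:version], row[:floor], row[:pessimistic])
  end
end
```

Running the file prints the dependency lists and a small table: 0.5.1 fails both constraints (so the vulnerable version is excluded either way), 0.5.2 and 0.5.9 satisfy both, and 0.6.0 and 1.0.0 satisfy only the open `>= 0.5.2` floor that the commit chose. The multi_xml runtime dependency list is empty, which is why a development-only kramdown entry does not reach httparty's users.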

sferik Jan 21, 2013

This is a non-issue. I've already addressed it here: sferik/multi_xml@c760063#commitcomment-2454641

I switched to kramdown because it is a fast, pure-Ruby Markdown parser. I was previously using maruku but it contains issues that still haven't been addressed.

sferik Jan 21, 2013

@lsegal Looking back in my timeline, I actually made this change in response to this tweet from you. 😉

lsegal Jan 21, 2013

@sferik: oops! I forgot "pure Ruby" was the requirement here. The ones I mentioned are not in fact pure implementations. kramdown is indeed the best option.

sferik Jan 21, 2013

Yeah, tests were failing on JRuby during the installation of redcarpet. Same for rdiscount.
