Upgrade Faraday and Thor Dependencies #224
Conversation
We need to install Ruby 2.7 to test against it.
|
Hi @jimmycuadra. Please let me know if I can provide any further information or testing to get this incorporated. Many thanks 🙇 |
|
Hiya! Thanks for doing this. I've let Lita sit for a long time without much maintenance, but I'm planning to do a pass through all the pending issues very soon, at which point I'll review this and likely merge it in. Sorry for the radio silence! |
|
I just released Lita v4.8.0.beta1: https://github.com/litaio/lita/releases/tag/v4.8.0.beta1. I'm unlikely to continue development of Lita 5 (the master branch) so this new release does the bare minimum on top of v4.7.1 to get it working on current versions of Ruby. Can you try this out and see if it works for you? |
|
Hi @jimmycuadra, Thanks for the v4.8.0-beta1 release. I've confirmed this solves our issues and works as expected with our custom plugins. I'm sorry to hear that you are unlikely to continue development of the main branch. I know maintaining open-source software can be a thankless and time-consuming task. Please let me know if I can offer any help. Again, many thanks. 🙇 |
| @@ -37,7 +37,7 @@ Gem::Specification.new do |spec| | |||
| } | |||
|
|
|||
| spec.add_runtime_dependency "bundler", "~> 2.0" | |||
| spec.add_runtime_dependency "faraday", "~> 0.15.0" | |||
| spec.add_runtime_dependency "faraday", "~> 1.0" | |||
There was a problem hiding this comment.
Addressed in 9bb5951#diff-ee0dfbe0509abc47c944702671133788R24
| @@ -46,7 +46,7 @@ Gem::Specification.new do |spec| | |||
| spec.add_runtime_dependency "rack", "~> 2.0" | |||
| spec.add_runtime_dependency "rb-readline", "~> 0.5.0" | |||
| spec.add_runtime_dependency "redis-namespace", "~> 1.6" | |||
| spec.add_runtime_dependency "thor", "~> 0.20.0" | |||
| spec.add_runtime_dependency "thor", "~> 1.0" | |||
There was a problem hiding this comment.
Addressed in 9bb5951#diff-ee0dfbe0509abc47c944702671133788R33
| @@ -3,7 +3,7 @@ sudo: false | |||
| cache: "bundler" | |||
| matrix: | |||
| include: | |||
| - rvm: "2.6" | |||
| - rvm: "2.7" | |||
There was a problem hiding this comment.
Addressed in 4434336#diff-354f30a63fb0907d4ad57269548329e3R7
Context
We recently ran
bundle updateon our Lita instance to address CVE-2020-8184 and CVE-2020-8161.The latest Lita version release is 4.7.1 (2016-09-17), which requires Rack ">= 1.5.2", "< 2.0.0" (see fda3a80) and prevents us from updating Rack to version
2.1.4or later to address these CVEs.Taking the latest version from GitHub (312df73) comes with the trade-off that we have to downgrade Faraday to
0.15.4from1.0.1and Thor from1.0.1to0.20.3. This version also fails CI (see build 631295227).I'd really like to upgrade these dependencies to ensure we don't have any known vulnerabilities.
Change
Confirmation
bundle exec rakeruns successfully locally.