Bump Nokogiri #5182
Conversation
This can only go after the spree PRs are merged.
… AND remove deface from list of dependencies
… of OFN and we don't need to control the version now, so I remove it from Gemfile)
ready for review.
if you have reviewed this PR you can probably quickly review this one #5194 that updates the spree revision on the 3-0-stable version.
This is very good news! 💪
We should watch out with Paperclip upgrades. Upgrading it in the past proved to be tricky because it had backward-incompatible changes. I'd double-check their release notes.
Hi @luisramos0, I performed a basic sanity check:
All good - moving to ready to go.
What? Why?
I think I just fixed our only critical severity security issue 🎉
https://github.com/openfoodfoundation/openfoodnetwork/network/alert/Gemfile.lock/nokogiri/closed
We can remove deface from spree_core now that we don't use spree_backend, and spree_i18n and better_spree_paypal don't use deface. This is done in openfoodfoundation/spree#42 for current spree 2-0-4 and in openfoodfoundation/spree#42 for the next spree 2-1-0.
After removing deface from spree we can just remove nokogiri from our concerns and let it upgrade through the other gems that depend on it 🎉
The Paperclip requirement in spree_core changed but our version 3.4.2 is good for it, no Paperclip upgrade in this PR.
What should we test?
Maybe a sanity check? I think this is a fundamental piece of software, so we would see problems in the build if there were any.
Release notes
Changelog Category: Fixed
Fixed long-standing critical security issue in OFN related to a dependency with security problems 🎉
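The sanity check described above (confirm that nokogiri is no longer pinned directly, see which gems still pull it in, and verify the resolved version is at or above the advisory's floor) can be done against Gemfile.lock without running Bundler. The script below is an added example written for this page, not code from the PR or from the OFN project; the lockfile it parses is a constructed sample with made-up gem versions, and the minimum version passed to `audit` is a placeholder the reader should replace with the version named in the GitHub alert.

```ruby
# Minimal Gemfile.lock parser plus the three checks a reviewer of a
# "drop the nokogiri pin" PR wants: is the gem still a direct dependency,
# which resolved gems depend on it, and is the resolved version >= a floor.
require "rubygems" # for Gem::Version comparisons

# Constructed sample lockfile: versions and dependencies are illustrative,
# not the project's real Gemfile.lock.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      deface (1.0.2)
        nokogiri (~> 1.6)
        polyglot
      loofah (2.2.2)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      mini_portile2 (2.3.0)
      nokogiri (1.8.2)
        mini_portile2 (~> 2.3.0)
      polyglot (0.3.5)
      rails-html-sanitizer (1.0.4)
        loofah (~> 2.2, >= 2.2.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    deface (= 1.0.2)
    rails-html-sanitizer

  BUNDLED WITH
     1.16.1
LOCK

Spec = Struct.new(:name, :version, :deps)

# Returns [specs, direct]: specs maps gem name => Spec for every resolved gem
# in the GEM section; direct is the list of names from DEPENDENCIES (the
# Gemfile's own requirements, with version constraints and "!" stripped).
def parse_lockfile(text)
  specs   = {}
  direct  = []
  section = nil
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/            # section headers sit at column 0
      section = line.strip
      current = nil
      next
    end
    case section
    when "GEM"
      if line =~ /\A    (\S+) \(([^)]+)\)\z/        # 4-space indent: a resolved spec
        version = $2.split("-", 2).first           # drop platform suffix, e.g. "-x86_64-linux"
        current = Spec.new($1, Gem::Version.new(version), [])
        specs[current.name] = current
      elsif current && line =~ /\A      (\S+)/     # 6-space indent: one of its dependencies
        current.deps << $1
      end
    when "DEPENDENCIES"
      direct << line.strip.sub(/\s*\(.*\)\z/, "").sub(/!\z/, "")
    end
  end
  [specs, direct]
end

# Names of resolved gems that declare gem_name as a dependency.
def dependents_of(specs, gem_name)
  specs.values.select { |s| s.deps.include?(gem_name) }.map(&:name).sort
end

def direct_dependency?(direct, gem_name)
  direct.include?(gem_name)
end

def resolved_version(specs, gem_name)
  specs.fetch(gem_name).version
end

# minimum is the first fixed version from the advisory (placeholder here).
def patched?(specs, gem_name, minimum)
  resolved_version(specs, gem_name) >= Gem::Version.new(minimum)
end

def audit(lock_text, gem_name, minimum)
  specs, direct = parse_lockfile(lock_text)
  {
    resolved:     resolved_version(specs, gem_name).to_s,
    patched:      patched?(specs, gem_name, minimum),
    direct:       direct_dependency?(direct, gem_name),
    pulled_in_by: dependents_of(specs, gem_name),
  }
end

if __FILE__ == $PROGRAM_NAME
  p audit(SAMPLE_LOCK, "nokogiri", "1.8.2")
  p audit(SAMPLE_LOCK, "deface", "1.0.0")
end
```

Run it against the real lockfile by reading the file instead of `SAMPLE_LOCK`; after the PR, `direct` should be false for nokogiri, `pulled_in_by` should no longer list deface, and `patched` should be true once Bundler has resolved nokogiri through the remaining dependents.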