
Comments (5)

tcdowney commented on June 8, 2024

+1 to this! I was trying to figure out why Sprockets 4 wasn't working with my site since it looked like it had been fixed here a couple of years ago, and was surprised to find out it was because the latest version on RubyGems was really old. A release would be appreciated! 🙏

from jekyll-assets.

Fryguy commented on June 8, 2024

Bump - I just ran into the sprockets 4 issue due to the new bundler 2.4 release which brings in a new resolver. My app is now resolving to jekyll-assets 3.0.12 + sprockets 4 which is causing issues that have been fixed, but not released.


mslinn commented on June 8, 2024

Until this project releases a new gem, I am using this unstable mechanism to get the gem from git HEAD:

gem 'jekyll-assets', git: 'https://github.com/envygeeks/jekyll-assets'

An actual release would be so much better!

A new release would mean that bundle audit on Jekyll projects would pass. Using jekyll-assets v3.0.12 results in the audit failing with multiple CVEs:

Name: rack
Version: 1.6.13
CVE: CVE-2020-8161
GHSA: GHSA-5f9h-9pjv-v6j7
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Title: Directory traversal in Rack::Directory app bundled with Rack
Solution: upgrade to '~> 2.1.3', '>= 2.2.0'

Name: rack
Version: 1.6.13
CVE: CVE-2020-8184
GHSA: GHSA-j6w9-fv6q-3q52
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Solution: upgrade to '~> 2.1.4', '>= 2.2.3'

Name: rack
Version: 1.6.13
CVE: CVE-2022-30122
GHSA: GHSA-hxqx-xwvh-44m2
Criticality: High
URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk
Title: Denial of Service Vulnerability in Rack Multipart Parsing
Solution: upgrade to '~> 2.0.9, >= 2.0.9.1', '~> 2.1.4, >= 2.1.4.1', '>= 2.2.3.1'

Name: rack
Version: 1.6.13
CVE: CVE-2022-30123
GHSA: GHSA-wq4h-7r42-5hrr
Criticality: Critical
URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8
Title: Possible shell escape sequence injection vulnerability in Rack
Solution: upgrade to '~> 2.0.9, >= 2.0.9.1', '~> 2.1.4, >= 2.1.4.1', '>= 2.2.3.1'

Name: rack
Version: 1.6.13
CVE: CVE-2022-44570
GHSA: GHSA-65f5-mfpf-vfhj
Criticality: Unknown
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Title: Denial of service via header parsing in Rack
Solution: upgrade to '~> 2.0.9, >= 2.0.9.2', '~> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.2', '>= 3.0.4.1'

Name: rack
Version: 1.6.13
CVE: CVE-2022-44571
GHSA: GHSA-93pm-5p5f-3ghx
Criticality: Unknown
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Title: Denial of Service Vulnerability in Rack Content-Disposition parsing
Solution: upgrade to '~> 2.0.9, >= 2.0.9.2', '~> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.1', '>= 3.0.4.1'

Name: rack
Version: 1.6.13
CVE: CVE-2022-44572
GHSA: GHSA-rqv2-275x-2jq5
Criticality: Unknown
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Title: Denial of service via multipart parsing in Rack
Solution: upgrade to '~> 2.0.9, >= 2.0.9.2', '~> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.1', '>= 3.0.4.1'

Name: sinatra
Version: 1.4.8
CVE: CVE-2022-29970
GHSA: GHSA-qp49-3pvw-x4m5
Criticality: High
URL: https://github.com/sinatra/sinatra/pull/1683
Title: sinatra does not validate expanded path matches
Solution: upgrade to '>= 2.2.0'

Name: sinatra
Version: 1.4.8
CVE: CVE-2022-45442
GHSA: GHSA-2x8x-jmrp-phxw
Criticality: High
URL: https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw
Title: Sinatra vulnerable to Reflected File Download attack
Solution: upgrade to '~> 2.2.3', '>= 3.0.4'

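The audit output above lists, for each advisory, one or more alternative "Solution" requirement strings, and a version is patched if it satisfies any one of them; a string like '~> 2.1.4, >= 2.1.4.1' is a single conjunction (the pessimistic range plus a floor), so 2.1.4 is still vulnerable while 2.1.4.1 is not. The following script is an added example (not part of the thread or of jekyll-assets or bundler-audit) that reads a Gemfile.lock and evaluates the installed rack and sinatra versions against exactly those requirement lists using RubyGems' own Gem::Requirement. The Gemfile.lock text is constructed for the example; the ADVISORIES table is copied from the Solution lines above and the function names are the example's own.

```ruby
require "rubygems"

# Patched-version requirements, copied from the "Solution:" lines of the audit
# output above. An advisory is closed if the installed version satisfies ANY
# one of its alternative requirement strings.
ADVISORIES = {
  "rack" => {
    "CVE-2020-8161"  => ["~> 2.1.3", ">= 2.2.0"],
    "CVE-2020-8184"  => ["~> 2.1.4", ">= 2.2.3"],
    "CVE-2022-30122" => ["~> 2.0.9, >= 2.0.9.1", "~> 2.1.4, >= 2.1.4.1", ">= 2.2.3.1"],
    "CVE-2022-30123" => ["~> 2.0.9, >= 2.0.9.1", "~> 2.1.4, >= 2.1.4.1", ">= 2.2.3.1"],
    "CVE-2022-44570" => ["~> 2.0.9, >= 2.0.9.2", "~> 2.1.4, >= 2.1.4.2", "~> 2.2.6, >= 2.2.6.2", ">= 3.0.4.1"],
    "CVE-2022-44571" => ["~> 2.0.9, >= 2.0.9.2", "~> 2.1.4, >= 2.1.4.2", "~> 2.2.6, >= 2.2.6.1", ">= 3.0.4.1"],
    "CVE-2022-44572" => ["~> 2.0.9, >= 2.0.9.2", "~> 2.1.4, >= 2.1.4.2", "~> 2.2.6, >= 2.2.6.1", ">= 3.0.4.1"],
  },
  "sinatra" => {
    "CVE-2022-29970" => [">= 2.2.0"],
    "CVE-2022-45442" => ["~> 2.2.3", ">= 3.0.4"],
  },
}

# "~> 2.1.4, >= 2.1.4.1" is a comma-separated conjunction; Gem::Requirement.new
# takes the pieces as separate arguments and requires all of them to hold.
def patched?(version, alternatives)
  v = Gem::Version.new(version)
  alternatives.any? do |alt|
    Gem::Requirement.new(*alt.split(",").map(&:strip)).satisfied_by?(v)
  end
end

# Minimal Gemfile.lock reader: {name => version} from every "specs:" section
# (both GEM and GIT sources have one). Only 4-space-indented "name (version)"
# lines are specs; deeper-indented lines are their dependencies and are skipped.
def lock_versions(lock_text)
  versions = {}
  in_specs = false
  lock_text.each_line do |line|
    if line.start_with?("  specs:")
      in_specs = true
      next
    end
    in_specs = false if in_specs && line.strip.empty?
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = m[2]
    end
  end
  versions
end

# Returns {gem_name => [open CVE ids]} for the gems the table knows about.
def audit(lock_text)
  versions = lock_versions(lock_text)
  findings = {}
  ADVISORIES.each do |gem_name, cves|
    next unless (ver = versions[gem_name])
    open = cves.reject { |_cve, alts| patched?(ver, alts) }.keys
    findings[gem_name] = open unless open.empty?
  end
  findings
end

# Constructed Gemfile.lock fragment (not a real project's lockfile) with the
# versions that jekyll-assets 3.0.12 resolves to in the audit output above.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      jekyll-assets (3.0.12)
        sprockets (>= 3.3, < 4.1)
      rack (1.6.13)
      sinatra (1.4.8)
        rack (~> 1.5)

  PLATFORMS
    ruby
LOCK

if __FILE__ == $0
  audit(SAMPLE_LOCK).each do |gem_name, cves|
    puts "#{gem_name} #{lock_versions(SAMPLE_LOCK)[gem_name]}: #{cves.join(', ')}"
  end
end
```

Run it against a real Gemfile.lock by replacing SAMPLE_LOCK with File.read("Gemfile.lock"); the advisory table is frozen to the nine entries in this thread, so for anything current use bundle audit itself, which pulls the ruby-advisory-db and applies the same Gem::Requirement semantics shown here.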

itrich commented on June 8, 2024

We're using jekyll-assets to increase the performance of our static site. Thank you for this awesome gem.
Currently, we've added jekyll-assets with the corresponding git URL to our Gemfile. However, this causes various problems with GitHub Actions and security policies. A new release to RubyGems would be highly appreciated. Let me know if we can support you with maintaining this project!
