Comments (5)
+1 to this! I was trying to figure out why Sprockets 4 wasn't working with my site since it looked like it had been fixed here a couple years ago and was surprised to find out it was because the latest version on RubyGems was really old. A release would be appreciated!
Bump - I just ran into the sprockets 4 issue due to the new bundler 2.4 release which brings in a new resolver. My app is now resolving to jekyll-assets 3.0.12 + sprockets 4 which is causing issues that have been fixed, but not released.
Until this project releases a new gem, I am using this unstable mechanism to get the gem from git HEAD:
gem 'jekyll-assets', git: 'https://github.com/envygeeks/jekyll-assets'
An actual release would be so much better!
A new release would mean that bundle audit on Jekyll projects would pass. Using jekyll-assets v3.0.12 results in the audit failing with multiple CVEs:
Name: rack
Version: 1.6.13
CVE: CVE-2020-8161
GHSA: GHSA-5f9h-9pjv-v6j7
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Title: Directory traversal in Rack::Directory app bundled with Rack
Solution: upgrade to '~> 2.1.3', '>= 2.2.0'
Name: rack
Version: 1.6.13
CVE: CVE-2020-8184
GHSA: GHSA-j6w9-fv6q-3q52
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Solution: upgrade to '~> 2.1.4', '>= 2.2.3'
Name: rack
Version: 1.6.13
CVE: CVE-2022-30122
GHSA: GHSA-hxqx-xwvh-44m2
Criticality: High
URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk
Title: Denial of Service Vulnerability in Rack Multipart Parsing
Solution: upgrade to '~> 2.0.9, >= 2.0.9.1', '~> 2.1.4, >= 2.1.4.1', '>= 2.2.3.1'
Name: rack
Version: 1.6.13
CVE: CVE-2022-30123
GHSA: GHSA-wq4h-7r42-5hrr
Criticality: Critical
URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8
Title: Possible shell escape sequence injection vulnerability in Rack
Solution: upgrade to '~> 2.0.9, >= 2.0.9.1', '~> 2.1.4, >= 2.1.4.1', '>= 2.2.3.1'
Name: rack
Version: 1.6.13
CVE: CVE-2022-44570
GHSA: GHSA-65f5-mfpf-vfhj
Criticality: Unknown
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Title: Denial of service via header parsing in Rack
Solution: upgrade to '~> 2.0.9, >= 2.0.9.2', '~> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.2', '>= 3.0.4.1'
Name: rack
Version: 1.6.13
CVE: CVE-2022-44571
GHSA: GHSA-93pm-5p5f-3ghx
Criticality: Unknown
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Title: Denial of Service Vulnerability in Rack Content-Disposition parsing
Solution: upgrade to '~> 2.0.9, >= 2.0.9.2', '~> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.1', '>= 3.0.4.1'
Name: rack
Version: 1.6.13
CVE: CVE-2022-44572
GHSA: GHSA-rqv2-275x-2jq5
Criticality: Unknown
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Title: Denial of service via multipart parsing in Rack
Solution: upgrade to '~> 2.0.9, >= 2.0.9.2', '~> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.1', '>= 3.0.4.1'
Name: sinatra
Version: 1.4.8
CVE: CVE-2022-29970
GHSA: GHSA-qp49-3pvw-x4m5
Criticality: High
URL: https://github.com/sinatra/sinatra/pull/1683
Title: sinatra does not validate expanded path matches
Solution: upgrade to '>= 2.2.0'
Name: sinatra
Version: 1.4.8
CVE: CVE-2022-45442
GHSA: GHSA-2x8x-jmrp-phxw
Criticality: High
URL: https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw
Title: Sinatra vulnerable to Reflected File Download attack
Solution: upgrade to '~> 2.2.3', '>= 3.0.4'
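The "Solution: upgrade to ..." lines in the audit output above list several alternative requirement groups per advisory (one per maintained branch), and a version only closes the advisory if it satisfies one whole group. The following Ruby script is an added example, not part of the thread or of jekyll-assets or bundler-audit; it parses those strings with Gem::Requirement and reports which of a constructed subset of the quoted rack advisories stay open for a given locked version, showing that a patch release on an older branch can leave others unfixed.

```ruby
require "rubygems"

# Parse "upgrade to '~> 2.0.9, >= 2.0.9.1', '>= 2.2.3.1'" into one
# Gem::Requirement per quoted group; constraints inside a group are ANDed.
def parse_solution(solution)
  solution.scan(/'([^']+)'/).flatten.map do |group|
    Gem::Requirement.new(*group.split(",").map(&:strip))
  end
end

# A version is fixed when it satisfies ANY of the alternative groups.
def fixed?(version, solution)
  v = Gem::Version.new(version)
  parse_solution(solution).any? { |req| req.satisfied_by?(v) }
end

# CVE ids of the advisories for `name` that `version` does not resolve.
def open_advisories(name, version, advisories)
  advisories.select { |a| a[:name] == name && !fixed?(version, a[:solution]) }
            .map { |a| a[:cve] }
end

# Constructed sample: three of the rack advisories quoted in the comment above,
# with their Solution lines copied verbatim.
RACK_ADVISORIES = [
  { name: "rack", cve: "CVE-2020-8161",
    solution: "upgrade to '~> 2.1.3', '>= 2.2.0'" },
  { name: "rack", cve: "CVE-2022-30123",
    solution: "upgrade to '~> 2.0.9, >= 2.0.9.1', '~> 2.1.4, >= 2.1.4.1', '>= 2.2.3.1'" },
  { name: "rack", cve: "CVE-2022-44570",
    solution: "upgrade to '~> 2.0.9, >= 2.0.9.2', '~> 2.1.4, >= 2.1.4.2', '~> 2.2.6, >= 2.2.6.2', '>= 3.0.4.1'" },
].freeze

if __FILE__ == $0
  # 1.6.13 is the version jekyll-assets 3.0.12 resolves to; the others are
  # candidate upgrades on different maintenance branches.
  %w[1.6.13 2.0.9.1 2.2.3.1 3.0.4.1].each do |v|
    puts "rack #{v}: still open #{open_advisories('rack', v, RACK_ADVISORIES).inspect}"
  end
end
```

Note that 2.0.9.1 closes CVE-2022-30123 but not CVE-2020-8161, whose Solution lists no 2.0.x branch at all, so the lowest version that satisfies every advisory is the one every group has in common, not the smallest patch bump.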
We're using jekyll-assets to increase the performance of our static site. Thank you for this awesome gem.
Currently, we've added jekyll-assets with the corresponding git URL to our Gemfile. However, this causes various problems with GitHub Actions and security policies. A new release to RubyGems would be highly appreciated. Let me know if we can support you with maintaining this project!