Bump rubyzip from 1.2.1 to 1.3.0 #232

brad-lewis · 2020-01-29T16:34:30Z

Automated security updates showed these alerts:

Dependency      Version                Upgrade to
rubyzip               Version<= 1.2.1   ~> 1.2.2

Vulnerabilities
CVE-2019-16892 High severity
CVE-2018-1000544 Moderate severity

Could we bump to 1.3.0?

The text was updated successfully, but these errors were encountered:

repeatedly · 2020-01-29T21:49:43Z

This will be fixed in td-agent 3.6.0.
Of course, you know fluentd itself doesn't use rubyzip.

brad-lewis · 2020-01-29T21:56:46Z

I would have thought the way to fix it, is to edit Gemfile.lock

-    rubyzip (1.2.1)
+    rubyzip (1.3.0)

I didn't see that address in the 3.6.0 pull request. Does something else imply a newer version?

repeatedly · 2020-01-29T22:01:32Z

td-agent 3.5.1 has already installed rubyzip 2.0.0, not 1.2.1.
See #233 (comment)

repeatedly closed this as completed Jan 29, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump rubyzip from 1.2.1 to 1.3.0 #232

Bump rubyzip from 1.2.1 to 1.3.0 #232

brad-lewis commented Jan 29, 2020

repeatedly commented Jan 29, 2020 •

edited

Loading

brad-lewis commented Jan 29, 2020 •

edited

Loading

repeatedly commented Jan 29, 2020

Bump rubyzip from 1.2.1 to 1.3.0 #232

Bump rubyzip from 1.2.1 to 1.3.0 #232

Comments

brad-lewis commented Jan 29, 2020

repeatedly commented Jan 29, 2020 • edited Loading

brad-lewis commented Jan 29, 2020 • edited Loading

repeatedly commented Jan 29, 2020

repeatedly commented Jan 29, 2020 •

edited

Loading

brad-lewis commented Jan 29, 2020 •

edited

Loading