axlsx
Allow both minor and patch changes in dependencies
The optimistic operator ~> is tricky. I only recently learned how it works. The level of precision determines what ranges are allowed (http://guides.rubygems.org/patterns/).
With the current gemspec rubyzip and htmlentities are pinned down to only patch level changes. This change allows rubyzip >= 1.1 && < 2.0 which is fine.
Only allowing patch level changes causes needless dependency issues.
This adjustment is theoretically safe as long as semantic versioning is adhered to by the dependencies.
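To make the range arithmetic concrete, here is an added example (not code from the PR or from the axlsx project) that asks RubyGems' own `Gem::Requirement` which versions each pessimistic constraint accepts. The `CANDIDATES` list is a constructed set of version strings, not rubyzip's real release history; the point is that `~> 1.1.7` means `>= 1.1.7, < 1.2` while `~> 1.1` means `>= 1.1, < 2`, so a hypothetical 1.2.x release is only reachable under the looser form.

```ruby
require 'rubygems'

# Constructed version strings used to probe each constraint.
# Illustrative only; not the real rubyzip release list.
CANDIDATES = %w[1.0.0 1.1.6 1.1.7 1.1.9 1.2.0 1.2.1 1.3.0 2.0.0].freeze

# Versions from `versions` that the requirement string accepts, decided by
# RubyGems' own Gem::Requirement#satisfied_by? semantics.
def allowed_versions(requirement, versions = CANDIDATES)
  req = Gem::Requirement.new(requirement)
  versions.select { |v| req.satisfied_by?(Gem::Version.new(v)) }
end

# The explicit [lower, upper) bounds RubyGems derives from a `~>` constraint.
# Gem::Version#bump drops the last segment and increments the one before it,
# which is exactly how `~>` computes its exclusive upper bound:
# `~> 1.1.7` -> [1.1.7, 1.2) and `~> 1.1` -> [1.1, 2).
def pessimistic_bounds(requirement)
  version = Gem::Version.new(requirement.sub(/\A~>\s*/, ''))
  [version, version.bump]
end

# Can a given (hypothetical) fixed release ever be selected under the constraint?
def fix_reachable?(requirement, fixed_version)
  Gem::Requirement.new(requirement).satisfied_by?(Gem::Version.new(fixed_version))
end

if __FILE__ == $PROGRAM_NAME
  ['~> 1.1.7', '~> 1.1'].each do |r|
    lo, hi = pessimistic_bounds(r)
    puts "#{r}  means  >= #{lo}, < #{hi}  ->  #{allowed_versions(r).join(', ')}"
  end
  puts "1.2.1 reachable under ~> 1.1.7? #{fix_reachable?('~> 1.1.7', '1.2.1')}"
  puts "1.2.1 reachable under ~> 1.1?   #{fix_reachable?('~> 1.1', '1.2.1')}"
end
```

Run it with plain `ruby`; no gems beyond the bundled rubygems are needed. The same check is worth running on any pinned dependency before merging a gemspec change, since the bounds are computed from segment count rather than from the digits themselves.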
I'd second, at the very least, loosening up 'rubyzip', '~> 1.1.7' to 'rubyzip', '~> 1.1'. I'm in an unfortunate position with multiple dependencies that use rubyzip, and this makes it hard to add Axlsx into the mix.
friendly ping @randym
@randym Any chance that this would be accepted and merged since there is a High severity vulnerability in rubyzip versions older than 1.2.1? https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5946
@romansklenar In case it's useful to you too, I've moved on to xlsxtream, which is an excellent library for writing XLSX files.
It doesn't handle fancy color formatting etc., but works really well for simple files.
Chiming in with a +1 on requesting this to be merged due to the vulnerability in rubyzip versions older than 1.2.1
@randym any news on this?